Journey into the world of cybersecurity with Idan Plotnik, a true pioneer in the field, as he revisits the path that led him to become a leading figure in tech innovation. Starting with a childhood fascination for computers, Idan advanced to play a pivotal role in the Israeli cyber security unit, eventually founding Erato, which caught the eye of Microsoft. He shares insights from his tenure as General Manager for Software Engineering at #Microsoft and how his encounters with Satya Nadella ignited his passion to launch his first company in 2019. This episode unravels the stark differences between nimble startups and the often sluggish corporate giants, offering a compelling narrative for aspiring entrepreneurs and industry veterans alike.
Explore the sophisticated challenges of ensuring software and cloud security in today's fast-paced tech environments. With cloud platforms like AWS, Azure, and GCP enabling swift deployments, safeguarding software architecture before cloud deployment becomes crucial. Dive into the intricacies of Apiiro's ASPM platform, which revolutionizes the detection and management of code changes for enhanced security measures. The conversation expands into the realm of AI, highlighting emerging threats and innovative risk-management strategies employed by companies like Apiiro. This episode promises essential insights into balancing development speed with security needs, preparing listeners for the future trajectory of AI in software security.
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: how's it going?
00:00:02
Don it's uh really great to finally get you on the podcast,
00:00:05
or?
00:00:05
I guess, uh, maybe again right, because we tried this before
00:00:11
and a couple weeks ago and israel became under attack and
00:00:15
the internet, uh, was not cooperating very much yeah, so
00:00:19
yeah, thanks, joe, for having me for the for the second time.
00:00:23
Yeah, yeah, absolutely.
00:00:26
Not many people come on a second time.
00:00:29
Speaker 2: Yeah it is, it is, but this is our life.
00:00:32
You know, life of a startup is active, so you know we're used
00:00:38
to it.
00:00:39
Speaker 1: Yeah, yeah, it's like it's that mentality of, well, I
00:00:41
don't know what, I don't know, but I also won't know until I
00:00:44
start.
00:00:44
Like it's that mentality of, well, I don't know what, I don't
00:00:54
know, but I also won't know until I start.
00:00:56
Like it's a, it's like a vicious circle.
00:00:57
Yeah, Well, you know you done.
00:00:58
Why don't we start with?
00:00:59
You know how?
00:00:59
How you got into tech?
00:01:00
Right?
00:01:00
So you're, you're from Israel, right?
00:01:03
So obviously you probably made your way into the israeli
00:01:08
military, as everyone from israel does.
00:01:09
Yeah, but I'm wondering about before that time period, were
00:01:15
you already interested in tech?
00:01:16
Were you already inclined to go ?
00:01:18
You know a technical route?
00:01:20
Um, what was that looking like?
00:01:24
Speaker 2: it's an interesting question, by the way, joe.
00:01:26
No, no one asked me this, that question, before and I'm getting
00:01:30
uh into a lot of you know interviews lately, tldr.
00:01:34
I started programming, uh, when I was, I think, six, when my
00:01:39
father back then bought me a computer and, um, and I think it
00:01:44
came over like from that moment I fall in love in a computer
00:01:51
and I was a technical person from from the beginning, from
00:01:56
the early days, and, yes, I served in a cyber security unit
00:02:01
at the idea called matzo, and I was there around four and a half
00:02:08
years plus.
00:02:09
After that I had my own consulting services company, so
00:02:14
I did a lot of penetration testing, security code review,
00:02:18
risk assessments, custom development for large
00:02:22
enterprises, you on the security side and, as part of you know,
00:02:30
a casual pen test which was so you were talking to me about how
00:02:35
you figured out how to steal the ntlm hash of a device and
00:02:40
then you were able to use that to escalate and pivot throughout
00:02:44
the environment.
00:02:45
Speaker 1: So if we want to start there, and then also you
00:02:49
know why don't we take maybe just a step back?
00:02:51
What's the NTLM hash right?
00:02:53
Why is it important?
00:02:54
Why does it matter in Windows systems?
00:02:57
Speaker 2: So NTLM hash or Kerberos token is actually the
00:02:59
identity of the user or the machine is actually the identity
00:03:03
of the user or the machine.
00:03:04
If you're able to steal that, you don't need to know the
00:03:11
password of the user or the password of the computer to be
00:03:14
able to move laterally across the organization.
00:03:17
And this was a very, very back then sophisticated attack.
00:03:22
We all know, you know, know mimikatz and all apt attacks the
00:03:31
mimikatz tool, of course, and the amazing person behind it and
00:03:35
tldr.
00:03:36
This led me to a research and a patent back then to identify,
00:03:43
profile and identify abnormal behavior of users and machines
00:03:49
inside the network.
00:03:50
Back then, we founded a company called Erato.
00:03:54
We were pioneers in the UEBA space, sold it to Microsoft in
00:04:02
December 2014.
00:04:04
January 15, we were in at microsoft.
00:04:07
Um was amazing, amazing ride.
00:04:10
Microsoft.
00:04:14
I was the gm for software engineering, running product
00:04:19
research, development and data science.
00:04:22
I was running the Defender for Identity business.
00:04:24
So that's it.
00:04:27
It was, like you know, from zero to not zero, from $1 million to
00:04:33
$416 in three years.
00:04:34
It was an amazing growth.
00:04:37
You know, microsoft sounds easy but it's not.
00:04:41
But I think that now you know, microsoft and CrowdStrike are
00:04:46
the biggest companies, cybersecurity companies in the
00:04:50
world that are leading the abnormal behavior identity stuff
00:04:57
.
00:04:57
They also like CrowdStrike also acquired a company back then
00:05:02
and I was fortunate enough, to you know, to meet satya in
00:05:07
person.
00:05:07
I I reported to two people under satya nadela so I had two
00:05:12
one-on-one-on-ones with him.
00:05:13
I learned a lot about the business and it like moving
00:05:20
forward at microsoft.
00:05:21
I felt kind of a very interesting challenge or pain
00:05:29
where, you know, from a startup where you used to deliver code
00:05:33
to production on a daily, weekly basis, and now you need to fill
00:05:36
out risk assessment questionnaires, you need to go
00:05:40
through 10 different scanning tools on your code, go through
00:05:50
10 different scanning tools on your code, you need to go
00:05:51
through threat model, pen tests, security reviews, compliance
00:05:53
reviews before you ship code to production, and this was a huge
00:05:58
pain.
00:05:58
Another pain that we faced is when we found risks in
00:06:02
production or in runtime, it was very, very hard to attribute it
00:06:11
back to the code owner or the code component in our code base
00:06:17
and TLDR.
00:06:17
This is what led us to leave Microsoft and found Purell back
00:06:25
then in 2019, 2020.
00:06:27
And back then no one knew what we were talking about.
00:06:31
What does it mean?
00:06:32
Aspm, application Security, password Management?
00:06:35
Why do you need another technology to scan, code and
00:06:42
protect or understand your software architecture and then
00:06:47
expand it to software supply chain and provide a
00:06:52
comprehensive platform that allows you to secure your
00:06:57
software from design, development and delivery in one
00:07:03
risk engine or one platform.
00:07:06
So this is my story in a like, in a nutshell, hmm.
00:07:15
Speaker 1: Yeah, I'm sure you know, one of the biggest
00:07:16
challenges probably at Microsoft , at any level that you're at
00:07:21
within the company, is just the red tape and the processes and
00:07:25
the procedures that you have to follow.
00:07:28
You know, I'm I'm, uh, I'm currently at a at a pretty large
00:07:31
company and I mean it takes you , it takes you a year just to
00:07:36
decide what you're going to buy, and there's other divisions
00:07:41
right Of this same company that takes them three years minimum,
00:07:44
like if they go three years of testing products and whatnot,
00:07:48
like that's them moving quick, right, and it's, it's weird,
00:07:53
right, like I, I feel like I feel like you're not even a
00:07:57
technologist to some extent anymore, right, because by the
00:08:00
time you make a decision on the product, maybe the players in
00:08:05
that space change.
00:08:06
Right, maybe the products that you were testing had major
00:08:09
issues with.
00:08:10
Now, because this process is so , you know, regimented, you know
00:08:14
you have to start over, you have to start completely over.
00:08:17
You can't just plug one in and move forward.
00:08:20
You know, and I'm sure that's probably like one of the
00:08:24
internal, you know downfalls at microsoft too.
00:08:27
Right is where it's like you, you really only move forward.
00:08:32
Speaker 2: I think that, on the security side, microsoft is more
00:08:35
.
00:08:35
You know, build versus buy and and I don't think this is the
00:08:43
issue we solve that in Appiro because we serve around 10% of
00:08:50
Fortune 500 companies.
00:08:51
We solve this problem by one, providing a seamless integration
00:08:59
.
00:08:59
You need read-only API to your source control manager.
00:09:03
That's it.
00:09:04
Read-only API to your source control manager, that's it, and
00:09:06
you can do it.
00:09:07
You can deploy it fully on-prem in an AirGap environment or
00:09:11
hybrid, or use our SaaS offering , whatever, but from the moment
00:09:18
you connect us to your source control manager in one hour, and
00:09:24
this is the core intellectual property that we've built.
00:09:27
We developed a technology called DCA, deep code analysis, where
00:09:32
we scan the entire history of your code base and then we
00:09:36
translate code into entities Like, for example, we know, I
00:09:40
would say, components, like we know all your APIs in the code,
00:09:44
all your Gen AI usage, all your you know technologies, security
00:09:48
controls, exit points, and then we map it on a graph and the aha
00:09:55
moment is where you can tell me hey, dan, no way I didn't
00:10:00
approve my developers to use a bouncy castle from this version,
00:10:03
or I didn't approve my developers to use a bouncy
00:10:04
castle from this version, or I didn't approve them to use
00:10:08
Spring Security for input validation or authentication.
00:10:13
And then you get visibility to your software architecture for
00:10:20
the first time.
00:10:20
All the other scanning tools out there will scan for all of
00:10:24
us.
00:10:24
We developed a completely new technology that fully
00:10:29
understands your software architecture.
00:10:31
And now if you want to connect all your existing tools into
00:10:35
Appiro and contextualize their findings, or their noisy
00:10:40
findings, and match it to your software architecture and say,
00:10:44
okay, it's great that I have sql injection or log4j or secret in
00:10:48
code or whatever, but you know what?
00:10:51
It's not in a code module with pii, or it's not deployed, or
00:10:55
it's not a high business impact application or stuff like that.
00:10:59
And I think I think this is how we overcome all the barriers of
00:11:09
going through very, very large enterprises that are paying
00:11:15
multi-million dollar deals to a Puro today.
00:11:18
But we did it in small chunks.
00:11:21
We did it in small chunks.
00:11:24
You can start small and grow with the pure old, but the
00:11:29
unique value prop is just to tell you hey, joe, this is your
00:11:31
software architecture and the only way to know that is
00:11:37
questionnaires or manual security reviews or other
00:11:44
self-based attestation processes .
00:11:46
That will you like?
00:11:48
You say x, yes, I do, I don't have pii and tomorrow you do
00:11:52
have pii in your code base and no one will actually identify
00:11:58
that in a continuous manner.
00:12:00
So I think the value prop plus a very seamless, easy, with
00:12:07
short time to value, this is how we overcome and, of course, all
00:12:12
the security controls that we have and the regulations that we
00:12:16
put in place, and on and on.
00:12:19
But this is how we overcome the burden of going through a
00:12:26
one-year evaluation process with large enterprises.
00:12:32
Speaker 1: Yeah, a lot of people don't understand or they don't
00:12:35
realize how big of a problem this actually is, right, and you
00:12:41
know.
00:12:42
I'll give you an example.
00:12:43
You know, in my environment right now, right, and I've been
00:12:49
in other environments where this is the exact situation where
00:12:55
you really don't know the third-party libraries, for
00:12:59
instance, that are being used in an application, unless your
00:13:02
developer specifically tells you or you have a way to call them
00:13:07
out on it.
00:13:07
Right, there's no way for you to know, you don't know if
00:13:11
they're outdated, if they're vulnerable to something.
00:13:14
Right that you're opening yourself up to a new attack that
00:13:17
you don't even know about.
00:13:18
Right, and with how cloud applications are nowadays, you
00:13:23
need you know four or five different tool to actually
00:13:27
secure your pipeline and your code and make sure that we're
00:13:31
not using uh ai models and ways that make us, you know,
00:13:37
vulnerable to different, different attacks and whatnot.
00:13:39
These are, these are huge, huge problems.
00:13:43
One real world.
00:13:47
Speaker 2: Sorry, Joe, no, no, I just wanted to say before we
00:13:50
move on, I think that the problem is much more complex
00:13:57
than that, because everyone are looking at their text surface in
00:14:03
silo.
00:14:04
You are now telling me on open source, but if I will tell you,
00:14:08
listen, this open source is actually using a secret and in
00:14:14
the same code module you have API that expose BI data or an
00:14:19
API that sends data to open AI surface.
00:14:23
Without understanding your software architecture, you will
00:14:27
continue to fight the siloed alerts and you cannot win the
00:14:32
battle.
00:14:32
You cannot win because you have so many alerts and so many
00:14:39
vulnerabilities.
00:14:40
You need to contextualize them.
00:14:42
You need to first understand your software architecture and
00:14:47
only then connect these siloed alerts on top of your software
00:14:54
architecture to make sense of them and to understand if
00:14:58
they're impacting your business or not.
00:15:01
Or you have a toxic combination that you need to handle before
00:15:07
you need to handle any log4j or any vulnerable dependency,
00:15:12
because you need to look at it as a whole and not as one simple
00:15:18
alert and another like this is problem.
00:15:22
Another problem is how you identify these combinations
00:15:28
early in the development lifecycle before you deploy to
00:15:31
production.
00:15:32
This is the key, because if you have three, you know, I'm so
00:15:38
many years in the cybersecurity industry.
00:15:40
The AppSec exists for 20 years.
00:15:44
And then everyone said shift left, shift left, shift left.
00:15:47
And what happened is they blocked developers on every CVSS
00:15:53
score eight and above.
00:15:54
But who cares about CVSS score if CVSS does not understand your
00:15:59
software architecture?
00:16:00
And then what happened?
00:16:02
You stop developers and they are frustrated from security.
00:16:06
So what we decided to do is to build our own risk graph engine.
00:16:12
Okay, the risk graph engine actually takes from the DCA the
00:16:18
deep code analysis, the software architecture, and then from
00:16:21
your CMDB, from your five different SaaS SCA Secrets you
00:16:26
know CSPM, whatever tools that you are using and combine them
00:16:31
together on a graph and say you know, now Joe opened a pull
00:16:36
request and it touches a sensitive data with the
00:16:40
sensitive business logic in this code module that transfer money
00:16:44
, for example, Plus an open source dependency with
00:16:47
vulnerability that is reachable in the code.
00:16:49
This is why it's a risk to the business.
00:16:53
Let's stop Joe at the pull request and providing
00:16:57
remediation guidance or automatically try to fix that.
00:17:01
And when you have this context now you can actually shift left.
00:17:06
So again, it's not only detecting these types of risks,
00:17:14
it's correlating the data, it's understanding the software
00:17:17
architecture, and only then you can actually block and prevent
00:17:23
risks early at the pull request, before you start the build
00:17:27
process, or after, or at the deployment, whatever.
00:17:30
It's too late from my point of view.
00:17:32
But I'm just saying everyone are missing the point.
00:17:36
They are missing the software architecture they need to
00:17:42
understand and siloed tools.
00:17:44
Care about CVSS core or EPSS core, and it's meaningless and
00:17:50
then it's just bombarding developers.
00:17:52
And again, I don't want to complicate stuff, but you
00:17:56
touched on software supply chain .
00:17:59
Yes, you need to look at the attack vector.
00:18:02
It's a multidimensional attack vector.
00:18:06
Someone can breach into your source, Someone can breach into
00:18:11
your CICD pipeline or inject malicious code, like in the
00:18:15
solar wind attack that actually you know they breached one cidcd
00:18:23
pipeline and managed to breach all their, the customers of
00:18:29
solar.
00:18:29
So it's looking at your code and your code is very complex
00:18:36
because it's assembled from first party code code,
00:18:39
third-party code, secrets, open-source dependencies,
00:18:44
third-party technologies, SDKs and then secure.
00:18:47
Make sure that you have all the application security platform
00:19:04
from the design phase which we will talk about in a second to
00:19:08
the development, to the deliver makes sense yeah, yeah, it makes
00:19:14
sense.
00:19:15
Speaker 1: You, uh, I was going to get there, you know where,
00:19:18
where we're diving into the actual architecture, right,
00:19:22
because actually I've experienced this.
00:19:24
You know personally, right, where there was a potential.
00:19:27
You know event, right, and we were looking at an application I
00:19:32
didn't even know how it was designed, right, where is it
00:19:35
pulling the data from?
00:19:36
What is it actually doing on the back end?
00:19:38
Why is this?
00:19:40
You know, a critical production application, right, and there's
00:19:44
literally one person at the company that is able to tell me
00:19:48
that God forbid, they go on vacation or something, right,
00:19:51
like, that's how it was, you know.
00:19:53
And now, you know, I'm over here creating the first like
00:19:56
architecture diagram of how this application runs, especially in
00:20:01
the cloud, right, yeah?
00:20:05
like especially in the cloud, where people can, you know, just
00:20:09
so easily deploy new applications, new architectures,
00:20:12
new patterns right using new services in AWS, azure, gcp than
00:20:19
are what are you know, even previously approved and whatnot.
00:20:22
Like they can do those things and you'll have a sprawling
00:20:26
infrastructure that's well beyond what you even think that
00:20:29
it is Totally agree, but I want to differentiate between
00:20:33
software architecture to infrastructure or cloud
00:20:37
architecture.
00:20:37
Speaker 2: Okay, these are totally different inventories,
00:20:40
totally different inventories, totally different relationships,
00:20:44
totally different components, totally different diagrams.
00:20:48
Now, yes, my, if, let's say, an application in java, okay, is
00:20:55
it?
00:20:55
You developed your restful apis in string and one of the APIs
00:21:01
is reading or storing data in a storage bucket.
00:21:05
Yes, you want to know that and you can know that today with our
00:21:10
DCA, with our deep code analysis, only from scanning the
00:21:13
code, okay, without scanning your cloud architecture.
00:21:17
Okay.
00:21:17
But what I'm trying to say is that the software architecture
00:21:21
looks totally different from your cloud architecture and you
00:21:24
need to secure that before you deploy to the cloud.
00:21:29
And the challenge is you said you are building the diagram,
00:21:34
but the diagram will change tomorrow.
00:21:36
How do you keep update, updating the diagram for every
00:21:43
code commit?
00:21:43
That is material, like I don't care if my developer changed the
00:21:51
background color of the login page, but I do care if he
00:21:57
exposed a new data model in the API of the login page.
00:22:01
Yes, absolutely, immediately, I need to trigger a pen test or a
00:22:08
security code review if the data model contains sensitive
00:22:10
data.
00:22:10
And I think this is what the industry is missing because I
00:22:18
wouldn't say it's easy, but it's more structured.
00:22:21
When you open or enable a new service in aws or a new storage
00:22:42
bucket or a new firewall rule, also, you know, prevent that or
00:22:46
have segregation of duties with two approvals.
00:22:51
But if you're a software developer, we'll add the data
00:22:55
model to the API that is responsible for the login page
00:23:01
in the UI.
00:23:02
No one will know, no one, I promise you.
00:23:07
And this is the gap that we are solving in Appiro.
00:23:11
You know, with our ASPM platform that is powered by the
00:23:16
deep code analysis technology.
00:23:17
We are telling you that developer all committed the code
00:23:21
to your code repo.
00:23:23
It's a material change that require a pen test,
00:23:28
automatically trigger it without asking anyone.
00:23:31
The policy is defined in Apiro with your risk threshold and
00:23:38
risk appetite and if you pass this threshold you have gates.
00:23:43
At the design phase.
00:23:45
We scan JIRA tickets or feature requests Okay, and then we stop
00:23:52
you from going to the development phase without Joe
00:23:58
doing a threat model on this feature.
00:23:59
If you open a pull request or commit code to your feature
00:24:04
branch, we will stop you because you committed a material change
00:24:08
or a risk based on your software architecture.
00:24:11
If you're going to release your artifacts.
00:24:15
We will stop you and say, joe, you pass these and these and
00:24:20
these policies, which are a graph-based policies across
00:24:26
multi, multi-data stores, from code, cmdb and runtime data and
00:24:35
more and more.
00:24:36
And this is where you know you put the gates before you ship to
00:24:45
the cloud.
00:24:46
Now to your point.
00:24:48
If you already you know what.
00:24:50
If you ship Log4j three years ago it wasn't vulnerable and
00:24:56
today we found the zero day Then you need to attribute this to
00:25:04
which pipeline when it was deployed, who approved it.
00:25:07
Is it went through a pen test or not?
00:25:09
And with the cold owner that actually imported the package,
00:25:14
who did the review on the pull request and automatically opened
00:25:19
to this developer if he's still in the company, open a pull
00:25:23
request to fix it.
00:25:24
And this is exactly what we're doing with call-to-runtime
00:25:28
matching attributing code components like APIs, open
00:25:33
source dependencies, pii fields, authorization logic and others
00:25:38
to the code owner.
00:25:40
Speaker 1: Yeah, all of those are.
00:25:42
It's like it's close to impossible right now without
00:25:46
that stuff, without that sort of technology, and it's a it's a
00:25:51
situation that I encounter very often, actually, of where you
00:25:55
know someone builds something that maybe throws a
00:25:58
vulnerability scanner alarm right and now we got to add
00:26:02
context around it.
00:26:03
You have to have someone.
00:26:04
You know, really it's a couple people getting on a call and
00:26:08
talking about why it matters and why we should care about this
00:26:11
one module or this one snippet of code right and explaining
00:26:16
that to the dev, and then going through the whole process again
00:26:19
and hopefully it passes this time right, like without that
00:26:23
sort of singular solution.
00:26:24
Speaker 2: Yeah, we have like four different tools to tell us
00:26:27
different things yeah so again two problems one, how you
00:26:33
consolidate all the findings and contextualizing them and you
00:26:38
know who you should talk to.
00:26:39
And and the second problem is, again, just aggregating the data
00:26:45
and finding the code owner will not be effective if you don't
00:26:49
know your software architecture, because you have so many alerts
00:26:53
and without understanding the software architecture, you don't
00:26:57
know how and what to prioritize .
00:26:59
I do want to say just one step back.
00:27:02
You said something interesting.
00:27:04
I don't know when you're going to publish it, but next week we
00:27:09
are announcing unfortunately in an anonymous way.
00:27:14
We closed the largest deal in the ASPM market ever with
00:27:18
Fortune 10 company.
00:27:19
I can't say which one, but it's , it's, it's a one of the
00:27:24
biggest companies in the world.
00:27:26
Why?
00:27:26
Because they manage to quantify what you just said.
00:27:32
We manage to quantify how many man hours they're investing on
00:27:37
every alert in runtime, how how many hours they invest by the
00:27:44
way, invest when they find it in runtime, how much time they
00:27:48
invest to triage, prioritize and then find the code owner to fix
00:27:54
it, because the security team cannot do that.
00:27:56
And then how much time they invest on risk assessment
00:28:00
questionnaires before releasing to production.
00:28:04
We actually and I'm going to share, not I, my marketing team
00:28:09
are going to share the metrics and the data behind it so you
00:28:14
will be able and your audience can go and see exactly the
00:28:19
parameter of how we calculated it with the customer and what is
00:28:25
the total cost of the cost reduction that we managed to
00:28:30
prove to the customer.
00:28:31
So I feel, like I feel I felt the pain that you are talking
00:28:38
about at Microsoft so I can connect to your day by day, joe
00:28:45
and and yes, it's a painful problem and I'm sorry I'm, I'm
00:28:50
like a broken record and without understanding your software
00:28:54
architecture, you literally cannot do that you literally
00:29:04
cannot do that.
00:29:04
Speaker 1: Yeah, yeah, I mean, without even, you know, being
00:29:05
able to put numbers to it.
00:29:06
Like you mentioned, right, you can't.
00:29:07
You can't even really start to like quantify how much work goes
00:29:10
into just this section of your business.
00:29:13
That's probably not even noticed by upper management, you
00:29:16
know, and, like you said, said when they, when they start
00:29:19
seeing how much they're actually putting into it, it's like,
00:29:23
wait a minute, like we're, we're blowing money right now.
00:29:26
This solution over here is cheap compared to what we're
00:29:29
actually putting into it.
00:29:30
We need to, you know, refocus and refactor and you know free
00:29:35
up some time for these.
00:29:36
You know highly paid engineers, highly paid developers, to go
00:29:41
and do the work that we need them to actually do to make us a
00:29:45
Fortune 10 company right To make us the best in the space.
00:29:48
When you start quantifying it like that, it speaks volumes
00:29:53
that you wouldn't be able to do without it.
00:29:56
Speaker 2: Yes, and think about an AppSec engineer which needs
00:30:01
to understand code, which needs to understand a developer's
00:30:06
mentality and processes.
00:30:08
You need a cloud security engineer that deeply understands
00:30:12
AWS architecture and you need the developers to care about
00:30:18
because they have strengths.
00:30:19
And the developers to care about because they have
00:30:20
strengths.
00:30:20
And the developers you need to understand them.
00:30:24
They want to hit their target and their target is to deliver
00:30:31
high-quality features to increase the business, so the
00:30:36
business will grow.
00:30:38
To increase the business, so the business will grow.
00:30:41
If you will keep dealing with security issues again and again
00:30:42
and again, you will not deliver value to the business and it's a
00:30:46
vicious cycle.
00:30:47
So you need to prove as a security, as an application
00:30:50
security engineer.
00:30:51
I'm telling you I am in.
00:30:53
We as a company, you know we are a big company.
00:30:56
We are involved in the smart, with the smartest AppSec
00:31:01
engineers and developers in the world, and we built, I think,
00:31:06
the most, I would say, sophisticated AppSec program in
00:31:10
the market at the moment.
00:31:11
And the reason why we did it?
00:31:13
Because we proved in a quantified manner how much
00:31:18
effort you need to invest in every sprint in security and if
00:31:23
it passes the 5% you're done, go out.
00:31:27
You will impact the business in a negative way.
00:31:30
So because of the risk-based prioritization, because of the
00:31:36
understanding of software architecture.
00:31:38
Now you compare ASPM platforms.
00:31:40
You say, hey, this ASPM platform reduce it by I don't
00:31:45
know 25%, and Apiro managed to reduce it by 85% Pure business
00:31:52
outcome.
00:31:53
And this is why developers love eventually they're not using
00:32:00
the Apiro UI, but they're getting the Apiro bot into their
00:32:06
toolchain prioritize and fix their risks with simple
00:32:21
explanation of why this will impact the business.
00:32:24
So, tldr, we have a built-in business outcome report where we
00:32:32
show to your upper management two metrics Development velocity
00:32:38
goes up, risk goes down before releasing to the cloud and
00:32:45
that's it.
00:32:46
And this makes sense because finding, as you said a minute
00:32:50
ago, to find talent of security engineers it's so hard.
00:32:56
Security engineers it's so hard .
00:33:04
To find a partner on the software development side, it's
00:33:07
so hard.
00:33:07
They are very logical people and they're focused on
00:33:10
delivering value, high quality software with less bugs,
00:33:15
functional bugs and with less security bugs.
00:33:19
And this is how we bridge the gap between these teams.
00:33:24
Speaker 1: Yeah, it is.
00:33:25
It's an interesting challenge, but from what you described it
00:33:30
sounds like the old term, like shift left, right.
00:33:34
You can't get any farther left than where you're sitting right,
00:33:39
when you're able to inject yourself into the process.
00:33:43
Speaker 2: Exactly, and we just released two at Blackett when
00:33:47
Blackett, I don't remember August yeah, two months ago we
00:33:52
released, after working with so many customers as design
00:33:57
partners, we released our risk detection at the design phase.
00:34:02
So think about this your product managers are requesting
00:34:07
features day in, day out and no one actually like you, have so
00:34:13
many product managers and you cannot hire more AppSec
00:34:17
engineers and they cannot go and search in JIRA or whatever,
00:34:21
wherever you open the feature request, like based on keywords.
00:34:26
So we developed our own LLM model it's a private model, not
00:34:30
based on OpenAI or Hugging Phase or others that can actually,
00:34:34
based on understanding of your software architecture, scans the
00:34:38
text and say, hey, joe, this is a risky feature request and why
00:34:43
, and automatically generate threat model stories based on
00:34:49
stride, with contextual mitigations, because we know
00:34:55
which authentication framework you use in your software
00:34:58
architecture and we know which encryption framework and input
00:35:01
validation.
00:35:02
So if you requested an integration I don't know with
00:35:06
Facebook and send through the API these fields, we will tell
00:35:10
you hey, use Spring Security for input validation because the
00:35:14
threat can be spoofing, or information disclosure as part
00:35:19
of stride, and we do that automatically.
00:35:22
This saves tons of time and detect risks that without this
00:35:30
automated process you would never identify.
00:35:34
So we cover our customers at the design phase, at the feature
00:35:41
request phase, at the development phase commit pull
00:35:45
request and at the build and deploy phases before you release
00:35:49
to the cloud.
00:36:02
Speaker 1: So these are the intersection points where we put
00:36:03
our guardrails, our risk-based guardrails, in the development
00:36:05
labs.
00:36:05
Yeah, that is really fascinating.
00:36:06
You know, if you were to project out you know, say five
00:36:09
years, where do you think this space is going in five years,
00:36:15
with the, you know, heavy use of AI growing right, the usage of
00:36:21
these LLMs and whatnot, it's only going to grow from here.
00:36:24
It's probably going to grow exponentially quicker than what
00:36:28
we expect, it's already growing exponentially.
00:36:32
Speaker 2: We just released internally a report that proves
00:36:38
that every customer that started and again, there are two sides
00:36:42
of the coin in AI, in a second I will describe, but we looked at
00:36:47
the numbers and every customer that enabled Copilot or any
00:36:51
other AI-based code assistant, their code, the amount of group,
00:36:57
exponentially in the last six months.
00:37:00
This is a report that we generated internally.
00:37:05
We are thinking about how to anonymize it and maybe publish
00:37:11
it externally, but it's not an assumption anymore.
00:37:15
It's the fact that the data is showing it so.
00:37:20
But there are two sides of this coin.
00:37:22
Why?
00:37:23
One is you using ai for faster development?
00:37:28
Two, it's you as a developer, same developer using ai to make
00:37:35
your software more or smarter and more efficient.
00:37:40
Like, if you now go and embed OpenAI framework inside your
00:37:46
Java application, someone needs to identify it, someone needs to
00:37:50
govern it, someone needs to make sure you comply with all
00:37:54
the requirements and someone needs to trigger a pen test or a
00:37:59
security review or a compliance review in an automatic,
00:38:03
proactive way.
00:38:04
And this is goes back to our dca, the deep code analysis that
00:38:09
identify the software architecture automatically, map
00:38:13
all your gen ai usage in code and then trigger a process based
00:38:17
on the policy.
00:38:18
Now, I do think that both will introduce complete new attack
00:38:25
vector.
00:38:26
Complete new attack vector.
00:38:28
Why?
00:38:29
Because if you're, if you enable, if you're a vp engineer,
00:38:33
okay, vp software engineer.
00:38:36
Now, jo Joe wakes up tomorrow and enabled a copilot on your
00:38:43
GitHub repo.
00:38:44
Who knows that you enforce two reviewers on the pull request?
00:38:49
Who knows that your code changes are now growing
00:38:54
exponentially, growing exponentially?
00:38:55
And maybe you will not introduce foreign abilities, but
00:39:05
you will introduce major material changes to the
00:39:06
architecture and no one will know that, because the Gen AI,
00:39:09
or, sorry, copilot, decided to use a different serialization
00:39:13
framework.
00:39:14
And new serialization framework will open you to a completely
00:39:18
new attack and your SaaS tool will do literally zero because
00:39:24
there is no SQL injection in this serialization framework.
00:39:28
But it's a material change and no one knows about it.
00:39:31
So what I'm trying to say again , to make it shorter, it will
00:39:38
open in the next, not three to five years, in the next year,
00:39:45
completely new attack vector.
00:39:47
We will see totally different types of attacks and you need to
00:39:52
automate everything.
00:39:53
Automate everything Without the automation, without without the
00:39:59
automation, without the.
00:40:00
And when I say automation, it's not just yes, you know,
00:40:03
workflow in an orchestration tool, it's actually, sorry,
00:40:10
broken record.
00:40:11
It's actually understanding your software architecture, the
00:40:14
changes of your software architecture early in the
00:40:17
development lifecycle and then trigger a contextual process.
00:40:20
It can be a contextual threat model or a pen test or a
00:40:25
security review, but also a training, because if Joe did the
00:40:31
same mistake again and again and again five times, I don't
00:40:37
need to wait for the you know the one year training which is
00:40:41
so boring and everyone press next, next, next, next, next,
00:40:45
just to comply with PCI or whatever.
00:40:47
I need to train.
00:40:49
I need to trigger a contextual training to reduce the risk
00:40:52
before delivering to production to production.
00:41:03
Speaker 1: Yeah, yeah, absolutely.
00:41:03
We're moving into a really fascinating time where, you know
00:41:05
, new threats are going to be creating new attack vectors and
00:41:08
it'll be really interesting.
00:41:09
So I'll definitely have to have you back on, you know, sometime
00:41:12
in 2025, and we'll talk about the new ones that are coming up.
00:41:15
But you know, idan, unfortunately we're at the end
00:41:19
of our time here, but you know, I really enjoyed our
00:41:21
conversation.
00:41:23
Speaker 2: Likewise, likewise.
00:41:24
Thank you for having me, joe.
00:41:25
It was an interesting conversation.
00:41:27
I would love to talk more in 2025, when we see the new
00:41:32
attacks that are raising.
00:41:34
Speaker 1: Yeah, yeah, absolutely.
00:41:35
Well, you know, Idan, before I let you go, how about you tell
00:41:38
my audience where they could find you if they wanted to
00:41:41
connect with you and where they could find your company if they
00:41:43
wanted to learn more?
00:41:44
Sure.
00:41:46
Speaker 2: So LinkedIn, Twitter, you know, or Xcom, just add me
00:41:53
and send me a message, or just go to apiro A-P-I-I-R.
00:41:59
Apirocom and reach out.
00:42:03
Speaker 1: Awesome.
00:42:03
Well, thanks everyone.
00:42:05
I hope you enjoyed this episode .