Have you ever pondered how the world of cybersecurity is transforming rapidly, with application security at the forefront? Join us as we dive deep into this intriguing realm with our esteemed guest, Moti Gindi from Apiiro, a military veteran and product management whiz with a fascinating journey from the Israeli Cyber Units to incubating a security business at Microsoft.
Beginning his journey with technology during his seven-year military service, Moti's unique blend of computer science and linguistics armed him with an uncanny ability to filter vast amounts of data swiftly. His time in the Israeli Defense Forces and subsequent stint at Microsoft, leading the telecom mobile group and nurturing a security business from scratch, is a testament to his exceptional skill set.
With his current focus on the challenging terrain of application security, Moti deciphers the rapid changes in the market and underlines the critical need for a holistic approach. He sheds light on the importance of investing in cloud infrastructure security, application security, and security posture management to safeguard modern applications. A thought-provoking discussion that unravels the intricacies of code writing, AI, and generative technology, this episode promises to fuel your curiosity and leave you eager for more insights into the world of cybersecurity. Are you as excited as we are? Tune in and join the conversation as we navigate through this transformative landscape.
LinkedIn: https://www.linkedin.com/in/moti-gindi-7667b/
Apiiro: https://apiiro.com/
10k Media: https://www.10kmedia.co/
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, everyone? This is another Security Unfiltered podcast episode. So, real quick, before we dive into the episode, I have to give a big shout out to 10kMedia. This episode would not be possible without 10kMedia, so big shout out to Adam over there for putting this episode together, and with that we will go ahead and dive into the episode. Thanks, everyone. Good to finally have you on, Moti. I'm very excited for our conversation. I think it's going to be really interesting to see where it goes and to hear about your journey.
Speaker 2: Great, hi guys. Thank you, Joe, for inviting me.
Speaker 1: Yeah, absolutely. So, Moti, why don't we hear about how you got into IT, how you kind of got started with security? And the reason why I start everyone off there is because there's a section of my audience that is looking to get into security or looking to get into IT. Maybe they're doing a career change, right, and I feel hearing everyone's backgrounds really helps them to know, like, hey, if they did it, maybe I can do it, right? Or if they came from a similar background, maybe I can also do something like this. So what's your background? How did you get into it?
Speaker 2: I'm smiling because, you know, on one hand I have a very typical background, one that is relevant to people that are doing security and cyber in Israel.
Speaker 2:On the other end, it's rather unique from the point of view of general audience. So actually I got into security from my army. Like my army time I was a member of the Israeli cyber units Like the. It's a known number in the in the in the cyberspace, like 8200. So actually as a really young guy around the age of 18, I was recruited and went through a seven years of serving around security, cybersecurity, signal security, and I found out there during my time three very important things. One is that I really like the domain, I really care about it. I think.
Speaker 2: I really think that thinking as a defender or as an attacker, from the point of view of cyber, is a real intellectual problem. The second thing I found out and learned is that it's really natural for me to be in a position that, remember, it's an intelligence unit, so combines, on one hand, technical capabilities and, on the other hand, the big picture of intelligence, and in the industry it's called the product manager. There I found out that really what I want to do when I leave the army is actually product management, which is the connection between technology and need, and the role is the combination between the two. And the third thing I really liked and learned is the importance of the huge opportunity that cyber brings around innovation.
Speaker 2: Basically, again, as an attacker and as a defender, there is an endless amount of things. What you do is really limited only by your imagination, because at the end of the day, it's a combination of not only technology but technology and people. When you are trying to find vulnerabilities in code or you are trying to attack an infrastructure, in both cases, as much as you're handling the technology, you're actually handling the people that built it, and there is also an element there of psychology and processes, and the combination between security and people is really what...
Speaker 2: It sounds a little bit philosophical, so I understand that, but this is the thing that I really learned during my time in 8200 that I really like and, of course, doing good things for my country. But put that aside. So I spent there seven years, during which I also went to university and learned computer science and linguistics, and then started my career as a product manager in various companies, and in the last 10 or 12 years, a bit more than that actually, I came back to cybersecurity and served in roles and built products and created businesses which are in the cybersecurity space, first in Microsoft and then, in the last half year, in Apiiro.
Speaker 1: Wow, so there's a lot to unpack there. Talk to me a bit about how you decided to go down the computer science and linguistics path, right, or what made you want to do that work. I can understand the computer science part of it. The linguistics part is, like, I mean, it's not even out of left field, it's like out of the park, you know, trying to get into the playing field, right?
Speaker 2: I mean, again, it was around 20 years ago, but, like, consistently across the years at the university, Tel Aviv University, where I learned, there were always exactly two people that did this combination of linguistics and computer science, and I think the root of why I chose that was really related to the things I talked about earlier. Part of the problem that existed in intelligence work, like 20 years ago, and is really relevant today to every person, is the fact that you have so much information. Usually, you know, the problem you're seeing is that my problem is to get to the information. You can get to a lot of information in many ways, via multiple types of information. Then the problem came out of the vast amount of data that I have at my hands, at my table: how quickly do I choose the ones that actually help me to answer the question that I'm investigating now? And, as a result, not only in, like, in every intelligence organization, a big, big problem is around automatically, and before it was called AI, but using machines to help you to unpack what is the content that you are looking at, whether it's text or voice or code, whatever it means, like how you can scale yourself only by having machines that understand what you are looking for and help you to do the first level of filtering and consolidation and correlation of what you are looking for into something that you as a human being can digest as an analyst or as an intelligence officer. And, as a result, I had the luxury of, and the way to do that is, again, before GPT and before language models, the way to do that was by understanding natural language, and as part of my army service I had around two years in which that's something I did. That was in the technology part, the technology and intelligence part, of understanding human language automatically.
Speaker 2: And, as I said earlier, that was part of the thing that fascinated me, the combination around intelligence, but also people and understanding. Trying to understand what the document is talking about, to understand it, and trying to programmatically understand what is the thing that you're actually looking after, like what the reader, the intelligence reader, is looking after, program it, translate it to something which is programmatic and then allow a machine to understand this program and provide you valuable information. These were, like, for me and many other people, like the edge of technology that we handled back in the day in the intelligence corps sense. Then came Google and came GPT and came all of these technologies that are trying basically to do the same, like code a question and then bring you the relevant information, and for that you need to understand really well the question and you need to understand really well the answers that you are providing. And I was really interested in that. I did it practically in the army and then decided it's really interesting for me to try and learn about that, and then not only go through the usual computer science and programming but also understand kind of how our languages are programmed.
Speaker 2: And when I went into that, like, I went to Tel Aviv University, that is one of the only universities in the world that, when they teach linguistics, they don't ask you to know any language. Usually when you go to linguistics courses you need to learn, either in advance or through the three years, like seven languages. At Tel Aviv University the philosophy is called generative linguistics, interestingly, and the idea was that really there is a common framework, really an algorithm, that is the basis to all languages, and when we are born and we are learning English or Hebrew or Yiddish or German, actually we are taking the generic algorithm and setting it to a specific language, and understanding linguistics is really understanding the basic algorithm of how you know language, and so it is kind of a natural combination, if you think about that, between logic, mathematics and computer science.
Speaker 2: So these types of motivations brought me to learn it. It's so funny that 20 years after, with everything that is happening now with LLMs, the things that we did around neural networks used for natural language, for text understanding, etc., like as a hobby, like in the army 20 years ago, are now 1,000 times more sophisticated, but there is a comeback. But that's what I learned, and of course, after that I didn't exercise it at all at my work. It was more of, like, coming from the army, learning. I had a lot of time during my two years of doing this in the university, and then I moved to more traditional product, high-tech and then engineering management roles in the industry until I came back to security, as I said, around 12 years ago, when I joined Microsoft.
Speaker 1: Yeah, that's really interesting. I guess I never thought about it that way. The best way to work with a language model, or to create something that could review a document and give you the pertinent information, a couple bullet points, you would need to know linguistics, you would need to be an expert at linguistics. Really, that's very interesting, and it kind of takes me down the rabbit hole, right. Well, if this kind of existed 20 years ago and the public is just now seeing ChatGPT for the first time this year, basically, for the most part, what do they have now that we're going to see in the public in 20 years? That's always the fascinating part for me.
Speaker 1: I was watching another podcast, and this former Navy SEAL was talking about the night vision that was used on the raid to kill Osama bin Laden. In the movie Zero Dark Thirty, you see them as these four-tube things, and everyone that is into that kind of thing, that was brand new for them. They had never seen it before. He said, yeah, when I got into the Navy SEALs in the early 2000s, those were 10 years old. That was old tech. They were literally using hand-me-downs for that mission. I'm sitting here like, what? Because to me that was, like, cutting edge, like, oh my God, this is amazing. For him, it was just another day, just another day at the office, like, yeah, I'm going to use this old tech, hopefully it works, that sort of thing.
Speaker 2: I'll give you another example which rhymes with what you said, I think. Coming back, for example, to cyber, in the last 10 years plus, there is the common understanding of nation-state attacks and attacks which are sophisticated, which are not only based on a random malware on your computer trying to get Bitcoin out of you or do a simple phishing, but: I will collect intelligence and understand who you are, I have a really specific prize I am going after, I'm going after intellectual property, and then I will go low and slow. Nation-state attacks.
Speaker 2: Currently, all of the security products in this space are aiming to protect you from nation-state attacks. There was an aha moment 10 years ago with, I think, the so-called Chinese attack on RSA and Google, that brought that to attention and created completely new defense technologies like SIEM and XDR and EDR, part of the thing that I built. But again, 20 years ago, it was all known. That's the funny part of that. There are places in which I think intelligence bodies have the luxury of being really at the cutting edge of technology. So I totally agree.
Speaker 1: Yeah, it's really interesting to see what's out there, but you have to go through so much to see what's out there that it may not be worth it. So that kind of takes us to your time at Microsoft. Can we talk a little bit about what it was like to be at Microsoft, being such a large company, probably one of the largest in the world, for sure one of the biggest tech names of all time? What did you do there? What did you specialize in? We talked about your, I guess it was, product management experience within your 8200 group. Did that experience translate over to Microsoft very well, or was there a learning curve behind it?
Speaker 2: So I had two distinct periods in Microsoft. The first one, I think the first three or four years, I joined Microsoft, and back then I was already a director of product management. I had worked in multiple companies before joining Microsoft, I had also established my own startup and I had vast experience, and then I joined Microsoft as a director of product management and then as an engineering and product manager, and it was, I think, in a kind of standard type of product for Microsoft.
Speaker 2: I joined originally and was part of the telecom mobile group in Microsoft, developing mobile applications and mobile solutions, and then started to work on the advertising products of Microsoft. Microsoft back then had a very big advertising product where, by the way, tons of what I knew later and implemented later in security, which we'll talk about, which is that security is data and AI and data science, I actually learned during my days leading a team in Microsoft that was responsible for targeting, like understanding you, understanding the retailer and matching the best we can, as quickly as we can, between the ad and the person, so the chance for you to click will be the biggest, the highest possible. Not a noble cause, I think, I'm not too proud from the point of view of the impact that we made on the world, but really, again, cutting-edge technology that had, later on, a lot of similarities when we actually incubated the security business in Microsoft, which I'm happy to talk about later. But that's where I spent three or four years, and then I left Microsoft.
Speaker 2: I felt that I needed something. Again, it sounds like a little bit of a cliché, but I felt that I needed something that is bigger, more impactful, and that I am handling, I am building products, and good products, and delivering in quality and creating more money and sophisticated algorithms and really cutting-edge technology, but I'm not making enough impact. I'm not the first one, probably, that said that, but this is what I felt back then. And then I left and actually did a pause in my high-tech career and went to do something completely different, and worked for three years for the Israeli Prime Minister's Office, the Israeli government, where I spent three years doing some of the most interesting things I did in my life, with the feeling that I'm creating an impact and value.
Speaker 2: And then, when I left there, I got an offer to rejoin Microsoft and I did, mainly because of my life. It's a great company and great people and I really wanted to go back there, but I rebooted my career over there. I didn't join an existing business. I actually incubated, together with two good friends, a startup within Microsoft around security, which I led as the leader for seven years, and from these three persons the startup grew to 600 people that I managed, from zero revenue to a business of more than $2 billion in revenue and tens of thousands of customers we protected. And I think this was probably the most influential part of my career, and an amazing seven, eight years that I spent in Microsoft.
Speaker 1: Wow, there's a lot there again. You know, what you discussed, the work with the government, right, that it was the most rewarding work that you've ever done. And, honestly, when I think of working for the government myself, right, that's absolutely at the front of my mind, right, helping change and direct things in the right way with the government that's impacting your nation. And I mean, that's a huge honor. Can you talk a little bit about what you were doing for them? Were you potentially looking at, let's say, digital threats or whatever it might be, right, and then kind of translating that to people that are not as aware or not as fluent in the area as you were? Like, what was that work like?
Speaker 2: I can't talk too much about that. I would only say that it's like the usual. It's like, we use technology to help people and make sure that, you know, the country is safe, etc. An amazing three years. But it's hard for me to go into more details. I would say that, really, it's coming back to the core of the things I liked in every role that I did. Maybe that's like a more meta statement.
Speaker 2: It was an amazing opportunity in which innovation was the thing, innovation and being focused on a mission and using technology to achieve this mission, and imagination was the only thing that stopped us. That's one. And I think what I tried to reestablish and to find for myself later, when I went to Microsoft and now when I'm in Apiiro, is exactly this type of culture: the fact that we are doing new stuff. New stuff is really interesting, but it also has to be really, really important. It's not enough that it will be really interesting. It should be really important.
Speaker 2: That's the main reason that, when, and I'm thankful to Microsoft for giving me the opportunity and to the managers back then that believed in that, when we tried to establish a security business in Microsoft, it was, one, because we thought we could do a really good job. We could make a lot of money for the company, but also we could really take a broken market and help customers to be more safe, really. And that thing of doing good, how impactful it is on me and also on the people that worked with me, is one of the things that I took really deeply from the work that I did in these three years and into my career moving forward. There is nothing that creates more motivation than the impact that you are making on actual stuff.
Speaker 1: Right. So at Microsoft, when you went back to Microsoft, you mentioned that you were kind of in charge of creating a product that would make some significant changes, right, within the security ecosystem, potentially at Microsoft, right? So when I look at your LinkedIn, right, it says that you were in charge of endpoint security, so to me that sounds like Microsoft Defender. Is that a correct assumption, or...?
Speaker 2: Yeah, I was part of the... I led the innovation team that started Microsoft Defender.
Speaker 1: Yes. Okay, yeah. I mean, you know, as someone that is typically, you know, just naturally against using Azure, right? Well, let's assume that we have to use Azure. It's hard, it's very difficult, you know, nowadays to not recommend using Defender, right? I mean, it is such an all-encompassing security solution. It's really more of a security platform within Microsoft Azure, right? That's the point that it is at right now, you know, of being so expansive, of touching basically every facet that you can use and deploy in Azure. It touches it.
Speaker 1: Were you instrumental in kind of changing the perception of Microsoft Defender? And the reason why I say that is because, you know, previously, right, Microsoft Defender was that thing on your desktop or laptop, that was antivirus, that was kind of made fun of, right, that was lacking in some areas compared to the rest of the market. And then, when they introduced that into Azure, right, it was almost thought of the same way. Right, we, as everyone in the technology space, kind of assumed, like, oh, it's going to be the same thing. Very rapidly that changed. When people were, you know, seeing the different features and functionality and what it was able to do and what it was catching and how it was actually operating, people quickly started to shift their perspective. You know, and that was an interesting time in the industry. Were you instrumental in that as well?
Speaker 2: I hope so, because, when I, like, I believe so. When we started Microsoft, when we started the Defender, like at the beginning, it was called Windows Defender and then we evolved to Microsoft Defender, and the name change also came with the strategy change. We can talk about it later. But when we started, exactly, Defender was a consumer antivirus that was given for free as part of the operating system. There were tons of people that worked in Microsoft on security, but their approach was security in the platform, so making Windows more secure in general, and there were two things that were non-existent in Microsoft. A, security wasn't the business, it wasn't something we were selling. B, it wasn't something that was focused on businesses and enterprises. And basically our incubation and pitch back then to the head of Microsoft, to the head of Windows, like when I pitched the incubation and got the initial funding to actually start the work, was that we think we can change these two things. First, we need to focus in Microsoft on supplying security for enterprises, which brings a much higher bar than just an AV, an antivirus on the consumer machine. Secondly, that we need to think about that as a business. And then came all the technology and why we think we'll do it much better because of the cloud, because of AI, because of, like, basically, we said that we think that we can. Not only us, by the way; in parallel, other vendors, like CrowdStrike and, somewhat more recently, SentinelOne, said similar things.
Speaker 2: But the common understanding was back then that, like, in order to make security work, we need endpoint security to work. We need to change the game in security, so that the way to catch sophisticated nation-state attackers is not by being a policeman that says, hey, here is a, like, this is what the AV did, the antivirus, this is a bad thing, stop it. Attackers are much more sophisticated. They are usually not doing bad things. They are doing usual things with a bad intent. So you need to evolve from being, that was our pitch, from being a policeman to being a detective, or from being a doorman to being like a DVR system that actually has a CSI type of, like, that records everything and searches for anomalies and searches for the sophisticated, for the mistakes that the attackers are doing, and then understanding the entire scope of the breach. And the way to do that is data, and data in the cloud.
Speaker 2: And back in the days in Microsoft we thought we had a unique advantage, and that was really the pitch, really the 30-second pitch of why we got funded at the beginning, and the first one or two years were to prove that this technology is actually working and to create the go-to-market motion that allows Microsoft to talk with security people in the enterprises, because we sold Windows, or they sold Windows, to IT, and we went and said, no, we want to be a security player, and a respected security player with a product, and for that we needed to find the right persona, which was the SOC persona and the CISO persona, which was a persona that Microsoft didn't approach. And so the first two years were all about building the technology, showing that it's actually working, that we can catch sophisticated attacks, this technology that was later known in the industry as, like, endpoint detection and response, EDR, and, secondly, building the go-to-market motion of being able to deliver this value to SecOps and CISOs and actually also ask money for that. So after three years, like we were, I'm using now Gartner, like everyone knows Gartner, so I'm using Gartner as a reference.
Speaker 2: Then, when we started, like, we were, I think, a niche player in the Defender, in the endpoint protection Magic Quadrant, which compares between different vendors and gives them grades, and we did all of the voyage from niche to contender to, after three or four years, market leader, together with others, like CrowdStrike, like another, and since then I managed the team till a year and a half ago, two years ago, so it was the first seven years. We grew, as always a combination of good luck and good execution. We grew significantly in the size of the business, in the credibility of the market leadership. I think today it's really common that Microsoft and CrowdStrike and possibly SentinelOne are the three leaders in the endpoint security space. And we grew the team and we grew the impact.
Speaker 2: I think, after that, I would say after a few years, we changed the name from Windows Defender to Microsoft Defender, and it was part of another aha moment that we had, not a revealing one in Microsoft, but the fact that not all endpoints in the world are Windows. 80% of them are, or 80% in the PC space, okay, but there is Mac and of course there is Linux, and in the data center Linux is the most prevalent, and of course there is mobile, iOS and Android. So really, if you want to be a credible endpoint security player that actually brings value to a customer, not only sells but actually brings value, we need to evolve to meet the customer where they are and not protect only Windows because we are Microsoft, but actually protect, and we developed Linux capabilities and Mac capabilities and iOS and Android, and again slowly gained. You can imagine CISOs that were rather suspicious of, really, Microsoft, you are going to be best of breed protecting Mac or Linux? I don't believe that. And I think part of the general game in Microsoft back in the days under Satya's leadership, and security was kind of at the forefront, was: yes, we are not a Microsoft player, we are a security player, and that part of the product helped us to change step by step the perception of what Defender is and the value of Defender, and create also a sizeable business.
Speaker 2: And I led during this time. I was the product leader, so I managed the product management, engineering teams, research, dev work, et cetera. All of the operations that actually brought the product were under my responsibility. Amazing seven years of scale. Each year is really different from the others, from nothing to a huge business. Tons of impact, not only business, but also really helping customers, which is the most important thing, as you understand, and also growing as a manager from a really small team to a huge operation of multiple hundreds of people.
Speaker 1: That's really interesting. That's fascinating how you explained it, right: you essentially created the security component in the cloud, really redefined it and re-engineered the solution from the ground up, it sounds like, and in doing that, you even had to create a new perception of how this business should be viewed internally at Microsoft, which is really fascinating to me. So is this kind of viewed as almost like a separate entity within Microsoft that has its own bottom line, its own cost and things like that? Is that kind of how that's viewed within there? Because it's so large, I can understand why Microsoft would do that, you know.
Speaker 2: So I'll say two things. First of all, I think, like you said it really nicely, before I answer the issue around the P&L, our pitch was there, like when we tried to pitch. So one analogy we used was from a policeman to a detective. The second one was that the previous framework of how you protect endpoints was from within the endpoint itself. You installed an AV, or code, that protected the device that it ran on. And our technological approach, or innovative approach, was, we called it the brain in the cloud, like the cloud is actually protecting your endpoint. The endpoint is only sending data to the cloud and getting commands from the cloud, but now you get infinite scale. You get the capability to look across, not only when I protect your endpoint, it's not only your endpoint, I actually compare it to all of the history of this endpoint and the other endpoints near it in the same organization and all of the organizations in the world and all of the Windows in the world and all of the devices in the world. So really, the brain in the cloud was kind of the tag name that we used under the internal code name of Defender. We started from day one or day two as a separate P&L, but not as a separate org. We were part of the Windows org for a long time, until, I think, two years ago, and that's really kind of the evolution and story of security in Microsoft. We were not the only security business, there were other security teams, but each team sat in the platform they protected. So we protected endpoints, we were part of the endpoint team that built Windows, et cetera, but there was an email protection team that was part of the Office team, and there was a cloud protection team that was part of the cloud team, the Azure team, et cetera, and it was publicly announced,
I think around two years ago, maybe a little bit more than that, it was a big decision in Microsoft to actually combine all of the distributed security teams into one security business, and one of the founders of AWS, Charlie Bell, joined Microsoft and actually established this, reporting to Satya, and took all of the three or four, five different security product teams in each of the lines of business. That created the security line of business. It was a very important step in Microsoft's voyage of becoming a security player. At this point of time,
Speaker 2: coming back to me.
Speaker 2: Actually, I changed role and moved from leading one of the security lines, the Defender line, and took a more holistic, horizontal role, reporting to Charlie, of chief strategy officer for the security business.
Speaker 2: My role was to look at product strategy across all of the product lines that Microsoft security now had in one team, so endpoint was one, I mentioned that, but there was also identity and compliance and data protection, et cetera, and cloud protection, and my role was to look across all of these different markets, different products, and lead product strategy, which is the horizontal one, and also try innovation and understand what is the growth framework of Microsoft, what are the new markets we think are interesting, what are the things in which we have gaps and we need to complete. And that was kind of moving from the trenches to the headquarters and looking with a bird's eye view across everything that Microsoft did in security, which is almost everything that exists in security. So that was again another unique experience. That was my last role in Microsoft, and it actually brought me back into the trenches, into a new domain in application security, which is what I'm doing now in Apiiro.
Speaker 1: Yeah, it's fascinating how Microsoft has turned themselves into a one-stop shop for almost everything tech, everything that you could imagine with tech, everything that you'd want to do. They're basically a one-stop shop and it's just, it's challenging, right, it has its own native challenges, but it's extremely beneficial for a lot of companies out there and that's why a lot of companies go all in on Microsoft. So can we talk a bit about what you're doing at Apiiro, what the company specializes in and what you're specialized in within the company?
Speaker 2: Yeah, gladly. So I'll actually connect it really naturally to my last role in Microsoft.
Speaker 2: As I said. So, first of all, Apiiro is in the domain of application security. We are building a cloud application security platform that helps customers to build and deliver secure code, and I joined the company. It's a three-year-old company, so I joined it not at the beginning, but it's really a relatively young company, as chief product officer, and, as you can see, it's like now you understand the story of my life. I really went from working in a big company, building an incubation, and now I'll be modest, but also succeeding in building a very, very huge business, and then having an overarching look across an even wider business, around a $20 billion business, which is the security business of Microsoft, like they publicly said that. Coming back to the trenches, to a small team, to doing stuff with hands and from the beginning, and I couldn't be happier about that, and the reason I joined, though, there are two different kinds of forces that brought me into the role, so I'll share them and then talk a little bit about what we are doing. So one thing is the domain in which Apiiro is working, and I think it has an opportunity to be really impactful, which is the problem statement, which is helping customers, helping businesses that are writing code, which is basically every business in the world today, to deliver, to build and deliver code that is secure from the beginning.
Speaker 2: I have, as I said, multiple years of experience, from both sides, defender and attacker, in security, and for eight years, like my role in Microsoft, we ran after attackers that actually manipulated vulnerabilities and bugs and issues that existed in software. If you think about that, it's kind of like we were the doctor that, when there was a disease, we tried to identify the disease and make you healthier. But we fixed it, okay, we evacuated the attacker and everything was safe. And then a week after, a month after, a year after, the attacker came back in a different way. So you are again going to the doctor, and again you are going to the doctor, and you can ask yourself, if you're a doctor that every time fixes a disease and then the disease comes back, are you a good doctor? And that was kind of a philosophy. That's really the philosophical problem with detection and response. You're always reacting to the attacker, and you can be very good, but then the attacker will come back. And to continue this analogy, if you do your exercise and eat well and don't eat a lot of carbs, et cetera, the chances you will go to the doctor are actually reducing, and application security is all about that. It's being able to create code from day one that is harder for an attacker to manipulate. And if you do that, the job of detection and response, which is reactive, after the fact, is actually becoming much more redundant. So really the important thing is living in good health and not finding diseases quickly, and that's actually, again, I'm a little bit philosophical, but one of the things that was really important for me.
Speaker 2: When I had the opportunity to look over the overarching things that are happening in security, I said I want to go back to the root problem, shift left, but really shift left to solving the problems that hopefully are, if they are, the most cost-effective to be solved, and if they are solved, all the rest of the problems of detection and response of attackers become much easier. So in application security I saw exactly this opportunity. But also I saw a big problem that is getting bigger, because every company is writing code, but also getting deeper, because the way that we write code is also different. It's not now again the sequential let's plan the application, develop it, test it, deliver one year after. But actually some of our customers today are delivering code to production hundreds of times or thousands of times a day, and they are doing that with tens of thousands of engineers. That's what they are doing. So actually understanding your code, because it's changing so much and so often in so many ways. And now comes Copilot or an LLM like ChatGPT type of technology that are writing code autonomously. So actually the surface area is changing so much and growing and becoming so complicated that the problem, so it's coming back, it's a big problem and it's an important problem and it's changing and getting bigger every time.
Speaker 2: And I thought that I have both the passion to help solve this problem and also have good ideas on how to approach it, similar to the pitch that I had when we started Defender as an EDR. I thought that we can do things as an industry fundamentally differently, and that if we do that, we'll be a really big company and a really impactful business. And this is why I decided that I want to dive in again, from the headquarters to the trenches, and try to do something big again in the area of application security. So that was motivation number one. Motivation number two: I wanted to do that in the real world. Like, Microsoft is an amazing place, only good things, maybe I'll come back in the future, but it is a big company, and a big company moves slower and is also more immune to mistakes. If you make mistakes, you have more chances to fix them, by definition, because the company has more resources and more time and more trust with customers. And something that I wanted, a personal experience that I wanted to have in my life, is building a big business, hopefully successful, but from the beginning, in a smaller team, moving much faster but also with fewer places to make mistakes. And this is why I said that I actually want to join a younger company in the domain of application security. And then Apiiro came up. Apiiro I know for a long time.
Speaker 2: I know Idan, the co-founder and the CEO, Idan Plotnik, who was actually a peer of mine in Microsoft, where he managed the identity security team and I managed the endpoint security team.
Speaker 2: So we had a lot of time together. We built trust and love. So I knew Apiiro and what they did and the approach that they are taking to application security, and I thought it is an amazing combination for me to join a great team with a vision that was very much aligned to how I think application security should look, radically different, and with a team that I trust, and a team and a company and a set of investors that think big, that think that we need to build a huge, and can build a huge, business, not only solve a small problem, and this is the type of thing that was really very important for me in Microsoft and now that we are replicating: solve something that is significant. So the combination of the domain, my passion, personal passion, and my appreciation for the specific company, Apiiro, made me join around six months ago as chief product officer, with Idan and, you know, Idan and the other people in Apiiro, and since then I'm in heaven.
Speaker 1: So, you know, I think one of the common misconceptions within cloud security, right, is probably that a CSPM, a cloud security posture management solution, covers your applications in the cloud, that it provides, you know, the expected level of insight into the application, into the code base, into the pipeline, right. But that's not the case. You know, I'll tell you right now, right, I have a CSPM, I have one CSPM that looks at the cloud, and then I have like five different technologies that look at applications. It is, it's, you know, it's frustrating for me as a security person, because I want as few places to go as possible to manage the security of my environment. Not even from a, you know, single pane of glass, that was kind of, you know, that terminology has kind of been burnt down and buried, right, because it was just so overused. But you want as few places to go as possible so that you can make an intelligent decision about your environment, of what you should be doing to better secure it.
Speaker 1: And I'm wondering, you know, a part of application security, as we've seen with SolarWinds, is supply chain security. And that is a huge, gigantic headache that everyone in application security and cloud security overall has, because now it kind of reshaped how everyone is thinking about, you know, security overall, right? It's like, oh well, we need to start looking at everything that makes up this application, everything that makes up this environment, because what if, you know, this random vendor is breached that we use for this one thing, and now they're manipulating it in a different way that we didn't expect, right? And so does your application security posture management solution also cover supply chain attacks and supply chain security?
Speaker 2: Yes. The short answer is yes. I think there are, like you said, multiple things. I'll start with CSPM and ASPM for a minute, like cloud security posture management and application security posture management. Thanks to Gartner for inventing these acronyms, but really they are capturing the yin and yang, I think, of protecting modern applications.
Speaker 2: Like you need to protect the house and how it is being built. That's the analogy of the cloud infrastructure. You need to make sure that you have protected VMs and protected the buckets and connected them the right way, and there is a network that is connected the right way and configured the right way. But also you need to protect the people that are in the house, which in this analogy is the application itself, and the application itself, as I said, is built from thousands of different modules that are changing thousands of times a day by thousands of people, which are the engineers, and then you can't protect only the envelope and be agnostic to the content that is running there. And therefore I'm not inventing anything, in the sense that there is investment that you need to make in cloud security, infrastructure security, and there are investments that you need to make in actually the content of your application, application security testing and now ASPM. So first of all, as I said, they are kind of, you can't do the one or the other, one is complementary to the other. And also you see that in the personas that we are serving in big organizations: CSPM is usually going into the cloud infrastructure type of teams, and ASPM is going into the application security teams that are working closer, shifted left, closer with engineering, and trying to identify. I would say that's another important thing about ASPM. The key thing there is not only to identify risks after the fact, but doing everything that you can do in order to stop them from ever happening again, or stop them from happening at the beginning. So actually, putting Gartner aside, ASPM is a lot about, in my view, prevention and not only about detection, prioritization and remediation, and that's really, I think that's part of what a lot of our ASPM competitors or friends are missing.
Speaker 2: It's not only yet another system to collect logs and collect alerts and show them in one queue, but it's actually to manage the technology and the process that stops them from ever happening again, and that's the tough thing.
Speaker 2: Another thing I would say: when you say protecting the application, 10 years ago, five years ago, three years ago, it meant protecting the application code. You had tools like SAST that search for SQL injection in the code, and you had tools like SCA that search for vulnerable open source dependencies, and you had, you still have, tools that are looking for secrets in code, et cetera, et cetera. But a modern application, as we said earlier, is much more than the code that is being developed. It's actually all of the supply chain of how it was developed, so to your point of SolarWinds and open source dependencies, but it's also the way that it was built and deployed into production. So even if you have code without SQL injection at all and no vulnerabilities, but this code was built via a pipeline that had a vulnerable Jenkins plugin, the code is as vulnerable as code that has SQL injection. And even your delivery to the cloud is a code element, so it's based on infrastructure as code. So even if your application code has no vulnerabilities, but your deployment to the cloud, Terraform et cetera, infrastructure as code, actually is doing that in the wrong way, like deploying it to a public server, then your application is as vulnerable as if you had SQL injection. And even if the code that you wrote is actually amazing and has no vulnerabilities, but you used a vulnerable, not even a vulnerable package, you used malware, like a package that has no CVE but is doing really bad things, then your application is still not secure. So really modern application security must, must, must
Speaker 2: look from, I would say, even design. Like, even if your application has no vulnerabilities, no SQL injection and no open source, but it is designed in a way that there is an API that is open to the internet, that is not authenticated and gives access to PII information, then it's not secure. So the only way to actually secure a modern application is to understand what the application needs to do in the design phase, how it is being developed and changed hundreds of times, thousands of times daily during the development phase, how it is being built and how it is being deployed and executed. And in Apiiro, that's part of what they said, like, hey, Apiiro is a big company, a company with a big vision. That's the core of what we're saying. We're saying application security is from design, threat modeling, design, software architecture, to code scanning, code understanding, understanding vulnerabilities in code, understanding code reviews, understanding changes, which are code, understanding the software components that are coming from outside into the code through deployment, through build, so understanding the build pipeline and the deployment pipeline, and that's kind of the core of what we are doing. We call it risk graph, but the idea is that all of these things are interconnected.
Speaker 2: The way that your application is being built is a combination of APIs and data models and serverless functions and Kubernetes clusters and configurations, and only by combining all of that together can you have the foundation on top of which you can say here is a vulnerability, and this vulnerability is more important than this vulnerability, and really answer the question that all of the customers want us to answer, which is: I have one hour; out of the 100,000 vulnerabilities that are appearing in my queues, from the five tools that I have, what are the three that I really need to solve, that have the biggest likelihood to happen, or the highest impact if they happen, or are the most cost-effective for me to fix, if I actually now put one hour into that? And that's the core intellectual property of what we do, and managing a process on top of that that allows you to understand it, how you are progressing, understand, communicate with your developers, and manage an improvement process that shows that my one hour today is more effective than my one hour yesterday, for example.
Speaker 1: Yeah, it's really fascinating. It's an area of security that is growing rapidly, that more and more people have to pay attention to. So, you know, Moti, you know, unfortunately we're coming to the end of our time here. I feel like we almost need a part two to this episode to have you back on and talk about Apiiro a bit more. But before I let you go, how about you tell my audience, you know, where they can find you, where they can find Apiiro, and what the best way to reach out would be?
Speaker 2: So we are at apiiro.com. I am available, even directly through my email, and I think we are, I'll say like two last, maybe, sentences. I think application security is a market, like endpoint security 10 years ago, is a market that is completely being changed. In the coming two or three years from now it will look completely different than how it is today.
Speaker 2: We didn't even have the time to talk about generative AI and how it actually affects code understanding and vulnerabilities in code, but there is so much innovation that is happening there. And the second thing: the companies that will win and succeed in creating worldwide impact are the ones that think about this problem holistically, and I think we are one of the few companies that are actually doing that, looking from design till production, and I'm happy for everyone, everyone, either on LinkedIn or via direct email, if they are sharing the passion we have or have a question, to reach out. I hope through the podcast you see the lightning in my eyes and the energy of, really, it's an important, huge problem that, like, we have now a unique opportunity to solve in the coming years. So totally, yeah, absolutely.
Speaker 1: I'm really excited to see where this space goes and I'm looking forward to, you know, bringing you back on and talking about it a bit more. Well, thanks everyone. I really appreciate you listening and I hope you enjoyed this episode.