Embark on a transformative odyssey with Varun, a coding-challenged student turned technical tycoon, as he narrates his ascent from ethical hacking enthusiast to the founder of trailblazing enterprises. His tale is a beacon for anyone at the intersection of tech savvy and pioneering vision, emphasizing the crucial alignment between a founder and the market, as well as the delicate dance of transitioning from a specialist to a commanding leader. Varun's candid anecdotes and insights, gleaned from his times at Deloitte, KPMG, and Salesforce, evolve into a study on the meticulous craft of constructing a company from the ground up, hiring a team that embodies trust and diversity, and the pivotal role these elements play in the success and scaling of a startup.
With a spotlight on the dynamically shifting cybersecurity landscape, we navigate through the trials and triumphs of an industry grappling with cloud vulnerabilities and software supply chain threats. Varun's critique is unflinching as he discusses the balancing act between development speed and robust security practices. He peels back the layers on the opaque nature of vendor relations, advocating for transparency and education as cornerstones for better informed security decisions. Further enriching the dialogue, Varun unveils the ethos behind Endor Labs, his venture that aims to revolutionize software supply chain security and catalyze community engagement.
As we surge forward, the conversation turns to the future—where AI's role in cybersecurity promises enhancement, not replacement, of human ingenuity. Varun's forward-thinking perspective underscores the impending rise of software supply chain security and the enduring challenge of identity security. He casts a critical eye towards the interplay of regulations like SBOMs in setting new standards, and concludes with an invitation to explore the community and resources at Endor Labs, positioning them as a nexus of technical excellence and educational outreach. You're about to tune into an episode that's not just a treasure trove of wisdom but a call to arms for the cybersecurity guardians of tomorrow.
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: Hey, Varun, how's it going?
00:00:01
It's really good to get you on the podcast.
00:00:04
I know we've been planning this thing for a while now and I'm
00:00:08
really excited for our conversation.
00:00:10
Speaker 2: Yeah, likewise, Joe, excited to be here.
00:00:13
Speaker 1: Yeah, absolutely.
00:00:14
It's definitely a crazy time of the year for, I think, everyone
00:00:19
just trying to get schedules to line up and everything.
00:00:23
Yesterday, I remember that I had to go and take an AWS cert
00:00:28
this morning.
00:00:29
I was like, oh okay, that's great, I have to go do that now.
00:00:34
But Varun, I start everyone off with telling their background
00:00:39
right how you got into IT, how you got into security, even what
00:00:46
interested you in the fields or what got you interested to make
00:00:51
you want to go down this path.
00:00:53
Speaker 2: Yeah, it's a fascinating question because I
00:00:55
was doing my undergrad in computer science at the
00:00:57
University of Southern California and I was just a
00:01:01
horrific coder and nor was I good at it, but also I just
00:01:08
wasn't excited and passionate about it and being South Asian
00:01:12
Indian, by the sand, it's like you either become a doctor or an
00:01:15
engineer.
00:01:15
So I had to go finish my degree.
00:01:17
But the one thing that was very clear to me by junior year was
00:01:21
I couldn't see myself being a software engineer.
00:01:24
And so you scramble and say, well, what else would be good
00:01:27
and relevant?
00:01:28
And what I enjoyed truly doing was being on the business side
00:01:30
of technology.
00:01:31
And it so happened that I ended up taking an elective course in
00:01:36
ethical hacking and I absolutely loved what I did.
00:01:39
You could break into people's networks without going to jail
00:01:43
and it was like cool stuff, cool, geeky, cool stuff.
00:01:47
But then kind of the next challenge began, which is back
00:01:50
I'm talking 17 years ago.
00:01:52
Nobody really hired information security professionals out of
00:01:55
college.
00:01:55
You had to be a systems engineer, IT professional, and
00:01:59
then you kind of a few years in, made your way into InfoSec and
00:02:03
so, scrambling through all of the career fairs and interview
00:02:07
processes, I was trying to find my wedge in and it so happened
00:02:11
that I got two offers, one from Deloitte and one from KPMG, to
00:02:14
be an IT consultant and I kind of played them both against each
00:02:17
other to say who would allow me to get into the security track
00:02:21
faster and ended up joining KPMG through the university
00:02:27
recruiting process.
00:02:28
It's been a couple years there, just great experience.
00:02:31
Salesforce happened to be one of my clients and this is back
00:02:34
in 2006.
00:02:35
They had their first security breach, a first cloud company
00:02:39
security breach kind of a big deal and they brought me in full
00:02:43
time to join them and run the platform and kind of app
00:02:48
exchange ecosystem security team.
00:02:50
There was only five, six of us in security at Salesforce.
00:02:54
The whole company was 1500 employees and it was just an
00:02:57
amazing four years learning about cloud security before most
00:03:02
people could spell cloud security.
00:03:04
And then, starting in 2010, I just was starting to get bored
00:03:07
in that job and ended up was about to go to business school
00:03:11
but realized a more real world MBA would be a better option for
00:03:15
me and so I ended up starting a company in the cloud security
00:03:19
space and just since then I haven't looked back 13 years of
00:03:22
company building.
00:03:23
The first company was in the SaaS security space.
00:03:25
The second was as we were migrating from data centers to
00:03:29
platforms like AWS, what would the security architectures look
00:03:33
like in the cloud?
00:03:34
I started RedLock in 2015, which is a cloud security
00:03:39
posture management company, and really got the privilege and
00:03:42
honor of defining what we know of today as CNAPP, both before
00:03:46
the acquisition by Palo Alto Networks, but also after, when I
00:03:49
created a product called Prisma Cloud, which is one of the
00:03:53
market leaders today in cloud security, and I'd say, just
00:03:57
being a student of the business, how it all ties together to
00:03:59
today is when SolarWinds happened.
00:04:03
My board was asking me a lot of questions around software
00:04:05
supply chain security and I just kind of dove in to understand
00:04:09
more about it and what I recognized was the way we build
00:04:13
software is changing rapidly and I'm sure we'll get into that.
00:04:16
I don't want to steal the thunder, but that led to the
00:04:19
creation of my third startup, which I'm working on now, called
00:04:22
Endor Labs, in the software supply chain space.
00:04:26
Speaker 1: Hmm, it's really.
00:04:28
It's fascinating when, when I talk to people that go from a
00:04:36
technical, you know role right, or a technical background, you
00:04:40
know hands in the weeds right to founding something, to actually
00:04:46
starting something, and then you know there's like that one
00:04:50
one percent or one percent of one percent that are they're
00:04:54
actually successful right, that you actually know, you know the
00:04:57
names of the products, you've worked with them and things like
00:05:00
that.
00:05:00
You know what does it take for someone with a technical
00:05:05
background to make that jump?
00:05:07
Do you think what are maybe some key skills that you may
00:05:11
have developed?
00:05:13
Speaker 2: Yeah, you know it's a great question and oftentimes
00:05:15
in startups you hear about this term product market fit, product
00:05:19
market fit, but we'll get to that.
00:05:21
But really it starts with founder market fit.
00:05:23
So if I look back and say in my career, like what is made, what
00:05:28
is being kind of the criteria, that's helped me be successful,
00:05:31
it's a few things right.
00:05:32
One is, again, I took advantage of the fact that I knew more
00:05:36
about cloud security than 95% of the world back between 2006
00:05:41
through 2010.
00:05:44
And so it was a learning.
00:05:45
It was a first-hand understanding that thousands of
00:05:48
enterprise customers really wanted to use Salesforce.com but
00:05:51
were concerned about data residency and privacy.
00:05:54
And oh my gosh, you're going to have my customer data outside
00:05:57
of my firewall and I don't control anything.
00:05:59
I don't know if you're encrypting it where the world is
00:06:03
stored.
00:06:03
And just hearing those challenges over and over again
00:06:08
helped me get customer empathy and ultimately create the first
00:06:12
company which defined the whole CASB category, like 2010.
00:06:16
When we started CypherCloud, there was no CASB and our first
00:06:19
product was encryption data protection for Salesforce, which
00:06:22
eventually evolved into this reverse proxy architecture.
00:06:26
And so I believe this founder market fit like understanding
00:06:30
the problem firsthand is super important, I think if you're
00:06:35
technical enough to be dangerous, it's always helpful, and
00:06:38
there's two tracks of technical.
00:06:40
You can be technical in understanding the what but maybe
00:06:44
not the how, which takes you down a very good product
00:06:47
management path.
00:06:48
If you're technical where you're the person who's building
00:06:51
stuff, it's really good because you can actually go build the
00:06:54
software.
00:06:55
But I think at some point you have to realize and understand
00:06:58
your strengths and weaknesses and say who do I need to round
00:07:02
myself up with in starting a company that can address the
00:07:06
weaknesses or shortcomings or lack of experience I have in
00:07:09
certain areas.
00:07:10
So if you're a deeply technical engineering background person
00:07:14
but fundraising is something you don't understand as well, or
00:07:18
market validation, engaging customers, selling and marketing
00:07:22
and messaging aspects, then you better find somebody who can
00:07:26
help you round those skills up because, to your point, the odds
00:07:30
are against you.
00:07:31
In order to turn the odds in your favor, you've got to round up
00:07:34
the best team.
00:07:35
The best team will eventually build great products, which will
00:07:38
hopefully get you to great set of customers, which will then
00:07:42
eventually get you to a great outcome.
00:07:44
So I think it's going to take me everything in sequence, but the
00:07:47
number one problem that I often see people stumble upon is
00:07:50
either not believing in themselves and having the
00:07:52
confidence to take the leap of faith, as I call it.
00:07:55
A lot of times it's just you need the financial certainty
00:07:59
right.
00:08:00
You're in a place in your life with family, kids in school you
00:08:03
just can't take the risk.
00:08:04
And so, making sure you're a place in your life where you can
00:08:07
give yourself fair and square, a two to three year window to
00:08:11
really try out to see if it'll work, because chances are you
00:08:15
will fail before you succeed.
00:08:16
Also, bake that into your life plan and make sure you have
00:08:20
enough runway, because if you try something for six months
00:08:23
it's not going to work.
00:08:23
I can already tell you just stay in your day job and then
00:08:29
just, yeah, look, recognize your weaknesses and build around it.
00:08:33
Speaker 1: Yeah, you have a couple of really good points
00:08:37
there.
00:08:37
I've had on a lot of CEOs and founders and they have all said
00:08:45
very, very roughly, at least the same thing of you have to build
00:08:50
in some runway.
00:08:51
Right, if you're going to give yourself six months for this
00:08:54
thing to work before you make a change or whatever, it's not
00:08:58
going to work after six months.
00:09:00
This podcast, right.
00:09:03
It's obviously nothing close to running a large company or
00:09:10
anything like that, but I actually gave myself all right,
00:09:13
let's give it a year.
00:09:14
If I still like it at the end of the year, let's do another
00:09:17
year.
00:09:17
And I do it every year.
00:09:19
So now it's like December timeframe and I'm like, well, I
00:09:23
enjoyed the last year, let's go another year.
00:09:27
But if you're giving yourself that short runway, you have to
00:09:31
really go through the hurdles.
00:09:33
You have to fail.
00:09:34
You have to do a really bad job at something and learn.
00:09:38
Okay, I need someone on my team that does X to help me in this
00:09:44
area.
00:09:44
How do you?
00:09:45
Is there any like tried and true methods of building out
00:09:51
your team in terms of actually finding the people?
00:09:54
I'm sure now it's a whole lot easier for you to do it because
00:09:58
you have the network.
00:09:58
You have been in the industry for a decade or two, right, but
00:10:04
if you were starting over today, what would you do to build that
00:10:08
network?
00:10:11
Speaker 2: Build that network, A network, right, Just be out
00:10:13
there.
00:10:14
I think, unfortunately, a lot of us with technical backgrounds
00:10:18
are just by nature introverted and it's very unnatural for us
00:10:23
to be out there talking to strangers, showing up at meetups,
00:10:27
events.
00:10:27
I think, first and foremost, you just got to be vulnerable,
00:10:30
right, it's okay.
00:10:31
Remember, everybody else around you is human too and they're
00:10:35
kind of feeling the same, A little bit of stranger anxiety.
00:10:37
There's a little bit of like, what am I doing here?
00:10:40
What am I going to say?
00:10:40
How am I going to introduce myself?
00:10:42
But you got to do it because, I'll tell you, being a founder,
00:10:47
you're almost always in very uncomfortable situations, so you
00:10:52
better start getting used to that and warming up to that.
00:10:54
The other piece is a lot of people that listen in here, I
00:10:58
imagine, are practitioners.
00:10:59
You work with great people around you in your company.
00:11:03
Identify and ask yourself like, hey, if I ever build something
00:11:07
of my own, who are the one or two people, domain aside, who
00:11:11
have the work ethic, technical chops that I would just blindly
00:11:15
go call upon to come join me in this journey, Because I think if
00:11:19
you can find one or two people from your closed network, that
00:11:23
at least gets the process going.
00:11:25
If finding a first hire is going to be hard, it's just
00:11:29
always going to be hard.
00:11:29
Not that it gets easier, but having tried and tested people
00:11:33
where you have a level of trust, level of comfort to begin the
00:11:36
company is good.
00:11:37
If you look at my three companies, the first company
00:11:41
that I started with a gentleman who was a co-founder CEO was
00:11:44
somebody who I had known and worked with actually I was on
00:11:48
the advisory board of his prior company as a customer.
00:11:50
I knew him over the years, trusted him, got into business
00:11:55
with him.
00:11:55
For RedLock, my co-founder CTO was somebody who had been an
00:12:00
engineer for me at CypherCloud.
00:12:01
At Endor Labs, my CTO is somebody who was my CTO at
00:12:07
Prisma Cloud.
00:12:08
Having that trusted relationship helps.
00:12:11
But beyond that you got to put yourself out there and you got
00:12:15
to ask yourself first principle questions.
00:12:17
For example, at Endor Labs, when we built the company and
00:12:22
the engineering team over the last two years, I could have
00:12:24
taken a very easy path.
00:12:25
I could have called 15 engineers from RedLock and
00:12:27
Prisma Cloud.
00:12:28
They would have joined me in a heartbeat and we got to work the
00:12:31
next day.
00:12:32
Yet the path we chose was to say we promised ourselves that
00:12:37
no more than two engineers in the first 15 hires would be from
00:12:41
the same company.
00:12:42
Why was that important to us?
00:12:44
Because we were building a product.
00:12:47
That's the heart of cybersecurity and software
00:12:49
engineering.
00:12:49
Every company builds software differently.
00:12:52
You look at Google, you look at GitHub versus Cisco and Splunk
00:12:56
and Palo Alto Networks very different maturity levels in
00:12:59
software development and the tooling and the architectures.
00:13:02
We put ourselves through hell in the first year, year and a
00:13:07
half, to hire those engineers to make sure we got diversity of
00:13:10
experiences, diversity of backgrounds, not just gender and
00:13:13
racial diversity, but actual true work product diversity.
00:13:19
I think you have to look back and see what's important to me.
00:13:21
If I'm building a long-term company, I can certainly take
00:13:23
some shortcuts, but is it better that I take the pain now and
00:13:29
build a kind of organization and the talent pool that I need?
00:13:31
And it's going to take work, it's going to be hard.
00:13:34
The one thing I will tell people who are first-time
00:13:38
entrepreneurs is finding the right seed investors and if you
00:13:42
are getting some seed or early pre-seed money, a lot of
00:13:47
investors can help you with some of that initial network and
00:13:51
hiring of your key talent initially.
00:13:53
But that's critical.
00:13:55
The last piece I'll say on hiring and talent is.
00:13:58
A lot of times you feel like you know what?
00:14:00
I don't have a lot of money.
00:14:02
I maybe raised just a million, maybe $2 million.
00:14:06
Do I hire experienced people?
00:14:07
Do I take some shortcuts on hiring?
00:14:09
Get some interns to build code?
00:14:10
Look, you can go down multiple paths and not to say interns are
00:14:14
not smart.
00:14:14
But if you're building a B2B SaaS platform, it'll fall over
00:14:19
pretty quickly if it's not built well from scratch and you might
00:14:24
be able to build a prototype.
00:14:25
The thing is, if your prototype is successful, you're going to
00:14:28
have to continue building forward and going back to
00:14:31
address tech debt that we think about.
00:14:33
Oh, we'll rebuild it.
00:14:34
Gosh, you never get time to rebuild it because once you get
00:14:37
hit by it with success and adoption, you're kind of
00:14:40
scrambling to go build the next thousand things that your
00:14:43
customers are asking for, not going back to address your
00:14:46
foundation.
00:14:46
So making sure you build a strong enough product foundation is
00:14:49
critical.
00:14:52
Speaker 1: Yeah, that's very true.
00:14:53
I can't even count the amount of times that I've heard oh,
00:14:58
we'll go back and fix it later.
00:14:59
And it never happens.
00:15:02
And this is from an internal perspective where I'm already in
00:15:06
there working with the development teams and they're
00:15:09
saying oh yeah, we just got to get it out the door, it'll be
00:15:11
all right.
00:15:12
And then six, eight months later it's still there.
00:15:15
It's still kind of just barely chugging along with some new
00:15:20
patches of duct tape on it.
00:15:22
Yes, starting any company I would assume pretty much in any
00:15:31
industry it takes a lot of time.
00:15:35
It takes a lot of effort.
00:15:36
What was the time commitment like starting your first company
00:15:44
compared to this company?
00:15:45
Is there any difference?
00:15:47
And do you ever regret any of the time that you put in Because
00:15:51
you're essentially putting off other things?
00:15:53
There's probably other things that you could be doing.
00:15:56
Do you ever regret it?
00:15:57
Or do you look at what you're getting from it and you're
00:16:01
saying, okay, it's worth it?
00:16:04
Speaker 2: Look, let's face the elephant in the room.
00:16:05
The other thing, the biggest compromise you're making is on
00:16:09
your personal and family life.
00:16:11
There is no start time.
00:16:13
There is no end time.
00:16:14
There is, you've heard this from people like Bezos, it's work
00:16:18
life integration, it's not balance, once you go down a
00:16:21
startup path.
00:16:21
So I think, first and foremost, you have to assess your family
00:16:24
situation, figure out what kind of support you're going to get
00:16:27
from your near and dear ones and that they're equally committed
00:16:30
as you are into the journey you're about to take.
00:16:33
The other piece you have to figure out is where do you draw
00:16:37
the line?
00:16:37
You could work 24/7, 365.
00:16:40
But, for example, I have twins.
00:16:43
They're three and a half years old.
00:16:45
I don't want to look back five years later and say I missed the
00:16:48
formative years of their life, not knowing when their first
00:16:51
words came out, when they did their first activity, and things
00:16:55
like that.
00:16:55
And so for me, the time between like 5:30 to 8:30 is super
00:17:00
important every evening and I do my best to be with them.
00:17:03
But then I'm back online at night, right, catching up on
00:17:06
work.
00:17:07
You know, weekends the same thing, compartmentalizing family
00:17:10
time versus work time, but it's look it sacrifices you and your
00:17:14
family will have to collectively make and you have
00:17:17
to go in eyes wide open with that.
00:17:18
Do I regret any of that?
00:17:20
No, like I'm blessed to have a wife that understands this.
00:17:25
She's been by my side.
00:17:26
We were dating when I started CypherCloud 13 years ago 14
00:17:31
years ago so she's kind of seen the journey through me and I
00:17:37
think you know the other question I often ask myself and
00:17:40
people ask me like, why are you doing it again?
00:17:41
You don't need to, right? You're financially in a place where you
00:17:44
don't need to work.
00:17:45
But I say you know, the thing that drives me is solving
00:17:50
problems.
00:17:51
The security industry is so broken in so many different ways
00:17:54
that we can talk about all day long.
00:17:56
But the thing that drives me is if I look back and said what is
00:17:59
Prisma Cloud?
00:18:00
What did Prisma Cloud do?
00:18:01
And what Prisma Cloud and RedLock have done have provided
00:18:04
the opportunity in the industry for people to not have 100 tools
00:18:09
for cloud security, right? For on-premise security,
00:18:12
we had a fragmentation of 100 plus security products in an
00:18:16
enterprise. In cloud,
00:18:18
the whole CNAPP idea is you invest in a single platform that
00:18:22
solves many, many, many problems, and so we really
00:18:25
helped the industry move forward.
00:18:26
We created the constructs of shift left, right.
00:18:29
There are so many things that we did as far as Prisma that I'm
00:18:33
just so proud of, and I believe the same problems need to be
00:18:36
solved now.
00:18:37
Or, similarly, a different set of problems need to be solved
00:18:41
and a platform is needed for the whole SDLC, like securing your
00:18:44
software development lifecycle, from the point where your
00:18:47
developers are touching the first open source package and
00:18:50
dependency, to all the pipelines to provenance and attestation,
00:18:55
and it's that right.
00:18:56
This ability to solve and make a difference in the community is
00:19:01
what drives me.
00:19:04
Speaker 1: Yeah, that's a really good point.
00:19:05
What are?
00:19:11
How have the problems in cybersecurity evolved since you
00:19:15
first got into cybersecurity compared to now?
00:19:18
And I asked that question because, even as myself, as a
00:19:26
security engineer, security practitioner, I'm dealing with a
00:19:30
lot of issues in the code, like you mentioned, and these
00:19:35
insecure software packages that we now have to monitor that the
00:19:41
SolarWinds hack brought a lot of light to, right.
00:19:44
Yeah, what are some of the issues that you have seen that
00:19:47
have evolved into where we are today?
00:19:52
Speaker 2: Yeah, and Joe, let's not forget, we're speaking in
00:19:54
December, just before the holidays.
00:19:55
This is two years ago.
00:19:57
This is when Log4j was going down, ruined Christmas and New
00:20:00
Year's for many people.
00:20:01
Yeah, look, everything is changing, but let's kind of
00:20:06
break it down into a few key areas.
00:20:08
Back when I started building companies 2010, everything was
00:20:13
behind your four walls.
00:20:14
Today, everything lives outside of your four walls.
00:20:17
Perimeters are gone.
00:20:20
The areas that we were most vulnerable to 13 years ago were
00:20:25
networks and endpoints.
00:20:26
Today, I would say, we reasonably fortified those.
00:20:30
Over the last few years, it's been cloud.
00:20:33
I'd say today it's your software supply chain which is
00:20:36
probably most vulnerable as we matured in certain areas.
00:20:40
The attackers are smart.
00:20:42
They want to find the laziest route in.
00:20:44
They started finding cloud.
00:20:47
Now they're starting to find software supply chain.
00:20:49
They're relying some software you don't write, and the
00:20:53
inherent trust in the open source ecosystem is the next
00:20:57
place to point to.
00:20:59
The cat and mouse game continues.
00:21:00
Look, the thing that we have to be cautious about is then we
00:21:07
decided shift left was important.
00:21:08
Okay, great.
00:21:09
But then what happened?
00:21:10
5 companies started developing products and shift
00:21:13
left.
00:21:13
Now we're like, oh shit, we need 100 tools for shift left
00:21:15
security.
00:21:16
Now it's becoming a.
00:21:18
What am I doing?
00:21:19
Am I just shifting the responsibility to developers?
00:21:21
Let's not forget, the thing that hasn't changed is
00:21:26
developers are still incentivized and measured on
00:21:30
feature to velocity, feature development and security.
00:21:33
People are still measured on risk management.
00:21:37
These things are orthogonal.
00:21:39
Until, as an industry, we don't collectively put everybody on
00:21:42
the same OKRs, I just don't see how we solve this problem.
00:21:45
On one side, the security teams feel helpless because they're
00:21:49
finding things that are not getting fixed necessarily by
00:21:52
engineers.
00:21:53
On the other side, the engineers feel like security
00:21:56
teams don't understand our modern development practices or
00:21:59
modern development tools.
00:22:00
They're still using these old ways of giving us spreadsheet of
00:22:04
1 issues when, in reality, when I dig in, 90% of them don't
00:22:07
affect me.
00:22:08
So we have major trust issues between security and engineering
00:22:13
that needs to be resolved.
00:22:15
We have tooling that we need to quote, unquote, upgrade for the
00:22:20
modern software development processes and stack, and then
00:22:25
you've got the attack vectors that are rapidly evolving, right
00:22:28
Like look, let's think about software composition analysis
00:22:31
for a minute.
00:22:32
This whole world started with license risks, then we added CVE
00:22:37
based checks, but if you look at where the real attacks are
00:22:40
coming in from today, it's not just people compromising well
00:22:44
intentioned people's packages and vulnerabilities.
00:22:46
It's actually uploading malicious code into npm and
00:22:50
PyPI.
00:22:50
Okay well, are your SCA tools like Snyk doing anything about
00:22:54
it?
00:22:54
Not really, so you've got to retool quickly.
00:23:00
So, anyway, that's my rant on the cybersecurity landscape, and
00:23:03
I think the piece I feel most sorry about for people like you
00:23:06
who are the practitioners is there's 5 companies out
00:23:10
there hammering you with emails and calls and information, and a
00:23:14
lot of me too, and copycats and snake oil, and how do you
00:23:18
separate the wheat from the chaff?
00:23:20
And I think the things that blow my mind is 90% of
00:23:23
cybersecurity products don't tell or give you pricing on
00:23:27
their website.
00:23:27
90% of security products don't give you on demand access to the
00:23:31
product.
00:23:31
They won't even show you a demo on their website until you talk
00:23:35
to somebody in sales.
00:23:36
We think that's fundamentally got to change.
00:23:38
The only way practitioners will absorb this information is if
00:23:42
you give them the ability to kind of take an on demand
00:23:45
journey of understanding and uncovering the best products for
00:23:48
themselves and really being more educational than salesy
00:23:53
driven with snake oil.
00:23:55
Speaker 1: Yeah, it's a great point.
00:23:57
You know, one of the biggest issues that I have encountered
00:24:03
as a security practitioner is that typically I'm the stopgap
00:24:07
in between a vendor and my CISO, right, so I'm the guy that is
00:24:11
there to say does this product actually fit in our environment?
00:24:15
Does it do what it claims that it's supposed to be doing?
00:24:18
Are they reliable?
00:24:19
Can I actually put my name behind this thing and say, yeah,
00:24:22
this is something that goes on to the next step and it's
00:24:27
extremely difficult because they're giving you such limited
00:24:33
access, limited experience with it, and you have to really drill
00:24:36
down into the minute details of these solutions over a 30
00:24:42
minute, 45 minute call and that's really difficult If you
00:24:47
don't know the right questions to ask.
00:24:49
You know you're going to run the risk of buying something
00:24:53
that you shouldn't have been buying and spending, you know,
00:24:55
several million dollars on a product that can't do 50% of
00:24:59
what it claimed to be doing when you were, you know, in the
00:25:02
discovery phase, right, I've actually had people reach out to
00:25:07
me.
00:25:07
I actually have a group text that you know when someone's
00:25:11
going to be presented by a new vendor, right, we go through as
00:25:15
a group the different questions that we should be asking for X
00:25:19
vendor you know to be able to like really piece it out and
00:25:23
figure out what's going on.
00:25:24
And this is a great example.
00:25:27
You know I was.
00:25:29
I was leading a POC for a CSPM solution a year or two ago at
00:25:34
this point, and a part of you know bringing in this solution
00:25:40
is that it had to make my life easier.
00:25:42
It had to very specifically make my life easier because
00:25:47
there was only two of us on this cloud security team.
00:25:50
It was me and one other guy, and we're managing three clouds,
00:25:53
right?
00:25:53
So we obviously need a piece of technology to be there to
00:25:57
assist us.
00:25:58
And one of my, you know, tell tale questions was how many
00:26:04
people does it take to actually run your solution?
00:26:06
You know what's the headcount, right?
00:26:08
Can I do it with what I have existing or do I have to add on
00:26:11
headcount?
00:26:14
And one vendor I won't name them in particular was trying to
00:26:19
dodge this question, no matter what, and I just had to be very
00:26:22
blunt with them and I said we're not going on to the next phase
00:26:26
until you answer this question, because if you don't answer it,
00:26:29
it tells me that either one you don't know or two it's too many
00:26:33
for you to ask, and so both of those are red flags to me.
00:26:37
And then I got the answer and, of course, you know we would
00:26:41
have to increase our team size by 200%.
00:26:44
You know, basically immediately with purchasing this technology
00:26:48
that we wanted to purchase in 30 days.
00:26:49
It's just, it's a different mentality when, when you talk
00:26:56
about you know how you present your product, like you were just
00:26:58
talking about you know, having a demo on the website giving
00:27:02
people you know access to the solution to be able to actually
00:27:05
test out and whatnot.
00:27:06
Did you come up with that just with years of experience in the
00:27:11
field?
00:27:16
Speaker 2: Joe, it's a very interesting question, a deep-rooted
00:25:18
question.
00:27:19
I've posted about this publicly on LinkedIn too.
00:27:22
I feel like when you're building a startup, there needs to
00:25:26
be transparency.
00:27:27
Let's start with the first milestone.
00:27:29
Let's talk about when we're hiring people.
00:27:31
It blows my mind that the majority of startup entrepreneurs,
00:27:35
founders when they're hiring engineers, they will not tell
00:27:38
them okay, I'll offer you an offer and I'll say, okay, we get
00:27:42
5 stock options.
00:27:43
Okay, it could be 5 off a million, a 10 million, 100
00:27:48
million total shares.
00:27:49
You have no idea and I always tell people if the company is
00:27:53
not even going to tell you what the total outstanding shares are
00:27:55
or what the strike price of it is or any details that would
00:28:00
effectively help you measure and quantify, what are you getting
00:28:03
yourself into?
00:28:04
Because inherently, you're taking a big risk and leap of
00:28:07
faith coming here to work for me and if I'm not transparent with
00:28:10
you, how can I expect anybody smart to make that jump?
00:28:15
But that's how most of the industry operates.
00:28:17
People do it and I published about this online that this
00:28:22
should be just a no-no.
00:28:23
This is a big red flag if you're looking to join a company
00:28:25
and they won't share basic details.
00:28:27
Similarly, I think as buyers.
00:28:30
If you look at the Endor website, you can watch demos on
00:28:34
the site and in fact next month we're going to have a free
00:28:39
on-demand trial.
00:28:40
You don't have to speak to anybody, you can set up, get
00:28:42
going moving with the product.
00:28:44
We started this whole community because of what we learned.
00:28:46
We actually call this practitioner community Lean App
00:28:50
Sec, because I find, to your point, there are 5 vendors
00:28:54
calling the CISO.
00:28:55
The CISO is like a quarterback.
00:28:58
The CISO is going to take something and eventually send it
00:29:00
to you.
00:29:00
You've got to do all the work and, by the way, you are one
00:29:04
person in AppSec that's kind of ratio-wise supporting
00:29:08
500 developers.
00:29:09
It's a thankless job and while everybody wants to take the CISO
00:29:15
out to dinner, who's going and appreciating what the AppSec
00:29:18
engineers do?
00:29:19
Who's bringing them into a community?
00:29:21
Who's giving them a forum to exchange ideas with?
00:29:24
So we launched it by sheer accident.
00:29:27
We did a virtual event in the summer called Lean App Sec.
00:29:29
We had speakers from Peloton, Docker, great companies come.
00:29:33
It's really a practitioner, a practitioner community and
00:29:36
learning.
00:29:36
We're just facilitators and it was a great success.
00:29:39
We had almost 500 people sign up for it within a month and
00:29:43
from there we had a second edition of Lean App Sec and now
00:29:45
we have one more coming up early part of 2024.
00:29:48
The interest has been tremendous and, along the way,
00:29:51
that community of attendees we just polled randomly and said
00:29:55
would you like a Slack community where you can all meet and
00:29:57
exchange ideas and talk?
00:29:58
And everybody was a resounding yes.
00:29:59
So we've done that.
00:30:01
We have launched an academy for Lean App Sec where we're giving
00:30:06
people training on software supply chain dependency
00:30:09
management, this whole regulatory movement for SBOMs.
00:30:13
The thing is we're expecting these engineers to take on more
00:30:16
work, especially in this economy where you're not getting more
00:30:18
headcount and vendors want to sell, sell, sell more product to
00:30:22
you.
00:30:22
But who's spending the time looking at the long game and
00:30:24
educating you, adding value to you to be able to do your job
00:30:28
better?
00:30:28
And I'm a big believer in this, like transparency, education,
00:30:33
community building and yeah, I mean I think I've learned this
00:30:36
right? Battle scars doing this for the last 13, 14 years.
00:30:39
But these are long relationships, right?
00:30:41
That's the reason why if I send an email or a call to a CISO or
00:30:44
engineer who I may have talked to eight years ago, the nice
00:30:48
thing is the chances are they'll respond to me, because I didn't
00:30:51
sell them snake oil.
00:30:52
I wasn't transactional and I was actually focused on
00:30:55
providing them value before I asked for something, and I think
00:30:59
that's how you build long-term relationships in this community,
00:31:02
which is large yet so small and so intimately connected to your
00:31:05
point.
00:31:06
You have a group, right?
00:31:07
A vendor ticks you all off.
00:31:09
It'll be pretty quick that you'll make sure your peers will
00:31:12
hear about it.
00:31:12
On the inverse, if I give you value, I'm sure your peers will
00:31:17
hear good things about Endor Labs and it'd be a company that
00:31:20
they may want to take a call with eventually, when you know
00:31:22
the day and time arises.
00:31:25
Speaker 1: Yeah, absolutely you know.
00:31:27
Before we go much further, why don't we talk about what Endor
00:31:32
Labs is, what the problem is that you guys are actually
00:31:36
solving in the marketplace and how you're doing it?
00:31:39
Speaker 2: Yeah, you know, when I was building Prisma Cloud, my
00:31:43
team grew rapidly.
00:31:44
We had 400 engineers using a very popular quote-unquote at
00:31:48
the time modern SCA tool that generated 68 alerts for my
00:31:53
400 engineers.
00:31:53
And after SolarWinds happened, you know, every board wanted to
00:31:57
know about your software supply chain posture and I asked my VP
00:32:01
of engineering how are we burning these down?
00:32:02
He's like we're not.
00:32:03
We are running the report.
00:32:04
But you know, every time we get our engineers to look at these
00:32:07
alerts, eight out of 10 of them are wrong.
00:32:09
And so it kind of piqued my curiosity to
00:32:13
look into what's happening in this space.
00:32:14
Look, software development has fundamentally changed.
00:32:17
Five years ago we wrote most of our code ourselves.
00:32:20
Today, 90% of your code is code your developers didn't write
00:32:25
and is borrowed from complete strangers on the internet.
00:32:28
Then we have no idea who they are, what their motivations are,
00:32:30
how good the code quality is, yet it's foundational to our
00:32:34
applications.
00:32:34
Logically, forget anything else, logically as a human being,
00:32:40
when on one side you're putting your third-party commercial
00:32:43
vendors through a wringer to attest their applications, fill
00:32:46
spreadsheets, all of this, versus the side door to your house
00:32:49
where your developers bring in random pieces of code. Like,
00:32:52
something's not right here in the mix, and so we said
00:32:56
look in order to solve software supply chain security.
00:32:58
Well, what are some of the problems?
00:33:00
One is we still haven't figured out how to wrap our arms
00:33:04
around fostering innovation, empowering developers to use all
00:33:08
of this, reusable components, on the internet especially.
00:33:11
It's getting more exciting with AI.
00:33:12
Right, people say the winner in AI is going to be open source.
00:33:16
Great, I can't block my developers or say log a ticket
00:33:21
and wait to use a package that doesn't work.
00:33:23
If they need something, they need it now.
00:33:24
And how do I make sure that I empower them to use the power of
00:33:29
open source, but do it responsibly?
00:33:30
What does responsibly mean?
00:33:32
Now I want to make sure I understand who's written this
00:33:35
code.
00:33:35
Is the code quality good?
00:33:37
Is it healthy?
00:33:37
Is it well maintained?
00:33:38
Are there any known vulnerabilities?
00:33:41
Are there any risky use of APIs that can be easily exploited in
00:33:44
the future?
00:33:45
Are there any known signs of malware? Like,
00:33:47
The things I need to look at go far beyond vulnerabilities like
00:33:52
CVEs and license risk, and we don't have a good mechanism to
00:33:55
do this in an instantaneous, automated fashion where it's
00:33:58
integrated to the developer workflow.
00:33:59
So that was one gap.
00:34:01
Then we said okay, people are using great popular tools
00:34:05
Black Duck, Snyk, other things but everybody's frustrated with
00:34:09
the sheer volume of alerts these tools generate.
00:34:11
And if you look at why that is, Joe, it's because they are
00:34:18
basically running scans on your manifest files.
00:34:20
And when they scan your manifest file, they're just
00:34:23
getting an approximate estimation of what packages are
00:34:26
being imported, with zero understanding of how your
00:34:29
developers are using those packages.
00:34:30
And they assume your developers are guilty for every
00:34:34
vulnerability and every package that is called out there,
00:34:37
whereas the true reality is only 10% of that code is actually
00:34:41
used by your application.
00:34:42
If I could understand what that 10% of code is.
00:34:45
I start looking at prioritization, far beyond just
00:34:49
CVSS.
00:34:49
I look at things like reachability.
00:34:51
I look at fixability.
00:34:53
I look at is it in test or production?
00:34:56
What is the maturity of the exploit?
00:34:57
And by using these factors I can take that 68 list down
00:35:02
to 68, maybe 100, maybe 200, and really give things to my
00:35:07
developers to fix that have a meaningful return on investment.
00:35:11
And, moreover, I'm not breaking the trust to say it's your
00:35:16
problem.
00:35:16
Here's a spreadsheet of like 30 criticals and highs.
00:35:19
Go figure out what to fix and how to fix.
00:35:21
So, Endor Labs, to net it out, is all about how to enhance
00:35:26
developer productivity while keeping your software supply
00:35:29
chain secure and ultimately regaining that trust between
00:35:33
engineers and application security professionals cloud
00:35:36
security professionals, to kind of get all of that right.
00:35:38
So typically a customer of ours will switch over from a
00:35:43
Checkmarx, a Veracode, a Snyk, a Black Duck, to Endor Labs and
00:35:47
usually find a 70 to 80% reduction in alert fatigue and,
00:35:51
more importantly, they're able to turn their vulnerability
00:35:54
programs into being evidence-driven.
00:35:57
So if I'm telling a developer to fix it, I'm showing them
00:35:59
where in a code it is, how it's getting called in their
00:36:02
application, what is the best path to fix it in their code.
00:36:06
But also I'm looking at software supply chain risk
00:36:09
beyond vulnerabilities.
00:36:10
So that was a starting point of Endor Labs.
00:36:13
Then we heard and realized from customers it's not just a code
00:36:16
visibility and governance problem, it's also a pipeline
00:36:19
problem.
00:36:20
I have 2000 repos in GitHub.
00:36:22
People are kind of managing it on their own in the development
00:36:24
team.
00:36:25
I don't know how I enforce branch protection rules.
00:36:27
I'm getting 10 alerts for secrets.
00:36:30
I don't know which ones are valid, which one is an incident
00:36:33
versus which one is a hygiene problem.
00:36:34
And so we've expanded our scope to really look at code
00:36:38
governance, but also pipeline governance, much more
00:36:41
holistically and do it in a way which is enhancing developer
00:36:45
productivity, not slowing them down.
00:36:50
Speaker 1: Hmm, I mean, you said a lot there that we should
00:36:55
definitely unpack, but I feel like a lot of it centers around
00:37:00
customer obsession.
00:37:02
You know, like Amazon has these leadership principles and one of
00:37:07
them is customer obsession.
00:37:09
And whenever I look at those leadership principles, I
00:37:12
immediately think of myself in the times that I've bent over
00:37:16
backwards for customers, someone that I've only talked to over
00:37:21
the phone, probably never even seen them on camera or whatever,
00:37:24
but they're a customer, you know, and to me that holds a
00:37:27
special place, to me, even though it's not my own company
00:37:31
technically or anything like that, but I took ownership over
00:37:34
it.
00:37:35
Do you also see it that way?
00:37:36
Because you know it sounds like from an outsider right, it
00:37:40
sounds like you're approaching this problem from how can I best
00:37:43
serve someone, rather than how can I best make money?
00:37:47
Right, and as an engineer, as someone who is buying solutions,
00:37:53
whenever I see that you know it's automatically like, okay,
00:37:57
I'm getting the best solution out there, like for sure, you
00:38:00
know, and this person, if I have an issue at 2am, you know
00:38:04
they're going to get up and help me.
00:38:05
You know, like that means a lot to me.
00:38:10
Speaker 2: Yeah, look, it's funny.
00:38:11
If you ever come into our Palo Alto office, it literally
00:38:13
customer obsession is big on all walls, and so I think everybody
00:38:17
wakes up and thinks about that.
00:38:19
But here's the thing, Joe, I think about it from a CISO's
00:38:22
perspective.
00:38:23
The best CISOs think of their engineering organizations as
00:38:27
customers.
00:38:28
Right, the best security teams think of their engineers as
00:38:31
customers.
00:38:31
And that mindset is important because you want to service your
00:38:35
customers, you want to come in their way, you want to figure
00:38:38
out how to help them do their jobs better.
00:38:40
And then, if I look at that chain of command like for
00:38:44
security teams, if engineers are your customers, product teams
00:38:46
are your customers.
00:38:47
You want them to be able to ship code faster, put it in the
00:38:52
clouds, be more transformative, be more innovative, then my job
00:38:56
is to help you service your customer, and what that
00:38:59
collectively means is that you and I should be able to look in
00:39:02
the eyes of your technology leaders and engineering leaders
00:39:06
and not just talk about risk reduction, but talk about how
00:39:10
did you help them enable their business priorities and
00:39:13
accelerate their business priorities.
00:39:15
How did you help them save time?
00:39:19
We've probably seen these stats in large enterprises, especially
00:39:21
regulated ones. Upwards of 40% of an engineering team's time is
00:39:26
getting spent today on chasing vulnerabilities and security
00:39:29
issues.
00:39:29
Think about it in a macroeconomic situation where
00:39:33
we're not all adding 20% in our engineering headcount year over
00:39:37
year, you still got to do more
00:39:39
with less, which means we have to drive collective
00:39:41
efficiency, and Microsoft's a great example.
00:39:46
Microsoft just made a CISO leadership change this past week
00:39:50
and look at the background of Igor, who just came on as a new
00:39:56
CISO.
00:39:56
He's never been a CISO, he's been a technology person.
00:39:58
He's built technology for hedge funds like Bridgewater, and so
00:40:03
the future of cybersecurity is empowerment of engineering,
00:40:09
understanding modern engineering practices, integrating into
00:40:10
those.
00:40:11
And to me, I think every CISO and security organization needs
00:40:16
to be customer obsessed, meaning they're internal customers.
00:40:18
And the way I win long term is that if I'm obsessing with you,
00:40:23
alongside you, about your customers and driving
00:40:25
efficiencies in your business, and not just unilaterally
00:40:29
looking at this as a risk management problem but as an
00:40:35
efficiency problem.
00:40:37
Speaker 1: Yeah, it's very true and I've personally experienced
00:40:43
it.
00:40:43
When you get a CISO that has actually done the work, they've
00:40:47
done the technical work, they have the technical job, so to
00:40:51
speak, and when you're talking to them, nothing's going over
00:40:54
their head, they understand, they can follow along and
00:40:57
everything.
00:40:57
And that always translates into a better relationship between
00:41:03
security and the rest of the business, because security
00:41:08
should always be seen at least in my view, it should always be
00:41:11
seen as a business enabler.
00:41:12
I want you to be able to understand that.
00:41:16
I want you to be able to have access to every single piece of
00:41:20
technology that you need to make this company as successful as
00:41:24
possible.
00:41:25
It's my job to make sure that it's all secured, but it's your
00:41:29
job to make sure that you can do what you need to do to make us
00:41:34
more successful.
00:41:36
And I'm running into that exact issue that you described right
00:41:41
now, actually, where our developers are completely
00:41:45
overwhelmed with the amount of findings and security
00:41:50
vulnerabilities and prioritization is a very real
00:41:54
problem.
00:41:54
And I feel like the market is slowly starting to pick up on
00:42:01
this trend, because it's not just happening at one company,
00:42:06
it's happening throughout the entire market.
00:42:07
Almost every company that I've been at in the past five years
00:42:12
has experienced this problem, and then the difficulty
00:42:15
that security teams have is actually well, how do I
00:42:19
prioritize this?
00:42:19
I don't know if that application is using this
00:42:23
vulnerable piece of code, and I don't know if that vulnerable
00:42:26
piece of code makes my application less secure just
00:42:30
because it's there.
00:42:36
Speaker 2: Yeah, I'm sorry, didn't mean to cut you off, but
00:42:38
this is where you need to hold your vendors to a higher bar.
00:42:40
I mean, I think just don't tell me every problem on Earth Like,
00:42:44
explain to me, explain to me, give me evidence on why it
00:42:49
matters.
00:42:49
Where does it matter?
00:42:51
Because not only does it help you be more credible with your
00:42:54
engineers remember, most likely the ticket that is ending up in
00:43:00
a developer's plate wasn't the developer that originally
00:43:03
created this problem three years ago, four years ago, five years
00:43:05
ago?
00:43:05
So somebody in engineering is also trying to figure out the
00:43:08
context of: shoot.
00:43:09
You asked me to change this dependency.
00:43:11
How did it come in?
00:43:12
Maybe it's transitive three levels down?
00:43:14
That's a complex problem, and can you show me the path?
00:43:18
How does my application call it?
00:43:20
And so the nice thing about SaaS and subscriptions is, if
00:43:26
your vendor is not keeping honest to the promises that
00:43:29
they've made you, it's time for a change.
00:43:31
It's time to look elsewhere.
00:43:33
And, yes, switching costs are a thing between products, but I
00:43:37
think most vendors are starting to figure out how to get better
00:43:39
at that.
00:43:40
But yeah, I think it gives enterprises and organizations
00:43:45
like yours a much better opportunity to hold their
00:43:51
vendors accountable for much higher standard of products and
00:43:54
prioritization.
00:44:05
Speaker 1: Yeah, it's interesting to see where the
00:44:10
field is going and you know the new areas of focus that are
00:44:17
popping up.
00:44:17
Where do you see the field evolving in the next five years?
00:44:22
You know, because I don't want to say that this is relatively a
00:44:26
newer or a new issue.
00:44:28
Right, it's probably been around for a long time, but
00:44:31
people are finally just now identifying it and actually
00:44:35
trying to solve it.
00:44:36
You know, where do you see everything going in the next
00:44:39
five years?
00:44:40
And I'll tell you.
00:44:41
The reason why I asked this question is because, with my
00:44:44
audience, I always tell them to think more towards the future.
00:44:47
Right, start to prepare your career for you know what's
00:44:52
coming five, 10 years down the road, so that when that change
00:44:56
happens, when that evolution happens of the field, you know
00:45:00
you're more prepared, you're more well suited to make that
00:45:03
change, to make that jump.
00:45:04
So where do you see, you know, everything going the next couple
00:45:09
of years?
00:45:11
Speaker 2: Yeah, gosh, you know, given what we've seen in the
00:45:15
last nine, 10 months, with the advances in AI by the week, it's
00:45:20
hard and I'll probably be wrong in everything I predict right
00:45:23
now.
00:45:23
But I give you a few of my friends that I'm following
00:45:26
closely.
00:45:27
You know what is.
00:45:28
I think AI will certainly be an enabler.
00:45:31
It's not going to take our jobs away in security, but it will
00:45:34
help us be more efficient, right. Things like prioritization,
00:45:37
explainability, right, there are certain things it's pretty good
00:45:41
at.
00:45:41
But it's going to also create a whole new set of challenges for
00:45:44
us, right?
00:45:44
Like, okay, so far your problem was developers writing bad code.
00:45:48
00:45:48
Now, when machines write bad code, how do you kind of put
00:45:51
machine versus machine to fix the poorly written code?
00:45:55
You've got a whole set of kind of challenges there.
00:45:59
Right, data privacy issues will kind of reemerge and be at
00:46:02
the forefront again.
00:46:03
I'd say, from an organizational perspective, I think it goes
00:46:07
back to what I just gave you an example of.
00:46:09
I think most organizations will have to, from a security
00:46:13
perspective, think of engineering counterparts as
00:46:15
their customers, not their foes.
00:46:17
I think you will see a number of companies where product
00:46:22
security will become really part of an engineering function, not
00:46:25
a security function.
00:46:26
I think it will be deeply embedded there.
00:46:27
I think there will be a role of security teams defining policy,
00:46:32
defining the what and the engineering teams with embedded
00:46:37
DevSecOps
00:46:37
people will be deciding on the how you meet these objectives.
00:46:42
So I think you know you should be prepared for pretty large
00:46:45
organizational changes.
00:46:49
The other trend I've started seeing pretty closely is several
00:46:51
CIO a CISO.
00:46:52
So it's funny, if you remember, for many, many years and even
00:46:56
to this day today, a lot of CISOs report to the CIO, right,
00:47:01
Although now you're starting to see CISOs take the CIO job.
00:47:05
So we're starting to see a career ladder where CISOs are
00:47:08
becoming CIOs.
00:47:09
Because, look, if you're going to find all these problems, you
00:47:12
better take ownership to A, do things the right way from the
00:47:15
onset, but also have risk management embedded into your
00:47:19
entire framework.
00:47:20
So obviously you're going to see that and I do strongly
00:47:24
believe the next frontier right, we saw cloud and we saw
00:47:27
endpointing networks becoming cloud as the next frontier of
00:47:30
tech.
00:47:31
And you know we've seen identity continues to be a
00:47:35
challenge.
00:47:35
I think identity kind of remains vastly unsolved.
00:47:39
But I think software supply chain security is where the next
00:47:43
frontier is going to be for the next five years, and it's one
00:47:47
of those unique situations where actually the government is
00:47:51
taking a leading role, not a lagging role, in driving the
00:47:55
standards of operations much higher.
00:47:57
Now you may not agree with SBOMs and the value of SBOMs.
00:48:00
Regardless, the conversation is happening.
00:48:03
That's the most important part and that's driving people to
00:48:06
think about better controls, you know, better capabilities
00:48:10
around software supply chain security, because, look, two
00:48:13
things. One, every company is becoming a software company.
00:48:16
Two, the fact that you can use software to be weaponized
00:48:23
against your users, your employees.
00:48:25
It's kind of a big deal and the impact this can have is pretty
00:48:29
significant, as we've already seen.
00:48:31
So, yeah, I'd say those are a handful of my predictions.
00:48:35
Like I said, I'll mostly be wrong.
00:48:36
A few of them might be right, but I'm looking forward to
00:48:40
catching up with you in five years and doing a little
00:48:43
checking on these.
00:48:45
Speaker 1: Yeah, absolutely.
00:48:46
I think it'll be a lot of fun.
00:48:47
You know, unfortunately we're at the top of our time here, but
00:48:52
before I let you go, how about you tell my audience?
00:48:54
You know where they could find you if they want to reach out,
00:48:57
where they could find Endor Labs to learn more if they wanted?
00:49:02
Speaker 2: Yeah, thanks for asking, Joe.
00:49:03
So I'm very active.
00:49:04
I love engaging with the community on LinkedIn, so please
00:49:07
follow me or connect with me on LinkedIn.
00:49:09
You can look up by my name.
00:49:11
Endor Labs is pretty straightforward, EndorLabs.com is
00:49:16
a website.
00:49:16
We believe in having a lot of information there.
00:49:18
You know, our engineering organization is very uniquely
00:49:23
technical.
00:49:23
Like a third of our engineering team is PhDs and computer
00:49:25
science deep researchers, and a lot of our content and our blogs
00:49:29
mostly, I would say is written by engineers, not by marketeers.
00:49:32
So if you'd like to learn about new techniques, technologies,
00:49:36
do check it out.
00:49:37
But also, like I said, a heavy focus at Endor is learning.
00:49:40
So if you go on our website on the Learn track, there's Academy,
00:49:44
there's peer to peer conversations and then, of
00:49:47
course, if you want to join our Slack community, then do reach
00:49:49
out to me and I'll be able to kind of get you an invite.
00:49:54
Speaker 1: Awesome.
00:49:55
Well, you know this has been a fantastic conversation and I'm
00:50:00
looking forward to future conversations.
00:50:03
You know when maybe you release new products or features,
00:50:06
whatnot?
00:50:07
I think it'd be really interesting to have you back on
00:50:09
and even talk about, you know, the space evolving, you know, as
00:50:13
we go.
00:50:14
Speaker 2: Yeah, awesome Joe, thanks for having me.
00:50:16
I really enjoyed the conversation.
00:50:18
Look forward to being in touch, take care. Absolutely. Well.
00:50:21
Speaker 1: Thanks everyone.
00:50:22
I hope you enjoyed this episode .