Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
How's it going, Idan? It's really great to finally get you on the podcast, or I guess maybe again, right, because we tried this before, a couple of weeks ago, and Israel came under attack and the internet was not cooperating very much. Yeah, so yeah, thanks, Joe, for having me for the second time.
(00:23):
Yeah, yeah, absolutely. Not many people come on a second time.
Speaker 2 (00:29):
Yeah it is, it is, but this is our life. You know, the life of a startup is active, so you know we're used to it.
Speaker 1 (00:39):
Yeah, yeah, it's like, it's that mentality of, well, I don't know what I don't know, but I also won't know until I start. Like it's a, it's like a vicious circle. Yeah, well, you know, Idan, why don't we start with, you know, how...
(00:59):
How you got into tech? Right? So you're from Israel, right? So obviously you probably made your way into the Israeli military, as everyone from Israel does. Yeah, but I'm wondering about before that time period, were you already interested in tech? Were you already inclined to go, you know, a technical route?
(01:20):
What was that looking like?
Speaker 2 (01:24):
It's an interesting question, by the way, Joe. No, no one asked me this, that question, before, and I'm getting into a lot of, you know, interviews lately. TLDR, I started programming when I was, I think, six, when my father back then bought me a computer, and
(01:44):
I think it came over like from that moment I fell in love with computers and I was a technical person from the beginning, from the early days, and, yes, I served in a cyber security unit at the IDF called Matzo, and I was there around four and a half
(02:08):
years plus. After that I had my own consulting services company, so I did a lot of penetration testing, security code review, risk assessments, custom development for large enterprises, you know, on the security side and, as part of, you know,
(02:30):
a casual pen test, which was... so you were talking to me about how you figured out how to steal the NTLM hash of a device and then you were able to use that to escalate and pivot throughout the environment.
Speaker 1 (02:45):
So if we want to start there, and then also, you know, why don't we take maybe just a step back? What's the NTLM hash, right? Why is it important? Why does it matter in Windows systems?
Speaker 2 (02:57):
So the NTLM hash or Kerberos token is actually the identity of the user or the machine. If you're able to steal that, you don't need to know the password of the user or the password of the computer to be able to move laterally across the organization. And this was, back then, a very, very sophisticated attack.
(03:22):
We all know, you know, Mimikatz and all the APT attacks, the Mimikatz tool, of course, and the amazing person behind it, and TLDR, this led me to a research and a patent back then to identify,
(03:43):
profile and identify abnormal behavior of users and machines inside the network. Back then, we founded a company called Aorato. We were pioneers in the UEBA space, sold it to Microsoft in December 2014.
(04:04):
January 15, we were in at Microsoft. It was an amazing, amazing ride. Microsoft. I was the GM for software engineering, running product research, development and data science. I was running the Defender for Identity business.
(04:24):
So that's it. It was, like you know, from zero to not zero, from $1 million to $416 in three years. It was an amazing growth. You know, Microsoft sounds easy but it's not. But I think that now, you know, Microsoft and CrowdStrike are
(04:46):
the biggest companies, cybersecurity companies in the world that are leading the abnormal behavior identity stuff. They also, like CrowdStrike also acquired a company back then, and I was fortunate enough to, you know, to meet Satya in
(05:07):
person. I reported to two people under Satya Nadella, so I had two one-on-one-on-ones with him. I learned a lot about the business and, like, moving forward at Microsoft, I felt kind of a very interesting challenge or pain
(05:29):
where, you know, from a startup where you used to deliver code to production on a daily, weekly basis, and now you need to fill out risk assessment questionnaires, you need to go through 10 different scanning tools on your code,
(05:50):
you need to go through threat model, pen tests, security reviews, compliance reviews before you ship code to production, and this was a huge pain. Another pain that we faced is when we found risks in production or in runtime, it was very, very hard to attribute it
(06:11):
back to the code owner or the code component in our code base, and TLDR, this is what led us to leave Microsoft and found Apiiro back then in 2019, 2020. And back then no one knew what we were talking about.
(06:31):
What does it mean? ASPM, Application Security Posture Management? Why do you need another technology to scan code and protect or understand your software architecture and then expand it to software supply chain and provide a
(06:52):
comprehensive platform that allows you to secure your software from design, development and delivery in one risk engine or one platform. So this is my story in a, like, in a nutshell. Hmm.
Speaker 1 (07:15):
Yeah, I'm sure, you know, one of the biggest challenges, probably at Microsoft, at any level that you're at within the company, is just the red tape and the processes and the procedures that you have to follow. You know, I'm currently at a pretty large company and I mean it takes you a year just to
(07:36):
decide what you're going to buy, and there's other divisions, right, of this same company that takes them three years minimum, like if they go three years of testing products and whatnot, like that's them moving quick, right, and it's weird, right, like I feel like you're not even a
(07:57):
technologist to some extent anymore, right, because by the time you make a decision on the product, maybe the players in that space change. Right, maybe the products that you were testing had major issues with. Now, because this process is so, you know, regimented, you know, you have to start over, you have to start completely over.
(08:17):
You can't just plug one in and move forward. You know, and I'm sure that's probably like one of the internal, you know, downfalls at Microsoft too. Right, is where it's like you really only move forward.
Speaker 2 (08:32):
I think that, on the security side, Microsoft is more, you know, build versus buy, and I don't think this is the issue. We solved that in Apiiro because we serve around 10% of Fortune 500 companies. We solve this problem by, one, providing a seamless integration.
(08:59):
You need a read-only API to your source control manager. That's it. Read-only API to your source control manager, that's it, and you can do it. You can deploy it fully on-prem in an air-gapped environment or hybrid, or use our SaaS offering, whatever, but from the moment you connect us to your source control manager, in one hour, and
(09:24):
this is the core intellectual property that we've built. We developed a technology called DCA, deep code analysis, where we scan the entire history of your code base and then we translate code into entities. Like, for example, we know, I would say, components, like we know all your APIs in the code, all your Gen AI usage, all your, you know, technologies, security
(09:48):
controls, exit points, and then we map it on a graph, and the aha moment is where you can tell me, hey, Idan, no way, I didn't approve my developers to use Bouncy Castle from this version, or I didn't approve them to use Spring Security for input validation or authentication.
(10:13):
And then you get visibility to your software architecture for the first time. All the other scanning tools out there will scan for all of us. We developed a completely new technology that fully understands your software architecture. And now if you want to connect all your existing tools into
(10:35):
Apiiro and contextualize their findings, or their noisy findings, and match it to your software architecture and say, okay, it's great that I have SQL injection or Log4j or secret in code or whatever, but you know what? It's not in a code module with PII, or it's not deployed, or
(10:55):
it's not a high business impact application, or stuff like that. And I think this is how we overcome all the barriers of going through very, very large enterprises that are paying
(11:15):
multi-million dollar deals to Apiiro today. But we did it in small chunks. You can start small and grow with Apiiro, but the unique value prop is just to tell you, hey, Joe, this is your software architecture, and the only other way to know that is
(11:37):
questionnaires or manual security reviews or other self-based attestation processes. That will, you like, you say X, yes, I do, I don't have PII, and tomorrow you do have PII in your code base and no one will actually identify
(11:58):
that in a continuous manner. So I think the value prop plus a very seamless, easy, with short time to value, this is how we overcome and, of course, all the security controls that we have and the regulations that we put in place, and on and on.
(12:19):
But this is how we overcome the burden of going through a one-year evaluation process with large enterprises.
Speaker 1 (12:32):
Yeah, a lot of people don't understand or they don't realize how big of a problem this actually is, right, and you know, I'll give you an example. You know, in my environment right now, right, and I've been in other environments where this is the exact situation, where
(12:55):
you really don't know the third-party libraries, for instance, that are being used in an application, unless your developer specifically tells you or you have a way to call them out on it. Right, there's no way for you to know. You don't know if they're outdated, if they're vulnerable to something. Right, that you're opening yourself up to a new attack that
(13:17):
you don't even know about. Right, and with how cloud applications are nowadays, you need, you know, four or five different tools to actually secure your pipeline and your code and make sure that we're not using AI models in ways that make us, you know, vulnerable to different attacks and whatnot.
(13:39):
These are huge, huge problems. One real world...
Speaker 2 (13:47):
Sorry, Joe, no, no, I just wanted to say before we move on, I think that the problem is much more complex than that, because everyone is looking at their attack surface in silo. You are now telling me on open source, but if I will tell you,
(14:08):
listen, this open source is actually using a secret, and in the same code module you have an API that exposes BI data or an API that sends data to an OpenAI service. Without understanding your software architecture, you will continue to fight the siloed alerts and you cannot win the
(14:32):
battle. You cannot win because you have so many alerts and so many vulnerabilities. You need to contextualize them. You need to first understand your software architecture and only then connect these siloed alerts on top of your software
(14:54):
architecture to make sense of them and to understand if they're impacting your business or not. Or you have a toxic combination that you need to handle before you need to handle any Log4j or any vulnerable dependency, because you need to look at it as a whole and not as one simple
(15:18):
alert and another, like this is the problem. Another problem is how you identify these combinations early in the development lifecycle before you deploy to production. This is the key, because if you have three, you know, I'm so
(15:38):
many years in the cybersecurity industry. AppSec has existed for 20 years. And then everyone said shift left, shift left, shift left. And what happened is they blocked developers on every CVSS score eight and above. But who cares about CVSS score if CVSS does not understand your
(15:59):
software architecture? And then what happened? You stop developers and they are frustrated with security. So what we decided to do is to build our own risk graph engine. Okay, the risk graph engine actually takes from the DCA, the deep code analysis, the software architecture, and then from
(16:21):
your CMDB, from your five different SAST, SCA, secrets, you know, CSPM, whatever tools that you are using, and combines them together on a graph and says, you know, now Joe opened a pull request and it touches sensitive data with the sensitive business logic in this code module that transfers money,
(16:44):
for example, plus an open source dependency with a vulnerability that is reachable in the code. This is why it's a risk to the business. Let's stop Joe at the pull request and provide remediation guidance or automatically try to fix that. And when you have this context, now you can actually shift left.
(17:06):
So again, it's not only detecting these types of risks, it's correlating the data, it's understanding the software architecture, and only then you can actually block and prevent risks early at the pull request, before you start the build
(17:27):
process, or after, or at the deployment, whatever. It's too late from my point of view. But I'm just saying everyone is missing the point. They are missing the software architecture they need to understand, and siloed tools care about CVSS score or EPSS score, and it's meaningless, and
(17:50):
then it's just bombarding developers. And again, I don't want to complicate stuff, but you touched on software supply chain. Yes, you need to look at the attack vector. It's a multidimensional attack vector. Someone can breach into your source, someone can breach into
(18:11):
your CI/CD pipeline or inject malicious code, like in the SolarWinds attack, that actually, you know, they breached one CI/CD pipeline and managed to breach all their, the customers of SolarWinds. So it's looking at your code, and your code is very complex
(18:36):
because it's assembled from first-party code, third-party code, secrets, open-source dependencies, third-party technologies, SDKs, and then secure, make sure that you have all the application security platform
(19:04):
from the design phase, which we will talk about in a second, to the development, to the delivery. Makes sense? Yeah, yeah, it makes sense.
Speaker 1 (19:15):
You, I was going to get there, you know, where we're diving into the actual architecture, right, because actually I've experienced this, you know, personally, right, where there was a potential, you know, event, right, and we were looking at an application. I didn't even know how it was designed, right. Where is it
(19:35):
pulling the data from? What is it actually doing on the back end? Why is this, you know, a critical production application, right? And there's literally one person at the company that is able to tell me that. God forbid they go on vacation or something, right, like, that's how it was, you know. And now, you know, I'm over here creating the first, like,
(19:56):
architecture diagram of how this application runs, especially in the cloud, right? Yeah, like, especially in the cloud, where people can, you know, just so easily deploy new applications, new architectures, new patterns, right, using new services in AWS, Azure, GCP than
(20:19):
are, what are, you know, even previously approved and whatnot. Like they can do those things and you'll have a sprawling infrastructure that's well beyond what you even think that it is. Totally agree, but I want to differentiate between software architecture and infrastructure or cloud architecture.
Speaker 2 (20:37):
Okay, these are totally different inventories, totally different relationships, totally different components, totally different diagrams. Now, yes, my, if, let's say, an application in Java, okay, is it? You developed your RESTful APIs in Spring and one of the APIs
(21:01):
is reading or storing data in a storage bucket. Yes, you want to know that, and you can know that today with our DCA, with our deep code analysis, only from scanning the code, okay, without scanning your cloud architecture. Okay. But what I'm trying to say is that the software architecture
(21:21):
looks totally different from your cloud architecture, and you need to secure that before you deploy to the cloud. And the challenge is, you said you are building the diagram, but the diagram will change tomorrow. How do you keep updating the diagram for every
(21:43):
code commit that is material? Like, I don't care if my developer changed the background color of the login page, but I do care if he exposed a new data model in the API of the login page. Yes, absolutely, immediately, I need to trigger a pen test or a
(22:08):
security code review if the data model contains sensitive data. And I think this is what the industry is missing, because I wouldn't say it's easy, but it's more structured. When you open or enable a new service in AWS or a new storage
(22:42):
bucket or a new firewall rule, also, you know, prevent that or have segregation of duties with two approvals. But if you're a software developer, we'll add the data model to the API that is responsible for the login page in the UI. No one will know, no one, I promise you.
(23:07):
And this is the gap that we are solving in Apiiro. You know, with our ASPM platform that is powered by the deep code analysis technology. We are telling you that developer all committed the code to your code repo. It's a material change that requires a pen test,
(23:28):
automatically trigger it without asking anyone. The policy is defined in Apiiro with your risk threshold and risk appetite, and if you pass this threshold you have gates. At the design phase, we scan JIRA tickets or feature requests, okay, and then we stop
(23:52):
you from going to the development phase without Joe doing a threat model on this feature. If you open a pull request or commit code to your feature branch, we will stop you because you committed a material change or a risk based on your software architecture. If you're going to release your artifacts,
(24:15):
we will stop you and say, Joe, you passed these and these and these policies, which are graph-based policies across multi, multi-data stores, from code, CMDB and runtime data and more and more.
(24:36):
And this is where, you know, you put the gates before you ship to the cloud. Now, to your point. If you already, you know what, if you shipped Log4j three years ago it wasn't vulnerable and
(24:56):
today we found the zero day, then you need to attribute this to which pipeline, when it was deployed, who approved it. Did it go through a pen test or not? And with the code owner that actually imported the package, who did the review on the pull request, and automatically opened
(25:19):
to this developer, if he's still in the company, open a pull request to fix it. And this is exactly what we're doing with code-to-runtime matching, attributing code components like APIs, open source dependencies, PII fields, authorization logic and others to the code owner.
Speaker 1 (25:40):
Yeah, all of those are... It's like it's close to impossible right now without that stuff, without that sort of technology, and it's a situation that I encounter very often, actually, where, you know, someone builds something that maybe throws a vulnerability scanner alarm, right, and now we got to add
(26:02):
context around it. You have to have someone, you know, really it's a couple people getting on a call and talking about why it matters and why we should care about this one module or this one snippet of code, right, and explaining that to the dev, and then going through the whole process again and hopefully it passes this time, right, like without that
(26:23):
sort of singular solution.
Speaker 2 (26:24):
Yeah, we have like four different tools to tell us different things. Yeah, so again, two problems. One, how you consolidate all the findings and contextualize them, and you know who you should talk to. And the second problem is, again, just aggregating the data
(26:45):
and finding the code owner will not be effective if you don't know your software architecture, because you have so many alerts, and without understanding the software architecture, you don't know how and what to prioritize. I do want to say just one step back. You said something interesting. I don't know when you're going to publish it, but next week we
(27:09):
are announcing, unfortunately in an anonymous way, we closed the largest deal in the ASPM market ever with a Fortune 10 company. I can't say which one, but it's one of the biggest companies in the world. Why? Because they managed to quantify what you just said.
(27:32):
We managed to quantify how many man hours they're investing on every alert in runtime, how many hours they invest, by the way, invest when they find it in runtime, how much time they invest to triage, prioritize and then find the code owner to fix
(27:54):
it, because the security team cannot do that. And then how much time they invest on risk assessment questionnaires before releasing to production. We actually, and I'm going to share, not I, my marketing team are going to share the metrics and the data behind it, so you
(28:14):
will be able, and your audience can go and see exactly the parameters of how we calculated it with the customer and what is the total cost of the cost reduction that we managed to prove to the customer. So I feel, like I feel, I felt the pain that you are talking
(28:38):
about at Microsoft, so I can connect to your day by day, Joe, and yes, it's a painful problem, and I'm sorry, I'm like a broken record, but without understanding your software architecture, you literally cannot do that. You literally
(29:04):
cannot do that.
Speaker 1 (29:04):
Yeah, yeah, I mean, without even, you know, being able to put numbers to it, like you mentioned, right, you can't. You can't even really start to, like, quantify how much work goes into just this section of your business. That's probably not even noticed by upper management, you know, and, like you said, when they start seeing how much they're actually putting into it, it's like, wait a minute, like we're blowing money right now.
(29:26):
This solution over here is cheap compared to what we're actually putting into it. We need to, you know, refocus and refactor and, you know, free up some time for these, you know, highly paid engineers, highly paid developers, to go and do the work that we need them to actually do to make us a Fortune 10 company, right, to make us the best in the space.
(29:48):
When you start quantifying it like that, it speaks volumes that you wouldn't be able to do without it.
Speaker 2 (29:56):
Yes, and think about an AppSec engineer which needs to understand code, which needs to understand a developer's mentality and processes. You need a cloud security engineer that deeply understands AWS architecture, and you need the developers to care about
(30:18):
because they have strengths. And the developers, you need to understand them. They want to hit their target, and their target is to deliver high-quality features to increase the business, so the business will grow.
(30:41):
If you will keep dealing with security issues again and again and again, you will not deliver value to the business, and it's a vicious cycle. So you need to prove as a security, as an application security engineer. I'm telling you, I am in... We as a company, you know, we are a big company. We are involved in the smart, with the smartest AppSec engineers and developers in the world, and we built, I think,
(31:06):
the most, I would say, sophisticated AppSec program in the market at the moment. And the reason why we did it? Because we proved in a quantified manner how much effort you need to invest in every sprint in security, and if it passes the 5%, you're done, go out.
(31:27):
You will impact the business in a negative way. So because of the risk-based prioritization, because of the understanding of software architecture. Now you compare ASPM platforms. You say, hey, this ASPM platform reduced it by, I don't know, 25%, and Apiiro managed to reduce it by 85%. Pure business
(31:52):
outcome. And this is why developers love it, eventually. They're not using the Apiiro UI, but they're getting the Apiiro bot into their toolchain to prioritize and fix their risks with a simple
(32:21):
explanation of why this will impact the business. So, TLDR, we have a built-in business outcome report where we show to your upper management two metrics: development velocity goes up, risk goes down before releasing to the cloud, and
(32:45):
that's it. And this makes sense because finding, as you said a minute ago, to find talent of security engineers, it's so hard. To find a partner on the software development side, it's
(33:07):
so hard. They are very logical people and they're focused on delivering value, high quality software with less bugs, functional bugs and with less security bugs. And this is how we bridge the gap between these teams.
Speaker 1 (33:24):
Yeah, it is. It's an interesting challenge, but from what you described it sounds like the old term, like shift left, right. You can't get any farther left than where you're sitting, right, when you're able to inject yourself into the process.
Speaker 2 (33:43):
Exactly, and we just released two at Black Hat, when Black Hat, I don't remember, August, yeah, two months ago we released, after working with so many customers as design partners, we released our risk detection at the design phase. So think about this: your product managers are requesting
(34:07):
features day in, day out, and no one actually, like you, have so many product managers and you cannot hire more AppSec engineers and they cannot go and search in JIRA or whatever, wherever you open the feature request, like based on keywords. So we developed our own LLM model, it's a private model, not
(34:30):
based on OpenAI or Hugging Face or others, that can actually, based on understanding of your software architecture, scan the text and say, hey, Joe, this is a risky feature request and why, and automatically generate threat model stories based on STRIDE, with contextual mitigations, because we know
(34:55):
which authentication framework you use in your software architecture, and we know which encryption framework and input validation. So if you requested an integration, I don't know, with Facebook, and send through the API these fields, we will tell you, hey, use Spring Security for input validation because the threat can be spoofing, or information disclosure as part
(35:19):
of STRIDE, and we do that automatically. This saves tons of time and detects risks that without this automated process you would never identify. So we cover our customers at the design phase, at the feature
(35:41):
request phase, at the development phase, commit, pull request, and at the build and deploy phases before you release to the cloud.
Speaker 1 (36:02):
So these are the intersection points where we put our guardrails, our risk-based guardrails, in the development labs. Yeah, that is really fascinating. You know, if you were to project out, you know, say five years, where do you think this space is going in five years, with the, you know, heavy use of AI growing, right, the usage of these LLMs and whatnot? It's only going to grow from here.
(36:24):
It's probably going to grow exponentially quicker than what we expect. It's already growing exponentially.
Speaker 2 (36:32):
We just released internally a report that proves that every customer that started, and again, there are two sides of the coin in AI, in a second I will describe, but we looked at the numbers, and every customer that enabled Copilot or any other AI-based code assistant, their code, the amount of code, grew
(36:57):
exponentially in the last six months. This is a report that we generated internally. We are thinking about how to anonymize it and maybe publish it externally, but it's not an assumption anymore. It's the fact that the data is showing it. So.
(37:20):
But there are two sides of this coin. Why? One is you using AI for faster development. Two, it's you as a developer, the same developer, using AI to make your software more, or smarter and more efficient.
(37:40):
Like, if you now go and embed the OpenAI framework inside your Java application, someone needs to identify it, someone needs to govern it, someone needs to make sure you comply with all the requirements, and someone needs to trigger a pen test or a security review or a compliance review in an automatic,
(38:03):
proactive way. And this goes back to our DCA, the deep code analysis, that identifies the software architecture automatically, maps all your Gen AI usage in code and then triggers a process based on the policy. Now, I do think that both will introduce a complete new attack
(38:25):
vector. Complete new attack vector. Why? Because if you're, if you enable, if you're a VP engineer, okay, VP software engineer. Now, Joe wakes up tomorrow and enabled Copilot on your GitHub repo. Who knows that you enforce two reviewers on the pull request?
(38:49):
Who knows that your code changes are now growing exponentially? And maybe you will not introduce vulnerabilities, but you will introduce major material changes to the architecture, and no one will know that, because the Gen AI,
(39:09):
or, sorry, Copilot, decided to use a different serialization framework. And a new serialization framework will open you to a completely new attack, and your SAST tool will do literally zero because there is no SQL injection in this serialization framework. But it's a material change and no one knows about it.
(39:31):
So what I'm trying to say again, to make it shorter, it will open in the next, not three to five years, in the next year, a completely new attack vector. We will see totally different types of attacks and you need to
(39:52):
automate everything. Automate everything. Without the automation, without the... And when I say automation, it's not just, yes, you know, workflow in an orchestration tool, it's actually, sorry, broken record, it's actually understanding your software architecture, the
(40:14):
changes of your software architecture early in the development lifecycle and then trigger a contextual process. It can be a contextual threat model or a pen test or a security review, but also a training, because if Joe did the same mistake again and again and again five times, I don't
(40:37):
need to wait for the, you know, the one year training which is so boring and everyone presses next, next, next, next, next, just to comply with PCI or whatever. I need to train. I need to trigger a contextual training to reduce the risk before delivering to production.
Speaker 1 (41:03):
Yeah, yeah, absolutely. We're moving into a really fascinating time where, you know, new threats are going to be creating new attack vectors and it'll be really interesting. So I'll definitely have to have you back on, you know, sometime in 2025, and we'll talk about the new ones that are coming up. But, you know, Idan, unfortunately we're at the end of our time here, but, you know, I really enjoyed our conversation.
Speaker 2 (41:23):
Likewise, likewise. Thank you for having me, Joe. It was an interesting conversation. I would love to talk more in 2025, when we see the new attacks that are rising.
Speaker 1 (41:34):
Yeah, yeah, absolutely. Well, you know, Idan, before I let you go, how about you tell my audience where they could find you if they wanted to connect with you and where they could find your company if they wanted to learn more? Sure.
Speaker 2 (41:46):
So LinkedIn, Twitter, you know, or X.com, just add me and send me a message, or just go to Apiiro, A-P-I-I-R, apiiro.com, and reach out.
Speaker 1 (42:03):
Awesome.
Well, thanks everyone.
I hope you enjoyed this episode.