Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
S1 (00:00):
Unsupervised Learning is a podcast about trends and ideas in cybersecurity,
national security, AI, technology and society, and how best to
upgrade ourselves to be ready for what's coming. All right, well,
welcome to Unsupervised Learning. Ethan. Yeah. Can you give a
(00:24):
little bit of background about yourself and what you're working on?
S2 (00:28):
Yes. So I'm Sarita Jara and project management for application security.
And ASPM is part of Cortex Cloud in Palo Alto Networks.
I can kind of come from a background of engineering
and product, uh, from several, uh, different areas. Uh, mostly
in the last years, cloud security and application security. Um,
(00:51):
I always say that I come to the application security
space from handling or kind of using all these different
tools of application security and trying to write or have
the right experience for both developers and security people to
kind of, I don't know if to laugh, but at
least like security to be able to actually, uh, solve
the problem for the security people and not have so
(01:14):
much problems on the production, production, uh, sites, but also
make sure developers understand what they need to fix and
why they need to fix it.
S1 (01:23):
Okay. That's great. And I was looking at the, um,
at the site in the platform prior to joining. It
seems like it's it's becoming quite cohesive with all the
different pieces. And I heard, uh, somewhere else that you're
looking to, like, unify into, like a single data lake,
which is something that I'm really excited about. I would
(01:43):
love to hear more about that.
S2 (01:46):
So basically, uh, Palo Alto Networks had a product called
Prisma Cloud, which handled cloud security or, and also application security,
another product called Cortex that handled the, the SIEM and
the SOC side of things. And, um, in the
last few months, we actually merged these two into one
data lake, in which you can do everything. All the
(02:07):
information you need is just residing in one data lake,
whether these are attacks coming from the SOC or, uh,
cloud posture findings or application security ones. And think about
the potential of having everything within the same data lake
like in one click. You can ask questions that in
the past, it wasn't as simple to do that because
(02:28):
the information reside on different systems. You don't necessarily have
the context. And if you think about application security, in
this sense, the thing that application security, uh, lacks the
most is the context. Like I see so many things,
which is not good, but I don't know if they
are really going to production or they're going to be exploitable.
Are they going to be used by my application? So
(02:50):
one of the things in application security is that you
have just too many issues. Usually developer just either ignore
them or they get mad on the security people because
they block them or on an on every build or
PR and you kind of there is no balance in understanding, okay.
These are the things that need to be fixed. And
when we introduce uh, Cortex Cloud and then we will
(03:13):
introduce uh, ASPM as well. We actually say we bring
everything together. You don't need to, uh, you know, look
at different things, whether you have different scanners, whether you
have different, uh, version control or different CI/CD systems. Uh,
if you want to see whether you have different clouds,
if you want to see everything, you can come to
our environment, come to our solution and have the platform
(03:35):
you need for, uh, um, everything within the same place,
it means that we give the context. We get, we
get from the cloud. It's not just, you see things
for application for for the code side of things, but
you see things that are code side. But then they
are connected into the cloud one and the cloud one
are being connected to the SOC one. So it's actually
one system that covers everything that a security person cares
(03:58):
about with regards to how you see things within, within cloud.
And we also acknowledge the fact that cloud is, uh,
is growing very fast and application to cloud is growing
very fast. AI is bringing, you know, bunch of more
code into the, into, uh, the environment. Many of our
colleagues been written by different, uh, models. All of these
(04:20):
things also bring security issues, and they don't solve the
problem of having a lot of problems before production. But
what we bring to this one is saying you have
a lot of risk. We will help you to prioritize them,
but not just to prioritize them, but also to prevent them.
Because most of the solutions say, I will prioritize everything
(04:42):
for you, which is great, but the funnel keeps growing.
You know, you cannot kind of manage it. And what
we are saying, we will allow you to actually do
a much more flexible and recommended prevention. How do I
do the right guardrails within my pull request? How do
I do the right guardrails within my build? And this
(05:04):
is using all the things we know from production and
from the actual runtime environment, whether it's actually deployed, whether
it's open to the internet, whether it's had an access
to sensitive data, all the questions you can think of
on how my application will go will look in production.
This is something that we have natively because we have
(05:24):
everything on the data lake and the potential is huge.
S1 (05:29):
Yeah, that is absolutely wonderful. I'm so excited to hear this. Um,
I was wondering, like, who's going to kind of move
in this direction first? This is very exciting. So a
good example of this, um, that I always go to, um,
I was at Robinhood doing, uh, vulnerability management and, um,
application security. I was in charge of those two groups
(05:50):
during log4j2. And so what everyone had to do was
get their spreadsheets ready and start pulling down manual lists
and trying to cross-reference where in the actual technical infrastructure
it is. Okay, which app is that? Okay. Who actually
owns that app? Who do I actually ping to try
to go out here and I'm like, what we actually
(06:12):
need is a single place where this stuff is located
that actually understands. Is this live right now? Is it
is it a system that's running, or is it a
system that we could turn on? Um, what version of
the actual application or the library is enabled? Right. Because
it could be that one of the versions is vulnerable
and one of them isn't. Right. Who's the owner? All
(06:35):
of these things. So like asset management just being natively
built into it, understanding ownership, being natively built into it, um,
just really exciting. So so do you have also like the,
the business understanding potentially that you could bring in. So
for example, we're worried about these things because we're in
(06:56):
this particular industry. We're in this particular country. Um, we
are particularly concerned about the exfil of particular data because
we're in defense or something like that. Um, which to
me is really interesting because it can automatically do what
we've been trying to do in information security for so
long is prioritization of vulns before we're using vulnerability information
(07:22):
to prioritize vulns. But when we should, what we should
have been doing is saying no. What are our actual assets?
What do we actually care about as a business that
automatically does it for you if you have that context?
S2 (07:35):
So very good question. And just reiterating about Log4j. Yes,
it usually comes at the worst case being Christmas on
the on the Log4j one. Uh, and um,
it's a, it's a good example because people mostly didn't
understand where their, where their Log4j is actually located,
like where they use the actual, uh, vulnerable, uh, package
(07:58):
or the version actually. And whether it's just on the
code or also in production and all of these different
things are super, uh, um, complicated when you have to
do it, um, when you have to do it in,
you know, in, uh, in a lot of stress and
you already know that there is an exploit, uh, available
and people try to exploit. So, so it's super, uh,
(08:20):
I would say too late in the process. And you
mentioned another thing which is super important, trying to figure
out from the cloud, uh, who is the owner.
S1 (08:29):
Is.
S2 (08:30):
Good, but it's, it takes too much, like it's too
much to too long to understand. Who is the owner? Uh,
you probably the developer already did like several other things
between now and then. Uh, and it's, uh, it's really
kind of, if you think about it, you try not
to block to be able to make the developer velocity, uh,
(08:50):
very fast, but in the end, because you kind of
bother him with problems from production, you kind of bring
him tasks that were not planned originally to be solved.
So while you try to make the developer velocity, uh, fast,
you actually make it slower by trying to figure out
who is the owner. And, uh, owners tend to not
(09:11):
be that simple of understanding who the one, you know,
when you see a CVE within a package, like, who
is the one that's that's only the last one that changed. Uh,
the the fight may change like different version. The one
that actually added this package into the, into, uh, the code.
So it can be a lot of different owners. And
when you are close to the code, it's much easier
(09:33):
to understand who is the owner because he's the committer
of the things and he can block things before even
going into production. Going back to your question about the business, uh,
impact of things, and also, uh, what we can say
about the industry or the industry are in. So one. Yes.
One of the things we always say about ASPM is
(09:53):
the is that it's kind of connect the business with
the security. If you think about all the evolution of
the different, uh, SPM stuff, it's always about infrastructure, about network,
about identity, about data, but application is about actually connecting.
What the customer knows about is application and the honoring
the business owner, the criticality of the the business, the
(10:14):
fact that, for example, I can later understand whether this
application is, uh, mostly vulnerable, for example, for um, for
data theft. So probably try to, uh, to harden it
based on this type of, uh, of, um, of, uh,
kind of what application is doing versus what are the
(10:36):
potential of being exploited within. And this is something we're
also going to add more, uh, in the future and
trying to understand what is the application inside and allow
you to bring the relevant guardrails to to help you
solve this, uh, problem. So, yes, business is a very
important part. We are going to make sure it's going
(10:57):
to be very, uh, aligned with what we do on
the security side. I think application is the first time
it's actually connects everything. And when we talk about application,
and this is one of the things which is super, uh,
exciting about what we are doing, is that while in
other places you can define application for the code, you
can define application for the runtime. What we do is
(11:20):
say we don't care what you where you start to
build your application. You can start from the runtime. You
can start from the code. The system will automatically enrich
everything up for you and actually connect all the relevant
assets into one, uh, into one application. And you mentioned
something which is also, uh, important. Um, if you think about, uh,
(11:44):
whether am I like, for example, you said I want
to find all, all the places I have Log4j,
Log4j. Think about a repository that you didn't scan.
S1 (11:55):
Yeah.
S2 (11:56):
So you don't even know if it's if you have
this problem or not. And one of the things we
invest in our solution is making sure that you have
a good visibility of what you are actually doing. Yeah.
Because if I see a risk and I don't know
what is the coverage, then the risk may not be correct.
So it's not it's not the right place to go.
S1 (12:15):
Yeah. So so for that piece are you talking about
like continuous discovery. Continuous like, um, monitoring external attack surface
to just like be aware and then bring that into
the context into the data lake if it's not already there.
S2 (12:31):
So it's already it's already there. It's part of the
solution having the attack surface as well. Um, as I mentioned,
we kind of brought all these different, all these different models,
different signals, signals into the same place. And then beside
providing insight by ourselves to our customers, we also
allow the customers to query things they care care about.
(12:52):
They can kind of do it via the graph, or
they can do it via like our query language and
they can query basically everything. You know, one of the
discussion is that if you think about the amount of
different things we have within the system, whether it's the
SOC environment, the Appsec persona, the runtime, the posture management,
they can create something that will be kind of an
(13:13):
overlap kind of overlay of everything. The system brings some
of its own, but it's also open for the for
everyone that wants to query it. So very exciting. And
we have a lot of, uh, uh, super cool things
that are planned as part of our SPM solution. I
really believe that if we think about the next generation
(13:35):
application security and how it connects within the cloud and
the fact that everything is super fast, this is the
way to go, kind of connect between the things. Bring insights. Um,
you know, I think, uh, one of the things we
see is that people don't have, like, they don't want
to search within, uh, a search engine. They prefer to
ask a question. Yes. And in my opinion, one of
(13:58):
the things we are doing on the ASPM is
trying to give the answers instead of kind of let
you go into different tables or different places to look
for your information, but rather give you insights on what
the things you can do and the recommendation on how
to prevent it. And you know, in theory, I would
like to make sure that we have a very good
prevention in which what you see in cloud was only
(14:20):
created in cloud and not something that was kind of
created by code.
S1 (14:25):
Mhm. Yeah. That's really interesting. So I mean what I
see kind of happening from this is like you could
roll this out and suddenly you all of a sudden
your users are way larger than the security team. Because
this is so vastly important to the entire company because
they likely don't have a place, a universal place, to
(14:47):
go and ask questions. And what you what you're likely
to end up with, uh, as you know, is like,
you're going to have the best asset management in the
company is going to be this tool. So people who
aren't even thinking security necessarily, they're going to be like,
I need the current list of this. What's facing the internet?
Like lots of different users could potentially need this.
S2 (15:09):
And again, in the context of the business, like, yes,
these assets that are part of my application, it's not
just an asset. I can know that this asset is
part of an application and the application is owned by someone.
This is the business owner of it. This is the
one that needs to fix things. Um, we're also talking
about the option to kind of group things based on applications.
So you can see that you can see based on
(15:31):
the permission you have, the application you want to see.
And all of this is is coming into the context,
the code context, the cloud context, the things we have
from the runtime and also the one we give from
a get from the business application. So yes, you are correct.
This data lake in a way is our secret for
this is and the, um, the things we do with
(15:53):
the data, which is based on AI and the ability
to actually learn from the data, is what will make
the what makes the, the the solution, um, to be, uh,
such an, uh, a potential for, as you mentioned, like
security people. In the end, they cannot chase, uh, risks.
They need someone to be able to, uh, fix things
(16:15):
before they do that. They don't do policies today because
it's hard. Because it's not because developers tend to, uh, say, no,
you just blocked us. We cannot bring velocity. We cannot
bring more, uh, um, application into, you know, more business
value to our customers. And we want to say no, if,
you know, if you do it right and you do
the right guardrails and you will do prevention in mind,
(16:38):
but in, in a way that you have all the context.
Then your velocity will be increased and not decreased.
S1 (16:46):
Yeah, I am really excited about this. So so what
I've been telling everybody is so, um, customers or whoever
is asking, they want to know what AI is going
to do for attackers and what specifically they're going to
try to build. And what I'm telling everyone is, um,
that thing that I sent you, that USC thing is
that attackers are going to build unified context for targets.
(17:10):
So what they are going to do is they're going
to send out agents, they're going to find your list
of employees, they're going to pull all their social media, um,
they're going to find all your DNS, they're going to
pull all your domains and your subdomains, and they're going
to start pulling all those different assets. Um, and then
they can start interrogating them for open ports and blah, blah, blah.
(17:31):
So they are essentially building a unified data lake for
you as the target. And then the next time they
have a new target, they go and do the exact
same thing. And then they have agents that say, okay,
given the context that you have, how do we attack?
What social engineering campaign do we write? What, uh, you know, exploit,
(17:52):
do we launch on this application? So my my whole
thing to everyone is attackers are building this to attack you.
You need to have a better version for yourself. And
I just absolutely love. Yeah, I absolutely love that that,
you know, you have such a prominent company in Palo
(18:13):
Alto actually doing this and doing this quickly. I thought
it was going to take much longer. I'm really, really
happy to hear this.
S2 (18:20):
Yes. So it's actually already available. Uh, it's already on
the same platform. Um, which is kind of the data
lake is there. We're just adding more and more content
into it. And, um, I really believe that while this
data lake improves, uh, cloud posture, improves SOC. It
also improves appsec to be able to really, you know, um,
(18:43):
make sure you don't get into production and wait for
a lot of time to kind of get the fix,
understand who is the person, try to figure out if
it can fix the issues and deploy back and then, uh,
you know, do testing and then deploy back, kind of
shorten this, uh, cycles and making sure that, uh, we
will provide you with all the information you need to
remediate stuff, but also make sure you prevent in the
(19:07):
future similar, uh, similar problems.
S1 (19:11):
Yeah, it's really powerful. So tell me again, all the
different controls that we have in the platform. So you
have the ability to, um, monitor incoming code and like,
inspect and reject, like, what are the other control points
that you have based on something that you see in
the lake?
S2 (19:29):
Yes. So we have a lot of, uh, different controls.
We start from the IDE, like the developer environment. When
it writes the code, it can see everything we know
within that. Of course, it's limited to what is currently editing,
but this is the first time you will find the
system and the inputs and the outputs and inputs. The
(19:52):
second one will be when you try. Well, there is
another one before the commit, but it's very special to
specific use cases. Uh, this the second one will be
when you do the pull request. This will be the
second one. We can, uh, check and kind of enforce.
The other one is just monitoring and understanding what it is.
But you can enforce things when you go into the
PR and say, I don't want to, uh, do critical
(20:15):
CVE for, uh, a repo that goes to production. And
I know this one is, uh, open to the network.
The third one will be around build. I can do, uh, uh,
block the builds, put it as a step in the
CI and have all the context of understanding, uh, on
what I'm actually blocking. And, of course, you have all
(20:35):
the different monitoring of having like the periodic scanning on
a branch and on history. So you have a lot
of things you can do and get all this information,
and you also have the option to do some of
it on the image side of things and even in
the future. Also for admission control, if you do do
it for, uh, um, this kind of, uh, of, um, uh, software.
(20:58):
So we have different options to guard. So put the
guardrails in place. And as mentioned before, um, we are
we are we are a great believer in platformization and
the open the option to actually, uh, pull information from
different other scanners so we don't limit ourselves to the
things that come only from our system. We actually collect
(21:20):
everything we have from the different, um, it can be
different application security solutions. It can be, uh, different version control.
It can be different CI/CD systems. We collect everything
in and uh, provide our enrichment. So it's very important
for us not, you know, to give the value. Even
before you use the scanners, make sure that you have
(21:43):
all the value in the enrichment, the option to create applications,
all this coverage, things I talked, I talked about and
give value to our to our customers, I would say
in minimal time.
S1 (21:56):
Yeah that's really powerful. And then other components in the
ecosystem are also adding to the data lake. Right. So
you also have that richness.
S2 (22:04):
So uh, so let's start from the beginning. The first
one will be the code that we bring into, uh, the,
the lake, the, the code finding. I would say different
code finding can be open source, first party, uh, code, uh,
secrets misconfiguration, all of these things APIs. The second one
will be, uh, everything we bring, uh, from the CI/CD
(22:25):
systems, uh, and the version control like posture management.
Think about the fact that I see, uh, a secret
on a version control. It's not, um, it's not protected
by by, uh, let's say, um, MFA, for example. So
this also kind of where the, the code goes into
is also another signal. We have all the, the signals
(22:47):
of the Cortex Cloud, as we say, the identity, the data,
the network, the infrastructure, everything we have, which is part
of a solution for setup. And then all the things
we have from our endpoints, from our agents within the
cloud and all the things we have from the attackers
perspective for the SOC. So everything you can think of
(23:07):
in this area is through our to our environment. It's
a very big data lake with a lot of options
to do the query.
S1 (23:15):
That's really powerful. So you can like you can build
basically an entire program off of constructing a really high
quality set of questions, and then and then basically have
the answers to those questions trigger different, uh, pipeline or workflows.
S2 (23:33):
Exactly. And also kind of, uh, um, lead users to
improve their security posture by creating the right journey. Because
we have all these different information, we can kind of
guide them to say, if you want to do in
this place, do that one and then, uh, do it, uh, in,
in kind of a stages of phases.
S1 (23:53):
Um, well, sorry, this is super, super exciting. I'm going
to go and actually research a lot more about this. Um,
and I can't wait to see updates. Where can people
learn more about the platform and what you're releasing and
what's already released?
S2 (24:09):
So our so, uh, everything that we already released is
in our site. And the second one will be about
our announcement. Announcement of the new product, uh, going on
on the 25th July.
S1 (24:22):
Oh, great. Yeah, we will, uh, look forward to that. And, uh, yeah.
Anything else you want to add?
S2 (24:29):
No, I think I just want to say that I'm
super exciting. As I mentioned, kind of coming back to
my background, I feel that this is part of my
mission to make developers and security, like, more friendly to
each other and kind of make sure the developer doesn't
see security as something that they need to, uh, something
they need to do or ignore, but actually have this,
(24:50):
this as part of their workflow and make sure security
have all the information to be able to do the
right security decisions.
S1 (24:58):
Awesome. Well, I think this will definitely move us in
that direction. Thanks for your time.
S2 (25:03):
Thank you very much.
S1 (25:07):
Unsupervised Learning is produced on Hindenburg Pro using an SM7B
microphone. A video version of the podcast is
available on the Unsupervised Learning YouTube channel, and the text
version with full links and notes is available at Amazon.com newsletter.
We'll see you next time.