Lisa Martin: Hello, everyone, and welcome to theCUBE's presentation of the AWS Startup Showcase: Open Cloud Innovations. This is season two, episode one of our ongoing showcase series, covering very exciting startups from the AWS ecosystem. And we're going to be talking about the open source community. I'm your host, Lisa Martin. And today I'm excited to be joined by Ravi Maira, the head of product and partner marketing at Snyk. Ravi's here to talk with me about developer security for your digital transformation. Ravi, it's great to have you on theCUBE.

Ravi Maira: Hi, thanks, Lisa. Nice to be here.

Lisa Martin: So talk to me about what's going on in developer land. They're under a lot of pressure. A lot of them are building apps with open source, but what is Snyk seeing from the developer's lens?

Ravi Maira: Well, from the developer's lens, there's a lot of pressure to build fast. And that's probably the biggest challenge, right? We're in a world of digital transformation where everybody's trying to compete, no matter what industry you're in, right? On the technology and on the quality of your software or the capabilities of your software, which puts a lot of pressure on developers to build fast. That causes them to do a few things. One, it causes them to develop in a way where they're doing constant iteration. And so models that would have enabled a security check to come in at the end aren't working anymore, because they don't have time for those security checks. It also causes them to do a good thing, which is to leverage other people's code when they can, like open source, so they can just focus on their own functionality. And that's true whether they're building new functionality or modernizing legacy applications by moving them to the cloud.

Lisa Martin: So if a high percentage of app code, 80 to 90%, is open source, then that opens up... talk to me about where the vulnerabilities are and how you guys help customers and developers address that.
Ravi Maira: Yeah, the vulnerabilities can be anywhere, but the key is that point, right? If you're using open source in a typical application, 80 to 90-plus percent of the lines of code in that application are going to be open source code. That's code somebody else wrote that you don't have a direct relationship with. And yet you own the risk: whatever vulnerabilities may be in their code, you now own that risk. So what Snyk is trying to do is enable developers to leverage open source, but do that securely. And then we also help them with the 10% that they write as well. And do that all in one really easy environment for a developer that fits into their workflow and into their daily life.

Lisa Martin: So security should shift left. I've had the chance to talk with a couple of... do you call them Snykers? Maybe we'll call them Snykers. Oh, you do? Oh, good. A couple of Snykers recently; we've talked about security shifting left. That's not a new concept, but I'd love to dig in more to how Snyk and AWS do that. And I'm also curious if what you're doing helps... we've talked about the cybersecurity skills gap for a long time now. Does what you guys do help address that?

Ravi Maira: It does, because it's really leveraging a resource that is there, right? The number of developers worldwide is growing from, depending on who you believe for these numbers, and they're estimated numbers, right, but 25 million to 50 million over roughly a five-year period that's already started. So we're somewhere in the 30s now, right? Meanwhile, on the security side, there's something like nine million cybersecurity people in the world, and that's all cybersecurity roles. It's a much smaller chunk that are application security folks. And there's three and a half million unfilled cybersecurity roles. So you can't get cybersecurity people and keep using the current model you're using but just scale it linearly. You have to change things.
Ravi Maira: And Snyk's belief is the way you change things is you have the developers be part of your security solution, which means they need to have the ability to not only develop, but to develop securely. And that's our concept of developer security. We build tools and a platform that enables developers to be the first part of the security solution, and enables security teams, rather than individually auditing and fixing things, to develop a process, govern the process, guide the development teams, but let the developers own that first step of security. And that's really how you solve that scale problem.

Lisa Martin: When you're talking with customers, is this kind of a better-together scenario, developers and security folks? Are you helping them align culturally? Because this is a change.

Ravi Maira: Absolutely. I think one of the biggest misconceptions out there is that there's a tension between security and development. And I think that's because organizationally there might be, right? Security is responsible for risk and developers are responsible for speed of innovation, and the faster you innovate, potentially there's more risk. So there might be some organizational tension, but at the human level, people understand each other. They understand the pressures that the other one's going through. They just don't have an easy way to work together. And if you can help them get that, then it really takes off. The relationships form, they'll build human-to-human programs like security champion programs and things to integrate the teams, because they're both going after the same goal. Both sides want to build awesome technology and grow in whatever market they're in.

Lisa Martin: Right, and of course with the need to do that at today's market speed and scale, it's a great thing that you guys are doing to facilitate that collaboration. And of course the security... let's kind of take a double-click now into the different integrations that Snyk has with AWS services. I know there's quite a few.

Ravi Maira: There's quite a few.
Ravi Maira: The biggest one, probably the easiest one for the integrations, is the native integration that we have with CodePipeline. So it makes it easy for developers, as they're finishing their builds and deploying, to have an automatic security check that comes in, understands if there's things that need to be fixed before this really should be released, and then they can fix it and go forward. But we integrate with our API across a lot of other services, ECR, EKS, CodeBuild, so that wherever the developer is working there's a way for us to integrate with them as they're building across their AWS development process.

Lisa Martin: Okay, so giving them plenty of opportunity. Let's dig into the platform. Talk to me about the platform, how it's really aimed at developers. You alluded to this a little bit, but I'd like to kind of take a double-click into the technology.

Ravi Maira: Sure. The platform part of it is that idea of: we've wrapped it all as a developer tool. The thing that makes Snyk unique in this is not only do we have the idea that we wanted to shift left in time, but we wanted to shift left in ownership. So the developers are the primary user, and we built a tool that is a developer tool that happens to do security. And we've extended that tool into a platform by enabling it to connect into the developer's tools, sharing information across different elements of what it's securing. So for example, the open source that we're scanning for you and testing to find vulnerabilities: we're also looking at the vulnerabilities in your code, and where they may overlap or intersect we can adjust priorities so that you might not need to fix something. Let's say you're using an open source package that has a vulnerability, but your code is never gonna access that: you don't need to fix it. So you can prioritize that one lower, right?
Ravi Maira: Same thing with Kubernetes and containers: you may have a container vulnerability, but the way you're gonna leverage the container, that won't be used, so we can adjust the priority to make it easy for the developer. And that's the other big thing that's different about a developer security platform than a typical security tool. The typical security tool is an audit tool. It's designed to output: here are all the things you have a problem with. A developer security tool is a fixing tool. It's designed to say: here are the problems you have, developer, here's how you fix it, and go back to building. And that prioritization is a big part of that, because you can say here's what you don't need to worry about, and then you can focus the rest of your energy on helping developers fix the problem, either by giving them really good advice or automating it for them and saying here's a button click that will generate a pull request and your problem is fixed.

Lisa Martin: That must go a long way to improving developer productivity, one, facilitating that speed and the agility with which they need to work, but also from a developer kind of crowdsourcing, groundswell perspective, I imagine. Talk to me about what some of the voices are of the developers that are in your community. What are some of the things that they're saying in terms of how much faster they're able to work, they're able to get those priorities established with automation so much faster?

Ravi Maira: Well, that's the biggest thing, is the productivity gain happens because of the benefit of shift left, right? You're testing earlier, you're finding it at an earlier time when it's easier to fix, but that's because they're the ones doing it, right?
Ravi Maira: If they're waiting to hand off to an audit report and then it comes back, even if somebody is giving them that audit faster, it's still after they've moved on. And the other way people try to solve it is they'll say, well, I'll take a security tool and then hand it to the developer and they can run it. But developers are not security experts, so the tool needs to understand what they know and what they don't know and work in their workflow. And that's what developers generally say to us: because Snyk makes it easy to work but also focuses on the fix and helps guide them to that answer, they're able to go much faster. When we're evaluated by companies who are looking for a security solution, if the developers get involved in that evaluation, they'll choose Snyk.

Lisa Martin: So I'm curious a little bit about, as the head of product marketing, I'm thinking customer advisory boards, things like that. What's the collaboration like between Snyk and the developers to really tune and push the technology forward? I imagine it's quite collaborative.

Ravi Maira: It's quite collaborative, and it's across a lot of the spectrum. So we do have a customer advisory board, and that's generally leaders, right? That's either security leaders or development leaders or operations leaders who are in that advisory board, and they're giving us input on things they need for program-wide governance or program-wide adoption. We also have a developer community where we're talking directly to developers, and that's where we get a lot of "hey, here's how I could use this better as a developer," and that guides where we focus features that help developers work better, whether it's integrations with their IDEs or whether it's the way we present information to help them prioritize. And then the third part is we have a lot of people using the tool because it has a free model, right?
Ravi Maira: As a developer tool we have a freemium model. There's a level of Snyk that developers can use that they don't need to pay for. That's not a temporary trial; it's forever if you want to use it at that level. And we can observe what they're doing. So that observability gives us another insight into where folks get challenged, run into struggles, and then we can look to address those in our roadmap as well. So all of that together really helps us drive the product forward.

Lisa Martin: What is the perspective from the analysts' view? You talked a little bit about the perspective from the customer. We'll get to a customer story in a bit, but I'd love to know, what are the Gartners saying?

Ravi Maira: Well, Gartner especially. We debuted in their Magic Quadrant for application security last year, and we debuted as a visionary in sort of the highest part of the visionary quadrant you could get in before you crossed over into leader, which is kind of unheard of for a first time into the quadrant. And the main reason for that is the way those Magic Quadrants are built is they have key capabilities, and then they score companies against key capabilities, and they weight those capabilities by order of importance. And Gartner has started to put some of this notion of developer security and cloud-native application security into those key capabilities. And those tend to align really well with what Snyk does. So they have, for example, software composition analysis, which is sort of open source security analysis; we're first, we're the top ranking in that. We're the top ranking in container security, we're the top ranking in developer enablement. So that's pulling us there. So Gartner and the analyst community is seeing this same demand coming from their customers, and that's really aligning to where our vision is.

Lisa Martin: And in terms of kind of propelling that vision forward, the voice of the customer, the voice of the analyst aligning with what you guys are doing to kind of lead the vision going forward.
Lisa Martin: I want to get into some of the intelligence before we kind of break into a customer example. Talk to me a little bit about Snyk's security intelligence, what the key capabilities are and some customers that are leveraging it.

Ravi Maira: Sure. The biggest thing is, with all the developer tool wrapping that needs to be in this product, and it is a developer tool, it's got a developer's heart, but it has to have a security brain, because it still is a security tool. There are some developer tools that try to have little check-the-box capabilities of security and crowdsource for vulnerabilities, potentially, but if you're doing this you need to make sure that all the vulnerabilities that could be found are in the database to be able to be found: that the database is comprehensive, that it's timely, they get in very quickly, that it's accurate, you don't waste time on false positives, because that will turn developers off faster than anything, and that it's actionable. So when it does find something, it helps you go forward with it. And that's where Snyk is really focused. So we collect data from multiple public sources. We also have a fairly large proprietary research team that curates that information, determines what needs to go in, sometimes we'll adjust priorities. And we also get a lot of contributions from other sources, like community contributions (again, that big free user base of ours is giving us input), academia, open source groups are also in there, social media trends. So if we see something trending on Twitter, then that'll not only get it into the database but it'll drive prioritization. And that's a big part of what's in Snyk Intel, which is the name we use for our vulnerability database. We also have a machine learning algorithm that's constantly looking at all the code in public applications and repositories, and we use that to train our own proprietary code testing tool, but it also finds things there as well.
Ravi Maira: So it brings a really good source of information that helps make sure you're finding the vulnerabilities, you're prioritizing them correctly, and fixing them. And Amazon is one of the folks that's using that tool; we're one of the primary sources of Amazon Inspector for open source vulnerabilities, as well as a bunch of other security companies like Rapid7, Tenable and others.

Lisa Martin: One of the things I was reading... I'm always kind of looking at the differentiators, and I'm sure you are as the head of product marketing and partner marketing, but it sounds like the database is a key differentiator, finding vulnerabilities up to, what is it, 46 days faster than competitors?

Ravi Maira: Yeah, I mean faster than especially public sources, which are the easier ones to know how you're doing against, but that's a big part of it. So when I talked about those categories, that's really what we measure ourselves against. How are we doing in terms of comprehensive? Do we have the vulnerabilities that we should have? So we have over four times the number of vulnerabilities as the next largest publicly available database. We find them faster, so timely: that's the 46 days, getting it in faster than other public sources. They get into our solution. And then accuracy. Again, it's not a stat we can test, because you can't test it just from the database. You have to run the tools of others in the space, and we don't have those, but making sure that you're not hitting a lot of false positives is a big part of it as well.

Lisa Martin: Got it, okay. And we only have a couple of minutes left, but there's two more areas that I want to dig into with you, just crack the surface. One is Log4Shell. I was reading, Snyk says this week we were the perfect solution at the perfect time. Unpack that for me in the next minute or so.

Ravi Maira: Yeah, and it kind of wraps back to what we were talking about earlier. Everybody's using open source.
Ravi Maira: If you're in the Java world, a lot of folks had Log4j and were using Log4j for logging as a part of their applications. And so a lot of our customers, I think it was over 30%, 36% of our paying customers had the vulnerability, and you would only have the vulnerability if you're Java. So it's a very large percentage of our Java-using customers that had the vulnerability. But because they were using Snyk, they were able, once we put it in the database, which we did the day it was disclosed, they were able to find it and fix it very quickly. So 91% of our customers fixed that vulnerability in just two days. 98%... because this was a rolling thunder event, right? There was a vulnerability, and then there was a second vulnerability in the fix, and then there was a vulnerability even in the fix of that. So the second vulnerability that came out, because everybody had been ready for it from the first time, 98% fixed within two days. Whereas the median number of days to generally fix a vulnerability is over two months. So really fast addressing the solution.

Lisa Martin: Love those stats there, those are really impressive. And speaking of stats, I wanted to get into just really quickly a case study that really shows that. Atlassian is one of your many customers. Big developer community there, about 3,500 developers. Give me some kind of the high level of business outcomes that Atlassian is achieving thanks to Snyk.

Ravi Maira: Yeah, I mean, the biggest one is that almost 99% of their applications are deployed in containers. So being able to have the containers tested for vulnerabilities as they're being deployed, before they're being deployed, is huge for them to reduce the risk of vulnerability. They had a 65% reduction in high-severity container vulnerabilities a few months after using Snyk across all those developers, which really reduces the risk profile of your cloud-native applications. They're obviously a big AWS user as well. So for them that was the big thing.
Ravi Maira: And again, it goes to that scale, right? They've got 3,500 developers, more than 3,500 developers. If you try to go through the security team and have the security team fixing all those things, you'll just never catch up.

Lisa Martin: Got it. Last question. Where can I get this? Is it available through the AWS Marketplace? You mentioned the freemium model. Give folks kind of a direction on where to go.

Ravi Maira: Yeah, and so I would say if you're someone in the security team, if you're a buyer, the AWS Marketplace is a great place to go, because you can probably leverage your existing spend commits with AWS. It's easy to purchase, easy billing, et cetera. If you're a developer, then there is this free version where you might go and just start using it and get comfortable with it. And if you are a buyer, talk to your developers, because there's a pretty good chance someone in your company that's a developer is already using Snyk and will be comfortable with it. These solutions are only successful if the developers actually use them. You can't shift left unless the developers pick it up and use it. So using the one that developers are already using is probably a good idea.

Lisa Martin: Awesome, Ravi, this has been a great conversation. So much momentum at Snyk. You're the third Snyker I've gotten to speak to in the last month; it's pretty exciting. But thanks for walking us through the technology, the capabilities, the differentiators, the voice of the customer, the voice of the analyst. We appreciate your insights and your time, and we look forward to next time we talk to you.

Ravi Maira: Sure, thank you, Lisa. I look forward to it as well, but there's a lot more Snykers to go through before you get back to me again, I guess.

Lisa Martin: I look forward to adding to my repertoire of Snyker interviews, Ravi. Thanks so much.

Ravi Maira: Thank you.

Lisa Martin: For Ravi Maira, I'm Lisa Martin. You're watching this CUBE interview as part of the AWS Startup Showcase. Stick around, more great content coming up next.