 Welcome to this CUBE conversation, which is part of our third AWS startup showcase of this year. I'm your host, Lisa Martin, and I'm pleased to welcome to theCUBE the CEO and co-founder of WhiteSource, Rami Sass. Rami, welcome to the program. Thank you, thank you so much for having me. I'm excited for our audience to hear about WhiteSource. Give us that high level overview of what the company is and how you're helping organizations. Sure. So we have software engineering teams kick track of their use of open source components, sometimes referred to as dependencies and primarily focused on security aspect of those dependencies and are able to very natively and very quickly identify one all of the dependencies that are being used in a certain software that's being developed and alert to any known vulnerabilities that exist in those dependencies. And then make our users through the journey on finding them, prioritizing them and fixing the vulnerabilities such that their software when it gets released is not at risk. Not at risk. One of the things we've talked so much about in the last 18 months is the threat landscape. It's changed dramatically. We've seen a huge increase in ransomware, huge increase in DDoS attacks. We also are in the fifth consecutive year of a cybersecurity skills gap. It's been there for a while. We know that there've been barriers between developers and security. How does WhiteSource help address that cybersecurity skills gap? So we focus on automating as much of the security practices as possible, right? So basically our main premise is that we want to be the security expert for the engineering team so that they don't have to, right? So we provide tools that automate the entire process of remediating the vulnerability so that we can save the developer's effort and time in becoming security expert, basically saying they don't need to become security expert. They can keep doing what they do best, which is develop software and provide more business value to their employer. And we will take care of anything that has to do with security in their software for them. So basically we are trying to alleviate the need for developers to develop any kind of security related skillsets. Got to ask you, how does that address? We talked about the skills gap, but also the cultural shift required for developers to then kind of exhale and put their trust in you guys. And that's a big challenge to change cultures within organizations. How do you help influence that? Sure, so look, when you're talking about cultural shifts it always takes time. Like these things do not happen overnight and it's gradual. And so we are very well aware of it and we do not expect people to have 100% confidence in us immediately in day one. So our tools and practices account for it and we help our users increasingly trust us more by proving ourselves to them, by first starting with providing advice and allowing them to control the pace at which they automate more of the process. So initially we will just tell them what they need to do and let them do it themselves until they've gained enough experience with our tool to just allow us to take the full cycle for them. That's one, few, which maybe is even more important is that we rely very heavily on crowdsourcing, right? So we have a very extensive customer base that is made up of some of the world's leading enterprise organizations that have very complex and a large environment. And across those environments combined with our ongoing and monitoring of everything that's going on in the large world of open source projects, we have compiled a very extensive crowdsourced database or knowledge base, if you will, that basically gives you intel on what others are doing with those vulnerable open source dependencies, right? And we can give you a lot of confidence when we see that the broader community of both commercial and free open source users have upgraded a vulnerable dependency to a safe version and are sticking to the new version, right? They're not pulling it back, they're not undoing that change. And so we give you a lot of visibility into all of that information. And also, when things go bad, right? If we see that many people roll back some change and avoiding some dependency version, then we will warn you away from upgrading that version. So I think that the fact that we are establishing our recommendations on a lot of crowdsourced data is another way for us to provide more confidence and automating actions for our users. The C word confidence is absolutely critical. I got to ask you though, Rami, something that you mentioned, I always like to ask startups, what was the impetus to start the company? You're the CEO and the co-founder, what were some of the gaps that we're missing? Was it crowdsourcing and was it the lack of that community to really provide that visibility to developers that you guys saw as an opportunity to fix in the market? Right, so at the risk of exposing my real age, I'll tell you that the company started over 10 years ago and was actually based on previous experience that us founders had in another company when it was time to sell it, right? So when we sold our previous company, we had to go through a due diligence process where we were required to provide a very detailed report of all the open source dependencies that we were using and we didn't have such a report and sort of caught us off guard and we had to spend a lot of time during the most stressful part of the due diligence finding out which open source we were using and documenting it and coming up with the report. And so that was like a very personal experience we had but it was very obvious that it's not something that we did special, right? Everyone who is developing software is relying very heavily on open source and usually doesn't track it very well. So it initially started from just a very basic need for transparency, visibility, and the ability to provide a simple bill of material that's now become a big thing, right, around SBOM. But 10 years ago, it was very difficult. It was very like manually laborious task to be able to come up with your bill of material. And that's sort of the experience that triggered the foundation of wide source. Got it. And now talk to me about your relationship with AWS and mention in the beginning of this segment that this is part of our third AWS startup showcase of the year. An overview of your relationship with AWS from a technology partnership perspective, sales, marketing, product. Sure. So we've been working with AWS for a very long time and they are a wonderful partner to work with. It started right at the beginning where we are a cloud native company, right? So we're a SaaS solution provider. And from the beginning, we chose AWS to be the infrastructure on which to have a solution. And we grew together with them over time over the last 10 years. We've been scaling again and again our environments and the services that we provide and have been consuming more and more of AWS services, both for infrastructure and mobility, but also and very importantly for securing our runtime environment, which they do a great job at. But then it went even further and we are now integrated with a lot of AWS services and products and technologies. So our offering is very much integrated with several AWS offerings. And even beyond that, we are working closely as a go-to-market partner with AWS. So we have several co-marketing initiatives with them and we are part of the startup co-stale program such that AWS salespeople can co-stale white source to their customers. I imagine that is an advantage, the partnership and the deep relationship that you have with AWS in terms of getting those customers meetings and helping them achieve the confidence in the technologies and the power of the two companies. In 10 years, we're looking at 1,000 customers and some big names I saw from your website, Microsoft, Comcast, Splunk, 23% of the Fortune 100. Tell me how the AWS partnership helps you give those developers the confidence that they need to trust in your technologies. Sure. So first I think the synergy is very apparent, very obvious because both AWS and us sell to the engineering departments and to the DevOps people, right? So we are catering to the same users, the same customers, the same even decision makers. And so it's very easy to understand. It's also very easy to tell the better together story, right? So it's very easy for the AWS salespeople to explain to their customers why it's easily integratable and it makes the sales motion easier and more transparent and fluid. And it makes the customers' consumption of the joint services easier, right? So for them, it's easier to work with AWS as a vendor knowing that they can get all these added security features from them and gain the confidence of having this solution vetted by Amazon and get AWS as a reference for us as a vendor also makes it easier for them to trust us and to use our services in every piece of life. Sounds like synergistic cultures as well. I want to dig into something that I saw on the notes that you guys provided that white sources enabling organizations to eliminate up to 85% of security alerts. That's a big number. How do you do that? All right, okay. So first to clarify, we're talking about open source vulnerability alerts, right? So in general, not all security alerts for open source security alerts, we've developed a deeper analysis that goes beyond just looking at your bill of material and identifying which dependencies are vulnerable and analyzes the way in which the developers are using those dependency. And what we've found over the last three years of running that technology with real customers over many tens of thousands of development projects is that on average 85% of the vulnerabilities in open source dependencies are not reachable from your code, right? So they are still there. You're still using the dependency but you're using some other function of it which is not vulnerable. And the vulnerable function is never actively called in your code base. So this is like very specific. It's not some generic analysis. We had to analyze your code and figure that out. And so again, the average statistics says that just 15% of vulnerabilities are quote unquote reachable from your code and make your software vulnerable, right? All the others are simply not exploitable. And so it can easily be eliminated for the need to remediate, right? So you don't have to. Got it. How are you guys helping customers? There's been a lot of data that shows companies are spending millions annually using multiple web app and API security tools on average but are still having problems with those tools being effective. How does white source help customers not waste time and resources and get right to being able to identify and remediate those vulnerabilities? Sure. So look again, our philosophy is that just detecting the problem with security issues doesn't fix anything, right? Doesn't help you solve your problem, right? Paramount to going to visit your dentist and having them find the cavity. And maybe they do an x-ray and they tell you exactly which tooth it's on and how deep it is and then just send you home and you need to deal with it yourself, right? So it doesn't really solve the problem. Your mouth still painful. You have to fix the problem in order to get any kind of value from a security service or tour. You have to close the loop, finish the process and fix the vulnerability. And so by investing a lot in automating the remediation, in enabling our tools to close that cycle, right? To finish the job and fix the vulnerability, we enable you to actually gain the value from the various tools that you're using and make sure that your software is not exposed and not vulnerable and not just give you a report with the vulnerabilities, right? Not just find them for you. Got it. Last question for you is if we look at your recommendations when you're talking to customers especially as I mentioned earlier in the conversation the threat landscape has changed dramatically in the last 18 months. When you're in customer conversations, how do you advise them to start? Do you start with the developers? Do you start with security? Or do you start by saying you've got to bring everybody together? So we would normally start with security and not necessarily the developers themselves but the engineering managers, the heads of engineering. Again, because our main effort is to leave the developers alone, right? We want to get as little developer involvement as possible so that they can be free to do what they need to do. Security is something they have to do, right? It's a chore. It doesn't add business value. It just protects the business from being exposed to greater risk. And so our approach and our practice is to be a sort of exception-based tool for developers and only get them involved when you absolutely have to have them chime in and do something. Otherwise, we can fully take ownership and automate the entire process of identification, prioritization, and remediation for the organization and just provide reports on how many vulnerabilities we fix this month and give them better visibility into their security posture. But we invest most of our innovation, attention, resources as a company to automate as much of that process as possible so that the developers don't have to spend their time on security issues. We will do it for them. And I imagine developer productivity goes way up for your customers. I do have one more question for you. Given that here we are in the fall of 2021, what are some of the things that you're looking forward to as we go into the new year? I don't know if you win the new Jewish year or the new... Maybe both. I was thinking just as we go into 2022, some of the things that you're excited about. Sure. So look, it's a little difficult to be happy about something that's a problem for other people, right? Because there is a growing threat for application security and there is more and more attacks going on in the world. But I'm really looking forward to helping more people be more protected while not wasting their time, right? So what drives me is the ability for us as a company to provide real value for our customers and not be some shelfware or not be a tool that just produces reports that no one knows what to do with. And the fact that we are able to steal our users and our customers away from risk and save them the hassle of being attacked, being hacked, having their data stolen or having the system broken into is what I'm mostly looking. And there's plenty of opportunities for you guys to do just that and really add that value for those developers and the companies, like I said, big brands, Microsoft, Comcast, Blunk. Rami, thank you for joining me on the program today, talking to us about white source and how you're really filling the gaps in the cybersecurity skills landscape and helping really transform developer productivity where security is concerned. We appreciate your time. Thank you. Thank you so much for having me on your show. My pleasure. For Rami Sass, I'm Lisa Martin. You're watching this CUBE conversation.