Welcome back to SuperCloud 3, where we explore the security challenges faced by developers, CISOs, SecOps pros, and specifically related to building a common cloud experience across all of states. And we're also digging into the impact of AI and addressing these issues. With me now is Manoj Nair, who is the Chief Product Officer at Snyk. Manoj, good to see you again, back on theCUBE.

Hey, Dave, it's always a pleasure to be here.

All right, let's get into it. And when you think about how cloud has impacted security, it's like the cloud has become this first line of defense, if you will. And that's great because you got, you know, probably better security than you maybe had on-prem, at least for most customers. But you also now have multiple shared responsibility models. You got different experiences across cloud. So the CISO and the SecOps teams are asking developers to build security into code and design in security from the start. So how do you see these fundamental trends shaping and impacting customers today?

Dave, you said it, you know, it's both an opportunity and a risk, right? When you think about cloud, cloud is code, essentially. It's APIs and you use infrastructure as code and the whole thing is built with software. So it's not your typical infrastructure. So that's part of the opportunity that if you really think about an application, it's no longer just what you package and you toss it over a wall, you can make that whole continuum, something that a developer can automate and make it part of the work that they do. So this whole shift to DevOps, which kind of are pretty much way into it, but DevSecOps and putting security right in the middle and security all the way from the concept of creating the thing to the deployment and the continuous security of that. And that's the shift that we believe is still happening. A lot of folks are trying to get a good handle on that.
And that's, you know, part of, you know, how a company like us was created to enable that developer security, right? The developer cloud, but security trusted. So you got to make it easy. Devs have a lot to do. And part of the goal here to make that vision a reality is how do you make it easy and make it a culture change? Really focusing on automation and fixing as you go, rather than the traditional finding after the fact, which, you know, I feel I spent a lot of time in the security industry and still a lot of security is really about auditing and finding after the fact, here's an opportunity to just do it right and do it continuously and make sure it's, but that's really the shift that we think we're right in the middle of.

So thank you for that. Now, given the increased complexity, which cloud, well, in many cases, it simplifies things, but also sometimes has the reverse effect. So you got these cloud environments and you got all these different services that are offered by different cloud providers. How does Snyk specifically adapt its tools to cater to this sort of heterogeneous environment? In other words, how does your technology align with the super cloud concept? And does it help to simplify the security management for devs across multiple clouds specifically?

It's a great question, Dave. You know, if you treat each cloud, you know, separately after the fact, you know, post deployment is one of the words we use, then it has to end up becoming bespoke and you can try and abstract it as much as you can, but you're trying to secure the configuration of all the controls in the cloud plus your application in each of those clouds. Now, one of the things that you get an advantage by starting earlier in the software development life cycle is to try and make that security built-in part happen sooner and sooner. So you think about most code today, 70 to 90% of code based on different research that we've seen is open source code.
So we start, you know, look at that and say, can I secure the choices being made by the developer? And then can I continuously make sure that that open source code choices that are being made? And it's a very deep dependency problem because it's not just the open source you're using, it's what are the other open source developers that you're using use and then so on and so forth. But that's completely, you know, independent of cloud. Then you look at your own first-party code and that's, you know, a big part of, again, get the fundamentals right and do it as you're building that code, educate developers about security and help fix those issues before they even show up. And then you think about the container packaging of that, like that can be a lot of code, you know, even with cloud-native services there are different kinds of container infrastructure but still packaging that's almost a standard there. What are the different layers of that container packages and images and, you know, the best practices that enterprises have now started building there. And then finally, infrastructure as code is what's used for deploying and there's a way to check whether you're using something like Terraform that is platform-independent or you're using platform-dependent, you know, versions of infrastructure as code, there's ways to check config and policy there. And then finally, you know, we think of, you know, cloud configuration that, you know, all of this is pre-deployment. And so all this can be done pre-deploy. And so your post-deploy verification becomes a verification step rather than you're finding those issues post-deploy, right? So 90-10 versus 10-90. And that's that shift that you can do. And by doing that right, you're also giving flexibility on which cloud deployment, like you don't have to redo your security entirely. You can, you know, do 10% different but you don't have to rethink of your entire security posture depending on which cloud you are.

So it's interesting what you described because on the one hand, so you talked earlier about cloud as code. So that simplifies things, but then you talked about all this complexity on the backend. So cloud as code, but now code is now natural language. And when you think about security breaches, they oftentimes occur due to vulnerabilities and things like open source libraries. And you got these libraries growing exponentially. So are you and how are you using AI to keep pace? I.e., what approaches might you be using to ensure things like continuous monitoring or rapid response so that you're not sort of doing it after the fact as you just described. What's the role of AI?

Well, there's two very key parts here. One is security of AI and then the other is using AI to help make some of these things easier. So I'll break down the first part and then we can take the second part separately. So when the opportunity with AI and especially generative AI, it's kind of created this moment where, and I'll just focus on the dev part. We all know and we love using various generative AI tools for the kids' birthday party, poems and other things. But when it comes to code, you need to train it with specific context. And what is being done for most of the AI generated code, generative AI tools is they use open source. Now, part of what we know is I talked about open source issues. There's a lot of security problems with open source code. That's one of the first things, that's where a company like Snyk actually started as securing open source code. So we understand that inherently but not all the models when they train it think about it that way. Then there's the human context required. Every day there's a new zero day and our security researchers keep finding tens to hundreds of it. And how does that, if you have a model that's pre-trained it needs to catch up with that evolving landscape.
And what we're seeing is that something that is essentially making an inference of what code should look like based on pre-training on potentially insecure code doesn't necessarily generate secure code at the end. I've got customers who tell me, look, the code generative solutions are improving productivity 40, 45% but what if it's creating security vulnerabilities that 50 to 70%, right? Like now all you're doing is creating these issues faster. And fundamentally what we're seeing that's doing is making CISOs and security teams really conscious about the fact that they cannot do this post facto part that you talked about. You have to make that, whether shift left is a buzzword or not, you got to really shift that early detection. You almost need to make sure that you're embedding technologies that catch these issues right where the code is being created, not after the fact. So that's one of the big trends we're seeing is AI generated code, great for productivity. There was a Stanford research and a few other research, NYU, that shows that AI generated code ends up producing more insecure code. Partly it's because of the technology reason I talked about but partly it's because of the psychological reason where a machine generates something and depending on how senior the developer is you may or may not actually check what is generated. You don't even feel the ownership of what is generated. And so these are the challenges that the security teams that I'm talking to and CISOs and really large companies, that's what they're dealing with today.

All right, so then thank you. And now let's deal with the second part of the other side of the coin. And so as we go from multi-cloud being, hey, my product runs in a cloud A and cloud B and cloud C and it's all kind of a different experience. As we move towards super cloud I'll ask the question this way. You think about your product, it's becoming an integral part of a lot of companies' DevOps workflows.
So I'd love to hear your insights about how customer needs and concerns are changing in light of that broader shift from multi-cloud to what we're calling super cloud. What are some of those obstacles that customers face with managing security? And to your point, using AI to make things easier, how does that fit?

Yeah, one of the big obstacles with that shift is just standardization of some of these tools. We talked about the complexity, Dave, you talked about cloud was supposed to make it a little easier, it's code, but yet you have all these parts, and traditional app security really grew up in an age of compliance and audits. And so you just use whatever tool that you use for a certain part of your code stack and it didn't matter. And now it matters because velocity is important, dev productivity is important. So you cannot treat these different aspects, all of what I described, whether it's open source, first-party code, containers, infrastructure as code, that whole could AI that they're not having holistic platforms of the challenge. And that's one of the things that a developer security solution is actually like us is trying to solve is have a seamless continuous approach. The other part is a culture change.
I talked about this culture to DevSecOps and that really is ownership, and it's not going to happen if the developers are given more and more to do. You got to make sure it is intelligence and it's something that is a partly educating, partly making it intelligent. And this is really the opportunity we see with AI is, there's not one part that's very loaded as AI, there's machine learning, LLMs and all that, but what we are doing, instead of having a generic AI solution that can generate your drama script and can generate your code and can secure it, we're saying we do one thing and one thing only. So it's like a full self-driving car analogy I'll use: the car needs AI that understands rules and ML that learns from sensory changes in the world on how to react when things change. You combine all of that, focus on one thing, that's securing code, doesn't matter how it was generated, human or AI, and now you're able to do this enhancement of productivity. It's going to happen, anything that creates productivity enhancements gets adopted by devs, and that opportunity is where we see a big push now, and that actually makes that shift left vision of security a reality. And that's a great opportunity now to simplify some of the siloed complexity that was introduced with solutions from the past.

And you're doing that across cloud in a way that sort of hides that complexity, and I like what you're saying about the focus, but then it leads me to another question. I think about like storage vendors trying to build a common storage layer across clouds, or what VMware is trying to do with cross cloud, you got Red Hat with OpenShift trying to create sort of a similar consistent experience, Snowflake doing it in data, Databricks doing it in data, you guys doing it for devs. So you've got these, which is the right thing, focused specialists knocking down different parts of their value chain. How do you see that coming together? Is it even add more complexity or is that simplified things in your view?

I think it's a really matter of context is king in some ways, and as a product management leader I think of product managers, what do they give developers? They give them context so then they can build a better solution than rather than telling them what to build. Well, we are giving them a security context right where they are to make better choices, and that offers abstraction too, that's a side effect. Unless you brought it up I wouldn't have thought it necessarily in those terms, Dave, but the abstraction comes from the fact that this is context. For us a cloud deployment is context, and what we have done with cloud, a lot of CSPM, CNAPP vendors focused on finding these issues and trying to figure out attack paths. We actually bring that cloud deployed context all the way in the hands of the app sec teams and the developers, so they know that this line of change here, based on their actual cloud deployment model, whichever cloud it is, this particular change is going to impact your cloud deployment in XYZ based. We're bringing that pre into the loop and that is another way of abstracting and reducing the complexity and enabling some of these choices. You might, we use multiple clouds, we do it because we like the capability of those different clouds. We don't want every developer in our teams to actually figure out all the details, so platform teams get created that abstract it. And a lot of the technologies you mentioned, we're a customer and partner, Snowflake, we use it in our platform. Not every developer of ours needs to be an expert in that, it's available as a service, and that's where we're really seeing security really is also getting built in into that platform stack and then everyone consumes that stack. And so that's the way to actually handle this from becoming layers of complexity. You're giving this as building blocks to the devs who in the end are creating all this innovation, and they just have a simplified set of building blocks and the building blocks themselves are
abstracting the complexity away from the dev teams.

So I'm probably going to keep you a little longer than I initially thought because this is such an interesting conversation, and I wonder, Alex, if you could go back to a one shot of Manoj because over his shoulder it says make every developer part of your security team. And the reason why I think this is so interesting is because the CISO and the SecOps teams are asking a lot of the devs and the devs and they're not security experts, so this is where you guys come in. So you're helping to simplify that, but I want to ask sort of a zoom out and ask you a big picture question that we're asking everybody: ultimately in your view will AI be more beneficial to attackers or defenders, and why do you think that?

Well, good from the time I've been in security, you know, Dave, we've talked about, I've been part of nation state attacks when I was back at RSA leading the response, it's always a cat and mouse game. I think done, right? AI, you know, just being careful about how you adopt it, and this is where education is key, and this is something we're trying to educate teams that might not be thinking about it. They're looking at the sizzle aspect of, oh wow, I can generate code using chat interface or an API or some tool that has built it into the thing, and not thinking through all the aspects. And there are security aspects, there's quality aspects, there's privacy and data governance and IP aspects. Now if you can really think about this as, you know, I'm going to make the devs more productive, and a lot of, you know, if you look at some of the attack patterns from the last year, it's so easy to get into an organization with supply chain attacks, but that same, you know, focus by empowering the devs with, you know, responsible use of AI technologies and really marrying it with responsible use of AI security technologies makes it much easier for you to build in security into the stack rather than just bolting it on after the fact and you
know, so my belief, you know, I'm optimistic and it's going to take time, it's going to take a lot of education and tooling and culture change, all of it coming together, but the potential here is that you make a generational leap in our ability to actually tackle some of these issues that just don't seem to go away.

Okay, last question. So the chief product officer at Snyk, so you have a unique vantage point on the intersection of security and developer trends. So thinking about the context of this AI super cloud era, what emerging security challenges do you anticipate that developers are going to face in the next, say, midterm, three to five years, I guess that's mid to long term in these days, and how are you planning to evolve your product portfolio to meet these threats?

No, I think the here and now challenge we talked about, but that'll probably continue for the midterm, and that is organizations are going to want, then doesn't matter what your compliance posture is, what your governance posture is, you are going to want to adopt this technology because it fosters faster innovation, and that's everything we've seen, cloud, all the technologies we talked about in the past, if you are actually improving innovation you're probably going to get adopted. And so that's kind of the here and now problem, and where we are with that is we introduced things like DeepCode AI, is our AI engine, it does one thing and one thing well, it understands code and it uses layers of AI, hybrid AI we call it, symbolic machine learning and LLM, to find issues real time and fix issues as you're writing code, and that writing can be done by a different AI that is a code generative AI. So that's something that a lot of our customers look at it as a reason to accelerate shift left, get this technology right in the IDE where the developers are writing code or using generative AI solutions and marry Snyk Code and DeepCode AI Fix as the fix feature right in there, and that's the start.
There's a lot of, we started seeing things where the open source ML engines can get attacked and that can be a new compromise vector. Prompt engineering is great but you're able to use that and you're able to use that as an attack vector too, and really training the safety of AI in that context, what data is getting used by the developer. And so as we go from just generating code and innovation faster, a lot of people are gonna want to use AI, well, how do you responsibly use data in the context of AI? And finally the security of those solutions itself, and there's a lot of noise, rumor, reality in the window that maybe some of these models are poisoned, but we know that theoretically it is possible, and anything that's theoretically possible is going to get exploited. And so how do you secure the actual engines itself that devs might be using? So we see all of these as areas of focus, and then the cloud capabilities keep exploding and so you want to leverage the native goodness of every cloud while not making it a burden. And so enabling that evolution to more of a platform teams is another part of it that we see us empowering, really security being built into the platform, and that's a trajectory that all these trends are offering.

You know, the whole industry is really focusing on these mega trends, Manoj, and you're right at the heart of it with your product knowledge and your deep expertise. You've always been a great contributor to theCUBE so thanks for coming back on.

Thank you Dave, number 13. Remember they're lucky 13.

All right, keep it right there for more content from SuperCloud 3 live and on demand from theCUBE's Palo Alto studios and of course on thecube.net.