From around the globe, it's theCUBE with digital coverage of AWS re:Invent 2020, sponsored by Intel, AWS, and our community partners.

Welcome to theCUBE Virtual, our coverage of AWS re:Invent 2020 continues. I'm Lisa Martin. Got a couple of guests joining me next. Wendy Moore, the VP of product marketing from Trend Micro is here and Geva Solomonovich, global alliances CTO from Snyk. Wendy and Geva, it's great to have you both on the program today.

Thanks for having us, great to be here.

Hi, Lisa, thanks for having us.

Last year, we were probably all crammed in Vegas together. Here we are virtually, but it's great that we're still able to connect. So a lot has gone on since we were all at re:Invent in Vegas last year. Wendy, let's start with you. From a security perspective, there's been a growth in open source vulnerabilities that have impacted enterprises globally. Talk to me about what you're seeing there, what's going on.

Yeah, well, I think everybody in this audience recognizes the rapid shift to the use of open source in development teams. And what we've seen alongside that is a rapid increase in the number of vulnerabilities that are showing up in open source software. So that means that vulnerabilities that can be exploited and cause damage to your company's application, reputation and your customers are on the increase out there.

And a number that you sent over was two and a half X growth in open source vulnerabilities in the last year. Has that number gone up during the pandemic?

So I'm not sure if the vulnerabilities have gone up during the pandemic, but we've definitely seen an increase in exploitation of vulnerabilities. You know, there's so much in the news about ransomware incidents in healthcare, targeting pharmaceutical organizations, and most of those are taking advantage of vulnerabilities, not necessarily in open source, but some of it is definitely happening in open source.
Yeah, we've been talking about the rise in ransomware for a while and it's all the numbers and types of companies and healthcare organizations, like you said schools, governments, for example, lot of vulnerabilities being exploited, that's for sure. So yeah, well, let's go over to you, talk about from Snyk's perspective, the impact on businesses and how can you guys help?

Yeah, and I'll put in a few insights there on the open source risk as Wendy talked about it. Why is it growing? One, of course, just open source usage is growing. So of course, we've got just the amount of vulnerabilities is growing and the amount of exploits. But when you look at it from a hacker's perspective, attacking is an ROI based activity. Hackers want to spend their hacking hours where they're more likely to get a reward, be able to get that ransom or steal the data or do whatever they can. And open source actually makes it much easier for them than a lot of these other alternatives. One, the source is open, so just finding the vulnerabilities is much easier than trying to find the vulnerability in proprietary code. Two, there's like a market for these exploits and companies even like Snyk, which have bases of all the known vulnerabilities. One of the byproducts of that is that you can just go and see all the vulnerabilities out there and pick the ones that you want to try to exploit. But three, which is really the most critical piece is that if you do find the juicy vulnerability in a very popular open source package, the amount of companies you can attack is not one, it's thousands or tens of thousands because that's precisely what makes the popular open source package popular. It's being used broadly. And so if you spend this effort to develop an exploit and then you can send it like they're just across the board to tens of thousands of companies, you're more likely to be successful. And that's what's driving a lot of the hacker attention into the open source vulnerabilities.
And that's where the growing. So it's a low cost, high reward for those hackers. Wendy, what are some of the ways that organizations can protect themselves from this?

Well, one of the best ways to protect themselves against exploitation of vulnerabilities and against vulnerabilities showing up in their code is to actually analyze their code and scan it looking for vulnerabilities. And the best possible place to do that is actually in the code repository. So before code is ever packaged up and deployed, it actually gets caught really early. So it's all about shifting security left. But some of the challenges with that is that the code repository and the code and open source has largely been the domain of DevOps and the developers. And security who is tasked with managing the risk of the organization has little to no visibility into what vulnerabilities might exist. So something that's a growing part of an enterprise risk profile, the security team doesn't really see. And that's a big gap for most organizations.

So in terms of that visibility being essential, sounds like maybe even a cultural gap there. Geva, what are your recommendations? We talk about SecOps, we talk about DevOps. Is the solution that SecOps or SecDevOps?

And I mean, all these developers are definitely helping there but you kind of need to break it down and understand the problems, which is what Wendy was articulating. One, you have these traditional security teams have all their traditional tools. They look at mostly, and let's call it IT type of security. Then you have this entire new category of risk, which is let's say open source risk, but it sits inside the code repository inside a GitHub repo or somewhere where they completely have no visibility into. And what that causes is, one, hard to have a conversation with the developers who are those who ultimately need to pick those vulnerabilities, remove them from the code.
But two, also just from a mind sharing that in allocation, it's hard for you to protect something you don't have visibility into, which causes open source security to be possibly under provisioned in your entire security stand as you're looking at security risk. And as you're talking about solutions, so one of the movements we've seen with the DevOps where engineering team and IT teams have come together and to have a shared ownership of the results of deploying these applications in production. Now you expand that into DevSecOps and it's okay to actually make this work. We need to have a shared responsibility model where both developers step up to take some ownership and the traditional security team step up to understand what the developers are doing, build tools to make it easier for them. And ultimately I think Wendy nailed it on the head; she said the best way to protect yourself is actually to remove the vulnerable line of code from your application, not wait for it to be deployed and try to put some blocks there.

All right, so Wendy, how are Trend Micro and Snyk working together to resolve that challenge that you guys just described?

Yeah, well, Trend Micro and Snyk have been working together for over a year now and we came out with an initial offering and now we're coming out with a new offering that is really focused on basically delivering that code scanning ability right in the code repository. And through Trend Micro's Cloud One platform, we are delivering this as a service to the security operations team so that they get visibility of anything that Snyk finds in the code repository and they can take action from there. So Trend Micro's Cloud One security services platform basically equips cloud builders with a whole bunch of different types of technologies to satisfy their different infrastructure requirements.
So we've got things like workload security, application security, network security, a number of different types of security tools and this just brings another security tool to the security operations team and the DevOps team so that they can basically extend their visibility and their security controls back to the code repository.

And Geva, what are some of the impacts that you're seeing? So for obviously, besides wanting to find those vulnerabilities faster is when we talked about shifting left, but give me some examples of some customers that you were working with maybe in the first iteration and what the impact has been.

Well, the impact of what, sorry, can you repeat the question?

Yeah, the impact of your technologies together. You said that there's a new offering coming up. But talk to me about some of the impact that these customers are making.

Yeah, okay, sorry, thank you for repeating the question. And so this joint product is very exciting from multiple perspectives. One, it is going to be delivered inside the Cloud One platform which Wendy just talked about. You asked before, what is the impact of COVID and one of the big impact has been on the financial stress every company and every vendor is having. And so just the ease of managing less vendors and less tools and less places to procurement is of high value for every organization just in terms of efficiency of operations and just being able to acquire this new product on an existing platform where they're already consuming security tools that by itself is amazing value. And number two, we're taking again, we're taking a technology which is a cloud native it's a modern technology that typically has been outside of the purview of the traditional security team and making it accessible to them in a place where it's easy for them to try out. They can start small and grow from there. They don't have to make a big commitment to get going.
And more importantly, it's giving them visibility into this important technology that they didn't have before.

So Wendy, this is all intended at bridging that gap. I'm just curious like if we take a peek inside what this enables SecOps to do what it enables DevOps to do? What are some of the feedback that you're hearing from customers about those teams coming together and actually being able to work very collaboratively with that shift left actually being able to be done?

Yeah, I mean, if you talk to, there's some organizations who do this really well they're very mature and their security operations teams and their DevOps teams work very closely together collaboratively, excuse me and they also understand each other's needs. So they're able to insert tools into the security pipeline that don't slow DevOps down but also meet the needs of the security team. Whereas we see some other organizations where Dev is at one side of the pipeline and you've got security at the other and they don't tend to converse or meet and those are the organizations where there tends to be more challenges. So the idea with this new solution is it's going to give the security team visibility of basically the scale and scope of their open source situation. So that they've actually got some data to go have conversations with the DevOps teams and start going in that direction of making those teams work more seamlessly together. I mean, you use the term DevSecOps before some organization that's a very real situation others still have a long ways to go and we think this is a great first step to bring those teams together.

Fostering long-term friendships, I'm sure. So talk to me about the go to market, Wendy. How are you guys going to market together, Trend Micro and Snyk? Selling direct, channel? What's that like?

So this is actually going to be a Trend Micro Cloud One offering.
So we jointly developed it with Snyk but it's going to be Trend Micro who is selling it and we go to market a number of different ways. AWS Marketplace is a big channel to market for us and this will be available for purchase there when it becomes available in January. And also we also work very closely with channel partners as well who also participate in AWS Marketplace.

So what are some of the things that you're expecting customers to be able to take advantage of around the time of re:Invent and into early 2021?

Yeah, I really encourage customers to visit our page on the AWS re:Invent platform. We're going to have all kinds of exciting demos there. You can go learn more about this new offering that we're delivering jointly developed with Snyk and you can also ask about how you can sign up for early access to this new offering. So highly encourage you to go check that out.

Excellent. Early access is always nice to be a beta tester and really get that symbiotic relationship. Geva, the last question for you is as the global alliances CTO, I imagine your customer conversations in the last year have changed dramatically. Talk to me about some of the things that you really think, in terms of like exposing vulnerabilities, let's talk about exposing opportunities that Snyk is helping organizations do so that they can not just keep the lights on during this very unprecedented time but actually be winners of tomorrow.

Yeah, I think again, at the heart of the DevOps movement and why it's been successful, it's reducing that feedback loop between writing some code, getting it to production in the hands of customers, getting the feedback from them and rinse and repeat. And it's shortening that loop. And those who have it the faster can get to market faster and can deliver value faster and ultimately are the winners. Now, one of the things we've seen with COVID is a lot of this outbound activity has been going down.
People are going to advance and need to look more internally on how you can become better as an organization. And we've actually seen an increase in the investment of the digital transformation and cloud journeys and stuff like that. And one of the traditional inhibitors that's going fast and all into the cloud is that sense of loss of control of the traditional security teams on the application development where now people can deploy hundreds of times every application to the cloud a day. And what we've seen is that they come to Snyk or to companies like us so we can secure those new modern development life cycles and give the security feedback to the developers as they're building the applications and give the security teams the visibility into those build pipelines and application building. So they have a sense that they're not losing all the control they used to have they're still getting visibility into those application development and actually allowing the organizations to go faster because of it they can sign up to these new methodologies and actually increase the speed of going to the cloud.

Yeah, and that's critical because as you mentioned as we've been talking about for months now the acceleration of cloud adoption the speed of digital transformation it's one of those things that's challenging to do you've got to have visibility period in order to facilitate that. And another thing that you were kind of describing, Geva, is that visibility provides that sense of control or trust and that's also huge for not just a business to catch vulnerabilities but for teams the DevOps teams the SecOps teams to be working together in a highly collaborative way. Do you agree, Wendy?

Absolutely, and the beautiful thing is this sets that up, this tool.
So it allows them to work together very collaboratively but it also sets up that visibility so that down the road there could be even further automation into that process because the whole purpose of DevOps is to take the people out of it, right? But in order, you need to set up those processes to begin with. So this is a first step in terms of setting up that automation and visibility amongst those two teams.

Excellent, and can you say one more time, Wendy, where prospective customers can go to learn more and become an early adopter?

Yeah, absolutely. So visit our Trend Micro page at the AWS re:Invent platform and there you'll be able to learn much more about the offering and also learn how you can access the early adopter program.

Excellent, you guys thank you so much for joining me on the program today and sharing what Trend Micro and Snyk are doing together and how you're helping organizations cross-functionally be successful. We appreciate your time.

Thank you, Lisa. Appreciate it.

Thank you so much.

My pleasure. For my guests, I'm Lisa Martin and you're watching theCUBE Virtual.