All right everyone, we're back here continuing our coverage from the open-source security summit in Austin. Our next guest is Derek Townsend. Townsend, like Pete. Like Pete Townshend. Derek's with Legit Security. Too legit to quit. We've actually covered Legit Security on Techstrong TV before, but they are an exhibitor here, and we didn't really talk about it up... We're on the second floor here at the JW Marriott, I believe. It's the third, no, it's up on the fourth floor. Fourth floor. There's the sponsors' exhibit area. It's a large exhibit area. Legit is one of the exhibitors there, but on top of that, they're also a member of the OpenSSF, the Open Source Security Foundation, OpenSSF. And we're gonna talk about that. We're gonna talk about supply chain, some other stuff. But anyway, Derek, welcome. Thanks for joining us.

It's great to be here. Thanks.

You know what I'd like to get out of the way though, and I didn't mention it to you when we first started, which is, look, not everyone out here knows Legit Security. I, you know, I said we've covered them before, but not everyone watched that either. So why don't we start there, man? Let's give them a little Legit background and a little bit of your background.

Sure. So just background on the company. So Legit Security is headquartered in Tel Aviv, but almost all of our sales and marketing activity right now is in North America. So we're selling to larger enterprises, and it's a software supply chain security solution. I think the interesting thing is it's a really popular space right now, so there's a lot of vendors talking about software supply chain security. So when you even say that now, you kind of have to define what that means to you.

Well, I don't, and we're gonna define that in a minute, but not only that, I mean, when was Legit founded? Do you know?

Yes.
It was back in 2019.

So it was just prior to SolarWinds, right? Sometimes, just... I've learned this lesson in business: sometimes it's better to be lucky than smart. And man, what a good time to get into software supply chain security, right? The whole world's blown up since then. Let's talk a little bit about you though. What's your background?

Oh, I've been doing software startups for quite some time. Bounced around in different areas: developer tools, cloud management solutions, identity management, which got me into cyber, and now here.

Same here. I've been chasing that. Well, so Techstrong is not venture backed, so it's my... this was my blog, and if he came this, but... Yeah, I know how that goes too. So let's talk a little software supply chain security. As we said, it's certainly a hot topic even here, right? This is our second day here. You know, I was gonna say filming, but that's an old word. Recording, and speaking with folks, broadcasting, streaming. And you know, that's been topic one.

Yeah.

Software supply chain security. And it was interesting, I had a conversation earlier today with one of our guests, and it's like, so this is a word that's coming to vogue, let's say, in the last two years, right? Maybe since SolarWinds. But really, what we talk about when we say software supply chain security goes back a lot longer than two years, right? We've always been worried. I mean, look, I remember selling security in the federal government space years and years ago, 15 years ago, and they were worried about backdoors and about what was embedded in the software they were installing. Back then, we just... think about supply chain security, right? What's Legit's take on this?

Well, I think a lot has transpired with DevOps that has made software supply chain security a more urgent problem and a much broader attack surface. I think, rewind the clock years ago.
There was always a risk of insider attack. There was always a risk of some open-source libraries potentially causing a vulnerability. But now, when you look at DevOps and what's happened across the SDLC, all the different tools, all the different developers and collaborators that get involved, all those moving parts have gotten much more complicated. And although cloud security and other aspects of code scanning technologies are getting more mature, looking at the SDLC and all of its complexity and all of its moving parts has not caught up. And SolarWinds was the wake-up call, and it wasn't the only one. Several after that. And now that's why you're seeing this rush into the space.

Yeah, so I don't disagree, but I would add to it in this way. When we look at what DevOps is about, right, and there's no official definition and all that, but certainly it was a big dose of agile.

Yeah.

And a pinch of lean IT, right, added into that. And, you know, how we do dev and ops, and then the whole software development life cycle, pipelines, all of these things. You know, it introduced, especially from the lean heritage, from lean manufacturing and Deming and all that stuff, right, it introduced this analog of people building software the way we build stuff in assembly lines.

Yes.

You know, on a pipeline, and it goes along the pipeline getting finished until it's delivered, until it's deployed. And so I think the very name software supply chain security comes from supply chain security, right, that we see there. So I think that's the heritage for it, of where that analogy comes in, for something that, as we both said, has been done before, necessarily, but we've never had software be developed in the factory sort of mode.
Yes, that DevOps has introduced. I think factory's a good word, because factory also connotes automation.

Yep.

And the automation is there at all of these multiple steps, and it's also got this sense of kind of lean manufacturing and just-in-time assembly that takes place from multiple different sources and dependencies. And that's part of the complexity problem. And then you add on top of that, you've got different developers, different teams, contractors, other folks coming in and out. It's a very dynamic environment, and that is representative of modern kind of physical supply chains today, too.

Absolutely. So let me ask you another question then. I've spent the last two days talking probably to a dozen people already about software supply chain security, SBOMs and so forth. My fear is, every single person I spoke to gave me a different story. Yeah, or not a different story, but a different take on this issue. And that's okay. You know, there's no one right way, one wrong way. The world doesn't necessarily go black, white. This great. But my take is, are we going to extend it and embrace it for every single vendor out here, until you Unix fire, right? Where, you know, you have all these different flavors, but they're not really compatible.

You know, cyber is interesting, and you look at the evolution of different categories of cyber solutions. It takes a little bit of time for to gel and for the boundaries to come, that could be right where we are, and categorize. And I think this is early days. There is no formal category defined by someone like a Gartner or a Forrester yet for what software supply chain security is. But I think what you're seeing is that when you look at the attacks, they come from a lot of different vectors, and there's a lot of lateral movement. And so someone can claim a kind of a more narrow scope solution to software supply chain security. It's not exactly wrong.
It could be one attack vector. But when we think about it, we think that what the market needs is something more holistic that looks across everything, from when the developer submits the code, it goes through the build server, you go through the artifact repo, and it gets just ready to go into production. That, to us, is the scope of the software supply chain. So it's the pipeline. It's the systems and infrastructure in that pipeline. It's the developers and the collaborators that are interacting in it. And it's also the code that's passing through it. But where we draw the line internally is that we're not a code scanning tool. We're not SAST. We're not SCA. Those are well-defined categories, lots of vendors in it, mature tech. We're not trying to recreate that wheel. But there are some other pieces of code security, like secret scanning and scanning infrastructure as code, that still have space and we think are still part of that integral solution. But our take is, don't try to replace them. But there's value in finding where they are positioned across a software supply chain. So sometimes, you know, your SCA tool got turned off, or sometimes you don't have SAST scanning on a product line you should, and just getting visibility into that is really important. And the other thing that we're finding, this is at the intersection of dev and security, DevSecOps. Development teams might know some of this kind of back of the envelope, or back of their hand. They know where these tools are. The security folks don't necessarily. And so it starts, in our mind, getting visibility into that whole pipeline, that whole SDLC, first, including knowing where the other security controls are. And now you can start taking action. Now you can start doing important things to tighten up your security posture.

Love it. I want to talk a little OpenSSF participation. So Legit's a corporate member of the OpenSSF, along with some of the, you know, the biggest names: IBM, Microsoft, Google.
Yeah, big, big deck. What do you guys like, what's your, and I don't mean you personally, but what do you see as the role of Legit Security in this kind of organization?

Yeah, I mean, this is something that really comes from our founders, that were part of the IDF and have seen these things in the real world, and they want to, you know, truly kind of help out the broader community, not just our customers. And that's in a couple different ways. One is the research that we have. So we actually have an actual security research team within Legit. We're actively looking for vulnerabilities and publishing them, doing responsible disclosure. We had one two months ago. We have another one coming out later this month. So part of it is finding those vulnerabilities and sharing them before they get out of control. But the other one that's probably going to be even more impactful is the open-source tools that we're going to contribute. So I mentioned earlier, you know, our platform does this automated discovery across this whole pipeline, so you get to see what's out there. We're going to carve off small pieces of that capability, for example, looking at your GitHub instances. Is it properly configured? Has a developer taken a private repo and made it public, which they shouldn't do? That sort of security posture management for a GitHub repo is something that we're now actively working at to provide to the open-source community as a tool that folks can use on their own to improve their own software supply chain security for that piece. Now, if they find that useful, they might find Legit Security, and they might find out that we do not just that but all the other repos, all the other build servers, all the other artifact repos and everything else. So it could be an entry point to that, but in the meantime, it definitely helps the community at large.

Love it.
Absolutely. Yesterday was, I forgot what they call it, but like affiliate day or whatever, and the OpenSSF had their kind of event. Would not to say that, you know, it's very embedded into everything going on this week. But I'm wondering if you were involved in that at all, what your impressions were from what you've seen so far.

I wasn't involved in the event, but I think the open-source community as a whole has a really important role in just the topic of software supply chain security. And, you know, part of it is SCA tools and just the vulnerabilities that can be introduced through open-source libraries consumed in software. That in and of itself is a huge deal. You talk to some people and they'll tell you commercial software today is composed anywhere from, you know, up to 80% or even more of open-source libraries. That's not going to change. So continuing to focus on that and bring more attention to that space is really important. And then I think it takes you in other important areas, about all the other dependencies associated with building software today. SBOMs are part of that, which is picking up momentum.

You think so?

Yeah, and, you know, there's other things. It's not just open-source libraries. There's other dependencies across the board. So the more people talk about it, the more people start to put their attention to how this is being managed, and it's not a mystery anymore, and people are looking at ways to secure. I think it's better for everyone.

I don't disagree with you at all. Hey, you know what? We didn't tell people if they want to get information on Legit Security.

Yeah, legitsecurity.com.

Okay.

Come check out a demo.

Yeah, you go to the website. There's a book-a-demo button. You know, we found that, like a lot of these vendors, they'll talk about software supply chain security. When you see the product work, then the light bulbs really go off, and that's not unlike us. So go check out a demo.

Excellent. Hey, man. Derek, thank you so much.
Enjoy the rest of the week here at Open Source Summit. Check out Legit Security. They're a member of OpenSSF. We're live here in Austin. We'll be back in a moment with another guest.