Swapnil: Hi, this is your host, Swapnil Bhartiya, and welcome to another episode here for our newsroom. Today we have with us Moti, the chief product officer at Apiiro. Moti, it's great to have you on the show.

Moti: Hi. Nice meeting you. Thank you for inviting me.

Swapnil: Yeah, it's my pleasure to have you here today. We are going to talk about XBOM, which you folks announced, if I'm not wrong, a week or so ago. But before we go there, I would love to know a bit about the company itself. Talk a bit about the company mission.

Moti: Apiiro's mission is to secure your application code and the way that it is delivered into the cloud, and to do that in an innovative way. The fact is that the growing complexity of how applications are being developed, deployed, coded and delivered in the last two years, mainly around Agile, cloud-based applications, is completely changing the attack surface and the way that attackers are going after applications. It creates a completely new, interconnected attack surface which combines different types of components and their relations to each other. Current AppSec tools, which are siloed and standalone, looking only at open source, only at secrets, or only at application code, are actually creating an overwhelming list of alerts that are disconnected, hard to triage and even harder to remediate and fix later on. What we are doing at Apiiro is actually creating a real-time inventory of your application: how it was built, how it is executed, how it is being deployed. Based on that we create the most important thing for alert triage and remediation, which is context: taking these disparate alerts, connecting them together and making something sensible out of them, which translates to the risk to your business and allows you to choose the important things that you need to remediate and fix them fast. That's what we do at Apiiro.

Swapnil: I talk to a lot of folks in the security space, and once in a while I'll get a guest and they're like, you know what, the fact is that security is actually not that complicated. It's actually very easy; all you have to do is the right thing. But the fact is that in the cloud-native, cloud-centric world, security can be very, very complicated. There are so many moving parts there. So from your perspective, if you look at the whole evolution from the traditional IT space all the way to the cloud-native, Kubernetes world, has security become easier, or is it more challenging and complicated?

Moti: It definitely became more complex, and it became more complex for three different reasons. One is the way that applications are being built. Technically, they moved from a monolithic application that was built by a small set of people to a distributed application that is built by dozens, sometimes hundreds, of engineers, each one responsible for their own sub-part. This is the microservices type of technology. This means, exactly as you said, that there are tons of moving parts which are changing dynamically and not in a coordinated way. The second thing is that the attack surface changed. The fact that the application is in the cloud and is running on modern cloud applications and servers and Kubernetes and identities and access and third-party services that may be out of the scope of the application simply creates new attack surfaces that did not exist at all when the application sat on a single machine in your data center. And the third is the pace of the application. So not only how it is being built and the infrastructure it runs on, but also the processes. Back in the day, an application delivery could have happened once every year, or even every two or three years. You had time to plan and do threat modeling and pentests, etc., before you actually had a single milestone in which this application went into production. Now this thing happens daily: dozens of times, hundreds of times, thousands of times with some of our customers, and the pace simply does not allow you to do a sequential process of understanding the risk and solving it. So the combination of fast pace, very distributed development methodologies and complex infrastructure that is developed in parallel creates new attack surfaces, new blind spots and complexities. So, definitely, it's a long answer to say it's definitely more complex to secure a modern app than a traditional app.

Swapnil: One thing that we can agree on, which is actually easy, is to take at least an inventory of what is running in your application, or, you know, whatever it is. I mean, if you look at the assembly line of a car, you know, there are like thousands of pieces, but they do know in the assembly line what's coming from where. So that's where we talk about SBOMs. Actually, a few years ago the Biden administration also came up with the executive order, especially on open source, since so many moving parts are coming in. Can you talk about the role SBOMs are playing in, once again, first of all giving visibility of what's there, and in helping companies with their security posture?

Moti: Yeah, so actually, as you said, really right, SBOM was born based on the understanding that creating an inventory of an application that was built from multiple components coming from multiple development teams, and some of them, actually a growing number of them, from outside of the development team, from the supply chain, is a really tough task. It's not easy to understand because it's changing, as we said, by multiple people, multiple engineers, multiple times a day. And secondly, it's a very important task because that's the only way to understand your attack surface, because if you don't know what you have, you cannot protect it. So SBOM started on these foundations, which created a good motion across the whole industry to try and do exactly that. The challenge, and this is where, wow, we'll talk about it in a minute, our move from SBOM to XBOM makes me so excited, is the fact that every vendor or sub-part of the industry translated SBOM to what was comfortable to them. Currently, if you go to open source security vendors and ask what an SBOM is, they would say an SBOM is the list of all of the open source libraries that you are using. If you go to an infrastructure company and ask what an SBOM is, they will say an SBOM is the list of all of the infrastructure components you are using. They are both right, and they are both not enough, because in addition to the open source vulnerabilities that you are using and the infrastructure components that you are leveraging, there are so many other components that are building your attack surface: your data that is part of the application, your API set, how this thing is actually being built, how this application is being deployed, who developed it, did it go through pentest, did it go through security review, how it was built over a long time, like what happened a year ago, what happened a month ago, who edited this change. All of these things together are creating the real modern attack surface of an application, a modern application in the cloud, as we discussed. And this is where we think that SBOM was a great step in the right direction, but it's not enough. It's repeating the issue of looking at siloed sub-elements of the overall attack surface.

Swapnil: Excellent. Once again, thank you. And of course, I would love to talk about XBOM. But before we go there, what I do want to talk about, of course: you folks do a lot of open source, as we were discussing before the start of this interview. The Linux Foundation, they have SPDX, and a lot of projects are there, and a lot of initiatives are there. Of course, we also need to increase awareness about SBOMs. A lot of industries, a lot of companies, they're not comfortable with creating, generating SBOMs. But there is, you know, actually, the federal government, there's a mandate which is coming in. So before we talk about XBOM, let's talk about adoption of SBOMs, or when you look at, hey, there are still some struggles going on. What do you see is happening in the market? Because we have to also consider where the market is and then try to lower the barrier of entry so that, you know, this doesn't become another hurdle or, you know, another task for the developers; it is something easier. So let's see where the market is in terms of adoption of SBOMs.

Moti: Great. So what we see, also from our customers and the market in general, I think, is that the understanding of the complexity of the modern supply chain, plus regulations, plus standards, creates a situation, at an increasing pace, where every company understands that SBOM is not only a liability, something they need to check the box on and actually do, but it's actually a value. Only by creating an accurate picture of what they have can they actually implement the core value of application security, which is understanding which vulnerabilities are important, where these vulnerabilities are, and how to fix them. So what we see, what I see, is that SBOM, which started as "oh my god, we need to do this thing because of regulation", is becoming something where more and more customers say, "I need that for my own benefit, for my own transparency, for my own efficiency, for my own processes, and I want it to be as accurate as possible and as frictionless as possible", which comes to the second part of your question. SBOM cannot be created by developers; that doesn't make sense, not from the point of view of productivity, as you said, and overwhelming the developer with yet another chore, but also from the point of view of accuracy. The only way to create an accurate SBOM is actually looking at the entire picture, and remember that every developer is seeing part of the picture, the service they are responsible for. So really the right, scalable, durable way to create an SBOM is by doing it automatically as part of your development processes, build processes and deployment processes, making it a background process within the company, and using technology that allows you to do that.

Swapnil: When you were talking about SBOMs earlier, you did, you know, talk about XBOM and did a slight comparison there. But I do want to go a bit deeper into the launch of XBOM: what additional value is it bringing? And if you can also compare, hey, these were some of the shortfalls or shortcomings of traditional SBOMs, and we are kind of, you know, overcoming those.

Moti: Yes, and thank you for the question, and this is again where I get excited. So we understood, I think, based on the previous comments, that the modern application is a complex beast, that it changes constantly and is developed in a distributed way, and part of the attack surface is the way that it is developed and the way that it is deployed. I think I also tried to convey the point that understanding that is a key part in order to create a security program. Without understanding how your application is being built, you don't know what you have, and you can't secure what you don't know. So you have to know what you have. And this is exactly what SBOM is saying, and also what governments say in executive orders: you need to have provenance and an understanding of how your application is being built and executed and deployed. The challenge with SBOM is that it's a partial view. If I take your analogy of the car, it's really on the right track, but it shows you only how your tires are being built, and how your wheel is being built, but the engine is left out, and there is no connection between how the engine is being built and the tires and the wheels, even though it's clear that all of them are creating one car. We think that that's exactly the challenge with existing SBOM. It gives you a flat list of your open source vulnerabilities, or a flat list of your infrastructure components, but really a modern application is the combination of all of these plus many more, as I said earlier: the data that you are managing, the functions that you have, the APIs that you are using, the private information, the PII, that is part of your application. And if you ask a software architect how your application is being built, he won't give you a list of things; he or she will usually give you a graph: here is a module that connects to this API, that connects to this data model, that connects to this database, that is deployed to this cluster, etc., etc. XBOM is exactly that. It's taking the way that the human software architect is thinking about an application and making it automatic, daily and, sorry, continuous, in order to follow this structure with every commit and every code change that is happening, thousands and hundreds of thousands of times a day. So when we at Apiiro are coming with the concept of XBOM, we are trying to say to customers and to application security and to application engineers: look at the entire set of your application, which is the combination of everything, all of the things that I said: components, APIs, code modules, developer behaviors, how they are being deployed, data models, etc. Here is the snapshot of your application. Here are all of the components, how they are connected, and here are all of the vulnerabilities and risks that exist across all of this application inventory. So we're taking the concept of SBOM and following exactly that, but expanding it beyond open source only or infrastructure only to everything that the code is based on. For a long time, this is the thing that we have been building in Apiiro behind the scenes, and now, based on customer feedback and understanding the value of it, we are saying to customers: here is your capability now to understand how your application is really being built and what your real attack surface is.

Swapnil: Can you talk about the availability of XBOM and how, you know, customers can consume it?

Moti: It's a combination of two things that we are trying to do. One is to educate and help and push the industry, in order for everyone in our industry to be able to create an XBOM, in order for customers to, sorry, in order for the industry to produce an XBOM and for customers to consume it, so that customers have better transparency and a better understanding of their attack surface. In parallel, for customers that are using our product, the Apiiro Cloud Application Security Platform, we are supporting XBOM out of the box. For every application that we are protecting, every developer and every development environment that we are protecting, you are able both to export the XBOM of the application and also to query and ask questions within the system about the XBOM of the application. For example, what are all of my APIs that are touching sensitive data and are not authenticated? So it's both. We are trying here to create both an evolution of the market towards where we think all vendors of our type should go, and in parallel provide a product capability within the Apiiro Cloud Application Security Platform to export and to query XBOM for the value of our customers.

Swapnil: It may be unrelated, but I also quickly want to talk about: what do you think about standards? Because when we look at SBOMs, we are looking at components, metadata. There are different foundations, there are different, not standards, but different projects: CycloneDX is there, SPDX is there, there are so many others. What are your thoughts on standardization around SBOMs?

Moti: We are not in the business of creating a new standard and a new way to, new formats, sorry, we are not in the business of creating new formats and a new way to expose data. And there are actually good standards. CycloneDX, coming from OWASP, for example, is a really good standard, and it has the capability to create and present complex relations between different software components. We think that the main thing is around the content within this standard. So the way that we think about that is: a good standard or format for XBOM, for example, is a CycloneDX- or SLSA-based standard. The key thing is agreeing in the industry about the components and the content that is there. And if you look at CycloneDX's recent standards, they are moving away by themselves from looking only at open source or sub-elements of the system into actually saying the full attack surface of a system is the combination of, I'm quoting, modules and components and connections and data between them, and XBOM is actually a...

Swapnil: Thank you so much for taking time out today, of course to talk about XBOM, but more importantly to talk about the larger picture, you know, with SBOM adoption and the challenges. Thanks for all those insights, and I would love to have you back on the show again.

Moti: Thank you. Thank you again for the opportunity, and for allowing me to express my excitement about what we are doing with XBOM, hopefully helping customers and enterprises and everyone that is writing code and securing it. So thank you again.