from our studios in the heart of Silicon Valley, Palo Alto, California. This is a CUBE Conversation. Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in our Palo Alto studios for a CUBE Conversation. It's just a couple of days until RSA kicks off, a huge security conference. I think the biggest security conference in the industry. And we've got a security expert here in the house and we're excited to have stopping by Manish Gupta, the founder and CEO of ShiftLeft. Manish, great to see you. Yeah, great to see you too, thank you. Welcome. So you must be really busy getting everything buttoned up for next week. Oh yeah, absolutely, ready to go. All right, so for the people that aren't familiar with ShiftLeft, give us kind of the basic overview. Yeah, of course, so ShiftLeft, about a two and a half year old company. We started with the problem of, you know, the software is driving innovation all around us, right? I mean, we see it in autonomous cars, IoT, increasingly SaaS software in the cloud. And all of the software needs to be figured out: how are we going to protect it? And so it's a big problem. And we've been working on it for about two and a half years now, raised our Series A. And most recently, in the last two weeks, we announced our Series B of 20 million. Congratulations. Amazing team, yeah. So you've been in the security space for a long time. Correct. And RSA is a giant conference. I don't know what the numbers will be this year. I'm sure it'll be north of 40,000 people. Moscone North, South and West will be full. Every hotel is full. But it kind of begs a question. Like, haven't we got some of the security thing figured out? It's just a never-ending kind of startup opportunity as there's new ways to approach this kind of fundamental problem, which is how do we keep the bad guys out? How do we keep them from doing bad things while the surface area expands exponentially, the attack surface expands.
And we hear every day that people are getting breached and breached and breached. So the whole ecosystem and kind of approach has completely changed over the time that you've been involved in this business. Indeed, as you said, I've been in cybersecurity for a long time. I like to say over the last 15 years, first part of my career, I was focused on detecting viruses. Then it became worms. Then most recently at FireEye, we were detecting advanced malware, nation-state attacks like APT1s and APT3s. But it was then that it sort of dawned on me that, look, about 80% of security money gets spent on detecting bad stuff, right? And that's reactive. Essentially what that means is we are letting the bad guy shoot first and then we're trying to figure out, okay, what are we going to do now? We're waiting like 150 days, right? Down from 230 days before we even know that he's shooting at us. That's right. Now, couple that with, as you said, the attack surface is ever increasing, right? Because we're using software in every which way, which means all of this stuff needs to be protected. And so that's why we wanted to start with a fresh perspective, which is to say, let's not worry about attacks because that's not in our control. That's in the bad guy's control. What can we control, which is our software? And so that is why what we do at ShiftLeft is to understand the software very quickly, extract its attack surface in minutes, and then allow you to fix whatever you want to, whatever you can, during the timeframe you have available. And here comes the next innovation, which is if you don't fix anything, which is almost always the case, we will protect the application in production. Now the key is we protect the application in production against its vulnerabilities. So we never ever react to threats. We don't care. Do you have like a wrapper around the known vulnerabilities within the code? Yes, you could absolutely have that. That's a good way of thinking about it.
Is, you know, let's say a million lines of code, we find 10 vulnerabilities in it. So it's only in 10 specific instances of the application. Now we also know what vulnerabilities exist on line 100, line 200, and so on. And with that knowledge, we can very precisely protect each vulnerability. It's a really interesting approach. You know, one of the things I find fascinating with security is it's kind of like insurance. In theory you could spend 110% of all your revenue budget on security, but you can't, right? So you have to make trade-off decisions. You may have to make business value decisions and you have to prioritize. So this is a really different approach that you're offering, an option either to fix the known and/or just to protect the known. So there's some variability into kind of the degree of investment that the customer wants to spend. You summed it up well, Jeff. I think the fundamental challenge with security has been that. Is that, you know, 15 years ago, we've asked our customers to buy antivirus. Then we asked them to buy intrusion detection. Then we asked them to buy nation-state modern malware protection. Now we are asking them to buy machine learning based mechanisms to detect more threats, right? And so the funnel is like this, right? But it never goes down to zero. And so tomorrow some other approach will come up to detect a 0.1% of the malware. And guess what? The CISOs really don't have a choice, right? Because they have to protect their organization. So they have to buy that tool also. Now in this entire process, you never get better, right? Notice that you never get better. All you're doing is just reacting. And because a virus from 15 years ago theoretically could still come and attack you, you can't throw away that tool either, right? And so that is precisely why I'm so passionate about what we're doing at ShiftLeft is we will protect you from and sort of embed continuous improvement for the first time in security.
Find the vulnerabilities, fix them. But if you can't fix them, we will protect you. Now what about another kind of big shift in the way software is delivered, as everything is an API to somebody else's software? And oftentimes there's many, many components that are being pulled in from many, many places that contribute to but aren't software that I control personally. So how do you guys deal with those types of challenges? Great question. You know, the popular saying is we are becoming an API economy. Right, right. And what we exchange on our APIs is increasingly a lot of data, right? And you're right. If you think about historical approaches, we will now have to break open the API on a network to find out what it contains. And for various reasons, super hard to do, lots of operational efficiencies, inefficiencies, excuse me. So this is again where the ShiftLeft approach is rather unique. See, because we go down to the very foundation. It's hard work, right? But we go down to the very foundation. What is the source code of the API? So we will understand, okay, well, this is what you should be putting in the API, right? But then I see that a variable called personally identifiable information is being put into that API. I can now tell you, before this becomes a problem that'll embarrass you in the newspapers, we will tell you, hey, look, you are writing PII to a third-party API without encryption, right? So you get to fix the problem at the very root where it starts. But can you wrap the known vulnerability in a partner piece of software? Absolutely, we can. As it interfaces with my software? Correct. So there are two aspects to it, right? The first is, what are you putting into that API? That is completely in your control, right? We don't really need to understand the API for that matter. So that is one particular use case we can absolutely protect you there, right?
The second is when the API then integrated into your application makes your application vulnerable, right? So I'll give you an example. This happened to one of our customers. This is a 3,500-person technology company based here in Santa Clara. They were using a third-party API, a very popular one. That third-party API, in turn, was using a Jackson Databind library, just an open-source library. Now, as a company, when we decide to use that API, we don't really worry about, we don't have visibility into what all is it hurting. Downstream, how many feeds are in that one particular one? That's right. And so this is the supply chain of software, right? Multiple components are now being brought together very quickly to create the functionality that you want to deliver to your users, to your customers. But in this pace of execution, we need tools like ShiftLeft to tell us, hey, what are we hurting? And whatever we are hurting, how is that impacting the security of our application? Right, right. Pretty interesting stuff. You got another component of something that's really important today that wasn't necessarily when you started this adventure. And that's the open-source play. Yes. So as I understand it, you guys started really from more of an open-source play and then ShiftLeft grew out of kind of commercializing what was that open-source project. I wonder if you can explain a little bit more. Yeah, I would love to. So the foundation of what we do is a technology called Code Property Graph. So this is an invention of our chief scientist, Dr. Fabian Yamaguchi, one of the foremost authorities in the world in the area of understanding code, right? And so as part of his PhD thesis, he came up with this technology and decided to open-source a tool called Joern. J-O-E-R-N. That's right. It's not easy to figure out. Joern, yes. Exactly. And it's actually his friend's name, so that's how we named him. Oh, is that right? That's right.
So he open-sourced it and several organizations around the world have since used it to find very hard to find vulnerabilities, right? So as an example, and this is an IEEE paper where this technology was used by Fabian to find 18 zero-day vulnerabilities in the mainline Linux kernel, right? So arguably one of the most complex pieces of code on the planet, 15 million lines of code, arguably one of the most analyzed pieces of code on the planet. And as recently as 2015, he finds 18 zero-days and no false positives. Every single vulnerability has been acknowledged and fixed by the Linux community. That's the power. And so we use that as a foundation. So you write that as open-source. But since then, we've done a lot of incremental work on enhancing it to make it enterprise ready. And that is a product we offer called Ocular, where we give you, think about it as, my best analogy is this is like Google Maps for your source code. Yeah, I think it's a good analogy. And he goes through that in one of his videos, kind of explaining the mapping of different layers of kind of visibility into how you should look at software code. Indeed. Yeah. All right, well, before we let you go, we got some exciting things happening next week beyond just the regular activity at RSA. You guys have been invited to participate in a special activity. I wonder if you can share a little bit and give a plug and maybe we can send some fans up to, I don't know if it's going to be audience participation in the judging, but go ahead and listen to what you're doing. Thank you for giving me that opportunity. Yes, super, super excited about it. So we've been selected as one of the top 10 finalists for the RSA Innovation Sandbox. As you mentioned in your opening, RSA is the biggest security trade show in the world. And so now this has become the most seminal way of highlighting innovative work being done in the security industry.
So I get three minutes to pitch ShiftLeft in front of an audience of about 1,500 or 2,000 people. Really looking forward to that. Well, I don't know if you could speed this up to only three minutes, but I'm sure you'll be able to nail it. I will try. All right, well, Manish, thanks for taking a few minutes of your day and I'm sure we'll see you in San Francisco next week. Thank you very much. Thank you. All right, he's Manish. I'm Jeff. You're watching theCUBE. We're having a CUBE Conversation in our Palo Alto studios. Thanks for watching and we'll see you next time.