Hello everyone, welcome to theCUBE's coverage of the AWS Startup Showcase, season two, episode one. I'm Lisa Martin, and I'm excited to be joined by Snyk next in this episode. Liran Tal joins me, the director of developer advocacy. Liran, welcome to the program.

Lisa, thank you for having me, this is so cool.

Isn't it cool? All the things that we can do remotely. So I had the opportunity to speak with your CEO, Peter McKay, just about a month or so ago at AWS, and there's so much growth and momentum going on with Snyk. It's incredible, but I wanted to talk to you specifically, let's start with your role from a developer advocate perspective, because Snyk is saying modern development is changing. So the traditional app stack, gatekeeping, doesn't apply anymore. Talk to me about your role as a developer advocate.

It is, definitely. The landscape is changing, both developer and security. It's just not what it was before. And what we're seeing is developers need to be empowered. They need some help just working through all of those security issues, security incidents happening, using open source, building cloud native applications. So my role is basically about making them successful, helping them any way we can. So getting that security awareness out there, making sure people are having those best practices, making sure we understand what are the frustrations developers have, what are the things that we can help them with to be successful day to day, and how they can be a really good part of the organization in terms of fixing security issues, and not just knowing about it, but actually being proactively on it.

And one of the things also that I was reading is, Shift Left is not a new concept. We've been talking about it for a long time, but Snyk's saying it was missing some things, and proactivity is one of those things that it was missing. What else was it missing? And how does Snyk help to fix that gap?

Correct. So I think Shift Left is a good idea.
In general, the idea is we want to fix security issues as soon as we can. We want to find them, which I think that is the small nuance that was kind of like missing in the industry. And usually what we've seen with traditional security before was, because notice that the security department has siloed the organizations. Once they find some findings, they push it over to the development team. They are in the leader or things like that. But until it actually trickles down, it takes a lot of time. And what we needed to do is basically put those developer security tools, which is what Snyk is building, the whole security platform, is putting that at the hands and at the scale and speed of modern development into developers. So for example, instead of just finding security issues in your open source dependencies, what we actually do at Snyk is not just tell you about them, but actually open a pull request to your source code version management system. And through that, we are able to tell you, now you can actually merge it. You can actually review it. You can actually have it as part of your day-to-day workflows. And we're doing that through so many other ways that are really helpful and actually remediating the problem. So another example would be the IDE. So we are actually embedding an extension within your IDEs. So once you actually type in your own code, that is when you actually find the vulnerabilities that could exist within your own code if that's like insecure code. And we can tell you about it as you hit Command-S and save the file, which is totally different than what SAST, static application security testing, was before, because when things started, you usually had SAST running in the background in like CI jobs at the weekend and in deltas of code bases because they were so slow to run. But developers really need to be at speed. They're developing really fast. They need to deploy. Modern development is deployed to production several times a day.
So we need to really enable developers to find and fix those security issues as fast as we can.

Yeah, that speed that you mentioned is absolutely critical to their workflow and what they're expecting. And one of the unique things about Snyk, you mentioned the integration into how this works with the development workflow, with IDE, CI/CD, the git environment, but that enabling them to work at speed and not have to be security experts, I imagine, are two important elements to the culture of the developer environment, right?

Correct, yes. This is a large part, is we don't expect developers to be security experts, right? We want to help them. We want to, again, give them the tools, give them the knowledge. So we do it in several ways. For example, that IDE extension has a really cool thing. It's kind of unique to it, that I really like. And that is when we find, for example, like you're writing code and maybe there's like a path traversal in the function that you just wrote. What we would actually do when we tell you about it is we'll actually tell you, hey, look, these are some other commits made by other open source projects where we found the same vulnerability, and those commits actually fixed it. It's actually giving you example cases of what potentially good code looks like. So if you think about it, like, who knows what path traversal is, what prototype pollution is, like many types of vulnerabilities, but at the same time, we don't expect developers to actually know the deep aspects of security. So they're left off with, you know, having some findings, but not really, they wanna fix them, but they don't really have the expertise to do it. So what we're doing is we're bridging that gap and we're being helpful. So I think this is what really proactive security is for developers. This is helping them remediate it.
And I can give like more examples, like the security database is like a wonderful place where we also like provide examples and references of like, where does the vulnerability come from if this like was found in an open source package? And we highlight that with a lot of references that provide you with things like, you know, the pull request that fixed it or the issue where this was discussed. So you have like an entire context of what is the, you know, what made this vulnerability happen? So you have like a little bit more context than just specifically, you know, merging some stuff and updating. And it was like, there's a ton more. I'm happy to like dive more into this.

I could, well, I can hear your enthusiasm for it, a natural developer advocate it seems like you are, but in all the talk about the bridges and the gaps that you guys are filling, it also seems like, for the developers and the security folks, that this is also a bridge for those teams to work better together.

Correct. I think, I think that is not siloed anymore. I think the idea of having security champions or having threat modeling activities are really, you know, are really good or like insightful, both for like developers and security, but more than just being insightful, useful practices that organizations who actually do are actually bringing a discussion together, actually creating a more cohesive environment for both of those kind of like expertise, development and security, to work together towards some of these aspects of like just mitigating security issues. And one of the things that actually Snyk is doing in that, in bringing the security into the developer mindset, is also providing them with the ability to prioritize and understand what policies to put in place.
So a lot of the times security organizations, actually what, you know, the security org wants to do is put just, you know, guardrails to make sure that developers have a good leeway to work around, but they're not like doing things that like they definitely shouldn't do, that are like bringing a big risk to the organization. And that is, that's, you know, what I think we're doing also like great, which is the fact that we're providing the security folks to like put the policies in place, and then developers actually like, you know, work really well within those, understand how to prioritize vulnerabilities. This is an important part. And we kind of like quantify that. We put like an urgency score that says, hey, you should fix this vulnerability first. Why? Because it has, first of all, well, you can upgrade really quickly. It has a fix right there. Secondly, there's like an exploit in the wild. It means potentially an attacker can weaponize this vulnerability and like attack the organizations in an automated fashion. So you definitely want to, you know, put that, put like a lid on that, on that broken window, so to say. And like, so many other, other, kind of like metrics that you can like quantify and put this as like an urgency score, which we call the priority score, that helps. Again, developers really know what to fix first, because like they could get a scan of like a hundred of the vulnerabilities, but like, what do I start with first? So I find that like very useful for both the security and the developers working together.

Right. And especially now as we've seen such changes in the last couple of years to the threat landscape, the vulnerabilities, the security issues that are impacting every industry, the ability to empower developers to not only work at the speed with which they are accustomed and need to work, but also to be able to find those, those vulnerabilities faster, prioritize which ones need to be fixed.
I mean, I think of Log4Shell, for example, and the challenges going on with the supply chain, that this is really a critical capability from a developer empowerment perspective, but also from an overall business health and growth perspective.

Definitely. I think, first of all, like if you want to kind of step, just a step back in terms of like what has changed, right? Like what is this landscape? So I think we're seeing several things happening. First of all, there's like this, you know, big tremendous, I would call it trend, but now it's like the default, right? Like of the growth of open source software. So first of all, you know, as developers are using more and more open source and that's like a growing trend. I have like graphs of this and it's like always, always increasing across, by the way, every ecosystem. Go, Rust, .NET, Java, JavaScript, whatever you're building, that's probably like on a growing trend, more open source. And that is, you know, we will talk about it in a second, what are the risks there? But that is one trend that we're seeing. The other one is cloud native applications, which is also worth, like, I think diving deep into, in terms of the way that we're building applications today has completely shifted. And I think what AWS is doing in that sense is also, you know, creating a tremendous shift in the mindset of things. For example, the cloud infrastructure has basically democratized infrastructure. I do not need to, you know, own my servers and my monitoring and like configure everything out. I can actually write code that when I deploy it, when something parses this and, you know, runs this, it actually creates servers or monitoring, logging, you know, different kind of things for me. So it democratizes the whole sense of building applications from what it was decades ago, and this whole thing is important and really, really fast. It makes things scalable. It also introduces some risks.
For example, some misconfiguration. So there's a lot that has been changed in that landscape of like what modern development is. And I think in that sense, we kind of need to be a little bit more helpful to developers and help them like avoid all of those cases. I'm like happy to dive into like the open source and the cloud native, like, as follow-ups on this one.

I want to get into a little bit more about your relationship with AWS. When I spoke with Peter McKay at re:Invent, he talked about the partnership being a couple of years old, but there's some kind of really interesting things that AWS is doing in terms of leveraging Snyk. Talk to me about that.

And then so Snyk integrates with almost, I think probably a lot of services, but probably almost all of those that are like unique and related to developers building on top of the AWS platform. And for example, that would be if you actually are building your code, it connects like the source code editor. If you are pushing that code over, it integrates with CodeCommit. As you build and CIs are running, maybe CodeBuild is something you're using that's in CodePipeline. That is something that you have like native integrations with at the end of the day, right? Like you have your container registries or Lambdas if you're using like functions as a service for your applications. What we're doing is integrating with all of that. So at the end of the day, you really have all of that, it depends where you're integrating, but on all of those points of integration, you have like Snyk there to help you out. And like make sure that if we find on any of those any potential issues, anything from like licenses to vulnerabilities in your containers or your just your code or your open source code in those, we actually find it at that point and mitigate the issue.
So this kind of like, if you're using Snyk, you know, on your development machine, it kind of like accompanies you through this journey all over the, you know, what a CI/CD kind of like landscape looks like as an architectural landscape for development. It's kind of like all the way there. And I think what you kind of like might be, I think, more interested, I think, to like put here an emphasis on would be this recent integration with Amazon Inspector, which is, as you know, it's like a very pivotal part on the AWS platform, like provides a lot of, integrates a lot of services and provides you with those insights on security. And I think the idea that now that is able to leverage vulnerability data from this, the Snyk security intelligence database, that's tremendous. I, and we can talk about that with Log4Shell and recent issues.

Yeah, let's dig into that. We've got a few minutes left, but that was obviously a huge issue in November of 2021, when obviously we're in a very dynamic global situation, period. But you know, it's now not a matter of if an organization is going to be hit by vulnerabilities and security threats, it's a matter of when. Talk to me about really how impactful Snyk was in the Log4Shell vulnerability and how you helped customers evade probably some serious threats that could have really impacted revenue growth, customer satisfaction, brand reputation.

Definitely. Log4Shell is, well, I mean, was a vulnerability that was disclosed but is probably still a major part, and going to be probably for the foreseeable future, an issue for organizations as they would need to deal with this. And we'll dive in a second and figure out like why. But in, you know, in kind of like a summary here, Log4Shell was the vulnerability that actually was found in a Java library called Log4j, a logging library that is like so popular today and used.
And the thing is, having the ability to react fast to those new vulnerabilities being disclosed is really a vital part of the organizations, because when it is as impactful as we've seen Log4Shell being, that is when, you know, it determines whether the security tool you're using is actually helping you or it's like, you know, just an added thing on like a checkbox to do. And that is what I think made Snyk so unique in that, in this sense. We have those, you know, a team of those folks that are really both, you know, manually curating the ecosystem of, you know, CVEs and like finding by ourselves, but also there's like an entire kind of an intelligence platform beyond us. So we get a lot of notifications on chatter that happens. And so when someone opens, you know, an issue on an open source repository and says, hey, I found an issue here, you know, maybe that's, you know, an XSS or code injection or something like that. We find it really fast. And we, at that point, you know, before it goes through like, you know, CVE requirement and stuff like that through like MITRE and NVD, we find it really fast and can add it to the database. So this has been something that we've done with Log4Shell, where we found it as it was disclosed, not on the open source, but like just on the open source, you know, system, but like it was generally disclosed to everyone at that point. But not only that, because Log4j as the library had several iterations of fixes they needed. So, you know, they fixed one version, then that was, you know, the recommendation to upgrade to. Then that was actually found as vulnerable. So they needed to fix another time and then another time and so on. So being able to react fast, which is, you know, what I think helped a ton of customers and users of Snyk, is, you know, is that aspect.
And what I really liked in the way that this has been responded to, you know, has been received very well, is we were very fast on like creating those command line tools that allow developers to actually find cases of the Log4j library embedded in their application, but not through a package manifest. So sometimes you have those like legacy applications, you know, deployed somewhere, probably not even legacy, or just like the Log4j library is like bundled into another jar, another Java source code piece. So you may not even know that you're using it in a sense. And so what we've done is we've like exposed with like the Snyk CLI tool a command line argument that allows you to like search for all of those cases, like we can find them and help you, you know, triage and mitigate those issues. So that has been, that's been amazing.

So you've talked at great length, Liran, about, in detail, how Snyk is really enabling and empowering developers. The last question for you is, when I spoke with Peter last month at re:Invent, he talked about the goal of reaching 28 million developers. Your passion as a director of developer advocacy is palpable. I can feel it through the screen here. Talk to me about where you guys are on that journey of reaching those 28 million developers, and what personally excites you about what you're doing here.

Oh, okay. So many things, I don't know where to start. We are, you know, we are constantly talking to developers, you know, on, you know, communities and things like that. So a couple of examples: we have like this DevSecCon community, which is a growing, kind of growing and kicking community of developers and security people coming together, trying to, you know, work and understand and like, you know, just learn from each other. We have those events coming up. We have, we actually have this, The Big Fix, it's a big security event that we're launching on February 25th.
And the idea is we'll help the ecosystem, you know, secure, you know, secure your applications, open source or, you know, even if it's closed source, we'll like help you fix it. So the idea is like helping them. We've launched this as the secure Snyk Ambassadors program, which is developers and security people. CISOs are even in there. And the idea is how can we help them also be helpful to the community, because they're like known, they are passionate as we are on application security and like helping developers, you know, code securely, build securely. So we're launching all of those programs. You have like social impact related programs and the way that we like work with organizations, maybe nonprofit, maybe they just need help like getting, you know, the security part of things and like figure it out. Students and things like that. Like there's like a ton of those initiatives all over the board, helping basically the world be a little bit more secure.

Well, we could absolutely use Snyk's help in making the world more secure. Liran, it's been great talking to you. Like I said, your passion for what you do and what Snyk is able to facilitate and enable is palpable. And it was a great conversation. I appreciate that. And we look forward to hearing what transpires during 2022 for Snyk. So you've got to come back.

I will, thank you. Thank you, Lisa. This has been fun.

All right, excellent. For Liran Tal, I'm Lisa Martin. You're watching theCUBE's second season, season two of the AWS Startup Showcase. This has been episode one. Stay tuned for more great episodes full of fantastic content. We'll see you soon.