Wendy Moore, Trend Micro & Geva Solomonovich, Snyk | AWS re:Invent 2020
>> (narrator) From around the globe. It's theCUBE. With digital coverage of AWS re:Invent 2020. Sponsored by Intel, AWS and our community partners.
>> Welcome to theCUBE virtual. Our coverage of AWS re:Invent 2020 continues. I'm Lisa Martin. Got a couple of guests joining me next. Wendy Moore, the VP of product marketing from Trend Micro, is here and Geva Solomonovich, Global Alliances CTO from Snyk. Wendy and Geva, it's great to have you both on the program today.
>> Thanks for having us. Great to be here.
>> Hi, thanks for having us.
>> Last year we were probably all crammed in Vegas together. Here we are virtually but it's great that we're still able to connect. So a lot has gone on since we were all at re:Invent in Vegas last year. Wendy, let's start with you. From a security perspective, there's been a growth in open source vulnerabilities that have impacted enterprises globally. Talk to me about what you're seeing there. What's going on?
>> Yeah. Well, I think everybody in this audience recognizes the rapid shift to the use of open source in development teams. And what we've seen alongside that is a rapid increase in the number of vulnerabilities that are showing up in open source software. So that means that vulnerabilities that can be exploited and cause damage to your company's application, reputation and your customers, are on the increase out there.
>> And a number that you sent over was two and a half X growth in open source vulnerabilities in the last year. Has that number gone up during the pandemic?
>> So I'm not sure if the vulnerabilities have gone up during the pandemic, but we've definitely seen an increase in exploitation of vulnerabilities. There's so much in the news about ransomware incidents in healthcare targeting pharmaceutical organizations, and most of those are taking advantage of vulnerabilities. Not necessarily in open source, but some of it is definitely happening in open source.
>> Now we've been talking about the rise in ransomware for a while, and it's all... The numbers and types of companies and healthcare organizations like is it schools, governments, for example, a lot of vulnerabilities being exploited, that's for sure.
>> So Geva, let's go over to you. Talk about from Snyk's perspective. The impact on businesses and how can you guys help.
>> And then I'll put in a few insights there on the open source risk. Wendy talked about it as well. Why is it growing? One of course is open source tuition usage is growing. So of course it bulges, the amounts of vulnerabilities is growing and the amount of exploits. But when you look at it from a hacker's perspective, attacking is an ROI based activity. Hackers want to spend their hacking hours where they're more likely to get a reward, be able to get that ransom or steal the data or do whatever they can. And open source actually makes it much easier for them than a lot of these other alternatives. One, the source is open. So just finding a vulnerability is much easier than trying to find the vulnerability in proprietary code. Two, there's like a market for these exploits and companies even like need for chapter. One of the byproducts of that is you can just go and feel the vulnerabilities out there and pick the ones that you want to try to exploit. But three, which is really the most critical piece, is that if you do find the juicy vulnerability in a very popular open source package, the amount of companies you can attack is not one, it's thousands or tens of thousands because that's precisely what makes the popular open source packages popular. It's being used broadly and so if you spend this effort to develop an exploit and then you can send it like there just across the world to 10 thousands of companies you're more likely to be successful. And that's what's driving a lot of the hacker attention into the open source vulnerabilities and that's why they're growing.
>> So it's a low cost, high reward for those hackers. Wendy, what are some of the ways that organizations can protect themselves from this?
>> Well, one of the best ways to protect themselves against exploitation of vulnerabilities and against vulnerabilities showing up in their code is to actually analyze their code and scan it looking for vulnerabilities. And the best possible place to do that is actually in the code repository. So before code is ever packaged up and deployed it actually gets caught really early. So it's all about shifting security left. But some of the challenges with that is that, you know, the code repository and the code and open source has largely been the domain of DevOps and the developers, and security, who is tasked with managing the risk of the organization, has little to no visibility into what vulnerabilities might exist. So something that's a growing part of an enterprise risk profile the security team doesn't really see. And that's a big gap for most organizations.
>> So in terms of that visibility being essential, sounds like maybe even a cultural gap there. Geva, what are your recommendations? We, you know, we talk about SecOps, we talk about DevOps. Is the solution DevSecOps or SecDevOps?
>> I mean, all these partners are definitely helping there but you kind of need to break it down and understand what their problems, which is what Wendy was articulating. Why you have these traditional security teams have all their traditional tools. They look at mostly and let's call it the IC type security. Then you have this entire new category of risk which is let's say open source risk, but it's just inside the code repository inside a GitHub repo or somewhere, or they completely have no visibility into. And what that causes is one has to have a conversation with the developers who are those who are convenient to pick those vulnerabilities, remove them from the code.
And, but to also, just from the mind ensuring that in our location it's hard for you to protect something that you don't have visibility into which causes open source security to be possibly under provisioned in your entire a security fence. As you're looking at the security risk. And as we are talking about solution, so one of the movements we've seen with DevOps, where, you know, engineering team and IT teams have come together to have a shared ownership of the results of deploying these applications in production. Now you expand out into DevSecOps. It's okay to actually make this work. We need to have a shared responsibility model where both developers step up to take some ownership and the traditional security each step up to understand what the developers are doing, build tools to make it easier for them. And ultimately I think Wendy nailed it on the head. She said the best way to protect yourself is actually to remove the vulnerable line of code from your application, not wait for it to be deployed and try to put some blocks in there.
>> All right. So Wendy, how are Trend Micro and Snyk working together to resolve that challenge that you guys just described?
>> Yeah, well, Trend Micro and Snyk have been working together for over a year now. And we came out with an initial offering and now we're coming out with a new offering that is really focused on basically delivering that code scanning ability right in the code repository. And through Trend Micro's Cloud One platform, we are delivering this as a service to the security operations team so that they get visibility of anything that Snyk finds in the code repository. And they can take action from there. So Trend Micro's Cloud One security services platform basically equips cloud builders with a whole bunch of different types of technologies to satisfy their different infrastructure requirements.
So we've got things like workload security, application security, network security, a number of different types of security tools. And this just brings another security tool to the security operations team and the DevOps team so that they can basically extend their visibility and their security controls back to the code repository.
>> Geva, what are some of the impacts that you're seeing? So for obviously besides wanting to find those vulnerabilities faster as when you talk about shifting left. Give me some examples of some customers that you were working with maybe in the first iteration and what the impact has been.
>> The impact is the... what, sorry, can you repeat the question?
>> Yeah. Impact of your technologies together? You said that there's a new offering coming up but talk to me about some of the impact that these customers are making.
>> Yeah. Okay. Sorry. Thank you for repeating the question. And so this joint product is very cunning from a multiple perspective. So one, it's going to be delivered inside the Cloud One platform, which Wendy just talked about. You asked before what is the impact of COVID? And one of the big impacts has been on the financial stress. Every company in every, every vendor is having. And so just the ease of managing less vendors and less tools and less places to procurement is of high value for every organization. Just in terms of efficiency of operations. And just being able to acquire this new product on an existing platform where they are already consuming security tools. That by itself is amazing value. And number two, we're taking again... We're taking a technology which is a cloud native, it's a modern technology. And that typically has been outside of the purview of a traditional security team and making it accessible to them in a place where it's easy for them to try out and they can, you know, start small and grow from there. They don't have to make a big commitment to get going.
And more importantly, it's giving them visibility into this important technology that they didn't have before.
>> So Wendy, this is all intended at bridging that gap? I'm just curious, like if we take a peek inside, what this enables SecOps to do, what it enables DevOps to do. What were some of the feedback that you're hearing from customers about those teams coming together and actually being able to work very collaboratively with that shift left actually being able to be done?
>> Yeah. I mean, you know, if you talk to... There's some organizations who do this really well. They're very mature and their security operations teams and their DevOps teams work very closely together collaboratively, excuse me. And they also understand each other's needs. So they're able to insert tools into the security pipeline that don't slow DevOps down but also meet the needs of the security team. Whereas we see some other organizations where Dev is at one side of the pipeline and you've got security at the other and they don't tend to converse or meet. And those are the organizations where there tends to be more challenges. So the idea with this new solution is it's going to give the security team visibility of basically the scale and scope of their open source situation. So that they've actually got some data to go have conversations with the DevOps teams and start going in that direction of making those teams work more seamlessly together. I mean, you used the term DevSecOps before, some organizations that's a very real situation. Others still have a long way to go. And we think this is a great first step to bring those teams together.
>> Fostering long-term friendships I'm sure. Just talk to me about the go to market, Wendy. How are you guys going to market together? Trend Micro and Snyk selling direct channel? What is it like?
>> So this is actually going to be a Trend Micro Cloud One offering.
So we jointly developed it with Snyk but it's going to be Trend Micro who is selling it. And we go to market a number of different ways. AWS marketplace is a big channel to market for us. And this will be available for purchase there when it becomes available in January. And also, we also work very closely with channel partners as well who also participate in AWS marketplace.
>> So what are some of the things that you're expecting customers to be able to take advantage of around the time of re:Invent and into early 2021?
>> Yeah. I really encourage customers to visit our page on the AWS re:Invent platform. We're going to have all kinds of exciting demos there. You can go learn more about this new offering that we're delivering jointly developed with Snyk. And you can also ask about how you can sign up for early access to this new offering. So highly encourage you to go check that out.
>> Excellent, early access is always nice to be a beta tester and really get that symbiotic relationship.
>> Geva, last question for you is as the Global Alliances CTO I imagine your customer conversations in the last year have changed dramatically. Talk to me about some of the things that you really think like in terms of like exposing vulnerabilities. Let's talk about exposing opportunities that Snyk is helping organizations do so that they can not just keep the lights on during this very unprecedented time but actually be winners of tomorrow.
>> Yeah, I think again at the heart of the DevOps movement and why it's been successful it's reducing that feedback loop between writing some codes, getting it to production in the hands of customers, getting the feedback from them and rinse and repeat and starting that loop. And those who have it, the faster you can get to market faster and can deliver value faster ultimately are the winners. Now, one of the things we've seen with the COVID is a lot of this outbound activity has been going down.
People have been going less to events and need to look more internally and how you can become better as an organization. And you've actually seen an increase in the investment of a digital transformation and cloud journeys and stuff like that. And one of the... One of kind of the traditional inhibitors that's going fast and all in into the cloud is the loss of control of the traditional security teams on the application development. Where now people can, you know... deploy hundreds of times every application to the cloud a day. And what we've seen is that they come to Snyk or to companies like ours, so we can secure those new modern development life cycles and give the security feedback to the developers as they're building the applications and give the security teams the visibility into those pipelines and application domain. So they have a sense that they're not losing all the control they used to have. They're still getting visibility into those application development and actually allowing their organizations to go faster because of it they can sign up to and be doing the technologies and actually increase the speed of going to the cloud.
>> Yeah and that's critical because as we, you mentioned as we've been talking about for months now that the acceleration of cloud adoption, the speed of digital transformation it's one of those things that's challenging to do. You've got to have visibility. Period. In order to facilitate that. And if it's another thing that you kind of were describing Geva as that visibility provides that sense of control or trust, and that's also huge for not just a business to catch vulnerabilities but for teams, the DevOps teams, the SecOps teams, to be working together in a highly collaborative way. Do you agree, Wendy?
>> Absolutely. And the beautiful thing is this sets that up. This tool. So it allows them to work together very collaboratively but it also sets up that visibility.
So that down the road there could be even further automation into that process. Because you know, the whole purpose of DevOps is to take the people out of it. Right. So, but in order... You need to set up those processes to begin with. So this is a first step in terms of setting up that automation and visibility amongst those two teams.
>> Excellent. And can you say one more time, Wendy, where prospective customers can go to learn more and become an early adopter?
>> Yeah, absolutely. So visit our Trend Micro page at the AWS re:Invent platform. And there you'll be able to learn much more about the offering and also learn how you can access the early adopter program.
>> Excellent. You guys, thank you so much for joining me on the program today. Sharing what Trend Micro and Snyk are doing together and how you're helping organizations cross-functionally be successful. We appreciate your time.
>> Thank you, Lisa. Appreciate it.
>> Thank you so much.
>> My pleasure. For my guests, I'm Lisa Martin and you're watching theCUBE virtual. (upbeat music)