(upbeat music) >> Welcome to the Q3 "AWS Startup Showcase", I'm Lisa Martin. We're going to be talking about new breakthroughs in DevOps, Data Analytics and Cloud Management Tools, with WhiteSource Software, at least for the DevOps track. I'm excited to welcome Susan StClair, Director of Product at WhiteSource software to the program. Susan, it's great to see you! >> Oh, very excited to be here, Lisa, thank you. >> We've got a lot of stuff to talk about today, but ultimately, the theme that Susan's going to talk to us about us is, winning developer's trust is key to scaling-up open source security for the enterprise. We're going to unpack that. You talk about, that winning that trust is key, shifting left won't work without developers buy-in. Susan, help us understand this. >> Yeah, sure, so- on some of the topics we have later but you look at the rate of applications of being the pool of how fast that is, and you look at development teams of hundreds and you have the OpSec teams of five or ten, and they just can't do it all, so, really, you need to leverage everybody who's part of the application to really be able to make sure that you're developing and deploying and releasing a secure application. So, that's the Shifting Left. Unfortunately, I think what's happened is, because application security is overwhelmed and because they're like, "Oh, we have all of these developer teams over here, and it's their code, and they should fix it." And they just kind of dumped application security on them and the poor development teams are like, "but that's not what I do, I don't have any expertise in there." So if you really, truly, want a Shift Left to work, you do need to build that buy-in, you do need to build the trust with your extended team, for lack of a better word. And, really start to look at things that are important to them. So automated tools, making sure that they work with their tools sets and their processes. Looking at automation, not just in terms of scanning but also remediation. You just really need to start to work with them and think about application releases in a different mindset. >> And your recommendation here is also to build that trust gradually, and to let developers control the pace- >> Absolutely >> And the level of automation. Talk to me about why it's important to give the developers that control? >> Yeah, sure. Again, I think nobody likes to be told what to do, I certainly don't, don't tell me how to do my job. So, I think, that because historically application security and development have really been at odds. It has been somewhat of a confrontational relationship, so, I think as you're starting to build that trust, you do need to go slow. Where does it make sense to add in auto-remediation solution like WhiteSource, right? Where does it make sense? We don't want to do it everywhere, we don't want to overwhelm development teams with this. So, really start to look, let them control the pace, build that trust, build that. This is a good thing for everybody. And, again, I think with tools like WhiteSource, the solution software, you can pick and choose, it's not an all or nothing. We're going full automation, full remediation, one-stop-shopping, I mean you can kind of control the pace as you start to build that trust between the various teams. >> Is that differentiator for WhiteSource the ability for this auto-remediation tool to let them control that? >> Yeah, it definitely is, and I know it just rolls off the tongue, doesn't it? Just rolls off the tongue. >> It really does. (both laughing) >> Say it ten times fast >> I'm afraid to. >> Exactly, exactly. So, no, it actually, absolutely is a differentiator for us. And again when we look at, looking at our customer base and enterprise and we look at, even maybe smaller teams that trust is really made us successful and the key to that trust is really that controlling the pace with auto-remediation. And, some of the other automation pieces to the solution. >> And speaking of customers, you guys have 23% of the Fortune 100 as customers, give me an example of one of your favorite customers that you think really shows the value that WhiteSource is giving to those developers by giving them that control. >> Yeah, sure. So I feel like we're like the big company or bigger company that nobody has heard of outside of this space. But, not naming names, but large financial customers and really shifting application security, open-source application security, to the hands of the development teams. So they've actually, again, small application team, they've really pushed it out to the development teams as part of a repo-integration for scanning, for ticket creation, for auto-remediation, and that's really, let them scale beyond, just one or two teams to thousands of repos, for example. I mean, that is, in my opinion, a huge use case or huge validation of that this works. This isn't just somebody talking about how cool their software is and it's not based in reality. >> A stat that I read about WhiteSource offer that I wanted to get your feedback on, is that, "WhiteSource goes beyond traditional detection, providing dependency and trace analysis and that this helps organizations eliminate upto 85% of security alerts." That's a big number. Talk to me about how you guys do that and the advantages that delivers. >> Yeah, sure, so I think like the one of the challenges with, historically, with open-source solutions, is that they scan and they get this result, and you could have hundreds and thousands of insecure libraries and you're like, "Holy moly, where do I even start?" It's just completely overwhelming. And then you dig into little deeper and again starting to build that trust with development teams, and the development teams comes back to you and says, "Well, hey, guess what? Yeah I know that library is insecure, but I'm not using that part of that library." So, it's really kind of a false-positive. So, what this dependency tracing does and how it helps with prioritization, is it says, "Okay, we see this particular library, this vulnerable open-source library, and it is in your execution path, we can see that you're using it." So then, you're able to say, "Okay, I should definitely fix this, because we're using it, or maybe not." Maybe, again, it's part my backlog yes, we should always keep up-to-date, and be completely secure. But having that ability to prioritize where to start and having the alerts based on that really reduces the noise. And again, it builds the trust between the teams. >> So, we talked from the beginning about shifting left isn't going to work without developers buy-in, the idea of using auto-remediation tools to let developers control that pace, the OpSec folks, the Dev folks, we also have for, I believe, it's the fifth consecutive year now, a huge gap in cybersecurity skills. I think I've seen some reports estimating that there needs to be another three million professionals in the next five years to help fill that gap and at the same time we're seeing the security landscape changing dramatically. Talk to me about how the cybersecurity skills gap is affecting developers, OpSec folks, and what your seeing as a tool that can help remediate some of that. >> Sure, yeah, no, that's, I mean that is the challenge. And I would even say that there seems to those skills gap on the development side too. But, I think that in terms of some of the challenges with that, so you have to look at ways, how can we be smarter about things. So, we don't have people, large teams where they know everything about application security and open-source security that we can really rely on to drive remediation, but, also to use these tools that all of us bought that do different things, that aren't correlated but to kind of provide that glue. So, where WhiteSource, I think is trying to address this is, again, if I don't have the people, and I don't have the skillsets, first of all automation, right? So, the more that we can automate, the better. But, not just again, automating on the scanning side, I think that's certainly a part of it, but again, looking at how we can help development teams that are maybe not security experts, and keeping them up-to-date and giving them, again, automatic remediation so that they can fix things without having a really depth that you would expect in a cybersecurity professional. >> I'm sure they appreciate that, not having to have that depth, because there really isn't, in terms of developers, there isn't the time. Speed is always of the essence there. One of the things too that I know, is there's lot of tools being used, you mentioned that. How can WhiteSource Software help the developers to better utilize some of the tools that they have or not just be buying tools to check boxes? >> Yeah, sure. So, yeah it's sad fact, I think, within our industry, probably more than just our hours, but really a lot of decisions, purchasing decision are based on the, "Well, I need to scan because somebody told me to and I that I had to, and I'm going to check the box. I'm not really interested in fixing anything, I just need to check that box." And, I think, historically, when it comes to tool selection, again, because application security is really focused on that check-the-box because they need to do that for a compliance or governance reason, they really haven't taken into heart the teams that would actually be using them and having to make the magic happen. So, they would prioritize things that, again, maybe OpDev wouldn't, so, again does it work with my tools? As a developer, I live in my IDE, I live in my code-repo, I live in my ticketing system, security doesn't typically care anything about that. So, I think with WhiteSource, again, providing the tools that the OpSec team needs. So again, the compliance reports and the policies and all this stuff we love. Also providing, again, the way to easily fit into developer workflows, that's how we're helping to move beyond, okay, we're checking the box but we do want to actually fix something and we want to move the target along. So we're really, I think, helping address that need as well. >> I know you guys did a DevSec Ops Insights Report recently, unpack that a little bit with some of the key findings that have come out of that. >> Yeah, no, that's great, so it's very interesting. First of all I think we in the industry we talk a lot about DevSecOps and that security is part of the DevOps process and everything is good. But when you actually talk to people, I think, two things, one, it's very much a work in progress, absolutely, and a lot of that is part of the tooling. I think, too, like what we've found as a part of this survey, is that the developers, are often, they feel forced to, okay, I'm shifting left, you're telling me I own security, but you're also telling me that I need to get this application out the door. I need this to compete. So, they're really being forced into hard choices of which one to prioritize, and that really comes down to a culture thing. What is more important to you. Being secure or being competitive? And how do you weigh that? So, I thought that was actually very interesting, I think that we tend to give OpDev teams a bad rap but they're really doing the best they can and they need clear guidance and there needs to be a security culture for them to operate in. >> Right, that's a really big one that you just hit on, that cultural impact. It's hard to change. In the last 18 months, we've all been through so much change, personally and professionally. We've seen this massive acceleration in digital transformation, so probably more pressure on developers who need to be able to be productive from work, from anywhere environments, that that cultural change, is really critical. I'm curious if you have some feedback from customers that have done it successfully or are in the process of doing it successfully that you can share? >> Yeah, change is hard, no matter where it's at. Absolutely. So, I think, like where we've seen the most successful of our customers, around this specifically, it truly is both a top-down and bottom-up approach. From a top-down, you can't just give lip-service that application security is important. You can't just say, "Oh, again from a compliance check-the-box, point-of-view, we scan, and we're looking, and, oh look, we have these statistics. You have to really have to live it. And what I mean by that is, when you're developing new applications it's just as important as the feature list. Security bugs are just as important as any other type of bugs. So again, it goes into the workflow of the application development teams and you don't make them make these hard trade-offs all the time between security and release. And then, from the bottom-up, again, you need to be where your teams are at. You can't ask them to go into another tool, or another thing, or another this and that. They have things to do. You have to be where they are. And you, have to give targeted, actionable, not things they have to go research, a guidance, and automate as much as you can. Again, both on the scanning as well as on the remediation side. >> Meet them where they are and facilitate that automation. Susan, thank you so much for joining me today, talking about- >> My pleasure. >> How WhiteSource Software is helping that, and also for the challenge of saying auto-remediation 10 times in a row, fast. (Susan laughing) I might practice that later. But it's been great talking to you. >> That will be my home work. Likewise. >> Exactly! Thank you so much for joining me. >> My pleasure. >> This has been our coverage of the "AWS Startup Showcase", New Breakthroughs in DevOps, Data Analytics and Cloud Management tools. For Susan StClair, I'm Lisa Martin. Thanks for watching. (gentle music)

>> Live from Barcelona, Spain. It's the cue covering Sisqo, Live Europe. Brought to you by Cisco and its ecosystem partners. >> Welcome back to Sisqo. Live in Barcelona, Day Volant with my co host to Mina and you're watching the Cube, the leader in live coverage of Day one of a three day segments that we're doing here at Cisco Live. Barcelona Bread Hartmann is here is the CTO of Cisco Security Group and we think a Cube alum from way back, way, back way back. Great to see you again. Thanks for coming on. So we're gonna talk about workload security? What's that? What is working? What >> is workload security? So it's really the whole idea of how people secure applications today because applications aren't built the way they used to be. You know, it's not the idea that you have an application that's just sitting running on a server anymore. Applications are actually built out of lots of lots of components. Those components may run in a typical data center. They may run in the cloud. It may be part of a sass solution. So you got all these different components that need to be plugged together. So questions How do you possibly secure that when you have all these pieces? Containers, virtualized, workloads, all working together? That's the big question >> written often times by different people. >> Different people's services. Yeah, Matt Open source. Right. So all that somehow has to come together and you have to figure out how to secure. That's the question. >> So what did you used to do with applications? Securities Just kind of figured out the end and bolted on. >> Pretty much. I mean, yeah, historically, people would do their best to secure their application. It would be kind of monolithic, you know, or, you know, three tier yet of, you know, the Web here after your database, that sort of thing. And then you'd also depend a lot on the infrastructure. Depend on firewalls. You depend on thing's on the edge to protect the application. The problem is, there's not so much of an edge anymore. When in that world I described you can't really relies so much on that infrastructure anymore. That's the shift of the world. We know. >> Also, what's the prescription today? How do you solve that problem? >> You know, there's a lot of ad hoc work, and so this whole notion. A lot of people talk about Deb set cops these days, or sometimes it's, you know, Deb Opsec girl. But you know, there's always different versions of that. But the whole idea of the de bop swirl the way people build applications today and the security world, its security ops world are coming, either coming together are colliding or crashing, right? And so it's it's getting those things to work. So right now, the way Deb ops and SEC cops works today is not particularly well, a lot of manual work. Ah, a lot of kind of ad hoc scripts, but I will say probably over the last year, there's a lot more awareness than we need to figure this out. To be able to merge these two things together. That's kind of the next day. >> Print one. Wanna bring us inside that a little bit because if you, you know, listen to the Dev ops people. It's you know, we've got a new C i. C. We need to move fast. And there was the myth out there. Oh, well do and my faster or am I secure? And, you know, I was reading some research recently. And they said, Actually, that's a false tradeoff. Actually, you can move fast and be more secure. But you raised a risk because you said if these are two separate things and they're not working in lob stacked and it's not secure every step of the way in that part of your methodology, then you're definitely >> going to security exactly right. And there's a basic question of how much of a responsibility that developers have to provide security anyway. I mean, historically, we don't really necessarily trust developers to care that much about security. Now, as to your point these days, without, you know the way people develop software today, they need to care more about it. But typically it was the security operations. Folks that was their responsibility of developers could do whatever they wanted, and the security folks kept them safe. Well, again, as you said, you can't do that anymore. So the developers have to pull security into their development processes. >> Yeah, when I go to some of the container shows or the surveillance shows, the people in the security space are like chanting up on state security is everyone's responsibility. It hasn't traditionally been the >> case it has not. And so it's really work. What companies are working on now is how to the security operations people fit into that development process and what are the tools? And again, it's a long, complicated set of infrastructure and other sorts of tools. But that's sort of the point that Cisco we're really working on on evolving the security products and technologies. So exactly it fits into that process. That's the goal. >> So I'm sure there's a maturity Mahler or a spectrum. When you talk to customers, maybe we could poke it that a little bit sort of described that. So you're really just really talking about a world where it's team sport. The regime is everybody's gotta gotta be involved. But but oftentimes that, working for different people, someone working for the C e O. Maybe some the CTO from the sea so different companies contract, there's >> providers all >> that right partners. So so what is that spectrum look like? And how are you helping customers, you know, take that journey. >> So not surprisingly, companies that are born in the cloud they're like, This is old news. It's like, This is how they, how they deal with it every day. They A lot of those companies have lower risk deployments. Anyway, the organizations that are really early days on this, or the ones that have lots of existing investment and all that data center stuff, and they're trying to figure out how this is gonna work. You know, you talk to a typical bank, for example, you know, their core business processes of how they protect money. They're not going to move to the cloud, right? So how did they evolve? And they, by the way, they have to do with compliance requirements on all this other stuff they can't They can't play too fast and loose, so that's an example of something that's early days. But they are also working a lot in terms of Ah, evolving, moving to the cloud and having TTO be able to support that, too. >> So when you engage with with Cline, I presume you're tryingto assess kind of where they're at and then figure out where they want to go, and then how to best get him there. So, yeah, what is Cisco's role in helping him get? >> And so first of all, of course, I represent, you know, the business group that builds the security products, right? So a lot of this, and the reason why my group is so interested in this and and our security Francisco so interested is this really represents the future of security. This idea of having a much more embedded into the applications is supposed to purely being in the infrastructure. So what we're seeing for typical customers, like, if I roll the clock back a year ago and we talked about things like Deb set cops, they're like, Yeah, kind of an interesting problem. The one we just talked about what it's like, not quite ready for it now. This is, I think, every C so you know, chief security officer, I talked to very aware, have active engagements about how they're working with their nabobs groups and are actively seeking for tools and technology to support them. So to me, that's a good sign that it's you know, the world is moving in this direction, and as a security vendor, we need to evolve, too. So that means things like evolving the way firewalls work. For example, it's not just about firewall sitting at the edge. It means distributing firewall functionality. It means moving functionality into the public cloud like a Ws and Google and Azure. It means moving security up into the application itself. So it's a very different world than just a box sitting on the edge. That's that's the journey. And we're on that journey, too. And the industry is I mean, it's not a solve problem for exactly how to do >> that. If we go back to the early days were talking about, you know, that when the Cube started twenty ten, Security really wasn't a board level topic back then. >> It's at least not for every company. There's certainly company. Yeah, but not now. It's like you're right. Every company cares about it, >> right, and it comes up. But every quarterly knowing, you know, certainly every every annual meeting. Um, so So what? Should Sasha, the technical Seaside CEO CTO. If they're invited into the board meeting, how should they be communicating to the board about security, what >> it's run its? And and to your point, I mean typically these days for most major corporations in the world, the chief security officer is often presenting at every board meeting because cyber risk it's such a big, big part of that risk. And this is a challenge, right? Because to try to communicate all the tech required to manage that risk to aboard Not so easy, right? It's like, yeah, China count. How many now, where threats stopped. It's like, what do they do with that? If you talk to our our chief security officer, Steve Martino here, it's Cisco. I mean, he talks a lot about, first of all, having visibility, you know, being able to show how much visibility, how much can we see? And then how much can we control and show that the organization is making more and more progress in terms of just seeing what's out there so you don't know broke devices and then putting controls in place? So you need some pretty. You know, the big animal pictures communication of being able to manage that. But you can never come in and say, Yep, guaranteed. We're secure, you know, are given a number. It kind of has no meaning >> but strategy. Visibility, response. You know, mechanisms preparedness. What? The response. You know, protocol is that that's the level of it sounds like >> showing, you know, maturity of the process is really on the ability to take that on a supposed to getting into the weeds of, you know, all the metrics that stone. >> So we've had multi vendor for a long time, and even then, the network space, there's a lot of different pieces of the environment. How is multi cloud different from a security >> standpoint? Yeah, so the issue there and kind of what I was hinting that we talk about the way people build applications, is that all those vendors, they all do security differently. Everyone that scary differently s'all good, I mean and for example, Amazon, Google, Microsoft. They're all making massive investments to secure their own clouds, which is awesome, but they're always also different. And then you have the SAS vendors. You talked to sales force drop box in box. They have different security mechanisms. And then, of course, you have different ones in the enterprise. So from a chief security officer standpoint reporting to the board, they want one policy. You know, we want to protect sensitive corporate data, and then you have maybe one hundred different security policies across all these, All this mess. That's why it's different trying to manage the complexity and get the policies, toe work and get enforced across all those platforms. You can't force it all to be the same. So a lot of what we're working on, a really tools to do that so you can fitting back into that develops process. You, Khun, define high level policies of how do you control that data and then map it? Toe all those different platforms? That's that's the gold. That's how we that's how we get there. Make progress. >> She had a picture up in the keynotes today. It had users. Device is kind of on one side of the network and then applications in data on the other side of the network and then the network in the middle right and all those pieces fitting in. How does that affect how you think about security? We've talked a lot about application securing the application. Are you thinking similarly about the data or the devices, or even the users? You know bad user behavior will trump great security every time. Where do those other pieces fit into the context? >> Of course, that's a big reason why we just acquired duo security. You know, very significant acquisition there, which is exactly around trust of human beings as well as the device, is a key component that Sisko didn't have before that and fits in exactly to that point. I was a key strategic piece of that of trust, defining trust, and you know that it's in. Obviously, we already do lots on the device side. You know, we do things like identity service engine to enforce access. You know, with the network, we have more and more on the application side. Not so much in the data side yet, I mean, but as we move up the sack and of the application, it'll be around data, too. But the network is a natural convergence point there, and the whole idea of having security embedded right into that network is, of course, you know why. Why Francisco, right, that's security is a critical thing that needs to be embedded and everything that Cisco does. >> Well, you've got an advantage and that you could do the deep packet inspection you hear in the network. I mean, that's what >> visit bill I mean, Maturity is is really all about visibility. Don't visibility of nothing. And Cisco has this incredible foot print. Incredible telemetry across the world. I mean, all the statistics around Talos you probably seen it's a huge right and that's that's. Ah, that's a big advantage that we have to really provide security. >> Right? Awesome. Well, Bret, thanks for for coming back on The Cube was great to see you. My pleasure, tuk. Alright, alright. Keep right there, Everybody Stupid Open day! Volante, You're watching the cue from Cisco Live, Barcelona! Stay right there. We'LL be right back.