>>Welcome to this cube conversation which is part of our third Aws startup showcase of this year. I'm your host lisa martin and I'm pleased to welcome to the cube ceo and co founder of White Source Romney Sasse Rami, Welcome to the program. >>Thank you. Thank you so much for having me. >>I'm excited for our audience to hear about White Source, give us that high level overview of what the company is and what you how you're helping organizations. >>Sure. So we have software engineering teams keep track of their use of open source components sometimes referred to as dependencies and primarily focused on security aspect of those dependencies and are able to very natively and very quickly identify one all of the dependencies that are being used in a certain software that's being developed and alert to any known vulnerabilities that exist in those dependencies and then nick our users through the journey of finding them prioritizing them and fixing the vulnerability is such that their software when it gets released is not at risk, >>not at risk. And one of the things we've talked so much about In the last 18 months is the threat landscape. It's changed dramatically. We've seen a huge increase in ransom where huge increase in Ddos attacks. We also are in the fifth consecutive year of a cybersecurity skills gap. It's been there for a while. We know that there have been barriers between developers and security. How does White Source help address that cybersecurity skills gap. >>So we focus on automating as much of the security practices possible. Right. So basically our main premise is that we want to be the security expert for the engineering team so that they don't have to right? So we provide tools that automate the entire process of remediating the vulnerability so that we can save the developers effort and time in becoming security expert basically saying they don't need to become security expert, they can keep doing what they do best, which is developed software and provide more business value to their employer. And we will take care of anything that has to do with security in their software for them. So basically we're trying to alleviate the need for developers to develop any kind of security related skill set. >>I got to ask you how does that address? We talked about the skills gap but also the cultural shift required for developers to then kind of exhale and and put their trust in you guys and that's a big challenge to change cultures within organizations. How do you help influence that? >>Sure. So look, when you're talking about cultural shift, it always takes time. Like these things do not happen overnight And its gradual and so we are very well aware of it and we do not expect people to have 100% confidence in us immediately in day one. Okay, so our tools and and practices account for it and we help our users uh increasingly trust us more by proving ourselves to them by first starting with providing advice and allowing them to control the pace at which they automate more of the process. Right? So initially we will just tell them what they need to do and let them do it themselves until they are, they have gained enough experience without tools to just allow us to take the full cycle for them. That's one which maybe is even more important is that we rely very heavily on crowd sourcing, Right? So we have a very extensive customer base that is made up of some of the world's leading enterprise organizations that have very complex and a large environments and across those environments, combined with our ongoing and monitoring of everything that's going on in the large world of open source projects, we have compiled a very extensive crowd source database or knowledge base, if you will, that basically gives you intel on what others are doing with those vulnerable open stores dependencies, Right? And we can give you a lot of confidence when we see that the broader community of both commercial and free opens those users have upgraded a vulnerable dependency to a safe version and are speaking to the new version, right? They're not pulling it back there, not undoing that change. And so we give you a lot of visibility into all of that information and also, you know, when when things go bad, right? If we see that many people roll back some change and uh avoiding some dependency version, then we will warn you away from upgrading that version. So I think that the fact that we are establishing our recommendations on a lot of crowd sourced data is another way for us to provide more confidence, automating actions for our users. >>The C word confidence is absolutely critical. I got to ask you though Romney, something that you you mentioned, I was always, I always like to ask start ups, you know, what was the impetus to start the company? You're the Ceo and co founder? What were some of the gaps that were missing? Was it crowdsourcing? And was it the the lack of that community to really provide that visibility to developers that you guys saw as an opportunity to fix in the market? >>Alright. So at the risk of exposing my real age, Uh tell you that the company started over 10 years ago and was actually based on previous experience that as founders had in another company when when it was time to sell it. Right? So when we sold our previous company, we had to go through a two diligence process where we were required to provide a very detailed report of all the open source dependencies that we were using and we didn't have such a report and sort of caught us off guard and we had to spend a lot of time during, you know, the most stressful part of the due diligence, finding out which open source we were using and documenting it and coming up with the report. And so that was a very personal experience we had, but it was very obvious that it's not something that we did special. Right? Everyone is developing software is relying very heavily on open source and usually doesn't track it everywhere. Soon it initially started from just the very basic need for transparency, visibility and the ability to provide a, you know, simple bill of material that's now become a big thing right around S bahn Uh, but 10 years ago it was very difficult, it was very like manually laborious task to be able to come up with your bill of material and that's sort of the experience that big. Uh, the foundation of white suits >>got it and then talk to me about your relationship with AWS and mentioned in the beginning of this segment that this is part of our third AWS startup showcase of the year. Give us an overview of your relationship with AWS from a technology partnership perspective cells marketing product. >>Sure. So we've been working with us for a very long time and they are a wonderful partner to work with. It started right at the beginning where we are a cloud native company. Right? So we're staff solution provider and from the beginning we chose aws to be the infrastructure on which to no solution and we grew together with them over time over the last 10 years. We've been scaling again and again our environment and you know, the services that we provide and have been consuming more and more on AWS services, both for infrastructure and but also and very importantly for securing our runtime environment, which they do a great job at. But then it went even further and we are now integrated with a lot of AWS services and products and technologies. So our offering is very much integrated with several AWS offerings. And even beyond that, we are working closely as they go to market partner with AWS. So we have several co marketing initiatives with them and we are part of the startup coastal program. Such that AWS sales people can coastal white source to their customers. >>I imagine that is an advantage the partnership and the deep relationship that you have with a W. S in terms of getting those customers meetings and and helping them achieve the confidence in the technologies and the power of the two companies in 10 years. We're looking at 1000 customers and some big names. I saw from your website Microsoft Comcast, uh, Splunk 23% of the Fortune 100. Tell me how the aws partnership helps you give those developers the confidence that they need to trust in your technologies. >>Sure. So, first I think the synergy is very apparent, very obvious because both AWS and us sell to the engineering departments into the devil's people. All right. So we are catering to the same users the same customers the same, even decision makers. And so it's very easy to understand. It's also very easy to tell the better together story. Right? So, it's very easy for the the the THE AWS sales people to explain to their customers why it's easily integrate Herbal and it makes the sales motion easier and transparent and fluid and it makes the customer's consumption of the joint services easier. Right? So it's for them, it's easier to work with AWS is a window knowing that they can get all these added security features from them and gained the confidence of having this solution vetted by amazon and get us as a reference for us as a vendor also makes it easier for them to trust us and to use our services uh, with peace of life. >>Sounds like a synergistic cultures as well. I want to dig into something that I saw in the notes that you guys provided that white sources enabling organizations to eliminate up to 85% of security alerts. That's a big number. How do you do that? >>Okay. First, to clarify, we're talking about open source vulnerability or its rights are not in general. Not all security for open source security alliance. We've developed a deeper analysis that goes beyond just looking at your bill of material and identifying which dependencies are vulnerable and analyzes the way in which the developers are using those dependencies and what we've found over the last three years of running that technology with real customers? over many tens of thousands of development projects. Is that on average, 85% of the vulnerabilities in open source dependencies. I'll not reachable from your code. All right. So they are still there. You're still using the dependency but you're using some other function of it, which is not vulnerable. And the vulnerable function is never actively called in your code base. So this is like very specific. It's not some generic analysis. We had to analyze your code and figure that out. And so again, the average statistics statistics, is That just 15% of vulnerabilities are quote unquote, reachable form your code and makes your software vulnerable. Right? All the others are simply not exploitable. And so it can easily be eliminated for the need to remediate. Right? So you don't have to >>got it. How are you guys helping customers? There's been a lot of data that shows companies are spending millions uh annually using multiple web app and a P. I. Security tools on average but are still having problems with those tools being effective. How does white source help customers not waste time and resources and get right to being able to identify and remediate those vulnerabilities >>short. So look again in our philosophy, is that just detecting the problem? The security issues doesn't fix anything. Right. Doesn't help you solve your problem. Right, paramount to going to visit your dentist and having them find the cavity and maybe they do an x ray and they tell you exactly which tooth it's on and how deep it is. And then just send you home and you did you need to deal with it yourself. Right? So it doesn't really solve the problem. Your your mouth still painful. You have to fix the problem in order to get any kind of value for the security service of tool, you have to, you know, close the loop, finish the process and fix the vulnerability. And so by investing a lot in automating the remediation in enabling our tools to close that cycle right to finish the job and fix the vulnerability. We enable you to actually gain the value from the various tools that you're using and make sure that your software is not exposed and not vulnerable and not just give you a report with the vulnerabilities, right? Not just find them for you. >>Got It. Last question for you is if we look at your recommendations when you're talking to customers, especially as I mentioned earlier in the conversation, the threat landscape has changed dramatically in the last 18 months when you're in customer conversations, how do you advise them to start? You start with the developers. Do you start with security or do you start by saying you've got to bring everybody together. >>So we would normally start with security uh and you know, not necessarily the developers themselves, but the engineering managers. The heads of engineering again because our main effort is to leave the developers alone. Right. We want to get as little developer involvement as possible so that they can be free to do what they need to do. Security is something they have to right? It's a sure it's not, it doesn't add business value, it just protects the business from being exposed to greater risk. And so our approach and our practice is to be a sort of exception based tool for developers and only get them involved when you absolutely have to have them chime in and do something. Otherwise, we can fully take ownership and automate the entire process of identification, prioritization and remediation for the organization and just provide reports on, you know, how many vulnerabilities we fix this month and and give them better visibility into their security posture. Yeah, but you know, we invest most of our innovation attention resources as a company to automate as much of that process as possible so that the developers don't have to spend their time on security issues. We will do it for it. >>And I imagine developer productivity goes way up for your customers? I do have one more question for you, given that here we are in the fall of 2021, what are some of the things that you're looking forward to as we go into the new year? >>I love you in the new jewish year or then you >>Uh maybe both. I was thinking, you know, just as we go into 2020 to some of the things that you're excited about. >>Sure, so look, it's it's a little difficult to be happy about something that's a problem for other people, right? Because there is a growing threat for application security and there is more and more attacks going on in the world. But I'm really looking forward to helping more people be more protected while not wasting their time. All right. So it what drives me is the ability for us as a company to provide real value for customers and not be some shelf will not be a tool that just produces reports that no one knows what to do with. And the fact that we are able to steal our users and our customers away from risk and save them. The the hassle of being attacked, being hacked, having their data stolen or having the system broken into is what I mostly look >>and there's plenty of opportunities for you guys to do just that and really add that value for those developers And the company is like I said, big brands Microsoft Comcast block Romney, thank you for joining me on the program today, talking to us about white source and how you're really feeling the gaps in the cybersecurity skills landscape and helping really transform developer productivity where security is concerned. We appreciate your time. >>Thank you. Thank you so much for having me on the show. >>My pleasure for a missus I'm lisa martin. You're watching this cube conversation. Mhm mm mm.

>> Announcer: From San Jose, California, it's The Cube, covering Big Data Silicon Valley 2017. >> Welcome back everyone. We are at Big Data Silicon Valley, running in conjunction with Strata + Hadoop World in San Jose. I'm George Gilbert and I'm joined by Raymie Stata, and Raymie was most recently CEO and Founder of Altiscale. Hadoop is a service vendor. One of the few out there, not part of one of the public clouds. And in keeping with all of the great work they've done, they got snapped up by SAP. So, Rami, since we haven't seen you, I think on The Cube since then, why don't you catch us up with all that, the good work that's gone on between you and SAP since then. >> Sure, so the acquisition closed back in September, so it's been about six months. And it's been a very busy six months. You know, there's just a lot of blocking and tackling that needs to happen. So, you know, getting people on board. Getting new laptops, all that good stuff. But certainly a huge effort for us was to open up a data center in Europe. We've long had demand to have that European presence, both because I think there's a lot of interest over in Europe itself, but also large, multi-national companies based in the US, you know, it's important for them to have that European presence as well. So, it was a natural thing to do as part of SAP, so kind of first order of business was to expand over into Europe. So that was a big exercise. We've actually had some good traction on the sales side, right, so we're getting new customers, larger customers, more demanding customers, which has been a good challenge too. >> So let's pause for a minute on, sort of unpack for folks, what Altiscale offered, the core services. >> Sure. >> That were, you know, here in the US, and now you've extended to Europe. >> Right. So our core platform is kind of Hadoop, Hive, and Spark, you know, as a service in the cloud. And so we would offer HDFS and YARN for Hadoop. Spark and Hive kind of well-integrated. And we would offer that as a cloud service. So you would just, you know, get an account, login, you know, store stuff in HDFS, run your Spark programs, and the way we encourage people to think about it is, I think very often vendors have trained folks in the big data space to think about nodes. You know, how many nodes am I going to get? What kind of nodes am I going to get? And the way we really force people to think twice about Hadoop and what Hadoop as a service means is, you know, they don't, why are you asking that? You don't need to know about nodes. Just store stuff, run your jobs. We worry about nodes. And that, you know, once people kind of understood, you know, just how much complexity that takes out of their lives and how that just enables them to truly focus on using these technologies to get business value, rather that operating them. You know, there's that aha moment in the sales cycle, where people say yeah, that's what I want. I want Hadoop as a service. So that's been our value proposition from the beginning. And it's remained quite constant, and even coming into SAP that's not changing, you know, one bit. >> So, just to be clear then, it's like a lot of the operational responsibilities sort of, you took control over, so that when you say, like don't worry about nodes, it's customer pours x amount of data into storage, which in your case would be HDFS, and then compute is independent of that. They need, you spin up however many, or however much capacity they need, with Spark for instance, to process it, or Hive. Okay, so. >> And all on demand. >> Yeah so it sounds like it's, how close to like the Big Query or Athena services, Athena on AWS or Big Query on Google? Where you're not aware of any servers, either for storage or for compute? >> Yeah I think that's a very good comparable. It's very much like Athena and Big Query where you just store stuff in tables and you issue queries and you don't worry about how much compute, you know, and managing it. I think, by throwing, you know, Spark in the equation, and YARN more generally, right, we can handle a broader range of these cases. So, for example, you don't have to store data in tables, you can store them into HDFS files which is good for processing log data, for example. And with Spark, for example, you have access to a lot of machine learning algorithms that are a little bit harder to run in the context of, say, Athena. So I think it's the same model, in terms of, it's fully operated for you. But a broader platform in terms of its capabilities. >> Okay, so now let's talk about what SAP brought to the table and how that changed the use cases that were appropriate for Altiscale. You know, starting at the data layer. >> Yeah, so, I think the, certainly the, from the business perspective, SAP brings a large, very engaged customer base that, you know, is eager to embrace, kind of a data-driven mindset and culture and is looking for a partner to help them do that, right. And so that's been great to be in that environment. SAP has a number of additional technologies that we've been integrating into the Altiscale offering. So one of them is Vora, which is kind of an interactive sequel engine, it also has time series capabilities and graph capabilities and search capabilities. So it has a lot of additive capabilities, if you will, to what we have at Altiscale. And it also integrates very deeply into HANA itself. And so we now have that for a technology available as a service at Altiscale. >> Let me make sure, so that everyone understands, and so I understand too, is that so you can issue queries from HANA and they can, you know, beyond just simple sequel queries, they can handle the time series, and predictive analytics, and access data sort of seamlessly that's in Hadoop, or can it go the other way as well? >> It's both ways. So you can, you know, from HANA you can essentially federate out into Vora. And through that access data that's in a Hadoop cluster. But it's also the other way around. A lot of times there's an analyst who really lives in the big data world, right, they're in the Hadoop world, but they want to join in data that's sitting in a HANA database, you know. Might be dimensions in a warehouse or, you know, customer details even in a transactional system. And so, you know, that Hadoop-based analyst now has access to data that's out in those HANA databases. >> Do you have some Lighthouse accounts that are working with this already? >> Yes, we do. (laughter) >> Yes we do, okay. I guess that was the diplomatic way of saying yes. But no comment. Alright, so tell us more about SAPs big data stack today and how that might evolve. >> Yeah, of course now, especially that now we've got the Spark, Hadoop, Hive offering that we have. And then four sitting on top of that. There's an offering called Predictive Analytics, which is Spark-based predictive analytics. >> Is that something that came from you, or is that, >> That's an SAP thing, so this is what's been great about the acquisition is that SAP does have a lot of technologies that we can now integrate. And it brings new capabilities to our customer base. So those three are kind of pretty key. And then there's something called Data Services as well, which allows us to move data easily in and out of, you know, HANA and other data stores. >> Is it, is this ability to federate queries between Hadoop and HANA and then migration of the data between the stores, does that, has that changed the economics of how much data people, SAP customers, maintain and sort of what types of apps they can build on it now that they might, it's economically feasible to store a lot more data. >> Well, yes and no. I think the context of Altiscale, both before and after the acquisition is very often there's, what you might call a big data source, right. It could be your web logs, it could be some IOT generated log data, it could be social media streams. You know, this is data that's, you know, doesn't have a lot of structure coming in. It's fairly voluminous. It doesn't, very naturally, go into a sequel database, and that's kind of the sweet spot for the big data technologies like Hadoop and Spark. So, those datas come into your big data environment. You can transform it, you can do some data quality on it. And then you can eventually stage it out into something like HANA data mart, where it, you know, to make it available for reporting. But obviously there's stuff that you can do on the larger dataset in Hadoop as well. So, in a way, yes, you can now tame, if you will, those huge data sources that, you know, weren't practical to put into HANA databasing. >> If you were to prioritize, in the context of, sort of, the applications SAP focuses on, would you be, sort of, with the highest priority use case be IOT related stuff, where, you know, it was just prohibitive to put it in HANA since it's mostly in memory. But, you know, SAP is exposed to tons of that type of data, which would seem to most naturally have an afinity to Altiscale. >> Yeah, so, I mean, IOT is a big initiative. And is a great use case for big data. But, you know, financial-to-financial services industry, as another example, is fairly down the path using Hadoop technologies for many different use cases. And so, that's also an opportunity for us. >> So, let me pop back up, you know, before we have to wrap. With Altiscale as part of the SAP portfolio, have the two companies sort of gone to customers with a more, with more transformational options, that, you know, you'll sell together? >> Yeah, we have. In fact, Altiscale actually is no longer called Altiscale, right? We're part of a portfolio of products, you know, known as the SAP Cloud Platform. So, you know, under the cloud platform we're the big data services. The SAP Cloud Platform is all about business transformation. And business innovation. And so, we bring to that portfolio the ability to now bring the types of data sources that I've just discussed, you know, to bear on these transformative efforts. And so, you know, we fit into some momentum SAP already has, right, to help companies drive change. >> Okay. So, along those lines, which might be, I mean, we know the financial services has done a lot of work with, and I guess telcos as well, what are some of the other verticals that look like they're primed to fall, you know, with this type of transformational network? >> So you mentioned one, which I kind of call manufacturing, right, and there tends to be two kind of different use cases there. One of them I call kind of the shop floor thing. Where you're collecting a lot of sensor data, you know, out of a manufacturing facility with the goal of increasing yield. So you've got the shop floor. And then you've got the, I think, more commonly discussed measuring stuff out in the field. You've got a product, you know, out in the field. Bringing the telemetry back. Doing things like predictive meetings. So, I think manufacturing is a big sector ready to go for big data. And healthcare is another one. You know, people pulling together electronic medical records, you know trying to combine that with clinical outcomes, and I think the big focus there is to drive towards, kind of, outcome-based models, even on the payment side. And big data is really valuable to drive and assess, you know, kind of outcomes in an aggregate way. >> Okay. We're going to have to leave it on that note. But we will tune back in at I guess Sapphire or TechEd, whichever of the SAP shows is coming up next to get an update. >> Sapphire's next. Then TechEd. >> Okay. With that, this is George Gilbert, and Raymie Stata. We will be back in few moments with another segment. We're here at Big Data Silicon Valley. Running in conjunction with Strata + Hadoop World. Stay tuned, we'll be right back.