(upbeat instrumental music) >> From our studios in the heart of Silicon Valley, Palo Alto, California. This is a CUBE Conversation. >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in our Palo Alto studios for a CUBE Conversation. It's just a couple of days until RSA kicks off a huge security conference. I think the biggest security conference in the industry. And we've got a security expert here in the house and we're excited to have him stop by. It's Manish Gupta, the Founder and CEO of ShipLeft. Manish, great to see you. >> Yeah, great to see you too, thank you. >> Welcome. So you must be really busy getting everything buttoned up for next week. >> Oh yeah, absolutely ready to go. >> Alright so for the people that aren't familiar with ShiftLeft, give us kind of the basic overview. >> Yeah of course. So ShiftLeft about a two and a half year old company. We started with the problem of you know, the software's driving innovation all around us, right? I mean, we see it in autonomous cars, IoTs, increasingly SwaaS software in the cloud. And all of the software needs to be figured out, how are we going to protect it. And so it's a big problem, and we've been working on it for about two and a half years now. Raised our Series A and most recently in the last two weeks, we announced our Series B of 20 Million. >> Congratulations. >> Amazing team, yeah! >> So, you've been in the security space for a long time. >> Correct. >> And RSA's a giant conference. I don't know what the numbers will be this year. I'm sure it'll be north of 40 thousand people. Moscone North, South and West will be full. Every hotel is full. But it kind of begs a question, like, haven't we got some of the security thing figured out? It's just a never-ending kind of startup opportunities as there's new ways to approach this kind of fundamental problem which is, how do we keep the bad guys out. How do we keep them from doing bad things while the surface area expands exponentially. The attack surface expands. And we hear every day that people are getting breached and breached and breached. So the whole ecosystem, and kind of approach has completely changed over the time that you've been involved in this business. >> Indeed, as you said, I've been in cybersecurity for a long time. I like to say the last 15 years, first part of my career, I was focused on detecting viruses. Then it became worms. Then most recently at FireEye, we were detecting advanced malware nation-state attacks like APT1s and APT3s. But it was then that sort of, it dawned on me that, look about 80% of security money gets spent on detecting bad stuff, right? And that's reactive. Essentially what that means is we are letting the bad guy shoot first and then we are trying to figure out, okay what are we going to do now. >> We're waiting like 150 days right, down from 230 days, before we even-- >> Exactly. >> know that he's shootin' at us. >> That's right. Now couple that with as you said, the attack surface is ever increasing, right. Because we're using software in every which way which means all of this stuff needs to be protected. And so that's why we were wanted to start with a fresh perspective which is to say, let's not worry about attacks. Because that is not in our control. That's in the bad guys' control. What can we control? Which is our software. And so, that is why what we do at ShiftLeft is to understand the software very quickly, extract its attack surface in minutes, and then allow you to fix whatever you want to, whatever you can during the time frame you have available. And here comes the next innovation which is, if you don't fix anything, which is almost always the case, we will protect the application in production. Now the key is, we protect the application in production against its vulnerabilities. So we never ever react to threats. We don't care. >> So you have like a wrapper around the known vulnerabilities within the code. Is that a good desciption? >> Yes, you could absolutely, that's a good way of thinking about it is you know, let's say a million lines of code. We find 10 vulnerabilities in it. So it's only in 10 specific instances of the application. Now we also know what vulnerabilities exist on line 100 and line 200 and so on. And with that knowledge, we can very precisely protect each vulnerability. >> It's a really interesting approach. You know, one of the things I find fascinating with security is it's kind of like insurance. >> Mm hmm. >> In theory, you could spend 110% of all your revenue budget >> Correct. >> on security, but you can't so you have to make trade off decisions. You have to make business value decisions and you have to prioritize. So this is a really different approach, that you're offering an option either to fix the known, and/or just to protect the known, so that there's some variability in the kind of the degree of investment that the customer wants to spend. >> You summed it up well, Jeff. I think the fundamental challenge with security has been that. Is that ya know, 15 years ago we've asked our customers to buy antivirus. Then we asked them to buy intrusion detection. Then we asked them to buy nation-state or malware protection. Now we're asking them to buy machine learning based mechanisms to detect more threats, right? And so the funnel is like this, right, but it never goes down to zero. And so tomorrow some other approach will come up to detect the 0.1% of the malware. And guess what? The sys-os really don't have a choice right? Because they have to protect their organization. So they have to buy that tool also. Now in this entire process, you never get better, right? Notice that you never get better. All you're doing is just reacting. And because a virus from 15 years ago theoretically could still come and attack you, you can't throw away that too either. Right, and so that is precisely why I'm so passionate about work we're doing at ShiftLeft is we will protect you from, in sort of in bad continuous improvement for the first time in security. Find the vulnerabilities, fix them. But if you can't fix them, we will protect you. >> Now, what about another kind of big shift in the way software is delivered, is everything is an API to someone else's software. And oftentimes there's many many components that are being pulled in from many many places that contribute to, but aren't software that I control personally. >> Correct. >> So how do you guys deal with those types of challenges? >> Great question, great question. And you know, the popular saying is we are becoming an API economy. >> Right, right. >> And what we exchange on our APIs is increasingly a lot of data. And you're right. If you think about historical approaches, we will now have to break open the API on a network, to find out what it contains. And for various reasons, super hard to do, lots of operational efficiencies, inefficiencies, excuse me. And this is again where the ShiftLeft approach is rather unique. See because we go down to the very foundation. It's hard work right, but we go down to the very foundation, what is the source code of the API. So we will understand, okay, well this is what you should be putting in the API, right? But then I see that a variable called Personally Identifiable Information is being put into that API. I can now tell you before this becomes a problem that'll embarrass you in the newspapers. I, we will tell you, hey look, you are writing PII to a third party API without encryption, right. So you get to fix the problem at the very root where it starts. >> So but, can you wrap the known vulnerability in a partner piece of software? >> Absolutely we can. >> As it interfaces with my software? >> Correct. So, there are two aspects to it right. The first is what are you putting into that API, right, that is completely in your control. >> Right. >> Right, we don't really need to understand the API for that matter. So that is one particular use case we can absolutely protect you there, right. The second is when the API, when integrated into your application, makes your application vulnerable. Right, so I'll give you an example. This happened to one our our customers. This is a 3,500 person technical, technology company based here in Santa Clara. They were using a third party API. Very popular one. That third party API in turn was using a Jackson databind library, just an open source library. Now, as a company when we decide to use that API, we don't really worry about, we don't have visibility into like what all is it hurting. >> Downstream. >> Exactly. >> And how many feeds are in that one particular one. >> That's right. And so this is the supply chain of software. Right? Multiple components are now being brought together very quickly to create the functionality that you want to deliver to your users, to your customers. But in this pace of execution, we need tools like ShiftLeft to tell us hey what are we hurting. And whatever we are hurting, how is that impacting the security of our application. >> Right, right. Pretty interesting stuff, you got another component of something that's really important today that wasn't necessarily when you started this adventure. And that's the open source play. >> Yes. >> So as I understand it, you guys started really from more of an open source play and then ShiftLeft grew out of kind of commercializing what was that open source project. I wonder if can explain a little bit more. >> Yeah, I would love to. So the foundation of what we do is a technology called Core Property Graph. So, this is an invention of our chief scientist, Dr. Fabian Yamaguchi, one of the foremost authorities in the world, in the area of understanding code, right. And so as part of his PhD thesis, he came up with this technology and decided to open source a tool called Joern. >> Joern. J-O-E-R-N. >> That's right. >> Not easy to figure out, Joern yes. (laughing) >> Exactly. And it's actually his friend's name so that's how he named it. >> Ah, is that right? >> So he open sourced it and several organizations around the world have since used it to find very hard to find vulnerabilities. Right so as an example, this is a IEEE paper where this technology was used by Fabian to find 18 zero-day vulnerabilities in the main line Linux code, right. So arguably one of the most complex pieces of code on the planet, 15 million lines of code. Arguably one of the most analyzed pieces of code on the planet. And as recently as 2015, he finds 18 zero-days. And no false positives. Every single vulnerabilty has been acknowledged and fixed by the Linux community. That's the power. And so we use that as the foundation. So you write that as open source but since then we've done a lot of incremental work on enhancing it to make it enterprise ready. And that is a product we offer. as call this Ocular. Where we give you, think about it as my best analogy, is just like Google Maps for your source code. >> Yeah, I think it's a good analogy and he goes through that in one of his videos kind of explaining the mapping. >> Correct. >> Of different layers of kind of visibility into how you should look at software code. >> Indeed. >> Yeah alright, well before we let ya go, you got some exciting things happening next week beyond just the regular activities at RSA. You guys have been invited to participate in a special activity. I wonder if you can share a little bit and give a plug and maybe we can send some fans up to, I dunno if it's going to be audience participation in the judging. >> Yes. >> Go ahead and let us know what you're doing. >> Thank you for giving me that opportunity. Yeah super, super excited about, so we've been selected as one of the top 10 finalists for the RSA Innovation Sandbox. As you mentioned in your opening, RSA is the biggest security trade show in the world. And so now this has become the most seminal way of highlighting innovative work being done in the security industry. So I get three minutes to pitch ShiftLeft in front of an audience of about 1,500 to 2,000 people. Really looking forward to that. >> Well I dunno if you can speed this up to only three minutes (laughing) but I'm sure you'll be able to nail it. >> I will try. >> Alright well Manish, thanks for taking a few minutes of your day and I'm sure we'll see you in San Francisco next week. >> Thank you very much, thank you. >> Alright, It's Manish, I'm Jeff. You're watching theCUBE. We're having a CUBE Conversation in our Palo Alto studios. Thanks for watchin' and we'll see ya next time. (upbeat music)

>> Live from London, England, it's theCUBE covering .NEXT Conference Europe 2018 brought to you by Nutanix. >> Welcome back to theCUBE's coverage of Nutanix's .NEXT 2018 here in London, England. I'm Stu Miniman, my co-host is Joep Piscaer. 3500 here in attendance. Actually in the closing keynote, we just listened to Dr. Jane Goodall talk about her life's work, her next, where she's going. Really powerful content here to help round out what we're doing. We're actually really thrilled to have as our penultimate guest to the program Chetan Conikee who is the founder and CTO of ShiftLeft.io, a customer of Nutanix based out in San Francisco. Thanks so much for joining us. >> Thank you very much for having me Stu and Joep, pleasure. >> So Chetan, ShiftLeft.io, tell us a little bit about that. We love to hear from founders. What was the why, what did you see out there? What were you looking to do and then we'll get into it from there. >> Absolutely. We founded ShiftLeft back in December 2016. ShiftLeft is a venture-backed application security company. I co-founded ShiftLeft with the Chief Products Officer of FireEye and one of the core architects at Google. So our reason and emphasis to build out the security company was to essentially make security relevant to what they call as cloud-native applications. So ShiftLeft by virtue of the word meaning shift security to the left is bring securities awareness to the early stages of the software development lifecycle. As engineers write code, we have built a system that in a matter of minutes converts code to a graph, a graph akin to a social network. Almost like a social network graph except that it's connecting all the functions and variables in your code that represent the application. Now using that graph, we extract vulnerabilities that might exist in the code. Now as we know, engineers are focused on velocity, developing software and servicing their customers. So often security gets left behind, which is why we have built this autonomous agent that takes the data that we extracted during coding and protect the application in Runtime from imminent threats. >> Okay, we could spend an hour talking about this. Security is one of the hottest spaces, one of the biggest challenges in kind of modernizing this multi-cloud era, cloud-native absolutely. Maybe you'll be at theCUBE Con show in a couple weeks. We can talk even more about that because oh boy, so much to go there but you're a startup and what brings you to Nutanix is I guess the question. Come on, cloud-native, you should be born in the cloud. You're venture-backed, they probably don't want you spending lots of money on infrastructure. So maybe connect the dots with us as to how you ended up with Nutanix. >> Absolutely. The core ethos of ShiftLeft is observing, observing threats in real time and observing vulnerabilities that might exist in code. Observing means we have to make sure that our own infrastructure is protected from threats and at the same time we provide a high accessibility to our customers. Which means that we have to observe our own infrastructure which is why we subscribed early on to a Nutanix product called Epoch. Because the core essence of Epoch is to provide observability to infrastructure. Our infrastructure is very complex because every time engineers write code and commit code into GitHub or any other so-called management system, we react to that and at the same time if any threats are applied, when they deploy that code in production, we react to that as well. So it is important for us to maintain our uptime which is why we use Epoch to continuously observe our system for faults or any threats applied upon our own system and Epoch provides us that service, that service because our infrastructure is very complex. It is comprised of at least about 80 to 100 micro-services deployed in a cloud-native infrastructure. Now all these micro-services are working in concert with each other every time it receives an event, an event of a code check-in from a customer's ecosystem or any threats applied to our customers' infrastructure deployed in their private data centers or their cloud infrastructures. >> So let me get this right. You're a Nutanix customer but I'm guessing you're not the typical customer, right? You are not running their appliance in the data center but you're using different products. So I hear you mentioned Epoch which is observability. So that gives you insight into the system you are running. But to clarify, you're not running Nutanix in your data center? >> Absolutely, we are a cloud-native company. Our infrastructure entirely runs on Masels and Kubernetes which is deployed on AWS, Azure and GCP. So we are a multi-hybrid cloud ecosystem and Nutanix Epoch product is agnostic of the servers because it's a software-defined product that enables us to place hooks in the appropriate places of our software-defined or our software stack and then provide us the necessary observability. Observability from the perspective of latency, throughput or essentially any impact induced upon our infrastructure. >> So you are using it to monitor the sort of applications you're running in micro-services. So this is not even about infrastructure monitoring. This is about your application, it's uptime, error rates, thresholds, stuff like that. >> Absolutely because our system is comprised of a dense micro-service mesh which means that if one micro-service is down, it impacts a set of other micro-services which in turn impacts the customer as well. So what we do is try to identify cause and effect, correlate events and understand this dense and complex infrastructure. Nutanix Epoch has this cloud map feature that enabled us to dynamically plot the entire map of our infrastructure. This is almost akin to Google Maps because you can plot a from and to destination but upon that you might have traffic contention, accidents, tolls and everything else you can think of. So this is a similar situation with very dense and complex infrastructure as well, meaning if one service is down, it has this ripple side effect on other services as well. >> Yeah, I'm actually glad we got to interview you towards the end of our coverage here because one of the things we've been looking at is Nutanix has gone from basically two products to now they have a much broader portfolio. Some of those have been organically and some have been through acquisition. So Epoch which I believe is now under the Xi family, so Xi Epoch, I interviewed back in New Orleans, it was Netsil, Netsil came in through the acquisition. So I believe you've been using it since it was Netsil. >> Absolutely. >> What have you seen? I love kinda your outside viewpoint as to what's that meant to the product? Besides being renamed, what's the same, what's different and how do you see that impacting Epoch going forward? >> Absolutely, great question. For the most part the core product hasn't changed as much. The vision has always been carried on from what it used to be to what it is today. But the product has improved significantly. The user experience has improved significantly and now what they have is the foundation of Nutanix which is critical because there are various other product lines in Nutanix that can serve us better as well along with Epoch and we are looking forward to understanding what Beam is, what X-Ray is and there are various other product lines along with what we are already using at this point. >> Great, so I'm curious your experience here at the show. What brought you to the show? What conversations have you been having with your peers? We talked to Nutanix about what they're doing with the developers and about the cloud native space. How are they doing? You live in that space. How has Nutanix positioned themselves? >> Absolutely, I've been tracking Dheeraj and his crew for quite some time. I think they're doing a phenomenal job moving up the stack because eventually, being cloud native is critical at this point given that the majority of the new SMBs and SMEs are deploying in the cloud. So if Nutanix joins that bandwagon, it makes it relatively easy for Enterprise customers who have deployed in their own private data centers to cloud burst into Nutanix Enterprise Cloud. So over the past two days, the energy has been amazing. I presented with the Epoch crew and we got an amazing response, got to listen to customers. Their curiosity to adopting Epoch, given that they have been using Nutanix and also bursting into cloud native ecosystems as well which is why they want to understand and observe how their workloads are performing in the cloud. So very excited and looking forward to the future for the most part. >> So looking at your product, you deliver it, as I said service. You have software developers that develop that software and based on the announcements Nutanix has made in the last couple of days with Carbon and being able to develop cloud native apps, will that impact how you develop software or how you look at Nutanix as a partner for your company? >> We are growing at a very steady state and given that our core focus is security, some of our customers are on Wall Street which means that they have to ensure that they are deploying or subscribing to a service that has guarantees of its uptime and also that data is effectively protected. So we have commenced our journey as a cloud native company but that shouldn't impede us from moving into a private data center as well because our software fabric can be deployed both in a cloud native ecosystem and also on a private DC as well. So we're looking forward to working with Nutanix as a partner in the future as well if the opportunity permits. >> Yeah, so with the little time we have left, I want to get your viewpoint, talk to us about the security environment today. I'm an infrastructure guy by background and lived through, you've talked about virtualization. Been watching the containerization space, IOT greater increasing the surface area of everything. I know serverless is a whole can of worms as to how that fits in. So as we look to 2019 and going forward, what excites you and what worries you about the security space? >> What excites me is that, you know the surface is essentially getting abstracted. Back almost two decades ago, we were dealing with deploying in physical data centers on physical hosts. That transcended to VMs and then moved to Docker Unikernels and now we are speaking serverless. So in relatively, maybe in a click of a button or a single script, someone can deploy an application and that application can be scaled in a matter of minutes or seconds. So that's very exciting but what worries me is also that with the velocity and complexity, the risk is also getting amplified which means that applications are the target du jour. Applications were always the target du jour and they will continue to be as well because as engineers code even more faster, they will essentially always leave security behind. So it is important to understand the attack surface of the application because if we examine most of the recent attacks like Struts Equifax, the application was compromised and then the attacker laterally moved from host to host until they acquired or hit that asset, which is the data. So it is important to write secure software from the get-go and at the same time it is important to observe how a threat imposed by an adversarial entity correlates to a vulnerability. Which means that we have to be upfront and always observe our security from the very beginning of the software development lifecycle. So it equally excites me and worries me, which is why we decided to found ShiftLeft. >> All right, really appreciate getting to hear about ShiftLeft and your journey and what you're doing with Epoch, so thanks so much for joining us. >> Absolutely. >> And thank you for joining us. We'll be back with more coverage here from Butanix .NEXT 2018 in London, England. Thanks for watching theCUBE. >> Thank you. (up tempo electronic tones) >> Hi I'm John Walls, I've been with theCUBE for a couple of years serving as a host here on our broadcast, our flagship broadcast on SiliconANGLE TV. I like to think about the how's and the why's and the what's of technology. How does it work, why does it matter? What is it doing for end users? When I think about what theCUBE does and what it means, to me it's an off the chart benefit. The value is just immense because when theCUBE shows up, it puts a stamp of approval on your event that says man, you've arrived. I know you can't be everywhere. You'd like to be but what theCUBE--