(electronic music) >> Hello everybody, welcome back to Boston. This is Dave Vellante and you're watching theCUBE's continuous coverage of AWS re:Inforce 2022. We're here at the convention center in Boston where theCUBE got started in May of 2010. I'm really excited. Lena Smart is here, she's the chief information security officer at MongoDB rocket ship company We covered MongoDB World earlier this year, June, down in New York. Lena, thanks for coming to theCUBE. >> Thank you for having me. >> You're very welcome, I enjoyed your keynote yesterday. You had a big audience, I mean, this is a big deal. >> Yeah. >> This is the cloud security conference, AWS, putting its mark in the sand back in 2019. Of course, a couple of years of virtual, now back in Boston. You talked in your keynote about security, how it used to be an afterthought, used to be the responsibility of a small group of people. >> Yeah. >> You know, it used to be a bolt on. >> Yep. >> That's changed dramatically and that change has really accelerated through the pandemic. >> Yep. >> Just describe that change from your perspective. >> So when I started at MongoDB about three and a half years ago, we had a very strong security program, but it wasn't under one person. So I was their first CISO that they employed. And I brought together people who were already doing security and we employed people from outside the company as well. The person that I employed as my deputy is actually a third time returnee, I guess? So he's worked for, MongoDB be twice before, his name is Chris Sandalo, and having someone of that stature in the company is really helpful to build the security culture that I wanted. That's why I really wanted Chris to come back. He's technically brilliant, but he also knew all the people who'd been there for a while and having that person as a trusted second in command really, really helped me grow the team very quickly. I've already got a reputation as a strong female leader. He had a reputation as a strong technical leader. So us combined is like indestructible, we we're a great team. >> Is your scope of responsibility, obviously you're protecting Mongo, >> Yeah. >> How much of your role extends into the product? >> So we have a product security team that report into Sahir Azam, our chief product officer. I think you even spoke to him. >> Yeah, he's amazing. >> He's awesome, isn't he? He's just fabulous. And so his team, they've got security experts on our product side who are really kind of the customer facing. I'm also to a certain extent customer facing, but the product folks are the absolute experts. They will listen to what our customers need, what they want, and together we can then work out and translate that. I'm also responsible for governance risk and compliance. So there's a large portion of our customers that give us input via that program too. So there's a lot of avenues to allow us to facilitate change in the security field. And I think that's really important. We have to listen to what our customers want, but also internally. You know, what our internal groups need as well to help them grow. >> I remember last year, Re:invent 2021, I was watching a talk on security. It was the, I forget his name, but it was the individual who responsible for data center security. And one of the things he said was, you know, look it's not at the end of the day, the technology's important but it's not the technology. It's how you apply the tools and the practices and the culture- >> Right. That you build in the organization that will ultimately determine how successful you are at decreasing the ROI for the bad guys. >> Yes. >> Let's put it that way. So talk about the challenges of building that culture, how you go about that, and how you sustain that cultural aspect. >> So, I think having the security champion program, so that's just, it's like one of my babies, that and helping underrepresented groups in MongoDB kind of get on in the tech world are both really important to me. And so the security champion program is purely voluntary. We have over a hundred members. And these are people, there's no bar to join. You don't have to be technical. If you're an executive assistant who wants to learn more about security, like my assistant does, you're more than welcome. Up to, we actually people grade themselves, when they join us, we give them a little tick box. Like five is, I walk in security water. One is, I can spell security but I'd like to learn more. Mixing those groups together has been game changing for us. We now have over a hundred people who volunteer their time, with their supervisors permission, they help us with their phishing campaigns, testing AWS tool sets, testing things like queryable encryption. I mean, we have people who have such an in-depth knowledge in other areas of the business that I could never learn, no matter how much time I had. And so to have them- And we have people from product as security champions as well, and security, and legal, and HR, and every department is recognized. And I think almost every geographical location is also recognized. So just to have that scope and depth of people with long tenure in the company, technically brilliant, really want to understand how they can apply the cultural values that we live with each day to make our security program stronger. As I say, that's been a game changer for us. We use it as a feeder program. So we've had five people transfer from other departments into the security and GRC teams through this Champions program. >> Makes a lot of sense. You take somebody who walks on water in security, mix them with somebody who really doesn't know a lot about it but wants to learn and then can ask really basic questions, and then the experts can actually understand better how to communicate. >> Absolutely. >> To that you know that 101 level. >> It's absolutely true. Like my mom lives in her iPad. She worships her iPad. Unfortunately she thinks everything on it is true. And so for me to try and dumb it down, and she's not a dumb person, but for me to try and dumb down the message of most of it's rubbish, mom, Facebook is made up. It's just people telling stories. For me to try and get that over to- So she's a one, and I might be a five, that's hard. That's really hard. And so that's what we're doing in the office as well. It's like, if you can explain to my mother how not everything on the internet is true, we're golden. >> My mom, rest her soul, when she first got a- we got her a Macintosh, this was years and years and years ago, and we were trying to train her over the phone, and said, mom, just grab the mouse. And she's like, I don't like mice. (Lena laughs) There you go. I know, I know, Lena, what that's like. Years ago, it was early last decade, we started to think about, wow, security really has to become a board level item. >> Yeah. >> And it really wasn't- 2010, you know, for certain companies. But really, and so I had the pleasure of interviewing Dr. Robert Gates, who was the defense secretary. >> Yes. >> We had this conversation, and he sits on a number, or sat on a number of boards, probably still does, but he was adamant. Oh, absolutely. Here's how you know, here. This is the criticality. Now it's totally changed. >> Right. >> I mean, it's now a board level item. But how do you communicate to the C-Suite, the board? How often do you do that? What do you recommend is the right regime? And I know there's not any perfect- there's got to be situational, but how do you approach it? >> So I am extremely lucky. We have a very technical board. Our chairman of the board is Tom Killalea. You know, Amazon alum, I mean, just genius. And he, and the rest of the board, it's not like a normal board. Like I actually have the meeting on this coming Monday. So this weekend will be me reading as much stuff as I possibly can, trying to work out what questions they're going to ask me. And it's never a gotcha kind of thing. I've been at board meetings before where you almost feel personally attacked and that's not a good thing. Where, at MongoDB, you can see they genuinely want us to grow and mature. And so I actually meet with our board four times a year, just for security. So we set up our own security meeting just with board members who are specifically interested in security, which is all of them. And so this is actually off cadence. So I actually get their attention for at least an hour once a quarter, which is almost unheard of. And we actually use the AWS memo format. People have a chance to comment and read prior to the meeting. So they know what we're going to talk about and we know what their concerns are. And so you're not going in like, oh my gosh, what what's going to happen for this hour? We come prepared. We have statistics. We can show them where we're growing. We can show them where we need more growth and maturity. And I think having that level of just development of programs, but also the ear of the board has has helped me mature my role 10 times. And then also we have the chance to ask them, well what are your other CISOs doing? You know, they're members of other boards. So I can say to Dave, for example, you know, what's so-and-so doing at Datadog? Or Tom Killelea, what's the CISO of Capital One doing? And they help me make a lot of those connections as well. I mean, the CISO world is small and me being a female in the world with a Scottish accent, I'm probably more memorable than most. So it's like, oh yeah, that's the Irish girl. Yeah. She's Scottish, thank you. But they remember me and I can use that. And so just having all those mentors from the board level down, and obviously Dev is a huge, huge fan of security and GRC. It's no longer that box ticking exercise that I used to feel security was, you know, if you heated your SOC2 type two in FinTech, oh, you were good to go. You know, if you did a HERC set for the power industry. All right, right. You know, we can move on now. It's not that anymore. >> Right. It's every single day. >> Yeah. Of course. Dev is Dev at the Chario. Dev spelled D E V. I spell Dave differently. My Dave. But, Lena, it sounds like you present a combination of metrics, so, the board, you feel like that's appropriate to dig into the metrics. But also I'm presuming you're talking strategy, potentially, you know, gaps- >> Road roadmaps, the whole nine yards. Yep. >> What's the, you know, I look at the budget scenario. At the macro level, CIOs have told us, they came into the year saying, hey we're going to grow spending at the macro, around eight percent, eight and a half percent. That's dialed down a little bit post Ukraine and the whole recession and Fed tightening. So now they're down maybe around six percent. So not dramatically lower, but still. And they tell us security is still the number one priority. >> Yes. >> That's been the case for many, many quarters, and actually years, but you don't have an unlimited budget. >> Sure >> Right. It's not like, oh, here is an open checkbook. >> Right. >> Lena, so, how does Mongo balance that with the other priorities in the organization, obviously, you know, you got to spend money on product, you got to spend money and go to market. What's the climate like now, is it, you know continuing on in 2022 despite some of the macro concerns? Is it maybe tapping the brakes? What's the general sentiment? >> We would never tap the breaks. I mean, this is something that's- So my other half works in the finance industry still. So we have, you know, interesting discussions when it comes to geopolitics and financial politics and you know, Dev, the chairman of the board, all very technical people, get that security is going to be taken advantage of if we're seeing to be tapping the brakes. So it does kind of worry me when I hear other people are saying, oh, we're, you know, we're cutting back our budget. We are not. That being said, you also have to be fiscally responsible. I'm Scottish, we're cheap, really frugal with money. And so I always tell my team: treat this money as if it's your own. As if it's my money. And so when we're buying tool sets, I want to make sure that I'm talking to the CISO, or the CISO of the company that's supplying it, and saying are you giving me the really the best value? You know, how can we maybe even partner with you as a database platform? How could we partner with you, X company, to, you know, maybe we'll give you credits on our platform. If you look to moving to us and then we could have a partnership, and I mean, that's how some of this stuff builds, and so I've been pretty good at doing that. I enjoy doing that. But then also just in terms of being fiscally responsible, yeah, I get it. There's CISOs who have every tool that's out there because it's shiny and it's new and they know the board is never going to say no, but at some point, people will get wise to that and be like, I think we need a new CISO. So it's not like we're going to stop spending it. So we're going to get someone who actually knows how to budget and get us what the best value for money. And so that's always been my view is we're always going to be financed. We're always going to be financed well. But I need to keep showing that value for money. And we do that every board meeting, every Monday when I meet with my boss. I mean, I report to the CFO but I've got a dotted line to the CTO. So I'm, you know, I'm one of the few people at this level that's got my feet in both camps. You know budgets are talked at Dev's level. So, you know, it's really important that we get the spend right. >> And that value is essentially, as I was kind of alluding to before, it's decreasing the value equation for the hackers, for the adversary. >> Hopefully, yes. >> Right? Who's the- of course they're increasingly sophisticated. I want to ask you about your relationship with AWS in this context. It feels like, when I look around here, I think back to 2019, there was a lot of talk about the shared responsibility model. >> Yes. >> You know, AWS likes to educate people and back then it was like, okay, hey, by the way, you know you got to, you know, configure the S3 bucket properly. And then, oh, by the way, there's more than just, it's not just binary. >> Right, right. >> There's other factors involved. The application access and identity and things like that, et cetera, et cetera. So that was all kind of cool. But I feel like the cloud is becoming the first line of defense for the CISO but because of the shared responsibility model, CISO is now the second line of defense >> Yes. Does that change your role? Does it make it less complicated in a way? Maybe, you know, more complicated because you now got to get your DevSecOps team? The developers are now much more involved in security? How is that shifting, specifically in the context of your relationship with AWS? >> It's honestly not been that much of a shift. I mean, these guys are very proactive when it comes to where we are from the security standpoint. They listen to their customers as much as we do. So when we sit down with them, when I meet with Steve Schmidt or CJ or you know, our account manager, its not a conversation that's a surprise to me when I tell them this is what we need. They're like, yep, we're on that already. And so I think that relationship has been very proactive rather than reactive. And then in terms of MongoDB, as a tech company, security is always at the forefront. So it's not been a huge lift for me. It's really just been my time that I've taken to understand where DevSecOps is coming from. And you know, how far are we shifting left? Are we actually shifting right now? It's like, you know, get the balance, right? You can't be too much to one side. But I think in terms of where we're teaching the developers, you know, we are a company by developers for developers. So, we get it, we understand where they're coming from, and we try and be as proactive as AWS is. >> When you obviously the SolarWinds hack was a a major mile- I think in security, there's always something in the headlines- >> Yes. But when you think of things like, you know, Stuxnet, you know, Log4J, obviously Solarwinds and the whole supply chain infiltration and the bill of materials. As I said before, the adversary is extremely capable and sophisticated and you know, much more automated. It's always been automated attacks, but you know island hopping and infiltrating and self-forming malware and really sophisticated techniques. >> Yep. >> How are you thinking about that supply chain, bill of materials from inside Mongo and ultimately externally to your customers? >> So you've picked on my third favorite topic to talk about. So I came from the power industry before, so I've got a lot of experience with critical infrastructure. And that was really, I think, where a lot of the supply chain management rules and regulations came from. If you're building a turbine and the steel's coming from China, we would send people to China to make sure that the steel we were buying was the steel we were using. And so that became the H bomb. The hardware bill of materials, bad name. But, you know, we remember what it stood for. And then fast forward: President Biden's executive order. SBOs front and center, cloud first front and center. It's like, this is perfect. And so I was actually- I actually moderated a panel earlier this year at Homeland Security Week in DC, where we had a sneak CISA, So Dr. Allen Friedman from CISA, and also Patrick Weir from OWASP for the framework, CISA for the framework as well, and just the general guidance, and Snake for the front end. That was where my head was going. And MongoDB is the back-end database. And what we've done is we've taken our work with Snake and we now have a proof of concept for SBOs. And so I'm now trying to kind of package that, if you like, as a program and get the word out that SBOs shouldn't be something to be afraid of. If you want to do business with the government you're going to have to create one. We are offering a secure repository to store that data, the government could have access to that repository and see that data. So there's one source of truth. And so I think SBOs is going to be really interesting. I know that, you know, some of my peers are like, oh, it's just another box to tick. And I think it's more than that. I definitely- I've just, there's something percolating in the back of my mind that this is going to be big and we're going to be able to use it to hopefully not stop things like another Log4j, there's always going to be another Log4j, we know that. we don't know everything, the unknown unknown, but at least if we're prepared to go find stuff quicker than we were then before Log4j, I think having SBOs on hand, having that one source of truth, that one repository, I think is going to make it so much easier to find those things. >> Last question, what's the CISO's number one challenge? Either yours or the CISO, generally. >> Keeping up with the fire hose that is security. Like, what do you pick tomorrow? And if you pick the wrong thing, what's the impact? So that's why I'm always networking and talking to my peers. And, you know, we're sometimes like meerkats, you know. there's meerkats, you see like this, it's like, what do we talk about? But there's always something to talk about. And you just have to learn and keep learning. >> Last question, part B. As a hot technology company, that's, you know, rising star, you know not withstanding the tech lash and the stock market- >> Yeah. >> But Mongo's growing, you know, wonderfully. Do you find it easier to attract talent? Like many CISOs will say, you know, lack of talent is my biggest, biggest challenge. Do you find that that's not the challenge for you? >> Not at all. I think on two fronts, one, we have the champions program. So we've got a whole internal ecosystem who love working there. So the minute one of my jobs goes on the board, they get first dibs at it. So they'd already phoning their friends. So we've got, you know, there's ripple effects out from over a hundred people internally. You know, I think just having that, that's been a game changer. >> I was so looking forward to interviewing you, Lena, thanks so much for coming. >> Thank you, this was a pleasure. >> It was really great to have you. >> Thank you so much. Thank you. >> You're really welcome. All right, keep it right there. This is Dave Villante for theCUBE. We'll be right back at AWS Re:inforce22 right after this short break.

>>Hello everyone. And welcome to the cubes presentation of the AWS startup showcase open cloud innovations. This is season two episode one of our showcase ongoing series. We're covering very exciting startups from the AWS ecosystem. And we're going to be talking about the open source community. I'm your host, Lisa Martin. And today I'm excited to be joined by Robbie, Myra, the head of product and partner marketing at sneak. Robbie's here to talk with me about developer security for your digital transformation. Robbie, it's great to have you on the cube. >>Thanks Lisa. Nice to be here. >>So talk to me about what's going on in developer land. They're under a lot of pressure. A lot of them are building apps with open source, but what does sneak seeing from the developers lens >>From the developer's lens? There's a lot of pressure to build fast and that's probably the biggest challenge, right? We're in a world of digital transformation where everybody's trying to compete no matter what industry you're in, right on the technology and on the quality of your software or the capabilities of your software, which puts a lot of pressure on developers to build fast. That causes them to do a few things. One, it causes them to build, to develop in a way where they're doing constant iteration and so models that would have enabled a security check to come in at the end, aren't working anymore because they don't have time for those security checks. And it also causes them to do a good thing, which is to leverage other people's code when they can like open source. So they can just focus on, on their own functionality. And that's true, whether they're building new functionality or modernizing legacy applications by moving them to the cloud. >>So it's a high percentage of, of app code 80 to 90% is open source. Then that opens up. Talk to me about w where the vulnerabilities are and how you guys help customers and developers address that. >>Yeah, the vulnerabilities can be anywhere, but the key is that that point, right? If you're using open source in a typical application, 80 to 90 plus percent of the lines of code in that application are going to be open source code, their code. Somebody else wrote that you don't have a direct relationship with, and yet you own the risk that whatever they may have, whatever vulnerabilities may be in their code, you now own that risk. So what we're trying to do with sneakers, trying to do is enable developers to leverage open source, but do that securely. And then we also help them with the 10% that they rent as well, and, and do that all in one really easy environment for a developer that fits into their workflow and into their daily life. >>So security should shift left. I've had the chance to talk with a couple of, do you call them sneakers sneakers? Oh, you do a couple of sneakers recently. We've talked about security shifting lab. That's not a new concept, but I'd love to dig in more to how sneak and AWS do that. And I'm also curious if what you're doing helps. We've talked about the cybersecurity skills got for a long time. Now, just what you guys do, help address that >>It does because it's really leveraging a resource that, that is there, right? There's the number of developers worldwide is growing from, depending on who you believe for these numbers and their estimated numbers, right? But 25 million to 50 million over roughly a five-year period that's already started. So we're somewhere in the 30 now, right? Meanwhile, the security jobs, there's something like 9 million cyber security people in the world, and that's all cyber security roles. It's a much shorter, a smaller chunk that are application security folks. And there's three and a half million unfilled cybersecurity roles. So you can't get cyber security people and keep using the current model you're using. But just scale it linearly, you have to change things. And sneaks belief is the way you change things is you have the developers be part of your security solution, which means they need to have the ability to not only develop, but to develop securely. And that's our concept of developer security. We build tools and a platform that enables developers to be the first part of the security solution and enable security teams rather than individually auditing and fixing things to develop a process, govern the process, guide the development teams, but let the developers own that first step of security. And that's really how you solve that scale problem. >>When you're talking with customers, is this kind of a better together scenario, developers and security folks? Are you helping them align culturally because this is a change? >>Absolutely. I think one of the biggest misconceptions out there is that there's a tension between security and development. And I think that's because organizationally there might be right. Security is responsible for risk and developers responsible for speed of innovation and the faster you innovate, potentially there's more risk. So there might be some organizational tension, but at the human level, people understand each other, they understand the pressures that the other one's going through. They just don't have an easy way to work together. And if you can help them get that, then they, it really takes off it. The relationships form they'll build human to human programs like security champion programs and things to, to integrate the teams because they're both going after the same goal, both sides want to build awesome technology and grow in whatever market they're in. >>Right. And of course, with the need to do that at today's markets speed and scale is a great thing that you guys are doing to facilitate that collaboration. And of course the security let's kind of take a double-click now into the different integrations that sneek has with AWS services. I know there's quite a few, >>There's quite a few. The biggest one, probably the easiest one for the integrations is the native integration that we have with code pipeline. So it makes it easy for developers as they're finishing their builds and deploying to have an automatic security check that comes in, understands if there's things that need to be fixed before this really should be released, and then they can fix it and go forward. But we integrate across with our API across a lot of other services, ECR EKS code builder, so that wherever the developer is working, there's a way for us to integrate with them as they're building across their AWS development process. >>Okay. So giving them plenty of opportunity, let's dig into the platform. Talk to me about the platform, how it's really aimed at developers. You alluded to this a little bit, but I'd like to kind of take a double-click into the technology. >>Sure. That the platform, it, part of it is that idea of it we've wrapped it all as a developer tool. But the thing that makes sneak unique in this is not only we have the idea that we wanted to shift left in time, but we wanted to shift left in ownership. So the developers are primary user and we built a tool that is a developer tool that happens to do security. And we've extended that tool into a platform by enabling it to connect into the developers tools, sharing information, across different elements of what it securing. So for example, the open source that we're scanning for you and testing to find for vulnerabilities, we're also looking at the vulnerabilities in your code and where they may overlap or intersect. We can adjust priorities so that you might not need to fix something. Let's say you're using an open source, vulnerable, a package that has a vulnerability, but your code is never going to access that you don't need to fix it. >>So you can prioritize that one lower, right? Same thing with Kubernetes and containers. You may have a container vulnerability, but the way you're going to leverage the container that won't be used so we can adjust the priority to make it easy for the developer. And that's the other big thing that's different about a developer security platform than a typical security tool. A typical security tool is an audit tool it's designed to output. Here are all the things you have a problem with a developer security tool is a fixing tool. It's just defined as a, here are the problems you have developed with here's how you fix it and go back to building on that. That prioritization is a big part of that, because you can say, here's what you don't need to worry about. And then you can focus the rest of your energy on helping developers fix the problem either by giving them really good advice or automating it for them and saying, Hey, here's a button click that will generate a pull request. And your problem is this fixed. >>It must go a long way to improving developer productivity, one facilitating that speed and the agility with which they need to work, but also from a developer kind of crowd sourcing, crowd swell perspective. I imagine, talk to me about what some of the voices are, the developers that are in your community. What are some of the things that they're saying in terms of how much faster they're able to work, they're able to get those priorities established with automation so much faster? >>Well, that's the biggest thing. Is there a, the productivity gain happens because of the benefit of shift left, right? You're testing earlier. You're finding it at an earlier time when it's easier to fix, but that's because they're the ones doing it, right. If they're waiting to hand off to an auto report and then it comes back, even if somebody is, is giving them them audit faster, it's still after they've moved on. And the other way people try to solve it as well. They'll say, well, I'll take a security tool then to hand it to the developer and they can run it. But so developers are not security experts. So the tool needs to understand what they know and what they don't know, and, and working in an upload. And that's what developers generally say to us because sneak makes it easy to work, but also focuses on the fix and helps them guide them to that, to that answer. Then they're able to go much faster when we're evaluated by companies who are looking for a security solution. If the developers get involved in that evaluation, they'll choose sneak. >>So I'm curious a little bit about as, as the head of product marketing, I'm thinking customer advisory boards, things like that. What's the collaboration like between sneak and the developers to really tune and push the technology forward. I imagine it's quite collaborative, >>Quite collaborative and it's across a lot of, of spectrum. So we do have a customer advisory board and that's generally leaders, right? That's either security leaders or development leaders or operations leaders who are in that advisory board. And they're giving us input on things they need for program-wide governance or program wide adoption. We also have a developer community where we're talking directly to developers and that's where we get a lot of, Hey, here's how I could use this better as a developer. And that guides where we focus features that help developers work better, whether it's integrations with our IDs or whether it's the way we present information, help them prioritize. And then the third part is we have a lot of people using the tool because it has a free model, right? We're as a developer tool, we have a freemium model. There's a level of sneak that developers can use that they don't need to pay for. That's not a temporary trial, it's forever. If you want to use it at that level and we can observe what they're doing. So that observability gives us another insight into where folks get challenged run into, to struggles. And then we can look to address those in our roadmap as well. So, so all of that together really helps us drive the product forward. >>What is the perspective from the analyst view? You talked a little bit about the perspective from the customer. We'll get into a customer story in a bit, but I'd love to know what are the gardeners saying? >>Well, Gardner especially put us, we debuted in their magic quadrant for application security last year. And we did David as a visionary and sort of the highest part of the visionary quadrant you could get in before you crossed over into leader, which is kind of unheard of for a first time into the, into the quadrant. And the main reason for that is that they have built the way those, those magic quadrants are built is they have key capabilities and then they score companies against key capabilities and they weight those capabilities, you know, by order of importance. And Gardner has started to put some of this notion of developer security and cross cloud native application security into those key capabilities. And those tend to align really well with what sneakers. So they have a, for example, a software composition, which is sort of open source security analysis, where first, w w w where the top ranking in that, where the top ranking and container security, where the top ranking and developer enablement. So that's pulling us, they are so-so Gardner and the analyst community is seeing this same demand coming from their customers. And that's really aligning to where our vision is. >>And in terms of kind of propelling that vision forward, the voice of the customer, the voice of the analyst, aligning with what you guys are doing to kind of lead the vision going forward. I want to get into some of the intelligence before we kind of break into a customer example. Talk to me a little bit about snakes security intelligence, what the key capabilities are, and some customers that are leveraging it. Sure. >>The biggest thing is with all the developer tool wrapping that needs to be in this product than it is a developer tool. It's got a developers heart, but it has to have a security brain because it still is a security tool. There are some developer tools. We try to have little check the box capabilities of security and they'll crowdsource for vulnerabilities potentially. But if you're doing this, you need to make sure that all the vulnerabilities that could be found are in the database to be able to be found that the database is comprehensive, that it's timely. They get in very quickly that it's accurate. You don't waste time on false positives because that will turn developers off faster than anything. And that it's actionable. So when it does find something, it helps you go forward with it. And that's where sneaks really focused on. So we collect data from multiple public sources. >>We also have a fairly large proprietary research team that curates that information determines what needs to go in. Sometimes we'll adjust priorities. And we also get a lot of contributions from other sources like community contributions. Again, that big free user base of ours is giving us input academia. Open source groups are also in their social media trends. So if we see something trending on Twitter, then that'll not only get it into the database, but it'll drive prioritization. And that's a big part of what's in sneak Intel, which is the name we use for our vulnerability database. We also have a machine learning algorithm. That's constantly looking at all the code in public, in public applications and repositories. And we use that to train for our own proprietary code testing tool, but it also just gets a lot of it finds things there as well. So it brings a really good source of information that helps people make sure you're finding the vulnerabilities, you're prioritizing them correctly and fixing them. And so Amazon's one who is the, you know, one of the folks that using that tool where one of the primary sources of, of Amazon inspector for open source vulnerabilities, as well as a bunch of other security companies like rapid seven tenable and, and others. >>One of the things I was reading from, I'm always kind of looking at the differentiators and I'm sure you are as the head of product marketing and partner marketing, but it sounds like the database can, is, is a key differentiator finding vulnerabilities up to what is it? 46 days faster than competitors. >>Yeah. I mean, faster than especially public sources, which are the easier ones to, to know how you're doing against, but that's a big part of us. So when I talked about those categories, that's really what we measure ourselves against. How are we doing in terms of comprehensive? Do we have the vulnerabilities that we should have? So we have over four times the number of vulnerabilities as the next largest publicly available database, we find them faster, so timely. So that's at 46 days getting it in faster or faster than other public sources, they get into our solution and then accuracy. Again, we, it's not a stat we can test because you can't test it just from the database. You have to run the tools of our, of others in this space. And we don't have those, but making sure that you're not hitting a lot of false positives is a big part of it as well. >>Got it. Okay. And we only have a couple minutes left, but there's two more areas that I want to dig into with you just crack crack. The surface one is log four, shallow was reading. Snake says this. We were the perfect solution at the perfect time. Unpack that for me in the next minute or so. >>Yeah. And that's a bit, and it kind of wraps back to what we were talking about earlier. Everybody's using open source. If you're in the Java world, a lot of folks had logged for shell and we're using lock for shell for logging as a part of their, as a part of their applications. And so a lot of our customers, I think it was over 30%, 36% of our paying customers had the vulnerability. And you would only have the vulnerability of your Java. So it's a very large percentage of our Java using my customers had the vulnerability, but because they were using sneak, they were able, once we put it in the database, which we did the day, it was disclosed, they were able to find it and fix it very quickly. So 91% of our customers fixed that vulnerability in just two days, 98%, because this was a rolling thunder event, right. There was a vulnerability. And then there was a second vulnerability in the, in the fix. And then there was a vulnerability, even in the fix of that. So the second vulnerability that came out because everybody had been ready for it from the first time 98% picks within two days. Whereas the median number of days to generally fix a vulnerability is over two months. So really fast addressing the solution. >>So those are really impressive. And speaking of stats, I wanted to get into just really quickly a case study that really shows that lasting is one of your customer. One of your many customers, big developer community there about 3,500 developers. Give me some kind of the high level of business outcomes that at Lasagne is, is, is achieving thanks to sneaky. >>Yeah. I mean the biggest one is that almost 99% of their applications are deployed in containers. So being able to have the containers tested for vulnerabilities as they're being deployed before they're being deployed is huge for them to reduce the risk of a vulnerability. They, they had a 65% reduction in high severity container volumes a few months after using sneak across all those developers, which really reduces your, your risk profile of your, of your cloud native applications. They're obviously a big AWS user as well. So, so for them, that was the big thing. And again, it goes to that scale, right? They've got 3 3500 developers, more than 3,500 developers. If you try to go through the security team and have the security team fixing all those things, you'll just never catch up. >>Got it. Last question. Where can I get this available through the AWS market prays marketplace? You mentioned the freemium model, give folks kind of a direction on where to go. >>Yeah. So I would say if you are a, if you're someone in the security team, if you're a buyer, the AWS marketplace is a great place to go because you can probably leverage your existing spend commits with AWS. It's easy to purchase, easy billing, et cetera. If you're a developer, then there is this free version where you might go and just start using it and get comfort for it. And if you are a buyer, talk to your developers because there's a pretty good chance. Someone in your company, that's a developer is already using. Sneak will be comfortable with it. These solutions are only successful. If the developers actually use it, you can't shift left unless the developers pick it up and use it. So using the one that developers are already using is probably a good idea. >>Awesome. Robbie, this has been a great conversation, so much momentum at snake. You're the third sneaker I'd gotten to speak to you in the last month and I have, it's pretty exciting, but thanks for walking us through the technology, the capabilities, the differentiators, the voice of the customer, the voice of the analyst, we appreciate your insights and your time. And we look forward to next time we talk to you. >>Terrific. Lisa, I look forward to it as well, but there's a lot more Smith sneakers to go through before you get back to me again. I guess >>I look forward to adding to my repertoire of sneaker interviews, Ravi. Thanks so much. Thank you for Ravi Myra. I'm Lisa Martin. You're watching this cube interview as part of the AWS startup showcase. Stick around more great content coming up next.

(bright music) >> Welcome back to AWS re:Invent. You're watching theCUBE. And we're here with Steve Mullaney, who is the president and CEO of Aviatrix. Steve, I got to tell ya, great to see you man. >> We started the whole pandemic, last show we did was with you guys. >> Steve: Don't say we started, we didn't start it. (steve chuckles) >> Right, we kicked it off (all cross talking) >> It's going to be great. >> Our virtual coverage, that hybrid coverage that we did, how ironic? >> Steve: Yeah, was as the world was shutting down. >> So, great to see you face to face. >> Steve: Great to see you too. >> Wow, so you're two years in? >> Steve: Two and a half years yeah. >> Started, the company was standing start $2 billion valuation, raised a bunch of dough. >> Steve: Yeah. >> That's good, you got to feel good about that. >> We were 38 people, two and a half years ago, we're now 400. We had a couple million in ARR, we're now going to be over a 100 million next year, next calendar year, so significant growth. We just raised $200 million, three months ago at a $2 billion valuation. Now have 550 customers, 54 of them are fortune 500, when I started two and a half years ago, we didn't have any fortune 500s, we had probably about a 100 customers. So, massive growth, big growth (indistinct). >> Awesome, I got to ask you, I love to ask CEO's, entrepreneurs, how did you know when to scale? >> You just know it, when you see it. (indistinct) Yeah, there's no formula, you just know it and what you look for is that point where you say, okay, we've now proven the model and until you do that you minimize things and we actually just went through this. We had 12 sales teams, four months ago, we now have 50. 50, five zero and it's that step function as a company, you don't want to linearly grow 'cause you want to hold until you say, it's happening. And then once you say it's happening, okay, the dogs are eating the dog food, this is good then you flip the other way, and then you say, let's grow as fast as we possibly can and that's kind of the mode we're in right now. >> Okay, You've... >> You just know it when you see it. >> Other piece of that is how fast do you scale? And now you're sort of doing that step function as your going. >> Steve: We are going as fast as we possibly can. >> Wow, that's awesome, congratulations and I know you've got to long way to go. So okay, let's talk about the big trends that you're seeing that Aviatrix has taken advantage of, maybe explain a little bit about what you guys do. >> Yeah. So we are, what I like to call Multi- Cloud Native Networking and Network Security. So, if you think of... >> David: What is multicloud native? You got to explain that. >> I got to to explain that. Here's what's happened, it's happening and what I mean by it's happening is, enterprises at two and a half years ago, this is why I joined Aviatrix, all decided for the first time, we mean it now, we are going into Cloud 'cause before that they were just mouthing it. And they said, "We're going into the Cloud." And oh by the way, I knew two and a half years ago of course it was going to be multicloud, 'cause enterprises run workloads where they run best. That's what they do, it's sometimes it's AWS, sometimes it's ads or sometimes it's Google, it's of course going to be multicloud. And so from an enterprise perspective, they love the DevOps, they love the simplicity, the automation, the infrastructure is code, the Terraform, that Cloud operational model, because this is a business transformation, moving to Cloud is not a technology transformation it's the business. It's the CEO saying we are digitizing we have an existential threat to the survival of our company, I want to grow a market share, I want to be more competitive, we're doing this, stop laying across the tracks technology people, will run you over, we're doing this. And so when they do that as an enterprise, I'm BNY Mellon, I'm United Airlines, you name it, your favorite enterprise. I need the visibility and control from a networking and network security perspective like I used to have on-prem. Now I'm not going to do it in the horrible complex operational model the Cisco 1994 data center, do not bring that crap into my wonderful Cloud, so that ain't happening but, all I get from the Native constructs, I don't get enough of that visibility and control, it's a little bit of a black box, I don't get that. So where do I get the best of the Cloud from an operational model, but yet with the visibility and control that I need, that I used to have on-prem from networking network security, that's Aviatrix. And that's where people find us and so from a networking and network security, so that's why I call it multicloud Native because what we do is, create a layer basically an abstraction layer above all the different Clouds, we create one architecture for networking and network security with advanced services not basic services that run on AWS, Azure, Google, Oracle, Ali Cloud, Top Secret Clouds, GovClouds, you name it. And now the customer has one architecture, which is what enterprises want, I want one network, I want one network security architecture, not AWS Native, Azure Native, Google Native. >> David: Right. >> We leverage those native constructs, abstract it, and then provide a single common architecture with demand services, irrespective of what Cloud you're on. >> Dave, I've been saying this for a couple of years now, that Cloud Native... >> Does that make sense Dave? >> Absolutely. >> That abstraction layer, right? And I said, "The guys who do this, who figure this out are going to make a lot of dough." >> Yeah. >> Snowflakes obviously doing it. >> Yeah. >> You guys are doing it, it's the future. >> Yeah. >> And it's really an obvious construct when you look back at the world of call it Legacy IT for a moment... >> Steve: Yeah. >> Because did we have different networks to hookup different things in a data center? >> No, one network. >> One network of course. I don't care if the physical stack comes from Dell, HP or IBM. >> Steve: That's right, I want an attraction layer above that, yeah. >> Exactly. >> So the other thing that happens is, everybody and you'll understand this from being at Oracle, everybody wants to forget about the network. Network security, it's down in the bowels, it's like plumbing, electricity, it's just, it has to be there but people want to forget about it and so you see Datadog, you see Snowflake, you see HashiCorp going IPO in early December. Guess what? That next layer underneath that, I call it the horsemen of the multicloud infrastructure is networking and network security, that's going to be Aviatrix. >> Well, you guys make some announcements recently in that space, every company is a security company but you're really deep into it. >> Well, that's the interesting thing about it. So I said multicloud Native Networking and Network Security, it's integrated, so guess where network security is going to be done in the Cloud? In the network. >> David: Network. >> Yeah in the network. >> What a strange concept but guess what on-prem it's not, you deflect traffic to this thing called a firewall. Well, why was that? I was at Synoptics, I was at Cisco 'cause we didn't care about network security, so that's why firewall companies existed. >> Dave: Right. >> It should be integrated into the infrastructure. So now in the Cloud, your security posture is way worse than it was on-prem. You're connected to the internet by default so guess what? You want your network to do network security, so we announced two things in security; one, we're now a security competency partner for AWS, they do not give that out lightly. We were networks competency four years ago, we're now network security competency. One of the few that are both, they don't do that, that took us nine months of working with them to get there. And they only do that for the people that really are delivering value. And then what we just announced what we call, 'ThreatIQ with ThreatGuard.' So again, built into the network because we are the network, we understand the traffic, we're the control plane and the data plane, we see all traffic. We integrate into the network, we subscribe to threat databases, public databases, where we see what are the malicious IPS. If we have any traffic anywhere in your overall, and this is multicloud, not just AWS, every single Cloud, if we see that malicious traffic going some into IP guess what? It's probably BIT Mining, Bitcoin, crypto mining, it's probably some sort of data ex filtration. It could be some tour thing that you're connected to, whatever it is, you should not have traffic going. And so we do two things we alert and we show you where that all is and then with ThreatGuard, we actually will do a firewall rule right at that gateway, at that point that it's going out and immediately gone. >> You'll take the action. >> We'll take the action. >> Okay. >> And so every single customer, Dave and David, that we've shown this new capability to, it lights up like a Christmas tree. >> Yeah al bet. Okay, but now you've made some controversial statements... >> Steve: Which time? >> Okay, so you said Cisco, I think VMware... >> Dave: He's writing them down. >> I know but I can back it up. >> I think you said the risk, Cisco, VMware and Arista, they're not even in the Cloud conversation now. Arista, Jayshree Ullal is a business hero of mine, so I don't want to... >> Steve: Yeah, mine too. >> I don't want to interrogate her, she's awesome. >> Steve: Yeah. >> But what do you mean by that? Because can't Cisco come at this from their networking perspective and security and bring that in? What do you mean by they're not in the Cloud conversation? >> They're not in the conversation. >> David: Okay, defend that. >> And the reason is they were about four years ago. So when you're four years ago, you're moving into the Cloud, what's the first thing you do? I'm going to grab my CSR and I'm going to try to jam it in the Cloud. Guess what? The CSR doesn't even know it's in the Cloud, it's looking for ports, right? And so what happens is the operational model is horrendous, so all the Cloud people, it just is like oil and water, so they go, oh, that was horrendous. So no one's doing that, so what happens in the Cloud is they realize the number one thing is the Cloud operational model. I need that simplicity, I have to be a single Terraform provider, infrastructure is code. Where do I put my box with my wires? That's what the on-prem hardware people think. >> David: The selling ports your saying? >> The selling boxes. >> David: Yeah. >> And so they'll say, "Oh, we got us software version of it, it runs as a VM, it has no idea it's in the Cloud." It is not Cloud Native, I call that Cloud naive, they don't understand so then the model doesn't work. And so then they say, "Okay, I'm not going to do that." Then the only other thing they can do, is they look at the Cloud providers themselves and they say, "All right, I'm going to use Native constructs, what do you got?" And what happens basically is the Cloud providers say, "Well, we do everything and anything you'll ever need and networking and network security." And the customers, "Oh my God, it's fantastic." Then they try to use it and what they realize is you get very basic level services, and you get no visibility and control because they're a black box, you don't get to go in. How about troubleshooting, Packet Captures, simple things? How about security controls, performance traffic engineering, performance controls, visibility nothing, right? And so then they go, "Oh shit, I'm an enterprise, I'm not just some DevOps Danny three years ago, who was just spinning up workloads and didn't care about security." No, that was the Cloud three years ago. This is now United, BNY, Nike. This is like elite of elite. So when my VC was here, he said, "It's happening." That's what he meant, it's happening. Meaning enterprises, the dogs are eating the dog food and they need visibility and control, they cannot get it from the Cloud providers. >> It's happening in early days Dave. >> So Steve, we're going to stipulate that you can't jam this stuff into Cloud, but those dinosaurs are real and they're there. Explain how you... >> Steve: Well you called them dinosaurs not me but they're roaming the earth and they're going to run out of food pretty soon. (all laughing) The comet hit the earth. >> Hey, they're going to go down fighting. (all laughing) >> But the dinosaurs didn't all die the day after the comet hit the earth... >> Steve: That's right. >> They took awhile. >> Steve: They took a while. >> So, how are you going to saddle them up? That's the question because you're... >> Steve: It's over there walking dead, I don't need to do anything. >> Is it the captain Kirk to con, let them die. >> Steve: Yeah. >> Because you're in the Cloud, you're multicloud... >> Steve: Yeah. >> That's great, but 80% of my IT still on-prem and I still have Cisco switches. Isn't that just not your market or? >> When IBM and DEC did we have to do anything with IBM and DEC in the 90s, early 90s, when we created BC client server, IP architectures? No, they weren't in the conversation. >> David: Yeah. >> So, we dint compete with them, just like whatever they do on-prem, keep doing it, I wish you the best. >> But you need to integrate with them and play with them. >> Steve: No. >> Not at all? >> No, no we integrate, here is the thing that's going to happen, so to the on-prem people, it's all point of reference. They look at Cloud as off-prem, I'm going to take my operational model on-prem and I'm going to push it into the Cloud. And if I push it into multiple Clouds, they're going to call that multicloud, see we are multicloud. You're pushing your operational model into the Cloud. What's happening is Cloud has won, it won two and a half years ago with every enterprise. It's like a rock in the water. And what's going to happen is that operational model is moving out to the edge, it's moving to the branch, it's moving to the data center and it's moving into edge computing. That's what's happening... >> So outpost, so I put an outpost in my data center... >> Outpost looks like... >> Is that Aviatrix? >> Absolutely, we're going to get dragged with that... >> Dave: Okay, alright. >> Because we're the networking and network security provider, and as the company pushes out, that operational model is going to move out, not the existing on-prem OT, IT branch office then pushing in. And so, what's happening is you're coming at it from the wrong perspective. And this wave is just going to push over and so I'm just following behind this wave of AWS and Azure and Google. >> Here's the thing, you can do this and you don't have a bunch of legacy deductible debt... >> Steve: Yeah. >> So you can be Cloud Native, multicloud native, I think you called it? >> Steve: Yeah, yeah. >> I love it, you're building castles on the sand. >> Steve: Yeah. >> Jerry Chen's thing. >> Steve: Yeah. >> Now, the thing is, today's executives, they're not as naive as Ken Olsen, UNIX as, "Snake oil," who would need a PC, so they're not in denial. >> They're probably not in denial, yeah. >> Right, and so they have some resources, so the problem is they can't move as fast as you can. So, you're going to do really well. >> Steve: Yeah. >> I think they'll eventually get there Steve, but you're going to be, I don't know how many, four or five years ahead, that's a nice lead. >> That's a bet I'll take any day. >> David: Then what you don't think they'll ever get there? >> No, 10 years. (steve laughing) >> Okay, but they're not going out of business. >> No, I didn't say that. >> I know you didn't. >> What they're doing, I wish them all the best. >> Because a lot of their customers move... >> I don't compete with them. >> Yeah. We were out of time. >> Yeah. >> What did you mean by AWS is like Sandals? You mean like cool like Sandals? >> Steve: Oh, no, no, no. I don't want to... >> You mean like the vacation place? >> Have you ever been to Sandals? >> I never done it. What do you mean by that? >> There coming, there coming. Which version of sandals (indistinct)? (people cross talking) >> This is for an enterprise by the way, and look, Sandals is great for a lot of people but if you're a Cloud provider, you have to provide the common set of services for the masses because you need to make money. And oh, by the way, when you go to Sandals, go try it, like get a bottle of wine, they say, "We got red wine or white wine?" "Oh, great, what kind of red wine?" "No, red wine and it's in a box." And they hope that you won't know the difference. The problem is some people in enterprises want Four Seasons, so they want to be able to swipe the card and get a good bottle of wine. And so that's the thing with the Cloud, but the Cloud can't offer up a 200 bottle of wine to everybody. My mom loves box wine, so give her box wine. Where ISBs like us come in, is great but complimentary to the Cloud provider for that person who wants that nice bottle of wine because if AWS had to provide all this level of functionality for everybody, their instant sizes would be too big, >> Too much cost for that. (people cross talking) You're right on. And as long as you can innovate fast and stay ahead of that and keep adding value... >> Well, here's the thing, they're not going to do it for multicloud either though. >> David: I wouldn't trust them to do it with multicloud. >> No. >> David: I wouldn't. >> No enterprise would and I don't think they would ever do it anyway. >> That makes sense. Steve, we've got to go man. You're awesome, love to have you on theCUBE, come back anytime. >> Awesome, thank you. >> All right, keep it right there everybody. You're watching theCUBE, the leader in enterprise tech coverage. (bright music)