ESG & Apiiro: Modern Application Security Is Failing

Video transcript:

Dave Gruber: Welcome. I’m here today with Idan Plotnik from Apiiro, Co-Founder and CEO, and we’re going to talk a little bit about Application Security and some of the challenges that are happening today. First, Idan, congratulations on winning the RSAC 2021 Innovation Sandbox Award. You must be super excited. It’s both a huge accomplishment and it helps validate the track that you guys are on.

Idan Plotnik: Thank you. Thank you very much, Dave.

Dave Gruber: Hey, so software development is without a doubt a core driver of business growth today. You know, there’s a lot of talk about how digital transformation has accelerated quite dramatically throughout the pandemic times and through code reuse, open source, cloud platform advancements and other investments in DevOps. The dev teams are really hitting it out of the park right now and certainly delivering at a pace I never thought was going to be possible.

Idan Plotnik: So, yes, and even more, like the combination with cloud native development practices, where everything is code today. You don’t need to do manual work on your cloud workloads, or define IAM policy and configure the API gateways and deploy your code and change it in, you know, no time. And customers will get new features on a daily basis. This changed everything.

Dave Gruber: Yeah. So meantime, Application Security – more tools in use than ever before. Recent research that we did here at ESG said that 70 percent of organizations are using more than 10 Application Security tools. Twenty-seven percent use more than 20. Organizations are becoming fairly overwhelmed with the amount of potential risk that’s being surfaced from all these tools. And Application Security is just simply not keeping up with the cycle of development today.

Idan Plotnik: Absolutely. And let’s talk about, like – you have SAST and DAST and IAST and secret scanning and infrastructure-as-code scanning and threat model tools and orchestration tools. And the missing piece is context. What’s the business impact of this application? Is this a user-facing application or an internet-facing application? Are there money transfer modules in the application? Do they use third-party encryption or authorization mechanisms?

Dave Gruber: You’re making a really important point. I want to make sure our viewers get it here. So, there’s a big difference between exposing just more vulnerabilities across the entire code base versus focusing in on what is real risk, or what might have material risk on the organization. This is a different approach to thinking about Application Security, right?

Idan Plotnik: Totally different approach. And two years ago, my Co-Founder and I submitted a patent based on how to identify risky material changes, not only in code but in general, and focus your manpower and tools only on them. So if you have a funnel of so many changes, you don’t need to put all these changes through the same vulnerability or weakness scanning or compliance violation scanning. You need to narrow the funnel at the beginning based on these material changes and understand their risk in a multi-dimensional approach.

Dave Gruber: I love your analogy of a funnel, because that’s exactly what we’re talking about here. It’s like let’s not be focused on the things that we’re relatively sure there’s little to no risk associated with. And let’s get more focused on those areas of change where there’s material or significant potential risk for the organization overall. This funnel approach, this idea of narrowing and focusing on those risky areas is what changes the model.

Idan Plotnik: This will change the industry. You need to identify these risky areas automatically. Then, you need to identify what is a material change versus a non-material change. Then, you need an adaptive governance that will automatically validate and ensure that you implemented the proper security controls. And only then, when you have a smaller amount of changes in your funnel, only then run your vulnerability scanning tools. I want to give you just one more example, ok, which is very, very concrete, from one of our customers that is using a large SAST vendor. By defining a simple governance rule in Apiiro and saying: I want to show vulnerabilities to the developers only on high business impact applications, in internet-facing APIs that expose PII data. Only then, if this SAST tool finds a vulnerability on this API, I want the developer to see it in the pull request. And this is a true shift left.

Dave Gruber: I love this. So let’s make it clear, though: we’re not talking about orchestration. That’s different. In fact, you’re not talking about throwing all the tools away either, which I think was clear from your example. The tools have value. We still need to scan in the right places. We still need to test in the right places. We still need to perform even the manual-type functions that we have in the right places. But what you’re saying here is we’re going to approach it differently. We’re going to approach it where there’s material risk. And we’re going to unload the developer burden from those simple changes that frankly have such low risk that we’re wasting our time and energy doing so, correct?

Idan Plotnik: Absolutely. I will double-click on one thing that you said. There are some tools that we can replace, if you want, or not. The platform comes with built-in capabilities like secrets detection and weakness detection and other capabilities. But we are taking the tools into Apiiro and enriching them with more and more and more context.

Dave Gruber: All right, here’s the story, the way I hear it. First of all, we know that AppSec is falling behind. We know that organizations are shipping vulnerable code to meet deadlines. Second, a new approach is needed, because the tools and tech that we have today simply aren’t scaling to keep up with the kind of dev practices that have been ramping up, frankly, very rapidly. So change is needed there. This is fundamentally a different approach. It’s a different strategy, a different approach to your Application Security program. It’s not a throw-everything-you-have-away-and-replace-everything strategy. It’s a think-differently strategy: apply a new approach, a new set of technology, in conjunction with, and to the point you just made, potentially replacing some pieces and parts. Did I get that right?

Idan Plotnik: Absolutely.

Dave Gruber: Great. Thank you. Idan Plotnik from Apiiro. Thanks for changing app security as we know it today. We look forward to seeing your success.