67. Gadi Bashvitz: How Bright Security Is Redefining AppSec for Developers

Hello, everyone, and welcome to another episode of the Security Podcast of Silicon Valley. I'm one of the hosts, John McLaughlin. I'm joined with our other host, Sasha Sienkiewicz. And today we have a very special guest, Gadi Bashvitz, the co-founder and CEO of Bright Security.

Hey, John. Hey, Sasha. Thanks for having me. I love the jacket.

It's very bright. That's what we said. If this is a formal recording, then we have to be in our formal bright attire. Thank you so much for joining us on the show.

And to share a little bit with our listeners about your background, maybe you'd like to share with us your story of what inspired you to start Bright Security. Perfect. So I'll go back into just a bit of history. Started my way in cyber many, many moons ago when I was in the Israeli military.

I grew up in a bunch of different countries and moved to the U.S. more than 20 years ago. But I was in the 8200 unit dealing with all sorts of fun stuff around encryption and decryption of voice over network, for those of you who are old enough to remember the predecessor of voice over IP.

And that's really where I started my career and have held many different roles since then. But in 2018, when we started NeuraLegion, which was the predecessor of Bright, we changed our name, we changed our focus, we made a major pivot in 2020. But I was the CRO of another company at the time. We were just about to sell that company.

And I started discussions with my two co-founders, Sean and Barr, who had an idea. So the idea actually came from Barr, who's our CTO, experienced as both a CTO and a CISO. And he was seeing the writing on the wall that AI is going to start becoming a very interesting thing way back in 2018. And the original idea was, can we create an AI-driven fuzzer that will use biological evolution techniques in order to find zero-day vulnerabilities.

Really cool idea. We all jumped in. So I met Barr through Sean. Sean is our third co-founder.

He's our COO. And Sean and I go back to kindergarten. So we've known each other for 40x years. So it's been a while.

And they came up with this initial idea. We said, yep, sounds good. Let's partner on this. And that was the original reason for starting the company.

What we learned in the first couple of years is that while we were building really cool technology, it was just that: cool technology. And unfortunately, the market wasn't really there. But it was a very small team of people, fanatics in the positive way, that were very passionate about working together and solving real problems. And we decided to make a pivot in 2020 and address a very significant problem that we were hearing from every customer that we spoke with, basically.

And that was, I've been deploying application and API security solutions for many, many years. And yet, I've not been able to reduce the number of vulnerabilities in my applications. And I'm still getting data breaches, etc, etc. It would be great if there was a solution that could run much earlier in the development lifecycle and have fewer false positives and enabled me to find these vulnerabilities and remediate them before we got into production.

And that's what we decided to pivot to in 2020. And the whole journey has evolved from there. That's to your question of, how did we get here? That's, that's, that's the origin story.

The origin story that goes all the way back to kindergarten. That's awesome. Yeah, I've heard a lot of different ways the founders have met their co-founders. And I think that might be a first.

We started, yeah, it took a few years to get there. Amazing. So during that pivot, you mentioned that you pivoted in 2020. And you really, it sounded like you moved from a place where you focused on amazing technology, super hard problem, and you focus a little bit more on what was being asked in the marketplace.

And what was being asked in the marketplace, if I heard correctly, was, hey, I've got all these false positives, I do all of this hard work, I can't really seem to reap a benefit from all of this investment that I'm just pouring into the product and the life cycles. And so what's the magic sauce that Bright brings to the table? Yeah, I think the problem itself was an interesting one, right? The problems they were seeing were one, by the time I found vulnerabilities with the tools that I have in place, which were either dynamic scanning, or real time protection, etc.

It was too late, the vulnerabilities were already in production. And now I'm playing a defense game instead of an offense game trying to find them and fix them early on. There's also a fact that if you're finding a vulnerability in production, and you're trying to fix it, it will take you 60x the amount of time to fix it in production, because the developer is no longer in the code, they've forgotten what's in there. Sometimes you don't even know who wrote that code, etc.

Right? It'll take you 60x longer to fix it in production, versus fixing it while you're developing and in the development lifecycle. So that was problem number one. Problem number two was that they were deploying other tools like static analysis, and those had a lot of false positives, because they're looking at the code itself, they're not looking at the compiled code.

So you're not looking at true vulnerabilities that exist in the production environment. And the third problem was that we changed. And by the way, this problem is taken on a completely new level to it with the advent of AI. So we'll talk about that in a second.

But the third problem was really around the fact that engineering practices had changed, and application security had not kept up. And what you end up having in these organizations, if you look at a very large financial institution, the ratio between AppSec people and developers is now one to 200, one to 300. But there are 200 other people that are waiting for them to help and help them remediate that. And the big change in our mindset came when we realized that, yes, this is a security concern, but it needs to be addressed as an engineering problem.

And if you can fix it and address it as an engineering problem, you will be able to actually fix it in a much more comprehensive way. And in order to do that, we have to take a completely new approach that nobody had taken before, ignore all of the rules that existed. And this is still a discussion we're having with customers. A lot of times we'll talk to organizations, to prospect customers and tell them, no, this is how you should do it.

And they say, no, it's impossible. In the last 20 years, it was impossible to do it. And we said, no, that's why we thought about it differently. And that means that instead of running scans to find vulnerabilities that will take three days or four days, no, those scans can only run for 15 minutes.

That's the whole time you have. So how do you get there? You have to separate your discovery from your scanning and make sure that you're discovering continuously in the background and just running incremental or delta scans. You have to only scan for the vulnerabilities that could actually manifest based on the technology.

So there's a lot of changes that you need to make. You have to provide proof of vulnerability for every vulnerability because guess what? A developer is not an AppSec specialist. They don't know what it is if you tell them it's an XSS, right?

So you have to give them proof of vulnerability. You have to give them remediation guidelines and really work with them. And that was the initial solution that we launched in late 2021 was really that dev-centric dynamic solution. And we built a whole platform on top of that.

So it was taking a very different approach than what people had taken before. Back in the day, we had the entire organization dedicated to SRE. That used to be the name for the infrastructure engineers, but it turns out it doesn't really scale and it doesn't work for many different reasons. It's an organization, you write an application and you hand it over to the SRE.

Now it's called DevOps organization. And then you expect that organization to totally support without understanding how the core logic of the application is supposed to function under normal and extreme conditions. There is a very similar pattern in the security space where you have a bottleneck often. And I think you mentioned that in your earlier statement that you have a single engineer who might be dedicated to the application security.

And you have this huge overload of reviewing the source code and trying to find security vulnerabilities in the source code. And then if we talk about the supply chain vulnerabilities, that makes the job of a single engineer extremely difficult because in order to be extremely fluent and educated in your research, you have to understand the logic of that source code, and then you can do your investigation. That's how ideally it should work. But you're absolutely right.

A lot of tools in the market, they fail to identify what is actually exploitable, remove the noise and suggest the appropriate steps based on the good security standards, how to remediate it. Yeah. I think you're touching on a critical point. And it's really interesting how we learned along the way.

When we decided to make the pivot in 2020, we said one of the core values of us as a company that we learned from our failure is we have to make sure that we're continuously listening to what our customers are saying. In many cases, listening to what they're not saying, but what they really need. And double click on that and understand that. I'll give you an example.

One of the capabilities we released in 2023 was exactly to the point that you're mentioning. And that is, we have customers that are using our solution for dynamic analysis. We have customers that have deployed static analysis tools, whether it's Checkmarx or Snyk or whatever it is. And we realized that one of the biggest problems they have is all the false positives that they're getting from those static solutions.

So we integrated with those tools. We get an API from them where they give us all the results from a scan that they ran. And we try to correlate all of those findings. And we say, okay, great.

You found 120 vulnerabilities in this application. We were able to run a dynamic scan, just looking to correlate those 120. We found 80 of those, by the way, these numbers are from a real customer. So we found 80 and we're able to correlate those 80.

Out of those 80, we were able to provide proof of vulnerability for 20. And out of those 20, 11 were critical, high, medium. So within a couple of hours of getting a result of a static scan, we were able to tell a developer, look, there's 120 here. These are the 11 you should fix right now.

The other 109 can go into a different cycle and they can be dealt with in the longer term. But these are the 11 that are medium, high, critical, and they exist in your production environment. Go fix them right now. When you're looking at the set of vulnerabilities that you can find, those vulnerabilities really divide into two key parts.

The first part are technical vulnerabilities. So that can be SQL injection and XSS and file upload and file inclusion and all sorts of, like, a very broad set of the OWASP Top 10, whether for APIs or for applications. But there's a whole different set of vulnerabilities that are business logic vulnerabilities, like privilege escalation, that are not technical vulnerabilities. They are functional vulnerabilities, but they enable hackers, or unlawful actors, to create a security vulnerability because of them.

And because of our fuzzing history, we included business logic vulnerabilities very early on in what we deployed, which became the basis of very quickly being able to add LLM vulnerabilities. So there are unique sets of LLM vulnerabilities that, and OWASP has now released the top 10 for LLMs. And then there was a debate of, are those the right top 10? Are they not?

And that's going to change. So the key thing is that because we had these abilities, or we had already built all the infrastructure to run scans for business logic vulnerabilities, we were very quickly able to add all of the LLM vulnerability tests that are relevant for the application and API layer, which was really, really cool. So we were able to very quickly release a solution. But it touches on that broader set that you brought up, Sasha, which is not just technical, but also the business logic vulnerabilities and how do you find them?

And how do you enable organizations to remediate those as well? Who do you see as your main customer for this product? The answer to your question is a shifting answer, and I'll explain why. Realistically, the budgets are coming from the security world.

So it's people who roll up to the CISO and the people who are responsible for application security or API security. That's where the budgets are coming from. However, more and more we're seeing that the actual users are the developers. So we're looking at it and we're seeing that the AppSec team becomes basically the bookends.

They're the ones that define the strategy. They're the ones that do the validation and the reporting later. But the actual work is being done more and more by developers. It's integrating into their unit tests, it's integrating into their CI, and they're the ones taking action to remediate and fix vulnerabilities.

We're starting to see a shift in that trend where in some cases, the budget starts coming from the CTO office and not from the CISO office or the chief security officer office. I will add another thing that is just starting now, and we're already working on this with a few design partners and with the intent of launching a solution in the first half of this year. And then John and I have talked about this in the past. But the big change that's happened, and again, this is based on listening to customers, seeing what they're actually doing, whether they tell us or they don't tell us, and trying to make sure that that is addressed.

So if you start looking at tools like GitHub Copilot and Augment AI, right, and other tools like that that are code generation tools, they introduce a whole new challenge into the world that we operate in. Because it's a whole new opportunity, but it's a whole new challenge. Because that code that is AI generated, all the content that goes into training it, or the majority of the content goes into training it, is open source. And that open source content is not aware of security, which means the code that is being generated by these AI tools is vulnerable.

And it's actually 4x more prone to vulnerabilities than human generated code. What we saw, it was, again, it's all a journey, right? We started by having an agreement or a partnership with Microsoft in May last year to be able to test AI generated code that was generated with Copilot. And the way we realized that we need to do that is we have this component called SecTester in our products that can generate security unit tests.

Because we realize that developers don't really understand security, so we need to give them the tool to do that. Once we integrated SecTester with Copilot or, hopefully, Augment AI and other tools like that, we automatically understand what is actually in that code and can tell the developer, look, these are the unit tests you need to run. You don't know what's in that code. It was AI generated, but trust us, we already know what's in that code.

These are the unit tests you need to run to find vulnerabilities. So, A, we tell them what they need to do in order to run the scans. Then they can run those scans with the correct payloads that they're testing for, find the vulnerabilities. But then we realized, you know what, it's not just for AI generated code.

It's for human generated code as well. As long as that AI tool exists in your environment, we can guide you on what unit tests to create for the human generated code. So, now we're covering both aspects. And then, and this is the new stuff that is just coming.

Great. We found the vulnerabilities. Now we've been doing dev-centric DAST since 2021. Let's be honest.

Developers don't want to sit there and fix vulnerabilities, right? We can go back to the AI tool and guide it on how to fix the vulnerabilities that were found. But much more importantly, because we're a dynamic solution, we can then test that that fix actually remediated the security risk. So, it goes back to the point that you raised, Sasha, around the broader context, because we can test the broader context and make sure that that fix was actually deployed.

That last part of auto-remediation and testing it, that's very, very, very new, that's just in some pilot customers right now. Again, it's planned to be released by the middle of the year. And that's a huge game tester because now we're, or game changer, because we're moving out of the testing realm. We're getting into the automated testing and remediation realm, which is super exciting to us.

Who do you see as the main customer from the SMB or enterprise point of view? What is your biggest traction point in this market? So far, it's definitely been enterprise. So, large banks, large financial institutions, leading insurance companies, technology companies, but larger organizations are definitely the primary adopters.

Because I think that for them, understanding that their reputation is so critical to them that it's important to find these vulnerabilities early and prevent them from actually manifesting. And that's why they've been the first to adopt. The other side of it, honestly, is that deploying a dynamic solution is not an easy thing. You need to have the right authentication and the right credentials.

You need to be able to get to all of your targets. So, it's a complex thing that is easier for large organizations to adopt. Saying that, I think that as we launch this auto-detect and auto-remediate solution, it's going to open up the aperture to a lot more organizations to adopt it. So, that's an incredible journey and an awesome product.

I'm super grateful that there are amazingly gifted and talented and smart entrepreneurs willing to take the risk, explore this application of new technology onto some very old problems. I'm curious though, Gadi, would you pick out a moment as your proudest moment along your journey? Wow. My proudest moment along the journey.

I don't think I've gotten to the proudest moment yet. I think we're still on the journey itself. I think there are a lot of proud moments along the way, right? Landing the first large customer and implementing them successfully and getting a very positive review from them on G2 or getting a very positive review from them in Gartner Peer Insights.

That's a very proud. It's not landing the customer, that's the fun, but it's getting that positive review from that customer is a very proud moment. Getting really good feedback from a partner that we've implemented and integrated with and they said, like, wow, your product really made our solution better with our customers. Actually getting positive feedback from an investor or from a team member, those are all proud moments.

I don't know that I've had the proudest moment so far. I'm still waiting for that one. We're still on the journey. I love it.

No, I love it. You feel the hunger to drive and to move forward and to make the world a better place. It's always in front of us as entrepreneurs. How about, what's the hardest thing that you've had to do along your entrepreneurial journey?

It's funny, right? Because when you talk to investors, when you talk to other people, entrepreneurship is not an easy thing. It's not for the faint of heart. It's hard.

The hardest thing is staying positive and staying consistent, no matter what happens. And constantly being tenacious and not giving up. And you will hear no 500 times a week. And you just can't let it affect you.

And by the way, I think that that's where, if you were a single founder, it's much harder. If you have co-founders that you can collaborate with and co-founders that you trust, and sometimes you're down and they're up and sometimes it's the other way around. And as long as you can talk about it and support each other, that's a critical, critical thing that a lot of people underestimate. If you could go back in time, meet your younger self, would you?

And what would you say? I think I'm in a unique position. And I actually tell my co-founders this all the time of, I must be much dumber than you guys, because this is my fourth startup and I keep on doing it again and again and again, despite how hard it is. This is not their fourth startup.

So I think I knew what I was getting into, unlike other people who start a company. So there wasn't much I would have to tell myself, because I knew what I was getting into. I definitely think that overall, what I'd tell people that are going to get into an entrepreneurship path and start a company is just know what you're getting into. Understand that there are no weekends, there are no vacations, there is nothing like that.

That's as long as you're on this journey, you are giving up your life for this. And your co-founders are your partners, and you are always thinking and you need to be obsessed with what's next. Because until you're a large, profitable company, you haven't made it. And you're still concerned about how do I make payroll tomorrow?

Or how do I make payroll next month? Or how do I make payroll in three months? And how do I find the right partnerships, etc.?

I think the advice I would give myself and any other entrepreneurs just know what you're getting into because you're saying goodbye to your weekends and your vacations and anything else like that until you're on the other side of this journey. Yeah, it must be worth it. 100%. So speaking of making it worth it, what legacy would you like Bright Security to leave?

I think the thing that we are striving to do, and we have been striving since the beginning, is make applications and APIs more secure. In the end, it's the understanding of the way we have been doing things just doesn't work. And that's why we haven't seen significant improvement. And don't get me wrong, there have been some amazing steps along the way, right?

And some companies have done amazing things along the way, and deployed amazing solutions. But in the end, we haven't solved this problem yet. And I'd like to get to the point where, and I know it's a utopia, because we're not going to get there, but to get to a point where vulnerabilities and applications and APIs are a thing of the past, right? That ounce of prevention versus the pound of cure that we have to deploy later, I'd like people to leverage that ounce much more effectively and reduce the need for the pound later.

So organizations are more secure and our data is not constantly exposed and being stolen, etc. There are ways to do it, you just need to deploy the right solutions. And to Sasha's earlier point, it's not just the right solutions, there's the age old people process technology, and you need to train your people correctly, you need to have the right processes in place to make sure that these things are being implemented. And that's the legacy that we would love to leave behind of saying, we made a dent, right, a lot more organizations are now deploying secure applications and APIs before they get to production.

And we've reduced the amount of bad actors in the world based on that. We have a ton of entrepreneurs who listen to the show. So this is a little bit of a leading question. But is there any like tool or service that you just wish existed, and someone could just go off and build like right now, and you would absolutely be the first customer?

Wow, there's so many. I think that as I look at each and every discipline, right, a lot of these tools can actually be built with AI now, which is really cool, but you need more time. So I would say if somebody was able to find me more time in the day, and free up more time somehow, that would be the best tool possible.

But looking at the various disciplines, you know, when we look at the company, and I'm saying, okay, there's the sales organization, there's the marketing organization, there is the development organization, the product organization, the customer success organization, our CIS organization, so all these different teams, I think that what would be really, really cool is, is there's Slack, and we're constantly communicating on Slack and other tools like that, but a better way to distill communication within the organization. So we can communicate amongst ourselves and with our customers in a better way, that would be really, really cool.

So understand what is actually important to me from the 250 Slack messages that I get a day, and highlight those to me in an effective way. We have an awesome audience. Where can people meet you in person soon? Oh, perfect.

So wow, we have a lot of stuff. So we were just talking before we started recording on the fact that we are presenting at RSA. We're sponsoring RSA. We're sponsoring B-Sides San Francisco.

So we will be at both of those. There are a lot of regional events that we participate in. So I'm going to Orlando in a week and a half for an event. I'm going to Denver in a couple, like three weeks from now for an event.

Go to BrightSec.com. So BrightSec, short for BrightSecurity.com.

We have all our events posted there. You want to reach out to me directly? It's very simple. Gadi at BrightSec.

So feel free to reach out. I can connect you with the right people and would love to engage more and talk more. Gadi Bashvitz, everyone, the co-founder and CEO of Bright Security. Thank you so much for joining us for our show today.

It's been an absolute pleasure. Thank you, John. Thanks, Sasha. Thanks, everybody.

I really enjoyed being here. Thank you.