69. Cryptography and Web3 Expert: Security vs. Speed Is a False Choice

Hello, everyone, and welcome to another episode of the Security Podcast of Silicon Valley. I'm one of your hosts, John McLaughlin. I'm joined by the other host, Sasha Sienkiewicz. And today, we have an amazing guest, Riad Wahby.
Welcome to the show. Thanks for having me. It's great to have both of you on. We were just chatting a little bit before we clicked record, and you were telling us a little bit about CMU.
Yeah, as a tiny bit of background, I'm faculty at Carnegie Mellon. I'm in the Electrical and Computer Engineering Department, and we were sort of reflecting on the dizzying array of departments that all have some claim to teaching computer science, and mine is one of them. I mean, something about hardware, I think, is important when we start talking about computers, right? And you're also a co-founder and CEO of Cubist.
That's right. It's kind of exciting. It's nice to have, you know, one foot on both sides of the line. Yeah, Cubist is an interesting place to work.
We're still pretty small. We're, you know, a couple of years, two and a half years in, almost three years in, actually. Yeah, we're having a good time thinking about computer security, cryptographic key management, you know, everything that's fun. So tell us a little bit about Cubist.
What's the scoop? It's hardware-backed key management for Web3. Web3. That's right.
You've said it in a nutshell, but essentially, we're building systems and APIs that let kind of anyone manage cryptographic keys in a really sane way for Web3. Being able to sort of apply sane security policies to keys that really reflect, you know, the level of sensitivity, the level of activity. And, of course, being able to do this in a programmatic way where, you know, you can really, you know, you build your company's software operations to interact with blockchains. That's sort of our mission.
So it's that dilemma in security that we always have. Security versus usability. And where are you guys on this slider? Our goal is to say, look, you don't need to choose between these two things.
You should be able to get both. You know, I think most people think, no, you can't. But here's one way that you can. So you can actually attach really, really fine-grained policies to each of your keys.
And you can use them at extremely high speed, you know, compared to others in the industry we're 100 to 200 times faster to, you know, actually respond. And so, you know, you get this high speed, you get, you know, the performance you need for your, say, trading application or whatever it is. But you also get to make sure that when the bad guy says, hey, no, give me the money, the key says, wait a second, that's not allowed. I love it.
I love connecting your AuthZ directly into the mechanism that's driving the transaction. That's perfect. And it kind of feels like you have a personal experience or you saw this problem in a very, like, up-close manner. Yeah, a few different ways.
But, okay, so the story of how we, like, got to this as a product is kind of a classic. You tell it to a founder, they're like, oh, yeah, that's what happened to us too, right? We actually had this other idea that we were like, oh, my gosh, this is going to be so cool. You know, we're going to build this, you know, this sort of software development suite that's, you know, going to help people build complex Web3 applications, you know, handle multi-chain interactions and stuff like this.
Which, by the way, is a real problem. And we built something, you know, just, you know, version zero, get it out there, get customers using it. And we went and started talking to customers. And, by the way, credit to my co-founder, Anne, who is, you know, sort of our business savior, who really, really put the screws to us and said, you guys, okay, stop building things.
We know that's fun, but it's time to go talk to people. And so we listened to Anne grudgingly at first, but then we realized she was right. And everyone kind of said the same thing, which was, this seems really cool. But the thing that actually keeps me up at night is this one tiny corner of the diagram three slides ago where you said, like, automate this stuff.
And we said, oh, yeah, well, you know, we're, yeah, that's part of it because, you know, you need that for continuous deployment. You know, continuous deployment. And they said, no, no, no, we need it for everything. It's not just for CD.
It's for, like, the whole operation. And we had this kind of aha moment where, well, okay, after the seventh customer told us this, we had this kind of aha moment where we were like, okay, so this is the product that people actually want. And, by the way, it's actually a product that we can build really well. Like, we've thought about it carefully.
It seems like it'll be a fun thing to build. And so that's how we actually got there. But, you know, in our kind of personal interactions of the co-founders with, you know, Web3 generally, this had already been something where it's like it can't possibly be this clunky. It can't possibly be this bad.
What are we missing here? And then it turned out, yeah, it was the stuff we were replacing really was that clunky and that slow and that hard to use. And so I think we kind of found a niche. Amazing.
How did you meet your co-founder Anne? Interesting story. So we, okay, actually, let me back up because I met my other two co-founders first. So there are four of us in total.
Four total. Okay. Yeah, yeah. So Fraser and Deian were both PhD students with me at Stanford.
We all worked together doing research stuff, like way before we had any thought of building a company. At some point, Deian went and founded a company that was working on JavaScript security. Cool stuff, really. And he, you know, so he was sort of in San Francisco and kind of in the, you know, SF startup scene.
And he met Anne. She was working as a COO at another startup in kind of in a fintech, like really kind of heavily compliance and kind of anti-fraud type stuff. And so, you know, we knew Anne through Deian. And at some point we said, like when we were kind of talking about building this company, we said, like, you know, actually, number one, we need somebody who can, like, who actually knows about operations.
And number two, like Anne's background is perfect because, like, she's sort of our counterpart, but on the, like, finance side, right? Like, she knows how to talk to folks in fintech. She knows, like, kind of about the way that, you know, compliance processes work and about preventing fraud. And, you know, which is like, you know, I claim to know how to, like, prevent somebody from breaking into my computer, but it's actually a very different thing, right?
Like, you kind of have layers of security. And one of those layers really is, like, here are our processes for preventing fraud. And so having somebody who knows that sort of thing cold and, you know, who's really done it in, like, in a high-risk industry for many years is a superpower. So go find it.
Like, if you're starting a company, like, find yourself somebody who is excellent at operations because your company is a machine and they know how to make it run. And find somebody who, you know, if you're in security, who knows how to do this sort of thing. It's been a superpower. So, I mean, I guess message for all of the founders out there, you have to find yourself an Anne who understands, like, operations, compliance, and maybe the business side of things.
But I'm super happy that there are incredibly smart people, like, jamming on this incredibly difficult problem. Kind of you to say. It's certainly a fun problem. So, you know, I kind of feel lucky that I get to work on it.
You know, have you always thought of yourself as a security person or did you accidentally, like, happen to stumble into this crazy, crazy field? I kind of started out thinking of myself as something, well, more like cryptography. Okay. So long ago in the mists of time in middle school, I was at a bookstore with my dad and I somehow convinced him to get me this enormous red book called Applied Cryptography by Bruce Schneier, which is like, you know, a classic.
You see it on everyone's shelf. Sasha. Sasha. I was going to say Sasha.
There it is. Turn around because there's one right there. There it is. That's amazing.
And, you know, he was like, wait, really? You want to read? He looked at it. And he was like, wait, come on.
And I said, this seems amazing. And then from there got into like, you know, the cypherpunks. And actually for a while, I was like the administrator of the cypherpunks mailing list and all this sort of stuff. Okay.
So I was like deep in the like kind of security kind of cypherpunk scene, you know, was kind of looking back now. You know, I didn't know a lot, but I was very excited about cryptography. Let's put it that way. And then I went off to college and, you know, I saw this other bright, shiny thing, which was circuit design.
And so I ended up working on that. I ended up as an electrical engineer and I spent a long time in industry like designing analog integrated circuits. But kind of in the back of my mind, always like, you know, keeping a finger on the pulse, like computer security. This is like a cool thing.
There's a lot of interesting kind of policy, politics, tech stuff going on at this nexus. And at some point, well, it depends. Internally, I was like, you know, maybe a slight shift would be cool. And then I ended up like going back to grad school and, you know, working on working in computer science.
Yeah. Then I ended up sort of back in the fold and like working on cryptography again. So I kind of made a full circle. So computer security, cryptography, they're not quite the same thing, of course, as I tell my students.
But they're close. And, you know, both are super interesting. And it's a really, really, really cool area to work in. And fast forwarding to today, here we are with Cubist.
You're building a solution to an incredibly difficult problem and using like all of the great cryptographic primitives to help achieve success. And you've raised money. You've raised $7 million in seed, according to LinkedIn. Yeah, a little more than that nowadays.
It's sort of kind of amazing that you can kind of tell investors like, look, here's the problem. This is what we're doing about it. Like, look at this. And, I mean, number one, I think it's really kind of amazing that, well, we were very lucky.
We found investors that we really click with. They're super technical. They're folks that, you know, when we explain these things, they're like, oh, yeah, we understand that. And by the way, here's a couple other points.
And here are a couple people you should talk to. Right. So, like, when your investors do that, like, you know, you're talking to your people. Right.
And it's just amazing that you can sort of find a problem, you know, identify it, say, look, this thing is a real thing that we should do. And then there are people out there who understand enough to say, yes, and I'm going to back it. So, I mean, that's kind of amazing. Which I think is a very important point that you, Riad, just touched upon, which is the seamless connection with your team.
And when you take external money, the VC becomes part of your team. Like, you have to be aligned in the direction, in the vision, and on the execution as well. Especially if you get that external help from VCs, not just in terms of money, but in terms of connecting people, connecting the pain points, connecting with other businesses. That's extremely helpful.
Absolutely. You know, every VC prides themselves on being connected to everyone else. Right. So, to the extent that they're able to leverage that for you, that's something that, you know, you haven't, presumably, you as a founder, haven't spent years cultivating all these relationships because, like, you've been doing whatever it is that your company's doing instead.
Riad, you mentioned something else very interesting. You guys were in the build mode. Let's build a product. Let's build even more product.
And then at some point, Anne mentioned that, hey, guys, maybe let's stop and let's talk to the customers. At what point did you pull the plug on further development and just iterate on what you already had and communicate that to the existing customers or prospects at that point? And why was it important? I can only speak for myself personally.
And, you know, a little bit I can reflect on my experience with my co-founders. But I think a lot of people tend to be perfectionists about this kind of thing, right? Like, it's really easy to say, it's not ready yet. We're going to take a little more time and then we're going to, right?
And I think you kind of, like, I think if you're ever, like, taking a product to a customer and feeling really comfortable about it, you're probably missing an opportunity because it means you should have done it, like, six months ago when you were less comfortable about it. I don't know, six months, something. Because, you know, I think if you're talking to the right people, they're not expecting to see something that's perfect and polished. And meanwhile, you could very easily have spent, you know, that six months or whatever polishing something that nobody in the end wants, right?
So I think getting over the need for perfection in favor of something where, you know, I know what the strengths are. I know what the weaknesses are. I'm going to be very frank about the weaknesses. Like, take it to a customer.
Like, hey, I know that, you know, it's a little rough around the edges and it doesn't work with, you know, all the chains that you're interested in. Maybe in the case of the product that we were looking at. But the imperfection is kind of part of the process is super important. And I mean, I'm preaching that, but like, really, I am basically just reiterating what Anne told me, which was, look, if you perfect it, you're wasting time.
Which is super important. When we wear the engineering hats, we also, we always look for that perfect solution, the perfect function, the perfect class. But in reality, there is no need to get to that perfection state because it doesn't exist, which is what you mentioned. And often the 80-20 rule is more than sufficient in order to move forward to the next stage.
I'm super curious, as you reflect on your journey, it's been almost three years now. What's been the absolute best day that you've had? What did that feel like and what was going on? Okay, I think there's one clear answer here.
After we decided to really focus on the kind of key management infrastructure, when we zoomed in from that huge picture to this tiny thing that all the customers had actually cared about, we actually were in a position where we had a customer who was launching a new product. Like, we had a customer who was willing to pay for the thing, and it didn't exist yet, but that's okay. And we were just kind of building with them. Like, they had this kind of new thing.
They said, look, we need all this. Here's the feature sets that we need. Here's the stuff that we're building. Here's our timeline.
And that timeline was, like, insane, of course. And, I mean, because why not? Like, you got to... Of course. That's what you do. You move fast.
Yeah. And so we then went into, like, insane build mode. And so we were, you know, you're just in that state where it's like you sleep for four hours. You dream about the code that you were writing before you went to sleep.
You wake up. You, you know, write code for 20 straight hours. Maybe there's food in there somewhere. And then you just rinse and repeat, right?
And, okay, first of all, I love that. There's almost nothing that's as pure as that. Just, like, here's six months of adrenaline, right? Yes.
Yes. But at the end of that, we actually launched the thing on time, by the way. We launched the thing and the customer was, like, up and running. You know, we had things working.
But then, of course, that's a fantastic feeling. That's spectacular. That's a huge win. And it works.
Like, here we go. This was for a customer who was, you know, building a specific kind of application where they, you know, they had a bunch of machines that were sort of automatically generating a bunch of signatures. And there were certain kinds of, yeah, there was sort of a certain event that was relatively rare but was, like, that's good when that happens. Like, it's rare just by the design of the sort of external system.
And so we really wanted to know when those sort of rare good events happened. And so at some point, we hooked up the good event to PagerDuty. And so then at 3 in the morning, my phone goes off and it's PagerDuty. And I'm like, oh, no, what's happened?
And I look and it's like, oh, oh, the good thing happened. Well, that's amazing. Nice. And then, of course, the next day we unhooked that because, like, nobody wants to wake up at 3 in the morning.
But that moment was like, ah, this is fantastic. That's spectacular. What was the good thing? Like, you discovered you bumped into a new Bitcoin.
Was it mining related? Yeah, exactly. I mean, so this was for Ethereum. But, yeah, basically, like, it was one of their validators proposed a block.
And, you know, you get a big reward as a result. And, yeah, so we got a PagerDuty alert for every proposed block. And, yeah, people quickly put the damper on that. I was like, ah, sometimes it would be nice to be rewarded by PagerDuty.
But they said no. The face. No, I like that. Like, why are the interrupts always, like, negative?
They should be positive. I love that. I love that. And it fits with your – I feel like your leadership style is very positive, very, like, forward-looking, filled with gratitude and humility.
So it fits. That's kind of you to say. I hope that that's true. Okay, okay.
The converse question is could you think of your most challenging moment that you've had so far as a founder? Yeah, so that one's also easy, it turns out. And it happened really early, which, I mean, I guess that's a good thing. Like, the low point should come as early as possible, and then it's kind of a climb out from there.
So we, you know, we put together a plan. We were like, we're going to pitch. So we had built this beautiful pitch. Like, really, I think it was kind of a nice – it was a clean story.
And people were liking it. And we said, okay, now's the time. Like, it's time to, like, to strike, to really to raise a round and go. And that was great.
We had a bunch of meetings lined up. Like, we were able to really kind of compress the timeline. Kind of all the things that people say, this is what you should do, right? Things were going great.
And then do you remember a little thing called Terra and Luna? Maybe this was in the news where these two cryptocurrencies crashed. The bottom fell out. That was the second week that we were raising funds.
And so this – I don't remember exactly the day, but let's say it happened on a Tuesday. You know, the next day, we had, like, a meeting with, like, a really important person who, by the way, is fantastic. We had this kind of really important meeting. And we show up at the meeting, and he kind of shows up.
And you could just immediately tell something's not right. And we're like, hey, man, how's it going? He's like, it's terrible. I've been awake for 36 hours.
What do you want to talk to me about? And we were like, oh, okay, not great. And so that whole week of meetings was basically just people who hadn't slept because, like, half their fund was gone. And it was quite challenging to, you know, sort of pitch through that.
Things kind of worked out. So I guess in the end, it was – you know, that really was lower than the local max. But that was scary. I thought we were done at that point.
But, wow, it can be, you know, in that moment where something just completely external to you, it's like, at least if I'm going to fail, I want to have been the reason for the failure. But in this case, it's like, no, just like some random stuff happened that really has nothing to do with me. And now the world is just, like, burning down. And, I mean, it's such a terrible feeling.
It's like not only are things going wrong, but you're also completely helpless. So what do you do? What is the main pain point that you guys solve for your customers today? Yeah, that's a great question.
So I think – yeah, I think there are multiple layers of answer. So – and really just kind of riffing on what you said, I mean, at the bottom, you know, if we had to reduce everything too much to a single pain point, it's like, well, it's just too darn hard to do this stuff, especially if you're trying to use secure hardware to do it. Like, the hardware systems tend to be slow. They tend to be inflexible, all that.
But that's not – you know, that's not what the customer feels directly, right? Like, they're seven layers removed from that. What they feel is, well, I've got to integrate this new system that I've never seen before. It's got this weird key format, and who knows how key derivation works, and my customers really want to be able to log in with, you know, their Gmail account or whatever it is.
And, right, so, like, that's what they actually feel. And those two things are, you know, very directly connected, but, you know, by, you know, seven layers or so. So I'd say at the bottom, really, our, you know, our approach starts from secure hardware. So all of the key management, key generation, key usage, like, everything happens inside of secure hardware.
And we're able to do that by kind of coupling two different secure hardware systems. One is, like, a kind of classic FIPS 140, like, bank-type HSM, hardware security module. And then the other is a secure enclave. Like, effectively, the property that we need is we're able to say here is some code that's identified by its hash, or by a signature, or whatever it is.
And only that code is able to access this key, this sort of master key that lives inside of the HSM. And so we lock those two things together. And now you can actually get some really strong properties, right? When you can say, I know that the only code that's allowed to touch this data, which happens to be a secret key, is, you know, this code.
And then I can really focus on, you know, making sure that code is correct, making sure that it does the stuff I need it to do, et cetera. So at the bottom, that's really what it's about. Okay. But then on top of that, there's all the stuff that the customers actually want, which is, like, well, I need, like, a nice API for generating keys.
I need to be able to import my existing keys, right? Like, most of our customers aren't starting from zero. They're starting from tons of keys. How do you securely import keys into the secure hardware?
I want to be able to back up and export my keys. If I'm running a wallet, like, where, you know, I have end users and the end users are the ones who actually own their own keys, then our customer, you know, we have a lot of customers who are in that mode where they're not the custodian. We're certainly not the custodian. Each of their customers owns their own key, right?
So now you have this really interesting question. Well, how do you make sure that the customer is able to retrieve their key and back it up, say, but, you know, no one else is. And especially the company that's providing the service is not able to touch that key because, of course, they don't want to be – they want to be able to say, like, we have strong safeguards. None of our employees can touch it.
We can't touch it, et cetera, right? So I think all of those little things are – you know, you kind of have to have all these pieces in place. But then, of course, you also have to have, you know, really fast performance. You have to, you know, have broad support for, you know, any kind of chain that somebody might want to use.
You have to be able to add new chains really quickly. Like, that's something that we're able to be really agile about this. And sort of I think that kind of gestalt is the pain point that we're solving. It's like there's a million details and the space is expanding at this incredible rate and you still need to be able to have a product that isn't just, like, sitting still and is like, well, the stuff from five years ago is good enough.
And what we tend to see and one of the reasons that we tend to win when we go up against kind of the more traditional competitors in the space is that those folks, you know, tend to fall really far behind on adding new support or on, you know, supporting workflows that don't look like the workflows that they envisioned, right? And so because we're able to remain agile like that and because we've kind of thought really carefully about all of these details like import, export, you know, the custody model, the, you know, the sort of security policies that apply to the keys, you know, different user models, et cetera. Like all these things, getting all those details right.
I think that's where we're able to really say, look, we can solve your problem in a way that the competitor can't. It's a very difficult problem on so many different levels and making it fun and making it a business-viable product. Props to you, Riad. Thank you so much.
That's, that's, it feels good to hear you say that, but it is definitely true. Like we get to have a lot of fun. The technical side, there's always something interesting. There's always a, you know, kind of a small problem that's very satisfying to, to solve.
You know, there are these nice, really hardcore kind of engineering problems. And so, you know, there's, there's a lot of, there's a lot of payoff for working on this kind of thing because, you know, it's, it's, there's never a dull day. I love it. Okay.
With your journey, with where you are today, if you had an opportunity to go back in time and meet your younger self, would you? And would you, what would you say to your younger self? So, um, I, I, I don't know. I'm kind of an adrenaline junkie.
I really like that kind of thing. Um, and so I guess I would tell my, my, my, you know, past self, like enjoy that, especially enjoy the parts where, you know, the pressure turns down a little bit. You can relax and maybe have a hobby because in a few years, you're going to lose your mind. You're going to go to grad school where you're not allowed to have hobbies.
And then you're going to, you know, be faculty and you're going to be a startup founder, where you're not allowed to have a hobby with either one of those, let alone both at the same time. So like, just enjoy it. Like, you know, enjoy what doesn't feel like, but actually is, like, a quite relaxing period in your life. And then you can enjoy the life of a startup founder, which has a lot of its own perks and benefits.
Absolutely. No, I mean, like, like I said, I'm an adrenaline junkie. Like there's, there's nothing better. So in other words, you're going to go back in time and encounter your younger self and say, basically, oh, you think this is hard?
Just wait. I guess apparently I would taunt my past self. That's what we've just discovered together. Enjoy this.
This is easy, actually. Okay. Well, that's, that's beautiful. Some sort of twisted way.
That's, that's great. I love it. I love it. Okay.
Let's go into the future now. So if we could go into the future and you envision success, like smashing success, you knock it out of the park, you hit your growth goals, you hit your fundraising goals, you hit like all of these happy customers. What, what does that look like for you and for Cubist? That's a great question.
So I think maybe backing out a little bit, the focus, like what does it look like for the industry? I think what it means is that this is going to sound a little bit self-absorbed. So I want to be clear up front. I'm self-aware enough to know this is going to sound a little self-important, but I think it'll mean that there's been a bit of maturation in the industry generally, like in the Web3 industry.
And here's what I mean. I think right now what we see is there's sort of a lot of energy and a lot of, you know, a lot of heat and a lot of light. And there's sort of things happening and they're kind of going in all directions. And as a result of that, a lot of, you know, the newest developments, you know, people are like, don't worry about security.
There's not enough time for that. Right. And so, you know, you end up in a situation where, you know, the newest, hottest project is like, of course, like it's a minimum viable product. Right.
And so, you know, security was not one of the parts of minimum viability. And so, you know, that tends to be something that gets built on later. I think the future is a place where we actually, you know, we kind of know, like the industry hits its stride and like, here are the killer applications. Here's where, you know, the next billion people are getting into blockchain.
Here's how enterprises are adopting. You know, this is what, you know, now finally people stop saying like, oh, well, no, nobody's ever going to use that, which I don't think is true. I think people will use it. And I think we're kind of getting close to that.
And I think at that point, what we're going to have is, you know, the focus will really be on let's, you know, sort of step up the quality of the process. Let's step up the, you know, the way that we handle things. And I think, you know, people in Web3 will think that this is a bad thing, but I don't. You know, the engineering processes will start to look a lot more like they do in Web2.
And I think at that point, a product like ours is essentially inevitable. Like, this is what you need, right? You need to be able to manage things in a way that, you know, gives you as a company the ability to manage your own assets in a really clean way. You need to be able to, you know, offer APIs to your, you know, if you have sort of technical customers, or you need to be able to offer a clean UI and a great user experience to your non-technical customers, whatever it is, like all of those things, because Web3 is so mediated by cryptographic keys, all of those things come via a system like Cubist, like CubeSigner.
And so to me, that smashing success is really following on the heels of like, finally, Web3 grows up. And, you know, here's the use case that, of course, everyone is now seeing as like inevitable. And, you know, as a result, like we really need to build, like carefully build systems that are, you know, managing keys and managing the way that we interact with the rest of the world. So it turns out the classical security principles apply to Web3 as well.
It turns out. It turns out. And it sounds like based on the product that you have already built, you put your customers in a very interesting position where the forward secrecy applies. I'm sure you have the function that supports that.
The agile crypto also applies. You can switch from different algorithms, which is super exciting. Yeah, absolutely. I think one other kind of interesting thing that maybe is a little further down the pipe, but someday, you know, we'll be we'll all be talking about is, you know, the real.
And I'm sure you all have already talked about it, because you're future-looking, is, you know, once we start to, you know, really see crypto-threatening quantum computers coming down the pipe. Personally, I think it's probably a bit further out than some people say. But like, I wouldn't say that I'm in the group who thinks it's, you know, happening in the next five years. I think that's probably not likely.
But I don't think it's never. I don't think it's 100 years. I don't think we get to say, like, our grandkids will solve that problem. Like we're we're going to be the ones like all of us are going to be the ones who are solving it.
And it's going to change the landscape in really interesting ways. So that's an instance of here's a kind of nice problem that all of us are going to get to solve someday. And we know it. But but maybe we don't have to worry quite yet.
Not yet. Riad Wahby, everyone. Thank you so much. And thank you to all of our listeners for tuning in to another episode of the Security Podcast of Silicon Valley, a Y security production.
It's a great pleasure to have you on the show. Absolutely. An absolute joy. Thanks for having me.
This has been super fun. No, thank you. Thank you.