The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

The Security Podcast of Silicon Valley

The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

Why Asking Developers To Fix Everything Is A Bad Idea with Neatsun Ziv

Hello, everyone, and welcome to another episode of the Security Podcast of Silicon Valley. I'm one of the hosts, Jon McLachlan. I'm joined with Sasha Sinkevich, the other host. And we have an amazing guest, Neatsun Ziv, co-founder and CEO of Ox Security.

Welcome to the show. How you doing, Sasha? Thank you. Welcome to the show.

It's a pleasure. So for all of our listeners, would you like to share a little bit about Ox Security? What are you guys up to over there? Ox was formed with the problem statement that shift left as a concept failed us for years.

We've been trying to make it work, but it's just that everybody's got their priorities. It is super hard to try and fix security as we go along. And as technologies emerge, we started saying, hey, let's prioritize, let's do this, let's do this, and constantly trying to push it towards the cutting edge of making sure that application security and product security actually work from the moment you start thinking about code up until it's running in the cloud. That's a basic concept, but every year you see new technologies, especially now with AI coming into the equation, it just becomes mind blowing.

You mentioned there are a lot of different things. How do you focus? Because it's important to focus. There are so many things we could be solving every day, but we cannot spread too thin.

How do you guys figure out the question, what is the biggest pain point that we need to focus as a team? First of all, yes. I think that for years we know it's all about the context. So if we're just saying, hey, all you have to do is guess a bank number and a password to get into the account, and I'll give you the right context, yeah, that would be easy to guess that one.

But the challenge is most of us are coming blind to those questions saying, is it deployed to the cloud? I don't know. Is it right now exploitable, exposing any APIs? What does it mean?

We're blind to that. So yes, it is context. But I think one of the advancements that we've seen recently is actually taking it to the developer and saying, maybe we could take it not to the developer itself. Maybe we can take it to the context of the vibe coding agent.

And as part of this journey, we started getting to a place saying, hey, if we've got the context in advance, why wait for the wrong code to be actually written? If we can load up front the context saying, hey, you are going to touch right now with this request an API that is externally exposed. These are the database that this app is connected to. Those are the microservices that's going to be deployed in connection with.

We want you to have those security restrictions and this rate limit and this sanitization. Here are examples. And I've already found a few passwords. Why don't I just move them to your vault and just do the work instead of shifting it to the developer that is already loaded?

Why don't we move that to a vibe coding agent with the right context? So with the right context, you can do marvelous things. I'm not sure what's the equivalent of the sentence, give me a big enough lever and I'll move a planet to AI context, but I'm sure that there is such a thing. No, I'm sure there is too.

It's looking at Ox security. It's like vibe sec security that vibes the way that software is built. Unless you've been living under a rock, the software engineering space is absolutely changing, is moving at incredibly fast paces. And there's AI agents writing code.

And now as an engineer, we're a little bit more like almost managing these agents as they produce a lot of the code that ends up in production systems. And I guess the timing smells perfect to like revisit all of these hard security problems that we've been like manually slugging through everything in our rear view mirror, all of our past histories. I'm super curious, though, was there a moment that you woke up and you had this spark of inspiration? We have to be a little bit crazy to start a company, a little bit crazy to be a founder.

You've clearly got a vision and you've got that spark. What was it like to experience that? What was that moment for you? The moment that you're saying, I'm going to do that?

Yep. So before starting Ox, VP, large security company, big department, like huge budgets, accountability from sales to product, like everything that I wanted. But at a certain point, you do understand that large companies has this disadvantage that you can't do everything that you're doing and still focus on new projects. It's this or the other.

And I think there are a few books to describe it really well. But you basically need this absolute focus and you need to be in a situation where there is no regrets, no undo. It's like you can't go back. You actually need to burn the bridge behind you.

Option to go back to something that is easy. It's super tempting. After my partner and myself left the company that we worked for and started Ox, you get to those moments in time that you're saying, oh, my God, what have I done? It's like it doesn't make any sense.

And I'm sure you heard it from a lot of founders, but a founder's life, it's like a roller coaster. It's like you never know if you're going up next minute or down. You just know that it's going somewhere that you don't expect. Yeah.

Yeah, absolutely. It's a roller coaster. And you also mentioned your partner, your co-founder. How did you guys meet?

So we worked together at the same company. We actually joined the company with a two weeks difference from each other. So we actually worked together for almost 14 years now. So you're kind of like work spouses or something?

Yeah, something like that. We're trying to do like activities outside of the home. I'm in New York base, he's Israel base. So we are actually trying to do like at least twice a year, do like a hike together, usually in US or Europe.

And it gives us like a few good days to hash things out. Amazing. Well, you have to have like that trust built up and rapport because in order to ride that roller coaster of being an entrepreneur together requires some foundation there. Yeah, well, he's got this amazing trait not to get excited from anything.

And I'm exactly the opposite. So it's like he balances me off. Okay, so this complementation, that's really good. Do you also have a complementation and sort of the focus and the skill sets that you're bringing to the table?

Are you both security experts? Yeah, so we work together at a security company. So we kind of have this very, very deeply ingrained inside of us. But one of the interesting is that actually, the field that we're working in right now, it's a field that we always were in overlap with, but we never worked in this field.

So this adventure of getting to a new field, learning everything, even though we kind of know it, getting to own it, it's a different thing. Just to own every detail, thinking, you know what, I can do this better. Like I've tested other products, I know why they failed miserably. And we have a shot at doing something better.

It's almost like you feel that pain firsthand. And that's maybe part of your superpower in this space. You know exactly what you want to see. And now you're in a position where you really own it, as you put it.

Yeah, so that's a big thing for us. What's been the proudest day so far that you've had? I would say that every time that we're getting to a new milestone, it's like the best and the worst day. The moment that you see that the goal that you set is actually achievable, you hadn't reached it yet, but you can feel it.

And it might be a quarter away, but you can actually say, you know what, I'm in the right trajectory to get there. That's the high. The low is when you know you're getting to that point, because you know a second afterwards, the next goal is going to hit you. And the next goal is not going to be like, okay, we moved from $10 million to $20 million.

It's going to be from $20 million to $50 million. So the next one is like way higher. And then you're just like, I have no idea how to do that one. You start planning it and the math doesn't make sense and everything is like, it's broken.

It's like you need to scrape yourself from the floor and start from the beginning. And every founder that I had this conversation with goes through this journey and say, yes, it happens in a few interesting points. And once you do that, it's like you get rolling and somehow it's working. Nobody understands this equation, but it's really about being out there, trying every day, putting your best effort into it, and hopefully some luck will help you.

Maybe something about being at the right place at the right time. Yes. I mean, maybe I underestimated it. It's like you don't need a bit of luck.

You need a lot of luck. In the beginning of the show, we mentioned there is a lot of noise. There are a lot of different pain points that we could be solving in the industry. And Neatsun, you mentioned that it's important to have those conversations with your customers in order to distill away all of the noise and focus on what actually matters, the actual pain point that if solved will deliver huge benefit.

What does this process look like for Ox Security and your partners? Usually it starts with a very basic question, which is what are you trying to achieve? I know it's very mundane, but just getting to a very crystal answer on this one, it's usually a very hard exercise. So let's do this exercise right now saying, let's imagine an imaginary company.

Because think about it, with the right context you saw everything, with the wrong context you're going to get hallucinations, so you kind of need to be in a very good spot for that one. Yeah, I mean that reflects a leadership style that speaks very closely to myself. When you have a team, if you're just barking orders and giving commands about what to do, you're really violating autonomy, but if you set up a situation where through the context of what's going on, you share the difficult problems we're trying to solve, with that context, you're respecting people's autonomy to allow them to go off and think about how to solve problems. And it sounds like a very similar analogy in the agentic space, where if you can provide and use the context appropriately and position that in a way where you can get value from it.

You used a word too, augment, which is one of my favorite words these days, and it really goes back to this idea of maybe enhancing the things that we're already doing as humans instead of replacing humans. I had this conversation a few days ago, saying what's the difference between fraud and cyber? Is fraud cyber? And somebody told me a sentence that just placed everything in place, saying, so cyber, it's more about abuse of a system, where fraud is more of an abuse of trust.

Now, it's a very nice distinction, and I think that as we're taking this to the AI sense, I think we are going to face a lot of challenges. As we've seen them, it's like, okay, can I do the equivalent of a VM escape to the basic instruction set that the agent gets? How do I hard code things? How do I make sure that the trust given to the agent is actually enforced?

And we're going to face a lot of those issues. I'll give you something that our research team found. I think it was already published, but if not, I'm sure I'm not ruining anything. But let's say that you just go to GitHub, and you publish the equivalent of a typo squatting.

And in this typo squatting, you're actually adding a command that one of the famous Vibe coding environment just treats as, hey, if it's on the machine, then I'm fine with that. Then you can instruct it to actually say, you know what? Write a malware locally that takes everything from the machine and just uploads it. So when you think about this concept saying, I'm actually recycling things that you trust.

It's a name type thing that I've trusted. Downloading this package, yes, I've mistaken with the hyphen, but I got this by mistake. I've got this environment that I trust because it's really doing good for me. And the combination of trusting this and trusting this is really a bad idea.

I think that we're going to find a lot of those edge cases that you think about one solution, it's fine. You're combining two things that you trust. I'm sure that we're going to find a lot of quirks over there. I mean, stuff like that to me is exciting.

We get to think through a new problem space as security professionals, as a security community. We talked a little bit about agents. We talked about application, the new threat model, the new surface attacks. And with AI, it's pretty common concept and pretty common acceptance that AI allows attacker to be a lot more nimble.

How do you see the defense side of the house? So you have red team, you have blue team. How does the blue team can take advantage of all of the innovative advancements that happen on the application layer, maybe infrastructure and maybe outer layer? It is my opinion, I haven't proven it yet, but it actually increases the asymmetry between the attackers and the defenders.

Think about token economy for a second. So in token economy, every intent that you have costs you something, let's say tokens. Now for a defender, you're always looking for a lot of data and inside of it, you're looking for weak signals or anomalies. Attacker is using this to actually scramble everything with a very, very cheap effort.

Meaning, what is a cheap effort? You can actually say, you know what, take my code and scramble it so it won't look the same. It would cost you a few tokens, a few millions of tokens, nothing big, it's like $10. Really for a deep work.

Then think about a defender for a second. They need to do it for everything, but most of it is not malicious by intent. It's like, I think that one of the research that I've seen is mostly that intent traffic contains like 0.3% of malicious content or unwanted content. I think that was the definition.

And as part of it, it actually puts a very, very, very high cost on the defender if you're going to do it in a very naive way. Now on the other hand, one of the things that we are doing is saying, look, if you want to find things in code and I need to scan code with AI, that's going to cost me a lot of money. So I can use it just for edge cases and to prefabricate patterns. So instead of human analysts actually working on generating hundreds of what are called signatures, we can really automate this loop and just say, hey, what is the odd cases and start balancing the equation saying, okay, I've scanned something for the first time.

I want to see there's nothing anomalous in this one. And I would just balance the cost saying, most of the time I'm going to do pattern base. Periodically, I'm going to do like a deep scan. And you need to start thinking about things in a different way.

I don't think that we've figured this one out. And in every field of security, this is going to look completely different. Some of the fields are taking it to response, for example. You're saying we're doing the scrubbing using basic signatures.

As we're moving up, we're investing more and more to get it from possible to verified. So exciting world. It's changing so quickly and changing in ways I'm sure like even we'll be surprised in six months. I'm convinced of that.

But, you know, looking the other direction just for a moment, I'm really curious if you had the opportunity to meet your younger self, would you take that opportunity? And what advice might you have for yourself? That's a good question. For the second part, I kind of know.

But the first question, it's a very good question. You meet yourself, then your younger self actually knows how your older self is going to be. So am I actually eliminating time lines that, I don't know, it's a very tricky question. You're changing yourself, but in a way that would like maybe result in a different version of yourself, which also there's a self-acceptance piece to this question that's like very maybe uncomfortable for folks that are very comfortable in themselves.

Yeah, so it's a very good question. I think that, yes, it will definitely augment my previous self. I'm not sure that the law of unintended consequences will actually be in my favor in this case. So I don't know.

That's really interesting. Yeah. Okay, so if you had an opportunity to meet someone very similar to your younger self that's definitely not you, would you have any advice for them? I think that the, I mean, beside the obvious cheating of saying, hey, tomorrow's talk is going to go up and just, of course, this is not an advice to anybody, but I would probably say, at least in our space, I would probably say that it's really about taking risks.

And while keeping it safe makes a lot of sense, part of this journey is really about taking the risk and be able to go to sleep and actually sleep. It's not as easy as it sounds. And, yeah, self-acceptance is definitely something that I know that a lot are struggling with. I love the piece on risks.

It resonates really well with a lot of my life experiences. And I'm a motorcycle rider, so every time you jump on one of those things, it's a ginormous risk, but I just couldn't imagine life without it. But that doesn't mean you need to be stupid, right? You can always put on armor.

There's this saying, like, all the gear all the time, which kind of goes along with our discussion around, like, security. We don't need to take astronomical risks, but you need to be prepared for the inevitable. There are advantages definitely for my motorcycle, for sure. Not necessarily in the wintertime.

Sasha, you ride motorcycles too, right? Occasionally. I was going to say that isn't that is what security all about. It's managing the risk.

It's a scale. It's in any product, security is usually there for a reason. And that reason is to protect the crown jewels and protect the business. But it's a scale in a sense that we have to be very careful about how much of the overhead security can add.

Because oftentimes security can be seen as an overhead. It can be seen as the slowdown of innovation or slowdown of the business or where business wants to go. And I think, Neatsun, you touched on this. It's very important that security is an integral part that is very seamless.

It shouldn't introduce friction, but rather it should add value while being very seamlessly integrated in the background. I've got like similar but a bit different perspective. So usually it's not the security that is slowing the business. It's a vague decision to do something or to block something because of a past experience or regulation or fear that prevents you to do something from great.

I had the opportunity to talk with a few CISOs that went into the regulators and say, hey, look, this is a really, really bad idea. I want to explain to you this is not what I'm going to do. This is what I'm going to do. Instead, this is actually a better risk profile.

Even though it sounds just on the surface as a bad idea, it's actually a very, very good idea because. And if you've got the strategy taking you from

90. How Two Marines Cracked the Defense Tech Industry (Reveal Technologies) ›