Developers should be on the front lines of cyber security. How do they do it? On a recent episode of TechRepublic’s Dynamic Developer, I spoke with Guy Podjarny, founder and president of Snyk, and Willie Tejada, GM of ISV and Build Partners and chief developer advocate for IBM, about just that. Podjarny and Tejada shared their thoughts on the current cybersecurity threat landscape, why partnerships like the one between IBM and Snyk are crucial for combating cyberthreats, and the critical role developers and open source play.
The following is a transcript of the interview, edited for readability.
The cybersecurity threat landscape has evolved in important ways
Bill Detwiler: All right. Well, let’s get right to it. And so we know how important cybersecurity is, and not just to companies, but to the U.S. as a nation. It’s been in the news a lot in the last several years, not like it always hasn’t been. As an old IT guy, we were talking about this 20, 30 years ago. So, let’s start by looking at kind of the landscape that we face today, the threat landscape that we face today, the importance of cybersecurity, and why the partnerships are so important in addressing those threats. So Willie, maybe I’ll start with you.
Willie Tejada: Bill, it’s timely given everything that we have actually going on, and I’m sure we’ll talk a little bit more about it. But just to give you an idea of size and scope, IBM’s security business probably sees 150 billion events that are candidates for some type of cyber-compromise. And that’s across about 17,500 organizations. The interesting part about where IBM is actually headed is, security and what we actually do in security is about protecting the surface area. What I mean by surface area, it’s everything from your mobile device to your desktop to everything actually in between. So, you think about that surface area. What we experienced when we went into the pandemic was that the surface area got a bit broader, given everybody working remotely. Then when you couple that with something like IBM’s core strategy, which is a hybrid cloud approach, which means that our enterprises work with not just IBM’s software and cloud, but also work with AWS’s cloud, work with Azure’s cloud, the surface area actually gets to be quite broad from that standpoint.
But it’s probably as important, and one of the reasons why we’ve been collaborating with Snyk is that we’re also in this new era of just the software supply chain and how things get built and utilizing open source as a key element in what we’re actually building. And so, I think it requires a developer first mentality, because right there, you’re actually working with a new way to develop software in this open era. And Snyk’s a very unique approach going after that. So, while the cyber landscape has been evolving just in terms of protecting the surface area, one of the things that we can actually do to combat that is to go right when software’s developed. I think Guy has some pretty strong opinions in relation to that, but he’s built a company that’s focused in that particular area. You might just ask Guy to actually comment a little bit about that particular area, because I think it’s one that’s evolving to be of utmost importance relative to enterprises we work with.
Guy Podjarny: I think Willie teed it up great in the sense that cyber is expanding. The attack surface is changing. And I think with that, what’s happening is that on one hand, you have sort of all the businesses and everything around what we do becoming increasingly digital. And that means that it is controlled and decided upon by applications. And that logic, those decisions are really defined by the developers building those applications. Those are the apps that move around kind of a lot of those kinds of digital aspects of our lives, which is increasingly a lot of them, and digital aspects of our businesses. And on the other end, what’s happening is that the rate of change is accelerating. So, not only has it changed, it’s continuing to change, and it’s changing at an accelerated pace.
And that’s sort of a core paradigm that’s happening right now in terms of business innovation. And generally, it’s a good thing. You talk about software supply chain and around just sort of this reuse of open source technology and other components. That’s not a bad thing. It’s a great thing. It kind of helps move innovation faster. You don’t have to reinvent the wheel. You get to sort of build these amazing things. But it means that the way we do security needs to adapt. It needs to catch up to this faster pace, and just how much of it originates in these kinds of developer land kind of setups. Really how many of these decisions are made in that developer environment in which the code gets written.
When you look at Snyk and Snyk’s kind of whole ethos is to say, “Well, that’s the core. That’s the heart. You have to be developer-first.” And the meaning of that, one of my favorite things to do is to talk to a chief security officer and say, “Yes, you’re kind of here to sort of help secure the organization and you are the one likely to sign the check, but you’re not the most important user of the product.” Because the most important user of the product, the biggest risk we both face is the developers don’t actually pick it up. When CISOs are looking to sort of embrace this sort of new approach to security, they’re looking to roll out security and build that into how they build their technologies, their applications. Their biggest challenge is to get developers to actually embrace it, to actually build that in.
And so when we think about cybersecurity as a whole, we think about the industry, we think about how it changed and the need to adapt to it. You need to embrace more of that approach. You need to build tools that are really developer tools that tackle security. We try to do our own here in Snyk, in terms of helping developers secure what they do. And really, what you want to eventually do is … developers are not going to become security experts overnight. Developers need to do a lot of things, including innovate and help your business thrive. And so they’re not going to become security experts. It’s not going to become the primary job they do. The primary job they do is to kind of create customer value. We need to make it easier for them. We need to simplify it.
We need to kind of change our approach to cybersecurity to be developer-centric, to think about a lot of those surrounding functions, sort of help think, how do we help make that simpler? And to me, if I just sort of close the loop a little bit on that sort of cybersecurity problem, not only do I think it’s the right way to secure your apps, I think fundamentally, we have to change the game. There’s kind of a cat-and-mouse game here, or whatever, a race going on between the attackers and the defenders. And if we keep patching things up post-deployment, we’re never going to win. And so you have to embrace more and more of that. Of course, it’s also critical to kind of partner it early on. The one thing I would say is, what I’ve described right now and what Willie described, these are massive problems.
You asked, Bill, before about, kind of, collaboration, why we’re together. And I think what I most love about the developer tooling ecosystem, it’s a bit better in the dev tooling space than in security, but I think this is a part of embracing a dev tooling approach, is the collaboration. It’s the acknowledgement that we’re talking about, changing the kind of the ecosystem. Developers are using IBM products. They’re using these platforms. They’re using these developer tools. They’re using the Red Hat platform to run their containers. They’re doing all these different bits of work. And they can’t go elsewhere to secure stuff. We need to come to them as part of that simplification. And so for us, this notion of partnering, and IBM’s a great partner in that, is around building security in and allowing them to kind of level up, right? It’s like build in the security competencies you need in the day to day, and then provide you with that sort of next step of support when you want to look at things in a broader fashion, sort of step outside to the specific activity you’re doing right now.
How do you convince developers to build security into their apps from the very beginning?
Bill Detwiler: I’d love to get a follow-up from you on that one, Guy, and then you, Willie, which is how do you make that transition within an organization that doesn’t necessarily, as you both said, have a history of building security into the apps from the very beginning. So, it is a little bit of a reeducation. It’s a little bit of explaining why it’s important. It’s a little bit of explaining, giving people the tools, developers, the tools to actually build secure apps, because for decades, it was, “Oh, we’ll just put this out. We want it to work quickly. We want it to work well. We want it to look good, provide a good customer experience. And then we’ll let the network admins, we’ll let the security professionals, we’ll let other folks worry about securing the app.”
But that’s just not the way, as you both have said, that we can operate anymore. So, how do you go about convincing maybe developers that hadn’t thought about building security in their apps from the beginning, from doing it in the organizations, that that’s the right thing to do? So Guy, first to you, and then Willie, I’d love to hear what you think there, too.
Guy Podjarny: Yeah, for sure. So first of all, you’re asking the right question, which is, it’s the how. So already, you’re kind of in a good place, which is, “I acknowledge this needs to happen. Now how do I make it a reality?” Fundamentally, there’s the organization answer and the ecosystem answer. As an ecosystem, we need to work to make things easier. So we need to provide indeed tooling and platforms that just make this technology change less daunting. You want to, sort of, make it a bit simpler for developers to actually kind of pick it up. But the bigger kind of challenge really typically comes in their organization and the cultural shift that they do. And really, fundamentally, again, aside from investing in the right sort of tooling and technologies to do this, you want to take a breadth and a depth approach.
When you think about developer tools and how they get adopted, they don’t tend to get adopted just by doing some minimum level across the entire org of using some tool minimally. What typically happens is that you have some shining stars. There are some teams that lead the charge and they become masters in a certain practice, in a certain tool. They become methodologies and they become the role model for much of the rest of the organization about how to do that correctly, and importantly, how the business benefits from it, how, because they’ve done it in this fashion, you actually get some monetary, some true bottom-line results that get better from it. And then at the same time, you have a lot of these drivers because you want to embrace cloud technologies and all these new technologies that drive you towards going breadth, to saying, “OK, I need to understand what is the minimal set of developer involvement that I need to have in order to be able to unblock cloud transformation, cloud adoption, to allow all the applications?”
So really, fundamentally, for organizations that have accepted this need, I’d say they need to think in these two swim lanes, on one hand, find their shining stars, find their role models and invest in them and help them really kind of get great at it and celebrate that success. And then the second is, ensure everybody, work with everybody to get to level one, to just embrace that and build that up.
And Willie, what do you think?
Willie Tejada: You pointed to two things. One is, developers are about going to where they are. One of the things, roughly, that I think Snyk did a really fantastic job of was taking a look at how most of the developers actually do their development work right now. What are the tools they use? What are the tool trainings that they’re familiar with? And then as you mentioned, the open-source community actually is a community that replicates the individuals who have eminence, just as Guy actually mentioned.
So, what ends up happening is, when you achieve a level of eminence, actually, in those communities, folks will follow exactly what are you using? What’s the process of methodology that you’re using? And so one of the first things, to that point, in terms of getting the adoption, meeting them where they are, and then influencing in many cases, those folks who have eminence to gain that adoption. I think, in many ways, when you apply what Snyk has done and just take the approach and apply AI roughly actually to the process, there’s kind of three fundamental things that I think, at the macro level, we’re looking at doing in terms of development.
One is, securing the software supply chains. And that’s number one, actually, in doing that. And we can… Applying AI can do a lot more automating open source security management and things of that sort in that particular area. By doing it and doing it in a system approach, we can actually then apply AI, actually, as these systems become more resilient. I think the last IBM report in terms of the cost of a data breach report actually listed that the time to detection and containment was about 287 days. Right? When you think about it from that standpoint, 212 to detect, 75 to contain. With Snyk, we’re going right at the beginning, right? So, in many cases, a lot of these things is, can we address security issues before we actually put this into the wild?
And so that’s actually impacting day-zero, right where it starts. And so that’s a really, really important aspect in terms of this new supply chain that we’re building. And then the last piece is just using AI in the number of these pieces to deal with the changing threats, because at the end of this, there’s another human who’s the malicious actor that’s working at this full time. And so it’s not just the defeat once, but it’s kind of keeping and being able to adapt to the changing threat landscape. And again, I think that that’s fundamentally one of the things that the developers are looking for, is one, if we can actually get them to where they do their work today, they prefer just not to be able to worry about it and just focus on innovation and development.
Open source, AI, hybrid cloud, etc. all have a role to play in cybersecurity
Bill Detwiler: How important are technologies like open source, like AI? You talked about hybrid cloud. Willie, how important are utilizing technologies like that to creating a good cybersecurity framework to work in. I was about to say solving. There is no solving. It’s always going to be a little bit of … there’s always going to be innovation. There’s always going to be development. There’s always going to be things that have to happen. But to create a more secure environment, how critical are technologies like that?
Willie Tejada: So, that’s a great question, Bill. One of the things that comes about with the open-source era is, I think folks have come to the conclusion that there’s not one company or entity that can out-innovate a thriving community. That starts in the innovation sector in terms of that. At one point, when we were kind of going old school, there were two kinds of platforms actually out there. It’s kind of like dot net and Java. I think everybody’s actually moving forward and saying, “Containers are in.” Right? Everybody’s moving actually to containers. It’s the first time we’ve kind of had agreement roughly in moving towards containers in that particular area. But back down to what you were saying, in terms of how important is something like open source, just as much as we point to that, you can’t out-innovate a thriving community.
You also can’t match the time to containment or patching of a thriving community when it comes to a vulnerability that is discovered roughly actually in software, in terms of a thriving open-source community. So, while open source, oftentimes, it’s thought of as free, it’s also probably the most resilient because of the number of developers who are contributing and how quickly they can actually deal with vulnerabilities that are in fact found. So, the way I would say it as well is, when we have partners like Snyk, who kind of have open source in their DNA, they kind of actually take it directly in saying, how do I actually bring value to a community that’s already operating in this environment?
One, adapting to what we are seeing in open source, a tremendous amount of value, roughly, actually taking advantage of the community characteristics. Applying AI all along that surface and landscape is all about kind of what Snyk and IBM are actually trying to do to operationalize that stuff, specifically kind of in both AIOps and in the other areas in that particular area. But I think, again, what it comes down to is being able to impact these technologies to where the developers already are and what they’re using today. And quite honestly, Guy could probably speak to that better than I can.
Guy Podjarny: I think the points are very well said. I’d say AI, generally, its job is to simplify. Really, these are complicated systems. They’re getting more complicated by the day. So AI is there to make things that used to be hard, easy. And I think there are actually some great innovations. There’s GPT-3 in the open-source space. We have some stuff of our own at Snyk in Snyk Code that is all about AI-powered program analysis of software. And I think we’re able to draw conclusions around what is code doing and whether it’s right or wrong better than we ever did before. And it’s progressing by leaps and bounds. Open source is fascinating. Open source has immense power and responsibility when it comes to security. It is massively, widely used because it’s so amazing, because it is free, because it’s not vendor lock-in and you can control it and all these other good reasons. It’s embraced like no commercial software ever is.
And so every vulnerability in it gets magnified because of just the sheer adoption, the sheer prevalence of that component. And at the same time, it sits with this double-edged sword, which is that some open source maintainers are not paid for their job. They might not be consistent at it. There’s no central security organization that is there to sort of equip them and work with them to help them consume them. And so it has this huge responsibility and this sort of pretty risky liability. And really, the good news, the way to sort of address that is the open-source community, and it’s really about how do we mobilize the community. And so both IBM and Snyk right now are premium members of the Open Source Security Foundation, the OpenSSF, working together. So that’s a consortium trying to kind of help build better tooling, make it easier for open source. Snyk, and much of IBM, is also free for open-source tools.
That’s actually like a great trend in the ecosystem, which is that many great tools are made available for free, for open source. Commercially, aiming for that sort of … influencing these sort of eminent projects, because they in turn help the business. But that’s a good thing. It’s a cycle here, which is we help those projects be better. And then in turn, that is visible and drives that adoption. And really just kind of mobilizing this in terms of responsibility, getting more open-source maintainers and the open source community as a whole to expect an investment in security, to standardize how you communicate that and visualize it.
And I think it’s improving. The one last bit that I’ll throw there is, open source doesn’t end at open source. I think what a lot of organizations are growing to realize is that open source isn’t free for them to consume. If you purchase software from someone, you’ve purchased it. You have someone that has your back. You can trust them to do it. If you download something off of open source, that open source maintainer doesn’t really owe you anything. They’re there and they’re giving you something great of value for you, meaning to own it. And oftentimes, that’s really where commercial vendors, Snyk and IBM included, are there to provide commercial support for you to be able to consume open source well in an enterprise-grade surrounding. And the two work well together. That’s what a thriving community looks like in it. And I guess on the challenge front, there’s many challenges, but from a trend perspective, I think there’s more collaboration around helping consume open source securely and build secure open-source components than ever before, and it’s advancing at a rapid pace.
How should developer teams be set up to build secure software?
Bill Detwiler: In the time that we have left, I’d love to wrap up with one question put to both of you, which is, if you had a bit of advice, if you had one thing to say to developers who are listening to this or developers, those people who are leading development teams who are listening, what would it be? How should they set their teams up for success in this new threat landscape and for the new threats that we’re facing now and that we’re going to face in the future? So Willie, I’ll go to you first, and then Guy, to you.
Willie Tejada: Maybe I can do a little bit of macro view and then have Guy drill down on that, because I think it starts with what you mentioned early on in the conversation, Bill. Is there a way that you can actually take, given the threat landscape, a developer-first mentality and let the development and the software supply chain next generation model actually be an ally to how you are actually limiting both the threats and stuff that actually happens kind of from the day-zero kind of scenario, because they’re building it directly actually in, or they’re utilizing tools that take away the thought process from the developer, because it’s built into the way they’re actually doing development? I think number one is to build that awareness. And then number two is to make them aware of the tools that are available out there for them to actually get their jobs done.
And then for the consideration, because again, developers get into their ways. They go through and use their normal sets of tooling and their methodologies. And so introducing, essentially, that requirement to them, asking them to be visible in relation to things that they’re doing right from the get-go. And that’s where companies like Snyk and others actually are putting together a lot of resources for the developers that they go into this next generation.
Bill Detwiler: Well, that’s great advice. And Guy, what about you? What would you add?
Guy Podjarny: I think Willie set it out very well. I guess maybe my one addition would be to developers. And the best advice is just, don’t be afraid. We make security into such a mystic thing with all of our kind of movies and fashion, and it’s a complicated space and there’s villains and you’re not going to get perfect, but you know what? Software is complicated. And for most software developers, you’ve solved problems that are just as complicated in your work. And so I’d say, you don’t need to master it day one. You just get started, start learning about some of the problems in your code. Start getting going, take some responsibility, and you’ll build it up. Operations was a very scary proposition for developers early on. Now, they’re best practices. A lot of developers take pride in their ability to build great, very operable, very instrumented software, and we’re going to get to the same place with security. It doesn’t have to be day one. So just get going, and we’ll get to good places.