KubeCon 2023: Bridging the AppSec Tools Gap
2023-11-29 04:30:1 Author: securityboulevard.com

Alan Shimel: Hey everyone, it’s Alan Shimel, Tech Strong TV, and we’re back here live at KubeCon in the windy city of Chicago. It wasn’t that windy out. It was actually pretty warm this morning. I thought it was going to be worse. So we’re really happy about that. I am joined by Payton O’Neal, Director of Marketing at Apiiro. Payton, first of all, thank you for coming.

Payton O’Neal: Thank you.

Alan Shimel: We’ve been working with Payton … Well-

Payton O’Neal: Long time.

Alan Shimel: Even before you were at Apiiro. Yeah, a long time. And coming here to KubeCon, it is about seeing a lot of old friends. Apiiro is a company we’ve been working with for a while too, but I realize not everyone is going to be familiar with Apiiro. So why don’t we start there if it’s okay, Payton?


Payton O’Neal: Sure.

Alan Shimel: Give us a little bit of Apiiro background.

Payton O’Neal: Sure. So Apiiro, this is our second KubeCon, North America application security space. We definitely are sort of bridging the gap between developers and application security teams, but really trying to solve two core problems.

One is that traditional AppSec tools suck. They create a lot of noise. This is a known problem in the space. Everyone this year is talking about noise, reducing noise, cutting through the noise. But two, which is a problem we don’t talk about as much is all of the processes that AppSec teams rely on to understand their application attack surfaces, and ultimately prevent attacks, breaches, et cetera.

We flip that model on its head. We’re taking a very risk-based approach. Of course, everyone’s saying risk-based approach. What does that mean? It means understanding context of your application and your business to define what really is a risk, and then use that to take action, whether it’s shifting left, so giving that feedback to developers earlier in the development lifecycle or alerting your application security team, or even using a design flaw that we determine is high risk to trigger a threat model or even add to your pen test scope.

So those are the two main spaces, and it’s kind of an emerging market. Application security posture management, really just kind of well-defined this year. We’re excited to see where it goes next year. There’s a lot of vendors in this space already. If there’s one thing AppSec is good at, it’s-

Alan Shimel: Attracting vendors.

Payton O’Neal: Attracting vendors.

Alan Shimel: Well, so I’ve been in the security space a long time, as you know. So from a VC point of view, or the glass half full point of view is because no one’s doing it right. If someone was doing it right, you would have the traditional three vendors and that’s it.

Payton O’Neal: Totally.

Alan Shimel: So that’s the mark of an emerging market with vendors who have not quite solved-

Payton O’Neal: And it’s a trickle effect of you had the Veracodes and traditional SAST tools.

Alan Shimel: Well, the old app. So as you said, AppSec was noisy. When we talk about noisy, it’s more than noisy. The problem is it generates so much data that it’s not just the noise, it’s the signal to noise ratio.

Payton O’Neal: Totally.

Alan Shimel: Right? So if you have a lot of noise, but there’s a lot of nuggets there, great. But when you have to look for that needle in the haystack.

Payton O’Neal: Exactly.

Alan Shimel: It doesn’t work. Now, some people will tell you, “Oh, we have AI or we have ML or whatever that finds the needles in the haystacks for you.” Again, they talk that game, but we don’t really see the answer to that.

Payton O’Neal: Yeah.

Alan Shimel: So that’s an issue.

Payton O’Neal: It’s not a silver bullet. Yeah. So it’s both about bringing all of those signals together. So you do have a unified control plane to see everything in one place. And then our approach that’s a little bit different from some other vendors is going really, really deep on the context.

So both in code. So understanding where PII exists, being able to extrapolate every type of application component, language, framework, technology, and then also connecting to your running [inaudible 00:04:29] clusters or API gateways to get that runtime context.

Is it deployed? Is it internet facing? You need all of these factors to be able to say, “This is a risk that I need to address right now, or that I’m going to block a build or block a pull request for.” Unfortunately, DevSecOps tried to shift security left, but it really just shifted the same problem left.

Alan Shimel: Well, it shift … Right. Well, what it did is it put security on the back of the developer who was probably already overworked.

Payton O’Neal: Exactly.

Alan Shimel: I think what we’ve seen, Payton, is a lot of, even the AppSec vendors. I did a Tech Strong TV, we do this video series called DevOps Unbound, and we had one on AppSec recently, and I saw a different tune.

Actually, it wasn’t DevOps Unbound, it was our SecOps virtual event, and I did a panel on there about … It was called the SOC and the NOC.

Payton O’Neal: Okay.

Alan Shimel: Little Dr. Seuss thing. Even the AppSec vendors were saying, “We got to shift all over. You can’t just shift left. You got to shift everywhere.” And I think that’s a theme that’s up and coming of, look, we got to go where the problems are in security. Software supply chain security, the SBOM stuff, the observability, security issues. These are all things that-

Payton O’Neal: They’re all interconnected.

Alan Shimel: Right. They all …

Payton O’Neal: Risk is multidimensional. Attackers don’t think in CVEs or-

Alan Shimel: No. Nor do they think about, “Oh, I want to exploit what this vendor does, not what that vendor does.”

Payton O’Neal: Right.

Alan Shimel: So you guys are here at the show. I know it’s early on Tuesday here.

Payton O’Neal: It is. Just opened the door.

Alan Shimel: What do you think so far?

Payton O’Neal: It’s great. Detroit was quieter last year.

Alan Shimel: Detroit was the first after-Covid one. I think Covid is, no one gives a crap about it anymore. So I was in Amsterdam. You didn’t do Amsterdam?

Payton O’Neal: No, we didn’t do Amsterdam.

Alan Shimel: It was more like this, though European.

Payton O’Neal: Yeah.

Alan Shimel: Food was better. Not really. Amsterdam was okay, but Chicago’s good food too. No dissing Chicago.

Payton O’Neal: Yeah. It’s amazing. But it’s great to see so many security vendors here.

Alan Shimel: It’s a very strong security.

Payton O’Neal: Over the past couple of years, you’ve just seen such an influx, first with more of the infrastructure security, cloud security shifting left. My previous company created Checkov, an open source tool.

Alan Shimel: Yeah sure.

Payton O’Neal: And now application security joining the team. We have tons and tons of vendors, so it’s good to see.

Alan Shimel: Because I think what it is, we’ve seen a shift from a really very dev-centric KubeCon to ops-centric, and I think that security’s part of that.

Payton O’Neal: Yep. All the projects around open source security and supply chain security, all of these are interconnected and the cloud native ecosystem relies on all of these components. So we need to be here.

Alan Shimel: It’s also the primacy of security. Security’s a priority. So now you guys didn’t have necessarily an announcement here, but I know you guys got some stuff in the works.

Payton O’Neal: We’re working on some stuff.

Alan Shimel: I don’t want to get you in trouble.

Payton O’Neal: No trouble.

Alan Shimel: It’s just you and I. No one else is here.

Payton O’Neal: No one here, nobody.

Alan Shimel: What do you guys got working on? Whatever you can tell us.

Payton O’Neal: A natural progression of this market, and a lot of vendors are already starting to combine more and more elements. Having native context is really important for the core components of cloud native applications.

So APIs, very, very important to have a strong understanding of your inventory. Open source dependencies, obviously the percentage of usage in code bases is whatever, 90%, whatever they’re saying now. And pipelines and source control managers are the next part of that.

Alan Shimel: Yeah, absolutely.

Payton O’Neal: Completing our coverage there, having a really strong story about being able to connect all of those potential risks into what might be a toxic combination that an attacker could easily use to get in the front door and some more. I’ll stop there. [inaudible 00:08:45]

Alan Shimel: Yeah. Otherwise, we won’t have you on next year. Let’s talk about this now. So this is KubeCon. Where else, if people want to, maybe are planning on going to some conferences, will you guys be? Maybe at re:Invent or RSA or any of these shows?

Payton O’Neal: So re:Invent is a tricky one in AppSec. There’s really, if you look at the partners of AWS in AppSec, there’s really not that many. We are working on having a tighter alignment there, more to come there, but of course always the RSAs, always the Black Hats. We do a lot with OWASP. They’re a solid foundation that’s been around for a long time.

Alan Shimel: They are. Absolutely.

Payton O’Neal: There’s some synergies of course with the CNCF and Linux and OWASP. So yeah, regional events. Love them. KubeCon is always a favorite.

Alan Shimel: And of course, if people can’t get to see you in person, they go on the web. It’s apiiro.com.

Payton O’Neal: Yep.

Alan Shimel: And they could find out about all these things happening that you’re hinting at.

Payton O’Neal: Of course. Follow us on LinkedIn.

Alan Shimel: So keep your eye on apiiro.com. Or look, you can catch it on, well, you guys are on Security Boulevard. You hit all our bases.

Payton O’Neal: Of course.

Alan Shimel: Security Boulevard, devops.com, Cloud Native Now. They’re on all of them.

Payton O’Neal: Of course.

Alan Shimel: Payton, enjoy the show.

Payton O’Neal: Thanks for having me.

Alan Shimel: It’s a pleasure to have you here.

Payton O’Neal: Always.

Alan Shimel: Apiiro.com. Check it out. We’re live in Chicago. We’re shooting out, so you can see some of the traffic here. It’s a busy show floor.

Payton O’Neal: It is. Sure is. All right.

Alan Shimel: Thank you.

Payton O’Neal: Thanks for having me.

Alan Shimel: All right. We’re going to take a break. We’ll be back here in a second live at KubeCon, CloudNativeCon. This is Alan Shimel. We’re out.

Article source: https://securityboulevard.com/2023/11/kubecon-2023-briding-the-appsec-tools-gap/