WEBVTT

00:00:00.360 --> 00:00:16.200
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Dror Davidoff. He is the co-founder and CEO of Aqua Security. We're going to be taking a look back at 2022, as well as the look ahead to 2023. Good morning, Dror. How are you?

00:00:17.070 --> 00:00:19.350
Dror Davidoff: Hi, good morning, Mike. Very good to be here. Thank you.

00:00:20.220 --> 00:00:33.600
Michael Novinson: Thank you so much for making the time. I wanted to start by talking about what happened in 2022 - you had announced that in October, you had more than doubled your revenue at Aqua. Wanted to get a sense from you off the top of what were the key drivers of that.

00:00:33.750 --> 00:01:44.730
Dror Davidoff: External macro factors have changed dramatically. But with the company still enjoying a very good momentum, a very good growth in the last 18 months, the company, like you said, more than doubled its revenues, more than doubled its employee base, we made a very important acquisition in late 2021. And we're starting to see the fruit of that in our operation. So what's the driver for that is demand for cloud services. More and more companies are moving to the cloud or growing the footprint in the cloud. And when they do that, they will need to do it in a secure way. So they're looking for the new cloud security tools to secure their application, to secure their cloud infrastructure. And Aqua is a leading provider of that. So the combination of strong demand for cloud services with the very clear need for security, new means of security of those services, creates very good demand. So, you know, we enjoyed very good growth in the last 18 months, but we predicted that we will continue the same momentum looking for the next 12 months the same way.

00:01:46.110 --> 00:01:52.710
Michael Novinson: You alluded to the acquisition of Argon Security that you made in December of last year. What has Argon allowed you to do at Aqua?

00:01:53.850 --> 00:03:38.670
Dror Davidoff: So Argon was a young, very innovative solution for software supply chain security. So this is a relatively new problem of dealing with a supply chain, the software supply chain. There were a lot of changes in the last - let's call it - decade in the way software is being developed and put together. And it now involves many more components that come from third party, a lot of open source, the pace of a software development and the way it's being pushed into the production environment and change radically. And all these different changes. Now when you look at the tool chain and the sequence of things that happen in the build phase of any software application, if there are a lot of risk factors involved there, this whole area was built in different silos. There were solution, looking at the code vulnerabilities and code scanning in different bits and bytes. Over the last few years, the notion of looking at the entire supply chain to look at the tool chain and different, the CI/CD and all the different plugs in the different sources of software components that are being brought in, the notion of debt is one problem. From a security perspective, there are a few companies. Argon was a leading innovator index. Late last year, we joined forces, we acquired Argon and very natively integrated into the Aqua platform. So for us it was a natural extension of things that we did before. We just added more capabilities together with Argon and we now have probably the most comprehensive software supply chain security for cloud-native application in the market.

00:03:40.500 --> 00:03:47.190
Michael Novinson: So what's different about doing supply chain work around cloud native applications versus more traditional on-premises environments?

00:03:48.120 --> 00:05:24.540
Dror Davidoff: So, on-premises environments are still managed in more traditional ways. Things are much more siloed, there is a clear distinction between the development phase and the production phase, if the internal quality has been in development. Weights package is still handled in, you know, the traditional way. The cloud introduced a lot of changes into that and in a cloud native environment where you create application, package them and very quickly push them into production, something in a matter of hours, what used to be months. You know, shortening the cycles have created one big change. Another thing that they created - a change - and this is true for everything, but more so in a cloud native environment is the amount of open-source components - there is an exponential growth. It used to be that organization would refrain completely from using open source to a situation where more than 60% of the code is actually based on open source, right? So the amount of open source creates again an exposure because you need to understand who handled the open source, what is the thought, what is the latest and greatest version. And it's an ongoing issue. So you constantly pull different components of code from open-source repositories so that, you know, those changes created some unique challenges within the cloud environment, the cloud native application environment. It is true for more and more environments, but in the cloud area, this is where we see the biggest exposure of the problem.

00:05:26.490 --> 00:05:36.240
Michael Novinson: Interesting, and I know that was through acquisition. What about from an organic perspective? What new capability, what new feature are you most proud of that you've rolled out here in 2022?

00:05:37.530 --> 00:07:03.630
Dror Davidoff: So in 2022, there were few things that we did. So you know, we continue our journey to create a platform that will secure application from code to production. So connecting a lot of the dots. So two very important things that we did this year is one, we, in our platform, we have a lot of capabilities of connecting the dots, we call it the Aqua hub. This is where we collect information from different parts of the application lifecycle, and create a much better security posture for the entire application and understanding where the problem is, how to prioritize, providing a lot of insights. So this type of capability is something that we enhanced significantly this year. Another area of a huge progress is around the runtime control. So Aqua is the innovator of cloud workload controls, runtime controls, I'm sorry. And they, you know, we constantly added more capabilities. In our six years, we are now in this year, in 2022, we released the third generation of our enforcement capabilities, which is entirely based on eBPF technology. And that was a huge step forward for us as far as our way to deploy on very large scale and become much more efficient with a much smaller footprint for our customers. So providing better security, with more and more efficient way. So that was another big release equity this year.

00:07:04.110 --> 00:07:18.750
Michael Novinson: So now when you're talking about the market landscape, you've got Orca and Wiz and Lacework and some other folks in this cloud security world. What do you feel is the biggest differentiator in terms of how you and Aqua are taking on cloud security versus some of your peers?

00:07:20.100 --> 00:08:03.870
Dror Davidoff: So yes, it's a very vibrant ecosystem. I think many of the players are focused on some specific use cases and their requirement, where Aqua is looking at a much more holistic view. So we started in the runtime controls, but we, over time, extended and shifted left our capabilities. And we now have the most comprehensive platform from a dev to production. When you look at our competitors, they are much more focused on specific use case. And they are doing that. We closed some of the gaps with the competition, but I think they will have to expand and create their own solution, because the market will require that.

00:08:05.940 --> 00:08:14.340
Michael Novinson: I see. Let's turn and talk about 2023 here. So out of the gate, what do you see as the biggest market opportunity for Aqua in the year to come?

00:08:16.140 --> 00:10:52.860
Dror Davidoff: So I think there are multiple things, you know, top three of mind, number one, we spoke about supply chain. I think supply chain, the awareness of the challenges around software supply chain, is increasing in organizations. Now across the board, this is now a top priority for all of them. On top of that, there is a - the Biden administration just released an executive order with specific requirements about the SBOM, the software bill of materials, so you need to be able to comply with, you know, in report, the specific of the components and the software build up that any application has, and address some of the big risks around software supply chain. And right now it's an executive order, assuming nothing will become a regulatory requirement. And I think that will push many, many organization to quickly find good solution for that. So for us, this is a huge opportunity. And that will be top of mind for many CISOs in the U.S. and globally. The second, a very big area, is when you think about cloud in general and you know, everyone are moving to the cloud and everyone are moving cloud services, evolved in a very disparate ways there. You know, there was a proliferation of cloud services, different groups, different application are using different things. Same thing happened with cloud security. So we see, one, you know, a midsize and in the higher organization that will have multiple sets of tools, sometimes doing the exact same things for different groups within the same organization. I think what we will find now that in order to achieve better security and better consistency, security practitioners, we look for standardization across the organization. So number one for the different areas, select the best and the more appropriate tools, but then also look for areas where they can consolidate. And rather than have two or three or four siloed niche solutions, actually look for one platform that can solve a bigger problem in a more effective and efficient way. If you add on top of that, the overall financial macro conditions, and they think that people are looking also for better efficiencies, better budget spent, that will only accelerate the quest to integrate and consolidate different solutions into one place.

00:10:54.000 --> 00:11:12.270
Michael Novinson: So I asked you in terms of, you mentioned the Biden administration's executive order around the software bill of materials or SBOM. What are some of the biggest challenges that creates for organizations, particularly organizations in the cloud? And what are they looking for from technology providers is that year around, SBOM becomes a regulatory requirement?

00:11:13.590 --> 00:12:41.460
Dror Davidoff: Right. So as we mentioned, organization now, in the development phase, they are pulling a lot of software component from either third party or from open source. Now based on the executive order, they need to prove what is the source. And do they have the right reputation? Are you using the right thing? In? Am I as a consumer of your software can now validate? Where did it come from? Can I trust this code? Or can I not trust this code, based on my security requirements? So it just creates much better transparency, if you think about. It's almost like to have the instruction on the team, right? What are the different ingredients? And then I can decide, okay, can I take it or not take it. So it just creates a much more transparent way of delivering software, it's not no longer a black box. And I think it's also a mental change in the way that software is being built and then shipped, because it's no longer a black box, you now need to be able to demonstrate what are the components? And where did you get it? And are they trustworthy, or not? etc? What is the reputation? And I think it's only a start, I think we will see more of that when you think about the software supply chain. The executive order is not the final thing, but it's definitely a very important step to make software as a whole more secure.

00:12:42.120 --> 00:12:47.730
Michael Novinson: So what do you feel will be some of the toughest challenges that customers will have to deal with in the year to come?

00:12:49.260 --> 00:13:55.170
Dror Davidoff: I think, you know, obviously, the macroeconomic condition, budget tightening, security is still top of mind. So we look for efficiencies, they will look for much better ROI. So, you know, many times, in previous times or in previous years, a ROI was pushed aside based on new trends or a requirement that were not justifiable all the way. I think in today's economy, any piece of software, including in security, will have to have good justification. So we look for good returns, good value for the solution that they're using. What is the ROI on the different tools? And where can I create better efficiencies to consolidate, to standardize on specific tools to look more for a platform solution rather than a specific in a siloed solution that then create a lot of overhead for the organization in putting it all together? So I think efficiency for security will also become a huge topic in 23.

00:13:56.400 --> 00:14:01.140
Michael Novinson: I see. Finally here, what do you feel is the key to success for your customers in 2023?

00:14:01.650 --> 00:14:56.940
Dror Davidoff: In the cloud world, I don't know to say in other words, but I think in the cloud world, what we can think is that, you know, everyone are on a learning journey, right? The cloud is very new, the service is very new, the security challenges are very new. So, everyone are on this learning journey, I think in growing the awareness understanding better what are the exact problem and what is the right solution is still a challenge and a lot of organization are still in their learning more than in experiment, in the exploring for the right solution. I think in 23, we see the market take another big step forward as far as maturity and you know the definition will be set better for what is cloud security and hence they will be able to focus more than actually putting the right tools in place and executing with them. So the next step in maturity, I think we will see that in 23.

00:14:58.110 --> 00:15:03.330
Michael Novinson: Interesting. Will definitely be an exciting space to watch. Dror, thank you so much here for the time.

00:15:03.750 --> 00:15:04.740
Dror Davidoff: Michael, thank you.

00:15:05.430 --> 00:15:14.610
Michael Novinson: We've been speaking with Dror Davidoff. He is the co-founder and CEO at Aqua Security. For Information Security Media Group, this is Michael Novinson. Have a nice day.