Veracode CEO Sam King on Joining AppSec, Container SecurityKing Shares Why Software Smarts Trumps Infrastructure Expertise in Cloud Containers
The push to migrate applications to cloud-native architectures has driven increased use of containers and created the need for more security. Containers now face a host of vulnerabilities introduced through other software, misconfiguration and poorly managed secrets, such as Amazon Web Services credentials in Dockerfiles.
Veracode has been focusing on application security since it was founded in 2006. Veracode CEO Sam King says that application security heritage helps the company identify open-source code and known vulnerabilities in containers and fix them, while infrastructure security companies struggle to spot container software issues.
That's a differentiator for the company's new tool - providing insight into what's in the container as well as the vulnerabilities being inherited and running in production environments (see: Synopsys, Checkmarx Top Gartner MQ for App Security Testing).
"For us, everything is driven from software out, because ultimately it's about making what is in the container secure," King says. "A number of other providers that have come at this from a core outside of software security are potentially looking at it more outside in, maybe how the container is running in the runtime environment. But we are focused more on what the container contains."
In this video interview with Information Security Media Group, King also discusses:
- What the Synopsys-WhiteHat deal has meant for Veracode;
- Veracode's investments in the SCA and SBOMB markets;
- Issues for clients looking to secure their software supply chain.
King is a founding member of Veracode and has played a significant role in the company's growth trajectory over the past 16 years, helping to mature it from a small startup to a company with a more than $2.5 billion valuation. Under her leadership, Veracode has been recognized with several industry distinctions, including a nine-time consecutive leader in the Gartner Magic Quadrant, leader in the Forrester SAST Wave, and a Gartner Peer Insights Customer Choice for Application Security. Prior to Veracode, King held leadership positions in cybersecurity and technology companies including Verisign and Razorfish. She currently sits on the board of Progress Software and ZeroFox.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Sam King. She is the CEO at Veracode. Good morning, Sam, how are you?
Sam King: Doing good. How are you doing, Michael?
Novinson: I'm doing really well, thanks so much for taking the time.
King: No problem.
Novinson: Wanted to dive in here. Just last month, you, at Veracode, had announced a container security offering. And I wanted to give a little bit more color around why you decided to invest into container security, first off, and then secondly, what do you feel differentiates your approach to container security from some of the other players in the market?
King: Yeah. So the reason that we did this is that we are looking at the ways in which our customers are developing and deploying software and with the massive move to cloud-native and new application development, starting with cloud-native principles in mind, and a lot of migration going on of monolithic applications into microservices, etc. that are ultimately being transformed to run in cloud-native architectures, there's increasing use of containers. And it is an area that we wanted to extend our security solutions to. And the approach that we have taken is we ultimately are all about building a bridge between the security team and the development team. So we think that both those constituencies matter tremendously if we're going to get software security done the right way in the future. So what we have come out with is a capability that is extremely easy for developers to use, you can use it to a command line interface, and it gives you very quick results where you can get intelligence on what you've got in your container, what might be some of the vulnerabilities that are present in there. But then also provide it in such a way that the security team can, overtime, get information around what kind of software has been developed, and what kind of policies are being practiced in the organization.
Novinson: So you moved into the container security space from your heritage and application security. And I was wondering what do you feel the benefits are from that versus - we've seen, obviously, a number of standalone container security startups as well as cloud security companies, CSPM, SIEM, CASB companies move into container security. What's the benefit about moving into container security from the application space versus the cloud space?
King: Yeah, great question. Because with things like container security and so forth, you see a little bit of migration into those areas from people that do software security, as well as people that do infrastructure security, right? So for us, everything is about securing software. So we approach all problems software-out, right? So we're not saying, "Hey, here's a set of infrastructure-level vulnerabilities that we're providing to you. And here's a little something that we can tell you about containers or your infrastructure as code," etc. right? We're approaching everything from the standpoint of what makes up the software, what's in that container, how much of that is your code, how much of that is open-source code, what are the vulnerabilities that are present in it, what are the known vulnerabilities, how do you go fix those vulnerabilities. So for us, everything is driven from software-out because ultimately, it's about making what is in the container secure. Whereas, I think a number of other providers that have come at this from whatever their core was outside of software security, or potentially looking at it more outside-in, looking at maybe how the container is running in the runtime environment, and so forth. Whereas we are focused more on what does the container contain. And what are the vulnerabilities you are inheriting and therefore running in your production environment as a result of that.
Novinson: Interesting. Want to get a sense from the standpoint of existing customers who've been using you for application security today. What are the primary benefits of them buying into your container security offering, an extender capability with Veracode?
King: Yeah, I mean, listen, one benefit, which is more a business benefit really than a technology benefit, is now more than ever before, I hear a strong desire for simplifying your cybersecurity program as a whole. And part of that simplification comes from consolidating with a certain number of key vendors because one of the things that I'm sure you observed, Michael, is that the cybersecurity industry is very fragmented. It's very noisy, right? But there's the next gen of the next gen of the next gen and enterprises, sometimes they're using over hundred security vendors to solve this problem. And so increasingly, I'm hearing enterprises say, "This is madness. We need to standardize around a set of key strategic partners that are going to solve our problems in cybersecurity for, let's say, software or endpoint or infrastructure or what have you." So in this case, one of the value propositions that we're offering is customers that have been utilizing us for testing their software applications, whether it was software applications they built or open-source code or what have you, can now also extend to users, a known party or trusted party to also do container security.
Novinson: I see, why don't you discuss this well. Back in August, you'd announced extended integrations around SCA (software composition analysis), as well as the API for SBOM. I was wondering why, first off, why were those areas of focus from an integration standpoint for you?
King: Yeah. So a term that is almost inescapable now, when you're talking about software security is software supply chain security, right? That topic has come to the forefront, especially this year in 2022, more so than at any other period of time prior to that. Now, that's not because vulnerabilities in the software supply chain didn't exist prior to 2022. They did. It's just that they got mainstage and a lot of attention with some of the events that we saw happen this year, right. So software supply chain security is a really high-priority item for the customers that we're working with. And it's for good reason. Because when they look at what makes up their software infrastructure, the software that they're relying on as an organization, a good portion of it is software that they didn't build, it's either open-source code, or it's commercial, third-party code that they're reusing. So the extended software supply chain becomes increasingly important to what is their posture around software security. So for us, taking something like SCA (software composition analysis), and being able to offer that at the earliest stages of the software development lifecycle where developer is making a decision around what they're going to include in their code is really powerful, because we are shifting software supply chain security solutions left as well, right? So that was the reason why we really worked hard to talk about, and think about, how should you take SCA and integrate it into the earliest stages of the software development lifecycle, and then our move to provide SBOM through APIs and just the functionality around a software bill of materials is to help organizations satisfy some of the requirements that have been put out in the executive order. That was issued last year, as well as, just giving organizations a way to demonstrate that they know what makes up their software infrastructure, and in doing so, be able to demonstrate that they're using the secure versions of various libraries and things like that. So we're really trying to further the solutions that people are bringing to bear on the software supply chain topic.
Novinson: As you mentioned, it has been a major topic of conversation this year, in particular, also last year on software supply chain. What do you feel is different about your approach, particularly to the SBOM issue, in wake of the EO? What do you feel is different about how you're approaching next month versus what else you see in the market.
King: Michael, for us, it's a similar answer to what I shared earlier around container security. For us, it's all about software-out, right? So we are looking at the code at its DNA level, if you will. We do, you know, binary analysis, which allows us to look at dependencies and so forth. And so what we are trying to provide is deep insight into what is the code that you have, and not just the code that you've written, but the code that you are ultimately dependent on because of various dependencies, transitive dependencies, and so forth, and illuminate what those vulnerabilities might be as a result of all of this code that is getting pulled in sometimes without you even realizing. And then the other thing that we are doing, because we study the code at a very deep level is we're also giving you a sense for - are you actually using this code path where there is this vulnerability present, because one of the problems that exists in security in general, is that we inundate users with lots and lots of data, right? But someone has to do something with that data. It's not about finding all these vulnerabilities but fixing those vulnerabilities. So making the data that we're providing actionable has always been a big part of our thinking around how we report out this information. So we have functionality in SCA around vulnerable methods where we are giving you a sense for the known vulnerabilities that are present in the open-source code you're using, but also whether your code is actually exercising that code path or not, because if it isn't, maybe you can defer the remediation of that later. If it's a high severity vulnerability, you still want to go fix it, but it allows you to prioritize where you bring your attention first.
Novinson: Before existing customers who've been using you, I mean, what's been their biggest challenges as many start to think or focus more on the software supply chain security issues last year? What have been some of the biggest obstacles or hurdles they've had to overcome?
King: I think it starts - it's weird, first of all, finding manageable ways to wrap your arms around this problem, right? Because the software supply chain has a long tail associated with it, right? It's a large issue, it's an extended issue. So I think we work with our customers to help them break the problem down into its constituent parts, right? So you've got a lot of software infrastructure that you rely on, let's split that up into - you got your own code. So here's how we can work with your developers to educate them on security principles, integrate security testing into the SDLC, in the IDE, in the pipeline, etc., then you have all this third-party software, okay, what kind of third-party software, you have open source, there are solutions that you can bring to bear on that, there's commercial third-party code. So what kind of agreements do you have with your vendor community around the security of the software that they're supplying to you, your third-party contractors. So the first step is to help them break this down into constituent parts. So you can start to tackle the problem because if you just think of the software supply chain issue in its entirety, it can be overwhelming. So that's really the first challenge we're helping them overcome.
Novinson: Interesting. Let's shift gears here a little bit. Wanted to talk to you about the market landscape. Notably in the application security world, we saw Synopsys acquire WhiteHat earlier this year, and I wanted to get a sense of what the impact has been when you're in competitive bid situations during RFPs of those two organizations coming together.
King: Yeah, so I think we view dynamic analysis as a key part of any software security program, which is why we have had a dynamic analysis capability for quite some time, and have invested quite a bit behind our dynamic analysis capability in recent years, as well. And most importantly, bring that to market in an integrated fashion, right? So there's a single platform where you can do static, you can do dynamic, you can get those results in a similar look and feel. So at the end of the day, you're just getting information on the security vulnerabilities in your application from multiple engines. But those engines are really less relevant than the complete picture that both doing static and dynamic and SCA etc. provide for you. So I can see why Synopsys would have made that move to further extend into this particular area. You know, what I observed was, I think they also liked the fact that WhiteHat does what they do as a service. And so it was giving them a little bit more capability around SaaS, which is something that they have transitioned to versus something that they started out as. I think in our case, we've been a SaaS vendor, a cloud vendor since day one. And so I could see why it was not just about dynamic, it was also to try to get some SaaS capabilities. The question, of course, is always how well do you integrate it so that you provide a unified view to your customer base?
Novinson: Has it been different in terms of going to market in the months since this acquisition closed? Or has it looked different in terms of when you're pursuing competitive customers, new customers? Or is that the landscape has not really changed too much in that contract, even with the two coming together?
King: No. I mean, we have competed with WhiteHat effectively. We've competed with Synopsys effectively. So it's really just now we're competing with them as one entity, but it hasn't changed that much. Because the use cases for the customers are still the same.
Novinson: I see. I wanted to ask as well, in terms of the startup world, we've seen Snyk announced multiple rounds of layoffs in recent months. Wanted to get a sense from you - a two-parter. First, have you seen any changes in terms of the customer buying patterns or behaviors with the macro economic slowdown? And then secondly, have you done or considered any workforce reductions of your own?
King: Yeah, so great questions, Michael, because the macro environment is a topic that's top of mind for everybody right now. It's kind of - you can't not think about it, right? And for good reasons. So here's how I have observed the internalization of the macro environment inside the companies that we've worked with. The sense of urgency and the priority around software security continues to be really high. And if anything, is higher this year than it was last year. Maybe in preparation for some of the SEC requirements that are likely going to come out in April of next year, that are going to strengthen the disclosure requirements for public companies, talking about what policies and procedures they have, what management expertise they have around cybersecurity, what board expertise they have around cybersecurity, etc. So, as far as the topic of security and the topic of software security is concerned, the level of urgency and this need to act and go, do something and try to solve this problem for real is as high as it has ever been and if anything, increasing. At the same time, businesses also have to cater to the economic environment in which they are operating. So what I do see is a more stringent buying process, I see more connection between the procurement team and the business buyers to make sure that they are doing the right job of vetting the vendors, I see a greater orientation toward vendor consolidation, because perhaps with that simplicity, they can reduce some of the effort on their site to manage multiple vendors, and so therefore, do more with a smaller number of key partners. So that is one of the changes that I'm definitely observing. And in some organizations, the approval chains for getting especially large orders approved might be a little bit more scrutinized than it was before. So those are the changes that I'm seeing around the buying behavior. As far as the need is concerned, the need has never been greater.
Novinson: In terms of the buying behavior then what's been the tangible impact? Has it been primarily longer sales cycles, has it been that some deals just don't get across the finish line, because of the additional scrutiny? What does it actually mean?
King: I think, for us, it means that you have to get more people involved earlier in the sales cycle. Right? So now we typically try to make sure that we've got security, and we've got development at the table from day one, talking about what the needs are of each of the constituencies. So we can, through the buying process, help them get aligned so that when we roll out our solution, it has a higher likelihood of being successful. Increasingly, though, I think we're also saying, "Okay, what has shifted in the procurement environment inside your organization? How do we need to be catering to that? What do we need to be aware of?" So I think it's just a greater recognition of that. And in some cases, you just have to be prepared for - there's going to be a little bit more scrutiny in terms of where their budget is going.
Novinson: Interesting. From a personnel standpoint, I know Snyk had disclosed those two rounds of layoffs since June. Do you have to do any workforce reductions at Veracode?
King: So, in our case, you know, we have always been on a path of profitable growth. So when you look at our competitive landscape, I think there were several companies that were all around growth at all costs. And that pendulum has swung back in the market as a whole, that pendulum has definitely swung back in the direction of profitability. And companies that weren't previously profitable are having to exercise that muscle and figure out how to move to profitability, we have been on a path to profitability. For many years, we've exceeded the rule of 40. So this was a playbook that we were running the last few years, versus just now. So in that sense, it's not a new muscle that we're having to exercise. We are being more judicious around the use of our dollars for sure. So, you know, we have calibrated around the budget that we had set when we came into our fiscal year, we have calibrated around that a little bit, around do we really need to make all of these investments right now? Or do we want to watch what happens macro economically? So, we're being more thoughtful and more judicious in the use of our dollars. Year over year, we'll still be investing more in the business.
Novinson: I see. Let me ask you here. Finally, I'm going to ask you to gaze into the crystal ball here and give our viewers a sense of what they should be expecting from Veracode in 2023. What do you anticipate being the main areas of focus, the main areas of investment for you in the year ahead?
King: Yeah, great question. And something that I get super excited to talk about. So the thesis that we have is around bringing security and development teams together, and actually increasingly more than just security and development teams together, getting your board involved in this conversation, getting your executive team involved in this conversation, getting your procurement team, if you're talking about the software supply chain involved in this conversation. So we view our role as building bridges between these key constituencies that have to play a really important part to make sure that software is built securely, and that software stays secure. So with that lens in mind, we always think about what can we be doing more for each of these constituencies. For developers, we will continue to emphasize automation and orchestration and the integration into the software development lifecycle, tighter ways to integrate. We are very excited to be coming out with intelligent remediation where Michael, to date, we have scanned 97 trillion lines of code. And we have helped customers fix something like 79 million security flaws. So we have a massive data set from which we can derive a lot of knowledge on what do code fixes look like. So we've been training our machine learning algorithms against that and are going to be doing intelligent remediation. So we will help to automate not just the finding of the security vulnerabilities, but hopefully fixing the security vulnerabilities too, so that we can make development teams more productive, right. So that's a capability for developers along with tight integrations that I'm super excited about. In terms of the security teams, we will continue to build on our SBOM functionality, we will continue to build on a flexible policy engine so that your governance needs can be met in a better and better way. Super excited to be launching real-time peer benchmarking. So we have all this data at our disposal, customers can go in and they can get a sense at any given point in time of - how does their software security compare to peers in their industry or the industry as a whole? That's really powerful data to bring into the kinds of conversations that are going to be increasingly occurring inside boardrooms and executive tables, right? So equipping the security team with that visibility, not just of your program, but how does it benchmark against everyone else, and then continuing to do more around supporting security for cloud-native application development, as more and more people move to the cloud. You saw us launch container security, we're looking to do more around infrastructure-as-code scanning, continue to build on our API scanning solution. So those are some of the themes and some of the areas that we're pursuing.
Novinson: Definitely a lot of interesting stuff to watch. Sam, thank you so much for the time.
King: Thank you for having me.
Novinson: Of course. We've been speaking with Sam King. She is the CEO of Veracode. For Information Security Media Group, this is Michael Novinson. Have a nice day.