Managed.IT issue 66

www.managedITmag.co.uk | INTERVIEW

65%. We're now getting down to customers that maybe for security reasons of their own don't want to operate in the cloud. There are very few of them left, but there are one or two and obviously they will take longer to convert.

JG: What is driving demand for your products – is it the number of apps being developed or the greater complexity?

SJ: It is both. More apps are being developed, but just as important is the shift to the cloud. As large enterprises move more of their compute to the cloud, application security becomes even more critical, because more of your application surface is exposed to the public environment. When an application was deployed only in your data centre, you could control the perimeter, so, while you could not be lax about security, the criticality was a little less. People are even more focused on application security today because it is in the public cloud and there are just more attack surfaces – code, APIs, infrastructure, containers, storage.

JG: Is the C-suite sufficiently engaged with this or is there an education piece you need to do?

SJ: No, it is highly engaged. But there has been a shift. The CISO organisation and enterprises have always been engaged in application security, but it used to be a bit of an afterthought; the dev team would develop applications and then the security team would try to convince them they needed to fix this and that before the app could be shipped out. Enterprises moved to DevOps and are now taking a step further and moving to DevSecOps, where they not only have an integrated product to dev, test and operate but also want security built in from the very beginning. Our deployments of Checkmarx One are mostly fully integrated with the dev cycle and dev tools. Developers, for example, will have a plugin for security within their IDE (integrated development environment).

JG: Don't developer tools have a security element within them already?

SJ: Some do, some don't. But even the ones that do typically don't have very sophisticated security capabilities. GitHub is quite a common dev tool. It's part of Microsoft, and they have something called GitHub Advanced Security, which seems to work well or OK for smaller customers and relatively simplistic environments. But it is not security-focused enough for large enterprises with complex deployments. It's kind of okay, which doesn't work for a large bank or a large federal agency.

JG: Obviously, a lot of developers are using GenAI. What are the risks you've identified with that and how are you addressing them?

SJ: People are trying to adopt GenAI as quickly as possible because it has huge benefits for developers, including a 15% or 30% or 40% productivity increase. That means you will have 30% to 40% more code coming into the enterprise that happens to be auto-generated – and just because code is auto-generated by GenAI doesn't mean it is vulnerability-free. We now have a plugin that can scan code and check for vulnerabilities as people use generative AI systems, before they bring it into the enterprise.

The second set of vulnerabilities that GenAI introduces are hallucinations. There have been instances where someone looking for an open source package to do a specific thing has asked GenAI if there is one and it has hallucinated and just created one. You think you're using an open source package, but it's actually something the GenAI system has created for you. That's a new kind of vulnerability and we check for that as well.

We launched a number of AI capabilities for Checkmarx One several weeks ago. We're also using GenAI to improve the product itself. Developers are not always experts on security issues, so when we surface a vulnerability we can make a recommendation on how to fix it, based on GenAI. This improves developer productivity because they don't need to become experts in XYZ vulnerabilities.

JG: Do you remediate problems you identify?

SJ: We tell developers how to remediate. We identify the problem and then we can tell them how to fix it. We have two capabilities there. One is a set of training tutorials that describe a vulnerability, how it manifests itself and how you should address it. And then with GenAI we can suggest code to do it.

JG: What should we be looking out for from Checkmarx this year?

SJ: We launched our AI portfolio a few weeks ago. That was a big launch for us. We are planning to launch ASPM and continue to roll out more capabilities on our Checkmarx One platform. A lot of that investment is in GenAI. We continue to improve the developer experience because it needs to be a developer-first product. GenAI ASPM is a category that we're investing a lot in, which is how you get value across the platform. Lastly, we are doing a lot of integrations with cloud runtime security tools, so that we can deliver code to cloud, which is the holy grail in security. People want to make sure that they're secure from the first line of code that's written all the way to deployment. We cover everything pre-deployment and we integrate with runtime security tools, so you get an end-to-end view.

Richard Hinson
