... down to customers that maybe for security reasons of their own don't want to operate in the cloud. There are very few of them left but there are one or two and obviously they will take longer to convert.

TR: What is driving demand for your products – is it the number of apps being developed or the greater complexity?

SJ: It is both. More apps are being developed, but just as important is the shift to the cloud. As large enterprises move more of their compute to the cloud, application security becomes even more critical, because more of your application surface is exposed to the public environment. When an application was deployed only in your data centre, you could control the perimeter, so, while you could not be lax about security, the criticality was a little less. People are even more focused on application security today because it is in the public cloud and there are just more attack surfaces – code, APIs, infrastructure, containers, storage.

TR: Is the C-suite sufficiently engaged with this or is there an education piece you need to do?

SJ: No, it is highly engaged. But there has been a shift. The CISO organisation and enterprises have always been engaged in application security, but it used to be a bit of an afterthought; the dev team would develop applications and then the security team would try to convince them they needed to fix this and that before the app could be shipped out. Enterprises moved to DevOps and are now taking a step further and moving to DevSecOps, where they not only have an integrated product to dev, test and operate but also want security built in from the very beginning. Our deployments of Checkmarx One are mostly fully integrated with the dev cycle and dev tools. Developers, for example, will have a plugin for security within their IDE (integrated development environment).

TR: Don't developer tools have a security element within them already?

SJ: Some do, some don't. But even the ones that do typically don't have very sophisticated security capabilities. GitHub is quite a common dev tool. It's part of Microsoft, and they have something called GitHub Advanced Security, which seems to work well or OK for smaller customers and relatively simplistic environments. But it is not security-focused enough for large enterprises with complex deployments. It's kind of okay, which doesn't work for a large bank or a large federal agency.

TR: Obviously, a lot of developers are using GenAI. What are the risks you've identified with that and how are you addressing them?

SJ: People are trying to adopt GenAI as quickly as possible because it has huge benefits for developers, including a 15% or 30% or 40% productivity increase. That means you will have 30% to 40% more code coming into the enterprise that happens to be auto-generated – and just because code is auto-generated by GenAI doesn't mean it is vulnerability-free. We now have a plugin that can scan code and check for vulnerabilities as people use generative AI systems, before they bring it into the enterprise. The second set of vulnerabilities that GenAI introduces are hallucinations. There have been instances where someone looking for an open source package to do a specific thing has asked GenAI if there is one and it has hallucinated and just created one. You think you're using an open source package, but it's actually something the GenAI system has created for you. That's a new kind of vulnerability and we check for that as well. We launched a number of AI capabilities for Checkmarx One just a couple of weeks ago. We're also using GenAI to improve the product itself. Developers are not always experts on security issues, so when we surface a vulnerability we can make a recommendation on how to fix it, based on GenAI. This improves developer productivity because they don't need to become experts in XYZ vulnerabilities.

TR: Do you remediate problems you identify?

SJ: We tell developers how to remediate. We identify the problem and then we can tell them how to fix it. We have two capabilities there. One is a set of training tutorials that describe a vulnerability, how it manifests itself and how you should address it. And then with GenAI we can suggest code to do it.

TR: What's your route to market?

SJ: It's a hybrid strategy. We have a direct sales force that targets direct customers and we have quite a large number of channel partners, both regional and global, that our sales teams work closely with. About 30% of our business comes from the channel and we are continuing to recruit new channel partners to increase our reach and to invest in training and enablement so that they can be more self-sufficient.

TR: Richard, could you give me some names of UK channel partners?

RH: Building upon what Sandeep just mentioned, the idea in the UK is to drive growth and there are three ways you can do that: you can extract more money out of your customers; you can grow your sales team; or you can do a much better job of working with your channel partners. One of the things we've implemented in the UK is more of a channel-first strategy. We started that on the first of January and have pushed out the message that we want to work with channel partners to help us cover the market in the most effective way. We're working with people like Accenture in the GSI space. Then we've got the tier ones; Computacenter is our main one, because they have reach into those really big enterprises. Then there are more generalist partners like Softcat and AppSec specialists like Riversafe. Our strategy is to concentrate on a relatively small number of partners and invest heavily in training and enablement, working alongside them so they can get a return on their investment of time and effort in this space. We're well on our way towards a channel-first approach. Deal registrations, where a partner registers an opportunity with us to protect it, have gone up 400%

Q&A technologyreseller.co.uk 35 continued... Richard Hanson