Joined by industry leaders Javed Hasan, CEO of Lineaje, and Kumar Chivukula, co-founder of Opsera, the discussion explores how AI is revolutionizing the way we approach software vulnerabilities and security.
Kumar Chivukula is an entrepreneur and a visionary executive with 20+ years of experience accelerating digital transformation and business growth at Fortune 100 and Fortune 500 companies, like Adobe and Symantec. Kumar has built high-performing teams in IT strategy and architecture in Cloud, DevOps and large-scale SaaS platforms with a ‘customer first’ mindset.
Kumar is currently the CEO and co-founder of Opsera, helping build and scale a DevOps Continuous Orchestrator solution so companies can deliver software faster, safer and more securely. He loves building innovative products and solutions while working with awesome teams.
Narrator :
Welcome to 909 Exec, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer and cyber aficionado Den Jones, taps his vast network to bring you guests, stories, opinions, predictions and analysis you won't get anywhere else. Join us for 909 Exec, episode 46, Software Security in the Age of AI.
Den:
Hey guys, welcome to the LinkedIn Live event. This is going to be awesome. This is Software Security in the Age of AI and 909 Cyber. We are a consultancy, but we also have a podcast. So I love to speak with great people that can really bring something to our industry. And we have two awesome people, because I've known Kumar for a long time. And then I got to know Javed as part of this relationship. We are partnering with Opsera and Lineaje as part of field CISO type activities that we do. So this is a sponsored event, and as part of this you're going to see a few other things with these guys that we're really excited about. We only get involved with a few companies on the field CISO stuff. And the big thing for me is if you're solving problems in an inspiring way, then we're going to be excited to partner and get involved. And for me, the space of DevSecOps and then SBOM, that kind of stuff, has always been a struggle. And luckily we've got two thought leaders here that will introduce themselves and then they're going to jump into a fun topic of why the hell do they want to partner together. Anyway, so hey Javed, why don't you jump in and start to introduce yourself and then we'll hit Kumar up.
Javed:
Yeah, so I'm Javed Hasan, Den. So first, great, great being part of your program. Javed Hasan, I'm the co-founder and CEO of Lineaje. Lineaje is a full lifecycle software supply chain security company, with our unique value proposition being autonomous fix, so we can fix things in the software supply chain automatically. And of course we are excited to partner with Opsera and Kumar, so I'll let Kumar introduce himself.
Kumar:
Okay, thank you Den for having us, and great to see you Javed again, and appreciate your partnership. Kumar Chivukula, co-founder of Opsera, excited to present both the Opsera and Lineaje solution together today. And from the Opsera standpoint, we are a power DevOps platform, and what we do is we meet the customer where they are and then help them improve the overall DevOps maturity by protecting their investment and then enabling them to make the software delivery faster, better and more secure. In doing so, we can help them with the DevOps platform for SDLC and the SaaS and COTS applications, and partnering with the Lineaje team, we are doing the DevSecOps automation with the auto remediation. Last but not least, we have a way to provide the developer productivity and developer experience using Opsera Unified Insights. These are three modules, all powered by Hummingbird AI. We can talk more about it in the next few minutes. Thank you Den. Thank you Javed again.
Den:
Yeah, and I'm excited because, well, Kumar was a guest on our 909 Exec podcast, episode 43, so you can check that out. And we've scheduled, or I think we're scheduling, Javed to come on the show. And the thing for me is, in those shows these guys talk about the journey of being a founder and a CEO and the trials and tribulations of that. But in this one I really wanted to dig into: so we've got two exciting companies, but you've come together as a partnership to really bring more value to your customers. So what was the aha moment where you guys thought, wait a minute, this really works? I mean, first of all, how did you guys meet? And then secondly, what was the aha moment where you're like, wait a minute, we can bring more value to our clients if we partner?
Javed:
So let me kick it off. So I think, as frequently happens in Silicon Valley, we met at a coffee shop because Kumar had reached out and we just wanted to talk, and I think in the first five minutes at least it was evident to me that putting DevSecOps and DevOps together makes tremendous sense. So you have this whole area of DevSecOps which is all about finding issues in software. So vulnerabilities, code quality, security posture, et cetera, et cetera. And DevOps and dev is where the remediation happens; the fixes will happen there. So we at Lineaje had the ambition that we wanted to fix things autonomously. We needed a good partner with significant ability to do that autonomously for us. And so it made complete sense for us to put Opsera and Lineaje together to deliver a complete solution, what we call from source to cloud.
If you want to deliver better software, vulnerability-free, tamper-proof software, then we could put these two companies' capabilities together and deliver an end-to-end solution to our customers. So not only do you find things faster and better and deeper, but the more important problem then becomes how do you fix it quickly? And so what Opsera gives Lineaje is the ability to rebuild containers, for example, relatively quickly, eliminating vulnerabilities, update source code so that there are no vulnerabilities, so on and so forth. But that's been the story, and it was relatively evident that we should do it quickly.
Den:
And I think Javed, to your point, a lot of companies find stuff and they tell you about stuff, but they're doing something about this stuff? So if there's a vulnerability in a library that I've used as a software developer, finding it is brilliant, knowing about it is brilliant, but a lot of the time, first of all, people don't know about it. That's where you guys come in, and then they're doing something about it in real time without human intervention, I think, is where that partnership with Opsera comes in. Right, exactly.
Kumar:
Yeah. So I think Javed and team have done a fantastic job of building this SBOM and the way they can scan, the multi-layer approach. And when we looked at others before we were connected with Javed and team, we kind of heard about this thing but not at the deeper level. Once we got to know about the solution, the partnership was basically something we didn't have to debate about, whether it's something that we have to do or not. It naturally progressed, and Javed looked at the demo and within five minutes said, okay, it's something we should explore. But now we are in the process of really working with a lot of the customers and some of the engagements as well, and helping them to remediate, not only highlight the issues that they have, with a multi-layer approach. With the Javed team's solution, we are taking the plan and SBOM and auto remediating them with Opsera's solution. It makes a comprehensive thing. Nobody wants to be fatigued with a bunch of alerts, a bunch of vulnerabilities anymore; it's not about showing the vulnerabilities, it's about showing and fixing it, showing the governance along with it. So we do auto remediation with the Lineaje solution and the Opsera solution. We also have a capability of a human in the loop. It's not just automation. While we do internal automation, we can have a human in the loop as well.
Den:
And when our team, as we were getting involved with you guys, our CISOs were looking at your technology, one of the things that got us excited was the ability to reduce cost. I look at it like reduce costs, reduce friction and reduce risk. But usually in that order, because we're all under pressure to save money; we were inspired just by the amount of money you guys can help clients save. So do you want to talk a little bit just about an example of some of your clients and how they're seeing cost savings?
Javed:
If you could pull up that, there's a slide here. So we took the data from one client that we are working on together. And so let's go to the next slide.
So we call it application aware, and in this case very specifically we are fixing the containers. So if you sort of look at it now, what Lineaje can do is decompose a container across all layers, figure out all its components, the software structure, which is where the SBOM comes in. Once you have the software structure, you can also of course find all the vulnerabilities. And so we found a humongous number. As you can see, that's the distribution in blue of critical, high, medium and low. And then, because we understand software structure and we understand open source and dependencies pretty well, what we can do is generate a plan, what we call a compatible plan, to fix those vulnerabilities per container. So just before you are about to deploy a container, you bring in Lineaje and Opsera; in this case Lineaje will analyze the container, generate a list, generate a plan, and then pass it on to Opsera.
And so then Opsera will autonomously essentially rebuild the container and generate a new one. So you have container A and container A prime, and A prime has significantly fewer vulnerabilities, just taking one of the many risks that we mitigate. So if you sort of look at it from a very broad data perspective, critical and high vulnerabilities on average, we are finding that between us we can remediate 93% of critical and high vulnerabilities. So think of it, these are things that your developers can't fix, right? DevOps would have to get pretty deep into understanding the application to understand compatibility and so on. We bypass all of that. So 93% drop in there, 32,000 vulnerabilities dropped to about 5K. Much of them are really low and medium, so you don't care as much about them. So the critical and high drop pretty dramatically. Now even if you just assume that it takes three hours of DevOps time to find and fix, actually it just takes triage, which is we would've saved about 75,000 hours of employee time. That's very significant. And the most interesting thing between us is, because Opsera is a DevOps platform and we are a DevSecOps platform, we generate the plan, but when we rebuild, between us we can also detect breakage because we did it. And so in this case it validates that we can fix containers without breaking them, and also can push it into the testing stages so that it's actually automatically tested as well before being deployed.
So we are sort of looking at it and saying this technology helps you; we call it application aware self-heal, because the container fix is application aware and is not breaking the application. Much of the risk is dropping, in fact 93% of the risk is dropping, and on top of it you are saving a whole amount of money in terms of time. So your developers and DevOps can do better things than focus on security fixes. And the company in the end is getting better software, better applications, less vulnerable as they deploy those applications.
Kumar:
I'll just maybe chime in and just give an example of my personal story, because this is something I've been living through that Den is aware of, and Javed's on the other side, building the solution. We have been using a lot of the tools and dealing with vulnerabilities for almost 20 plus years. And one of the stories that I have was in my previous company; in 2015 I managed a 20,000 fleet of servers and containers and whatnot. And you used to get a report from the security team, and the report never used to go down, it always used to increase, and every month the number of vulnerabilities would continue to increase. There is no way; it's painting the Golden Gate, right? You start with one place and you complete it, you start all over again. It's not that many people want to do it.
We engaged an SI; we used to pay a good chunk of money to do this work every quarter. Imagine that this type of solution was there at that time. We would've saved easily a couple of million dollars per year, easily a couple of million dollars. And in a company like the one we were talking about, it was very important, critical, but no one is there to take care of it. And with the current joint customers that we have, we are able to prove, to Javed's point, that critical and high are the ones which are exploitable and medium and low less exploitable. We are focusing on that, and we are able to demonstrate time and time again, at least in the engagements that we're in, that they're able to secure the images faster, and not only images faster, but also remediate them continuously. The biggest thing is it's continuous scanning.
It's not like you throw an image, you buy an image, and once you buy the image, what is going to happen is somebody will run a yum update or some install and guess what? The image gets tampered with. There is no way you can go back and fix it. With the Lineaje solution, we not only protect the image, we do the continuous validation and vulnerability management. As a result they can save time, and that assures they can get the report before and after the scan, ensure that they're secure and compliant. The important thing is you have to show the proof to compliance. We provide the compliance success. Well
Den:
Yeah. And one thing, Kumar, in our conversations over the last few months: there's clients who already have their own images. So they have their own images, they have their own packages, so you guys can meet them in their journey with that, or you guys can deliver images for them as well. So can you share just a little bit about how that works?
Kumar:
I'll let Javed chime in on that because he is closer to the images and the scan.
Javed:
So Den, you hit something really important. So this is also an era where people are buying what they call minimal images. So the minimal images are images that reduce the components or slim down the image so that you have less vulnerabilities. The problem with that approach is that when you actually put it under an application in a container, it may break your application, because you don't have the components that the application calls for; they're application agnostic. So one of the things we can do with this technology is now give you images that are vulnerability free, and we are doing that with gold images that Lineaje sells. A fair amount of the backend work is automated through Kumar's capabilities, so we can rebuild images without minimizing them, but eliminating vulnerabilities. That's a magical thing. And while inside a company when we are scanning software, that DevSecOps, we can understand, like I said earlier, the application structure. So we know its OS dependencies and utilities dependencies and runtime dependencies. So we can build images, we call them application aware images, that are guaranteed to not break your application but eliminate vulnerabilities. So we see that as the future path of differentiation against these minimal images that cause a lot of churn both in app dev and in DevOps, because now you have to figure out how to add to those images, and when you do, the vulnerabilities are back. So what we are able to do here is create application aware base images that will eliminate the vulnerabilities and not break your application. So we are seeing that as a huge value proposition. The second
Kumar:
I think... Go ahead. I just want to say one point: that's a unique offering, application aware images. Not many people are offering that, and I don't think you have it in the marketplace right now.
Javed:
So one other thing I would add, Den and Kumar. So one of the other reasons we sort of brought this together is DevSecOps is a discipline which requires a certain user interface, a certain experience. So DevSecOps people work in a certain way, DevOps people work in a certain way, and they require their own user interface and so on. So one of the other reasons, one is sort of this value proposition that you see end-to-end, but you want to deliver the value in what I would call a native experience for each one of the personas involved. So for us to go out and build the right DevOps experience is very, very hard for Lineaje. Similarly, for Kumar to go in and build the right DevSecOps experience is hard. But bringing the two product lines, one completely focused on DevSecOps and one completely focused on DevOps, actually tightly integrated together, which is what we have done, allows us to sort of cater to what DevSecOps need in their native interfaces and what DevOps need in their native interfaces. But the automation and the connection is already there. So now you get the best of all worlds with this approach.
Kumar:
Yeah, it's a pretty seamless integration. It's no longer whether you get onboarded through Lineaje or onboarded through Opsera, et cetera; basically a customer doesn't have to know the underlying architecture. We can explain it to them, but they don't have to know the details of each of them. Product level integration is done and it's seamless to both DevOps and DevSecOps people. Whichever console you use, you'll be able to operate either of the functions very easily, and that's the beauty of that. So I think the credit goes to the team, and the rest of the team who really pulled this one off from our side as well.
Den:
Yeah, I mean yeah, and that integration to make it seamless, and I think Javed, you hit the nail on the head about the experience, right? Because you've got the security team, then you've got the DevOps team and SREs and all those guys, and they have different needs. I mean, as you mentioned, right? They don't all want the same thing or need the same thing. One of the things for me, Kumar and I, we've lived through the pain of not having something like this. So we do appreciate and understand why, and the importance of this gap being filled. But one of the things, I mean we've always been fans of automation, so in this case you're automating a lot of things. One of the things I was thinking as you were speaking earlier was just about the removal of human error. I think one of the things, you may have touched on it a little bit, but I'd love to dig into this one more, because I think when you can have this end-to-end robust system that you guys have brought together, the human error element of this whole life cycle starts to reduce, right? I mean, are you guys seeing that?
Javed:
We are absolutely seeing that, right? I mean again, both in DevOps and in DevSecOps, and I will focus a little bit more on DevSecOps, a lot depends on the skill of the individual who's seeing the scan results. And then if you truly think of it, DevSecOps does not really get into changing code, updating containers and so on. They need to hand it off. So for example, I would just take the case of prioritization. So DevSecOps spends, we as CISOs, you as a field CISO understand this, right? That security, DevSecOps folks will spend a lot of time prioritizing vulnerabilities, for example. Now the challenge, so that's a skill. First thing is understanding what's exploitable, right? There's a fair amount of information required in being able to do that now, and then code is changing continuously. So if you argue that something is not reachable today, some vulnerability, tomorrow when code changes it's reachable.
So I'm going to add one more element to your question, Den, which is the rate of change. So we are now in a state where code is changing faster than you can prioritize it. Vulnerabilities are found faster than the rate of prioritization, which is faster than the rate of fix, but code is changing faster than all three. So you are fundamentally in a mode where DevSecOps is reactive. So by the time you end up prioritizing, even if you have the skills, your code has already changed, right? We know we have customers who are pushing a million updates a day. Think of that rate of change, and now you think that a human sitting there collecting all kinds of information can actually prioritize, even with tools. But at the time at which you prioritize, you're already out of date because new code changes have been pushed; a week later you're definitely out of date, but the dev teams and DevOps team are going against your old priorities.
So what they're fixing is already legacy and has already changed. So that's the reality of today's world. With this approach, what we are able to do is to say, look, we can eliminate all vulnerabilities. So prioritization is taking us into a future where we are choosing to ship software that is vulnerable. We don't believe that is true. So the number one benefit of automation here is the fact that if you're about to deploy a container like in this slide, you will eliminate, we will eliminate 93%. So why would we not eliminate the rest of the 7%? They're incompatible. So we know that difference, but if we are allowed to break containers, which some customers are allowing us to do, and then fix it, now you're getting to a hundred percent vulnerability free container. Same thing we can do, and we haven't really opened that box up yet, with code.
So you're about to with applications. So application builds: between Opsera and Lineaje, Lineaje can fix and Opsera can fix your builds as well. We call them gold open source. So that's how we regenerate what we call gold open source packages. But we can also fix your applications autonomously. What's the point? That DevSecOps has to shift to the left truly. And DevSecOps cannot fix things; they have to work with dev and DevOps to do that. And so a tight integration between these two companies is not just the fact that the current processes are significantly better, like we are seeing; what we are trying to put together is the future of automation where code, when it's written, is auto-fixed, containers, when they're built, are auto-fixed, and developers and DevOps, whose job is to essentially accelerate the velocity of innovation, can focus on that while we take care of the software maintenance world, if you will, in that sense. Anyway, I'll let Kumar add to that, but that's a very big flip. It's not just a process; it's a process flip. It's the way we evaluate software that flips to becoming much more proactive rather than reactive.
Kumar:
Yeah, I think I'll just add a point. I think Javed covered it really well, how we can eliminate the human error and also how we can streamline the overall process. But one of the new dimensions that came into the market around the time we came into the market partnership is the code AI assistants; you can see Copilot and Cursor, Windsurf and Sourcegraph, many of them. What they're doing is enabling the citizen developers to generate the code, who don't even understand what code they're writing in the first place. They're inheriting so many open source libraries, packages, modules without them knowing it; they're getting some application, they're deploying a container. Imagine that. At least we had controls before. Now you don't have any controls and this code is generated. PR sizes are getting longer. And when you run the scan and understand the vulnerabilities, the problem statement is even bigger than what we had.
So if you have an automation engine embedded like Lineaje, Opsera included, in enabling the citizen developers along with the existing developers, because most of the developers, as Javed mentioned multiple times to me, inherit the code 90% of the time. They don't have a way to understand or fix the code that is determined by someone else. It's opaque, it's nowhere, no one is managing them. As a result, you need to have a solution like what we are bringing in, so that we can also remove the headache from the developers. They don't have to go and research something; they don't have a solution in the first place. Even if they find the solution, how do they apply the fix in the first place? Interpretation: we can remove the interpretation as well, besides human error. Human interpretation, what I see is a fix may not be a fix; after I apply this fix, maybe I rerun the scan, waste my time, go through the process. We can run the before scan, fix the issue, run the after scan, and provide comprehensive reporting that gives us satisfaction. In one of the conversations, Javed and myself, we were with one of the customers; they wanted to run the scan through their own tool.
I said, okay, absolutely, why not? You can also validate the solution through your own scan on top of that, compare the results. So that level of flexibility we offer. So three parts to it: human errors, which you brought up. Another one is code AI assistants. Third one is giving the flexibility for the customers to validate the results that we are providing to them.
Den:
And I was just thinking we got 24 and a half minutes in before we talked about AI, so that's not bad. But well, there were two things that I was thinking of, because I did want to get to the whole how is AI changing all of this piece. So Kumar, I'll give you the 20 bucks later. There were a couple of things. One is, can you explain, so a new CVE is uncovered, what do you guys... so a new CVE is uncovered. I've got 20,000 compute instances in my environment with all these apps and shit running on top of it. What happens? I mean, you guys have the ability to say that new CVE is uncovered, it's in these packages here, let's go deal with it, right? So can you just explain that little piece of the puzzle? I think what we were dealing with, Kumar, in our large global enterprise company job was the security team would hit us with CVEs every single week, and then you've got thousands upon thousands of compute instances with packages and applications running on top. And then our task was, okay, how do we know that? How did we even know that that application was using that library? So that whole thing for me is one of the biggest things I see you guys taking care of. So can you share just how that happens?
Javed:
So let me kick it off, right? So just the first thing, so you'll hear stories of "I have 20 million vulnerabilities in production", and to your point, I mean there are many instances of the same vulnerability. How do you even expect me to get a handle on it? How do I fix it? That's sort of, if I were to look at the top level CISO problem, it's like this is a problem that we can't fix. And then on top of it, what's happening to companies is a new CVE is discovered; now find it everywhere and get it fixed everywhere, because it's critical and exploitable. So the way we solve that problem is, we are talking about containers. So before you deploy a container, we'll scan it. One of the things we will generate for it is not just your normal vulnerability list, IT licenses, code quality, but we'll actually generate a software bill of material for it, and then we store it.
We built the industry's first SBOM manager in 2022, exactly for this reason. So you store the SBOM of every deployed container in an SBOM manager. It's a product called SBOM 360 Hub. Now you have the SBOMs of every container you have deployed in your environment, and a new vulnerability coming in, we will auto detect it. Of course we have vulnerability feeds, and we will tell you it exists in the following containers. Not only that, we will be able to find it, and then we know, well, is it in the operating system, where is it in the stack? And we do a full stack, so we know which containers it is in. We can also know, if it's an application vulnerability, which applications it is in. And so now, from the announcement of the vulnerability to detecting where all it is, is a few seconds. So we all lived through Log4j, for example, right?
When the Log4j vulnerability came out, we struggled. I was in a large enterprise company and running a bunch of products. It took us a fair amount of time to find all the instances of Log4j. And it took us months actually to manage multiple product teams and get them to fix it. And we had to report to our customers first daily and then every week and so on till they were all resolved. So it was a humongous project at that time. Now, fast forward to today. If Log4j comes out today and you have Lineaje and Opsera, you will be able to search in an SBOM manager, or Lineaje will actually tell you that this vulnerability exists in the following containers, in the following applications. And by the way, trace it back to here, specifically in your source code where it's referenced.
The second thing we can now do is we will find the fix for it. That's why we launched something we call gold open source. So gold open source is essentially critical and high vulnerability free packages and images; we'll create a version that is vulnerability free. And then depending on where the fix needs to be, we'll update your containers and Opsera will redeploy them autonomously, right? As well as application code gets updated, so the future builds don't have that vulnerability. Not only that, we will blacklist essentially the old version and say this is the new version. We'll find it even if code is not deployed yet in production but is in dev; we'll still find it and essentially be able to update those packages, dependent packages, with the correct versions. So now something that used to be many months: finding it is a few seconds, fixing it is maybe a day or two depending on how aggressive you want to be. And it's all autonomous, and you don't have to follow up with, let's say, hundreds of developers and tens of DevOps people to get it all fixed. And it can all be orchestrated, from our viewpoint, from a DevSecOps dashboard, and of course the DevOps guys get the right messages, dev get the right messages, and so on. So we are looking at a very different future than the past there.
Den:
That for me, I think that's a game changer. And as I mentioned at the start of the show, I think it's been an area that for the last 10 years has just been a real huge struggle for teams and businesses. So Kumar introduced this concept called AI. I mean, well, he talked about it; I don't think it was his thing, he'd be way richer than all of us. So guys, so AI, how do you say... and the title of the whole thing, I don't want to do a bait and switch on our audience, but the title of the whole thing is Software Security in the Age of AI. So how are you guys seeing AI change things? Now, Kumar mentioned it a little bit earlier, so Javed, I'd love to hear your view on that side of it, with copilots and all these kinds of things. But then how do you see the next five years from an AI perspective and how it impacts this specific landscape?
Javed:
So one of the things, as you have said, I try to avoid selling AI for the sake of ai. So when I use the word autonomous, it is all agentic AI doing work. But fundamentally we believe that the value of AI is in the delivery of the value, not in the hyping of the list of agents that we might have built. So that's one just from a conversation perspective. Now having said that, the way we look at this is there are two big movements that are happening that we are part of. One is AI for security. So what we are doing there is look all the autonomous decision making, the fixing of containers, detecting compatibility. So we call these agents that do this bomb bots bill of material bots, we just like the term and there's a very cute little tiger bot that we use to sort of show that.
But anyway, the point is there are a lot of little agents that we have built that will do pull requests for you in context, that will detect compatibility, that will upgrade your container, update your container, so on and so forth. So these are a whole bunch of little agents that are orchestrated and they work together to deliver that. And so what we are seeing is the big benefit of AI for security and security for AI, the two plays there, is that we can now essentially do the decision making that a DevSecOps or a DevOps person will need to do between us, and then autonomously perform those tasks. And like Kumar mentioned, one of the things that we have tried hard between us to preserve as we do that is that your current checks and balances still work. So for example, if you have third-party scans that scan your containers and your source code, they will show the results.
If you have test harnesses that test a container that we generate, we'll pass it through the same test harness, and we'll do it for one container, two containers, 50 containers. At some point you will say, look, this thing works automatically, and so I will now take the human out of the loop. So that's one. The second big thing that we are working on is what we call security for AI. So we are all, I mean like you said, everyone's running AI projects, and what we are seeing is, just like on the normal software side, we have been able to fix end to end and improve software development processes. Now think of AI dev processes and AI governance on the shift-left side. We think that's a compelling value prop. There's a lot of investment being made in runtime AI security. But if you go shift left and say, how do I govern an AI ops pipeline? How do I secure it? It's the same problem, right? So there you go. So we talked about containers, we talked about applications. Now let's talk about, okay, so you have an MCP server.
We could tell exactly the same story that we just told about an MCP server that you have deployed right now. It is accurate. All the agents that you're deploying, same story. These are in the end containers that get deployed. And so we fix them. But again, so we started offering something we call Gold AI. So Gold MCP servers, Gold LLMs, so on and so forth. We go down that path. And the other path of that, as you're deploying, is the same thing, which is, call them AI Dev, AI SecOps, and then AI DevOps. And it's really the same flow but with additional capabilities about being able to detect LLMs and understand risk differently, because LLM risk is different. But the same technology set that we are using between Opsera and Lineaje works to actually fix AI pipelines. So that's the other big area that we are investing in. We hopefully will launch something very soon. I'll let Kumar talk through that part of it.
Kumar:
Yeah, so I think it's an interesting question. Very hard to predict what is going to happen five years from now, because the rate of innovation, the rate of pace and change that is happening, is significant. That also poses risk. We talked about how we are seeing the issues that were generated by the code that is written by people, but think about bad actors. AI has also given the opportunity to them equally, whether we like it or not. The same tools can also give them the opportunity to exploit faster. In the past it used to take some time and experts to do it. Now you can feed the same exploit data, like exploited vulnerabilities, into the system. They can easily write an agent and exploit it at scale. And again, we are not trying to scare people. That is a potential possibility, because the same information, while you can use it to produce something, you can also use it in a destructive way.
And then they can do that in a large-scale manner. So how do you get in front of it and be able to do security by design and security with AI, which Javed talked about; you preached about it then multiple times. We both talked about it. Security by design, multiple times. It's no longer an afterthought. It's AI, and the velocity and throughput and going to market faster is important, but not at the risk of losing your assets, losing your reputation, losing your customer data and everything else. So to me it's more towards that: having the thought process as part of your software delivery management and software supply chain and AI security is absolutely important, and I think we are at the right cusp of making this transition, going from vulnerability reporting and managing from Excel sheets, ServiceNow, Jira tickets to a more autonomous way, which eliminates the need to manage the people doing this work, which takes so much time, and they can do much better things in the first place.
The second thing is that's where you can get savings in risk posture, and AI can be used to do things faster than a human can do the same thing multiple times, without human error and in a repeatable way. And then, this is a great use case for AI auto-remediation that we are both working on. It's a wonderful use case: you can automate at scale and be able to manage your risk posture, cost posture and compliance posture altogether. So I believe that this is going to help many enterprises, and only time will tell what is going to happen five years from now, but hopefully we'll have a different conversation at that time, not the same vulnerability remediation one.
Den:
Yeah, no, the crystal ball of where it's going to go, right? But one thing I do agree on is that people talk about AI, and it's really not about AI the thing, it's about solving problems, and in the background, the way we're solving problems, we may leverage AI where it makes sense. And it kind of goes back to the old adage that you don't need to automate everything. Sometimes manual is fine, but when you identify the use case and it makes sense, then jump in and go for it. And I think the other thing, Javed, you mentioned this, which I totally, totally agree with, is that there's a lot of people leveraging AI, and I look at how we are securing the AI agents and the AI components and platforms, because one crystal ball I do have is that at some point in the next five years, one of these big AI players is going to be breached.
And all this shit that people have been feeding into these platforms is going to be out there. And I think it's a reminder for people that are playing in the AI sandbox: you've got to remember and imagine that if that breach happens, or when that breach happens, all the stuff that you've thrown in there, if you've been putting IP or PII in there, you're going to be caught. So my thing with everybody is we've got to start securing AI platforms and how we use AI and how we integrate with AI. And if we always thought identity was the front line before, you've got to imagine one human in a company is going to have 50 agents working on their behalf in the future. So I used to always think, in the companies Kumar and I worked in, about our number of generic accounts; I ran the identity space there for a long time.
The number of generic accounts was easily one-to-one with the number of human accounts, and the number of groups we had was double the number of humans in that database. So the reality is the number of AI agents we're going to have in the future is going to far surpass anything we dreamed of before in the normal identity landscape. So I see, even as you guys do your integrations together, right? I'm sure you put a lot of thought into this. Well, if I can do the Kumar stuff from Javed's platform or vice versa, well, that integration's got to be solid and secure. Especially because you guys are effectively a security vendor. So I know, Kumar, traditionally you're thinking of the DevOps vendor space, but now you've crossed a line into the dark side. That's why Javed's background is all dark and mysterious. You'll get there too one day. So yeah, fun change.
Kumar:
One point I want to add to what both of you brought up: Javed brought up MCP servers. The one thing we're both exploring is that we launched code light, code-led AI, in which, well, people are creating MCP servers at scale now; you know that with billions of agents now, they'll have to convert to MCP servers, which is what Javed is talking about, I presume. And these MCP servers have to be managed and maintained. Given that we already have integration in place, we are adding similar integration into the MCP servers, and operating and managing MCP servers so that they are security-vulnerability free is our objective and goal. Let's see how we can achieve that in the next few weeks to three months.
Den:
Yeah, yeah, no, that's pretty cool. I think it's a world. So in our capacity we do more internal CSO work than we do field CSO work, and with our clients internally, I mean, we're seeing the adoption of AI as being the number one objective for most of our clients. And I think they're trying to figure out how they use AI internally to accelerate their business. And as they do that, as the fractional CISOs, we're sitting there being like, well, how are we doing it in a secure way? There's the doing it, and we need to enable it as a security organization, but we also need to think of it being something secure. So I have excitement, and I also have a level of nervousness that goes along with it, but I think companies that aren't leveraging AI are going to be left behind. Absolutely. We see that. And hopefully guys like you are thinking of, and I know from this conversation that this is true, you are thinking of, well, how do you secure companies as they go down that path? And I think one of the other things, if you're building product and you're kind of listening in to our conversation, I think it's just vital to realize that not only are you trying to protect that whole life cycle, but you're also trying to figure out ways to accelerate your client's journey as they onboard to use more AI technologies, right?
Kumar:
Absolutely. And I think this is, it's evolving, and we're also, one thing I can see is there's a little bit of maturity in the stack now compared to two years back, which is good news to some degree, but it's evolving much faster than the way we generally used to build software. But I think the security team, security in general, the industry has to catch up to some of these things. Now I think there are many insertion points, and to your point, Den, data used to be shared within the four walls and behind the firewalls and whatnot. Now it's a ChatGPT, Claude interface or Gemini or something else. There are so many ways you can ask questions. You accidentally open up a file that contains all the secrets, or the file that contains all the PII data, or the file that contains all your customer data.
So you've got to be careful with how you're connecting and how you're asking the questions. Prompt engineering, prompt injection: the vulnerabilities are slightly different. It's no longer just in the code, it's also in the prompts. We have to look at the market, look at the landscape slightly differently. But I think many enterprises are going to go through the struggle. But a lot of the vendors are up for the challenge. I'm hoping that between both of us, what we are working on or what we have already worked on will help those enterprises, and in the future, with MCP integration, can also help them secure their APIs and MCP servers even more. I consider both an opportunity.
Den:
So as we get close to wrapping up, one of the observations our team had with you guys was you can help your clients really quickly. I see the acceleration of deploying your technology at a client site as being really rapid. Can you explain, just share a little bit, what does a typical engagement look like? So they call you up, you come in, you do a POC; what does that journey look like for a typical client?
Javed:
So let me start with Lineaje. The typical engagement that we get into is, first thing, risk is misunderstood or not understood. So one of the things that Lineaje can do is, given a portfolio, in a couple of days we can scan all your source code and all your containers and essentially tell you what your risk is, what your applications are, and where the risk is. So one is what is the risk, but more importantly, where is it and where is it coming from? The name of the company is Lineaje, and what's the lineage of your risk? How much is coming from open source? How much is coming from third party? How much is coming from your own code and applications? So once you understand the source of risk, then the question is how do you go about fixing it? And so we drive that fix. So in general, in an engagement, in a couple of days we would be able to tell you where your risk comes from and generate plans on how to fix the most critical part.
And then the question really is how do you now make it operational? And so that's where an integration like Opsera is invaluable, because now you can autonomously start fixing things with our agents and of course with Opsera. And so we try to bring Opsera into those engagements because we need really tight DevOps integration and dev integration, which is a different set of tools. But basically we deliver that; in some companies they already have it, and of course we'll autonomously deliver that. But typically an end-to-end POC takes about six days. And then companies are faced with a decision of spending a reasonable amount of money to eliminate risk.
Den:
Yeah, I think what you really said was spending a reasonable amount of money to save a shit ton of money and eliminate risk. Exactly. I think that's what I heard, Javed. It's funny because we shared this slide earlier of cost savings. Kumar shared other slides with us as well when he met our team, and having lived this life, I mean, I know the amount of money you're spending to deal with this problem on the human resource side of it, I also know the time it takes, and I also know that most companies aren't even getting to do it. They're not on top of it. And I think spending a reasonable amount of money to save a shit ton of money and reduce your risk and be on top of the problem, because I think the next Log4j is out there. So for me, I'm like, yeah, I think you guys help solve a problem that Log4j really highlighted. I mean, it was huge.
Kumar:
It was really huge. And also it's simple: basically, whether you engage through Lineaje or us, the seamless integration, as I talked about before and as we discussed with both of you, makes it very transparent, and it takes a couple of hours for a customer, a potential prospect, to see the value of bringing an image in for a scan, and we'll be able to tell you how we can easily fix the issues. The decision-making process is a little complicated because of the many parties that are involved: CISO and platform engineering group and VP of engineering. So that's where the consensus has to come in. But given that we show the results, we are able to cut down the time, and hopefully we can make the buying process even more seamless as well.
Den:
Yeah, yeah, exactly. So we're up on time, gents. I love this conversation. I love it more because, as Kumar knows, we lived the dream, we lived the nightmare, whatever you want to call it, but we were the ones in the background, with the security team sending us the ever-growing list of shit we had to deal with, and you were just never able to get on top of it. So the ability to leverage your combined platforms together to really get on top of this, I think finally something exists in the market that can help these teams get ahead of the problems. And it's exciting. I'm going to leave you guys to close out the show with one parting word of wisdom or call to action for our audience. Javed, why don't you start that one off.
Javed:
So first, thank you for inviting me. So, Den, it's a pleasure being here. And the one word, one sentence of advice I would lay out is that building safe, transparent applications and deploying them is possible, and Lineaje and Opsera will take you there.
Den:
Awesome. Hey God, you should be a salesman. Kumar, anything else to add to that one? I don't know if you can beat that to be honest.
Kumar:
No, I can't beat that, but sure. But I think, first of all, thank you again as usual, and along with Javed, it's always great talking to you. You guys give a lot of nuggets in the conversation, and I always make note of that and continue to learn. But I think, to sum it up, we are here to help. You don't have to deal with the challenges that we all dealt with in the past. You have a solution, you have a platform. It's just one phone call away. Just sign up for a demo, sign up for a POC, we are here to help.
Den:
And we'll put all the links in the show notes when we publish this on the podcast side as well. So gents, thank you very much. Great conversation. Everybody, thanks for listening in, and it's great to be talking on topics like this that I think are exciting, when you see shit done right, and this, for me, is awesome. So thank you, everybody. Thank you.
Kumar:
Thank you.
Den:
Thank you.
Narrator:
Thanks for listening to 9 0 9 Exec. Subscribe wherever you get your podcasts and don't miss an episode of your source for wit and wisdom in cybersecurity and beyond.