
EPISODE · Mar 6, 2020 · 22 MIN

Founders on Fire with Manish Gupta, CEO and founder of ShiftLeft

from The Tech Trailblazers Startup Podcast · host Rose Ross

On today's Tech Trailblazers: Chief Trailblazer, Rose Ross speaks with Manish Gupta, CEO and founder of ShiftLeft, winner of this year’s Security Trailblazers. Manish shares more about ShiftLeft and what made it stand out amongst other security firms, his journey before and during his time leading  this Security Trailblazer. More about ShiftLeft at www.ShiftLeft.com. Host: Rose Ross Download or subscribe to this show on Spotify You can contribute to Tech Trailblazers by sending an email to [email protected]


TRANSCRIPT · AUTO-GENERATED

Hi, here we have Manish Gupta, the CEO and founder of ShiftLeft. So welcome, hello, Manish. It's lovely to meet you.

And congratulations on your win, fresh out of the gate, only announced on Monday. So here you are at RSA. Super excited. Thank you so much.

Thank you to your readers and your panel for selecting us. Yeah, we couldn't be prouder of where we are. Brilliant. Well, it's a nice way to kick off the RSA week, because it was a tough one.

It was a tough one. And we were chatting just before the start of this about where you come from and the success you've experienced with FireEye, the stuff that you've done at Cisco, McAfee. So RSA is in your blood now as a conference and the place to be. Could you perhaps give us a brief description of ShiftLeft?

Because as we were talking about earlier, ShiftLeft is not just your company. It's also a way of thinking. It's a position, a mission within the IT community now. So tell us a little bit about where the idea came from and what it's all about.

Indeed. And I think let me take you a little bit back to my journey through FireEye, Cisco, and McAfee, because it's very relevant. So across those three companies, about 16 years, I spent detecting viruses, worms, nation state attackers, modern malware at FireEye. And it was circa 2015, when I was talking to customers, and everyone was telling me that they're developing more software, and they're developing it ever faster.

And what's more, people are increasingly deploying that software in the hybrid cloud, AWS, Azure. And when I looked at that, everything around us is being driven by software, whether it is web applications, whether it is mobile applications, whether it is self-driving cars. And having been in security for about 15, 16 years, I also knew that there is no way we are going to get better at security if we continue to react to threats. Why?

Because we see way too many of them every day, right? So about 350,000 pieces of new malware are seen every day. Right? And so if you're reacting to those threats, you're allowing the bad guy to shoot first, and then you're trying to react.

And so that's when I felt that if we are going to get better at security, we have to fundamentally shift security left, which means that we have to enable developers to develop software more securely. And as I came to that realization, the next step was, OK, well, now that I believe that that's what needs to happen, what are the solutions that are available in the marketplace? And what I found was that all the solutions that customers are using were about 15 years to 20 years old. And since software development has changed so significantly in the last five years, using all of these legacy code analysis solutions was creating a lot of friction.

They are very slow. They are very inaccurate. And so the whole process of running code analysis, looking at the scans, prioritizing them, takes too long. As a result, many companies, what they do is they're developing perhaps and releasing on a daily or weekly basis.

But they're only doing code analysis once a month, because it's so time consuming. And so that is what gave rise to ShiftLeft, to, for the first time, come up with a code analysis solution that is built for the modern software development lifecycle. And so in 2016, when we started the company, we called it ShiftLeft, which back then was a very rarely used or understood term. And we are very excited to fast forward to 2020.

And it is like a verb being used by many customers that are across the globe. I constantly run into even larger companies who are saying, we have an internal project called shift left. So it's great. Yes, it's very much ahead of the curve there, very much ahead of the curve.

So that was obviously your focus. And you've come from, I mean, it's obviously been inspired by your conversations, many, many conversations when you were working at FireEye. And obviously taking that from an idea to a reality. And obviously, we like to think that the accolade that you received is a reflection of what you've achieved, because it's not just about having a great conceptual product.

It's also how you're taking that to market and making that a difference. So for software development teams who have embraced agile development, you now also have a platform that allows them to do that securely, but without the hindrance perhaps of some of the lag that they were experiencing before. Indeed, ideas are a dime a dozen. I think it's the execution that's super important for a startup to get to where we've gotten to.

And that really comes, execution is, of course, dependent heavily on the team. So we're very, very fortunate to have put together the team that we've put together. Brilliant minds, very passionate, very committed to this very notion of how we go about shifting security left. And yes, to your point, we now have a platform.

As a result, we are now helping customers do code analysis as far left in the development cycle as possible, which is the modern pull request. Pull requests through platforms like GitHub, GitLab are becoming the way for developing software. And every time a developer makes a change, he's doing a pull request. And as we are inserting code analysis at that very stage, we are getting that developer while the entire context of the change that he made is fresh in his mind.

We are telling him, here are the things that are wrong. Here are the vulnerabilities that your change is causing. And he fixes them. And so while that is one part, we are also cognizant that security also has a very important role to play.

They are the ones who have a company-wide view of what security is desirable, how much risk they're willing to take, and perhaps what is happening in the macro environment in terms of threat landscape. So security now for the first time can institute policies, define policies, to say, hey, anytime a pull request creates more than, for example, three critical vulnerabilities, we need to fail the pull request. And so this allows security to provide automated feedback, again, as soon as the pull request is done. And when you compare this process with how legacy application security gets done, we find that this ShiftLeft way is about six times more efficient for customers.

And that is really the future is we have to reduce the operational complexity around AppSec, because that is when both developers and application security teams are going to want to do it. Because if it remains as cumbersome as it is today, for most companies, it will be an afterthought. It'll be a check in the box. And from your perspective, to talk about execution, what do you see as some of the challenges that you faced in the shift left journey so far?

Yeah, so what we are doing is hard, trying to understand a piece of software, because software is written in multiple languages. And each language is like English. And so its grammar is different. Its syntax is different.

And so that is one of the harder parts, to continue to support additional programming languages with the level of accuracy that we demand. Because we don't want to compromise by just saying, hey, we support this language, but give crappy results to developers, because that is a sure, sure way of making sure they don't use the product. So that has been the hardest part. And that in turn means just sort of hiring the brightest minds who can help wrestle this problem.

So I think the two go hand in hand. But that is the very nature of a startup. You believe passionately about solving a particular problem. And I like to believe the harder it is, the better it is, because it creates a protective moat around us.

So that fewer companies out there can compete with the product solution that we developed. So today, for example, our code analysis is 40 times faster than anyone else. We can scan about a quarter of a million lines of code in 28 seconds on average. We are about three times more accurate than anyone else.

And from a workflow perspective, we are integrating this code analysis at the pull request and saving the operational cost that I talked about. And those are sort of hard to achieve. So yeah, I'm very proud of the team and having gotten here. Good.

And you guys are based on the core router, aren't you? No, we are based in Santa Clara. OK, we have a very distributed team. We have an office in Berlin.

Yeah, and many, many people just around the globe. Wonderful. So you're feeling very international? Yes, already.

Well, that's good given the global opportunity, because COVID is going crazy everywhere. Yeah, indeed. And also, I think I like to say that, while Silicon Valley has been an important hotbed of innovation, we don't have the monopoly on talent.

There are smart engineers everywhere around the world. And thanks to platforms like GitHub, for the first time you can create a team that is as international as we are. And yet be able to create a cohesive team that works together.

Five years ago, this really wasn't as feasible as it is today. So that's helping entrepreneurs like yourself to find the talent. And not necessarily have to pull them all into one location, which is amazing. And what are you most proud of over your journey so far?

Yeah, I think the thing that we're most proud of is the customers that we've now gotten onboarded, who are using the platform and the benefits that they're seeing. So as an example, one of the world's largest airlines came on board as a customer last week. They have about 20 million lines of code.

And they were able to onboard that into our platform in three days. That's just unheard of. When we asked them, they were using another code analysis solution in the past. And when we asked them how long it took them, the usual rule of thumb for that many lines of code and that many applications is about three months.

So what historically got done in three months we are now doing in three days. So you're going to make a time machine for onboarding then? Yeah, yeah, exactly. And to that end, I should say at least 40, 50 engineers out of that team are already onboarded into ShiftLeft.

They're creating accounts of their own. They're scanning their own applications, seeing the results. And so the very discussion that we were having earlier, how do we insert code analysis into the developer workflow? That is becoming real.

I should mention, before you walked into the room, there was a customer here. And this is often something that we hear. And in that particular customer's case, the ratio of developers to application security is 400 to one.

One application security person for every 400 developers. And that's the norm. We usually see anywhere between 80 developers to one application security person in the most security conscious organizations. And then it goes all the way to even 400, 500 developers per application security person.

And that's a big gap. Exactly. And so regardless of how we think about this problem, regardless of how good a solution is, if we continue to ask that one application security person to manage the work, the development work of 100 developers, it's an impossible equation. And so we have to find a way to leverage the developers to do code analysis.

And if we stay with that vision, that goal, then some of the requirements of the product just get obvious. It needs to be fast. It needs to be accurate. It needs to be a workflow that developers like to use, and it causes minimal friction for them.

Because that's always been the issue with security. It is. You can be really secure, but you can't actually get anything done. Right.

Because it doesn't allow you to actually operate in a way that you need to. So that's good. So from your perspective, obviously, this is one of your early accolades. I'm sure there will be many more to come.

What would you sort of say to others? What would be your view on getting involved with things like this? Yeah. I mean, of course, to your listeners who are trying to solve the application security challenge, I invite them to try out ShiftLeft.

We became, I think, the first company that is now offering this as self-serve. Because, again, we're appealing to developers, and developers usually don't like to talk to marketing or sales folks. They're very technical. They're very hands-on.

And so they want to just try out the product on their own and see if it meets their needs. And so that is now possible. Your listeners can go to shiftleft.io and just try it out on their own. So that's the first step.

The second is those listeners in your audience who are less a part of the organization, but are developers who want to contribute to the improvement of security. We have various open source projects. So we've taken the schema, the specification of our intellectual property, the code property graph, and we've open-sourced it, which allows anyone out there who wants to leverage this specification to convert a programming language to it so that they can use our tool, one version of which is also open source, to analyze their own code. So that is sort of a meaningful contribution that one could make to the community at large.

Well, I think that's always a nice thing. I do see a lot of the startup community where they'll be embracing both. So you'll have an open source sort of initiative. And people will be very passionate about that as well as obviously the commercial one.

Indeed. I think you have to create a balance between the two, yes. Right. And from your perspective, as an entrepreneur, what kind of value do you see in being named as a Tech Trailblazer in the security space for the eighth edition?

It's been going for a while. You've got some wonderful predecessors. I was talking about ZeroFox, whose Evan Blair I spoke to yesterday. And other great names, Zscaler and other guys, who've gone on to great things.

So hopefully over the next couple of years, maybe we'll sit down again and you can talk to me more about the journey so far. And what's next? Is there anything that you can tell us about that's coming down the pipe? I mean, you've actually been talking to the media over RSA and may well have made some announcements.

Yeah. So first of all, it's a great, great honor. We're very proud to receive the award that we have. Like you said, the company that we are in makes us even prouder, with companies like ZeroFox and Zscaler.

I think the way that you select the winners, which is sort of a polling mechanism, right? That's what I said. Right? As well as the judges.

So that's very important also for us. And in terms of sort of what's in the future for us, I think short term, we're very focused now that we've developed the platform to get as many customers on board as possible. So there's a lot of focus now on making the self-serve platform as easy for developers to use, right? Because the key to success of this strategy lies in developers just trying the product out on their own, providing us feedback when something is not good and can be improved, right?

And using the product when they think that they are satisfied, the product meets their needs, right? So that's one. And I think the next big focus that we have is, historically code analysis has been very focused on technical vulnerabilities, right? While they are important, increasingly the hackers are leveraging business logic flaws in the application to exploit them.

OK. It's a funny pathway in that. Exactly. And again, I believe we are the only solution that can detect business logic flaws in source code.

And so that is an area that we're very focused on, how do we create more and more use cases where customers can use our product to identify business logic flaws, right? Because today, the only way that gets done is either through pen testing at the 11th hour or through manual code reviews, neither of which scale. And it's not either or, right? I mean, one would probably still need to use pen testing.

But the more business logic flaws that we can identify and detect, again, at the pull request, the more efficient an organization becomes and the less expensive security becomes. Because as soon as a change has been made by a developer, you're highlighting some of the things that could be wrong. And just to give you a couple of examples, because business logic can be a very broad term. So one good example is, as customers are rapidly moving into the cloud.

Developers perhaps sometimes make mistakes and hard code credentials in the source code, or secrets in the source code. And secrets being leaked in a program can cause massive damage to an organization. So how do we find those? How do we find back doors in the source code?

Some third party developer, some disgruntled developer writes a back door so that he can log in at a subsequent time in the future and just get root access. Finding those things is not possible with legacy code analysis solutions. And that is what we're bringing to the table also. Well, you've got to pick them out there, right.

Yes, exactly. And we'll continue to move the security conversation forward. Some people in the industry discuss how we have DevOps as a culture, as a way of developing and deploying software, but security is being left behind. And if we are going to get better at developing software securely so that inherently we are creating more trust with our customers, we have to find a way to insert security into this highly agile DevOps, CI/CD, whatever you want to call it, pipeline.

And that's what our vision is. And obviously, this is a venture for you in the entrepreneurial world as well, from slightly more corporate previously, you've actually moved into startup. What's your advice, having done this for a period of time and obviously making some really great progress? What's your advice to others who are on this journey?

Yeah, first of all, I'm humbled by the very question. But I would say for those of you listeners who think about starting a company, follow your passion. Some entrepreneurs approach me and say, I want to start a company, but I don't have an idea. And I think that's the wrong way of thinking about it.

You have to become passionate about a problem that you want to solve, right, as opposed to how to solve first. And because once you get passionate about a particular problem that you want to solve and you spend enough time, you will find either a solution to the entire problem or a solution to a part of the problem. And once you achieve that, everything else from that point onwards gets easier. You're committed, you're not in this for money alone.

You identified a problem that you're very passionate about solving. And that'll hold you in good stead during both difficult and good times. Because that is the very nature of a startup. It's a seesaw.

Yeah, it's a rollercoaster. I just think that's a better way to put it. Enjoy the ride. Fantastic.

Well, thank you so much. Wish you continued success at the show. And thank you for spending time with me and telling me more about what you're doing. And hopefully we'll get to hear more about that over the coming year.

Thank you so much. That was great to meet you. Thank you. Thank you.

You're welcome. Bye.
