theCUBE + NYSE Wired: Zero Trust Cyber Series
Roni Fuchs, CEO of Legit Security, founded the company in late 2020 after identifying a gap in application security. Legit Security focuses on application security posture management and aims to prevent vulnerabilities in production environments by providing visibility and context to security teams and developers. The company uses AI to map data and prioritize vulnerabilities based on business impact.
Fuchs' experience in IDF's Unit 8200 influenced his approach to problem-solving and innovation. Legit Security targets big enterprises, especially in t...
John Furrier
>> Hello and welcome back to theCUBE. I'm John Furrier, your host. We are here at the NYSE CUBE Studios as part of the NYSE Wired Community, and we're psyched to be here on Media Week. This is Cybersecurity and AI Innovators. The AI Summit's going on in New York. We're here getting all the action. Roni Fuchs is here, CEO of Legit Security. Very legit technology. Great to have you on. Thanks for coming on theCUBE.
Roni Fuchs
>> Great being here.

John Furrier
>> Not a bad backdrop here at the NYSE.
Roni Fuchs
>> It's amazing.

John Furrier
>> Soon you're going to go public here.
Roni Fuchs
>> Give it a few years, but yeah.

John Furrier
>> You guys are doing good. Congratulations on your business. Give some context. You guys started at the end of 2020. Talk about the company, then we'll get into some of the conversations, what's going on in the marketplace and your products.
Roni Fuchs
>> So we started at the end of 2020, but we had years of experience in application security much before that. And basically we started the company because we've seen a lot of changes in how developers are working, while at the same time we haven't seen the security vendors, the application security vendors, changing with them. The changes we've seen back then were the usage of agile, microservices, cloud adoption, just adopting a lot of technologies, which developers are doing and they're doing it really well, and we felt that the security equivalent of that was not catching up. And a good example is also, we'll talk about it probably later on, but is GenAI. It's also something developers adopted really fast, and there were just a lot of gaps and holes in how the security side was ensuring those apps are secure. So that's basically why.

John Furrier
>> What was the motivation for getting into application security posture management, as it's called? Because, as you mentioned, GenAI is just the one forcing function. You have just posture in general, and I bring it up because I'm curious to know where the origination came from and kind of where you are now, because the number one thing I hear from companies that are implementing and the vendors that serve them is how do you bring in innovation while maintaining the posture, which is a balance. Share your story, the origination and the motivation behind the posture management and the impact of GenAI.
Roni Fuchs
>> So when we founded the company, it wasn't called application security posture management yet. We basically identified, recognized the problem, and the problem was that applications weren't secure when they got to the production environment, and the reason they weren't secure is that the security teams did not have the right visibility on how those applications are being built. When you think of how apps are being built, it's basically a lot of moving parts. It's developers, third parties, code, build servers, GenAI, pipelines, cloud adoption, and just having a map, it's a lot of data points. Having a map of all that data was something that was missing. So we built Legit to address that, and part of the innovation is how do you use AI to map the data set while helping security teams make sure that what they're getting, that posture, eventually reduces risks. That's what you want. Most of our customers are big enterprises, some huge financials, and they want to make sure that the applications that their customers are using are secure, and that's something that has to catch up with the way developers are working. So basically the room to innovate starts with developers, and we brought it to the security team. We wanted them to be able to stay at the same speed, not reduce the speed, not block the developers. That's why we founded Legit. Gartner called it ASPM three years after. But yeah, that's -

John Furrier
>> Gartner likes to make up new categories, but it's nice to create a category. I mean, you're in that. Is this also the shift-left wave that we're seeing?
Roni Fuchs
>> Absolutely. It takes a team, it takes a village to create a category. So it's not just us, but yeah, shifting left some of the controls. Eventually, when you think of what we need to secure applications, we think about it in three pillars: find, fix, prevent. The application security industry historically was focused on finding, finding vulnerabilities. Vulnerability management was focused on fixing, not necessarily obstacle nor that is what's fixing. There was no vendor, company or platform that looked at the entire end-to-end lifecycle of that, where eventually the goal is to prevent. We want them to not get in in the first place, and the way to do that is to track how developers are working and put those guardrails around them to make sure that they can continue moving fast, innovating and developing securely.

John Furrier
>> One of our analysts, Paul Nashawaty on our CUBE research team, covers the app dev space, and app dev has been shifting as well, because you have the cloud-native platform engineering teams, which now are overlapping with the security teams because of the role of data. Actually cloud-native and microservices, obviously cloud operations, dev stack ops, et cetera, is in there. So we're doing an app dev summit coming up in March. Definitely want to have you guys there to contribute to that. But it brings up the question of developers shifting left. Yet we've seen that in security for a while. That's been the DevOps revolution. Now you've got generative AI coming down, where I don't know what they're shifting to, but it's the same kind of pattern. During the shift left, the beginning of that phase, the standards that were emerging around that, you heard things like guardrails, I've got to have the guardrails. We want to have some automation. I want to have ease of being in the CI/CD pipeline, where at the point of development you can deploy frameworks and reference implementations around standards so they don't have to come back and fix.
Roni Fuchs
>> Yeah.

John Furrier
>> Okay? Data is becoming the same thing. We're starting to see the same thing. Guardrails, AI safety. I mean safety and DevOps, both don't let it go down. Day zero, right? So you've got the collision between two worlds going on right now. You have the expansion of the foundational cloud-native infrastructure services, and we heard from Amazon re:Invent, we were just at, those chips are getting tightly coupled with the software. So is that platform engineering stabilizing? In comes the data engineering piece; that's where the security goodness will come out of. So are you seeing any parallels between that shift left and coming up against the DevOps piece of it, because developers like that shift left and now data's coming in, being central to cybersecurity. Data is at the center of the opportunity.
Roni Fuchs
>> A hundred percent.

John Furrier
>> What's your vision on that?
Roni Fuchs
>> So my vision, our vision, the company's vision is that it is a data problem. Understanding how applications are being built is a lot of data points, and we are seeing that shift-left movement and DevOps engineers, by the way, they led this revolution, the DevSecOps and DevOps revolution, they're at the core of this. And you talked about the friction. I think the friction comes because there's not a common language, when security engineers own making sure that the applications are secure while developers own making sure those applications are driving the business, generating revenue. They don't want to slow each other down, and when they don't speak the same language, when security teams don't know what the developers are doing and the developers don't necessarily know why it is important to fix this vulnerability or this issue before that, that's more where the friction happens. So for us to automatically detect that, create that common language, and we use AI to do that, basically train an LLM how to reduce false positives, how to get three times as much AppSec workforce. That's part of it that reduces the friction by itself.

John Furrier
>> I've got to ask you, how has your IDF experience with Unit 8200 impacted your thinking as a founder, and as you assemble your team, as you look at the cybersecurity landscape? Obviously it's an elite group in the IDF. As cybersecurity takes on that teamwork approach, we heard that a lot. How has that experience impacted your entrepreneurial venture?
Roni Fuchs
>> I think my life changed, went to a different path, when I was basically accepted to join 8200. I think being surrounded with such amazing people trying to solve such hard problems, and doing that with basically just use your imagination to solve it, that changed the way basically innovation happens. Just being around so many talented people allowed us to hire the best talent in Israel and in Tel Aviv from day one. And on the other hand, that framework of thought of how do I solve a problem? Not how do I apply a technology to something in the world, but hey, here's a real problem, here's a change in the world. How do I solve that? That's something that I was lucky enough to learn in my service.

John Furrier
>> I was interviewing another entrepreneur with the NSA in America, and he was on the offense side there. Now he's on the defense side. He mentioned something I want to get your thoughts on, because you just brought up something that triggered that for me. Cybersecurity used to be a software business. Hey, put a shield around that little port or a software, and protect that little device. To more of a system view, where craft and problem solving comes into play. And so we're moving from a software-centric-only protection to software that enables the human and teams to build craft in the job. I don't want to say Warcraft, but I'm talking about tradecraft. You're talking about cybersecurity as a systems view, heavy on data, heavy on situational awareness. What's your reaction to that?
Roni Fuchs
>> So I think there's some truth in that, but even those systems are software eventually. So it's like a loop, but basically you go back to software. Software is the thing that drives our world, and GenAI is software, data is software, systems are software. So I think eventually it's true, but it's also, you trust that software. It's a trust question essentially. And to be able to put those guardrails, those systems, you need to have that trust, and having that trust is the foundation basically to do that.

John Furrier
>> Okay, so Legit Security, you guys are targeting which market? If you had to say which market you're targeting, what would you say?
Roni Fuchs
>> So most of our customers are big enterprises, Fortune 500, many of them listed here, and basically big enterprises where software drives the business, which is 95% of the enterprises today in the world.

John Furrier
>> And they buy your product because they're on the defense side, threat hunting, incident reporting? Where is it, or is it more of just managing base infrastructure?
Roni Fuchs
>> So basically it's application security, DevSecOps, product security teams that are overwhelmed or drowning in endless lists of vulnerabilities and at the same time don't necessarily feel they're getting anything done. It starts with visibility into what we find, and then you want the capabilities for fixing and preventing. So it's mainly that part of the market.

John Furrier
>> And who do you sell to when you go in there? Who's the key persona that you target?
Roni Fuchs
>> Application security, security architects, sometimes chief information security officers, but usually the hands-on people are application security and product security.

John Furrier
>> So I have to throw this out there. There's a big buzz over low code, no code, agents, coding code assistants. Okay, that's going to open up some democratization. Look, I get that, I buy that. But then the hardcore developers moving down closer to the hardware, how is that impacting the stack when you look at GenAI coming around the corner for security?
Roni Fuchs
>> So I think today you can train LLMs to help you understand code at a much better level than you could a couple of years ago. It nearly didn't exist back then. So the problem shifts from specific programming languages that might be relevant for low code or for higher or lower levels of programming to just making sure that the process itself of building software is secure. It's actually fueling our industry. It helps us give value to our customers even faster.

John Furrier
>> Roni, talk about the software developer now. You mentioned that earlier. I love that, because they're coding all the time, and again, even with the help of GenAI, it's still a human fact. It's got to design it. What are some of the challenges right now that developers are facing with security coding in line? Yeah, shift left has gone on for a while, because you've got software supply chain, which everyone's been talking about a lot, still out there. You've got all kinds of other potential areas in the workflow. What is the biggest change in the app development process?
Roni Fuchs
>> I think the biggest change that we're seeing, that we're helping our customers with, is to not suffer so much from security. It's like they suddenly know what to do, they can do it faster, they know it earlier, not after they finish developing the product, the feature, the capability, but as early as possible in the life cycle. That's the prevention piece, and generally they just like each other more. It's eventually humans. We're all people, and we want the security teams to get along with the developer teams. They just achieve more.

John Furrier
>> Okay, so I'm the customer, I'm sold. I like working with you. What do I do? Am I downloading a service, a subscription? How do I deploy Legit Security? Take me through the day in the life of what I do if I'm in.
Roni Fuchs
>> So we're a SaaS company. Most of our customers use us as a service. It takes a few minutes to create your tenant, and you connect us to any place within your SDLC, usually the code repositories, and then we sprawl our way from there automatically. We'll detect for you all those parts I just mentioned, and then you'll get a graph view, just a map of what my software factory actually looks like, which applications am I building, what's the business context of each one of them. For example, if you have two vulnerabilities in two applications, one is customer facing and being deployed to production every day, that's naturally much more critical for you to solve. So we give you that visibility, and we'll just help you go through that journey of basically preventing the next vulnerability.

John Furrier
>> So your value proposition to me then is I don't get vulnerabilities in production. Is that one of the main key benefits?
Roni Fuchs
>> So the main key benefit is having visibility into the process and eventually moving to the prevention mode and putting the guardrails where no new vulnerabilities are being entered, because once we deploy, we detect a lot of things. And you can think about it as a ship with holes. Most AppSec vendors in that analogy give you maybe buckets that you could start to, we help you close those holes and then you can use the buckets as well. But eventually what you want is no more water in the ship. You don't want to sink.

John Furrier
>> You make sense of the leaks, but maybe no holes.
Roni Fuchs
>> Yeah, yeah.

John Furrier
>> Holes sink the ship.
Roni Fuchs
>> Exactly. You don't want your ship to sink. You want to make sure it doesn't happen. So the process is to map out those holes.

John Furrier
>> Give an example of a use case. You don't have to name the customers, because it's obviously sensitive if you're a client, or you can use external names too. But give an example of what would happen if you weren't there, and then an example where you have been involved and prevented a potential vulnerability or breach.
Roni Fuchs
>> Yeah, so one good example, I won't name the customer, but it's also a big financial. After we detected those -

John Furrier
>> Holes....
Roni Fuchs
>> holes, basically, yeah, we saw that there's a major build server, where applications are being deployed to production all the time, that was exposed and had vulnerabilities in it. Now that was very low in the priorities of the security team because it wasn't a significant vulnerability, but when we saw what's going on through there, and that an attacker could get access to that source code, basically exploit that and could affect all of us, we helped basically put a spotlight on, hey, you have to solve this thing first, and this is how you solve it, and this is how you patch the hole so it won't happen again. So we had that happen more than once, and had you not had Legit or a platform like Legit, you would probably still go with those traditional scanners scanning code, not being aware of the pipeline, of your entire posture, and you want to be able to prioritize what to do first, because traditional prioritization only takes into context the vulnerability itself, not the business impact. We add that layer.

John Furrier
>> So you gave a holistic view of the software estate, or factory as you say.
Roni Fuchs
>> Exactly.

John Furrier
>> And then look at vulns in that context.
Roni Fuchs
>> Exactly.

John Furrier
>> Timing, situation.
Roni Fuchs
>> Criticality, business impact. We also trained an LLM that helps you reduce false positives. A lot of vulnerabilities historically were false positives, and then you lose the trust between developers and security teams. So we've trained internally an LLM for many years now that helps reduce false positives, making sure that again, you're prioritizing the right things, you're deduplicating the issues.

John Furrier
>> So I'm a customer or a prospect. How do I know I need to call you guys up, and what signs in my environment might be the smoke before the fire, so to speak? What's happening in my world that you would say, that's where you need me, or I would know to call Legit Security?
Roni Fuchs
>> So first of all, if you're watching this interview, that's a great start, but if you're an application security engineer, a security architect, you care about the security of your applications and you just feel that you're not getting anything done. It's just endless work. More vendors, more scanners, and you need one place to manage the entire process. That's when you call us.

John Furrier
>> And you can work within all those tools. You can work with all those?
Roni Fuchs
>> Correct. Yeah.

John Furrier
>> Okay. You're like the radar?
Roni Fuchs
>> Exactly.

John Furrier
>> Look at this code. Okay, here's where it's at. And then the experts could apply their craft and context to the situation at hand?
Roni Fuchs
>> And they can use the context that we're seeing from any scanner that you have, any vulnerability that you have, to prioritize the most critical work first.

John Furrier
>> What kind of companies work with you? Is there a specific industry? Is it more horizontal? What would be the pattern you're seeing with the customer traction?
Roni Fuchs
>> So any enterprise is usually a good fit. They all rely on software, but financials is our biggest segment. Tech companies, a lot of the tech that's around us uses us. Some of the more traditional enterprises, pharmaceutical, manufacturing, basically. If you have more than 200 developers in your team, then you care about your applications, and then you need Legit.

John Furrier
>> When you have that size of developer army, if you will. I call it army, because it's a lot of developers. Is it more inertia internally? Is the challenge just coordination, or is it productivity? What's the main -
Roni Fuchs
>> It's all of the above, because your developers are not producing the right things if they're hung up on fixing vulnerabilities that might not be relevant. It's about getting the trust. By the way, our average customer has thousands of developers, so the complexity grows very significantly the bigger you are.

John Furrier
>> It's a battalion.
Roni Fuchs
>> Yeah.

John Furrier
>> As I say. Okay. So where are you guys at now? What's your growth strategy? Give some metrics, some of your accomplishments and milestones you've hit, funding, employees and your plan.
Roni Fuchs
>> So we're about a hundred employees. The product and engineering team is based in Tel Aviv. They're an amazing team, even though it wasn't an easy year for everyone. The sales and go-to-market is based mainly out of the Boston headquarters. We grew very nicely in the last year. Most of the hires happened then. About a year ago we raised our last round, and we're here to keep on growing.

John Furrier
>> So go-to-market and engineering, mainly the normal stuff?
Roni Fuchs
>> Yeah.

John Furrier
>> Cool. How do you feel? How are things going with you?
Roni Fuchs
>> So I just moved to the U.S. three weeks ago, so I'm really happy to be here. It was the shortest ride I ever did for an interview.

John Furrier
>> You drove down from Boston?
Roni Fuchs
>> Exactly.

John Furrier
>> Because it's easier to drive than fly, I found.
Roni Fuchs
>> And I'm really excited to be here. NYC is decorated for the holidays. There are amazing people all around us too, great conversation. So I'm really excited to be here.

John Furrier
>> It's a great time of year. And what a great journey you've had. Again, two computer science degrees, undergraduate and master's. Cybersecurity is a hot area. What are the big concerns that you might have that you think the industry should be aware of? Resilience has been kicked around. GenAI has shown that it's off to the races. The hype curve is kind of dying down. You're starting to see more rational, practical use cases, but still resilience. Think of GenAI as like another application. Many people have said to me, "John, it's just another application. We've got to go through AppSec review." And so take us through, as you look at the posture side of it, if GenAI is just another application, now granted it's got some extra cool things that it's being enabled for, sure. We're very bullish on GenAI. What should people be afraid of? What should they pay attention to? What do your instincts tell you? What does your data tell you?
Roni Fuchs
>> I think GenAI is here to stay and it's an amazing thing, and not only is it an application, it also generates code. So it even multiplies the need to secure software. I think the biggest thing that I am seeing, I'm seeing that happening all the time, is that we should just continue collaborating much more. We're seeing different pieces of the pie, and I think that's what drives the security business forward, especially software security.

John Furrier
>> And for folks who have apps out there that have a critical business front end, with GenAI, that's their crown jewel.
Roni Fuchs
>> Exactly.

John Furrier
>> They've got to protect those apps and tie that back in.
Roni Fuchs
>> And you can market.

John Furrier
>> Yeah. Tie that back to the cloud.
Roni Fuchs
>> Yeah.

John Furrier
>> Cool. Roni, thanks for coming on theCUBE. Really appreciate it.
Roni Fuchs
>> Thank you for having me.

John Furrier
>> Thanks for coming on. We're breaking down all the action, Media Week here at the New York Stock Exchange. I'm John Furrier, and check out Legit Security and tell them John sent you to get a 10% discount. Only kidding. They'll mark it up 10%. Seriously, enjoy the rest of the program. Again, this is the kind of content and information we want to provide as part of our open NYSE Wired Community with the NYSE. And remember, security is critical. Application security continues to be a data problem, and as GenAI comes to software, developers still have to be productive. Whether they're agents or code assistants, we're going to see more and more software hit the scene. Of course, we've got you covered here on theCUBE. Thanks for watching.