Summary: Security has become the top priority for users as Cloud Native Computing moves into production. Cloud security has become a busy place, with both traditional and cloud-native vendors offering solutions to users. Oxeye is a new player in the space, still in stealth mode, offering a cloud-native application security testing platform. In this interview for KubeCon 2021 (NA), Dean Agron, CEO & Co-Founder of Oxeye, joined me to talk about why he created the company. “The main driver that moved us to open Oxeye was the shift in the application technology landscape towards a cloud-native approach, and that’s combined with the shift-left movement in the cybersecurity landscape, handing over the responsibility and ownership of security to developers,” said Agron.
Here is a summary of the topics we covered in this show:
- Introduction to the company, why it was created.
- Difference between traditional IT security and Cloud Native Computing security, and what unique challenges the latter poses.
- We hear a lot about shift left and DevSecOps, SRE movement, but how much of it is actually being practiced vs preached?
- Is Oxeye a security vendor or an observability vendor?
- What kind of solutions does Oxeye have?
- Presence at KubeCon and plans for coming out of stealth?
About Oxeye: Oxeye provides a cloud-native application security testing solution designed specifically for modern architectures. We enable our customers to identify and resolve the most critical code vulnerabilities as an integral part of the software development lifecycle. The company helps AppSec and Developer teams ensure no vulnerable code ever reaches production. The company’s solution offers a single pane of glass for microservices and modern application security testing by providing rich vulnerability context and limiting the noise of true/false.
About Dean Agron:
Dean is the CEO of Oxeye. He is a cyber-security expert with 14+ years of diverse experience in executive positions. Prior to Oxeye, Dean led the strategic consulting group at Kayhut, a cyber security service provider. He held a variety of engineering, sales, and partnership roles at Imperva and Check Point.
Topics: KubeCon 2021 (NA), Kubernetes, Security
Swapnil Bhartiya: Hi, this is Swapnil Bhartiya, and welcome to Let’s Talk About Kubernetes. This is our special episode for KubeCon, sponsored by the alternative cloud provider Linode. And my next guest is Dean Agron, CEO and co-founder of Oxeye. Dean, it’s great to have you on the show.
Dean Agron: Thank you, Swap. It’s good to have you.
Swapnil Bhartiya: Since this is the first time you’re talking, I would love to know a bit about the company since you’re a co-founder. So tell me, what problem did you see in the market that you wanted to solve, which led to the creation of this company?
Dean Agron: So both me and Ron, both of us, arrived from the cybersecurity landscape. We’ve been there for a while now. I held multiple positions in additional companies, both engineering and business roles. Same goes with Ron. He was a security researcher for a long time and then managed R&D teams. Now, we see two, I would say, the main driver that moved us to opening Oxeye was the shift in the application technology landscape towards cloud-native approach, and that’s combined with the shift left movement in the cybersecurity landscape, handing over the responsibility and ownership of security to developers. Those were the main drivers which moved us towards building a new, I would say a cloud-native application security testing platform, and that’s what Oxeye provides.
Swapnil Bhartiya: Perfect. And as you’re talking about, you saw a shift happening from app development, or traditional IT towards cloud native, and then also shift left when it comes to security. First of all, I want to understand from you how different is security in the cloud native landscape versus regular app development or traditional IT, what unique challenges does it pose?
Dean Agron: I think that the main challenge is the shift that happened with code vulnerabilities; this is one of the main challenges, and I’ll elaborate. In the past, we had a big chunk of code on top of a server or multiple servers. That’s the [inaudible 00:02:28] application. Today the code is everywhere. We have multiple components on top of microservices on top of containers, everything orchestrated on cloud environments. Now this shift has a major effect on security, and especially it reflects on the vulnerability landscape, the code’s vulnerabilities. Because in the past a code vulnerability started and ended on the same code base. Today it starts with one component, which may be developed in-house, externally, maybe an open source component, which is open to the internet, and the vulnerability stretches to the sync component, which is the secret, right? For example, now we are talking about a flow. So the vulnerability has changed from being in one core component to stretching over multiple components. Not only that, but now it also depends on the infrastructure layers, because if the container is configured in one way, then the risk or the severity of the vulnerability is one. But if the container is configured in another way, for example, sharing a namespace or sharing a resource with the host, then for the vulnerability on the microservice, the risk may be much higher. So that’s, I think, what the shift to cloud native did to the vulnerabilities landscape.
Another shift that we see, the shift left, means that developers are required to own security. And the cost of remediation must be lower than today. We must find new ways to make the remediation time much more efficient, and in Oxeye, what we’re doing is we are providing the developers very clear remediation guidance. We are taking what is used by the static tools, dynamic tools and interactive tools and handing it over to them. And I think that’s providing them what they need to resolve the vulnerabilities. I think another major challenge, which is a fault of the movement that I’ve just described.
Swapnil Bhartiya: I want to just discuss the second point that you talked about, the shift left, where security is becoming the developers’ responsibility. And yes, that’s one of the big differences from the early times. I don’t even know what the early times are anymore, but in the early times, security used to be someone else’s problem. But now it is a problem of the developer. We are also talking about a lot of paradigm shift, cultural shift. We talk about DevOps, DevSecOps. You talk about CSREs; a lot of new labels are also being created. Security there used to be a silo. Security teams were there. And there was a bit of friction also between developer teams, everything. Now we tried to break the silos, but now we have created new silos as well, if you look at it. So when we do talk about shift left, how much is actually happening, because we still talk about these paradigm shifts. And that said, we still see a rise in ransomware attacks and all of those things. So how much of this is just on paper, on trans, versus something that is happening in real life at companies as well?
Dean Agron: Oh, it’s a good question. It’s a good question. I think that, like in every trend, what you’re reading in the newspaper and what we see on the blogs and on the videos is a year ahead of us. So maybe more than that, but when we talk to CSOs along the road and [inaudible 00:06:38] leaders, their teams are getting smaller. Where new roles arise, for example, product security is a role; when I was a developer 10, 15 years ago, there was no such role as product security. DevSecOps is a combination of DevOps and security, but again, you never had such a role, and we see more and more security architects as part of the dev teams. So, even if not all developers have security as their second or third responsibility or ownership after they’re providing what they need, I think it becomes more and more part of the process, part of the development life cycle, rather than just owning it.
Swapnil Bhartiya: Do you see yourself as a security player, or do you see yourself as an observability player, because without knowing what’s going on, how are you going to secure it?
Dean Agron: So, it’s a great point, because one of our flags is contextual risk assessment. You need a security tool that has no observability. You’re blind, and Oxeye focuses not only on finding vulnerabilities, but also finding the application flows, providing visibility to developers. And I think that the best example for how Oxeye sees visibility as a major thing is we provide the developers not only the line of code and how to reproduce the step for reproduction in the vulnerabilities, we provide a complete what we vulnerable flow. Which component is going into which component to which [inaudible 00:08:32] which SSD pocket. So when a solution is defined, sometimes it will be defined in a different place than where the vulnerability is. And we believe that visibility is an inherent part of solving and remediating security issues. So that’s one of our core, I would say core values. When we build a new cloud native security product, you can’t cloud native without visibility; it won’t last.
Swapnil Bhartiya: We have been talking about the problem areas a bit. I want to understand the solution you have. Can you talk about what kind of solutions Oxeye has?
Dean Agron: So Oxeye is an application security testing platform designed specifically to overcome the challenges imposed by cloud native architecture, because what Oxeye does is first it analyzes the code’s vulnerabilities. A new OWASP Top 10 was just released, the updated OWASP Top 10. So Oxeye will first analyze the code’s vulnerabilities across the microservices and enrich it with data from the different infrastructure layers. So this allows us, once we’ve found the vulnerability, to first understand the application flows that are leading to it. And second, to understand the configuration of the layers beneath it, to give it context. And based on that context, provide risk assessment. Now it’s not only that we provide that, but Oxeye also has the edge of active testing, because we see the flows. We initiate active testing, active security testing, like mini [inaudible 00:10:30] on each vulnerability that we found. So the developers will receive only validated exploitable vulnerabilities. I think that’s the major functionality that our solution provides. Pointing out the vulnerabilities, validating them, and then providing holistic remediation guidance, or complete remediation guidance, to the developers.
Swapnil Bhartiya: You folks are going to be at KubeCon, but if I’m not wrong, you are still in stealth mode. So this is an interesting stealth mode, right? You are going out publicly, but you’re still in stealth mode. So can you quickly talk about what plans you have for getting out of stealth mode? What strategies do you have, and how are you planning to make a big splash in this cloud network?
Dean Agron: Sure thing. Thank you for the question. So today we are 12 employees; we are already running with multiple design partners, among them Fortune 200 players. We plan to go out of stealth in the upcoming weeks, and we are working with our design partners to release our MVP in the upcoming months. Now, our strategy on top of that is to be involved in the community. Ron, my CDR, Ron Vider, is a project leader of the OWASP Top 10 Cloud Native Security. We are also very involved in the CNCF, the Cloud Native Computing Foundation, contributing code and being part of the community. And we believe that today’s tools are bought bottom up; you need to convince the working or the engineers that this product provides value and saves time and effort.
And that’s what we are focusing on, building a tool that is very easy to install. It will be completely self-serve: just download it and install it. And once you’ve done it, you will see the value very, very quickly. And that’s how we are building the product. That’s why we are headed to KubeCon. DevOps engineers, software engineers. This is the audience that I believe today you need to convince; they need to want to use the product. And once they do, the organization will follow them. Today the leaders are the engineers and the DevOps. So, this is the audience that we are focusing on. I hope it answers your question.
Swapnil Bhartiya: Dean, thank you so much for taking time out from your schedule and talking about the company, your focus area, and also the whole trend that we are seeing in the cloud native space in terms of security. And I am already excited to see the company get out of stealth mode and looking forward to the next conversation. Thank you.
Dean Agron: Swap. Thank you very much for your time. It was a great session. Thank you very much.