Transcript
Mike: Hi, Mike Matchett with Small World Big Data, again here at RSAC 2025, talking with every great cybersecurity vendor here at the show. We've got Black Duck to figure out what they're doing and how they're adding to the cybersecurity conversation. I've got Tim here. Tim, how are you doing?

Tim: I'm doing well. Nice to meet you, Mike.

Mike: All right. So let's just start off with Black Duck. What does Black Duck do at a high level? For our audience, who may not all be security professionals.

Tim: So the easy way to think of it is, when people talk about cybersecurity, it's a continuum. And most people will think in terms of information security. How do I protect a document? How do I go and secure a VPN, that type of thing. We're different. We're in the application security space. So how do you secure the application that's behind the firewall? How do you secure the thing that is touching the data? That's really what we're all about.

Mike: And is that mostly a development-time process, or is this including when it's in source code or at other times?

Tim: So development time from design, implementation, deployment potentially, but across its entire lifespan, its life cycle. So people like to talk about the SDLC. And I've got a CI/CD process and I can integrate all this technology in there to do security testing. That works very well if you're in a cloud, but not so well if, say, you're dealing with a car or a pacemaker or an HVAC system or something that's got a long lifespan. So for us, software is software, and it's the actual trust that our customers have in that software that matters. And so we're enabling them to basically do that at whatever their scale of development might be. So as fast as cloud-native development might be, or for something that's going to last a few decades, that software, for us, that's the type of security that we're bringing.

Mike: All right. So is this, would you say, an operational kind of paradigm where we're interfacing with the code as it's being developed and getting back to developers, or part of a CI/CD pipeline? Or even bigger than that?

Tim: Even bigger than that. So it starts out with a CI/CD pipeline, starts out with the developers and their IDEs, giving them, for example, security information about what they're working on right now. So if they have a specific feature that they need to do, they might not necessarily, for example, know how a certain development model might work, how to work with a specific API or an SDK. We can help guide them towards that through the development side. On the CI/CD side, being able to say, here are some static analysis type problems, here's some software composition analysis. Being able to generate software bills of materials or crypto information or whatever might be part of what it means to responsibly produce and deploy that piece of software.

Mike: All right. So let me just switch a little bit to RSA here, or the RSA Conference. A lot of themes going on here. AI is obviously one of them. But we've also heard about supply chain analysis. We've heard about a couple other things going on. What theme strikes you here that you've heard about from folks, and how does Black Duck maybe help them with that?

Tim: So there are two big things that I'm hearing. So you actually touched on both. On the supply chain side, the world is becoming more regulated, and the regulators don't necessarily always understand what the technology is trying to do. So being able to say, I have this particular piece of information about an element within my supply chain, I should be able to do something with that, say, maybe understand its vulnerability status, understand whether or not it's calling out to third parties. Where is it? These are very key elements on the supply chain side of things. As we layer AI on top of that, we get to a point where: is the AI assisting in the code development? Is the AI part of the code development? Are we developing new techniques and potential, let's say, future versions of AI? All of those things are part of what we're hearing today. But there really is a lot of AI overlay on top of how do I become more effective in a security world?

Mike: Right. And I think we're just seeing that more and more with the kinds of coding tools that are coming out. Everything's AI powered. It kind of concerns me to hear a lot of the AI. The security tools are AI powered, so if there's corruption there, we're going to be in a problem someday, too.

Tim: I really don't see it so much as being able to remove the human as to aid the human. So one way to think about it is, we've seen declines in the number of organizations that are giving true developer-level cybersecurity training. It's now kind of assumed to be part of the IDE. Well, if we can bring AI into that to give guidance to the developer that, hey, this way it's not quite as secure as you want it to be, this way is a little bit better. That's now empowering the developer to do more without necessarily loading them up with a whole bunch of extra policies and procedures and training and so forth. That just slows them down.

Mike: Yeah, I definitely think that the right way to use AI, or think about it today productively, is it's giving you advice and enabling and coming up with suggestions and best practice, not doing the job itself, because it can be fooling you if it's just trying to do the job on what it's doing.

Tim: Exactly. So if we get to a point where, say, you and I are trying to work on a new project together, we're figuring out, okay, well, we want to use this framework and this language and so forth. Eventually we get to a point where, okay, I want to do X. Well, what does X look like? Maybe we need to design a UI. Well, can I have the AI help me there? Can I have the AI help choose a component that is better suited to this particular task than a different component? More security, more active development, what have you? How can it guide towards a, let's call it, more viable implementation that's going to have longer security legs under it, as opposed to something that was just developed with our respective knowledge and skills and so forth?

Mike: If you had one piece of advice, then, to give the 25,000 people here at RSA who are wandering around and, you know, what would that be with regards to, you know, app development and code vulnerabilities and really securing that supply chain of software?

Tim: So the key thing for me is, don't get yourself tied into a specific way of thinking that you're a developer. People have different roles throughout their development lifecycle. They may be a manager, they may be a product lead, they may be a developer. That spectrum means that you have to have an understanding of what all of the disciplines are. So being able to say, here's a testing technique, here's a security target, here's a release criteria, and map it back to the testing that needs to be performed, so that you can say with confidence that this is trustworthy software. That's the way to go.

Mike: If you wanted to tell someone where they should maybe start looking into this, say, today. This causes people, like, you know, "I don't think we have a really good grasp on our actual software development side of security. We do firewalls and we do all this other stuff. But as a CISO, I haven't been willing to have." What would you advise them to start? What should they look at first?

Tim: So for me, this is, let's go and look at a few of how people are doing things that aren't specifically a vendor. So within the Black Duck world, we have something called the BSIMM report, which is the Building Security In Maturity Model. We have about 120 vendor customers who participate in this. So we're looking at how their software development practices and how they're running their organizations are. That's a fantastic way of going and baselining that maturity against your, whatever, implementation. Another one would be to take a look at how the software supply chain is put together. We have a report called the OSSRA report that specifically looks at audited commercial software for their use of open source and what their governance looks like. Both of those are fantastic reports, just to get a sense as to what other people are doing without it being a survey. So both of these are based off of the real world as opposed to, hey, I got a survey out. So really taking a look at that.

Mike: So if someone's more interested in Black Duck, we don't have much more time here. Where would you point them at? Obviously you probably have a website, but is there something specific for people who are saying, oh, this sounded interesting here on the security side, for that? What would be relevant to our conversation? Where would you point them at?

Tim: Definitely point at blackduck.com. The website has been just recently revamped. It's very much promoting our true-scale application security offerings.

Mike: Okay. Thank you so much, Tim. Appreciate it. Check out Black Duck. We know you have software. We know you do. Check it out.