Earlier this summer, JFrog acquired Vdoo to deliver end-to-end continuous security from development to device—is this what DevSecOps looks like? JFrog CEO Shlomi Ben Hami and Natenel Davidi, CEO of Vdoo, speak with Alan Shimel about what the acquisition means and how this will change the way organizations approach DevSecOps. The video is below, followed by a transcript.
Announcer: This is Digital Anarchist.
Alan Shimel: Hey, everyone. Thanks for joining us here on a special segment of Tech Strong TV. I am really happy to be joined by two gentlemen, one coming to us all the way from Israel, Netanel Davidi from a company called Vdoo, and for those who don’t know, Vdoo is a Hebrew word meaning we understand. What?
Netanel Davidi: Making sure.
Shimel: Making sure. And then my second guest needs no introduction to our audience, it’s my friend, Shlomi Ben Hami. Shlomi, of course, is CEO and one of the Co-founders of JFrog, and he’s coming to us, I’m gonna assume, from the swamp in Silicon Valley today?
Shlomi Ben Haim: You are correct. Great to see you again.
Shimel: Shlomi, welcome. Good to see you, my friend. It looks like you’ve been in the sun a little—a little tanned. I’m glad to see they’re letting you out a little bit.
But guys, we’ve got some big news to break today. Nati, you’re a new person—okay, I was gonna say, who wants to break the big news, but up to you, Shlomi.
Ben Haim: Yes, I think I’ll go first and obviously, Nati—
Ben Haim: – will have far more information to share with all of you. Nati Davidi and the Vdoo team are joining JFrog. We are announcing the acquisition of this wonderful company that will complete our SecOps solution, not just for the DevOps and SecOps pipeline, but all the way to the edge, whatever the edge is, whether it’s a device, a data center, or any other destination.
And Alan, you’ve heard me so many times saying that DevOps without security is half-baked and crippled, so the solution that we are now building together will take us another leap forward toward our vision of liquid software, and becoming the company behind all the software updates in the world. So ,we are obviously very, very excited to join Nati and the team to the JFrog family.
Shimel: Congratulations. Thank you, Shlomi. Nati, as we say here in Boca Raton, mazel tov to you and the whole Vdoo team. So, tell our audience—and our audience, Nati, you should know is a very cyber savvy audince. Let’s hear a little bit about the Vdoo story. We know JFrog, but give us a little of the Vdoo story.
Davidi: Sure. So, it all started almost four years ago when we were an initial team of people coming from endpoint security and a space of software vulnerability expert mitigation. Our previous company, we dealt with it as part of Palo Alto Network, they acquired my previous company, Cyvera, and another part of the group coming from embedded security and the space of reverse engineering and vulnerability research. And we joined together to cope with what we believed three or four years ago to be the biggest problem today in the security space, which is the connected device and embedded systems.
We call it that way more technically because, clearly, there are very many other good companies out there doing more network security for IoT. We claimed and are still claiming that you need to take care of the source of the problem, which are the manufacturers and the creators of such devices, of such embedded systems, and for that, we established Vdoo.
So, we did initially, we focused on that, and very quickly, we came up with a platform for product security, focused specifically on embedded systems and IoT, that allows developers and product security stakeholders to analyze automatically any kind of connected device. But when I say analyze, it’s not from the network point of view, but rather analyze the software stack in order to identify any security issue, any of the main buckets like third party issues, issues with your own code, the first party proprietary cloud that you are writing, issues with whatever in between, productization issues, configuration issues, hardening issues, architectural issues, things around cryptography, around how you keep your keys, how you configure things.
So, we said we want to be the first player that allows everything, truly everything. Look at all of the aspects of security clearly, of course, supply chains, threats within it, and say to the manufacturers of devices, “Take this, and this will be your product security officer in a box, and a product security team in a box.” And it worked well.
Now, the interesting thing is that, in order to do it, we had only one applicable approach—analyzing binaries. Why? Because in the embedded space, everything is around binaries. You have images of real time operating systems, third party compiled binaries and files and packages that you cannot really see into them what’s going on. You get them in the form of drivers from Qualcomm or AUTOSAR, whatever known library, and the manufacturers need to look into those, and they don’t have the source code. They have to be able to analyze them.
So, we focused on binaries, and with that, again, we came with the platform and very quickly without even us knowing, our customers started to use us for purposes other than embedded security analysis. They started to analyze web applications, mobile applications, containers. Because when dealing with embedded, which is considered to be the most complicated and advanced or difficult things to analyze automatically, doing the rest is usually more about gaining more data but not developing more technology.
So, we adapted, and we allowed our customers to analyze the applications that are talking with the devices and the web services that are talking with the devices. And we added more and more capabilities, and by then, we said, “Wait, why focus in on embedded systems if, through the binary analysis approach, we can serve the entire industry, we can provide security for whatever software artifact is out there.”
And the next thought was, we just need to find the right partner who will deal with binaries. [Laughter] And the answer was, there is one such pioneer, which is known to everyone, which is JFrog.
So, I asked Shlomi kindly to meet, to consider collaboration, so we can enjoy the many thousands of customers and huge community of JFrog and tell them, “No, use us to analyze your repository on top of Xray. Xray brings great capabilities, we enhance it with more capabilities for zero day analysis, configuration analysis. So, let’s do it together.”
And that’s how our discussion started and today, we see where it is going and we are very, very excited about it.
Shimel: What a great story. So, did you get the space two floors from them in order to meet, or were you already there? [Laughter] I’m kidding, I’m kidding.
Seriously, I mean, my background is—look, I cofounded a company that really pioneered what we used call NAC, right, Network Access Control, and we did it for the U.S. government, for the DoD, right? So, this was not embedded systems, these were every endpoint network device coming on via, you know, 2.1x, we would test configuration vulnerability, et cetera. I know what a tough job that is.
Once you go into the world of embedded systems, though, it’s like—anything goes, right? As you said, you’ve got Qualcomm drivers, there so much black box stuff. Knowing what’s secure and not is—I can’t even imagine, you know, how you do that. But now, once you’re taking binaries and artifacts, you’re right, there is only one company for you to go to, you know, it’s this man’s company. So, what a great match.
Shlomi, he mentioned, Nati mentioned Xray. Xray’s a good product. But it’s a very specific product, right? If you’re downloading an artifact from the repository, it’s gonna check that as you’re doing it. This, of course, opens a whole different world of checking downloads and components and so forth. What’s the plan?
Ben Haim: So, I’ll first start by saying, Alan, that I’m sitting here thinking that this would be probably the only interview in the world that you will have two CEOs that are so excited about binaries. [Laughter]
Shimel: Yeah. [Laughter]
Ben Haim: I’m enjoying it.
Shimel: I think you’re right—you’re right, you win that.
Ben Haim: So, listen—when we started, we built Artifactory to be the universal repository for all types of artifacts. And very fast, we identified the software package, the binary, as the first level citizen in your DevOps pipeline. There is no other asset that is more important. And why? Not because JFrog thinks so, but because of the fact that this is what you bring from outside, this is what you build inside the organization. This is what you test, this is what you promote, this is what you deploy, and this is the incremental update that you want to see at the end of the day on the edge.
Now, with this in mind and the liquid software vision to be the company that changed the way software is being updated in the world, it was clear to us that SecOps cannot end on securing your repository. That’s great, that’s a great value. Xray can give you the composition analysis, the dependencies graph, secure your binaries—that’s great.
But what happens when the Product Manager needs to take a binary? This is where the trust is broken. And we can—you know, every SecOps company, and you met all of them and you know all of them, Alan—every SecOps company will tell you, “We want to kind of build the bridge between developers and security guys.” It will not happen because you don’t use the same currency.
And when it comes to binaries, both Vdoo and JFrog speak the same language, identify the same pains, and take it very seriously, not just on the development side or then on the testing side or then for the Product Manager side—all the way, all the way to the update, all the way to the deployment to production. So, obviously, we were very excited about what Vdoo had to offer, and it was again, just like everything else in JFrog, a binary question—are we competing or buying?
And I’m very happy and very pleased to get to this moment now, speaking with you, knowing that the Vdoo guys are joining JFrog. Now, why this is so important from a culture point of view—and Alan, you know me well. You know how culture and the synergy is also about the people. We are bringing approximately 100 people that thinks and program and build their products like hackers. They know how the threat looks like. We are joining them through our hundreds of people that think like developers. What are the chances that this will not bring a better solution, a better blend to the market?
Ben Haim: And with that, I’m taking the next leap forward to fulfill the liquid software vision.
Shimel: Agreed, agreed. And you know, frankly, it couldn’t come at a better time, right? Because wherever you are in the world today, and look, I’ve been in security 25 years—never has security gotten the attention, real attention, everyone always gave lip service, but real attention now. Whether it’s the supply chain or the ransomware or the whatever the attack du jour is, we are recognizing that cyber, cyber security represents probably one of the most serious threats to our continued transformation, right?
And we saw this past year, unfortunately, without digital transformation and the move to a connected world software, where would we be, right? We would be in a lot worse shape than we were. And cyber security is the biggest threat to this. We need—we need to stop taking and do more doing, right, when it comes to building more secure software, right? And if people are building software like Shlomi and the team say, liquid software, right, without versions, it’s gotta be secure. And not only, it has to be secure, people have to be confident that it’s secure, right? Because that’s the biggest inhibitor—that’s the inhibitor, the lack of confidence.
Davidi: And you can see this coming clearly, finally, from the regulators starting to draft bills around it, and you see demand from the end users—not necessarily consumers, but everyone, hospitals, manufacturers, they start to telling, “you want to buy from you, I want your software to be secure.” This is a demand, this is a requirement for RFPs, for RFIs. We see it everywhere. So, this is going to be a boon, because so far, the cyber security space was highly focused on the after the fact security, on the enterprise, care about, take care of it from the very beginning all the way to the network. And this is the only—
Shimel: No, this builds up material, right, Nati? I’m sure you’re familiar, right? And there’s EEO, the bills of material order. Look, if this thing—you know, why did it take so long? I don’t know, but if this thing catches on that you need to have a bill of material for every software out there, for every app out there, people will, you know—go ahead.
Ben Haim: I will just add to it, Alan, it also makes sense the way it happened. Look at the digital transformation. We are now facing the second wave of it, and we started to realize, everyone, every organization started to realize that being fast is not good enough. But you have to be fast first ________.
Ben Haim: And then to build the security solution around it. So, developers delivered. They started to be faster than the security team, and now, security is catching up. But if you look at 99.9 security companies, they are not selling value, they are selling fear. They are telling you what will happen, what will happen if you will not do that. And developers hate that. Developers want to build, they want to have the freedom of choice and to be faster. And the security tools that are not focusing on the right pain have to be sold as fear and not as value. And this is the change that JFrog and Vdoo will bring to the market. Putting ________ aside, we focus on the community pain, as we did with Artifactory, as we did with Xray, as we announced just three weeks ago at swampUP with JFrog distribution. How can you distribute if it’s not secure all the way to the edge?
Shimel: Okay. We’re running low on time, but let me bring together a little—I need some nuts and bolts, here.
So, the deal was announced on Tuesday, today’s Thursday. Is it closed yet, was it—without getting into, I know you’re not gonna discuss the particulars, but is the deal closed? If not, when is it supposed to close? When are the Vdoo people, when are these hackers joining the developers, chocolate and peanut butter? When are we gonna see it?
Ben Haim: Yeah, we hear this question again and again, first from our team, what are the first signs that we would like to see and what are our other plans?
So, obviously, the definitive agreement is signed, and the closing is supposed to be in the next few weeks. We already have both sides, teams standing ready to merge the products, and the first step will be merging the infrastructure, making sure that this wonderful research that Vdoo is leading with vulnerabilities and database is also merging to Xray so our users can start enjoying that. We are thinking about the product philosophy, the hybrid cloud and on prem—all cloud, all regions, cloud native ready, the unified solution that will be scalable for our users. We have over 6,000 customers that are waiting for something like that.
So, obviously, we will take the first leap and merge the assets and the low hanging fruit into Xray. And then, during 2022, we will build a unified platform that will include Vdoo’s capabilities into the JFrog platform.
Shimel: Excellent. Excellent. Nati, just a question for you. I mean, obviously, all the people at Vdoo will stay on at JFrog. For people who may be very familiar with JFrog but have not heard of Vdoo, what’s the Vdoo website?
Davidi: It’s Vdoo, V-D-O-O dot com.
Shimel: Excellent. Alright. You can go find out more about it there. As I said in the beginning, Nati—congratulations, mazel tov on…you know, I learned from a mentor once, it’s kinda like a boat. The best two days are the day you start the company and the day you sell your company, so congratulations on that, it’s a beautiful thing.
Congratulations to you, my friend, Shlomi, right? This is a piece of the puzzle that was missing and it’s important, and it’s gonna be more important every day going forward, so—good stuff.
Ben Haim: It’s important, it’s a very, very exciting market for us. It’s increasing our addressable markets, and more than everything, we’re bringing over almost 100 people that have the same DNA and the green blood just like JFrog.
Shimel: Look, getting 100 security experts at a shot—that alone might be worth it, because they’re hard to come by, my friend. Alright, Nati, congratulations. Shlomi Ben Haim, CEO—thank you, as always, my friend.
This is Alan Shimel, we’re on Tech Strong TV. We’re gonna take a break. We’ll be back in a moment.[End of Audio]