Techstrong TV: The Future of Cloud Security

Check Point Software has announced the acquisition of Spectral, an Israeli start-up specializing in automated code security. The deal further reinforces Check Point’s commitment to cloud security. The video is above and a transcript of the conversation is below.

Interviewer: Hey everyone, welcome to another segment here on Techstrong TV. I’m really happy to have as our guest on this segment TJ Gonen, and hoping I pronounce that right, from Check Point. Hey TJ, welcome to Techstrong TV.

Interviewee: Yeah, and thank you very much for having us.

Interviewer: It’s a pleasure. Is that the right way to pronounce your name?

Interviewee: No, Gonen is the right way. Yeah. TJ is the name that they changed so no one butchers it.

Interviewer: Well I hear you. It happens sometimes. Hey I really, as I mentioned to you earlier I like the 49ers, especially in a week where they had a tough game. LA, the Rams are going to the Super Bowl in LA and still it’s close.

Interviewee: Yeah, they almost made it, almost made it.

Interviewer: It was close, a lot closer than my team, so who am I to say anything. But yeah I know, good for them. Anyway we didn’t bring you on to talk football unfortunately.

Interviewee: Of course.

Interviewer: We’re going to talk security, and maybe that’s better off anyway. TJ, why don’t we start though. Why don’t you kind of give our audience a little bit of who you are, a little introduction. What you do at Check Point, stuff like that.

Interviewee: Yeah, sure. So TJ, originally from Israel. That’s a little bit of the accent, now in the US. I am the Vice President for Cloud Security at Check Point. So I run the Cloud Security business for Check Point, and have been with Check Point for two years. Actually exactly two years since my company was acquired by Check Point a couple of years ago in the cloud security space.

Interviewer: Yeah, what company was that?

Interviewee: So we need to talk about another acquisition, so it’s an interesting time.

Interviewer: Well it’s the circle of life. Right?

Interviewee: Yeah.

Interviewer: What was the company that was acquired two years ago, your company?

Interviewee: Protego Labs. We were in the serverless security space, yeah.

Interviewer: Absolutely, and of course serverless is a huge, huge kind of growth area right now. But that was two years ago, as you said TJ, and congratulations to you on that. But we have a new Check Point act, so it’s the way of the world. We have a new Check Point acquisition to announce or talk about today. Why don’t you share with our audience a little bit?

Interviewee: Yeah, so just a few days ago we announced the acquisition of a company called Spectral in the code security space, and it’s really our move into the developer first security world, and we’ve been very busy in the code security space for the last four years, Check Point through a series of acquisitions.

Actually the cloud security business at Check Point started with one acquisition, a company called Dome9 ______ _____ ______ [crosstalk].

Interviewer: Sure. I know Dome9. Who was the founder of Dome9? Not _______.

Interviewee: Zohar.

Interviewer: Zohar. Yeah, I knew him when he started Dome9.

Interviewee: There you go, yeah. So awesome company. So that sort of started the journey, then a few acquisitions later including my company and now Spectral, that’s the fifth acquisition we’re actually doing in the code security space.

 

So I think one of the things that we found out relatively early is that cloud security is almost trying to reinvent all of security. Reinvent it for the cloud and trying to do 30 years of security in 4 years, and it’s very hard to move without acquisitions.

Interviewer: Yes it is, and look, quite frankly my background is security, so I’ve been in security 25 plus years.

Interviewee: Yeah.

Interviewer: It’s the reason I started devops.com. It’s the reason I got so attracted to the whole DevOps thing, which was I really felt like it was a fresh chance for us to kind of right some past wrongs. Right?

Interviewee: Right. Yeah.

Interviewer: A new beginning, if you will. Now it’s funny, I remember 2005 or so, the first time I heard the term cloud security. The Cloud Security Alliance and Chris Hoff and a bunch of folks at RSI were doing a meeting. And back then we found that cloud security is very sort of one-dimensional. Right.

Interviewee: Mm-mmm.

Interviewer: And but what we see now is it’s infinite in its variety. There are so many different aspects to securing cloud.

Interviewee: Very much.

Interviewer: And it’s important. You know, I was on with I think it was the Palo Alto folks yesterday with their latest Cloud Native survey. For the first time their respondents, and keep in mind when you’re a hammer everything looks like a nail, TJ. Right? So their respondents are probably people in Cloud Native, because it was a Cloud Native survey.

Interviewee: Right. Right.

Interviewer: But they said 50 percent of their infrastructure – at least 50 percent was in the cloud.

Interviewee: Yeah.

Interviewer: That’s a big threshold.

Interviewee: It is a big, yeah.

Interviewer: Right. When you say okay, half of organizations’ infrastructure is in the cloud today, well, cloud security is really damn important then.

Interviewee: Yeah, it is very important. Yeah.

Interviewer: Yeah, and so it’s part, you know, there are reasons for it to be complicated. This acquisition is a little different than Dome9 or yours.

Interviewee: Yeah, it is.

Interviewer: Why is it different?

Interviewee: Yeah, so the biggest difference I’d say is the user, and one of the things that we found out over the last two, three years is there are a few trends that are coming down together. One of them is the shift left trend, which is very clear. That shift left is more of a security initiative. Right.

A security initiative that says hey, if I can fix something, prevent vulnerabilities before they hit the ______ department I should do that. Okay. So now if you want to shift left then you are living – your tools are living inside the pipeline, the development pipeline, and they’re supposed to be suddenly used not by security people, but by developers or DevOps people.

Interviewer: Yeah, yeah, yeah.

Interviewee: So these suddenly developed tools that are supposed to be used by people first, not to ensure that security is their first priority. That’s number one. Actually it’s probably not their first priority. Even if they care it’s not their first priority. Then number two they just are totally used to different environments.

And you find out that a security company, definitely like Check Point that’s been doing security for 30 years, and yourself and myself who are older than 10 years old as you can see, at least on my side, is that we know how to develop products for security people.

And to develop products – security products for developers and DevOps people is just a different genetics. It’s a different DNA.

Interviewer: No, it’s a different animal, man.

Interviewee: It’s a different animal. So we were looking at that and said okay, so one, we think that developer first cloud security is a real thing. I mean it’s very important and it’s going to be a very big part, exactly to your point there, of the future of cloud security.

So there is always going to be cloud security – security for security people, which is the runtime environment, checking out their actual cloud infrastructure. Making sure that the attacks are being blocked and all that good stuff. But when you are talking about developer first cloud security you’re going to have a different type of user. You’re going to need to integrate into different types of tool sets. You need to have different types of genetics.

 

So that’s what we wanted, and Spectral is exactly that. So these guys, you know, I met them the first time and I said literally I had a, you know, probably a moment where I said okay, that’s it. These guys just get it. They’ve built a product that developers love. They built a product that developers understand how to use.

Just like one of their customers told me. They said, you know, I asked him why do you like Spectral compared to the other alternatives like Snyk and maybe a couple of others? And he literally said with Spectral, the first time I tried to connect to this thing, it took me five minutes.

The second thing, I started to use it, everything was exactly where I expected it to be. And he actually used the metaphor of the iPhone, and I totally related to that. Where with iOS everything is, you don’t know why, but everything is exactly where you want it to be. You don’t need to think.

So they nailed down the developer experience, and it’s not just the user experience, and they integrate with tens of tools right out of the gate. They integrate into the IT environment. It’s also one of the things that we as security people who develop products for security people take for granted that you cannot take for granted in the developer world.

I’ll give you just a very simple example. Because we assume we’re selling to security people we assume that they’re going to be okay with us screwing up once in a while. For example, false positives. Something will take a bit more time. It’s okay, because they’re security. That’s their job. I mean they don’t have anything else to do except waiting for you to do your job.

When you are talking with developers and you are going to scan code for example, which is what Spectral does. They started, the first was scanning for secrets, hard coded secrets inside code, whether it’s API keys and AWS keys, fast ______, huge problem. I mean developers who aren’t really fast, they forget keys and secrets inside code. For an attacker, that’s the easiest way in.

So now you have tens of repos, hundreds of repos. _______ repositories, S3 buckets, so secrets can be everywhere. If I’m a developer and I’m pushing code and I’m waiting for you to scan, and it’s going to take two minutes I’m going crazy over it. Two minutes I’m going crazy. Five minutes I’m killing someone. Ten minutes I’m out of this.

Interviewer: I’m not doing it.

Interviewee: And finding a way to go around this.

Interviewer: Yeah, yeah, I’m not doing it no more. Yeah.

Interviewee: So this Spectral technology, that was really their core tech, which is really interesting. So they, it’s like keeping it really, really simple. They have the ability to scan huge amounts of code for problems. Now a problem can be secrets. A problem can be misconfigurations in infrastructure as code templates like _______, can be a bunch of missed spaces, but they can do that really fast.

Literally we scan, when we did the due diligence we scanned their entire – our entire repo, the Check Point repo, in seven seconds.

Interviewer: Wow.

Interviewee: The entire repo, 30 years’ worth of repo.

Interviewer: Oh shit. Oh.

Interviewee: Seven seconds.

Interviewer: Holy mackerel.

Interviewee: I know it’s an oh shit. I had an oh shit moment also. It’s so, and it’s not like that. And they were saying okay, something here is happening. Now and it was also super accurate and they found very interesting things.

So once they nail down the user experience or the developer experience, you understand how they work and integrated the tools. Then you solve a real, real problem, because that is a real problem and you solve it really fast. That’s why we totally like them.

So we are really looking at them and just to make it even more interesting, to the point that we started with, how different of a DNA it is. Because it’s such a different DNA we’re acting inside my unit, inside the cloud security unit, but we are leaving them independent. We are not touching them.

I don’t want them to start talking security to security people. You guys get the developers. You understand how they work. You go, you do you. Just keep on doing that thing. I don’t want to dirty them.

 

Interviewer: I got to tell you, I’m sitting here, you know the word kvelling? Have you ever heard that word in your life?

Interviewee: Yeah, I – yeah.

Interviewer: Because so I started devops.com in 2013. Right. And RSA I think 20, maybe it was 2015 RSA. I started what we call the DevSecOps Event within RSA. It was Monday of RSA week. Right.

Interviewee: Right.

Interviewer: And the idea behind it was to bring the security, the cyber, whatever you want to call it, the security community together with the DevOps try with the developers. And I got to tell you the aggravation I had, you know, eight years ago. Security people, they don’t care about security, they’ll never care about security.

Interviewee: Exactly. Yeah.

Interviewer: They’re stupid. They’re this.

Interviewee: They’re the enemy. Yeah.

Interviewer: Right. And you know what the developers are. All they do is say no, they slow us down. They are a pain in the ass.

Interviewee: Exactly. Totally.

Interviewer: It was like this. It took me seven years of build, because I believed – I believed that no, security may never be their number one priority, but no developer I ever met raises their hand and says I want to develop insecure code.

Interviewee: They don’t care, no. Right. No.

Interviewer: I like crappy quality. I’m a crappy quality developer. You know what I mean? No one says that.

Interviewee: Right. Right.

Interviewer: They all, they have pride in what they do.

Interviewee: Yes, exactly.

Interviewer: The problem was, is we weren’t giving them tools that they could use.

Interviewee: Yeah.

Interviewer: They’re not CISSPs. They’re not ______ or scanning _______.

Interviewee: No, no, there were security incidents and try to do for _______.

Interviewer: No, they’re not compliance experts.

Interviewee: Yeah, exactly. You found the problem, tell me how to fix it. Be very specific. Don’t tell me how to fix it –

Interviewer: Don’t fix it because I want the quality. I want the quality. Yeah.

Interviewee: Exactly. And I think you are touching now on a very interesting point, because when you start to bundle these things or unwrap it actually, let’s say, one is you’re right, it’s a new user so we talk about it. I actually think that security people today, and I can tell you now product group, that’s exactly how we think.

We think about the developer and the DevOps guy and the ______ guy as a new type of user. He is a user to the security side. I need to think, I need to cater to his needs. Now what does he need? To your point earlier, he is not going to read forensic reports. He is not going to read the tax batchers. That is not his job.

His job is to write quality code that is not vulnerable as much as possible. Now if you find the problem in what he does tell him how to fix it and tell him in his language. In his language. His language is not a dashboard with a search. It is not his language. It is not just a piece of code telling that piece of code is problematic. If you replace it with that piece of code you are good to go.

Interviewer: Done.

Interviewee: It’s such a different mindset. It’s like you all are security people. You’ve been around, I’ve been around. We immediately show dashboards and must moves. Who cares? The SpectralOps guys, when they showed us a demo it’s like a heart attack for any normal security person, because what do they show? A CLI.

Interviewer: Yeah.

Interviewee: They open the CLI. It’s like everything black screen CLI. Anyone from security will say I don’t understand what they are doing, but their customers, that’s exactly what they appreciate. To integrate immediately. You are talking with the ex, that everything is API first.

Yeah, there is a report somewhere that you can see in the background if you need, but everything works inside the development environment.

 

Interviewer: But this also goes TJ, and we’re probably over time. I apologize.

Interviewee: That is okay.

Interviewer: But this also goes that we need to redefine the relationship between the security team and the DevOps developers and the people who use this kind of tool, because what happens is look, it’s going to be the developer. Maybe the DevOps or the SRE, but it’s going to be those people who are instituting the changes to close down a vulnerability or fix something.

Interviewee: Right.

Interviewer: That doesn’t absolve the security team of responsibility. No one is saying hey security team, you’re out of a job. Or hey security team, you don’t got to worry about it anymore.

Interviewee: ______ no.

Interviewer: The security team still needs that report.

Interviewee: Exactly.

Interviewer: That forensics trail if you will, to say hey, yes this was found, this was fixed and this is how it was fixed. And that again is yet another kind of special talent to make a tool that’s easy enough or is in the DNA of the developer, but still gives the security team, the compliance team what they need to sleep well at night.

Interviewee: That’s why one of the best sentences I like, and we used it also when we announced the acquisition, is – we didn’t invent it, people used it before – it’s security tools that developers love and security people trust. That’s the theme. Right. That is so true.

Interviewer: I may steal that from you.

Interviewee: Steal it, _______ it. It’s like ten cents a use, and I know it’s in the –

Interviewer: Okay. We’ll put you down. We’ll put you down. No, but it’s true.

Interviewee: That’s what you want. Right. That’s really where you want, because you just described the part that what does it mean for me as a security person to trust the tool that you’re using, and to trust the work that you are doing with it. And I think it’s a very different – it’s very interesting.

I’m thinking the future, by the way, Alan, and I think you are sitting with devops.com, just right on the money. Because the future of security looks like this. You’re going to have security people. They are going to more and more, that’s where it’s going to go. It’s not tomorrow, but that’s where it’s going to go.

The traditional security people, I call it the sandwich model. The traditional security people are going to be at the beginning in defining what is secure, or what does it mean to be? They are going to be at the end validating that security actually happened. The sandwich in the middle is going to be more than ever, in the future, more than today by far, developers. It’s going to be cool.

Security is code. Computer security people are going to define what’s needed. They are going to make sure that they are going to validate that it happened. These people in the middle are going to be more and more code people.

Interviewer: People who make it happen.

Interviewee: Code people. That’s the new security engineer. The new security engineer knows how to code. And that’s why we acquired Spectral and that’s why we are going to let them lead our developer first spot security initiatives, and we’re super excited about it.

Interviewer: I’m excited for you, and I’m glad to see Check Point coming out with this. It’s great. Hey, for people who want to get information on Spectral where do they go?

Interviewee: ______.com website. You are going to find immediately on the homepage a link to the information around the acquisition and you can also go and check out spectralops.io, the website of the company.

Interviewer: I love it. TJ, man thanks for coming on and talking with us.

Interviewee: You are welcome.

Interviewer: It was a great acquisition. We’re going to be watching others go. I think a smart move by Check Point. Hey, we’re going to take a break here on Techstrong TV. We’ll be right back with some more interviews and news and information. TJ, thanks very much.

Interviewee: Thank you very much. Thanks.

[End of Audio]

Alan Shimel

As founder, CEO, and editor-in-chief at Techstrong Group, Alan manages a broad array of businesses and brands including Techstrong Media (DevOps.com, Security Boulevard, Cloud Native Now, Digital CxO, Techstrong.ai, Techstrong ITSM and Techstrong TV), Techstrong Research and Techstrong Learning. To do so and succeed, Alan has to be attuned to the world of technology, particularly DevOps, cybersecurity, cloud-native and digital transformation. With almost 30 years of entrepreneurial experience, Alan has been instrumental in the success of several organizations. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at conferences and events. In addition to his writing, his DevOps Chat podcast and Techstrong TV audio and video appearances are widely followed. Alan attributes his success to the combination of a strong business background and a deep knowledge of technology. His legal background, long experience in the field and New York street smarts combine to form a unique personality. Mr. Shimel is a graduate of St. John's University with a Bachelor of Arts in Government and Politics, and holds a JD degree from NY Law School.
