How Snyk Gets Buy-In to Improve Security with Chen Gour Arie

Screaming in the Cloud - A podcast by Corey Quinn

Chen Gour Arie, Director of Engineering at Snyk, joins Corey on Screaming in the Cloud to discuss how his company, Enso Security, got acquired by Snyk and what drew him to Snyk’s mission as a partner. Chen expands on the challenges currently facing the security space, and shares what he feels are likely outcomes for challenges like improving compliance across value-add on security tools and the increasing scope of cybersecurity at such a relatively early phase of the industry’s development. Corey and Chen also discuss what makes Snyk so appealing to developers and why that was an important part of their growth strategy, as well as Chen’s take on recent security incidents that have hit the news.

About Chen

Chen is the Co-founder of Enso Security (part of Snyk), the world's first ASPM platform. With decades of hands-on experience in cybersecurity and software development, Chen has focused his career on building effective application security tools and practices.

Links Referenced:

Snyk: https://snyk.io
Snyk AppRisk: https://snyk.io/product/snyk-apprisk/

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud. I’m Corey Quinn. This promoted guest episode is brought to us by our friends at Snyk, and as a part of that they have given me someone rather distinct as far as career paths and trajectories go. Chen Gour Arie is currently a director of engineering over at Snyk, but in a previous life—read as about six months or so ago—he was a co-founder of Enso Security, which got acquired. Chen, thank you for joining me.

Chen: Thank you for having me, Corey.

Corey: So, I guess an interesting place to begin is, what has the past couple of years been like? And let’s dive in with, what is or was Enso Security?

Chen: Yeah. So, Enso started for me first as friendship because I joined the team that I was working with as a contractor for a while. There was such an excellent and interesting team with a very interesting environment. And then after a while, they asked me to join that team, and then I became part of the security team of a company called Wix.com.

It’s quite a large company, web do-it-yourself kind of platform, that you can build your own website with a presentation style kind of interface, and our job was to secure that. And we formed a very, very nice friendship throughout it, but we also gained a lot of experience because you work with such a large company, and you experience many challenges, including real-time attempts to penetrate, and the complexity of social engineering at large scale. You go through a lot of things. So, this was the start. And after a couple of years, we decided that we have some interesting ideas that can do good to the community in the cybersecurity industry, and we embarked on a new journey together to start Enso.

Corey: I can see why you aligned with Snyk. It sounds like a lot of what you were aimed at is very much in step with how they tend to approach things. I have a number of sponsors that I can say this about, but Snyk is a particularly fun one, in that, obviously, you folks pay me to run advertisements and featured guest episodes like this, which is appreciated, but we also pay you as a customer of Snyk because it does a lot of things that we find both incredibly useful and incredibly valuable.

The thread that I’ve seen running through everything coming out of Snyk has been this concept of, I think, what some folks would say shifting left, but it comes down to the idea of flagging issues as early in the process as possible rather than trying to get someone to remember what they did three months ago, and oh, yeah, go back and address that. That alone has made it one of the best approaches to things that are truly important—and yes, I consider security to be one of those things—that I’ve seen in a while in the dev tool space.

Chen: Yeah, and this has been the mission of Snyk for a very long time. And when we started Enso, our mission was to help in some additional elements of the same problem space in introducing additional tools to help drive this shift left, this democratization of the security effort around and in the organization, and resolving some of the friction that is created with the, kind of, confusing ownership of security and software development. So, this was kind of the mission of Enso. The category introduced by it and the ASPM category to bring the notion of postural security, postural management to applications.

And it really is a huge fit with the journey of Snyk, and we were very excited to be approached by them to join their journey and help them do further shift left and extend on problem space on the complexity of this collaboration between security and developers.

Corey: A question I have around this is that it seems to me that viewing security posture management from an application perspective, and then viewing other parts of it from a cloud provider perspective and other parts of it from a variety of different things—you know, go to RSA and walk up and down the endless rows of booths, and you know, look at the 12 different things that they’re all selling because it’s all the same stuff around 12 categories or so, with different companies and logos and the rest—it feels like, on some level, that can lead very quickly to a fractured security posture where, well this is the app side of the security, and then we have the infrastructure security folks, but those groups don’t really collaborate because they’re separate and distinct. How do you square that circle?

Chen: Yeah, it’s not an easy problem, and I think that the North Star of many vendors exists this notion of sometimes I think we call it CNAP or something that will unify all of it. Cloud as a solution, and the offering that exists with cloud computing enables a lot of it, enables a lot of this unification, but we have to remember that the industry is young. The software security industry in general is young. If we will look at any other industry with that size, all of them have much more history and time to mature. And inside this industry, the security itself is even younger.

It has become a real problem much later than when software started. It has become a huge problem when cloud emerged and became, like, the huge deal that it is now. And when more and more businesses are based on digital services, and more people are writing software, a lot of it is young, and it needs time to mature, and it’s time to get to—to accomplish some big parts like this unification that you are pointing out missing.

Corey: I have to confess my own bias here. A lot of the stuff that I build is very small-scale, leverages serverless technologies heavily, and even when I’m dealing with things like the CDK, where I start to have my application and the infrastructure that powers it coalesce into the same sort of thing, it becomes increasingly difficult, if not outright impossible for some of these configurations, to divorce the application security from the rest of it. And I come from the infrastructure world myself where a lot of the things I cared very much about in the infrastructure side of the world, I have to care about just as much on the application side of the world.

Easy example: oh, I’m building a ridiculous front-end thing that needs to talk to a back-end API. I’m just going to go ahead and bake the credentials into the codebase. How about no? How about we do literally anything that is not that? And that feels like if—like, viewed through the lens of doing this properly, you’d wind up with people coming at the security challenges from different teams in different parts of the problem, but on some level, coalescing on some things, or if you’re not careful, stepping on each other’s toes.

Chen: Yeah. This could happen, but you can go build something that is more cloud-oriented, full-stack of cloud application, then you can benefit a lot, and you can consolidate a lot of the effort on security. But the real nature of things is that you do need all hands on deck in different directions, and it tends to happen so that in application security, there is a unique set of issues that cannot necessarily be resolved with cloud infras—or infrastructure security efforts, but still require some special kinds of attention, especially as you go more in the direction of product security, that is about the business logic and about implementing the right posture to secure specific business logic. There are many problems, and especially when we talk about things that you inherit from others, that can be managed in a more centralized and unified process, but still, it’s hard to build them as, you know, software is evolving and changing very, very rapidly inside the factories that build that software.

Corey: There are a constant series of challenges and tensions in the security world. Partly you have the, whose responsibility is security? I know that the old trope, since I’ve been in this industry has been, “Oh, security is everyone’s responsibility.” And I think that is a great perspective, except for the small minor point that it doesn’t frickin’ work. Because when something is everyone’s responsibility, then it is no one’s responsibility, and things tend not to get done.

You see in many of the companies that I find myself talking to, security is sort of off on its own island; they have their own terms of art. We go back to that RSA expo hall, and they’re using a whole bunch of acronyms that no one will bother to expand or define. They just assume everyone knows it. And that’s great, but it’s security people talking to security people, and increasingly, I find in some companies, those groups become relatively isolated, or the ‘Department of No.’ And I’ve talked to engineers who say, “Oh, I don’t need to worry about the security aspects of this. That’ll get caught in code review when security does its thing.” That’s a terrifying thing.

Chen: It is. One of the beautiful things about Snyk is that… I’m not sure if they captured it, the founders of Snyk captured it the same way I did because I was thinking about this a little bit from a different direction as we were working on Enso, but in fact, when you function as a central security team, the only thing that you’re after is the buy-in. It’s the buy-in of your executives, and the buy-in of your developers. You’re not really after the bugs, you’re not really after the security, you are after getting their attention, and their desire or their intent to improve on security. Your tools are by propagating knowledge and information about problems that are created when they don’t behave this way, when they don’t include better processes.

But really, you are after the buy-in. And Snyk, in the very early days of it, made a very interesting move on the buy-in of developers, not from the direction of: here you will have a lot of problems. Here you can make a lot of fixes. As a developer, you can solve it locally with your own things, and then the buy-in comes from something that is more attached to how developers think about problems. They want to fix them. They don’t want to hear about so many problems.

Corey: Snyk has always respected my time in a way that Dependabot never has. When it tells me something, it is important in almost every case. The exceptions being like, “No, no, I’m intentionally making something horrible to be funny. Don’t worry about it.” At which point, it just goes and holds its digital head for a while and sighs.

But yeah, that’s what I want. I don’t want 6000 things that I have to fix. I want the things that are actually impactful right now, in the moment, and Snyk has always been able to thread that needle in a way that, to be direct—and you aren’t and can’t pay me to say this—but it’s a—it’s like, it’s magic. It just works. And that’s no small thing in this space.

Chen: Absolutely.

Corey: So, you were at Enso for, what, three-and-a-half years, give or take, before the acquisition by Snyk. And when you see something like that happening, it’s okay, great. Is this a strategic acquisition or is it an acqui-hire is always the big question. I go to your former website, and it redirects to the Snyk AppRisk for ASPM product offering. So, I’m just going to go out on a limb here and guess that Enso Security became AppRisk. Is that directionally correct?

Chen: Directionally, it is correct.

Corey: Because that’s always strange when you say, “Yeah, we’re going to sunset our current product, the whole team is going to go work somewhere else, and collectively, you’ll never hear about what we’re doing ever again.” It’s okay, great. I understand that. That is an outcome that, in many cases, is the right answer for everyone involved. But it’s also sad when you have a product that you know and you love. And from my understanding, what AppRisk is doing, it isn’t taking a step back from what Enso did in any way at all. This is an acceleration for feature releases and in value delivered to customers. Is that correct, or do I have some massive back walking I need to do now?

Chen: Yeah, I think that for me, this is an excellent framing for the story of our company. Because on top of, you know, the brand that we used to have in the past, we also have some experience in the field, and we’ve built some very interesting technology to support some important processes in this space. And our story is the kind of story where the buyer recognized this and took this forward, you know? So, we’re very happy about this.

Corey: What was it like? I’ve found that I was effectively unemployable for reasons that should be blindingly obvious to anyone that’s ever had more than a 30-second conversation with me. “Wow, that guy would be obnoxious to work with.” Yeah, in the employment context, usually. So, I started this place, not because I had this grand vision at the time for the mark I wanted to leave in the universe, but rather well, what other options do I have? And I made it work, but I’ve never really looked at the idea of going back the other way of oh, we should wind up getting acquired somewhere. What’s it like going from having the autonomy, and yes, also sleepless nights and constant fires of being a founder to the relatively prosaic life of an engineering director?

Chen: So, I wouldn’t say prosaic. Just—

Corey: [laugh] I’m just going to wildly trivialize your day to day. It’s like, “Oh, yeah, you work at a company that does really well. How hard could it be?” It’s like, oh, no, they’re not [laugh]—the problems are no better. They’re just different.

Chen: We are actually in a very exciting, very high-paced one to accomplish this, you know, the same way. I think it’s not too different how we would have felt if it was just still our company, but we—in some ways, I can look at it as a different funding approach. Like, you join a big company to bring this vision to market, or you get money from another venture capital to continue on your own. So, macro climate and these kinds of factors go in, but in terms of our vision and the opportunity to execute the kind of vision that we wanted, it’s still the same pace, we feel the same, we talk about the same subjects and the same challenges, and we build to the same. The beautiful thing about this was that Snyk and us, we had almost the exact vector on what is the future of application security. And this is why it just goes—it’s a very smooth transition, actually.

Corey: The idea of how these acquisitions play out is always somewhat difficult to see from the outside world. Was it something that came along and felt like wow, this is a real acceleration? Was it, “All right. You know what? It would be great if we could wind up selling to a company. Let’s start a bidding war, and then we’ll just see whoever winds up throwing the largest pony at us will win.” How did that whole thing unfold?

Chen: So, Snyk is very engaged with developing partnerships, and they have also a local presence here in Tel Aviv. And as part of this partnership, we engage in different conversations around the problem space, sharing ideas, sharing our thinking, a little bit, teasing about the kinds of technology that we have, and the product support that we have, showing off ourselves a little bit. And at some point, they just—

Corey: And there’s a counterpoint, too, where each company has four letters in its name. You have two vowels, they have none. I’ve been urging them for years to take some of the money that they’ve raised and use it to buy a vowel. This isn’t exactly what I meant, but okay, good steps.

Chen: Yeah. That’s also a good thing to get when you buy something.

Corey: I will say this, that there are certain companies—and Snyk is one of them, and they are very rare—that when they buy another company, you’re excited to see what happens. There are other companies who are not in that boat. Let’s make one up hypothetically, and call it Cisco. There was this magical hypothetical company called Cisco that bought a company called Epsagon that I was a huge fan of, and a happy customer of. Step one for me was to call them and congratulate the founders because they’re great folks. And the second was to cancel my user account with them because I couldn’t stand watching, yet again, something I love become something that was basically turned into glass.

Whereas when Snyk buys something, this perspective is still—and it goes far beyond me; this is an industry-wide perception—“Oh, wow. I can’t wait to see what happens next.” Snyk’s acquisition track record is stellar. Their company culture remains stellar, at least the perception of it from the outside. Did that factor in at all when you were considering, is this going to be something where the two entities merging into one are stronger than either would be independently?

Chen: Yeah. So, definitely. We had a series of discussions talking about how the—we called it at that time collaboration, but it’s obviously a little bit different than that—but how the future of Enso would look like inside Snyk, and we gave a lot of thought on what will be the meaning of making this step.

Corey: A question I want to talk to you about—and I’ve mentioned this in a number of episodes in various ways because I find myself thinking about it constantly—but I feel like in the aggregate, there are two categories of problems that businesses have. You have the proactive side of the problem, is how do we expand revenues? How do we open new markets? How do we wind up driving new lines of business?

And then you have the reactive side of the world. Security inherently falls on this side of the universe. My own business of fixing AWS bills falls on this side of the business. Buying fire insurance for the office falls on this side of the world. Things you have to do, like eating your vegetables, but you can spend all your time and energy on those things until your company goes under, and it doesn’t move you one iota closer to your company milestones.

It feels like security is one of those things where if you let it, it’ll consume everything at a company. It’s always held in tension with feature releases and not getting in the way. But something you’ve been vocal about historically is that cybersecurity is not necessarily the hero of the story. Tell me more about what you mean.

Chen: Yeah. So, you’re spot on. I started my career as a pen tester, and we were guided to tell our buyer, to tell our customers, that security is a business enabler, and security can even make your business better. Good engineering practices could accelerate you. But security is, like you said, something that’s in there to protect your business, and there is no way around it.

And I think that now what happens is that the market is going to check on the return on investment on security because of what you pointed out, because of this problem that you pointed out, and it’s a good point in time for us security folks to look in the mirror and realize that our job is to protect something that is a little bit more significant than what we do. What we do is to protect something else. This something is the hero of that story, and it’s almost like software is, in this amazing machine that humankind has built, is the hero of this entire story, and our job in this is to provide security and to protect it. But the main event is software, and digital services, and this amazing machine that humankind is building.

Corey: At some level, it feels that security can tip over the line into compliance. And I have to be careful how I talk about this, lest I be misunderstood. Compliance is important, particularly if you’re, you know, a bank, for example, something that matters, in a sense where, oh, if we get out of alignment here, there are very real harms in the world, as opposed to in my case where if I completely drop the ball on the security side of the fence for the media side of my business, people could send out spam email. Like, the risks are not equivalent. So, compliance is important, but on some level, it seems to become the reason for doing things. I’ve seen too many projects that are green lit just to check a compliance box that don’t actually make anything significantly better. It feels like, left unchecked, that’s a trend that only grows and never gets pulled back.

Chen: Yeah, it makes sense. I think that compliance is the access payment on the attempt to standardize security. You know, it’s like a tax system on top of the actual value in security. If you want to make sure that everybody does this, you have to layer in more and more rules and ways to evaluate if these rules are being followed. And on one hand, it’s very costly.

On the other end, you don’t really have very effective means, you know, as a global community, to regulate and to push vendors into being more responsible. And this is why this still exists. And I think that we do need to invest in making compliance more accurate to providing value-add on security, but it is going to take time because the nature of this thing is that, you know, you give two developers the same task building the same thing. They will create completely different things with completely different sets of problems, different implementation, security and otherwise. And to regulate safety into that is very, very hard.

And this is why we experience this growing demand and growing list of compliance frameworks and regulations. But I think that the future is that, as everything, it will have its own natural evolution, and we will end up with better practices, more out-of-the-box security, especially with the power of cloud services, and good practices that are coming along. And maybe the future is a little less entangled in, you know, these spreadsheets with the checkboxes.

Corey: Honestly, there are times where getting an office for the Duckbill Group here would make it easier for us to handle the vendor security evaluations at many of our clients because it would mean that we could check the boxes people expect rather than having to have a nuanced conversation. One of the reasons I’m not allowed to have those conversations myself is we’re a distributed company, so when you start asking me about the physical security stuff we have implemented, I work from home. This is where my family lives. Bust in here and start threatening them, I will log you into whatever you want and give you a guided tour. If that doesn’t align with the security posture requirements of my clients, then they should make sure not to give me access to anything that would be damaging in that context. I don’t want access to that kind of secrets anyway. It’s not necessary for what I do. But that is a difficult and nuanced conversation to have versus, “Yep, we have locks on the doors and everyone must badge in.” It’s a very big gulf sometimes.

Chen: It is. It is. And I think this maybe drives the variety that you see when you go down the aisle in the RSA that you referred to a few times in this talk. It’s a complicated mission to protect things. Even think of your own house.

If you step away from the reason you talked about your house in this conversation, how to secure your house—your own house—is very difficult. And then try to apply this to the entire cyberspace. So many different variables, so many different things inside. And people trying to draw useful lines between in-segment responsibilities, between different processes, different parts of the technology. It drives a lot of friction in the space, but it’s a necessary part of the evolution of software and of security.

Corey: One last topic that I want to get into before we call this an episode is, as we record this, what’s currently in the news cycle is a sentencing for something that happened three years ago or so, where a then employee of First Republic Bank was fired for something or other that they shouldn’t have been doing. Great. Not relevant to the story. They went home, logged into production systems from their not-confiscated-yet work laptop through access that had not yet been revoked, and damaged a bunch of First Republic systems. Now, this person just got sentenced to two years in jail. Great. They acted unethically. I have zero sympathy. Don’t do that.

But the real hell of it to me is, First Republic—at least at the time—was a bank. How do you not lock people out when they are terminated from employment? And Snyk does a lot of terrific stuff, don’t get me wrong, but it all presupposes that the basic blocking and tackling, like have passwords set up on your computers, or zip up your pants when you leave the restroom style stuff has already been taken care of. When mistakes like that are being made, on some level, it feels like anything more advanced than those absolute fundamental basics, it just feels like it’s far-future technology. It’s not, but it’s easy for me at least to come at this with a sense of, if we can’t even get the basics right, then what’s the point of all the advanced, neat stuff?

Chen: Yeah, so on occasions like this, I tend to try and look at the places where it happens right. Like, we talked just a moment ago about compliance. Compliance means driving forces to promote more and more of this happening right. But, like, I feel a little bit like a broken record, but I think that the main reason for this is that this is hard. It’s hard to accomplish a fully proficient security agenda across your entire… exposure, your entire surface.

This problem touches everywhere. It touches the subjects that you brought up before about different security teams stepping on each other’s toes, sometimes stuff falls between the cracks, how does shift left affect ownership, many, many different subjects that are not very easy to walk about. But no one said that software security, and software in general, is easy. And it’s not going to remain easy, even with the promise of AI for the near future. But we are here to try, and you know, improve it, try to make it better.

Corey: I think that you’re on the right path. As a customer, I deeply appreciate the Snyk experience—obviously. As a vendor, I appreciate your business as well, but honestly, the things I care about the most, yeah, it’s the security piece of it because once—if you dropped the ball on that, none of the rest of it matters. Like, “Well, we’re terrible at security, but we have great marketing,” does not work. You have to do the basics, and just, frankly, everything that you folks have done so far and every time I’ve encountered you, both in my own experiences and in my customer accounts, you leave them better than you found them, and that is deeply appreciated.

Chen: Thank you.

Corey: I really want to thank you for taking the time to speak with me. If people want to learn more, where should they go?

Chen: So, I think the first place to go is to Snyk’s website, to read also about AppRisk, and yeah, take it from there.

Corey: And we will, of course, put a link to that into the show notes. Thank you so much for being so generous with your time. I really appreciate the chance to speak with you.

Chen: Thank you so much for having me. This has been very, very pleasant.

Corey: Chen Gour Arie, director of engineering at Snyk. This featured guest episode has been brought to us by our friends at Snyk, and I’m Cloud Economist Corey Quinn. If you’ve enjoyed this episode, please leave a five-star review on your podcast platform of choice, whereas if you’ve hated this episode, please leave a five-star review on your podcast platform of choice, along with an angry, insulting comment that, depending on how crappy that comment is, I will hope that that podcast platform gets acquired by either a great podcasting company, or by Cisco.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business, and we get to the point. Visit duckbillgroup.com to get started.