From YouTube: Security Q&A - Sales Enablement
Description
Covering the Forrester SCA Wave and other security topics
A
Okay, so this is the sales enablement call where the topic is security, and it's sort of an ask-me-anything approach. But I do want to make sure that we cover the Software Composition Analysis Wave that Forrester recently published, and make sure everybody's seen that and that you know how to interpret the results and where to go for more information on that. So I thought maybe we'd start there for a minute and then see what questions come up.
A
That's all right, and Philippe graciously agreed, since I'm on the road, to have the web page available. So the Wave came out a few weeks back, and we have a blog article and a web page. The blog article points to the web page. We didn't purchase the distribution rights to the Wave, because it's not stellar. It's great for where we are, but there's another one: 451 actually has something that I think positions us a little bit better, and so we're looking at buying the rights for that one.
A
Where we came out: since we were not buying the reprint rights, they don't allow us to show the graphic of the Wave itself on here. But Philippe, do you have the report itself with the graphic that we can just show people, even though we can't post it anywhere?
A
Perfect. So where we are is a Challenger, and they scored us low for execution in terms of the product that we have there today, which I would expect. We haven't been around for very long with security capabilities, and in fact we didn't qualify for the Gartner Magic Quadrant because we hadn't had revenue from security long enough. So the fact that we are on there at all is really a testimony to, you know, we have a product that's considered among the ten that Forrester was looking at.
A
True, very good point. So software composition analysis includes static code analysis and dependency analysis and license management. It does not include dynamic scanning, because it's really intended to be what the developer would be, not necessarily what the developer would use, but what's used very early in the software development lifecycle, before testing, and so this is before document.
A
If you can go back to the Wave picture there. Perfect. So you see we're rather low in terms of execution of our current offering, what we have today. Again, I would expect that. I had hoped that we'd be a little bit further on the strategy side, but they dinged us in two areas, which you could argue about, and we did considerably. One is:
A
They said that our ability to execute against the roadmap was... they gave us a 1 out of 5 for that, which my argument was: we publish the roadmap, we release once a month, we've met our once-a-month commitment for, you know, 90 times in a row. Show me any other vendor that's done that. But they refused to budge on that. And the other area was the...
A
inability to integrate into the SDLC, which, you know, on first blush you go: what are they smoking? How are they interpreting that? We don't integrate into the SDLC? Because that's like our main thing, what we do. But I think where they're coming from is we don't make it super easy to integrate with other tools in the development chain, because of our strategy of being a single application for the entire software development lifecycle.
A
So they were kind of taking issue with our strategy in that regard, and that's where 451 is better, because they see that as an important element of our strategy, and they actually give us kudos for that, whereas Forrester kind of holds it against us. So anyway, a couple of points there that you can make to push back with anybody that questions where we are on the strategy side of that. But the key takeaways really are:
A
You know, in record time we're on the map, so that's super important, and then our track record of continuously improving and iterating. The version that they evaluated was 11.6. So in that webpage I came back and showed all of the improvements that have been made just since 11.6 that addressed some of the concerns that they brought up. So, you know, if they were to evaluate it today, they'd probably put it a little further out, because we met some of those issues.
A
And I think that, you know, when talking, was canning a bit, who's a PM at the moment, I think he agrees that we'll be more likely to integrate SAST and DAST from other vendors, because those are well-established markets. It doesn't really make sense for us to try to build or buy something there. In the container space, I would expect that we will, you know, do more there ourselves.
F
Okay, and I have, I guess, a general question then. In the network and endpoint security space, strategy is very much, you know, defense in depth, adding layers of security products. Do you see the same in AppSec, or is it generally, you know, customer A is choosing WhiteSource and that's it, or they just have Synopsys and that's their...
A
There's multiple players. So generally, a lot of these vendors don't do the entire breadth. They don't do, you know, static, dynamic (which is not considered in the SCA Wave), but they don't do static, dynamic, dependency, container and license management, and so generally it's been sort of the best-of-breed approach, and, you know, people would buy maybe Veracode historically for SAST, and they might buy...
A
You know, Sonatype for dependency scanning, and, you know, something else for... Snyk is becoming more popular. I want to make sure that y'all realize that of all of these players on here, they're the ones that I think have kind of grown the fastest most recently, and they are a niche player, so they're not going to cover all the bases, and so people are still going to have to stitch together.
A
There's kind of two sets of customers we've talked about in the past: there's the more SMB market, that, you know, doesn't even necessarily go by size, but those that haven't invested in application security, and those that have. And those that have tend to be the ones that also have invested heavily in DevOps. They tend to be regulated industries like financial services and so forth, and they've already made big investments in some of these others, you know, the Veracode, Synopsys.
A
Well, so software composition analysis really covers a lot of pretty well-established areas. So static analysis has been around for 15 years, so that market's already consolidated; there's not any little players out there really that are doing static analysis that aren't covered by these. Dependency scanning is a little bit newer. I do think, though, that this picked up the bulk of the dependency scanners. I mentioned that Snyk is the one to keep an eye on; they seem to be growing. Black Duck, WhiteSource...
A
You know, those are already really well-established players. The one area that has the most growth and opportunity for change is container scanning, and they didn't include, like, StackRox, Twistlock, Aqua. They didn't include those, I know. Philippe, do you have any comments on that? I don't know why they didn't. Do you know why? Actually, I didn't know why.
Ab
Cindy, quick question here. So I run into a couple of trials with the security scans, and it's coming from the fact that we don't support all the languages that they need. What is the product... I'm just curious as to the process. I know we have on our roadmap to get the big languages out, right, that we can support. But what is the process? So if someone has some obscure language that they have a lot of legacy in, like COBOL or something like that, we obviously make a request.
E
What is the process on the back end? And maybe Philippe can answer this. I'm just curious: do you have to find a tool out there that scans, or do you have to build one, or how do you add these languages? Because it seems like that will help us win a lot more if we can just support all their languages; sometimes they have 20 languages, right. So I just want to understand kind of the roadmap for how we add support for languages across all the scanning elements. I would...
B
I can answer that, if you don't mind. Yeah, all right, so we're a bit off-topic here when I think you are mentioning SAST. We are talking about software composition analysis, which is a different roadmap in GitLab, also a different group; we are creating a dedicated team for that, that will be in place next week or something like that. So I'm mentioning that because the process is different when it comes to SAST versus dependency scanning. For SAST, we are using analyzers that are available out there, open source.
B
So we need a tool to exist to be able to wrap it and to integrate that in SAST. For dependency scanning, we are relying on Gemnasium, that was acquired last year, and the approach is a bit different from Gemnasium. We are doing everything in-house, because we want to control the full workflow, and it's going to allow us to have some more powerful features in the future. But to support new languages, that means we need to be able to identify new sources of vulnerabilities.
B
So, for example, if you don't have any source out there where we can find vulnerabilities for COBOL, there's no way we can support that. We don't have a threat research team. This is something that we plan to create this year, but it's not there yet. I don't have any schedule for that. Maybe Q2, maybe Q3. We are working closely with a wiki from security to evaluate this.
B
This setup, and we can put this team in place, but even if we create that team, it's not going to be 20 people right away. So there's no way we can support so many languages at once. We will probably focus in priority on the top languages, which is like Java, C#, C, C++ and maybe Python. There are some things, but we will add more languages as we grow. Okay.
B
So, to echo what Cindy was saying, the approach that we have here is not to replace everything. We come up with a single application that is a turnkey solution, so we want to be able to provide something that is working for our customers, even if it's not the best in class. So it's a kind of PC approach. When you buy your PC from Dell or HP, it's not, you know, the rockstar PC.
B
If you want to do gaming on it, it doesn't have the most powerful video card out there. It has a very decent one that would do the job, but if you want to do gaming with it, you buy another graphics card; if you are a DJ, you will probably buy another sound card. But at least with the standard version that we're providing, you can do most of the features that you want with these specs. So we have a kind of Dell approach; we're not fighting in front of these companies.
B
There's no way we can compete, and that's also to answer Aden's question. In these charts, we can compete with companies that have been out there for fifteen or twenty years. If you take, for example, Synopsys, maybe 700 or 800 employees, they are a lot bigger than the whole GitLab company itself.
B
They are just doing, you know, software composition analysis and static analysis, so obviously they have better offerings than what we have, but they are not able to cover all the projects, all the commits or the single line of code in these projects. So this is where we are better. And to get back to your answer, Philip, the best way...
B
If we don't support all these languages, we can work with them and identify if it makes sense from the project point of view to put more effort on the languages that they want to have in the product. I mean, the roadmap is never frozen. We freeze the roadmap for the next three iterations; after that it's the direction, and after that we have the vision.
A
It also actually includes code quality, but Forrester didn't really dig into any code quality questions in their Wave, for some reason. But, to John's point, incorporating third-party security reports into GitLab, and, you know, as I mentioned, I think we will start making it a little bit easier to include some of the other scanner results, but it would be the vulnerabilities that they find that would show up in the pipeline report, not necessarily the reports themselves.
A
Well, you've got to remember that, you know, our secret sauce is our workflow: getting this stuff in the hands of the developers sooner, showing them the vulnerabilities and surfacing them before they've, you know, let go of their code and pushed it out to the branch where it's intermingled with everyone else's. So it's all about cause and effect. You know, I did this change to my code and I can see the results, and so having it in that pipeline report is really the secret sauce that we'd want to keep.
B
Absolutely. There are two things that I would like to mention. So, first of all, integrating third-party vendors like Checkmarx or WhiteSource, it's really required by some customers. I don't remember discussing with any customer that's not asking for that. So that's the first part. I'm trying to set that as part of my OKRs, so we start in this quarter to do this initiative. I still need to validate that with the project, so that's why I don't want to commit on this right now.
B
That's the good part, having a single place where the security team will be able to take actions from there, but we have some customers asking for more reporting pages, so pages that they would be able to share with the CISO, director of security or even with executives, where they can have the trends. Are we going to have that kind of thing, but not the list of all the vulnerabilities? So this is something that we will work on during this year.
F
I've got a question. This might be longer than two minutes, though, but I'd like to understand what, you know, we're bringing in for the, you know, SAST, the dependency scanning. We are bringing in open source feeds. Are we having... is there, you know, the... and the value is to shift everything left, right, but I hear from security people, when they say, you know, the open source feeds, they're open source. They could be available to anybody.
A
Well, I don't know that we can address that in the minute that's left, but I can tell you from a sales point what I would push back on them with is: they're absolutely right. It's open source scanners; they could build it themselves. You know, if you want a pound of hamburger, you could go butcher a cow, but do you really want to do all that effort yourself? I mean, sorry, I'm a former rancher; that's the analogy that came to mind.
A
You know, do you really want to do all that yourself? And yeah, Gemnasium is proprietary, but, you know, I would see, as I mentioned, we'll probably be more proprietary on the container side, since it's newer, and do more partnerships for the others. But that's a Cindy Blake conjecture at the moment, yeah.
F
That's generally what I... you know, I'm just kidding, that's the pushback that I get generally. Nobody wants to build it themselves, but to say, you know, the difference between Premium and Ultimate, that's kind of where they need to, you know, figure out: is it worth it to bring in these open source feeds, and is that value worth it from a cost perspective? But yeah, fully buy... no, amazing. I'm trying to say it's a longer discussion, though, yeah.