►
Description
Application vulnerabilities are a primary target for hackers. But the complexity and pace of modern application development makes effective detection and remediation of security issues increasingly difficult. Join Scott Johnson, Sr. Director of Product Management from Synopsys as we discuss rising trends of application security, what challenges you might face and how Synopsys can help address those challenges.
A
A
B
Apparently,
we
are
rolling
I'm
going
to
share
my
screen.
My
name
is
mike:
where
is
the
gosh
darn
share
screen
there?
We
go
I'm
going
to
share
my
screen
and
you
know
what
I'm
going
to
present.
My
name
is
mike
wait.
This
is
the
openshift
commons
briefing
operator
hours,
and
we
are
super
excited
here
today
to
have
our
very,
very
highly
energetic
rock
star
best
buddy
scott
johnson
who's,
the
senior
director
of
product
management
over
at
synopsis
scott.
How
are
you
hey.
B
Well,
you
know
I
could
I
couldn't
help,
but
squeeze
that
in
because
you
know
what
as
we
we
got
on
the
on
the
call
at
the
bridge
here
a
little
early
and
I
was
like
geez,
that's
a
pretty
nice
white
background.
You
got
there
and
then,
and
then
ferris,
who
I'm
also
going
to
introduce
in
a
second
is,
has
a
similar
type
of
background.
Then
you
know
you
took
years
off
and
there's
like
this
giant
iron
maiden
poster
on
the
wall,
and
I
was
like.
C
B
A
Well,
I've
I've
always
wanted
to
get
one,
but
I've.
Never
I've
never
been.
I've
never
been
in
a
position
to
catch
one.
I
was
really
close
when
the
bass
players
side
project
played
in
atlanta
to
like
a
hundred
people-
and
I
was
literally
up
upstate
up
in
front
and
had
an
opportunity
to
get
a
picture
with
him,
but
I
was
not
able
to
get
a
guitar
pick,
I
think-
or
in
this
case
one
of
the
guitar
players,
one
of
some
little
10
year
old
kid
snatched
it
away
from
me.
B
Like
you
remember,
when
we
were
kids
just
a
little
sidebar
because,
like
I
find
this
pretty
interesting,
remember
going
to
concerts
as
a
kid,
we
didn't
have
any
money
and
it
was
like
trying
to
figure
out
how
to
get
seats
and
like
can
you
even
get
somewhere
near
on
the
floor,
so
you
could
potentially
get
a
drumstick
or
something,
and
lately
over
the
last
three
or
four
years,
whenever
I've
gone
to
a
concert,
I
basically
just
go
all
in
and
I
buy
like
front
row
center.
I'm
like
just
give
me
six
of
those.
A
B
A
A
Code
right,
everything's
been
shut
down,
so
it's
going
to
be
it's
going
to
be
nice
when
some
of
those
things
open
up
and
we'll
probably
see,
I
would
expect
there's
going
to
be
a
lot
of
new
music
and
books
and
stuff
coming
out
really
soon.
As
you
know,
folks
that
have
been
holed
up
for
a
while
have
have
been
sitting
around,
hopefully
being
creative.
B
B
A
A
B
A
A
A
I
have
a
lot
of
friends
that
work
at
the
some
of
the
various
large
enterprises
and
in
the
space
and
they're
I
mean
they're
feeling
the
pressure
right.
You
know
every
day
when
you
hear
about
you,
know
solar
winds
and
colonial
pipeline
and
meat
packing
plant
right.
What
the
heck
meat
packing
plant
jbs
got
hacked
it's
like
what
in
the
world
right.
B
A
B
C
B
B
I
I
could
tell
that
we
have
some
pretty
good
chemistry
and
synergy
here.
I
don't
think
we're
going
to
have
a
hard
time
running
out
of
things
to
talk
about
today,
but
I
did
want
to.
I
didn't
want
to
get
to
you.
So
what
you
know,
what
do
you
do
here
for
the
company
and
tell
us
a
little
something
about
yourself,
ferris.
A
B
I
I
can't
I
I
cannot
wait,
cannot
wait,
maybe
maybe
around
you
know,
kubecons
coming
up
in
october.
Right,
maybe
there'll
be
a
concert
in
l.a
and
maybe
we
can
like
get
together
like
early
or
stay
after
it.
We
can
go.
I
I
don't
know.
I
haven't
even
looked
for
concerts
in
18
months,
but
that
would
be
cool
if
we
could.
B
C
C
C
Now
a
lot
of
the
times
we
hear
from
our
customers
that
you
know
developers
and
operations
work
in
this
area,
then
they
come
in
and
after
the
code
is
done,
they
go
into
security.
Security
is
going
to
yay
or
nade
the
code,
and
this
is
going
to
bring
the
cycle
way
back
in
and
make
it
that
much
longer
for
them
to
deploy
the
code.
And
today,
in
the
agile
world
of
things,
we
really
can't
wait
that
long
for
code
to
be
coming
into
market.
C
So
we
have
worked
with
our
partners
in
the
security
world
to
go
in
and
secure
the
code
and
secure
the
containers
after
they've
deployed
an
open
shift
now
an
open
shift.
Obviously
it's
a
very
strong
system
built
on
red
hat
linux.
It
takes
care
of
the
security
and
infrastructure,
it
takes
care
of
the
security
of
the
environment,
but
once
you
build
those
containers,
we
wanted
to
work
with
our
partners
to
secure
them.
C
Now
we
have
built
a
lot
of
blueprints
that
will
talk
about
the
devops
world
and
how
it
progresses,
and
we
can
define
how
our
security
partners
work
in
nine
areas
that
are
important
to
security.
We
define
them
into
nine
specific
regions,
sort
of
speak
and
that
basically
would
be
application
analysis,
identity
and
access
management,
compliance
network
controls,
data
controls,
runtime
analysis,
audit
and
monitoring
and
remediation,
and
when
we
define
those
areas,
what
we
set
out
to
do
with
between
me
and
dave,
muir
and
and
levy.
C
If
you
guys,
are
familiar
with
our
team,
we
sat
out
in
the
beginning
of
the
year
and
we
decided
that
it
would
be
a
great
idea
to
have
a
security
series
and
we
started
back
in
march
where
we
started
going
through
the
red
hat
security
ecosystem
and
we
provided
introduction.
We
started
by
product
provider,
introduction
to
the
devops
security
topics
and
then
we
went
on
for
each
month.
We
dedicated
a
topic
so
to
speak,
and
this
this
topic
or
last
month
may
topic
was
that
in
nexus
management.
C
So
if
you
were
following
the
show,
you
would
have
seen
cyber
art
was
on
there
this
month.
We
have
the
app
analysis
where
synopsis
is
our
top
isv
that
do
a
lot
of
work
with
us
in
the
app
analysis.
So
here
we
are
today
and
we've
been
doing
those
series.
Every
third
week
of
the
month-
and
I
know
that
because
a
lot
of
your
audience,
a
lot
of
our
audience
and
our
customers
have
been
gone
to
summit
last
week.
That's
why
we
kind
of
shifted
it
this
this
week.
B
C
Good
cause
why
they
we're
going
into
the
live
events,
but
they
still
can't
catch
him,
but
we're
glad
to
be
here
and
next
month.
I
think
we
can
be
talking
about
the
data
analysis
right,
so
we
look
forward
to
seeing
you
next
month
in
july,
but
for
now
that's
what
we
have
with
the
topic,
we're
going
to
be
talking
to
our
friend
scott
about
a
lot
of
things.
So
I'm
very
excited
to
be
here
today.
B
Cool
thanks
glad
glad
to
have
you
ferris
as
well,
and
so
if
anyone
wants
to
to
stay
on
top
of
the
of
the
security
themes
that
ferris
and
his
team
are
putting
on
with
their
partners,
you
can
go
to
the
open
shift
site.
Openshift.Tv
find
the
calendar
of
events,
and
you
can
actually
sign
up
and
see
you
know
which
events
are
being
put
on
by
whom,
when
and
ours
are
generally
wednesdays,
at
noon.
Eastern.
B
So
looking
forward
to
having
having
you
folks
on
again
here,
ferris,
scott
and
ferris,
I
need
to
I
need
to
talk
about
the
elephant
in
the
room.
Okay,
as
has
well,
there's-
probably
lots,
but
I'm
gonna
bring.
I'm
gonna
bring
one
up,
so
I've
been
here
at
red
hat,
as
some
people
know
who
follow
our
show
forever
and
I'm
as
old
as
dirt.
I've
been
here
for
21
years
and
we
were
yeah.
B
It
was
2002
when
my
office
was
started,
there
were
12
of
us
in
the
in
the
office
and,
and
you
know
back,
then
there
were
all
these
companies
that
were
making
you
know.
All
we
made
was
linux
right.
It
was
like
you
know:
linux
was
our
product,
we
were
one
trick
pony
and
you
know
there
were
these
silicon
companies
out
there
intel
and
and
amd
and
others,
and
they
all
used
software
from
synopsis
for
doing
electronic
design,
automation.
B
They
call
it
edac
right,
and
so,
when
like
when,
I
hear
synopsis,
I
think
chip
design
software
and
I
think
synopsis
is
like
you
know,
buying
up
everybody
else,
and
I
think
I
think
they
really
bought
mentor
graphics.
They
bought
all
these,
but
then
they
went
and
they
bought
black
duck
and-
and
I
was
like
sitting
there
talking
to
myself
at
the
time-
it
was
joe
gomes
who
was
the
who
was
your
you
know
my
main
point
of
contact
there,
great
guy,
I
gotta,
I
gotta
text
him
and
see
where
he
ended
up,
but.
B
Like
black
duck,
software
was
based
out
of
massachusetts
and
and-
and
you
guys
will
know
better
than
me,
but
like
vulnerability
scanning
right
for
open
source
projects,
I
mean
imagine
how
important
that
is.
You're
like
one
of
these
big
commercial
banks-
and
you
know,
you're,
building
all
your
own
apps
inside
your
commercial
bank
and
you're,
taking
all
this
open
source
code,
and
how
do
you
know
that
there's
not
like
vulnerabilities
in
it
and
as
and
I'm
gonna,
I'm
gonna
do
a
really
poor
job
here.
But
you
know
blackduck
was
like
no
problem.
B
B
A
I
think
what
they
really
identified
was
the
importance
of
software
and
securing
software
and
how
we,
how
it's
so
important
to
enable
trust
in
software
over
time
and
so
the
the
company,
the
the
executive
team,
has
made
a
strategic
and
very
focused
investment
and
commitment
right.
It's
really
about
commitment,
it's
beyond
investment,
it's
about
commitment
to
how
you
secure
code
going
back
to
maybe
they
listened
to
what
I
think
was
mark
andresen.
That
said
back
a
decade
ago
that
software
is
eating
the
world
and
it
is
right.
A
Software
is
basically
part
of
everything
we
do
in
addition
to
the
chipsets
and
so
that
commitment
in
addition
to
black
ducks,
so
they
they
have
built
all
right
and
before
that
you
had
sigil,
you
had
coverity.
So
if
you
look
at
the
the
pillars
of
application
security,
static
analysis,
open
source
dynamic,
I
asked
synopsis
and
the
sig
we're
called
sig,
but
within
synopsis.
A
I'm
a
winner,
okay,
you
are
a
winner
and
you
know-
and
it's
it's
it's
interesting,
because
when
you
look
at
what
we
do,
that
doesn't
really
define
what
we
do,
because
we
we
cover
so
many
areas
across
really
the
application
life
cycle
and
you'd
asked
about.
You
know
what
what
is
synopsis
continuing
to
do.
We
just
announced
about
two
weeks
ago
the
acquisition
of
a
of
a
company
called
code
dx,
and
we
could.
A
We
could
talk
a
little
bit
more
about
that
in
a
few
minutes,
but
the
continued
investment
to
provide
the
capabilities
for
for
our
customers
right
when
you
think
about
the
direction
of
application,
security
and
the
companies,
you
know
it's,
it
used
to
be
that
it
was
primarily
something
that
if
you
go
back
to
jeffrey
moore
and
they're
crossing
the
chasm
right,
it
was
kind
of
the
early
adopter
thing
yeah.
For
those
that
are
aggressively
writing
apps,
you
probably
should
do
application
security.
Then
what
do
you
do?
A
Do
you
do
static
analysis,
dynamic
analysis,
open
source?
The
answer
is
all
the
above
by
the
way,
but
that
that
evolution
right
in
terms
of
how
that's
really
evolving
every
single
customer
or
every
single
company
today
is
a
software
company.
It's
some
in
one
form
or
another
banks
from
banks
to
dollar
general.
A
So
the
you
know
if
you're
driving
through-
and
I
think
we
were
talking
about
me
being
from
nebraska-
you
know
during
our
initial
session
and
so
if
you're
driving
through
the
panhandle
of
nebraska,
you
find
three
things
right:
there's
a
gas
station,
there's
a
mcdonald's
and
now
there's
a
dollar
general.
Well
guess
what
dollar
general
builds
a
lot
of
applications,
both
internal
and
external
there's
a
mobile
app
right.
I
guess
you
could
order
your
dollar
general
dollar
stuff
and
go
pick
it
up
right
during
cobit.
A
But
the
point
is
every
company
really,
no
matter
if
they're
high
tech,
financial,
retail
there
there
is
a
security
aspect
of
it,
because
you
have
applications
because
you're
interfacing
with
customers
that
are
using
credit
cards,
a
real
world
real
world
example.
Now
my
wife
recently
bought
a
new
dishwasher
and
she
bought
it
from
a
small
company.
A
I
don't
even
know
where
they're
located
they
got
hacked
her
credit
card
was
stolen
and
and
it
was
breached,
so
we
had
to
go
through
all
the
process
and
figure
out
what
to
do
and
and
all
that,
but
it
just
illustrates
that
no
one
is
really
immune
today
and
that's
in
at
the
core
of
it.
It
really
is
around
the
applications
and
the
data.
A
B
I
have
a
dishwasher,
I
got
a
ski
condo.
I
got
a
dishwasher
there,
my
summer
house,
in
new
hampshire.
I
got
a
dishwasher
there.
I
got
this
house
here.
I
got
a
dishwasher,
they
really
don't
ever
get
used.
Maybe
it's
because
I
you
know,
I
don't
have
a
whole
hockey
team
of
children
like
yeah.
Maybe
you
know
like
dave,
muir
does
but
anyways
that's.
A
B
C
And
then
go
ski
one.
Other
thing
that
I
did
want
to
bring
into
the
discussion
that
also
with
synopsis
is
very
big
in
creating
the
chips
and
create
the
software.
That
would
create
the
chips
and
they-
and
I
was
reading
an
article
the
other
day
about
auto
manufacturing,
and
we
have
you
know.
Synopsis
has
a
big
auto
vehicle
that
they
work
with,
where
they
have
the
chips
and
they
create
them.
For
the
ai
for
the
automotive
industry,
we
at
red
hat
working
very
closely.
C
We
have
our
own
center
of
excellence
in
automotive
and
one
of
the
things
that
the
article
was
talking
about
with
the
intelligent
cars
coming
in
and
how
it's
going
to
lower
the
insurance
rates
and
lower
the
accidents.
But
there
is
one
problem
that
is
really
making
people
stay
up
at
night
and
that's
the
security
of
the
auto
driving.
C
Exactly
because,
then,
if
somebody
hacks
into
that
then
and
takes
over
the
cars,
then
imagine
the
type
of
damage
that
they
could
bring
in
and
the
havoc
they
could
bring
into
smaller
cities,
whatever
the
infrastructures
and
so
on.
So
this
is,
I
think,
there's
very
important
piece
where
black
duck
and
synopsis
can
come
in
and
secure
that
code
before
it
even
gets
into
the
chip,
and
that's
a
very
big
area
that
we've
been
working
on
together
between
red
hat
and
synopsis.
Currently.
A
Yeah
partnership,
wise.
We
have
a
really
strong
relationship
there
to
help
secure
to
secure
the
code
that
goes
in
cars.
If
you
look
at,
I
mean
it's
again:
it's
the
evolution
of
the
space
right
where
there's
a
car,
rubber
and
aluminum
yeah,
but
it's
also
code.
I
think
in
the
latest,
tesla
there's
like
a
hundred
million
lines
of
code
and
a
good
friend
of
mine
who
does
a
lot
of
talks,
ted
talks
and
things
like
that.
A
He
he
was
jokingly
talking
one
time
he
said
I
don't
want
my
automated
driving
car
to
run
over
grandma
when
I'm
backing
out
of
the
garage.
No,
when
it's
backing
out
of
the
garage,
so
I
can
get
in
the
car
right
because
it's
self-driving.
So
it's
it's
a
really
important.
I
mean
it
ties
in
with
everything
we
do,
especially
if
you
look
at
that
that
part
of
the
automation,
if
we
really
do
have
self-driving
cars-
and
we
do
I've
been
in
one-
it's
pretty
impressive.
A
But
if
every
car
is
a
self-driving
car
and
you
have
a
network
that
is
dependent
on
you
know
the
on
no
latency
right
and
if,
if
one
one
small
vulnerability
gets
into
that
software
supply
chain,
that
it
could
impact
that
infrastructure
for
all
the
cars
that
have
to
connect
it's
kind
of
funny.
So
here's
a
non-security
example
but
living
in
atlanta,
we
have
what's
called
the
perimeter
and
it's
basically
a
circle
that
goes
it's
a
interstate
285
goes
around,
I'm
drawing
a
circle
here,
that's
what
that
means.
A
A
B
So
you
started
you
started
talking
about
that.
There
were
a
couple
things
that
you
that
you
threw
out
there
in
your
in
your
preamble.
One
was
about
wayne
wayne
gretzky
talking
about
you
know,
go
where
the
puck's
going,
not
where
it
is
and
in
in
in
computer
terminology.
They
call
that
speculative
execution
and
thinking
back
to
like
security
breaches.
You
know
you,
you
brought
up
the
the
meat
packing
plant
and
the
you
know
the
gas
line
and
solar
winds
and
everything
else.
A
B
B
It
was
amazing
I
I
just
like
it
apparently
like
it
started
way
back
in
the
mainframe
where,
in
order
to
speed
up
transactions,
they
were
like
well,
if,
if
I'm
a
line
order
cook-
and
I
know
that
someone
comes
in
every
day
and
they're
like
hey-
I
need
my
double
bacon
egg
and
cheese
right
and
you
know
so
they
actually
handle
instructions
in
advance
before
the
request
comes
in
well.
If,
for
some
reason
that
request
doesn't
come
in,
it
gets
dumped
on
the
floor
and
and
back
then
you
know
heartbeat.
B
Shell
shock
was
basically
just
dumping
information
on
the
floor
because
it
was
locked
in
a
mainframe
and
then
when
x86
came
out,
it's
like
this
was
anyways
it
it.
It
was
an
amazing
security
problem
that
was
that
was
addressed.
But
but
you
know
that's
not
your
space,
but
but
let's
talk
about
the
meat,
but
it's.
A
But
it's
all
related,
I
mean
it's
all
related,
though
right
I
mean,
if
you
look
at
it
a
lot
of
that
generates
or
it
it
goes
back
to
the
software
right.
So
you
know
when
you
look
at
lateral
movement
in
the
breaches
right.
A
lot
of
it
is
kind
of
social
engineering.
Where
you
know
I
send
you
a
you
know
some,
some
hacker.
Might
you
know
socially
engineer
your
password
or
you
know
the
just
the
old
phishing
attack
hey
mike.
Can
you
check
out
this
file?
A
You
go
you
you
under
you
accidentally
click
on
it
now
you've
downloaded
something
into
the
system.
You
don't
even
know
it
and
then
they
laterally
move
right
and
they
find
the
vulnerabilities
in
the
software.
If
you
go
back
to
like
stuxnet
and
do
we
don't
talk
about
it
here
per
se,
but
stuxnet
is
a
freaking
amazing,
great
documentary
on
it
and
some
good
write-ups,
but
it's
amazing
how
the
lateral
movement
going
from
kind
of
a
vulnerability
on
the
microsoft
server
side.
A
A
B
Yeah
so
meat
packing
plant
pipelines,
like
I
you
know
like
I
said
I've
been
here
forever.
I
have
a
feeling
that
linux
is
a
pretty
secure,
operating
system.
It
like
how.
How
can
these
companies,
I
don't
mean
to
like
point
any
fingers
at
them,
but
come
on
like
like
what
are
they
running?
Are
they?
Are
they
running
their
their
data,
centers
like
on
laptops
and
their
houses,
and
letting
kids
like
play
games
on
them
and
download?
How
does
that
happen?.
A
Yeah
I
mean
well
one,
you
know
one
is
look,
you
know
some
challenges.
I
think
it
ties
into
some
of
the
challenges
right.
The
look,
the
reality
is
there.
There
aren't
enough
people
in
security,
I
mean
there's,
you
know,
there's
there's
a
need
for
education
and
more
more
expertise
at
all.
You
know
at
all
levels
right.
The
the
pipeline
I
mean
a
decade
ago.
I'd
say
more
recently:
they
they
realized.
I
think
they
were
actually
advertising
for
a
a
chief
security
architect
or
something
like
that.
A
But
you
know
there
was
a
time
where
you
would
have
never
even
thought.
I
don't.
Why
would
I
need
any
security
people
or
a
we're
a
paper
recycling
plant?
We
don't
need
that
stuff,
we're
a
pipeline
right.
No,
what
so,
but
when
you
look
at
it,
so
what
it?
What
it
really
boils
down
to
is,
if
you
are
using
software,
you
can
take
it
up
a
level
chips
and
technology.
A
If
you
have
computers
you're
using
software,
and
you
need
to
secure
it
and
regardless
of
your
industry,
you
know
we
were
talking
about
coffee,
joking
about
coffee
as
code,
you
know
a
little.
You
know
in
our
in
our
preamble
the
other
day,
and
you
know
you
think
about
just
walking
into
starbucks
or
whatever
and
order
a
cup
of
coffee
and
that's
that.
But
everything.
C
A
Do
is
software-based
they've
got
over
a
thousand
developers,
they're
hiring
if
you
go
out
to
their
job
board,
because
I
did
just
out
of
curiosity
and
like
the
first
jobs
that
popped
up
were
like
security
testing
engineer,
and
it's
like
wait.
What
about
coffee
growing?
What
about
the
beans?
Well,
that's
all
automated!
So
if
you
hacked
into
their
jump
cloud
process,
you
could
actually
possibly
laterally
move
over
and
maybe
you
end
up
my
wife
had.
A
So
what
companies
have
to
realize
is
if
you
are,
if
you
are
a
business,
security
has
to
be
one
of
the
pillars
of
your
spectrum
of
control
and
how
you
expect
to
really
operate
your
your
your
company
right
because
it
just
it's.
It's
foundational.
It's
bumper!
It's
more
than
bumpers
on
cars.
It's
brakes
on
cars!
That's
what.
C
It
is
yeah
especially
now
nowadays
that
every
time
that
the
security
valve
is
identified,
especially
in
the
code
where
synopsis
really
works
really
hard,
as
as
soon
as
it's
identified,
you
find
youtube
videos,
it's
showing
you
how
you
can
you
can
expose
that
vulnerability
and
then,
if
you're
not
fast
enough
and
the
speed
is
part
of
the
how
you're
going
to
be
able
to
come
ahead
of
those
vulnerabilities,
like
I
remember
like
the
wannacry
vulnerability
or
the
ransomware
that
came
out
yeah
and
there's
a
long
story.
That's
that's
a
very
sad
story.
C
It
came
in
from
the
nsa
and
then
somebody
saw
the
tools
and
exposed
it,
but
microsoft
knew
about
it
and
then
they
put
the
patch.
But
the
people
who
are
using
the
microsoft
servers
when
really
either
went
away
the
page
or
they
thought
they
could
delay
it.
That's
the
ones
that
were
exposed
the
most
right,
because,
even
though
that
they
posted
it,
and
then
you
have
people
that
had
twitter
accounts
and
youtube
that
showed
you
exactly
how
to
hack
it
and
hack
into
some
of
the
companies
and
a
lot
of
companies
fell
victim
to
it.
C
A
A
I
wasn't
I
in
college
or
in
high
school
with
an
iphone.
The
answer
is
no,
but
so
if
you
look
at
just
over
the
last
decade
right
the
think
about
how
many
companies
now
have
mobile
apps
that
had
none
just
a
few
years
ago
now
they've
got
hundreds
and
the
the
number
of
applications,
a
customer
that
that
I
I
worked
with
quite
a
bit
and
became
friends
with
our
appsec
team.
I
remember
when
he
emailed
me
he
said
hey.
You
won't
believe
this.
A
We
just
crossed
over
scanning
our
3000th
application
and
I
was
like
wait
what
you
guys
have
3
000,
separate
or
distinct
applications
or
different
code
bases
and
he's
like
yeah.
Isn't
that
amazing
and
I'm
like
god,
how
do
you?
How
do
you,
how
like?
How
do
you
even
keep
track
of
that
and
then
and
then,
if
you
look
at
the
the
evolution
that's
happening,
there
too
is
what's
an
application
today.
A
I
was
with
a
customer
on
location,
it
was
actually
with
well,
I
won't
mention
the
names,
but
we
were
on
location
or
on
their
site
and
we
were
talking
to
their
appsec
team
member
and
he
said
well
our
debt.
Our
development
team
needs
this
to
be
very
fast,
and
I
said
I
kind
of
nonchalantly
said
yeah.
Well,
we
can
do
that
now
in
two
hours
he
looked
at
me.
A
He
laughed,
he
said
he
said,
hey
man,
they
need
two
seconds
and
and
then
we
all
laughed
and
it
was
like
yeah.
But
it's
not
it's.
That's
exactly
right.
So
when
you
look
at
and
again
tying
this
back
with
with
what
we're
you
know,
what
we're
doing
together
from
a
partnership
perspective
is
as
those
pipelines
as
the
cicd
pipeline
process
has
sped
up
and
is
how
and
as
more
developers
are
engaging
right
in
application
security
because
they
have
to.
A
It
has
to
be
much
quicker
and
that's
a
big
trend
with
all
the
tooling
that's
out
there,
not
just
from
a
static
analysis
perspective,
but
across
the
board
right
where
developers
need
that
insight
back
right,
then,
and
there,
because
the
old
way
right.
If
you
give
me
a
report
that
says,
hey
here's
a
hundred
critical
issues
to
go
fix,
the
developer
has
already
moved
on
right.
So
he
or
she
has.
B
A
Moved
on
that
was
like
two
days
ago,
I've
written
like
another
x
thousand
lines
of
code.
I
don't
even
know
where
I
got
to
go,
but
now
I
have
to
go
back
and
look
for
that.
So
you
really
gotta
that
speed
that
you
were
talking
about
is
so
important
that
balance
and
then
and
then
the
quality
too
right,
reducing
false
positives
and
do
you
think,
do.
B
You
think
that
I
mean
there's,
there's
no
one
vendor
that's
responsible
for
this
speed
right
I
mean,
like
you,
know,
microsoft.
You
know,
containers
and
microservices,
and
you
know,
apps
are
getting
you
know
yeah,
they
might
have
had
3
000
apps,
but
they
probably
were
pretty
small
some
of
them.
They
weren't,
like
3,
000
databases.
B
That's
why
you
know
3
000
different
vendors.
You
know
you
get
all
these
other
vendors
out
there
as
part
of
this
whole
ecosystem.
Like
you,
take
someone
like
a
joget,
for
example,
like
all
their
low
code
no
code,
you
know
development
tools
and
an
environment
that
they
provide.
It's
it's
it's
almost
like
this
whole
thing
is
just
like
this.
One.
Big
ecosystem
is
just
like
continuing
to
accelerate
based
on
the
acceleration
of
the
acceleration.
B
It's
really
it's
really
going
fast,
so
and
and
it,
and
it
makes
sense
that,
like
you
know,
if
you
can't
fix
the
vulnerability
instantly,
that
application
might
not
even
be
being
used
by
the
time
you
might
get
around
to
fix
it
or
it's
had
so
many
changes
to
it
that
doing
a
defect
repair
and
something
that's
three
major
versions.
It's
you
know
so
yeah
it.
It's
amazing
how
fast
things
are
going
and.
A
Like
the
universe-
and
they
say
the
universe
is
actually
the
the
big
bang,
if
you
believe
in
that
or
whatnot,
but
the
explosion
right
we're
we're
accelerating
faster
and
software
is
like
that
and
technology.
A
friend
of
mine
had
another
quote.
He
said
that
technology,
and
software
in
particular,
is
expanding
at
a
rate
that
is
unfortunately
faster
than
our
ability
to
secure
it
like
dang.
That's
really,
that's,
like
you
know,
nostradamus
thinking,
right
or
like
big
brain.
A
A
C
B
A
Here's
a
very
interesting
perspective,
though,
so,
if
you,
if
you
look
at
molecular
biology
and
how
the
molecules
are
typically
around
so
my
table
right
now
right,
it
looks
flat,
but
depending
on
your
on
how
you
look
at
it,
it
becomes
round.
So
if
you,
if
we
go
out
a
billion
miles
from
our
solar
system
and
we
look
back,
does
does
our
does
the
milky
way
look
flat.
Does
the
earth
look
flat?
Maybe
it
is
flat
from
that
context,
but
on
the
planet
like
we
know
it's
a
spear
because
we're
standing
on?
A
Well,
we
think
it's
a
spear,
but
if
you
go
out
farther,
so
it
goes
back
to
the
context
right
and
in
some
ways.
That's
like
software
right.
How
critical
is
the
software?
Well,
it
really
depends
on
the
context
and
how
you're
looking
at
it
and
how
you're
using
it.
If
it's
it's
your
alarm,
clock
yeah,
maybe
not
that
big
a
deal
if
it's
your
pacemaker,
probably
a
pretty
big
deal.
So
your
your
perspective
on
it
changes,
yeah,
yeah,.
C
C
And
then,
if
there's
a
human
intervention,
that's
needed,
then
it
will
direct
it
back
to
her,
but
with
that
they
kind
of
start
like
growing
exponentially
because
they
they're
no
longer
relying
on
one
person
or
bottlenecks,
but
because
it's
all
automated
through
synopsis
and
now
the
code
can
be
scanned
and
verified
and
making
sure
that
it's
okay
and
it'll
be
secure
code.
Now
this
is
we
talk
about
financial
industries,
so
this
is
very,
very,
very
important
topic
for
them,
but
they
were
dependent
on
synopsis
to
do
this,
for
them.
A
Dependencied
analysis,
analysis,
binary
analysis,
snippet,
matching
and
automating
that
right,
so
that
manual
step
right
can
become
less
needed,
or
at
least
less
critical,
or
maybe
only
a
very
critical
point
where
there
just
is
no
other
option
right.
So
you
want
to
automate
those
things
and,
like
our
our
our
our
open
source
risk
analysis
report
by
our
cyber
security
center
research
center
came
out
fairly
recently,
and
we
encourage
the
audience
obviously
to
take
a
look
at
that.
A
I
think
we
have
a
link
on
it
at
the
end
of
the
session,
but
you
know
we
we
studied
or
we
we
audited.
I
think
something
like
I
don't
know
thousands
of
code
bases
20
industries
and
look
everyone's
using
open
source.
So
your
point
there
is
it's
exactly
right
and
here's
the
here's,
the
kicker
on
that
is
everyone's
using
it,
and
everyone
has
vulnerabilities
right.
There
are
high
level
vulnerabilities
in
the
vast
majority,
it's
like
80.
You
know,
I
think
ours
we
said
84.
A
A
We
looked
at
was
like
an
increase
of
10.
I
mean
that's,
that's
double-digit
growth.
So
is
it
any
wonder
with
more
companies
using
open
source,
more
vulnerabilities,
more
code
right,
so
javascript
go
kotlin
now
you've
got
all
the
things
happening
with
infrastructure,
as
code
with
I
mean
so
imagine
a
world
now
where,
because
this
wasn't
this
wasn't
the
case
10
years
ago,
where
your
helm
chart
has
a
parameter.
A
C
A
Even
that
wasn't
even
a
thing
just
a
few
years
ago
now
you
have
to
look
for
that,
whether
it's
open
source
or
you
know,
custom
code.
You've
got
to
look
at
that
from
a
container
perspective,
and
I
think
that's
with
our
partnership
right.
I
think
that's
one
of
the
one
of
the
great
things
about
what
we've,
what
we've
really
done
together
and
I
know
the
team
has
really
been
working.
A
A
B
I,
when
I
started
here,
I
was
a
solutions
architect
and
I
took
over
the
the
the
responsibility
of
doing
you
know:
partner
marketing
for
software
partners.
Synopsis
was
probably
the
most
innovative
and
aware
company,
and
I
remember
in
2003
I
were,
I
think
I
told
you
this
on
the
driver
and
I
worked
with
karen
bartleson.
You
can
look
her
up
on
linkedin,
I'm
sure
she's
still
around
somewhere.
B
She
organized
led
by
synopsis
the
eda
consortium,
which
was
to
rally
all
the
different
chip
vendor
software
companies
together
and
standardize
the
release
cycles
so
product
managing
poor
product
management.
People
like
the
people
who
are
on
your
team,
aren't
ripping
their
hair
out
of
the
head
right
like
geez.
I
I
got
to
support.
You
know
this
version
of
the
software
on
souza
this
and
this
on
red
hat,
so
they
they
standardized
called
the
eda
consortium
and
that
was
led
by
by
by
synopsis.
So
you
know
they
have
a
long
track
record
of
working
with
us.
A
B
A
Way
longer
than
since
we
were
really
in
the
security
space.
So
but
I
mean
some
of
the
some
of
the
things
that
we're
doing
partner-wise,
and
I
mean
that
you
know.
So.
If
you
go
back
and
look
at
you
know
what
are
what
are
you
know
with
those
trends
and
those
challenges?
What
are
some
of
the
things
we're
doing
and
it
does
center
around?
A
I
talked
I
mentioned
code
side
a
little
bit,
so
we
acquired
them
to
provide
us
with
really
normalization
of
vulnerabilities
across
multiple
tools,
whether
they're
they're,
our
own
appsec
tools
or
third-party,
because
there's
so
many
tools
out
there
to
be
able
to
aggregate
and
correlate
those
results.
So
that's
a
that's
a
really
great.
A
You
know
investment
into
into
our
portfolio,
but
then
driving
innovations
right
when
you
think
about
the
shift
left
and-
and
you
know
what
what
we've
been
talking
about
from
a
devsecops
perspective,
enabling
the
ability
to
do
static
analysis
earlier
on
commit
right,
looking
at
infrastructure
as
code
building
that
in
so
we've
got
a
sigma
scanner.
That's
that's
a
a
component
kind
of
of
our
coverity,
offering
that
provides
that
second,
you
know.
A
Second
scan,
if
you're
doing
a
you
know
doing
a
pull
request,
so
we're
doing
we're
doing
things
like
that,
a
number
of
other
things
fuzzing
with
the
physics
we
talked
about
the
automotive
industry
and
a
lot
of
the
you
know
the
the
different
areas
there
in
terms
of
the
protocols
that
that
are
becoming
even
increasingly
important,
as
we
noted.
But
then,
when
you
look
at
our
relate,
you
know
the
the
partnership
we
have
with
you
know.
Building
on.
A
So,
as
openshift
has
continued
to
do
it,
you
know
just
evolve
and
is
it
off
with
you
know
the
the
kubernetes
distribution
and
really
focusing
the
the
the
product
on
the
developer
experience
I
mean
that
that
really
attracts
me
to
what
what
we're
doing
together
in
terms
of
application,
develop
development,
containerized
pipelines
and
enabling
the
developers
like
with
jenkins
and
the
various
tools,
but
then
how
we
built
in
right
using
the
openshift
apis
in
our
in
the
integration
with
black
duck.
So
you
can,
you
can
automatically
scan
and
monitor
the
open
source.
A
That's
in
all
the
container
images
that
are
deployed
and
and
then
monitor
that
you
can
do
some
additional
things
like
you
know:
annotating
and
labeling,
the
images
and
the
pods.
If
there
are
bones
or
violations
that
occur,
so
I
mean
customers,
here's
the
thing,
it's
exactly
what
we
should
be
doing.
Customers
shouldn't
have
to
worry
about
that.
A
B
A
B
We're
we're
we're
live
on
youtube,
we're
live
on,
twitch,
we're
live
on
facebook.
If
and-
and
you
know,
if
anyone
has
questions
for
either
ferris
or
or
scott-
please
drop
them
into
chat
down
there
and
then
the
robots
will
automatically
bring
those
over
here
and
drop
them
into
chat.
Here
we
have,
we
have
seven
minutes
left,
and
I
know
that
every
time
we
go
over
my
producer,
chris
shore
gets
angry
and
he
starts
texting
me
and
blah
blah
blah
blah
blah.
B
So
like
we'll
keep
it
tight,
we
have
seven
minutes
left
what
you
know
like
you
know.
What
are
you
gonna?
What
what
do
you
want
to
make
sure
you
cover
here
today?
So
when
we
get
off
when
we're
done
and
the
phone
rings
and
it's
your
cmo
and
they're
like
scott,
you
were
live
on
the
internet
for
an
hour.
Why
didn't
you
talk
about?
Why
didn't
you
talk
about?
I
don't
know
the
future
of
apsec
or
or
whatever.
A
B
A
Right,
this
is
a
we
are
actually.
I
think
I
think.
Maybe
another
thing
is
when
you
look
at
the
holistic
nature
of
application,
but
you
know
again
if
our
cmo
came
in,
he
said
well
make
sure
we
talk
about
intelligent
orchestration
and
how
we
are
looking
at
or
leveraging
policy
as
code
across
a
pipeline
and
enabling
security
so
the
right
to
ensure
that
the
right
tool
runs
at
the
right
time
and
in
the
right
context.
So
I
use
a
lot
of
analogies,
as
you
probably
heard
from
our
discussion.
A
It's
like
one
of
them.
Is
you
know
you?
Don't
you
don't
put
up?
You
don't
put
up
pictures
with
sledgehammers
right,
I
mean
if
you
can
but
good.
You
know
we'll
probably
have
some
walls
and
some
holes
in
your
wall
so
that
the
point
is
using
solutions
like
our
intelligent
orchestration,
to
enable
the
right
tool
to
run
at
the
right
time
and
to
provide
the
contextual
results
back
right.
A
It
provides
line
code
line
code
level,
validation
of
the
issue
so,
instead
of
looking
around
and
trying
to
figure
out.
Where
is
that
it
gives
you
that
precision
and
you
can
do
that
right
and
the
the
within
the
the
workflow
right?
You
can
do
that
runtime
testing,
you
can
do
it
ad
hoc,
it
can
be
manual
or
functional
testing.
You
can
fully
automate
it
build
into
the
ci
cd
and
then
we
can.
A
You
know
it
runs
obviously
running
rhel
and
can
be
fully
automated
and
it
supports
you
know
the
changes
in
applications
that
we
talked
about
right,
you're,
exactly
right
where
those
3
000
apps,
they
weren't.
All
million
line
python
apps,
it
was
a
mix
of
microservices,
cloud-based
apps,
and
that's
where
the
the
is
capabilities
within
you
know
that
we
offer
together,
provide
additional
value
and
really
another
another
layer
of
security
from
an
openshift
pipeline
perspective.
A
Right
visibility
and
the
the
details
around
things
like
you
know,
is
that
web
services
call
really
an
issue
or
not
right
and
we
can
flag
that
and
provide
that
right
back
to
the
developers.
So
there
would
be
a
couple
things
I
would
make
sure,
and
we
just
did
right
tie
those
in
that
they
go
back
to
the
strength
of
our
partnership
and
why
companies
really
need
to
look
at
the
the
the
combination
that
we're
offering
and
the
value
of
you
know
orchestration
and
security
as
part
of
it.
C
C
Are
very
important
that
you
are
operator
certified
and
open
shift,
so
people
can
go
in
from
the
operator
and
then
they
find
you
right
then
and
there
and
then
we
recently
have
integrated
blackduck
into
rackham
the
red
hat
advanced
cluster
manager,
which
is
something
that
we
have
released
last
year.
Synopsis
has
come
right
in
and
integrated
right
into
it,
so
somebody
could
just
click
basically
and
immediately
you're
in
the
advanced
cluster
manager
schema.
So
we
have
a
lot
of
integration
points
that
we're
doing
together
and
we're
very
excited
for
our
customers.
B
B
Survey,
I'm
I've
got
a
call
to
action
slide
here
that
I'm
going
to
put
up
at
the
end.
I'm
going
to
throw
this
out
there,
though,
that,
like
we,
have
a
really
successful
podcast
series,
it's
called
behind
the
app
we
just
renamed
it.
It
used
to
be
the
red
hat
x,
podcast
series.
Now
it's
the
now,
it's
the
behind
the
app.
C
B
A
A
We
didn't
get
a
chance
to
talk
too
much
about
the
gartner
magic
quadrant,
but
for
the
for
the
fifth
consecutive
year
time
they
skipped
a
year
in
there
somewhere,
but
we
were
a
unquestioned
leader
in
the
space
as
well
as
the
critical
capable
scoring
or
critical
capability
scores.
We
could
talk
about
that,
maybe
more
in
the
future,
and
then
I
talked
a
little
bit
about
our
our
oscar
report.
Definitely
take
a
look
at
that.