Aqua CEO on Why Cloud-Native Apps Need Supply Chain Security
Aqua's Dror Davidoff Shares How Open-Source Repositories Create Risk for Cloud Apps
Software has increasingly relied on components developed by third parties or from open-source libraries, which Aqua Security CEO Dror Davidoff warns injects additional risk into application development.
On-premises environments are still managed in more traditional ways, with the development and production phases completely siloed and a release cycle that can take months, Davidoff says. But in cloud-native environments, applications can be created, packaged and pushed into production in a matter of hours, he says, and the practice of pulling code from open-source repositories on every build has created new areas of exposure.
"The constant pulling of different components of code from open-source repositories has created some unique challenges within the cloud-native application environment," Davidoff says. "This is true in more and more environments. But the cloud area is where we see the biggest exposure of the problem."
Information Security Media Group spoke with Davidoff before Aqua Security revealed it has laid off 10% of its employees, which Globes and Calcalist say totals 20 employees in Israel and 65 workers globally. The cuts will allow Aqua to strike a better balance between growth and profitability amid the economic downturn, Davidoff told Aqua employees in a message that was posted to the company's website Monday.
"As economic conditions change, we find ourselves once again focused on the responsible path," Davidoff wrote. "These changes were necessary to enable us to refocus on our core strengths and drive efficient growth in 2023 and beyond."
In this video interview with ISMG, Davidoff also discusses:
- The biggest drivers behind Aqua's 100% year-over-year revenue growth;
- How Aqua's approach to cloud security differs from Lacework, Orca and Wiz;
- Why implementing runtime controls around cloud workloads is so critical.
Davidoff has more than 20 years of experience in sales management, marketing and business development in the enterprise software space. He has held executive positions at several emerging IT security and analytics companies. Before co-founding Aqua in 2015, Davidoff headed up global sales of database security products at McAfee (Intel Security), and prior to that he was executive vice president of sales and business development at Sentrigo, where he led its rapid growth in market share.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Dror Davidoff. He is the co-founder and CEO of Aqua Security. We're going to be taking a look back at 2022, as well as a look ahead to 2023. Good morning, Dror. How are you?
Dror Davidoff: Hi, good morning, Mike. Very good to be here. Thank you.
Novinson: Thank you so much for making the time. I wanted to start by talking about what happened in 2022. You announced in October that you had more than doubled your revenue at Aqua. I wanted to get a sense from you, off the top, of what the key drivers of that were.
Davidoff: External macro factors have changed dramatically, but the company is still enjoying very good momentum, very good growth, over the last 18 months. The company, like you said, more than doubled its revenues and more than doubled its employee base, and we made a very important acquisition in late 2021, and we're starting to see the fruit of that in our operation. So what's the driver for that? Demand for cloud services. More and more companies are moving to the cloud or growing their footprint in the cloud. And when they do that, they need to do it in a secure way. So they're looking for the new cloud security tools to secure their applications, to secure their cloud infrastructure. And Aqua is a leading provider of that. So the combination of strong demand for cloud services with the very clear need for security, for new means of securing those services, creates very good demand. So, you know, we enjoyed very good growth in the last 18 months, and we predict that we will continue the same momentum over the next 12 months.
Novinson: You alluded to the acquisition of Argon Security that you made in December of last year. What has Argon allowed you to do at Aqua?
Davidoff: So Argon was a young, very innovative solution for software supply chain security. This is a relatively new problem, dealing with the supply chain, the software supply chain. There were a lot of changes in the last, let's call it, decade in the way software is being developed and put together. It now involves many more components that come from third parties, a lot of open source, and the pace of software development and the way it's being pushed into the production environment have changed radically. Now, when you look at the tool chain and the sequence of things that happen in the build phase of any software application, there are a lot of risk factors involved there, and this whole area was built in different silos. There were solutions looking at code vulnerabilities and code scanning in different bits and pieces. Over the last few years, the notion of looking at the entire supply chain, looking at the tool chain, the CI/CD and all the different plug-ins, the different sources of software components that are being brought in, the notion that this is one problem from a security perspective, emerged, and there are a few companies in that space. Argon was a leading innovator in that. Late last year we joined forces, we acquired Argon and integrated it very natively into the Aqua platform. So for us it was a natural extension of things that we did before. We just added more capabilities together with Argon, and we now have probably the most comprehensive software supply chain security for cloud-native applications in the market.
Novinson: So what's different about doing supply chain work around cloud-native applications versus more traditional on-premises environments?
Davidoff: So, on-premises environments are still managed in more traditional ways. Things are much more siloed; there is a clear distinction between the development phase and the production phase. The internal quality assurance is done in development, and the way it's packaged is still handled in, you know, the traditional way. The cloud introduced a lot of changes into that. In a cloud-native environment, you create applications, package them and very quickly push them into production, sometimes in a matter of hours, where it used to be months. You know, shortening the cycles has created one big change. Another change, and this is true for everything, but more so in a cloud-native environment, is the amount of open-source components. There is exponential growth. It used to be that organizations would refrain completely from using open source, and we've gone to a situation where more than 60% of the code is actually based on open source, right? So the amount of open source creates, again, an exposure, because you need to understand who handled the open source, what is the thought, what is the latest and greatest version. And it's an ongoing issue. So you constantly pull different components of code from open-source repositories, and, you know, those changes created some unique challenges within the cloud environment, the cloud-native application environment. It is true for more and more environments, but the cloud area is where we see the biggest exposure of the problem.
Novinson: Interesting, and I know that came through acquisition. What about from an organic perspective? What new capability, what new feature are you most proud of that you've rolled out here in 2022?
Davidoff: So in 2022, there were a few things that we did. You know, we continue our journey to create a platform that will secure applications from code to production, connecting a lot of the dots. Two very important things that we did this year: one, in our platform we have a lot of capabilities for connecting the dots, what we call the Aqua hub. This is where we collect information from different parts of the application lifecycle and create a much better security posture for the entire application, understanding where the problem is, how to prioritize, providing a lot of insights. This type of capability is something that we enhanced significantly this year. Another area of huge progress is around runtime control. So Aqua is the innovator of cloud workload controls, runtime controls, I'm sorry. And, you know, we constantly added more capabilities. In our six years, we are now, this year, in 2022, releasing the third generation of our enforcement capabilities, which is entirely based on eBPF technology. That was a huge step forward for us in our ability to deploy at very large scale and become much more efficient, with a much smaller footprint for our customers. So providing better security in a more efficient way. That was another big release for us this year.
Novinson: So now, when you're talking about the market landscape, you've got Orca and Wiz and Lacework and some other folks in this cloud security world. What do you feel is the biggest differentiator in terms of how you and Aqua are taking on cloud security versus some of your peers?
Davidoff: So yes, it's a very vibrant ecosystem. I think many of the players are focused on some specific use cases and their requirements, whereas Aqua is looking at a much more holistic view. So we started in runtime controls, but over time we extended and shifted left our capabilities. And we now have the most comprehensive platform from dev to production. When you look at our competitors, they are much more focused on specific use cases, and they are doing that. We closed some of the gaps with the competition, but I think they will have to expand and create their own solutions, because the market will require that.
Novinson: I see. Let's turn and talk about 2023 here. So, out of the gate, what do you see as the biggest market opportunity for Aqua in the year to come?
Davidoff: So I think there are multiple things. You know, top of mind, number one, we spoke about supply chain. I think the awareness of the challenges around software supply chain is increasing in organizations. Across the board, this is now a top priority for all of them. On top of that, the Biden administration just released an executive order with specific requirements about the SBOM, the software bill of materials, so you need to be able to comply with and report the specifics of the components and the software build-up that any application has, and address some of the big risks around software supply chain. Right now it's an executive order, but assuming it becomes a regulatory requirement, I think that will push many, many organizations to quickly find a good solution for that. So for us, this is a huge opportunity, and that will be top of mind for many CISOs in the U.S. and globally. The second very big area is, when you think about cloud in general, you know, everyone is moving to the cloud and everyone is moving to cloud services, and that evolved in very disparate ways. There was a proliferation of cloud services; different groups, different applications are using different things. The same thing happened with cloud security. So we see, you know, midsize and larger organizations that have multiple sets of tools, sometimes doing the exact same things for different groups within the same organization. I think what we will find now is that in order to achieve better security and better consistency, security practitioners will look for standardization across the organization. So, number one, for the different areas, select the best and most appropriate tools, but then also look for areas where they can consolidate.
And rather than have two or three or four siloed niche solutions, actually look for one platform that can solve a bigger problem in a more effective and efficient way. If you add on top of that the overall financial macro conditions, I think people are also looking for better efficiencies, better budget spend, and that will only accelerate the quest to integrate and consolidate different solutions into one place.
Novinson: So, following up on that, you mentioned the Biden administration's executive order around the software bill of materials, or SBOM. What are some of the biggest challenges that creates for organizations, particularly organizations in the cloud? And what are they looking for from technology providers as the year goes on and SBOM becomes a regulatory requirement?
Davidoff: Right. So as we mentioned, organizations now, in the development phase, are pulling a lot of software components from either third parties or from open source. Now, based on the executive order, they need to prove what the source is. Does it have the right reputation? Are you using the right thing? Am I, as a consumer of your software, now able to validate where it came from? Can I trust this code, or can I not trust this code, based on my security requirements? So it just creates much better transparency, if you think about it. It's almost like having the instructions on the tin, right? What are the different ingredients? And then I can decide, okay, can I take it or not take it. So it just creates a much more transparent way of delivering software; it's no longer a black box. And I think it's also a mental change in the way that software is being built and then shipped, because it's no longer a black box. You now need to be able to demonstrate what the components are, where you got them, whether they are trustworthy or not, etc. What is the reputation? And I think it's only a start. I think we will see more of that when you think about the software supply chain. The executive order is not the final thing, but it's definitely a very important step to make software as a whole more secure.
Novinson: So what do you feel will be some of the toughest challenges that customers will have to deal with in the year to come?
Davidoff: I think, you know, obviously, the macroeconomic conditions, budget tightening. Security is still top of mind, so they look for efficiencies, they will look for much better ROI. So, you know, many times in previous years ROI was pushed aside based on new trends or requirements that were not justifiable all the way. I think in today's economy, any piece of software, including in security, will have to have good justification. So they look for good returns, good value for the solutions that they're using. What is the ROI on the different tools? And where can I create better efficiencies, consolidate, standardize on specific tools, look more for a platform solution rather than a specific siloed solution that then creates a lot of overhead for the organization in putting it all together? So I think efficiency for security will also become a huge topic in '23.
Novinson: I see. Finally here, what do you feel is the key to success for your customers in 2023?
Davidoff: In the cloud world, I don't know how to say it in other words, but I think in the cloud world, what we can think is that, you know, everyone is on a learning journey, right? The cloud is very new, the services are very new, the security challenges are very new. So everyone is on this learning journey. I think growing the awareness, understanding better what the exact problem is and what the right solution is, is still a challenge, and a lot of organizations are still learning more than experimenting, exploring for the right solution. I think in '23 we will see the market take another big step forward as far as maturity, and, you know, the definition of what cloud security is will be set better, and hence they will be able to focus more on actually putting the right tools in place and executing with them. So the next step in maturity, I think we will see that in '23.
Novinson: Interesting. It will definitely be an exciting space to watch. Dror, thank you so much for the time.
Davidoff: Michael, thank you.
Novinson: We've been speaking with Dror Davidoff. He is the co-founder and CEO at Aqua Security. For Information Security Media Group, this is Michael Novinson. Have a nice day.