Interviews | November 3, 2022

Ability to quickly fix issues in open source dependencies is getting worse

Axonius | Bionic | Checkmarx | KnowBe4 | Snyk

Lenny Zeltser


Q1. The US Cybersecurity and Infrastructure Security Agency (CISA) recently issued a binding operational directive that requires all federal executive branch agencies to implement processes for ensuring continuous visibility over their assets and vulnerabilities in them. What impact do you think the directive—and similar mandates elsewhere—will have on adoption of cybersecurity asset management technologies and practices? What should private sector organizations be taking way from the directive?

Organizations worldwide can look at CISA to understand cybersecurity recommendations regardless of whether they’re in the public or private sector.

At the heart of CISA's directive 23-01 is the observation that knowing the assets that comprise your IT infrastructure is foundational to reducing security risk. That's why CISA considers identifying assets and vulnerabilities a baseline requirement for a security program. This echoes other security frameworks, including ISO 27001 and CIS Critical Controls, but goes a step further.

An insight shared by CISA that's easy to miss is the recognition that gathering asset details involves obtaining data from a variety of sources, including network scans, traffic monitoring, as well as API queries. Extracting data by connecting to enterprise tools via their APIs is a modern take on asset management and resonates with the approach that Gartner calls Cyber Asset Attack Surface Management (CAASM). These two influential publications are pointing at the beginning of a trend and suggest a direction for asset management approaches.

CISA's directive also highlights the need for gathering asset data continuously, going beyond static, point-in-time approaches to asset visibility. Manually entering asset data in a spreadsheet or CMDB cannot provide the up-to-date and in-depth visibility that IT and security professionals need. Instead, organizations should be looking for a way to automate the gathering of asset data in an automated way to ensure comprehensive and current asset coverage.

The private sector should look at the CISA directive as an indicator of what they should strive to achieve when devising their own asset management strategy, which should involve gathering asset data continuously and from multiple data sources.

Q2. What are the key technology requirements for implementing an effective cybersecurity asset management posture? What are the questions organizations need to be asking when acquiring technologies/capabilities for cybersecurity asset management?

First, implement asset discovery from multiple data sources. Connect to all the data sources that can reveal the existence of IT assets. This involves programmatically (via APIs) gathering asset details from tools that handle identity management, endpoint security, systems management, network management, vulnerability scanning, etc. Each of these data sources has its own view of the assets. The asset management tech should interact with as many relevant sources as possible, including on-prem tools, cloud-based resources, and SaaS applications.

Continue with correlation and deduplication to get a unified view of the assets without duplicates. The asset management solution should recognize a unique asset even though multiple data sources might refer to it in different ways. For example, an external network scanner might refer to a host using its public IP address while a systems management tool might refer to the same asset using an internal address. Such correlation abilities not only ensure that the asset listing is duplicate-free but also combine data from multiple sources.

Next, consider the quality of data about each asset. The raw data provided by asset data sources is messy, confusing, and sometimes incorrect. A modern asset management solution needs to account for idiosyncrasies, bugs, and other nuances of the tools that supply asset information. It needs to extract details useful to security and IT practitioners.

Further, consider how you’ll act on asset information to address security gaps. Should you notify an analyst that an internet-accessible system has a severe vulnerability? Direct your systems management tool to deploy a security agent missing from the corporate endpoint? Add the just-deployed virtual machine to the list of systems your vulnerability scanner should examine? Enrich your CMDB with freshly discovered asset details? A modern asset management approach should offer flexible options that match your organization’s processes and objectives.

Q3. What do you want CISOs and other security executives at Black Hat Europe 2022 to know about Axonius? What do you want them to take away from Axonius' presence at the event?

Axonius offers a modern, practical approach to controlling the complexity of today’s IT environments. It uses the tools you already have to generate a comprehensive, always up-to-date asset inventory, helping IT and security teams identify and address security gaps whenever systems, user accounts, and SaaS apps deviate from policies, controls, and expectations.

Perhaps the best way to learn about this approach to asset management is to stop by the Axonius booth in the vendor expo area, so you can see the demo of our solutions right away and speak with our team members. That’s the wonderful thing about attending Black Hat Europe in-person—meeting people face-to-face, expanding your understanding of the industry, and forming connections that will help you along your professional journey.

Of course, if you miss the chance to stop by our booth, you can also learn about asset management and our approach to it on the Axonius website.

Eyal Mamo
CTO & Co-Founder


Q1. Bionic has positioned itself as the industry's first application security posture management company. What exactly is ASPM and what's driving the need for the technology?

Application Security Posture Management is the practice of making applications secure and resilient to significantly reduce business risk. ASPM helps organizations by giving them a comprehensive and continuous understanding of their risk posture as it relates to their applications running in production.

The three most significant factors driving the need for ASPM are

  • The complex, distributed nature of modern applications
  • The velocity and volume of updates that organizations make to applications through CI/CD
  • The absence of a way to see, find, and fix issues in production that create the most risk for the organization

There are many application testing and analysis tools that contribute to more secure applications in pre-production environments. There are also many tools that help secure the networks, VMs, clouds, and containers on which applications. But, at this moment, there is no holistic solution that provides an understanding of an application’s services, dependencies, and data flows that are active in production. This gap in basic, application and data-level visibility creates significant risk for any organization who is trying to innovate.

At the same time, many organizations have secured their clouds and infrastructure with CSPM/CNAPP. They’ve incorporated security as early as possible and scan their applications frequently. And yet, there are still too many so-called critical vulnerabilities and threats that their current tools detect, and too many “must-fix” tickets for any organization to handle.

ASPM bridges this critical gap, allowing organizations to see their full application ecosystem in production and understand threats with real risk context.

Q2. What are some of the different use cases for Bionic's ASPM platform? How is your platform different from or how does it build upon cloud security posture management technologies?

The key use cases that Bionic ASPM provides include the following.

  • Cloud Application Visibility. If you can’t see it, you can’t secure it. The foundation of Bionic’s technology is the visibility that it provides. Bionic provides a code-accurate inventory of all applications, services, and dependencies in production. From this inventory, Bionic creates a visual topology of an application’s ecosystem and maps how data flows throughout.
  • Cloud Application Security. Bionic builds upon application visibility to understand the real risk that specific threats pose to the customer’s business. Bionic uses its visibility and then assesses an application’s architecture against best practices, standards, and frameworks. It then layers in up-to-date vulnerability data to deliver a contextual understanding of threats in terms of its impact and likelihood of exploitation. All of this data and context is delivered through a risk score, which helps customers prioritize what to fix first.
  • Application Data Security. Bionic helps organizations understand where sensitive data is stored and processed within their applications. By discovering and accurately mapping where data is flowing throughout an application’s architecture, Bionic helps organizations govern where sensitive data can flow to minimize risk and comply with regulations (GRPR, CCPA) and adhere to standards and best practices for handling PII, PHI, and payment data subject to PCI-DSS.
  • Application Cyber Resilience. Bionic helps prevent application failures and unplanned downtime. By understanding how each microservice, function, or dependency change affects the application in production, customers are able to create and maintain a resilient application architecture.

What CSPM has done for the cloud, Bionic has done for applications. Bionic builds upon the strong foundation that CSPM provides, and ASPM is the next logical step for organizations who have established security across their cloud environments.

Q3. Why is it important for Bionic to be at Black Hat Europe 2022. What do you expect customers will want to hear from Bionic at the event?

Black Hat Europe 2022 is an incredible opportunity to connect with innovators in Europe and introduce them to a better way of managing cyber risk. One of the biggest challenges that we’ve heard from customers and the cybersecurity community as a whole is that it’s incredibly difficult to understand the top security threats to their businesses right now. There are incredible tools and technologies out there, but there are also too many signals to ingest and contextualize in the greater schema of risk.

Now more than ever, with an ongoing global shortage of cybersecurity professionals, it’s critical for organizations to prioritize the most critical issues. Bionic can help organizations manage risk from the chaos that modern applications create.

Ori Bendet
VP Product Management


Q1. You recently predicted that automatic code generators such as AWS CodeWhisperer, Tab9 and Github CoPilot will one day replace traditional coding. What is driving the trend and what are the potential security implications?

From what we observe, the focus of many software development activities is moving towards the “developer experience”, where it’s all about efficiency, immediate value, and ease of use. As a result, automatic code generators fit all requirements, and we’re already hearing from developers that the tools save a lot of time, allowing them to solely focus on proper business logic development.

Now, while traditional coding will probably never go away, we believe a major portion of it will be replaced by automatic code generators, which will allow developers to focus even more on the pure business logic they need to develop. However, there are security implications that we need address like making sure the generated code doesn’t possess any traditional vulnerabilities or create new ones. As the technology continues to mature, we hope to also create a real, auto-remediation approach to potential vulnerabilities for all code types, especially source code.

Q2. There has been a big increase in attacks targeting public code repositories such as npm and PyPI over the past year. In many of these attacks, threat actors have uploaded malicious packages or poisoned legitimate ones to try and infiltrate software development/build environments. What gap in enterprise defenses has this trend exposed?

Over the past year, we have seen a significant increase in software supply chain attacks, specifically around open source. Attackers fully understand that open source is designed to be "open" to all, and it's also open to them. This fact has allowed attackers to exploit this design weakness and introduce a new set of attacks. This is one of the main gaps in enterprise defenses today.

In most companies today, developers have the autonomy to use whatever open source code they wish, which is essentially “taking code from strangers.” Unlike CVEs, which might be exploitable, this risk can be easily assessed. However, when attackers infect the supply chain with purpose-built malicious packages, the situation is much different. There are no CVEs for malicious packages, and they are not being tracked by something like the NVD. Gone are the days when open source risk can be managed by simply updating know vulnerable packages. Malicious code is automatically executed, often without anyone knowing they were just infected.

Checkmarx helps customers define a repeatable process that can be used to eliminate known vulnerabilities (CVEs) and reduce malicious risk. Today, customers use the Checkmarx One Platform and our Software Composition Analysis (SCA) engine to first identify all open source. Once identified, our SCA engine in combination with our supply chain threat intelligence notifies our customers about both known vulnerabilities and malicious code packages.

So far, Checkmarx has identified over 140,000 malicious open source packages - the most of any application security solution provider in the market. Leveraging our technology, we create a repeatable process to identify changes in existing packages—what we call “a good package gone bad—as well as a process that helps customers understand risk before the package is ever brought into their organizations.

Q3. What is Checkmarx's main focus at Black Hat Europe 2022? What do you have lined up for customers at the event?

Our main focus at Black Hat is to raise the level of awareness around the Checkmarx One Platform. This platform was built in the cloud, for the cloud, and for those moving to the cloud. Gone are the days of disparate application security testing solutions that don’t work well with the way code is being built today, where it’s code, low-code, and no-code.

The platform comes with a suite of tools that allows organizations to manage risk in source code, open source dependencies, supply chains, APIs, infrastructure as code, and containers. The solution comes with the most advanced correlation engine so organizations can visualize and model their risk profiles and reduce risk where is makes the most sense. In addition, we plan to demonstrate an integrated DAST solution as part of Checkmarx One, allowing our customers to get more application security coverage and closing all aspects of their cloud-native application.

The platform is available to organizations of all sizes and budgets, and it fully integrates with the tools developers use. The platform automates security scanning as far left as possible, and developers and security teams around the world are adopting it over their previous solutions and approaches. Checkmarx One is the most comprehensive application security platform, already supporting five different SaaS geo-locations worldwide and now also supports the ability to self-host it on our customers’ own VPC (virtual private cloud).

For those that desire to learn more about the Checkmarx One Platform, stop by our booth for a live demonstration with our software security experts. The world runs on code; we secure it.

Perry Carpenter
Chief Evangelist & Strategy Officer


Q1. Phishing was once again one of the top attack vectors in 2022, like it has been for the past several years. Looking towards next year what do you expect will change and what will likely remain the same with phishing tactics/techniques and social engineering scams in general? How should enterprise teams be bolstering their defenses against these emerging phishing trends?

Every year we see a few new and interesting phishing variants as cybercriminals continue to innovate new ways to bypass technical controls. Threat actors always try to find ways to obscure the ‘click’/URL/download in a phish. One example of that is a type of phishing email that links to a legitimate Google Doc or Drive. The email says that there is critical information on that document and asks the target to follow the instructions. And – of course – it is the document that has the malicious URL. The email is not malicious, so it easily sails past gateway filters, but the content of the email is pure social engineering. I believe we’ll see more thinking similar to this. In a way, it is similar to how predators often try to lure a would-be target to a “secondary location.”

However – as interesting is those types of scenarios are – I believe the vast majority of phishing emails we see will continue to be very run-of-the-mill phishing examples and BEC phishing. The reason for that is that most attackers are not yet being pushed to stretch their creativity; and that’s because secure email gateways still miss between 10%-20% of malicious emails ( We know that attackers will rise to the occasion and become more creative when necessary… but, in 2022-2023, they will continue to be successful using tried-and-true tactics.

Q2. You recently noted the need for security teams to think like marketers when it comes to cybersecurity awareness training for employees. Why is that approach necessary and what does it entail?

I believe security teams should learn to think like marketers when it comes to cybersecurity awareness training for employees because simple “security awareness” has only limited effectiveness. Security awareness does not necessarily result in secure behavior. And secure behavior is what security teams are hoping to achieve when they launch awareness programs.

We can learn a lot from the field of marketing. But the most important thing I think we can learn is that we need to always be putting our message in front of our intended audience. If you think about it, brands don’t just tell us about them one time per year and hope for the best. They know that doesn’t work. Marketers understand the importance of ensuring that their message, their brand, and their products are top-of-mind for their potential customers. They understand that their customers are always in the process of forgetting. So one primary job of marketing is to combat the forgetting curve.

Marketers also understand that they need to wrap their message in unique ways. They often use what I refer to as Trojan Horses for the Mind: Emotion, Visuals, Sound, and Words & Story. All of these come together to help embed a message in our mind. The message slips past many of our mental defenses and has a chance to take root.

Q3. What do you want those attending Black Hat Europe 2022 to know about KnowBe4's strategy for 2023 and beyond? What's your key messaging at the event?

We’ve been focusing intensely on empowering security teams to strengthen their human layer of defense. A major part of that is helping organizations understand the ABCs of cybersecurity: awareness, behavior, and culture. For a long time, the industry focused on awareness; and, as I mentioned earlier, simple awareness will always have limited impact. People can be aware of something, but not care. They can be aware of something without changing their behavior. And even if they care and really want to exhibit a certain behavior, there are times when they will simply forget, get distracted, default to whatever is easiest, or fall back to an old habit.

At KnowBe4, we understand both the value of great content. And – to that end – we’ve been able to say for years that we have the world’s largest security awareness content library. But, of course, content alone isn’t enough. Content can raise awareness, can motivate and engage employees, and can even be a great way to set a relational tone between the security team and the rest of the organization. But organizations can’t afford to stop there. They need to add behavioral supports. That’s where simulated social engineering comes in. Simulated social engineering testing allows employees to develop the instincts, habits, and motor memory necessary to reduce risk.

And that’s also where culture comes in. Culture represents “the way things are done around here” within an organization. Culture is the ideas, customs and social behaviors of an organization that influence its security. It is the way people naturally begin to behave, the group norms, values, beliefs, etc., that are often caught rather than explicitly taught.

We’ll be taking time at Black Hat Europe to talk about these ideas and to demonstrate how the KnowBe4 platform enables organizations to build up their human layer of defense. When you visit our booth be sure to ask about SecurityCoach as well as PhishER (with PhishRIP and PhishFlip) to see some interesting ways we use cutting edge technology to strengthen and empower your employees and reduce risk.

Ravi Maira
VP, Product & Partner Marketing


Q1. What are some of the new challenges and complexities that have emerged with cloud-native application development? What should organizations be doing to address these challenges?

One of the biggest challenges with cloud-native application development, and likely the biggest security challenge with them, is that now the infrastructure is built and managed more like a part of the application than how traditional infrastructure was deployed. Just like application code, it is written in an editor, checked into a repo, code reviewed, merged, and then integrated and built via CICD - all by platform engineers who work much more like developers than traditional IT engineers. Therefore, it needs a security process that aligns to this new workflow - one that resembles an application security process. Today most organizations secure the cloud by looking at it and seeing if something’s wrong - which is too late. You must secure cloud environments from code to cloud and back to code - based first on finding and fixing vulnerabilities in infrastructure as code configurations before they are deployed, and then observing the cloud for vulnerabilities based on drift, and finally remediating any of those issues back in the infrastructure as code. It’s also important that the same security policy is leveraged across the entire process to make sure the results are consistent.

Q2. What should organizations be doing to mitigate risk from the ubiquitous use of open-source components in application development? What did Snyk and the Linux Foundation's survey earlier this year reveal about developer awareness and attitudes around the issue?

Open source software is more popular and powerful than ever - according to the Linux Foundation, 70-90% of modern software applications contain open source. Applications today are ‘assembled’ as much as they are ‘built,’ because it enables developers to build faster and to focus their coding efforts on the unique and differentiated part of the application. However, using any third-party code—including open-source packages or container images—can introduce security risks, as was spectacularly demonstrated with the emergence of Log4Shell. What was particularly tricky with Log4Shell was that, for Snyk’s customers, over 60% of the occurrences of the vulnerability were in indirect dependencies. In other words, it was introduced secondarily via some other open-source package. Developers and organizations using open source need to be aware of the inherent risks that come with those packages. The 2022 State of Open Source Security report uncovered that while open source usage is increasing, the ability to quickly fix issues in open source dependencies is getting worse - more than doubling from 49 days in 2018 to 110 days in 2021. To address this problem, organizations need to make it faster and easier for developers to make better decisions about which packages to use, and to find and fix issues earlier in the development process. And they need to provide security teams with the visibility and control to manage and govern the process while keeping the pace of development high. Snyk of course provides a platform to help companies implement such a process.

Q3. What are Snyk's plans at Black Hat Europe 2022? What can customers expect to see and hear from Snyk at the event?

Snyk will be showcasing our latest product, Snyk Cloud, which provides a code to cloud and back to code security solution for cloud native applications. Snyk Cloud provides a unified policy engine so you can scan everything from code to cloud with one, clear, automatable set of rules. Monitoring in cloud provides a view of the actual deployed state of the everything running in the cloud. And feedback from the cloud back to developers to triage and prioritize fixes in their configurations. We will also highlight all the other aspects of our developer security platform, which allows developers to secure what they build while they build across all components of modern applications - their code, third party open source code, container images and infrastructure as code configurations such as Terraform and Kubernetes. It provides security teams the visibility and control they need to empower their developers while managing and governing the overall process, making it the ideal tool for organizations looking to implement a DevSecOps approach to security so they can develop fast to innovate and compete - and stay secure.

Sustaining Partners