WEBVTT - A Conversation with Bar-El Tayouri from Mend.io 0:00:00.880 --> 0:00:05.040 Unsupervised Learning is a podcast about trends and ideas in cybersecurity, 0:00:05.080 --> 0:00:09.960 national security, AI, technology and society, and how best to 0:00:10.000 --> 0:00:17.680 upgrade ourselves to be ready for what's coming. All right, 0:00:17.680 --> 0:00:22.160 welcome to Unsupervised learning. I'm here with Burrell Taylor, head 0:00:22.160 --> 0:00:24.959 of Minaya, and it's great to see you. 0:00:25.880 --> 0:00:28.120 It's great to be here. What a pleasure. 0:00:29.200 --> 0:00:34.800 Awesome. So before we get into the IO stuff, uh, 0:00:35.360 --> 0:00:38.800 it looks like you have a pretty interesting background. And 0:00:38.800 --> 0:00:41.120 I just want to, like, get a walkthrough of that 0:00:41.120 --> 0:00:45.040 real quick. Like, uh, what gets you excited about tech? Like, 0:00:45.040 --> 0:00:48.000 what have you been doing in tech all these years? And, uh, 0:00:48.360 --> 0:00:49.600 just like to hear about you. 0:00:51.040 --> 0:00:56.520 And, wow, it's a it's a very long and short time. Um, basically, 0:00:56.520 --> 0:01:01.740 since I'm 12, I'm programming, um, I'm into tech. I 0:01:01.860 --> 0:01:07.300 also like I wasn't too into game development and I 0:01:07.340 --> 0:01:11.020 also thought game development. And then I went into slightly 0:01:11.020 --> 0:01:14.420 into cyber of it, like hacking games into getting more 0:01:14.459 --> 0:01:17.700 like a, you know, getting money in the game or, 0:01:17.740 --> 0:01:19.380 you know, points or something. 0:01:19.740 --> 0:01:21.460 Yeah. Yeah. Higher. Higher scores. 0:01:22.020 --> 0:01:26.540 Exactly. And it's so fun. And yeah, especially in the 0:01:26.540 --> 0:01:28.220 early days, it was so easy. 0:01:28.580 --> 0:01:32.580 Yeah. Because everything everything was local, right? Uh, all the resources, 0:01:32.620 --> 0:01:35.539 everything was stored locally. So you could just edit it 0:01:35.540 --> 0:01:37.620 and it would appear on the server side. Yeah. 0:01:38.260 --> 0:01:43.780 Yeah, I remember all the all the Hexa, all the Hexa. Yes. 0:01:44.260 --> 0:01:46.140 All the hex that they tried to find the right 0:01:46.140 --> 0:01:50.100 place with the, with the scores to, to change. And 0:01:50.100 --> 0:01:51.940 it's also fun. Um. 0:01:52.300 --> 0:01:54.420 Yeah. You imagine the tools that we have now. It 0:01:54.420 --> 0:01:56.820 would be so much easier. But I. 0:01:56.820 --> 0:01:57.220 Know it's. 0:01:57.220 --> 0:01:59.880 Crazy. Yeah, yeah, yeah. Um. 0:02:00.640 --> 0:02:03.440 And then, like, you know, since then, I'm, I'm moved 0:02:03.440 --> 0:02:08.040 into more network security operating systems. I also continue into 0:02:08.040 --> 0:02:10.840 the Army. And so I have like a lot of 0:02:10.840 --> 0:02:19.440 experience in Army stuff like cryptography, networks, research. Um, then 0:02:19.760 --> 0:02:24.600 I was the first engineer in augmented reality startup. Um, 0:02:24.600 --> 0:02:28.040 and afterwards I built my own company and we did 0:02:28.080 --> 0:02:32.320 prioritization for, uh, for cloud native alerts, like for container, 0:02:32.680 --> 0:02:36.960 container image scanning. Uh, and then we got acquired and 0:02:37.000 --> 0:02:41.520 into mend, which is the same company I'm in now. Um, yeah. 0:02:41.520 --> 0:02:44.680 And it's now basically it's called Mend Container. Today it's 0:02:44.680 --> 0:02:49.040 the container reachability. And now also I moved into mend AI, 0:02:49.280 --> 0:02:52.600 which is a new product, and we founded, uh, to 0:02:52.639 --> 0:02:53.679 do AI security. 0:02:54.800 --> 0:02:57.610 Very, very cool. What do you think? It's like the 0:02:57.610 --> 0:03:01.170 common thread going through all of this. Like the main thing, uh, 0:03:01.169 --> 0:03:02.690 driving curiosity. 0:03:04.490 --> 0:03:11.290 Um, wow. Amazing question. Um, I think I always was really, uh, 0:03:11.690 --> 0:03:19.290 really excited from new, uh, new industry changing technology. It 0:03:19.290 --> 0:03:23.889 was always the technology that, uh, that, that, like, was 0:03:24.130 --> 0:03:29.170 enabling something and, and make it so exciting, uh, especially 0:03:29.169 --> 0:03:32.770 in the startups world where you have these giant companies 0:03:33.010 --> 0:03:38.850 and one day or like in a process, pretty quick process, um, 0:03:39.290 --> 0:03:44.090 they're all disrupted. There's tons of new things, uh, you 0:03:44.090 --> 0:03:47.730 can build. And yeah, it's a challenge it to challenge 0:03:47.770 --> 0:03:49.730 the Giants. So it's amazing. 0:03:51.290 --> 0:03:56.350 Yeah. So, um, are you mostly interested in the network 0:03:56.350 --> 0:03:59.430 security stuff? Obviously you're doing AI stuff now. Everyone's doing 0:03:59.470 --> 0:04:05.950 AI stuff. Um, but like network security, application security. Uh, like, 0:04:05.950 --> 0:04:08.630 what is like your center of mass? Like your favorite thing. 0:04:09.670 --> 0:04:14.550 So for sure, 100% application security. It's so exciting. But basically, 0:04:14.550 --> 0:04:17.670 at the end of the day, it's all about developers 0:04:17.670 --> 0:04:22.549 and the vulnerabilities, um, like you have in your code. Um, 0:04:22.550 --> 0:04:25.870 so my focus is now application security and AI security 0:04:25.910 --> 0:04:32.589 for inside the application. And that's like our special take. Um, 0:04:32.910 --> 0:04:36.830 we look just on application, we try to, you know, 0:04:37.070 --> 0:04:40.470 there's so many issues there. Um, also on the AI 0:04:40.510 --> 0:04:42.310 components there. So. 0:04:43.110 --> 0:04:46.310 Yeah, what do you see is the biggest problems right 0:04:46.310 --> 0:04:49.630 now in Appsec? Um, obviously a big part of that 0:04:49.630 --> 0:04:52.750 is going to be AI because there's so many AI applications. 0:04:52.750 --> 0:04:55.930 But would you say AI is the biggest sort of 0:04:55.970 --> 0:04:58.609 application security thing happening right now? 0:04:59.970 --> 0:05:03.770 I thought like we looked on many issues and when 0:05:03.770 --> 0:05:07.570 we founded the Atom Security and it was clear the 0:05:07.570 --> 0:05:14.770 biggest issue is prioritization and the the like the size 0:05:14.770 --> 0:05:18.770 of the backlog of vulnerabilities of critical vulnerabilities you have. Yeah. 0:05:19.650 --> 0:05:24.289 And then now with all the reachability technologies that allows 0:05:24.290 --> 0:05:27.969 you to to like reduce the noise, basically remove the 0:05:27.970 --> 0:05:33.130 false positives and the, the trend of platforms and aspm 0:05:33.250 --> 0:05:35.969 allows you to take all the findings in one place 0:05:35.970 --> 0:05:41.490 and prioritize them smartly. And like we see the biggest 0:05:41.490 --> 0:05:47.810 issues now like a what's introduced in AI with AI. 0:05:48.410 --> 0:05:52.270 And then there's like two different things. There's the I 0:05:52.390 --> 0:05:55.150 the employees are using in order to be more productive 0:05:55.510 --> 0:05:59.230 so that it's reduced some risks. And and what we 0:05:59.230 --> 0:06:02.950 see as like the biggest risk. And because we like, uh, 0:06:03.750 --> 0:06:06.110 we see how the world is changing and how our 0:06:06.110 --> 0:06:13.750 customers are moving like towards the, um, in the products. Um, 0:06:13.870 --> 0:06:20.029 is the AI components inside applications and especially the AI agents, um, 0:06:20.430 --> 0:06:22.630 inside these applications that are in production. 0:06:24.550 --> 0:06:32.190 Okay. So when you say AI components, do you mean like, uh, libraries? 0:06:32.230 --> 0:06:34.910 Like what other pieces other than the agents do you 0:06:34.910 --> 0:06:36.310 mean by AI components? 0:06:37.990 --> 0:06:42.110 So it's a great question because like in the beginning, um, 0:06:42.350 --> 0:06:46.630 when when I like did simple data science before before, 0:06:46.670 --> 0:06:51.089 you know, ChatGPT and llms, um, there wasn't many components. 0:06:51.089 --> 0:06:54.570 You know, you had data set and then you build 0:06:54.570 --> 0:07:00.410 with it some some machine learning model. And and now 0:07:00.410 --> 0:07:05.809 it's the amount of components is exploding because you have the, um, 0:07:05.850 --> 0:07:08.010 you know, the data layer and you have data set 0:07:08.170 --> 0:07:11.570 and then you have also data is like changing because 0:07:11.570 --> 0:07:15.170 you have data for training. But if you take already 0:07:15.770 --> 0:07:19.210 a model which is another component and then fine tuned it, 0:07:19.210 --> 0:07:23.250 or just doing alignment. So you have many types of data. 0:07:23.650 --> 0:07:26.250 You also have many types of models. You have models 0:07:26.250 --> 0:07:31.690 you're using for training, models you're using for uh, for, uh, 0:07:32.890 --> 0:07:38.210 for like for fine tuning and models are using as is. Yeah. 0:07:38.930 --> 0:07:42.210 So that's more components. But we also have all the 0:07:42.210 --> 0:07:45.929 components on the code layer. And we have the system 0:07:45.930 --> 0:07:51.340 prompt and the agent Ancient tools and the third party 0:07:51.740 --> 0:07:57.580 tools like MCP servers. Yep. And the actual agents that 0:07:57.580 --> 0:08:02.460 can speak with many of these tools. And we have 0:08:02.500 --> 0:08:07.380 like many agents we're already seeing, we already see adoption 0:08:07.820 --> 0:08:10.460 of like multiple multiple agent frameworks. 0:08:12.100 --> 0:08:15.220 Yeah. And maybe the APIs themselves, which they're not actually 0:08:15.340 --> 0:08:18.540 AI components, but those agents will be calling back to 0:08:18.580 --> 0:08:21.780 traditional APIs as well. Yeah. So that's a pretty good 0:08:21.780 --> 0:08:24.980 list of the components. You're going to mention something else 0:08:24.980 --> 0:08:26.660 like another another component. 0:08:27.340 --> 0:08:30.220 And I'm definitely someone just asked me today like what's 0:08:30.220 --> 0:08:35.859 the difference between like old APIs, third party APIs and 0:08:35.900 --> 0:08:41.940 MCP servers or agent tools? And basically like you, you 0:08:41.940 --> 0:08:47.620 would you would think there's no difference. And I would argue, 0:08:47.880 --> 0:08:49.760 but like, tell me what? Maybe it's also a question 0:08:49.760 --> 0:08:51.760 for you. Tell them what you think. I argue the 0:08:51.760 --> 0:08:56.439 main difference is the way you're using them and not 0:08:56.960 --> 0:08:59.839 the tool is basically the same tool. The way you 0:08:59.840 --> 0:09:05.600 use them is that it's more close and more connected 0:09:05.880 --> 0:09:08.840 to your data, your critical data. 0:09:10.360 --> 0:09:15.880 Yeah, yeah, I would say another big difference is that, um, 0:09:16.480 --> 0:09:20.240 usually when you build an API from scratch, you have 0:09:20.240 --> 0:09:24.880 a skilled developer who is going through very systematic process 0:09:25.480 --> 0:09:30.080 to define exactly what methods are possible. They still make mistakes, obviously, 0:09:30.080 --> 0:09:34.360 because we have API security problems. However, at least it's 0:09:34.360 --> 0:09:39.120 being manually done right. Whereas with um, I feel like 0:09:39.120 --> 0:09:43.880 with MCP servers, the problem is you could have a, 0:09:43.880 --> 0:09:46.160 you know, data and you can have APIs on the 0:09:46.300 --> 0:09:49.940 back end. You spin up this NTP server and it 0:09:49.940 --> 0:09:52.980 just kind of goes and collects all that functionality and 0:09:52.980 --> 0:09:56.780 presents it's its own new APIs that could be used 0:09:56.780 --> 0:09:59.179 by the ancient tools. So I feel like you could 0:09:59.820 --> 0:10:06.140 create more functionality without knowledge. And that that's kind of 0:10:06.179 --> 0:10:08.460 the issue, because you might be surprised by actually what 0:10:08.460 --> 0:10:12.740 can happen through that NCP server. So I think, yeah, 0:10:12.780 --> 0:10:14.460 I think a lot of stuff is being stood up 0:10:14.460 --> 0:10:18.180 with NCP servers, and the people hosting it don't actually 0:10:18.179 --> 0:10:20.380 know all of its capabilities. 0:10:21.380 --> 0:10:24.780 It's a great point. Also, in a way, you can't 0:10:24.820 --> 0:10:29.179 know all the capabilities because part of the like, the 0:10:29.179 --> 0:10:33.740 best thing about this AI revolution is that the interface, 0:10:33.780 --> 0:10:36.820 but also the worst, is that the interface is fuzzy. 0:10:37.300 --> 0:10:39.340 The input and the output is fuzzy. It means. 0:10:39.860 --> 0:10:40.939 Yeah, it's 100%. 0:10:40.940 --> 0:10:44.180 You can't define exactly the signature of the function with 0:10:44.179 --> 0:10:47.440 all the variables. That's only integer. You can't put string there, right? 0:10:47.480 --> 0:10:50.199 So now you can afraid only from integer overflow maybe. 0:10:50.720 --> 0:10:56.200 And and and now the interface is so fuzzy. It's text, 0:10:56.240 --> 0:11:01.160 it's PDF it's voice. It's PDF with image that has 0:11:01.160 --> 0:11:04.200 some something inside it. You have so many options. So 0:11:04.200 --> 0:11:06.000 the text is huge. 0:11:06.800 --> 0:11:09.520 That's right. And then there's also the issue of like 0:11:09.520 --> 0:11:14.080 the fuzziness of if you're actually interacting with an agent 0:11:14.080 --> 0:11:17.840 on the receiving side that is front ending but separate 0:11:17.840 --> 0:11:20.360 from the MCP server. If you're talking to an agent 0:11:20.600 --> 0:11:23.480 and it has the ability to use the tools, you 0:11:23.480 --> 0:11:26.280 might be able to confuse it or trick it into 0:11:26.640 --> 0:11:32.640 using the APIs it has available in unsafe ways. Right. Um. 0:11:33.160 --> 0:11:34.160 That's a great point. 0:11:34.280 --> 0:11:37.600 Yeah. And it might it might respond back and say no. 0:11:37.600 --> 0:11:40.240 And you ask in a different way and it still 0:11:40.240 --> 0:11:41.239 gives you results. 0:11:42.400 --> 0:11:45.929 And by the way, we've seen in the wild and many, 0:11:45.929 --> 0:11:51.449 many patterns, malicious patterns we've seen with open source libraries, 0:11:51.490 --> 0:11:54.290 like in the beginning of a, you know, the concept 0:11:54.290 --> 0:11:58.770 of SCA and open source security and with models and 0:11:58.770 --> 0:12:02.730 like a concept, like a typosquatting when you're trying to 0:12:02.770 --> 0:12:08.490 do phishing to humans. Yeah. So humans are close, you know, 0:12:08.530 --> 0:12:12.410 the wrong open source library because they change something. They 0:12:12.410 --> 0:12:15.330 added a dash. So same with models. We've seen it. 0:12:15.370 --> 0:12:18.329 Yeah. For like for like npm packages, stuff like that. 0:12:18.330 --> 0:12:19.450 Package managers. 0:12:19.850 --> 0:12:23.050 Exactly. So we've seen it also with models in the 0:12:23.050 --> 0:12:27.809 evolution of us of our product. And now we're seeing 0:12:27.809 --> 0:12:33.010 it with both with agent tools and libraries. So cursor 0:12:33.370 --> 0:12:38.610 uh you can very easily precursor uh to use a 0:12:38.770 --> 0:12:42.630 typosquatting package. Let's call it this way. And same for 0:12:42.830 --> 0:12:46.750 NTP servers. You have malicious FTP servers. 0:12:47.590 --> 0:12:51.910 Right? That's a that's a great point. And that could 0:12:51.910 --> 0:12:53.710 just be a man in the middle that just passes 0:12:53.710 --> 0:12:54.750 on requests. Right? 0:12:55.429 --> 0:12:58.550 Exactly. It's totally it's look 100% legit. 0:12:59.309 --> 0:13:03.590 Yeah. But I'm saying when you submit to that malicious one, 0:13:03.590 --> 0:13:06.309 it could be still submitting to the the real one 0:13:06.630 --> 0:13:09.829 and returning you real results. But in the meantime, gathering 0:13:09.830 --> 0:13:11.390 data or doing whatever. 0:13:12.990 --> 0:13:15.470 I guess that's the worst, because when you have a 0:13:15.510 --> 0:13:19.870 Bitcoin miner, I guess like the let's call it malicious 0:13:19.870 --> 0:13:24.110 actor knows that it's going to be caught in the 0:13:24.110 --> 0:13:26.750 next few months, and you're trying to make the best 0:13:26.910 --> 0:13:32.390 out of this month. And this silent, silent man in 0:13:32.390 --> 0:13:37.150 the middle type of malicious packages, malicious models and malicious servers, 0:13:37.190 --> 0:13:40.730 that's probably the worst, especially when it's third party. so 0:13:40.730 --> 0:13:43.809 you don't need even to open source your server. 0:13:44.850 --> 0:13:48.530 Yeah, MCP is going to need some serious security help 0:13:48.530 --> 0:13:53.849 very quickly. It's because everyone's just running full speed, installing 0:13:53.850 --> 0:13:56.610 as many of these things as they can. And yeah, 0:13:56.610 --> 0:14:00.130 it's it's a good point. It's it's a really big 0:14:00.130 --> 0:14:04.810 mess right now. Um, what what other things? Uh, we 0:14:04.850 --> 0:14:08.490 got malicious MCP servers. Um, we've got agents that can 0:14:08.490 --> 0:14:13.410 be tricked. I always talk about just like the, um, 0:14:14.210 --> 0:14:19.210 the agents having too many tools available. Uh, because oftentimes 0:14:19.210 --> 0:14:21.770 I think when if the business is pushing, like, we 0:14:21.770 --> 0:14:24.370 must have I, we must have I. Oh, and by 0:14:24.370 --> 0:14:27.450 the way, we must have an agent. They just give 0:14:27.450 --> 0:14:31.250 the agent access to too many tools. And, um, the 0:14:31.250 --> 0:14:35.730 guardrail infrastructure isn't really there yet. I don't know if, uh, 0:14:35.770 --> 0:14:40.430 you guys have something around this, but, um, Um, like, uh, 0:14:40.430 --> 0:14:44.110 I use bedrock a lot, and bedrock has, um, uh, 0:14:44.110 --> 0:14:47.790 some pretty cool guardrails stuff built in, but we're running 0:14:47.790 --> 0:14:51.750 way faster than the guardrails are being laid down. So 0:14:51.790 --> 0:14:54.510 I just feel like there's a there's a mismatch between 0:14:54.510 --> 0:14:58.350 the amount of power that agents have and the amount of, um, 0:14:58.390 --> 0:15:00.470 access and power that they have. 0:15:02.110 --> 0:15:06.430 I think this asymmetry is was right for every new 0:15:06.470 --> 0:15:11.430 category in security. That's true. I think AI security is 0:15:11.430 --> 0:15:15.030 probably one of the quickest categories to to catch up. 0:15:15.270 --> 0:15:18.230 If you look like on on games, for example, game 0:15:18.230 --> 0:15:22.430 security on operating systems, um, in the early days or 0:15:22.470 --> 0:15:24.990 networks in the early days, we still have protocols like 0:15:24.990 --> 0:15:29.750 DHCP and ARP or DNS. It's so easy, so much 0:15:29.750 --> 0:15:34.950 trust into into other, uh, other people in the early days. 0:15:35.990 --> 0:15:36.310 Yeah. 0:15:36.350 --> 0:15:41.090 Categories like a car's security. Um. Oh, yeah. Security. Very. 0:15:41.330 --> 0:15:46.130 It's amazing how quickly they adopt security practices even before 0:15:46.250 --> 0:15:50.730 the log4j2, uh, happened. Of the industry? 0:15:51.650 --> 0:15:54.650 Yeah, it's a good point. Yeah. ARP is always the 0:15:54.650 --> 0:15:58.570 one that trips me out the most. It's like. It's like, um. 0:15:59.010 --> 0:16:01.330 You don't even have to ask a question. You could 0:16:01.330 --> 0:16:06.810 just receive answers like, oh, by the way, um, here 0:16:06.810 --> 0:16:08.890 is the Mac address that you're supposed to talk to. 0:16:09.690 --> 0:16:12.290 And your host is like, thank you very much. I 0:16:12.290 --> 0:16:15.170 will update that table immediately. It's just. 0:16:15.330 --> 0:16:16.090 It's amazing. 0:16:16.930 --> 0:16:20.610 And the fact that it all still works. Yeah. Interesting. 0:16:20.610 --> 0:16:24.250 So I think I agree with you. I mean, we're 0:16:24.250 --> 0:16:28.170 basically running with scissors with I, um, it's funny because 0:16:28.210 --> 0:16:31.170 I've been in the space for so long, like 90 0:16:31.210 --> 0:16:36.900 since 99. So we, uh, and I started mostly in 0:16:36.940 --> 0:16:40.180 network security. And as you move to web security, you 0:16:40.180 --> 0:16:44.700 have to relearn all the network security issues, right? We 0:16:44.700 --> 0:16:48.260 learned that those lessons for ten years, 15 years, we 0:16:48.260 --> 0:16:50.740 forget them when we move to web security, we forget 0:16:50.740 --> 0:16:53.620 them again. You go to mobile security, you forget them 0:16:53.620 --> 0:16:55.739 again a little bit when you go to cloud security. 0:16:55.860 --> 0:17:00.260 And now with AI but yeah, maybe. Well, okay, here's 0:17:00.260 --> 0:17:06.020 the question. Why is AI security picking up so fast 0:17:06.020 --> 0:17:09.940 compared to the other ones? Why is the delay shorter? 0:17:12.100 --> 0:17:16.300 Um, I think it's I think if you like, if 0:17:16.300 --> 0:17:23.419 you think about it, um, everyone understand all the products 0:17:23.420 --> 0:17:28.420 are going to have AI. And because of this fuzzy 0:17:28.420 --> 0:17:31.899 interface and that you want to you want it to 0:17:31.900 --> 0:17:37.280 be connected into your most important data sources. And I 0:17:37.280 --> 0:17:41.640 think everyone understands kind of a game of of who's 0:17:41.640 --> 0:17:45.080 going to be the first lock forward in a way. 0:17:45.119 --> 0:17:48.360 Maybe everyone just understand it's a matter of time and 0:17:48.359 --> 0:17:50.800 you don't want. It's just you don't want it to 0:17:50.800 --> 0:17:52.719 be you. The first lock for Jay. 0:17:53.400 --> 0:17:53.800 That makes. 0:17:53.800 --> 0:17:57.399 Sense. I understand I understand all the companies, like all 0:17:57.400 --> 0:18:01.080 my customers that like trying to push hard for to 0:18:01.119 --> 0:18:05.720 develop with AI, to develop AI into their products. Because 0:18:05.720 --> 0:18:08.480 if they won't do it, all the competitors will do it. 0:18:09.240 --> 0:18:11.400 I mean, it's a huge advantage. Also us as like 0:18:11.440 --> 0:18:15.679 a security vendor, we need to we're using AI to 0:18:15.720 --> 0:18:20.280 solve problems in our products to to understand code and 0:18:20.280 --> 0:18:24.520 to suggest code. Remediations. And it's something that you know, 0:18:25.440 --> 0:18:27.800 or you're going to be the first to do it 0:18:28.080 --> 0:18:30.879 and you have this advantage, or you'll be the last 0:18:30.880 --> 0:18:34.860 to do it. And you Like you lose the game. 0:18:35.820 --> 0:18:38.740 Yeah, that could be it. The the fact that it 0:18:38.740 --> 0:18:41.740 just feels so big. People just have a natural fear 0:18:41.740 --> 0:18:45.420 of it. Whereas maybe it was slower with the previous revolutions. 0:18:45.859 --> 0:18:49.780 How do you see the distinction between security of AI 0:18:49.940 --> 0:18:51.700 versus AI security. 0:18:54.180 --> 0:19:00.379 Security of AI? Basically, with every new every category in security. 0:19:00.380 --> 0:19:06.459 When you say security, it usually means securing X, right? Like, yeah, 0:19:06.700 --> 0:19:11.939 a cloud security. It's securing the cloud. SaaS security is 0:19:11.940 --> 0:19:16.700 securing SaaS somehow with AI security. Uh, it's it's still 0:19:16.700 --> 0:19:19.980 confusing because I guess it's in the early days, uh, 0:19:20.380 --> 0:19:23.420 I think we should align that AI security is securing 0:19:23.460 --> 0:19:30.540 AI and not like it's not, uh, securing the the 0:19:30.540 --> 0:19:35.760 output of AI or something like that. Um, but a 0:19:35.760 --> 0:19:36.960 time will tell, I guess. 0:19:37.480 --> 0:19:40.600 Yeah, yeah. I wonder if they start to merge. I 0:19:40.680 --> 0:19:43.840 think the reason, maybe one of the reasons that it 0:19:43.840 --> 0:19:47.840 started out being separate was this whole concept of, um, 0:19:48.359 --> 0:19:51.600 just the model, uh, remember, uh, data poisoning. It's not 0:19:51.600 --> 0:19:56.320 talked about as much as, like, um, in 22 or 23, 0:19:56.359 --> 0:19:59.560 but it was like, what is the, um, can the 0:19:59.560 --> 0:20:03.840 data be poisoned that, uh, you know, the eyes are 0:20:03.840 --> 0:20:08.159 being trained on? Right. So it was like, I don't know, 0:20:08.160 --> 0:20:11.000 there's just not nearly as much focus on that anymore. 0:20:11.040 --> 0:20:13.040 And now it's more about it. I would agree with you. 0:20:13.040 --> 0:20:14.800 I think it's actually merging more now. 0:20:16.960 --> 0:20:21.720 Yeah. Also. Yeah. Also like, uh, in the beginning everyone 0:20:21.720 --> 0:20:26.280 spoke about like, AI driven security. Um, and it's kind 0:20:26.280 --> 0:20:32.100 of funny because, uh, anomaly detection, it's basically like using 0:20:32.140 --> 0:20:36.900 AI in order to find anomalies. Um, and so many 0:20:36.900 --> 0:20:40.060 of the categories are already using heavily, heavily based on AI. 0:20:41.220 --> 0:20:43.780 But if we look in the future, there's not going 0:20:43.780 --> 0:20:47.020 to be any vendor that's not using AI. That's right. 0:20:47.060 --> 0:20:50.380 Also in application security, like your promise at the end 0:20:50.420 --> 0:20:55.780 is suggesting how to harden your code. And of course 0:20:55.780 --> 0:20:56.740 you're going to use AI. 0:20:57.540 --> 0:21:00.420 That's right. That's right. We don't have any database companies 0:21:00.420 --> 0:21:04.300 because um, what we do that that only make databases 0:21:04.300 --> 0:21:07.380 or whatever. But every company is a database company. Every 0:21:07.380 --> 0:21:11.100 company is an Excel company. Like. Yeah, it's just, uh, 0:21:11.420 --> 0:21:15.419 it's just built in, um, so so what what do 0:21:15.420 --> 0:21:18.060 you think about the current solutions? Uh, what do you 0:21:18.060 --> 0:21:20.979 think about current solutions in terms of, like, what are 0:21:20.980 --> 0:21:23.620 the current, like, appsec vendors, like the ones that have 0:21:23.619 --> 0:21:26.619 been around for, you know, 15 years or whatever? How 0:21:26.660 --> 0:21:30.670 are their solutions like By solving these problems that we've 0:21:30.670 --> 0:21:31.470 been talking about. 0:21:33.030 --> 0:21:40.070 And the really simple answer we just don't. And like 0:21:40.109 --> 0:21:44.390 a classic abstract, abstract solutions, doing a really good job 0:21:44.670 --> 0:21:49.550 in detecting some patterns in your code of vulnerabilities, like 0:21:49.590 --> 0:21:52.430 CW is at the end of the day, inherently is 0:21:52.430 --> 0:21:55.710 a pattern, and not it's not a technique to solve it. 0:21:55.710 --> 0:21:58.630 To find the CW, the way we think about it 0:21:58.630 --> 0:22:05.030 is about finding patterns and CVS, which today is maybe 0:22:05.070 --> 0:22:08.310 a bit sad day for CVS. And let's say there's 0:22:08.310 --> 0:22:14.429 many other security advisories. GA the others, you know, the 0:22:14.470 --> 0:22:19.310 GitHub security advisory, the Ruby Security advisory. So all of them, um, 0:22:19.350 --> 0:22:23.149 it's something that it's in your libraries. Um, so the 0:22:23.150 --> 0:22:26.670 way you think about it is only libraries and code issues. 0:22:26.910 --> 0:22:31.090 But the thing about AI security is that first, to 0:22:31.130 --> 0:22:34.570 even to detect these components, it's not enough to look 0:22:34.570 --> 0:22:37.929 in libraries. And libraries can give you a hint. And 0:22:37.970 --> 0:22:41.930 actually it's something it's a great thing we do. We 0:22:41.930 --> 0:22:45.490 only using the libraries tell you the hints. It it. 0:22:46.170 --> 0:22:49.369 I remember the day when we found you can do it. 0:22:49.369 --> 0:22:52.530 You can just just take the libraries even before you put, 0:22:52.570 --> 0:22:55.490 you know, some heavy scanners on all the places. Just 0:22:55.490 --> 0:22:57.850 take the libraries and extract all the hints you can 0:22:57.930 --> 0:23:00.929 about the usage of AI. And that was like a great, uh, 0:23:00.970 --> 0:23:07.810 you know, uh, Aurora for us. Um, and, uh, and 0:23:07.810 --> 0:23:10.850 that's maybe the first step, basically. How do you find models? 0:23:11.290 --> 0:23:14.810 Models is something um, or you find it the art 0:23:14.810 --> 0:23:18.890 of the model artifact, which can be either the repository 0:23:18.890 --> 0:23:23.730 in the container in some S3 bucket or spatial, uh, 0:23:23.770 --> 0:23:27.630 you know, models, repositories. So that's a new place for models. 0:23:27.630 --> 0:23:30.790 But if it's, you know, third party, if we're using 0:23:30.950 --> 0:23:35.670 some inference providers, which from my experience and most customers 0:23:35.670 --> 0:23:40.310 starting from using inference providers, most companies, they start with 0:23:40.310 --> 0:23:43.550 some prototype and they will use the easiest, you know, OpenAI, Azure, 0:23:43.550 --> 0:23:48.630 OpenAI bedrock. Yeah. And they can so so that's something 0:23:48.670 --> 0:23:51.550 you can't find anywhere. Not in the container. Not the 0:23:51.670 --> 0:23:54.709 it's not an artifact. And the only place is in 0:23:54.710 --> 0:23:58.470 the code. And none of our current solutions is like 0:23:58.670 --> 0:24:06.350 is positioned us to find it. And so, so like, uh, 0:24:06.430 --> 0:24:10.550 you need a new, new solution. And you I think 0:24:10.590 --> 0:24:12.950 the AI security companies are going to be in your 0:24:12.950 --> 0:24:17.230 products are going to be something like totally new, and 0:24:17.270 --> 0:24:20.990 that is going to be merged into the current DevSecOps 0:24:20.990 --> 0:24:22.630 and Appsec workflows. 0:24:23.630 --> 0:24:26.490 Yeah. The way I think. Think about it. Or I 0:24:26.490 --> 0:24:29.129 always used to think about it because my background is 0:24:29.450 --> 0:24:34.090 largely web security, um, which we would have a major 0:24:34.090 --> 0:24:38.250 distinction between dynamic and static security. Right. So, like, I 0:24:38.250 --> 0:24:40.210 was at 4 to 5 for a very long time, 0:24:40.250 --> 0:24:42.129 and there were the static people over there, and we 0:24:42.130 --> 0:24:45.490 were the dynamic people. I feel like the AI piece 0:24:45.970 --> 0:24:49.850 definitely is on the dynamic side. Um, it has to 0:24:49.850 --> 0:24:53.570 be right. So rather than just like web testing and 0:24:53.570 --> 0:25:00.609 API testing, it's got to be more comprehensive. Um, so 0:25:01.090 --> 0:25:02.730 let's just jump right into. 0:25:03.130 --> 0:25:06.930 We, you know, we started with, uh, with the static 0:25:07.290 --> 0:25:11.889 part of AI because we found that the biggest issue 0:25:12.090 --> 0:25:15.530 is threat modeling just to discover what you don't know 0:25:15.530 --> 0:25:19.410 you have. And we found that, uh, that's we found 0:25:19.410 --> 0:25:21.570 that it's not just a big issue. It's like huge 0:25:21.570 --> 0:25:24.540 issue because most companies just don't know what they have 0:25:25.340 --> 0:25:28.660 on the order of ten. But then we because of that, 0:25:28.660 --> 0:25:33.260 we moved into the dynamic section. And when we're now 0:25:33.300 --> 0:25:37.699 like trying to offer both because at the end of 0:25:37.700 --> 0:25:40.300 the day I a model, there's a bunch of numbers 0:25:40.660 --> 0:25:43.620 and like code you can understand. You just can't understand it. 0:25:43.660 --> 0:25:48.060 And the only way is through through a conversation, through 0:25:48.100 --> 0:25:52.500 like dynamic and simulating attacks, through pentesting basically. 0:25:53.020 --> 0:26:01.140 Yeah. Yeah. Absolutely. So. So let's think about that. So, um, 0:26:02.180 --> 0:26:06.300 just talk me through like how your solutions are set up. 0:26:06.300 --> 0:26:10.340 Like what is the the basic tagline for it like, um, 0:26:11.540 --> 0:26:15.900 is it, uh, is it asset discovery? Are you discovering 0:26:15.940 --> 0:26:20.020 like the the structure of the application? Are you enumerating 0:26:20.060 --> 0:26:23.960 like controls? Roles. Are you testing controls? What exactly is 0:26:23.960 --> 0:26:25.320 it that the suite does? 0:26:26.400 --> 0:26:31.760 Um, so it's it's kind of both. Um, we're starting from, uh, 0:26:31.920 --> 0:26:36.680 statically scanning all the assets, all the AI resources, components, 0:26:36.680 --> 0:26:39.720 you can call it in different names, and to find 0:26:39.760 --> 0:26:42.520 all the AI you have. And usually at this stage 0:26:43.080 --> 0:26:48.720 we find that usually we start like, you know. Like 0:26:48.760 --> 0:26:53.639 average company will say we have some AI components, some 0:26:53.640 --> 0:26:58.399 AI driven applications. Then where we do the initial scan, 0:26:58.560 --> 0:27:01.359 we found it's more than that by a factor of ten. 0:27:02.080 --> 0:27:07.480 And and that's every time exciting to see like and 0:27:07.480 --> 0:27:10.560 you know it's it's you in the security. It's really 0:27:10.560 --> 0:27:13.000 easy to say that it's bad. But actually it's pretty 0:27:13.000 --> 0:27:16.159 amazing how the industry is trying to push harder to 0:27:16.200 --> 0:27:21.220 push forward. So so even without the security knowing everyone, 0:27:21.220 --> 0:27:24.700 just trying to use it, trying to use it, trying 0:27:24.700 --> 0:27:30.859 to make a smarter applications and more valuable products. Um, 0:27:30.980 --> 0:27:34.699 so so we detect it. And then the question is, uh, 0:27:34.780 --> 0:27:38.899 if I have dopesick, uh, it's a drug. Maybe it's 0:27:38.900 --> 0:27:42.460 bad because rag connected to data, you know, you don't 0:27:42.460 --> 0:27:45.700 want to leak this data, and you may be concerned 0:27:45.700 --> 0:27:48.859 about dopesick unless you're in China, which is a very 0:27:48.859 --> 0:27:52.500 it's the opposite. You probably want to use dopesick. And 0:27:52.540 --> 0:27:54.860 so you just want to know what you have. Then 0:27:54.900 --> 0:27:58.580 you want to detect all the risks you have in 0:27:58.580 --> 0:28:03.540 these components. And which is kind of a composition analysis, um, 0:28:03.820 --> 0:28:06.860 when you think about it in deeply, not only libraries 0:28:06.859 --> 0:28:13.260 in SCA. Um. And that's amazing. You find, uh, legal risk. 0:28:13.300 --> 0:28:15.780 You find security risk for all these components. It can 0:28:15.780 --> 0:28:20.359 be models, uh, you know, uh, agents and speed to 0:28:20.400 --> 0:28:22.200 MCP servers, agent tools. 0:28:22.960 --> 0:28:26.160 And how are you getting all the components? Are they 0:28:26.160 --> 0:28:29.400 providing them to you, or are you getting them dynamically? Like, 0:28:29.640 --> 0:28:31.520 how are you getting these from the customer? 0:28:32.640 --> 0:28:36.840 Um, so we started with taking the hints from the 0:28:36.840 --> 0:28:40.920 open source libraries, and then we used these hints to 0:28:40.960 --> 0:28:44.760 look into the code and find, uh, all the components 0:28:44.760 --> 0:28:49.760 in code. Um, and if we have, uh, if you're 0:28:49.760 --> 0:28:54.800 using self-hosted models or like open source models, uh, we 0:28:54.800 --> 0:28:59.480 looked for artifacts. So we'll find a file that we, that, 0:28:59.520 --> 0:29:02.240 you know, from the magic of the file, from the 0:29:02.240 --> 0:29:05.640 headers of the file, we know it's a model. And 0:29:05.640 --> 0:29:09.880 then we have some fingerprinting, uh, technique to, to match 0:29:09.880 --> 0:29:14.360 it into the actual file. It's a inherit from. So 0:29:14.360 --> 0:29:16.400 if you took a file, fine. Tuned it, you know, 0:29:16.440 --> 0:29:18.980 took something from hugging face. Finding it and using it 0:29:19.700 --> 0:29:22.940 will tell you about this file and that it's related 0:29:22.940 --> 0:29:26.260 to hugging face model and hopefully not malicious one. 0:29:27.460 --> 0:29:30.820 Oh, interesting. I mean, that's that's an offering by itself, right? 0:29:30.820 --> 0:29:32.500 Just like asset discovery. 0:29:33.140 --> 0:29:39.060 Of course, you'll be surprised by how much, um, you know, 0:29:39.100 --> 0:29:43.380 there's a the proportion between what you know and what 0:29:43.380 --> 0:29:46.180 you don't know, uh, is, is large. 0:29:46.700 --> 0:29:47.100 It's pretty. 0:29:47.140 --> 0:29:47.660 Amazing. 0:29:47.940 --> 0:29:50.940 Yeah. Whenever, whenever I do security assessments, I usually have 0:29:50.980 --> 0:29:54.900 a really large visual that I'm building out throughout the week. 0:29:55.300 --> 0:29:58.340 And honestly, it's just laying out what the application does. 0:29:58.340 --> 0:30:01.380 It just lays out what the functionality is, where the 0:30:01.380 --> 0:30:04.580 data is flowing. And as I'm interviewing more and more 0:30:04.580 --> 0:30:07.420 developers and more and more people in the company, I 0:30:07.420 --> 0:30:09.420 just bring them in and show them this thing and 0:30:09.420 --> 0:30:15.870 they're like, oh yeah, everyone starts taking pictures, they start taking, 0:30:16.070 --> 0:30:18.390 they're like, oh yeah. Yeah. So because they don't have 0:30:18.390 --> 0:30:21.750 any documentation that's actually this good. And it turns out 0:30:21.750 --> 0:30:25.230 if you just see it, if you just visualize it, 0:30:25.550 --> 0:30:28.230 you're like, it's obvious to everyone who walks in the 0:30:28.230 --> 0:30:32.670 room that this is a problem and, you know, when 0:30:32.670 --> 0:30:38.350 it's not visualized, um, or it's not explicitly laid out. Yeah. 0:30:38.350 --> 0:30:41.270 You just miss the stuff. Okay. So so you have 0:30:41.270 --> 0:30:42.390 the list of components. 0:30:42.430 --> 0:30:45.790 By the way. It's a, I like like all the 0:30:45.790 --> 0:30:47.750 trend of showing topology. 0:30:48.590 --> 0:30:49.030 Yes. 0:30:49.070 --> 0:30:52.750 What you have. Yeah I love this trend. Um, I 0:30:52.750 --> 0:30:56.870 think there's a really large debate in the security industry 0:30:57.150 --> 0:31:00.390 because people say at the end of the day, it's 0:31:00.390 --> 0:31:04.150 not it's not showing the data. You need tables. But 0:31:04.190 --> 0:31:08.670 there's something about visualizations that like pass the give you 0:31:08.670 --> 0:31:12.230 the value shows it in a different way. And it's funny. 0:31:12.910 --> 0:31:15.370 I would just show an arrow and I would like 0:31:15.370 --> 0:31:18.130 color code the arrows like according I would have the 0:31:18.130 --> 0:31:22.090 data classification for the company on the board. And if 0:31:22.090 --> 0:31:26.530 it's one of the like last two data classification like, um, 0:31:27.010 --> 0:31:30.770 sensitive secret, whatever their classification is, then I would just 0:31:30.770 --> 0:31:34.650 have all the connecting dots or the connecting arrows be red. 0:31:35.730 --> 0:31:39.210 They're like, why are these red? Because, um, you know, 0:31:39.330 --> 0:31:43.330 Sarah over here or John over here said that that 0:31:43.330 --> 0:31:47.330 type of data classification is included in this data. And 0:31:47.330 --> 0:31:51.010 suddenly after you talk to 20 different people, the whole 0:31:51.010 --> 0:31:55.130 board is red, right? The whole board's red. And they're like, okay, 0:31:55.130 --> 0:31:57.770 I didn't realize the problem was this bad. Yeah. And 0:31:57.770 --> 0:32:00.490 then those documents end up being used as the official 0:32:00.490 --> 0:32:04.330 document for the application going forward. So I feel like 0:32:04.330 --> 0:32:09.090 this is this is absolutely needed, especially for I when 0:32:09.090 --> 0:32:12.090 I talk to people about AI implementations, I'm just like, 0:32:12.990 --> 0:32:17.310 Show me exactly where the agent is in this workflow. 0:32:17.950 --> 0:32:21.110 Show me exactly which APIs it has access to. And 0:32:21.110 --> 0:32:24.190 as they start writing it down, they're like, oh, well, 0:32:24.190 --> 0:32:26.350 I think I see the problem. I haven't even said 0:32:26.350 --> 0:32:27.230 anything yet. 0:32:27.270 --> 0:32:32.350 Yes. It's amazing. You know, I love threat modeling. I love, like, 0:32:32.390 --> 0:32:36.870 doing it, uh, with customers. And you started from it 0:32:36.870 --> 0:32:37.510 so much. 0:32:38.590 --> 0:32:39.310 Yeah, absolutely. 0:32:39.350 --> 0:32:41.430 And at the end of the day, uh, like, it's 0:32:41.430 --> 0:32:45.910 not enough because you need to detect the issues. Um, 0:32:46.310 --> 0:32:55.270 so there's malicious models, which is, like, surprisingly, surprisingly, surprisingly, like, uh, getting, uh, 0:32:55.910 --> 0:32:59.590 evolving a category. And because in open source models, there 0:32:59.630 --> 0:33:02.990 is a you think a model is only like a 0:33:02.990 --> 0:33:07.310 metric of numbers, but actually it has also some serialized code. 0:33:07.470 --> 0:33:09.870 It's like many of the many types of models are 0:33:09.870 --> 0:33:14.850 like pickle files. Yeah. Not necessarily. It can be a 0:33:14.850 --> 0:33:18.650 family of, uh, of types of people files, uh, which 0:33:18.650 --> 0:33:23.170 is a code that is serialized into some, like, uh, 0:33:24.210 --> 0:33:25.490 some opcodes. 0:33:25.730 --> 0:33:29.250 It's always it's always the parsers. It's always the parsers. 0:33:29.930 --> 0:33:32.610 Yes. Yeah. And it's going to, you know, pull code. 0:33:32.650 --> 0:33:36.170 It's theoretically it can pull another binary, uh, from remote 0:33:36.170 --> 0:33:39.570 and run it. Yeah. So it can be super malicious. 0:33:40.530 --> 0:33:40.810 Yeah. 0:33:41.050 --> 0:33:43.930 It's also like a known risk, you know, like other 0:33:43.930 --> 0:33:49.930 classic vulnerabilities. Um, only this week I saw a company that, uh, 0:33:50.170 --> 0:33:53.850 scanned all the papers, like, all the academic papers, and 0:33:53.850 --> 0:33:58.170 try to extract the existing attacks and to map, you know, 0:33:58.210 --> 0:34:03.130 attacks to models. Hmm. I think we still it's still not, 0:34:03.170 --> 0:34:05.290 you know, we're still not there at the end of 0:34:05.330 --> 0:34:08.049 the game. It's not like, uh, see that you have 0:34:08.050 --> 0:34:13.190 so many security advisories. I think we're getting there. And 0:34:13.950 --> 0:34:16.670 we're for sure more mature as an industry. 0:34:17.830 --> 0:34:23.030 Yeah. Okay. So let's say someone what is an ideal 0:34:23.030 --> 0:34:26.950 customer look like for you, like in terms of they 0:34:26.950 --> 0:34:28.990 come to you and they say, I have this problem 0:34:28.989 --> 0:34:32.069 or this problem or this problem and you say, okay, perfect. 0:34:32.110 --> 0:34:34.790 That's exactly what we do. What would those problems look 0:34:34.790 --> 0:34:37.030 like and what would you tell them? The solution is. 0:34:38.510 --> 0:34:43.190 Um, there's two types of companies and I see all. 0:34:43.230 --> 0:34:46.469 It's a company that's concerned about AI, but they don't 0:34:46.469 --> 0:34:49.190 know what to do. And so that's kind of the 0:34:49.230 --> 0:34:54.270 free threat modeling stage. That's that's a stage where the 0:34:54.270 --> 0:34:56.870 first thing you need to do is discover everything. You 0:34:56.870 --> 0:35:01.870 have all the agent models. Um, usually a company will say, 0:35:01.870 --> 0:35:04.310 we have a policy that says we're only using, you know, 0:35:04.350 --> 0:35:07.110 Azure AI. And then we'll find many, like a hugging 0:35:07.150 --> 0:35:12.839 face model lipstick and other service providers. And and that's 0:35:12.840 --> 0:35:15.799 the first stage. And once you we hope to do 0:35:15.800 --> 0:35:18.239 the threat modeling, we see how the companies start like 0:35:18.280 --> 0:35:21.760 thinking and getting more advanced. And the other type of 0:35:21.760 --> 0:35:25.239 companies are the a bit more sophisticated ones where they 0:35:25.239 --> 0:35:29.040 already have some like 2 to 3, let's say, or 0:35:29.080 --> 0:35:33.400 a few like major AI driven products. They know about them. 0:35:33.440 --> 0:35:37.360 They already like a threat model them. So the discovery 0:35:37.360 --> 0:35:40.920 will still help them a lot, but the more advanced 0:35:40.960 --> 0:35:46.680 they know, they have some, let's say uh, tax uh application, 0:35:47.000 --> 0:35:51.239 uh reviewer, automatic reviewer. Um, that like is very smart, 0:35:51.239 --> 0:35:54.000 but it's very risky because it's a PDF and something 0:35:54.000 --> 0:35:58.120 can happen. Usually they wouldn't know exactly what the risks. 0:35:58.120 --> 0:36:00.919 They wouldn't know that what they need is, you know, 0:36:00.960 --> 0:36:05.640 some something that will simulate attacks of sending PDF with 0:36:05.680 --> 0:36:09.299 an image inside the image. It will have some prompt injection, 0:36:10.780 --> 0:36:12.780 but they will know they will. Heard about the OWASp 0:36:12.780 --> 0:36:16.299 top ten for applications, which is, by the way, great 0:36:16.300 --> 0:36:20.460 a list of threats and, you know, great awareness. 0:36:21.660 --> 0:36:22.660 Yeah, that makes sense. 0:36:23.140 --> 0:36:25.540 And then we like tell them, hey, you have here 0:36:25.580 --> 0:36:29.580 potential a malicious model. Check it. You have here IPsec. 0:36:29.860 --> 0:36:33.700 And that's the findings from the dynamic scanning of the 0:36:33.739 --> 0:36:36.859 you know, all the attack simulations. Okay. And then we 0:36:36.860 --> 0:36:39.620 need to fine tune how to have to do what's 0:36:39.620 --> 0:36:42.660 the right attacks. What's the most important attacks to check. 0:36:43.580 --> 0:36:46.580 Nice. Okay. And then what what is the product like. 0:36:46.580 --> 0:36:49.580 What is the product suite do like what are the 0:36:49.580 --> 0:36:50.980 the pieces of functionality. 0:36:52.219 --> 0:36:56.420 And so it's basically what we spoke about. And it 0:36:56.420 --> 0:37:00.260 starts with discovery of all the components. Then it moves 0:37:00.260 --> 0:37:03.980 to the risk of each component individually. And once you 0:37:03.980 --> 0:37:06.840 know about all the components you need somehow to connect 0:37:06.840 --> 0:37:10.719 them into a behavioral risk and to to understand, to 0:37:10.760 --> 0:37:15.040 contextualize all the risk of the entire components together. And 0:37:15.040 --> 0:37:17.160 because you can't have a system prompt, you can't have 0:37:17.200 --> 0:37:20.160 a model. And you can have some, you know, rug 0:37:20.600 --> 0:37:23.280 that connects them to a database. But unless you understand 0:37:23.280 --> 0:37:26.040 you have this database, this system from twist, this model, 0:37:26.320 --> 0:37:29.520 that's the only way to understand that you have context leakage. 0:37:30.239 --> 0:37:33.680 And so for that we have these behavioral risk rating 0:37:33.680 --> 0:37:39.080 automatic rating attack simulations and drop everything. We're doing a 0:37:39.120 --> 0:37:43.720 mitigation what we call governance and mitigations and where we 0:37:43.960 --> 0:37:46.560 where you can create policies to prevent let's say if 0:37:46.560 --> 0:37:51.400 it's Rug and Leipzig block it, this facial combination. And 0:37:51.440 --> 0:37:55.640 in the near future we're going to release the ability 0:37:55.640 --> 0:38:00.240 to what we call guiderails, which is not guardrails. It's guiderails. 0:38:00.560 --> 0:38:01.040 Interesting. 0:38:01.040 --> 0:38:04.900 The concept of mitigating putting like a the mitigations into 0:38:04.900 --> 0:38:05.460 the code. 0:38:06.700 --> 0:38:07.299 Not like. 0:38:07.300 --> 0:38:07.420 A. 0:38:07.460 --> 0:38:12.420 Firewall. Like dynamic. Dynamic detections as it's coming in. 0:38:13.180 --> 0:38:16.900 No. So actually not dynamic. And the point is that 0:38:17.300 --> 0:38:20.819 integrated into the development process. And the developers will get 0:38:20.820 --> 0:38:24.819 suggestions for mitigations to the code. For example, add to 0:38:24.820 --> 0:38:28.500 the system prompt this and that in order to block 0:38:28.540 --> 0:38:32.540 this redeeming findings in order to mitigate from these findings. 0:38:32.820 --> 0:38:36.899 For example, a format your output of LLM into more 0:38:36.940 --> 0:38:39.940 like a less fuzzy format because you don't need a 0:38:39.940 --> 0:38:43.500 fuzzy output. So why, uh, like why open your attack 0:38:43.500 --> 0:38:45.220 surface and. 0:38:45.219 --> 0:38:45.580 So many. 0:38:45.580 --> 0:38:49.660 Small things that everyone has. Everyone got these issues and 0:38:49.660 --> 0:38:52.700 you have agent, maybe the same agent should not access 0:38:52.700 --> 0:38:56.460 the data and run code afterwards, because if someone will 0:38:56.660 --> 0:38:58.940 like prompt injection the agent, you can run code that 0:38:58.940 --> 0:39:02.299 access the data. And so you know these simple. There's 0:39:02.300 --> 0:39:04.350 so many simple steps no one knows. 0:39:05.350 --> 0:39:09.710 Yeah, that makes sense. Okay. So it's it's the initial 0:39:09.710 --> 0:39:14.750 assessment of, like, what the attack surface is. Um, just 0:39:14.750 --> 0:39:19.109 discovering the assets. Then there's the dynamic assessment, and then 0:39:19.110 --> 0:39:20.310 there's mitigation. 0:39:21.030 --> 0:39:21.710 Exactly. 0:39:22.710 --> 0:39:27.630 Perfect. Um. All right. What do you think is happening next? 0:39:27.630 --> 0:39:31.870 What are you worried about happening coming up? Uh, trends 0:39:31.870 --> 0:39:33.990 or risks that you see coming up soon? 0:39:35.510 --> 0:39:39.670 Um, I think we it seems like we have a 0:39:40.230 --> 0:39:44.229 every new like it seems like every, every every old 0:39:44.230 --> 0:39:48.190 category in security and need to find a way to adapt. 0:39:48.590 --> 0:39:51.550 And because, like speaking with customers and we see that 0:39:51.750 --> 0:39:56.390 identities that is like, you know, kind of an existing, uh, 0:39:56.430 --> 0:40:00.750 category with tons of issues now has a new aspect 0:40:00.790 --> 0:40:04.370 in the AI driven applications because you want to manage, 0:40:04.770 --> 0:40:06.730 you want to make sure one user can't access a 0:40:06.730 --> 0:40:11.290 different user data. And so, you know, it's old problem 0:40:11.530 --> 0:40:15.890 with a new suit, let's call it. And so. 0:40:15.930 --> 0:40:16.450 Yeah. 0:40:16.489 --> 0:40:19.729 We see so many so many, so many nutrients. And 0:40:19.730 --> 0:40:24.610 exactly like you said before, so many new same problems 0:40:24.650 --> 0:40:28.810 and new problems which basically the same. So that's one 0:40:28.810 --> 0:40:31.810 thing I think, which we need to remember it that 0:40:31.969 --> 0:40:34.090 all the new things are basically old. 0:40:35.489 --> 0:40:40.250 Yeah. Yeah. I like you're talking about um, yeah. I 0:40:40.250 --> 0:40:43.529 think the distinction between what an agent is doing and 0:40:43.530 --> 0:40:49.689 making sure it's not acting on behalf of an actual human. Right. Uh, making. Yeah, 0:40:49.730 --> 0:40:54.810 non-human identity versus human identities and making those distinctions, having 0:40:54.810 --> 0:40:58.489 separate policies, separate policies for those. I think that's going 0:40:58.489 --> 0:40:59.290 to be important. 0:41:00.190 --> 0:41:03.430 Yes. And, you know, like the same concept. You want 0:41:03.430 --> 0:41:08.030 multi-tenant also for agent. You want permissions also for agent and. 0:41:08.350 --> 0:41:11.549 Separation of duties. Like all like you said, all the 0:41:11.550 --> 0:41:16.150 old stuff we have to re-implement relearning the lessons from, 0:41:16.270 --> 0:41:17.550 you know, 25 years. 0:41:18.790 --> 0:41:22.069 Exactly. And but I think like if you, if you 0:41:22.070 --> 0:41:26.070 look on the new things classes and you see that 0:41:26.469 --> 0:41:31.390 multiple agents of course, but multiple agent frameworks, agents orchestration 0:41:31.910 --> 0:41:35.790 and create more issues because it's way more complicated to 0:41:35.790 --> 0:41:41.830 understand how it works and the communication between agents. Open 0:41:41.870 --> 0:41:47.590 the make the exploit way more complicated. It's way more complicated, 0:41:47.590 --> 0:41:51.989 but like way stronger. A very similar to to what 0:41:51.989 --> 0:41:56.350 you have when you try to exploit memory corruptions and 0:41:56.390 --> 0:42:01.049 that you try to jump between a different places in 0:42:01.050 --> 0:42:04.850 the program in order to finally run the code. And 0:42:05.090 --> 0:42:08.210 so it's very similar to here. And if the code 0:42:08.250 --> 0:42:11.969 is if you have more attack surface, when you have 0:42:12.010 --> 0:42:15.090 the code is larger and you have more places and 0:42:15.090 --> 0:42:17.770 more gadgets that you can more places you can jump 0:42:17.770 --> 0:42:21.930 between each other until you run the code. And here 0:42:21.930 --> 0:42:24.169 you have many agents. So you can you need just 0:42:24.170 --> 0:42:28.489 to find the agent, you know, to send the right 0:42:28.489 --> 0:42:31.049 prompt into to run the code, I think. 0:42:31.050 --> 0:42:33.370 I think it's worse, like you said, I think it's 0:42:33.410 --> 0:42:38.850 worse with multi-agent because that's more opportunities for tricking. Like 0:42:38.850 --> 0:42:44.770 you might have a smart one. Um, so a prompt 0:42:44.770 --> 0:42:47.489 injection might not detonate with the first one you're talking to, 0:42:47.530 --> 0:42:50.370 but it might pass it along to a dumber one 0:42:50.370 --> 0:42:55.570 behind it. And that one it will detonate on. Yeah. Interesting. Um. 0:42:56.450 --> 0:42:58.629 Also, if you think about it, when you have more 0:42:58.630 --> 0:43:02.550 components that speaking with each other, it's hard to track. 0:43:02.590 --> 0:43:05.509 What's the purpose of each one. So you're going to 0:43:05.510 --> 0:43:09.710 have these, you know, uh, let's call it a small 0:43:09.710 --> 0:43:14.709 drift in, in the communication between them. Uh, there's one 0:43:14.710 --> 0:43:16.989 that should do X, the one should do Y, but 0:43:16.989 --> 0:43:21.670 they will have somewhere like some very small interaction that 0:43:21.670 --> 0:43:23.350 will probably be exploitable. 0:43:24.830 --> 0:43:26.350 Yeah. Because for each one. 0:43:26.350 --> 0:43:29.230 Individually is totally okay. It looks fine. 0:43:30.870 --> 0:43:35.070 Yeah. So for the CISOs that are listening, like, what's 0:43:35.070 --> 0:43:38.069 the one piece of advice like what's the one thing 0:43:38.070 --> 0:43:41.270 you would say to someone who's implementing AI or trying 0:43:41.270 --> 0:43:42.070 to secure it? 0:43:44.510 --> 0:43:49.190 Um, I would say the, the easiest thing to do is, 0:43:49.630 --> 0:43:52.870 at least from my experience, is to try to create 0:43:53.630 --> 0:44:00.040 really hard and forcing policies. And that prevents everything and 0:44:00.040 --> 0:44:04.920 blocks everything. And that's really easy. Um, but I think 0:44:05.360 --> 0:44:09.759 the right way to go is to create integrated workflows 0:44:09.760 --> 0:44:16.080 like any other security issues, and that will help to enable, um, 0:44:16.120 --> 0:44:19.040 enable developers and enable the products to be really good 0:44:19.040 --> 0:44:23.239 and valuable in the AI driven, um, and more and 0:44:23.239 --> 0:44:26.880 less disable, um, and it's right for everything. And I 0:44:26.880 --> 0:44:30.480 think it's especially for AI and I see it firsthand, uh, 0:44:30.760 --> 0:44:33.000 maybe a bit too much, unfortunately. 0:44:34.200 --> 0:44:37.359 Yeah, that makes sense. And where can people learn more 0:44:37.360 --> 0:44:38.200 about the company? 0:44:39.800 --> 0:44:44.960 Um, so Mend-ooyo is an apps company? Um, traditional apps company. 0:44:44.960 --> 0:44:48.760 One of the first SCA vendors that grew into, you know, SAS, 0:44:48.760 --> 0:44:52.520 SCA container scan container image scanning. Like I spoke before 0:44:52.760 --> 0:44:58.219 about the ability technology that got acquired for and now 0:44:58.219 --> 0:45:02.060 also AI security. And we love what we do. We 0:45:02.060 --> 0:45:06.379 have a lot of customers. Um, and uh, we're I 0:45:06.460 --> 0:45:08.700 think we're the first AI security vendor in the market 0:45:08.780 --> 0:45:11.620 doing it. Shiftleft. And so we're really proud about it 0:45:11.660 --> 0:45:14.740 and hoping to make awareness in the industry about it. 0:45:15.660 --> 0:45:19.340 Awesome. Well, it was great chatting with you and, uh, 0:45:19.820 --> 0:45:21.220 look forward to chatting again. 0:45:21.940 --> 0:45:23.780 Lovely. It was my pleasure. 0:45:24.180 --> 0:45:25.180 All right. Take care. 0:45:26.500 --> 0:45:27.100 Thank you. 0:45:29.260 --> 0:45:32.820 Unsupervised learning is produced on Hindenburg Pro using an SM 0:45:32.820 --> 0:45:36.419 seven B microphone. A video version of the podcast is 0:45:36.420 --> 0:45:40.140 available on the Unsupervised Learning YouTube channel, and the text 0:45:40.140 --> 0:45:43.420 version with full links and notes is available at Daniel 0:45:43.420 --> 0:45:47.220 Miessler newsletter. We'll see you next time.