Maya Rotenberg, VP Marketing at WhiteSource, sat for an interview with Aviva Zacks of Safety Detective. They talked about how her company stays ahead of the game by solving its customers’ problems using detection and prioritization.
Safety Detective: What is it like to market for a cybersecurity company?
Maya Rotenberg: We are not a regular cybersecurity company as we sell a security solution for both security engineers and software developers. So, we can’t market our application security solutions like any other cybersecurity company.
Other security products use FUD—fear, uncertainty, and doubt:
- The next breach is right around the corner.
- Six ways to not lose your job.
We can’t do that because while it works well with security, it doesn’t work well with engineering. Engineering is all about efficiency, agility, finishing things in their timeline. Security is about prioritizing security above all, and there is a conflict between speed and security.
Application security solutions like WhiteSource need to handle both of those issues. We need to secure the application without slowing down the developers.
SD: Can you tell me about WhiteSource’s products and technology?
MR: Around 60 to 90 percent of the codebase in every single application—whether it’s a federal, LinkedIn, or e-commerce platform—is open source. Developers use open source components and focus on the 10 percent of the technology of the application that makes them unique and differentiates them from their competitors. Everything else besides that 10 percent is open source.
There’s no perfect code and there are vulnerabilities in everything, but the difference between proprietary code and open source code is that information on vulnerabilities in open source is public. In order to exploit vulnerabilities in the open source component in your application, hackers only need to look for information about known vulnerabilities in the open source component and then try to exploit it on several thousand applications until they find a match.
We notify companies about open source components with known vulnerabilities and we have them remediated in a semi-automatic way. That way we help the security engineers by detecting and providing information about the security issue. We also help the developers by first detecting the vulnerability in the very early stages when it is quicker and cheaper to fix it, and we guide them on the right way to fix it and therefore save them remediation time.
SD: How does your company stay ahead of the competition?
MR: WhiteSource was the first company to offer a solution to software developers and security teams to detect and fix open source components. Before us, most of the companies had a manual process and we invented a new technology to automate that manual process. We’ve been redefining the space year after year. We’ve been anticipating the needs and building unique proprietary technology to meet that need.
In the beginning, we were about detection. Then we moved into detection and prioritization because we understood that no one can fix all vulnerabilities, so we have a prioritization engine that helps teams focus on what matters. Then we build the remediation team, which is a solution to help developers fix it quicker. It’s all about understanding the entire process of the company, understanding our customers’ challenges and pain points, and building a unique technology to help them deal with those pain points.
SD: What do you think are the worst cyberthreats today?
MR: The application layer is the most sensitive and the weakest link in most enterprises. We know based on the Verizon breach report that in the past four years, the application layer was where most data breaches occurred. And I think this is the weakest point for many enterprises because security cannot be prioritized as a top concern unlike network security and endpoint security because there is also a need of trying to market.
There’s always a need to find the right balance between speed and security. But on the other hand, the application is always the gateway to a company’s data. This is the easiest way for hackers to get control of your data, so I think this is currently the weakest point in the security of organizations. This is where they have been hit the hardest in the past four years and this is where most enterprises need to change their mindset. Before buying additional tools and fancy gadgets and implementing new technology, I think the first thing that enterprises need to change is their mindset. They need to take ownership of their applications and the security of their applications and find the right balance between security and speed in order to make sure that they won’t be easily breached.
SD: Where do you think cybersecurity is headed in the future, now that we are living through this pandemic?
MR: I think that the pandemic is accelerating a lot of innovation and not just things that are concerned with having a distributed workforce. I think the workforce itself is also being changed. For the last ten years, most companies employed full-time employees, and now the percentage of freelancers is increasing. Where people are working has changed. Everything has changed. And I think that because the workforce is changing, a lot of enterprises will need to change their perspective.
I think that this accelerated transformation is also paving the way to great technology, and I can see just by looking at the new cybersecurity startups that have been founded or announced in the past few months, we are in a time that when there is a need, there will be a startup answering that need. I think we are going to see a rapid change in cybersecurity in terms of new categories evolving and all the categories starting to die. I think five years from now, the entire issue of cybersecurity will look very, very different, with a lot of technologies that are only just starting.