Aviva Zacks of Safety Detectives recently interviewed Guy Flechter, CEO and co-founder of Cider Security. She asked him about how his company is building a new operating system for the entire AppSec ecosystem.
Safety Detectives: What motivated you and Daniel Krivelevich to start your company?
Guy Flechter: I have been in the security trenches for almost 20 years; I served in the Israeli Air Force and then became a security consultant. After a few years in consulting, I moved to LivePerson’s security team, where I met Daniel. He was leading the application security side at LivePerson, and that’s where our journey started. After a few years at LivePerson, I moved to AppsFlyer to be the company’s first CISO and to establish the entire security program. When I joined the company, there were 250 employees, and when I left, there were 1,200.
Daniel and I decided to create Cider Security because we felt a lot of frustration while we were trying to implement security as part of the engineering ecosystem, and that pain was industry-wide. We felt that the industry’s situation was problematic and that the solutions were very particular and pointed to specific issues without the understanding of the broader challenge. So, we established Cider to help the security and engineering teams bridge the gaps that they had when they were trying to implement security as part of the engineering ecosystem.
SD: Tell me about your company.
GF: As we are tackling the topic of security for the CI/CD pipeline, we wanted to be clear with our name and what our focus is, yet still stay snappy and fun. We got a bit lucky that CI/CD sounds a bit like a drink that happens to be a favorite of mine, apple cider, and from there we got to Cider Security.
SD: Tell me about what your company does.
GF: We are building a new operating system for the entire AppSec ecosystem. We created a unified platform that brings you all the layers that you need to monitor and secure in your engineering ecosystem. We start by providing full visibility of what you receive initially from the developer and then all the way to the production environment. Based on that visibility and on the asset inventory, the security teams can start building all the security layers that are needed as part of the CI/CD, something that was never available before. By being able to build these layers and security with more accuracy to your environment and to your technology stack, languages, and framework that your developers are using, we help eliminate the friction that you have today.
SD: What is it that makes your company competitive in such a large ecosystem of cybersecurity companies?
GF: I think that it’s about the team that we are building here, that are coming from the trenches and understand the pain first-hand. We are trying to solve the problems that we encountered every day.
Secondly, we are trying to bring in multiple layers. It’s not like a point solution. We’re not trying to only cover one AppSec domain; rather, we are trying to cover multiple layers of problems originating from the same place in the engineering ecosystem, all from a single platform.
And the third element which distinguishes us from other companies is that we are not trying to build everything by ourselves. In some places in our product, we are leveraging the power of the open-source community and also commercially available solutions. We don’t need to build fixes for every issue, but we want to be able to point our users to a tool that can help them resolve the problem then and there.
SD: What do you think are the worst cyberthreats today?
GF: There are two main vectors that have dramatically increased in the last two years, especially with COVID and the adoption of new technologies for many companies. One issue is the adoption of more and more SaaS control tools in the day-to-day of a company. The second area is the development of the engineering ecosystem. That became a highly focused area for attackers as attackers understand that leveraging an attack on the engineering ecosystem can very easily lead to the crown jewels of the company. Implementing security as part of the engineering ecosystem is very hot today, but not a lot of companies are doing anything in that area and attackers are aware of it.
SD: Do you think that the focus of different companies has to change now because of the pandemic?
GF: I think there is a lot of change. As I said, companies are adopting more and more advanced technologies, adopting SaaS capabilities, and a lot of changes also for big and traditional companies out there. In addition, the fact that we will go back to some kind of hybrid-mode world. A lot of the work time of employees will be at home, far away from the security team. Attackers are leveraging this and understand that people are less aware of the security risks.
People are becoming an easier target for adversaries because of that decrease in awareness. We have adopted new ways of working and a new way of life, which is great, but security needs to adapt to this new normal in order to help companies continue to grow in this new working environment.