RSA 2022–What a Week!
After two years of virtual events, the Mend team was beyond excited to gather in San Francisco’s Moscone Center and connect with the tech community face to face. This year’s theme was ‘transformation,’ which couldn’t be more appropriate for us as we unveiled our new company name and integrated application security platform with automated remediation for SCA and SAST.
Monday was all about exploring the event floor and diving into the conversation with attendees–we handed out our fun ‘Mend your own’ canvas bag, where attendees got to choose the design they wanted on their bags, as well as Bluetooth speakers. And naturally, we invited folks to join our Mend happy hour celebration the next day.
Tuesday started off with a bang at 10 a.m. PT as a flood of attendees poured through doors to the expo floors. Our team was excited to talk about the changing application security landscape, and how detecting vulnerabilities is not enough. To close AppSec gaps, you have to mend them, quickly and easily. That’s what we are all about.
Mend co-founder and CEO Rami Sass sat down with DevOps.com to talk about application security trends and increased activity, as we’ve seen with Log4J and Spring4Shell. Sass is particularly excited at how effectively Mend’s rebrand stands for our vision of next-gen application security. ”We want to go beyond just finding vulnerabilities,” he says. “We completely automate the process of fixing vulnerabilities–we feel that’s the right way to get the value from application security. That’s why we named ourselves Mend. It’s about mending applications, not just finding the problems and leaving you to figure out what to do with them.”
Meanwhile, CMO Arabella Hallawell joined a lunchtime panel discussion that included Ben Johnson, co-founder and CTO of Obsidian; Joe Slowik, Gigamon’s senior manager of threat intelligence and detection; and Aaron Shilts, president and CEO of NetSPI. The group had a lively discussion on the constant action-reaction nature of today’s application security landscape. As the security community transforms, attackers inevitably find a response, making for a fascinating threat landscape in constant motion. Defending against such a constant stream of innovative attacks requires a resilient outlook and strategy that prevents as much as possible while building innovations for the future.
The day was capped by a fabulous happy hour event at the W hotel, hosted by Mend and CloudBees. Sass welcomed a crowd sipping signature cocktails and happily noshing on everything from sushi to sliders and fries – not to mention the popular dessert shots of coffee and chocolate liqueur. The crowd enthusiastically queued to get a personalized story from The Bumbys, an anonymous performance art duo who use electric typewriters, along with a charming sense of humor, to provide “A Fair and Honest Appraisal of Your Appearance.”
Wednesday brought more opportunities for Sass and Hallawell to talk about Mend’s vision as well as analyze AppSec trends, as the pair sat down with Dark Reading, Protocol, and cybersecurity pundit Shira Rubinoff. Some of the key takeaways from the interviews:
- Hallawell: “Most solutions today are focused on finding and detecting problems, but we’re focused on finding and fixing. Today, about 80 percent of vulnerabilities are known but not fixed, and we find and automatically fix them. It’s about mending gaps and reducing the attack surface.”
- Sass: “A big majority of the market is still stuck in a legacy approach that is too concerned about compliance, because the market started with companies trying to pass audits rather than fixing app holes. Therefore, many existing solutions focused on detection, but just finding problems on its own is useless. Think about having a cavity and the dentist X-rays your jaw and sends you home with the picture–your jaw still hurts, so the problem is not solved. Finding and fixing is a big value add and we see a big opportunity.”
- Hallawell: “We produce the code to automatically fix vulnerabilities across open source and custom code, and nobody else is doing that. I personally think it is the way ahead for AppSec because right now it’s so burdensome and time-consuming for developers to do the research and figure out how to fix things.”
- Sass: “Longer term, we want to turn application security invisible. It won’t happen overnight but in our minds, developers eventually won’t have to worry about security at all. They will be free to work on the things they really care about. Auto-generating lines of code to fix vulnerabilities is the first step in that journey. Over time, we want to gain developer confidence where we can auto-remediate without any developer review.”
Thursday saw the Mend demo space continue to buzz with activity, as people stopped in to hear about the Mend SAST solution, a key component of our unified application security platform. There was a steady stream of people who arrived with bags full of freshly popped popcorn courtesy of the mobile Mend popcorn cart, and we heard some positive feedback on our new name. Other conversational snippets from the booth included:
- AppSec discussions in regards to SCA, SAST, and software supply chain management–there’s a lot of overlap as these issues are part of a larger strategy for many.
- Compliance came up a lot. When companies are bought or sold there is a compliance audit with open source libraries, and we can help.
- Auto remediation for SAST. It’s a new concept and it catches peoples’ attention.
- The value of taking a multi-pronged approach to cyber risk, not only via technology but also by using risk modeling to build effective insurance policies.
And that’s a wrap! (We all know that Friday is generally devoted to a sad trek away from the fun and back to our regular lives,) Hope you had as much fun as we did!
