In an exciting week of hustle and bustle in San Francisco, California, crowds filed into the city to attend RSA Conference 2022 and Lightspin’s Purple Cloud Summit Event. After years of will they / won’t they tension regarding in-person attendance at such events, it was emotional to see the large turnout and feel the joy of old friends, colleagues, and partners finally being able to engage with each other face to face.
The Lightspin Team, led by CEO and Co-Founder Vladi Sandler, attended RSA to participate in the RSA Innovation Sandbox Contest. Our team is tremendously honored to have been included as one of 10 finalists winnowed down out of 100 other startups with game-changing ideas to present to RSA’s panel of judges. See our pitch here.
Beyond RSA Meetings and Mingling
The Lightspin Team was proud to present our Purple Cloud Summit, bringing together an array of builders and leaders from all facets of the cloud security field. The day-long event presented by Lightspin, newly minted cybersecurity unicorn 🦄 Perimeter 81 (congrats on the recent Series C raise of $100M!), and Votiro, provided educational content from cloud security leaders building the future in the cloud. Here’s a quick wrap up of the sessions we held:
- Amit Bareket, CEO and Co-founder, Perimeter 81
- Vladi Sandler, CEO and Co-founder, Lightspin
- Ravi Srinivasan, CEO, Votiro
Moderator: Tanya Janca, Founder & CEO, We Hack Purple Academy
In this, the first session of the Purple Cloud Summit, we asked C-Suites, “what do you think about the role of DevOps, and how is this role evolving in your organization?”
The panel discussed how the role of DevOps is shifting to a more hybrid DevSecOps role and what kind of capabilities this unlocks for organizations. Ravi Srinivasan, CEO of Votiro, commented that he sees DevSecOps in a more acute manner, building “security management designed into the development process.” Ravi went on to say that he looks at DevSecOps as a way to get capabilities out to the market faster and to differentiate their offerings. It helps organizations get the results they want – getting their features, products, etc., to the market faster and more securely. Vladi Sandler, Lightspin CEO and Co-founder, commented that being able to affect the problems he sees in the build or code process is a huge advantage. The team can drop the build as soon as a security finding is discovered, and it improves the ability to scale out development functions more efficiently and securely.
Amit Bareket, CEO and Co-founder at Perimeter 81, also noted that integral to the success of this emerging role and functionality is a cultural shift within the organization itself, to empower and permit the ownership of these types of projects with security built in from the earliest stages. The perspective of this group of CEOs is that by looking at security as a functional requirement rather than an add-on, organizations will be able to deliver features and capabilities that operate securely from day 1.
- Steve Pugh, CISO, Intercontinental Exchange, Inc.
- Srinath Kuruvadi, Head of Cloud Security, Netflix
- Joe Vadakkan, EVP, Engineering & Sales, Lightstream
- Ugochukwu (Ugo) Enyioha, VP Security Engineering at Cloudflare
Moderator: Gily Netzer, VP Marketing, Perimeter 81
In this session, our panel discusses two questions: how do you manage friction between security teams? And how do you put an emphasis on every action that developers need to take to identify and remediate security threats?
As Ugo Enyioha aptly noted during this discussion, developer empathy is required to reduce the friction between teams, and with that a strong understanding of how the tools being offered to devs are being used and how they fit into the pipeline. Without this empathy and understanding, the friction that exists as more organizations move to a “shift left” model in DevSecOps roles will persist.
Srinath Kuruvadi, Head of Cloud Security at Netflix, also noted that for security to get it right, it requires a partnership with developers. Moreover, Srinath commented that developers need to be supplied with context more than anything, because context drives good action. Security should be considered by developers as a step in their pursuit of building quality features and capabilities, meaning security risks should be something developers care about as part of the process as well.
The panel also discussed trends they are seeing in the market and from the baseline to the more advanced, what organizations should be looking for as they approach cloud security.
- Gafnit Amiga, Director Security Research, Lightspin
- Ramy Rahman, Principal Cloud Security Advisor, Lightstream
- Mark Mishaev, Chief Architect, Checkmarx
- Ben Sadeghipour aka “nahamsec”, Vice President, Research and Community, Hadrian
Moderator: Ashish Rajan, Cloud Security Podcast
In this session, we talk to cloud researchers from all walks of cloud security life to discover the magic behind their vulnerability and bug finds and fixes. As the session begins, we ask the panel to define what exactly it means to “research the cloud.” Are they pen testing the cloud? As Gafnit Amiga, Director of Security Research at Lightspin, describes, it isn’t pen testing the cloud – it is trying to understand how cloud security services work, how they are built and implemented, what functions are happening in the backend, and then going beyond that to test, “well, what would happen if I tried XYZ?” At the end of the day, the function of cloud security research is to better understand the services being provided to assist developers and users to work in their cloud environments more securely. The process is a bit of reverse engineering to see how intended services may map to functions that they shouldn’t or how someone could navigate to areas they shouldn’t be operating in, commented Ramy Rahman, Principal Cloud Security Advisor from Lightstream.
The session offers a view of why defending the cloud is so complex, why it is so important to test and publish remediation discoveries and where these researchers see the future of the cloud.
Wrapping It All Up
Between RSA 2022 and the activity at Purple Cloud Summit, the Lightspin team had a busy week in San Francisco. We are so honored to have been a finalist in RSA’s Innovation Sandbox and we enjoyed the time we spent with colleagues, friends, and new acquaintances between RSA sessions and Purple Cloud Summit.
We’d like to take the opportunity to thank our presenting sponsor Perimeter 81 and sponsor Votiro for their collaboration on putting together the summit, and a very big thank you to all our moderators and panel members for such lively discussions and taking time to be present with us for this event. We couldn’t have made this happen without you! Thanks to all that attended in-person and via our live stream, and for those of you who weren’t able to make the sessions whether in-person or live, check out Lightspin’s YouTube channel to catch up on anything you may have missed and stay tuned for the fully edited session videos!
Lightspin is the graph security platform built by cloud engineers and for cloud engineers. From workload protection, to posture management, to IaC scanning and more, get to know Lightspin by starting for free today!