Tony Loehr with DevOps Speakeasy at swampUP San Diego 2022

October 4, 2022

< 1 min read

Tony Loehr, Developer Advocate at Cycode, discusses the strengths of the Cycode platform across the software development life cycle and how it helps secure software delivery.

Video Transcript

[Music]

Interviewer: So first of all, thank you, thank you Tony, thank you so, so much for joining today for this absolute [inaudible].

Tony: Thanks for having me.

Interviewer: So would you like to introduce yourself and tell us a bit more about your company?

Tony: Sure. I'm Tony, I'm the developer advocate for Cycode, and we offer a complete software supply chain security solution to help secure source code, dependencies, the actual developers, and pretty much every other aspect of the software development lifecycle.

Interviewer: Oh, cool. Yeah, so how does it work, what do you have in this platform? And wait, just before that: how is it to be a developer advocate? Because we are in the same position, and I think it's super interesting to see that from other companies.

Tony: Definitely. Well, what a lot of developer advocacy looks like for our particular platform is essentially getting the word out and letting people know all the use cases that there are for the Cycode platform. One of the challenges of the Cycode platform is that it is truly one of the first security solutions that analyzes every stage of the SDLC, so there is quite a bit to talk about, quite a bit to document, and a decent bit to explain. But one of the biggest strengths of this particular platform is that it is able to aggregate insights from multiple points of the SDLC. What I mean by this is, let's say you want to check which of your branches have, or which of your repos have, branch protections enabled. That's a relatively simple thing to check; I dare say you don't really need too much other than just manual checks. But what if you want to see which of your Kubernetes clusters deployed to production, and you also want to see which of those deployments does not have branch protections enabled? Well, that sounds like something that is more of a complex query, but Cycode has a knowledge graph that is able to generate that sort of information very easily.

Interviewer: Yes, that sounds really cool. And actually, pretty recently we created an integration...

Tony: We sure did, yeah, we sure did. We actually created an integration for JFrog's Artifactory and Pipelines as well, to help keep track of any binaries or deployments that might happen in those resources too. We have, I believe, 30-plus integrations as of now, including pretty much every source code management system you can think of: GitHub, GitLab, even Gerrit.

Interviewer: Yeah, even Gerrit, even Gerrit, yeah.

Tony: Pretty much, yeah.

Interviewer: But, uh, probably people are still using it.

Tony: Yeah, definitely. The people that like it really like it, and we fully support it. But beyond just that, we also support Kubernetes, Terraform, several other cloud distribution platforms, AWS as well.

Interviewer: Yeah, yeah.

Tony: And we are constantly adding new integrations, so if your company has something that we don't have, chances are we could probably add it very quickly.

Interviewer: Yeah, I saw that myself whenever we added the Pipelines integration, and already... super quickly. Like, I think your developers are great, and immediately...

Tony: Absolutely. Our developers are led by another Super Frog actually, Dor. He's phenomenal.

Interviewer: Yeah, he's amazing. Yes, I love this guy.

Tony: Absolutely.

Interviewer: So wait a second, most of your developers are in Israel, right?

Tony: In Israel, they are, yes, they are. Our R&D team is based in Israel.

Interviewer: All right, so how are you screening? You have one base in Israel, one base in the US?

Tony: Uh, sort of. We have a bit of a distributed global team. We believe that our work can be done largely asynchronously. Of course, we meet up whenever we need to, and everyone seems to be pretty flexible about scheduling.

Interviewer: Everyone is super flexible, pretty much.

Tony: Yeah, that's largely about Cycode.

Interviewer: Nice. So how is it going? I know it's not related to the interview at all, but still, how were all these situations?

Tony: So I actually started with Cycode during COVID, believe it or not, and they had largely perfected their onboarding process when I started. That's another great thing about the company starting basically right before COVID: they very much normalized the asynchronous workflows that are required by a distributed team, even as it pertains to just a team working from home but based in the same region.

Interviewer: Have you really met most of your team in person? I think it's like...

Tony: I've met most of them except for my teammates based in Israel. I actually have not even been there yet, but fingers crossed I'll get to visit soon.

Interviewer: Yeah, yeah, we'll see you in July. You have to come to Yaya.

Tony: Absolutely, I'll definitely be applying there, and if my founders think that it's a good idea for me to come, wink wink, nudge nudge. Please.

Interviewer: Please.

Tony: Absolutely, I would love to.

Interviewer: That would be awesome. Perfect. All right, so tell me a bit more about Cycode. What is different in Cycode? Like, we have... I'm sorry, but we have so many security solutions all over the world, you know that better than me.

Tony: It's an absolutely fair thing to ask. I think that one of our biggest strengths is the fact that, because we have oversight over the entirety of the SDLC, we can derive complex insights that are only possible with this high-level overview. In addition, this allows us to monitor the developers involved with creating a platform. Such functionality, I think, can be best shown by our anomaly detection functionality. Let's say you have an engineer who put in their two weeks, and suddenly they're cloning a bunch of repositories, an alarming amount, perhaps even a suspicious amount of repositories. We will flag that and make sure that security has visibility into the issue. I'm sure there are potentially innocent reasons why that could happen, but the only way you can really find out is by having that act be visible and allowing these conversations to be had in the first place.

Interviewer: Cool. So basically most of your users are the security managers, right? The CISO and other team members in the group?

Tony: Absolutely. I think that Cycode's benefits... it's hard to boil it down, but I think that a few of the benefits are oversight, accountability, and visibility.

Interviewer: Yes.

Tony: I find that security really suffers when there isn't that visibility, and when you have shadow IT, shadow dev, and other, maybe even just dependencies that you're not aware of your organization using.

Interviewer: And what about priorities? Like, I tried the software, I think it's great, but you know, whenever you're getting a bunch of security issues or some alerting, how can I prioritize it? How can I decide what I'm going to do first? And I remember that you have one of those tools. Come on, please tell me more about the knowledge graph. I think it would be cool.

Tony: Definitely. Well, the knowledge graph is phenomenal in that it can also be used to provide custom alerting and custom queries. So let's say you're beholden to, say, PCI requirements, which I'm struggling to think of an example of off the top of my head, but you can actually formulate specific queries based on... I guess a good example is you can force two-factor authentication to be enabled, and we can provide governance over that, ensuring that nothing slips through the cracks on that, if you will.

Interviewer: That's cool. That's very radical. Yes. And can you show me some new features or something that we're...

Tony: I think one of our especially fun features that we just introduced is the threat intelligence dashboard. Like, for example, there was an attack on rust_decimal, which is a Rust dependency, that just happened. Well, pretty much immediately after that was discovered, we created a threat dashboard alert for that. Same thing with Log4j: we provide an alert through our threat dashboard that also is tied to a query that you can then use to diagnose your own repositories and see if you do have Log4j or rust_decimal or whatever the malicious dependency may be. So it does come back to oversight at the end of the day.

Interviewer: I didn't try that, so it looked like a huge dashboard that's showing me the problem and where I can find our dependency, I guess.

Tony: Yes, our executive-level dashboard is also phenomenal for identifying violations, potential secrets that could be hardcoded, just about any other issue.

Interviewer: All right. First of all, thank you, thank you so much for the information. I really, really like it.

Tony: Of course, thank you for having me.

Interviewer: And tell me a bit more about swampUP so far.

Tony: swampUP is phenomenal. There have been some really incredible sessions, and I've already learned quite a bit. I'm looking forward to your session later as well. But, yes, it's been excellent. I'm grateful I got to come this year.

Interviewer: I'm so glad to hear that. Thank you so, so much for joining, and go to Cycode, you're gonna love it.

Tony: Absolutely. Thank you so much.

Interviewer: Thank you.