Screaming in the Cloud - How Snyk Gets Buy-In to Improve Security with Chen Gour Arie
Episode Date: January 23, 2024

Chen Gour Arie, Director of Engineering at Snyk, joins Corey on Screaming in the Cloud to discuss how his company, Enso Security, got acquired by Snyk and what drew him to Snyk’s mission as... a partner. Chen expands on the challenges currently facing the security space, and shares what he feels are likely outcomes for challenges like improving compliance across value-add on security tools and the increasing scope of cybersecurity at such a relatively early phase of the industry’s development. Corey and Chen also discuss what makes Snyk so appealing to developers and why that was an important part of their growth strategy, as well as Chen’s take on recent security incidents that have hit the news.

About Chen

Chen is the Co-founder of Enso Security (part of Snyk) - the world's 1st ASPM platform. With decades of hands-on experience in cybersecurity and software development, Chen has focused his career on building effective application security tools and practices.

Links Referenced:
Snyk: https://snyk.io
Snyk AppRisk: https://snyk.io/product/snyk-apprisk/

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud. I’m Corey Quinn. This promoted guest episode is brought to us by our friends at Snyk, and as a part of that they have given me someone rather distinct as far as career paths and trajectories go. Chen Gour Arie is currently a director of engineering over at Snyk, but in a previous life—read as about six months or so ago—he was a co-founder of Enso Security, which got acquired. Chen, thank you for joining me.

Chen: Thank you for having me, Corey.

Corey: So, I guess an interesting place to begin is, what has the past couple of years been like? And let’s dive in with, what is or was Enso Security?

Chen: Yeah. So, Enso started for me first as friendship because I joined the team that I was working with as a contractor for a while. There was such an excellent and interesting team with a very interesting environment. And then after a while, they asked me to join that team, and then I became part of the security team of a company called Wix.com.

It’s quite a large company, web do-it-yourself kind of platform, that you can build your own website with a presentation style kind of interface, and our job was to secure that. And we formed a very, very nice friendship throughout it, but we also gained a lot of experience because you work with such a large company, and you experience many challenges, including real-time attempts to penetrate, and the complexity of social engineering at large scale. You go through a lot of things. So, this was the start. And after a couple of years, we decided that we have some interesting ideas that can do good to the community in the cybersecurity industry, and we embarked on a new journey together to start Enso.

Corey: I can see why you aligned with Snyk. It sounds like a lot of what you were aimed at is very much in step with how they tend to approach things. I have a number of sponsors that I can say this about, but Snyk is a particularly fun one, in that, obviously, you folks pay me to run advertisements and featured guest episodes like this, which is appreciated, but we also pay you as a customer of Snyk because it does a lot of things that we find both incredibly useful and incredibly valuable. The thread that I’ve seen running through everything coming out of Snyk has been this concept of, I think, what some folks would say shifting left, but it comes down to the idea of flagging issues as early in the process as possible rather than trying to get someone to remember what they did three months ago, and oh, yeah, go back and address that. That alone has made it one of the best approaches to things that are truly important—and yes, I consider security to be one of those things—that I’ve seen in a while on the dev tool space.

Chen: Yeah, and this has been the mission of Snyk for a very long time. And when we started Enso, our mission was to help in some additional elements of the same problem space in introducing additional tools to help drive this shift left, this democratization of the security effort around and in the organization, and resolving some of the friction that is created with the, kind of, confusing ownership of security and software development. So, this was kind of the mission of Enso. The category introduced by it and the ASPM category to bring the notion of postural security, postural management to applications. And it really is a huge fit with the journey of Snyk, and we were very excited to be approached by them to join their journey and help them do further shift left and extend on problem space on the complexity of this collaboration between security and developers.

Corey: A question I have around this is that it seems to me that viewing security posture management from an application perspective, and then viewing other parts of it from a cloud provider perspective and other parts of it from a variety of different things—you know, go to RSA and walk up and down the endless rows of booths, and you know, look at the 12 different things that they’re all selling because it’s all the same stuff around 12 categories or so, with different companies and logos and the rest—it feels like, on some level, that can lead very quickly to a fractured security posture where, well this is the app side of the security, and then we have the infrastructure security folks, but those groups don’t really collaborate because they’re separate and distinct. How do you square that circle?

Chen: Yeah, it’s not an easy problem, and I think that the North Star of many vendors exists this notion of sometimes I think we call it CNAP or something that will unify all of it. Cloud as a solution, and the offering that exists with cloud computing enables a lot of it, enables a lot of this unification, but we have to remember that the industry is young. The software security industry in general is young. If we will look at any other industry with that size, all of them have much more history and time to mature. And inside this industry, the security itself is even younger.

It has become a real problem much later than when software started. It has become a huge problem when cloud emerged and became, like, the huge deal that it is now. And when more and more businesses are based on digital services, and more people are writing software, a lot of it is young, and it needs time to mature, and it’s time to get to—to accomplish some big parts like this unification that you are pointing out missing.

Corey: I have to confess my own bias here. A lot of the stuff that I build is very small-scale, leverages serverless technologies heavily, and even when I’m dealing with things like the CDK, where I start to have my application and the infrastructure that powers it coalesce into the same sort of thing, it becomes increasingly difficult, if not outright impossible for some of these config...
Transcript
Hello, and welcome to Screaming in the Cloud, with your host, Chief Cloud Economist at the
Duckbill Group, Corey Quinn.
This weekly show features conversations with people doing interesting work in the world
of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles
for which Corey refuses to apologize.
This is Screaming in the Cloud.
Welcome to Screaming in the Cloud.
I'm Corey Quinn.
This promoted guest episode is brought to us by our friends at Snyk.
And as a part of that, they have given me someone rather distinct as far as career paths and trajectories go.
Chen Gour Arie is currently a director of engineering over at Snyk, but in a previous life, read as
about six months or so ago, he was the co-founder of Enso Security, which got acquired. Chen,
thank you for joining me. Thank you for having me, Corey.
So I guess an interesting place to begin is what has the past couple of years been like?
And let's dive in with what is or was Enso Security?
Yeah, so Enso started for me first as a friendship,
because I joined the team that I was working with as a contractor for a while.
They were such an excellent and interesting team with
a very interesting environment. And then after a while, they asked me to
join that team, and then I became part of the security team of a
company called Wix.com. It's quite a large company, web do-it-yourself
kind of platform, that you can build your own website with a
presentation-style kind of interface,
and our job was to secure that. And we form a very, very nice friendship throughout it,
but we also gain a lot of experience as you work with such a large company and you experience many
challenges, including real-time attempts to penetrate and complexity of software engineering at large scale,
you go through a lot of things.
So this was the start.
And after a couple of years,
we decided that we have some interesting ideas
that can do good to the community
and the cybersecurity industry.
And we embarked on a new journey together to start Enso.
I can see why you align with Snyk.
It sounds like a lot of what you were
aimed at is very much in step with how they tend to approach things. I have a number of sponsors
that I can say this about, but Snyk is a particularly fun one in that obviously you
folks pay me to run advertisements and featured guest episodes like this, which is appreciated,
but we also pay you as a customer of Snyk because
it does a lot of things that we find both incredibly useful and incredibly valuable.
The thread that I've seen running through everything coming out of Snyk has been this
concept of, I think what some folks would say, shifting left, but it comes down to the idea of
flagging issues as early in the process as possible rather than trying to get someone
to remember what they did
three months ago
and, oh yeah, go back
and address that.
That alone has made
one of the best approaches
to things that are truly important.
And yes, I consider security
to be one of those things
that I've seen in a while
in the DevTools space.
Yeah, and this has been
the mission of Snyk
for a very long time.
And when we started Enso, our mission was to help in some additional elements of the same problem space in introducing additional tools to help drive this shift left, this democratization of the security effort around an R&D organization and resolving some of the friction that is created
with the kind of confusing ownership of security
and software development. So this was kind of the mission
of Enso, the category introduced by
the ASPM category to bring the notion of
security posture management to applications.
And it really is a huge fit with the journey of
Snyk.
And we were very excited to be approached by them to join their journey and help them
do further shift left and extend on problem space, on the complexity of this collaboration
between security and developers.
A question that I have around this is that it seems to me that viewing security posture management from an application perspective and then viewing other parts of it from a cloud provider perspective and other parts of it from a variety of different things.
You know, go to RSA and walk up and down the endless rows of booths and, you know, look at the 12 different things that they're all selling, because it's all the same stuff, about around 12 categories or so,
with different companies and logos and the rest.
It feels like on some level that that can lead very quickly to a fractured security posture,
where, well, this is the app side of the security,
and then we have the infrastructure security folks,
but those groups don't really collaborate because they're separate and distinct.
How do you square that circle?
Yeah, it's not an easy problem.
And I think that in the north star of many vendors
exists this notion of,
sometimes I think it could be called CNAP
or something that will unify all of it.
Cloud as a solution
and the offering that exists with cloud computing
enables a lot of it,
enables a lot of this unification.
But we have to remember that the industry is young.
The software security industry in general is young.
If we look at any other industry with that size, all of them have much more history and
time to mature.
And inside this industry, the security itself is even younger.
It has become a real problem much later than when software started. It has become a
huge problem when cloud emerged and became the huge deal that it is now.
And when more and more businesses are based on digital services
and more and more people are writing software, a lot of it is young
and it's time to mature and it's time to get to accomplish some big
parts like this unification that you are pointing out missing.
I have to confess my own bias here.
A lot of the stuff that I build is very small scale, leverages serverless technologies heavily.
And even when I'm dealing with things like the CDK, where I start to have my application and the infrastructure that powers it coalesce into the same sort of thing,
it becomes increasingly difficult,
if not outright impossible for some of these configurations,
to divorce the application security
from the rest of it.
And I come from the infrastructure world myself,
where a lot of the things I cared very much about
and the infrastructure side of the world,
I have to care about just as much
on the application side of the world. Easy example, oh, I'm building a ridiculous front-end thing that needs to talk to a back-end
API. I'm just going to go ahead and bake the credentials into the code base. How about no?
How about we do literally anything that is not that? And that feels like if viewed through the
lens of doing this properly, you'd wind up with people coming at the security challenges from different teams and different parts of the problem.
But on some level, coalescing on some things, or if you're not careful, stepping on each other's toes.
Yeah, this could happen.
But you can go build something that is more cloud-oriented, full-stack cloud application, then you can benefit a lot.
And you can consolidate a lot of the effort around security.
But the real nature of things is that you do need all hands on deck in different
directions. And it tends to happen so that in application security
there is a unique set of issues that cannot necessarily be resolved
with cloud or infrastructure security efforts that still require some
special kind of attentions,
especially as you go more to the direction
of product security that is about the business logic
and about implementing the right process
to secure specific business logic.
There are many problems,
and especially when we talk about things
like you inherit from others,
that can be managed in a more centralized
and unified processes,
but still it's harder to build them as, you know,
software is evolving and changing very, very rapidly
inside the factories that build those software.
There are a constant series of challenges and tensions in the security world.
Partly you have the, whose responsibility is security?
I know that the old trope, since I've been in this industry,
has been, oh, security is everyone's responsibility. And I think that is a great perspective,
except for the small minor point that it doesn't freaking work. Because when something is everyone's
responsibility, then it is no one's responsibility and things tend not to get done. You see in many
of the companies that I find myself talking to, security is sort of off on its own island.
They have their own terms of art.
We go back to that RSA Expo Hall, and they're using a whole bunch of acronyms that no one will bother to expand or define.
They just assume everyone knows it.
And that's great, but it's security people talking to security people.
And increasingly, I find in some companies, those groups become relatively isolated or the department of no.
And I've talked to engineers who say, oh, I didn't worry about the security aspects of this.
That'll get caught in code review when security does its thing.
That's a terrifying thing.
It is.
One of the beautiful things about Snyk is that I'm not sure if they captured it, the founders of Snyk captured it the same way I did, because I was thinking about this a little bit from a different direction as we were working on Enso.
But in fact, when you function as a central security team, the only thing that you're after is the buy-in.
It's the buy-in of your executives and the buy-in of your developers.
You're not really after the bugs, you're not really after the security.
You are after getting their attention and their desire or their
intent to improve on
security. Your tools
are by propagating
knowledge and information
about problems that are created when
they don't behave this way, when
they don't include
better processes. But
really, you are after the buy-in.
And Snyk got, in the very early days of it,
made a very interesting move on the buying of developers,
not from the direction of,
here you will have a lot of problems,
here you can make a lot of fixes.
As a developer, you can solve it locally with your own things,
and then the buy-in comes from something that is more attached
to how developers think about problems.
They want to fix them.
They don't want to hear about so many problems.
Snyk has always respected my time in a way that Dependabot never has.
When it tells me something, it is important in almost every case.
The exceptions being like, no, no, I'm intentionally making something horrible to be funny.
Don't worry about it, at which point it just goes and holds its digital head for a while and sighs.
But yeah, that's what I want. I don't want 6,000 things that I have to fix. I want the
things that are actually impactful right now in the moment. And Snyk has always been able to
thread that needle in a way that to be direct and you aren't and can't pay me to say this,
but it's a, it's like, it's magic. It just works. And that's no small thing in this space.
Absolutely.
So you were at Enso for, what, three and a half years, give or take, before the acquisition by Snyk. And when you
see something like that happening, it's, okay, great, is this a strategic acquisition or is it an acqui-hire
is always the big question. I go to your former website and it redirects to the Snyk AppRisk for ASPM product offering.
So I'm just going to go on a limb here and guess that Enso Security became AppRisk.
Is that directionally correct?
Directionally, it is correct.
Because it's always strange to say, yeah, we're going to sunset our current product.
The whole team is going to go work somewhere else.
And collectively, you'll never hear about what we're doing ever again. It's okay, great. I understand that there. That is an outcome that in many cases
is the right answer for everyone involved. But it's also sad when you have a product that you
know and you love. From what my understanding, what AppRisk is doing, it isn't taking a step
back from what Enso did in any way at all. This is an acceleration for feature releases
and in value delivered to customers.
Is that correct?
Or do I have some massive backwalking I need to do now?
Yeah, I think that for me,
this is an excellent framing for the story of our company.
Because on top of the brand that we used to have in the past,
we also have some experience in the field.
And we've built some
very interesting technology to support some imported processes in this space. And our story
is the kind of story where the buyer recognizes this and takes this forward, you know? So we're
very happy about this. What was it like? I found that I was effectively unemployable for reasons
that should be blindingly obvious to anyone that's ever had more than a 30 second conversation with me. Wow, that guy'd be obnoxious to work with. In an employment context, usually. So I started this place not because I had this grand vision at the time for the mark I wanted to leave in the universe, but rather, well, what other options do I have? And I made it work, but I've never really looked at the idea of going
back the other way. Oh, we should wind up getting acquired somewhere. What's it like going from
having the autonomy and yes, also sleepless nights and constant fires of being a founder
to the relatively prosaic life of an engineering director? So I wouldn't say prosaic, just yet.
I don't want to wildly trivialize your day-to-day.
It's like, oh yeah, you work at a company that does really well.
How hard could it be?
It's like, oh no, they're not.
The problems are no better.
They're just different.
We're actually in a very exciting, very high-paced run to accomplish this, you know, the same
way I think.
I think it's not
too different than
how we would have felt
if it was just
still our company,
but we,
in some ways,
I can look at it
as a different
funding approach.
Like, you join
a big company
to bring this
vision to market,
or you get money
from another
venture capital
to continue
on your own.
So macro climate
and these kind of factors
go in, but
in terms of our vision and
the opportunity to execute
the kind of vision that we wanted,
it's still the same pace, we feel the same,
we talk about the same subjects
and the same challenges,
and we built to the same. The beautiful thing
about this was that Snyk and us, we had
almost the exact vector
on what is the future of application security.
And this is why it just goes,
it's a very smooth transition, actually.
The idea of how these acquisitions play out
is always somewhat difficult to see from the outside world.
Was it something that came along and felt like,
wow, this is a real acceleration?
Was it, all right, you know what?
It would be great if we could wind up selling to a company.
Let's start a bidding war
and then we'll just see whoever winds up
throwing the largest pony at us will win.
How did that whole thing unfold?
So Snyk is very engaged with a developing partnership
and they have also a local presence here in Tel Aviv.
And as part of this partnership, we engaged in different conversations around the problem space, sharing ideas, sharing
our thinking, a little bit teasing about the kind of technology that we have and the product
approach that we have, showing off ourselves a little bit. And at some point they just...
And there's a counterpoint too, where each company has four letters in its name. You have two vowels, they have none. I've been urging them for years to
take some of the money that they've raised and use it to buy a vowel. This isn't exactly what I meant,
but okay, good steps. Yeah, yeah, that's also a good thing to get when you buy something.
I will say this, that there are certain companies, and Snyk is one of them, and they're very rare, that when they buy another company, you're excited to see what happens.
There are other companies who are not in that boat.
Let's make one up hypothetically and call it Cisco.
There was this magical hypothetical company called Cisco that bought a company called Epsilon that I was a huge fan of
and a happy customer of. Step one for me was to call them and congratulate the founders because
they were great folks. And the second was to cancel my user account with them because I couldn't stand
watching yet again something I love become something that was basically turned into glass.
Whereas when Snyk buys something, this perspective is still, and this goes far beyond me,
this is an industry-wide perception. Oh, wow, I can't wait to see what happens next. Snyk's
acquisition track record is stellar. Their company culture remains stellar, at least the perception
of it from the outside. Did that factor in at all when you were considering, is this going to be
something where the two entities merging into one
are stronger than either would be independently? Yeah, so definitely we had a series of discussions
talking about how the, we call it at that time collaboration, but it's obviously a little bit
different than that, but how the future of Enso would look like inside Snyk. And we gave a lot of thought on what would be the meaning of making this step.
A question I want to talk to you about.
I've mentioned this in a number of episodes in various ways
because I find myself thinking about it constantly.
But I feel like in the aggregate,
there are two categories of problems that businesses have.
You have the proactive side of the problems.
How do we expand
revenues? How do we open new markets? How do we wind up driving new lines of business? And then
you have the reactive side of the world. Security inherently falls on this side of the universe.
My own business of fixing AWS bills falls on this side of the business. Buying fire insurance for
the office falls on this side of the world.
Things you have to do, like eating your vegetables,
but you can spend all your time and energy on those things
until your company goes under,
and it doesn't move you one iota closer
to your company milestones.
It feels like security is one of those things
where if you let it, it'll consume everything at a company.
It's always held in tension with feature releases
and not getting in the way.
But something you've been vocal about historically
is that cybersecurity is not necessarily the hero of the story.
Tell me more about what you mean.
Yeah, so you're spot on.
I started my career as a pen tester,
and we were guided to tell our buyer,
to tell our customers that security is a business
enabler and security can even make your business better. Good engineering practices could accelerate
you, but security is, like you said, something that's in there to protect your business.
It's, and there is no way around it. And I think that now what happens is that the market is
going to check on the
return on investment on security because of what you pointed out, because of this problem that you
pointed out. And it's a good point in time for us security folks to look in the mirror and realize
that our job is to protect something that is a little bit more significant than what we do.
What we do is to protect something else. This something is
the hero of that
story and it's almost
like software is and this amazing
machine that humankind has built
is the hero of this entire
story and our job in this
is to provide security
and to protect it. But
the main event is software
and digital services
and this amazing machine that humankind is building.
At some level, it feels that security can tip over the line into compliance.
And I have to be careful how I talk about this,
lest I be misunderstood.
Compliance is important, particularly if you're, you know, a bank, for example,
something that matters in a sense where, oh, if we get out of alignment here, there are very real harms in the
world, as opposed to in my case, where if I completely dropped the ball on the security
side of the fence for my media side of my business, people could send out spam email.
Like the risks are not equivalent. So compliance is important, but on some level, it seems to become
the reason for doing things. I've seen too many projects that are greenlit just to check a compliance box that
don't actually make anything significantly better. It feels like, left unchecked, that's a trend that
only grows. It never gets pulled back. Yeah, it makes sense. I think that compliance is
the excess payment on the attempt to standardize security.
It's like a tax system on top of the actual value in security.
If you want to make sure that everybody does this, you have to layer in more and more rules and ways to evaluate if these rules are being followed.
And on one hand, it's very costly.
On the other hand, you don't really have very effective means as a global community to regulate and
to push vendors into being more responsible.
And this is why this still exists.
And I think that we do need to invest in making compliance more accurate to providing value
add-on security, but it is going to take time.
Because the nature of this thing is that you give two
developers the same task, building the same thing. They will create completely different things with
completely different set of problems, different implementation, security and otherwise.
And to regulate safety into that is very, very hard. And this is why we experience this growing demand
and growing list of compliance
frameworks and regulations.
But I think that the future
is that as everything,
it will have its own natural evolution
and we will end up with better practices,
more out-of-the-box security,
especially with the power
of cloud services
and good practices that are coming along. And maybe the future is a little less
entangled in these spreadsheets with the checkboxes.
Honestly, there are times where getting an office for the
Duckbill Group here would make it easier for us to handle the
vendor security evaluations at many of our clients. Because
it would mean that we could check the boxes people expect rather than having to have a nuanced conversation.
One of the reasons I'm not allowed to have those conversations myself is we're a distributed
company. So when you start asking me about the physical security stuff we have implemented,
I work from home. This is where my family lives. Bust in here and start threatening them. I will
log you into whatever you want
and give you a guided tour.
If that doesn't align
with the security posture requirements of my clients,
then they should make sure not to give me access
to anything that would be damaging in that context.
I don't want access to that kind of secrets anyway.
It's not necessary for what I do.
But that is a difficult and nuanced conversation to have
versus,
yup, we have locks on the doors and everyone must badge in. It's a very big gulf sometimes.
It is. It is. And I think this maybe drives the variety that you see when you go down the aisle in the RSA that you refer to a few times in this talk. It's a complicated mission to protect
things. Even think of your own house. If you step away from the reason
you talked about your house in this conversation,
how to secure your house,
your own house, is very difficult.
And then try to apply this
to the entire cyberspace.
So many different variables,
so many different things inside.
And people are trying to draw useful lines
and segment responsibilities
between different processes, different
parts of their technology. It drives
a lot of frictions in this space, but
it's a necessary part of the evolution
of software and of security.
One last topic that I want to get into
before we call this an episode is
as we record this, what's currently in the
news cycle is a sentencing for something
that happened three years ago or so,
where a then-employee of First Republic Bank
was fired for something or other
that they shouldn't have been doing.
Great, not relevant to the story.
They went home,
logged into production systems
from their not-confiscated-yet-work laptop
through access that had not yet been revoked
and damaged a bunch of First Republic systems.
Now, this person just got sentenced to two years in jail.
Great. They acted unethically. I have zero sympathy.
Don't do that.
But the real hell of it to me is First Republic, at least at the time, was a bank.
How do you not lock people out when they are terminated from employment?
And Snyk does a lot of terrific stuff, don't get me wrong,
but it all presupposes that the basic block and tackling,
like have passwords set up on your computers,
or zip up your pants when you leave the restroom style stuff,
has already been taken care of.
When mistakes like that are being made,
on some level it feels like anything more advanced
than those absolute fundamental basics
just feels like it's far future technology.
It's not, but it's easy for me at least
to come at this with a sense of,
if we can't even get the basics right,
then what's the point of all the advanced meat stuff?
Yeah, so in occasions like this,
I tend to try and look at the places where it happens
right? Like we talked just a moment ago about compliance, compliance men driving forces to
promote more and more of this happening, right? But, like, I feel a little bit like a broken record, but
I think that the main reason for this is that this is hard. It's hard to accomplish fully proficient
security agenda across
your entire
exposure,
your entire surface.
This problem touches everywhere. It touches
the subject that you brought up before about
different security teams stepping on
each other's toes, sometimes stuff
falls between the cracks.
How does shift left affect ownership?
Many, many different subjects that are not very easy to work about, but no one said that
software security and software in general is easy.
And it's not going to remain easy, even with the promise of AI for the near future.
But we are here to try and improve it, try to make it better.
I think that you're on the right path.
As a customer, I deeply appreciate the Snyk experience. Obviously, as a vendor, I appreciate
your business as well. But honestly, the things I care about the most, yeah, it's the security
piece of it. Because once, if you drop the ball on that, none of the rest of it matters. Like,
well, we're terrible at security, but we have great marketing. Does not work.
You have to do the basics.
And just frankly,
everything that you folks have done so far
and every time I've encountered you,
both in my own experiences
and in my customer accounts,
you leave them better than you found them.
And that is deeply appreciated.
Thank you.
I really want to thank you
for taking the time to speak with me.
If people want to learn more,
where should they go?
So I think the first place to go is to Snyk's website,
to read also about AppRisk, and take it from there.
And we'll, of course, put a link to that into the show notes.
Thank you so much for being so generous with your time.
I really appreciate the chance to speak with you.
Thank you so much for having me.
This has been very, very pleasant.
Chen Gour Arie, Director of Engineering at Snyk.
This featured guest episode has been brought to us by our friends at Snyk.
And I'm cloud economist, Corey Quinn.
If you've enjoyed this episode, please leave a five-star review on your podcast platform
of choice.
Whereas if you hated this episode, please leave a five-star review on your podcast platform
of choice, along with an angry, insulting comment that, depending on how crappy that comment is,
I will hope that that podcast platform gets acquired by either a great podcasting company
or by Cisco.
If your AWS bill keeps rising and your blood pressure is doing the same, then you need the Duckbill Group.
We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill
Group works for you, not AWS. We tailor recommendations to your business and we get
to the point. Visit duckbillgroup.com to get started.