CIO Influence Interview with Jimmy Xu, Field CTO at Cycode

Jimmy Xu, Field CTO at Cycode, chats about the benefits and features of Cycode's Application Security Posture Management (ASPM) platform, the top challenges companies face when implementing DevSecOps, and more in this Q&A:


Hi Jimmy, welcome to our CIO Influence Interview series. Can you talk about your 20 years of experience in cybersecurity and IT journey?

Interestingly, I started my career as a software engineer. I then worked in various IT and operations roles in the public sector. Because I worked in the Department of Defense, cybersecurity had always been embedded in everything I did. During my time there, I held multiple positions from hands-on technical roles to leadership roles, which gave me a balanced perspective. I continued to expand my training and responsibilities across multiple cybersecurity domains.

Because of my background, security architecture & engineering, cloud security, and application security were my favorite domains. After I left the public sector, I went into the private sector as a cybersecurity consultant. My consulting days helped me gain huge exposure across many private enterprises: their business goals, priorities, and challenges.

It was also the time when DevOps transformation and Cloud began to gain huge traction. I remember it was the time people started to realize the collapse of a traditional “perimeter” and the need to focus on layers above the network – such as applications and data.

Since then, I have been at the forefront of navigating the complexities of DevSecOps transformation, Cloud adoption, and securing modern applications. I have witnessed many technology evolutions and believe in the power of innovation. I then worked a few years in the systems integrator/solutions provider space leading a world-class DevSecOps practice focused on helping customers transform, select the best technology solutions, and implement and operationalize them.


I have led numerous successful DevSecOps transformations, built several innovation solutions that enabled modern DevSecOps patterns, and advised countless startups, investors, and industry research analysts, gaining invaluable insights into the industry’s challenges and opportunities.

Cycode is known for its Application Security Posture Management (ASPM) platform. Can you explain the core features and benefits of the ASPM platform for businesses?

Cycode is a complete ASPM platform. The platform includes:

Pipeline & Build Security. Protection against vulnerabilities, exposure and unauthorized access across your entire software delivery system and its supply chain. This is also known as “security of the pipeline.”

Proprietary modern Application Security Testing (AST) tools. Vulnerability scanning, detection, and coverage across open source, static code, and cloud, including SCA, SAST, IaC and container scanning. Our purpose-built modern AST tools close the gaps found in legacy solutions, so they are faster, more accurate, and easily integrated into both developer and security workflows.

Connector X – ingest, correlate, deduplicate, and prioritize all your third-party security tool data into Cycode’s Complete ASPM platform for full visibility into your security posture. We understand that application security & DevSecOps is all about enabling developers to build quality applications faster. This implies that we need to embrace the freedom of tool choices. One of the fundamental challenges in the application security space is not tool sprawl; it is the excessive duplication and lack of risk context from multiple tools that prohibits scaling and developer adoption. Our Connector X is designed just for that.

Cycode AI – AI built into the fabric of the Complete ASPM platform. The core AI capabilities are focused on enhancing productivity for both the security team and development teams, and include AI Material Code Change, AI Secret Detection, AI Auto Remediation and more.

Can you elaborate on the role of Cycode’s Risk Intelligence Graph (RIG) and how it enhances traceability and security across the entire Software Development Lifecycle (SDLC)?

Cycode Risk Intelligence Graph – or RIG for short – is a powerful tool that connects and correlates alerts across your entire software development lifecycle (SDLC) from code to cloud. It allows you to filter the noise so that you can focus on the vulnerabilities that matter the most. That is, the vulnerabilities that represent true risk to your organization. With the ability to leverage natural language to query across the industry’s most advanced risk graph, the graph technology intelligently maps your software architecture, identifies and prioritizes critical risks across code, dependencies, and infrastructure down to the critical 1%.

What are the top challenges companies face when implementing DevSecOps, and how can they overcome them to ensure a seamless transition?

Today’s security teams are extremely limited in capacity and limited to only trying to keep the lights on, with little to no time to reduce risk and focus on strategy. All while their pain points have exponentially increased over time:

  • There is an unmanageable attack surface
  • Too many security tools that do not work together or bring different teams together
  • As a result, Security and Development teams are still working in silos
  • And the expectations from the business remain to continue innovating super fast.

All of this contributes to a huge Gap or AppSec Chaos where Cycode’s Complete ASPM comes in to help:

  • Reduce the alert fatigue and false positives
  • Create a high velocity environment for development teams
  • Never let security or development teams miss a critical alert
  • Create a philosophy of teamwork and collaboration between Security and Development

Can you highlight how Cycode has enabled its clients to accelerate business growth and digital transformation while effectively managing cyber risks?

One of the world’s largest automotive companies was going through a bunch of modernization initiatives across the company — one of them being migrating from GitHub on-prem to GitHub Cloud. The scale of the project was massive, with over 5,000 organizations, 86,000 repositories on GitHub and more than 40,000 users. What they needed to do was an internal audit to make sure none of the repos migrated to the cloud had any hard-coded secrets. (1) They had no way of doing this, and (2) they did not have visibility into it either.

Another issue that they had was that across the entire org they had way too many security tools and wanted a single pane of glass or dashboard where they could view all their security data in one place — and they were able to do that with the Cycode ASPM.


One of the largest digital payments processors in the world has more than 10,000 developers. And they have found massive challenges in scaling prioritization and remediation workflows in an efficient way — across all these dev teams and across different tenants and environments in the business.

They have vulnerabilities across different tenants. Cycode was able to provide them with complex remediation flows with a two-way Jira integration that considered multiple different tenants and teams so that vulnerabilities do not get missed if they are impacting critical parts of the business.

On top of all this, the multi-tenant capability was only possible because of our Enterprise SSO capabilities with Cycode.

One of the largest online sports companies was evaluating ASPM vendors as a “do it all” application security vendor, and they ended up choosing Cycode over some well-known vendors due to product maturity in terms of Enterprise scale, and our range of scanning coverage.

They wanted a single vendor that checked as many boxes as possible, so tool consolidation was huge for them.
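The pre-migration audit described above (checking every repository for hard-coded secrets before it moves to GitHub Cloud) is the kind of check a team would want to automate. The following is an added example, not Cycode's code and not part of the original interview: a minimal scanner that walks a checked-out repository, flags lines matching a few secret rules, and uses a Shannon-entropy cut-off so placeholder values such as "changeme" are not reported. The rules, the entropy threshold and the sample files are all constructed assumptions.

```python
import math
import os
import re
import tempfile

SECRET_PATTERNS = {  # constructed example rules; a real scanner carries a far larger set
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"),
}
ENTROPY_THRESHOLD = 3.5  # bits/char; assumed cut-off between random-looking values and words

def shannon_entropy(s: str) -> float:
    """Bits per character; high values suggest a real token rather than a placeholder."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def scan_line(line: str) -> list[str]:
    """Names of the rules a single line matches; low-entropy generic values are skipped."""
    hits = []
    for name, pat in SECRET_PATTERNS.items():
        m = pat.search(line)
        if m and not (name == "generic_assignment" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD):
            hits.append(name)
    return hits

def scan_repo(root: str) -> list[tuple[str, int, str]]:
    """Walk a checked-out repository; return (relative path, line number, rule) per hit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]  # skip VCS objects
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for i, line in enumerate(fh, 1):
                    findings.extend((os.path.relpath(path, root), i, rule) for rule in scan_line(line))
    return findings

def build_sample_repo() -> str:
    """Constructed stand-in for one of the repositories being audited (values are made up)."""
    root = tempfile.mkdtemp()
    files = {
        "config/settings.py": 'DB_PASSWORD = "changeme"\nAPI_KEY = "q7Zp2vXkL9mNr4TbW8yHsJd3"\n',
        "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Running `scan_repo(build_sample_repo())` reports the API key and the AWS access key ID but not the "changeme" placeholder; in a real audit the same function would be pointed at each cloned repository and the findings triaged before migration.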

Looking ahead, share any five innovations and developments you anticipate in application security posture management, and how is Cycode preparing to lead in these areas?

  • With Cycode AI we have laid the groundwork and foundations for the future of the ASPM space, not only by creating the only Complete approach to ASPM in the industry today but also by setting the future for how security and development teams exponentially produce more secure code into production. Cycode is concurrently working on a dozen AI-related projects to enhance these platform capabilities and will be unveiling these over the next 12 months.
  • Similar to how CNAPP made the shift from point solutions into “platformizing” the space, application security (aka Code Security) is also experiencing a similar shift in the market with “platformization” and Cycode is extremely excited to be at the forefront of this movement in the space.
  • Application Security is undergoing a major transformation. All the legacy application security testing tools now have an ASPM, either through organic build or acquisition, while legacy ASOC or Cloud Security Automation tools are also rebranding themselves as ASPM. Additionally, existing ASPM vendors that started in the software supply chain security space are also expanding their features. Cycode is already the only complete ASPM that provides all these features. Cycode will continue to innovate and lead the market by enhancing our existing features. Cycode will also look to further enrich our risk prioritization context from runtime security vendors.


Jimmy is a seasoned, innovative, and forward-thinking cybersecurity thought leader with over 20 years of proven success at advising and enabling clients to accelerate their business growth and digital transformation while mitigating current and emerging cyber risks.

He started as a developer and has worked in all areas of IT, including systems engineering, networking, and security. He is knowledgeable in all information security domains, with a specialization in Application Security, Cloud Security, and DevSecOps.

He is a hands-on leader and player-coach. He led multiple successful DevSecOps transformations and is an Active DevSecOps Advocate.

In addition, he is also an advisor to VCs, Research Analysts, and multiple Startup Tech companies.

Cycode is the leading Application Security Posture Management (ASPM) platform, providing Peace of Mind to its customers. Its Complete ASPM platform scales and standardizes developer security without slowing down the business — delivering safe code, faster.

The platform can replace existing application security testing tools or integrate with them while providing cyber resiliency through unmatched visibility, risk-driven prioritization and just-in-time remediation of code vulnerabilities at scale. Cycode’s Risk Intelligence Graph (RIG), the ‘brain’ behind the platform, provides traceability across the entire SDLC through natural language.

Backed by tier-one investors Insight Partners and YL Ventures, the series-B company has raised $80 million and boasts a number of the top global Fortune 100 customers in the world that are gaining immediate value.
