
Myrror Security Protects Organizations From Software Supply Chain Attacks


Guest: Yoad Fekete (LinkedIn)
Company: Myrror Security (Twitter)
Show: Let’s Talk

Application security company Myrror Security helps protect organizations from software supply chain attacks that originate in the open-source components they consume. The company has built its own binary-to-source code technology, which verifies the integrity of software without needing to be integrated into the build that produced it. It also detects vulnerabilities and prioritizes them using reachability analysis.

In this episode of TFiR: Let's Talk, Yoad Fekete, Co-Founder and CEO at Myrror Security, talks about how security threats have evolved over the years and how security practice has changed to meet them. He discusses how Myrror Security helps organizations improve their security posture and explains the cultural side of security within organizations.

Key highlights from this video interview:

  • Fekete talks about his background as a DevOps engineer and how he was part of the incident response team at Microsoft following the SolarWinds attack. He talks about how this led to the founding of Myrror Security, which aimed to create a solution that could detect those sorts of attacks in an easy-to-integrate way.
  • Fekete discusses how security has evolved since he started as a system administrator building and maintaining data centers, when security was predominantly an infrastructure-level concern. He explains how, with zero trust, the perimeter has shifted from the infrastructure level to the configuration and application level.
  • Security threats have evolved over the years, and Fekete tells us that one scenario they are seeing is attackers targeting open-source projects with weak security. He walks us through some of the ways attackers try to compromise those projects.
  • Myrror Security is based in Israel, and Fekete talks about the increase in cyber attacks they are currently seeing amid the political situation. He describes his reserve duty role supporting security for parts of the defense forces, and discusses the importance of defending their perimeter and applications.
  • Fekete talks about the importance of open source for Myrror Security saying around 80% of their code base is open source. He gives his gratitude to open-source maintainers and discusses the process they went through to verify the open source for vulnerabilities and software integrity.
  • Myrror Security helps protect organizations in two key ways. First, it detects supply chain attacks originating in their open-source dependencies, using its binary-to-source code technology to verify software integrity without needing to be integrated into the build. Second, it detects vulnerabilities and prioritizes them to help reduce alert fatigue.
  • The cultural aspect of security is just as crucial as the technology one, and Fekete discusses how engineers are primarily focused on shipping software quickly rather than security. He believes there needs to be specific security expectations in place, which need to be set in a policy that is integrated into the development ecosystem easily.
  • We are increasingly seeing Infrastructure-as-Code and Security-as-Code. Fekete feels there should be no other way to create infrastructure. He considers Security-as-Code important, but explains why it is not something he expects developers to write themselves and why security requirements do not really need to be defined as code.
  • Fekete discusses the impact of generative AI on security, saying they use a lot of it in their product: for feedback loops on incidents and for delivering insights to users on the platform. He stresses the importance of verifying which engineering tasks generative AI should be used for.
  • While security professionals are very aware of known risks, unknown risks remain a challenge. Fekete discusses the JumpCloud incident and how software companies are a prime target because they have access to many other companies. He feels security professionals and executives are still not aware enough of unknown risks.
  • Fekete discusses the evolution of security and argues that application security testing should be part of the process of deploying applications. Companies today are helping reduce alert fatigue from existing products by aggregating vulnerabilities and providing context on top of the issues those products report.
  • Having just come out of stealth, Fekete shares some of the company's plans, saying they are looking to expand further into the US and European markets. He talks about working with customers to understand what they have in place today, learn what they need, and tailor Myrror Security's roadmap accordingly.

This summary was written by Emily Nicholls.