Dotan Nahum is an experienced and multi-disciplinary leader in tech, a 4x published author and an avid open-source contributor. Dotan is CEO and Founder at Spectral, a DevSecOps startup, and previously served as the CTO at HiredScore, Klarna TLV, and Como (Conduit). With a solid background in hacking, reverse engineering and software engineering, Dotan has spent years bridging the gap between developers, security and productivity from a developer’s point of view. 

In this interview, Dotan Nahum discusses Spectral, a company that he founded with three friends in 2020, and for which he raised a $6.2 million seed round last year. The startup was recently acquired by a cyber security heavyweight, Check Point Software, for $60 million. Today, we are welcoming Dotan Nahum to CyberTalk.org. This is an interview that you won’t want to miss. 

Please share a bit about the need for automated code security in cloud-based applications:

The principle is fairly simple; you don’t want to be the last one standing. In today’s world where all major processes are automated – coding, build, testing, monitoring and deployment, as well as the compute layers being fully automated (read: the cloud), where servers come and go and storage is allocated within minutes – we can leave security to be manual. Yes, it is a very careful process that needs to be regulated by a very experienced person, but the sheer complexity of keeping up with the pace of the entire SDLC requires the same experienced person and yet a different approach. It requires us to come up with a technology that can allow us to tame the complexity of figuring out security in such a rapidly changing tech world, but also to give more people a way to be security experts. Developers are now taking that role more and more, because they are, in essence, the drivers of automated code building, and so therefore – they need to also drive the process of automated code security.

How can automated code security for cloud-based applications mitigate supply chain risks?

It’s all about managing risk. A supply chain, as the name suggests, is a chain of “things” that are supplied to us; that we don’t manufacture, produce or have primary control over. If it were  a chain of one, just one software component that’s supplied to us – life would be easy and we could handle regulating and auditing it. But what about thousands of components in just one service, and what about having a hundred live services in production in the cloud, and half of those get updated within just a day’s work with new components in the supply chain? That’s a whole new ball game that requires figuring out what gets changed, what are the components, and who (which people or roles) should make the changes. And so, only an automated process can digest, audit, and reason about this kind of scale and pace in the cloud. If we understand that complexity equals risk, then we understand that this is the best strategy possible to mitigate complexity and therefore mitigate risk.

Please tell us a bit about your AI-based DevOps-first security platform, Spectral:

Spectral aims to do “shift left done right”, which means it focuses on the developer experience (if we’re talking shift left, we have to talk about who’s there in the “left” – developers). Before the shift left movement, developers already had a lot on their plates. They already had a schedule jam-packed with tasks and features to build, as well as a long backlog of tasks and tech debt they needed to handle. Their focus was already 100% utilized. And then shift-left happened. That meant we just demanded 200% of focus from developers and development teams, and that obviously causes issues. With Spectral, we aim to provide the best experience, the best security for developers, but also – the best levels of productivity.

That means having a great DX (developer experience, you can visit our manifesto at: https://dxmanifesto.dev/), accurate results enhanced with AI, and a world of tool integrations and CLI features.

In mitigating risk, why are Spectral’s offerings advantageous?

“Risk” is a wide concept, and also, not all risks are created equally. We take an all-in-one approach where not only can we discover secrets and sensitive data in your code, documents, and other assets – but in the very same scan, we’ll discover how you’re lacking controls and security best practices for your source code repository (AKA code security, and SLSA framework compliance). The same policy engine that we’ve built is doing all the hard lifting whether it’s IaC, secrets, code security, or CI/CD hardening, and it takes just 3 minutes to go from signing up to having your first scan.

Tell us about how Spectral offers something different from, say, what Contrast Security offers?

With Spectral, developers get informed about the things they need to wake up at night for. Besides prioritizing – we simply offer to not bother with dumping noise at developers. There’s been a trend where “more results = more security,” which we don’t believe in, and what we do believe in is that accurate and actionable results served in a human-friendly way are actually more security. This unique approach and motto created a huge advantage because it put the markers for our architecture, and things like – privacy first (where we don’t transmit any of your data anywhere for the sake of analysis), and security by design (where we always do secure by default), had to happen in order to be in harmony with our motto.
