Tsahy Shapsa is the Co-Founder & Co-CEO at Jit, a platform that simplifies continuous security so developers can build secure cloud apps by design from day zero.
You’ve been involved in cybersecurity for most of your career, what initially attracted you to the industry?
Growing up, I was always drawn to science fiction, and it was the movie “WarGames” that truly sparked my imagination about the role computers would play in the safety of our world. As I watched the film's young hacker inadvertently stumble into a high-stakes cyber conflict, I became captivated by the possibilities and challenges of a digital future. Later in life, as an adult surrounded by the innovative spirit of Israel's “Startup Nation,” I felt a strong calling to contribute to this exciting and crucial domain. This inspiration, combined with my immigration to the United States, ‘the land of opportunity’, led me to start my first cybersecurity company. I've been fortunate to play a part in shaping the future of cybersecurity while embracing the entrepreneurial spirit of my two home countries – US & Israel.
Could you share the genesis story behind Jit?
The genesis story of Jit.io began with me and my co-founders identifying a critical gap in the cybersecurity landscape. As modern engineering teams rapidly embraced the CI/CD approach, the integration of cybersecurity often lagged behind, leading to increased risk of vulnerabilities. Part of the problem was the overwhelming plethora of shift-left security tools available, with engineering teams often needing to stitch together 15-20 tools across AppSec, CI/CD, Cloud, and DAST to create a comprehensive security solution. Each of these tools came with its own onboarding, management, and developer experience, which significantly slowed down development velocity.
Driven by the mission to make it ridiculously easy for these teams to incorporate cybersecurity into their CI/CD pipelines, Jit.io was born. My team set out to accelerate DevSecOps by meticulously curating the world's best open-source security tools and packaging them into a single, unified platform. By offering a streamlined DevX, Jit.io empowers modern engineering teams to seamlessly integrate and manage their product security, eliminating the need for complex toolchain integrations and time-consuming onboarding processes. This ensures that robust application security measures are not just an afterthought, but an essential and easily attainable component of the development process.
This innovative approach has positioned Jit.io as a game-changer in the realm of cybersecurity, revolutionizing the way engineering teams tackle the ever-evolving digital threat landscape by simplifying and consolidating the implementation of essential security tools, ultimately increasing development velocity and efficiency.
For readers who are unfamiliar with the terminology DevSecOps, could you define it for us?
DevSecOps is the practice of integrating security into every stage of the software development and deployment process for modern engineering teams, unifying AppSec, CI/CD security, and cloud security. This enables developers to own their product security just as they own CI and CD, while fostering collaboration and shared responsibility among development, security, and operations teams.
Jit enables developers to own security for the products they are building from day zero, why is it so important to prioritize security at such an early stage?
Using a building construction analogy, let's consider how DevSecOps spans various aspects of the software development process, including AppSec (Application Security), CI/CD (Continuous Integration/Continuous Deployment), Cloud, and DAST (Dynamic Application Security Testing).
In the building construction process, AppSec is similar to ensuring the building materials and architectural design are secure and adhere to safety standards. CI/CD is akin to the seamless coordination of construction activities, allowing for efficient assembly and integration of different components, such as plumbing, electrical, and security systems. Cloud security represents the infrastructure and utilities supporting the building, such as water supply, electricity, and internet connectivity. Finally, DAST is comparable to conducting regular safety inspections and tests to identify and address potential vulnerabilities in the building's security systems.
By incorporating DevSecOps throughout the entire software development lifecycle, organizations can ensure that security is an integral part of each stage, from designing secure application code (AppSec) and efficiently integrating security measures into the CI/CD pipeline, to securing cloud infrastructure and conducting ongoing dynamic security tests (DAST). This holistic approach helps create more secure, reliable applications and minimizes vulnerabilities and security risks across all aspects of the software development process.
Could you describe how Jit differentiates itself from other cybersecurity tools?
Jit differentiates itself from other cybersecurity tools by offering a comprehensive, unified DevSecOps platform that simplifies the integration and management of multiple ‘shift-left’ security tools across AppSec, CI/CD, Cloud, and DAST. This approach streamlines security operations and the developer experience, allowing for seamless collaboration.
By eliminating the need for complex toolchain integrations and vendor lock-in, Jit enables product and application security engineers to choose the best-of-breed security solutions tailored to their specific needs. This adaptability empowers teams to build robust security measures while maintaining a unified, native developer experience.
Jit's focus on a seamless, consistent experience for both developers and security teams allows for more efficient monitoring, analysis, and response to threats across all aspects of the software development lifecycle. As a result, Jit accelerates the implementation of DevSecOps best practices and promotes a shared responsibility for security across the entire organization.
You often discuss avoiding ‘tool lock-in’ in order to have a future-proof DevSecOps platform, could you describe what tool lock-in is and why it is such a problem?
In the context of DevSecOps and shift-left security vendors, tool lock-in can be particularly problematic for several reasons:
- Mediocre product portfolios: Many shift-left security vendors initially gain success due to one outstanding product. However, as they expand their offerings, often through acquisitions, they may end up with a portfolio of mediocre products that don't necessarily integrate well or provide the best solutions for every aspect of security.
- Sales and marketing tactics: Vendors with a diverse portfolio often use various sales and marketing tactics to “force” customers into purchasing their entire suite of products. This approach prevents users from having the freedom to choose best-of-breed solutions and can lead to suboptimal security outcomes.
- Hindered adaptability: Tool lock-in restricts an organization's ability to adapt to evolving security threats or take advantage of advancements in technology. When locked into a specific vendor's offerings, it becomes challenging to explore and adopt better security solutions as they become available.
- Reduced innovation: Relying on a single vendor's portfolio for security can stifle innovation, as the organization may become overly focused on the capabilities of the current tools rather than seeking alternative, potentially superior solutions.
To build a future-proof DevSecOps tool-chain and avoid the pitfalls of tool lock-in, it's crucial for organizations to maintain the flexibility to choose the best-of-breed security solutions tailored to their needs. This approach enables organizations to create a more robust and effective security posture, ultimately fostering innovation and adaptability in the face of ever-changing security landscapes.
How does Jit create a unified, ‘one-stop’ solution that avoids this issue?
Jit addresses the issue of tool lock-in by prioritizing flexibility, integration, and adaptability. Here's how Jit achieves this:
- Seamless integration of multiple tools: Jit's platform is designed to integrate best-of-breed security solutions across AppSec, CI/CD, Cloud, and DAST. This allows organizations to choose the most suitable tools for their specific needs, while Jit handles the complexities of managing and integrating these disparate tools into a cohesive system.
- Flexibility and choice: Jit empowers organizations to avoid vendor lock-in by providing the freedom to select and switch between different security tools as their requirements evolve. This flexibility ensures that organizations can always adopt the most effective solutions for their security needs, without being constrained by a single vendor's portfolio.
- Unified developer and security operations experience: Jit streamlines the developer and security operations experience by providing a consistent, user-friendly interface for managing and interacting with various security tools. This unified experience simplifies the process of incorporating security practices into the software development lifecycle and ensures that developers and security teams can collaborate effectively.
- Continuous innovation and adaptability: By allowing organizations to leverage best-of-breed security solutions, Jit fosters continuous innovation and adaptability. As new security tools and technologies emerge, Jit's platform can easily accommodate these advancements, ensuring that organizations always have access to cutting-edge security solutions.
By offering a unified, flexible platform that seamlessly integrates multiple security tools while maintaining a consistent developer and security operations experience, Jit effectively avoids the pitfalls of tool lock-in and enables organizations to build future-proof DevSecOps platforms that can adapt and grow with their evolving security needs.
Jit-DevSecOps describes itself as a lean, iterative approach to adding security ‘Just-In-Time’. Could you elaborate on the importance of applying security in this manner?
Jit-DevSecOps, a lean and iterative approach to adding security “Just-In-Time,” emphasizes the importance of timely and efficient security integration. This method allows for early detection and remediation of vulnerabilities, faster development cycles, and improved collaboration. Jit's change/delta-based approach focuses on addressing security issues as they arise, ensuring that the most critical vulnerabilities are fixed first. By prioritizing a fix-first mentality and adapting to changing security landscapes, Jit-DevSecOps enables organizations to maintain robust security while ensuring agility and efficiency in the development process.
What is your vision for the future of DevSecOps and cybersecurity in general?
My vision for the future of DevSecOps and cybersecurity is to harness the power of advanced technologies such as artificial intelligence, machine learning, and automation to identify and respond to threats in real-time. For example, AI-driven security solutions can help detect anomalies and potential vulnerabilities, while automated incident response can help contain and mitigate security incidents.
In addition, we will explore emerging technologies such as blockchain and encryption to enhance data security and privacy. These technologies can help ensure the integrity and confidentiality of data, and prevent unauthorized access or tampering.
Overall, my vision emphasizes the importance of collaboration, innovation, and proactive measures to stay ahead of emerging threats. And of course, we'll always remember the golden rule of cybersecurity: the only secure computer is one that's unplugged, buried in concrete, and never turned on.
Thank you for the great interview, readers who wish to learn more should visit Jit.