This interview is with Erik Costlow, Senior Director of Product Management of Azul. We will discuss cybersecurity and vulnerability detection.
My name is Erik Costlow, and my official title is Senior Director of Product Management, which means I focus on the “why” of each problem we solve. Of all the things we can do, why should we choose this? Why does it matter to people?
Now that we know why it matters, how will we solve it? Product Management is a triad of skills between engineering, sales, and marketing to understand how everything fits together.
I used to build software and thought it was cool to understand what types of corners I would cut. By looking at systems, I could “figure them out” and make them do things they weren’t supposed to do, and that was pretty fun.
A lot of the older “ivory tower” practices have been knocked down because the silo of expertise actually made things worse. By focusing on perfection instead of moving quickly with sometimes messy development, the older practices were non-implementable. I met a CISO once who had a special research matrix computer that cost millions of dollars because every algorithm was mathematically provable and verified – they used it as a doorstop because it was so hard no one could build on it.
Vulnerability Detection takes the last decade of application security and starts moving it into the JVM, where it’s automated and easy. It answers three questions: what components do I have (and where are they), are they vulnerable, and do I actually use that vulnerable code? You’ll see a lot about SBOMs in the industry, so it’s focused on that overall inventory angle.
The basic answer is that security is critically important for every technology and business ecosystem, and the consequences of unpatched vulnerabilities can be catastrophic, particularly for emerging environments. Azul has a lot of experience with cryptocurrency and gaming use cases, so being able to help them rapidly identify and remediate vulnerabilities is one of many important requirements for their next-generation applications.
Azul Vulnerability Detection is our new security product. The new SaaS solution monitors the Java code loaded by Azul JVMs and checks it against a compiled list of common vulnerabilities and exposures (CVEs). By using Azul JVMs, the system generates more precise findings, eliminates false positives, and incurs no performance cost.
Azul Vulnerability Detection was developed to mitigate the growing threat posed to businesses by attacks on their software supply chains. Around 45% of enterprises globally will have experienced attacks on their software supply chains by 2025, according to Gartner.
Log4Shell, one of the most severe software vulnerabilities in history, demonstrates the seriousness of vulnerabilities in Java libraries and components.
Failure to detect and patch known vulnerabilities in their Java application estates can expose organizations to significant impact and cost, including financial penalties running into the hundreds of millions of dollars, compromise of customer data, lower market capitalization, and turnover in executive staff.
This is a significant innovation that requires a lot of Java expertise. As the Java runtime provider, we are uniquely suited to add a lot of value to this use case. We have a strong position in this segment of the market, and we think customers are going to respond great.
It does this by monitoring the code that is loaded into Azul Java virtual machines (JVMs) and comparing it to a database that has been curated with information about common security flaws and vulnerabilities (CVEs).
Azul Vulnerability Detection identifies each component using bytecode-aware hashing techniques. It then maps these components accurately to vulnerabilities using a database updated daily with the latest CVEs from external databases, publicly available information, and more.
Customers would have seen log4j used as a component in their applications back when it was not known to be vulnerable. Once the CVEs were disclosed, knowledge of that CVE would be applied to AVD’s database, allowing customers to identify accurately and efficiently all the present and used instances of the vulnerable component across their fleet of Azul JVMs. Customers would then focus on upgrading locations where a vulnerable version was used.
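To make the load-time monitoring and hash-based matching described in the two answers above concrete, here is an added sketch of a Java agent (not Azul's code, and not their bytecode-aware hashing): it takes a plain SHA-256 of every class file as the JVM loads it and checks the digest against a constructed lookup table, so that only components actually loaded, rather than merely present on the classpath, are ever reported. The table contents and the `LoadedClassAuditAgent` name are illustrative placeholders.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.ProtectionDomain;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical observe-only agent: records the SHA-256 of each class the JVM
// actually loads and flags any digest found in a list of known-bad class hashes.
public final class LoadedClassAuditAgent {

    // Constructed sample lookup table: class-file digest -> advisory id.
    // A real deployment would populate this from a curated vulnerability feed;
    // the entry below is a placeholder, not real CVE data.
    private static final Map<String, String> KNOWN_VULNERABLE = Map.of(
        "PLACEHOLDER_SHA256_OF_VULNERABLE_CLASS", "PLACEHOLDER-ADVISORY-ID");

    // Inventory of what was really loaded (class name -> digest), not what merely
    // sits on the classpath. This is the "do I actually use it?" half of the question.
    static final Map<String, String> LOADED = new ConcurrentHashMap<>();

    // Entry point used with: java -javaagent:audit-agent.jar -jar app.jar
    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String className,
                                    Class<?> classBeingRedefined,
                                    ProtectionDomain pd, byte[] classfile) {
                String digest = sha256Hex(classfile);
                LOADED.put(className, digest);
                String advisory = KNOWN_VULNERABLE.get(digest);
                if (advisory != null) {
                    // Report where the vulnerable bytes came from so the team can
                    // locate and upgrade exactly that artifact.
                    System.err.printf("[audit] loaded flagged class %s (%s) from %s%n",
                        className, advisory, pd == null ? "unknown" : pd.getCodeSource());
                }
                return null; // never rewrite bytecode; this agent only observes
            }
        });
    }

    static String sha256Hex(byte[] data) {
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is a mandatory JDK algorithm", e);
        }
    }
}
```

The agent jar needs a `Premain-Class: LoadedClassAuditAgent` manifest entry; because `transform` returns `null`, the application's bytecode is left untouched and the only overhead is one digest per loaded class.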
Two results have really pulled through. 1) The lack of a performance penalty has consistently caused eye-popping reactions. 2) The elimination of false positives. These are two common pain points associated with traditional tools, and customers have been really excited at our improvements relative to other solutions.
We do not replace anything. Many prospects today use tools like BlackDuck, Snyk, Contrast, Checkmarx, and many others. We are happy to provide our data to them for Java and let teams focus their manual work on using those tools for other applications and languages like Node, Ruby, etc.
Instead of scanning or gating an environment, we operate in the JVM at peak speed to provide visibility into production applications. If an application ever reaches production without being scanned, other tools will miss it.
Thank you for agreeing to this interview, Erik.