OpsMx: Interview With CTO Gopinath Rebala About The Application Security Posture Company

By Amit Chowdhry • Updated December 15, 2024

OpsMx is a leader in Application Security Posture Management (ASPM), helping enterprises accelerate DevSecOps and shift security left to secure the SDLC. Pulse 2.0 interviewed OpsMx CTO Gopinath Rebala to learn more about the company.

Gopinath Rebala’s Background

What is Gopinath Rebala’s background? Rebala said:

“My educational background was in information retrieval and search engine algorithms. Since then, I’ve spent several decades working at both small and large tech companies to build secure, scalable software to solve security and IT operations problems. As the industry progressed through big data, cloud data, cloud security, data center optimization, and now AI and machine learning, my focus has always been on how to make sense of large volumes of data while keeping that data secure. A few years ago, I co-authored “Introduction to Machine Learning Techniques,” a book that included a chapter on Generative AI.”

Favorite Memory

What has been Rebala’s favorite memory working for the company so far? Rebala reflected:

“My favorite memory so far was when the first version of our security product came together. We had this idea that rather than just generate alerts we should actually enforce security policies by stopping an application deployment based on vulnerabilities identified by our system. The first time I saw it work at a customer site was very exciting – one of those moments when you suddenly see what was just an idea working in the real world.”

Core Products

What are the company’s core products and features? Rebala explained:

“OpsMx offers a platform for application security. The product we call OpsMx Delivery Shield adds application security posture management, unified visibility, compliance automation, and security policy enforcement to the existing application development and delivery lifecycle.”

“A core feature is the Delivery Bill of Materials, which takes the Software Bill of Materials one step further to capture a comprehensive and consolidated record of every step in the application’s software delivery and deployment process, putting security checks, approvals, policy enforcement, and audits in one place. Other features include continuous risk assessment, increased visibility, compliance automation, and vulnerability management.”

“Our big innovation here was the platform approach. As our original solution evolved, our large enterprise customers like Cisco and Western Union were increasingly focused on how they could make the software delivery pipeline more secure. Although the “shift-left” movement to increase security at the earliest stages of the development cycle was a good idea, it was frustrating developers and slowing down releases because collaboration between the security team and the development organization was difficult and inefficient. We designed our security platform to support this collaboration, provide fast feedback between the groups and support end-to-end automation.”

Challenges Faced

What challenges have Rebala and the team faced in building the company? Rebala acknowledged:

“We originally built our solution to support custom software that companies wrote themselves. Over time, however, companies began relying heavily on incorporating open-source libraries, which have fundamentally different security issues. As a result, customers and prospects began asking us to address these different security issues, and we knew that if we did not adapt our technology to the requirements of open source-assembled software, our solution would become irrelevant to the market.”

“A significant complication we faced in addressing this challenge was that there are really no standards for estimating vulnerability risk. So we began building databases to store vulnerability information about open source software, including the number of vulnerabilities in a repository, the mean time to repair for those vulnerabilities, and the contributors to each repository.”

“We are also using machine learning to automate the analysis of new releases of key repositories for vulnerabilities, and we combine that information with the EPSS, which rates the probability of exploitation. This gets us to a much more realistic risk assessment of the software. Then, in our platform, we tie this risk assessment to the actual software our customers are developing and the components they are using, including guidance on the severity of the risks and which risks can’t be ignored.”

“Given the degree to which security concerns around the impact of open source software on the software supply chain have increased recently, our decision to go in this direction has enabled us to successfully meet an increasingly critical market need.”

Evolution Of OpsMx’s Technology

How has the company’s technology evolved since launching? Rebala noted:

“When we started we assumed that customers already had a robust set of security tools in place and just needed the automation, intelligence, and management to unify them. What we found is that many customers actually don’t have tools in place that they think they need and are tired of paying so much money for the tools they do have. As a result, we evolved our solution from what was essentially an overlay for an existing development environment to a more comprehensive platform that includes a full suite of open-source security tools that a customer can use to build out a truly secure environment.”

Customer Success Stories

When asking Rebala about customer success stories, he highlighted:

“A fast-moving technology company that handles a lot of sensitive customer data had the security tools they needed in place, but because of the rapid pace of releases, the company was struggling to meet their compliance audit requirements. This was complicated by the fact that they offer two different types of solutions, software released to customers and a SaaS product.”

“We were able to install the OpsMx Delivery Shield product to give them a complete and continuously updated end-to-end view of application security. They could track new releases, and put policies in place to actually stop releases from going forward that did not meet their compliance requirements. Each release is automatically recorded in our Delivery Bill of Materials, which includes the security posture and approval process for those deliveries, which makes audit and compliance automatic.”
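The two mechanisms Rebala describes above, ranking findings by combining severity with the EPSS probability of exploitation (in the Challenges section) and stopping a release that fails policy while recording the decision for audit (in this customer story), as an added illustrative example. This is not OpsMx code and does not reproduce Delivery Shield’s logic: the scoring rule, the policy thresholds, the `Finding` and `Policy` types and the sample scan findings (placeholder identifiers, not real CVEs) are all assumptions constructed for this example.

```python
"""Illustrative release gate: combine CVSS severity with EPSS exploit probability
to rank findings, block a release that violates policy, and emit an audit record.

Added example for this article. Not OpsMx code; thresholds and the scoring rule
are assumptions, and every finding below is constructed sample data.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class Finding:
    component: str       # package@version found in the build (constructed)
    vuln_id: str         # scanner-reported identifier (placeholders, not real CVEs)
    cvss: float          # base severity score, 0.0 to 10.0
    epss: float          # EPSS probability of exploitation within 30 days, 0.0 to 1.0
    fix_available: bool  # whether a patched version of the component exists


@dataclass(frozen=True)
class Policy:
    # Thresholds are assumptions for this example, not OpsMx defaults.
    block_cvss: float = 7.0         # severity floor for a blocking finding...
    block_epss: float = 0.10        # ...combined with this exploit-probability floor
    unfixable_high_budget: int = 1  # tolerated high-severity findings with no fix yet


def risk_rank(findings):
    """Order findings by exploit likelihood weighted by severity (assumed rule:
    epss * cvss, ties broken by cvss). A pure CVSS ordering would put the
    highest-severity finding first even when it is very unlikely to be exploited."""
    return sorted(findings, key=lambda f: (f.epss * f.cvss, f.cvss), reverse=True)


def evaluate(findings, policy):
    """Apply the policy and return a decision with machine-checkable reasons."""
    blocking = [f for f in findings
                if f.cvss >= policy.block_cvss and f.epss >= policy.block_epss]
    # High-severity findings that cannot be fixed yet are tolerated up to a budget
    # rather than silently ignored; they surface as warnings in the record.
    unfixable_high = [f for f in findings
                      if f.cvss >= policy.block_cvss and not f.fix_available
                      and f not in blocking]
    reasons = [f"{f.vuln_id} in {f.component}: cvss {f.cvss} >= {policy.block_cvss} "
               f"and epss {f.epss:.2f} >= {policy.block_epss:.2f}" for f in blocking]
    if len(unfixable_high) > policy.unfixable_high_budget:
        reasons.append(f"{len(unfixable_high)} high-severity findings without a fix "
                       f"exceed budget of {policy.unfixable_high_budget}")
    return {
        "allowed": not reasons,
        "reasons": reasons,
        "warnings": [f"{f.vuln_id} in {f.component} has no fix yet" for f in unfixable_high],
        "prioritized": [f.vuln_id for f in risk_rank(findings)],
    }


def delivery_record(release, findings, policy, decision, approver=None):
    """Consolidated per-release record, loosely modelled on the article's
    Delivery Bill of Materials idea: what was scanned, which policy applied,
    what was decided and who approved it. Plain dict so it serialises for audit."""
    return {
        "release": release,
        "evaluated_at": datetime.now(timezone.utc).isoformat(),
        "policy": asdict(policy),
        "findings": [asdict(f) for f in findings],
        "decision": decision,
        "approver": approver,
    }


# Constructed sample scan output; identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("libparse@2.1.0", "VULN-EXAMPLE-1", cvss=9.8, epss=0.02, fix_available=True),
    Finding("webfw@4.0.3",    "VULN-EXAMPLE-2", cvss=7.5, epss=0.45, fix_available=True),
    Finding("imgcodec@1.9",   "VULN-EXAMPLE-3", cvss=5.3, epss=0.80, fix_available=True),
    Finding("legacyxml@0.7",  "VULN-EXAMPLE-4", cvss=8.1, epss=0.03, fix_available=False),
]


if __name__ == "__main__":
    policy = Policy()
    first = evaluate(SAMPLE_FINDINGS, policy)
    print("build-42 allowed:", first["allowed"], first["reasons"])
    print("work on these first:", first["prioritized"])
    # Simulate the developer upgrading webfw and rescanning.
    remediated = [f for f in SAMPLE_FINDINGS if f.vuln_id != "VULN-EXAMPLE-2"]
    second = evaluate(remediated, policy)
    print("build-43 allowed:", second["allowed"], "warnings:", second["warnings"])
    print(delivery_record("build-43", remediated, policy, second, approver="secops"))
```

Note that the ranking puts the medium-severity finding with a high EPSS score ahead of the critical one with a 2% exploitation probability, while the blocking rule still requires both thresholds; the budget for unfixable high-severity findings keeps them visible in the record without forcing an exception process on every release.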

Funding

When asking Rebala about the company’s funding details, he revealed:

“We’re a Series B venture-funded company based in Silicon Valley, and we’re very pleased with our current growth rate.”

Differentiation From The Competition

What differentiates the company from its competition? Rebala affirmed:

“First, we take the broadest possible view to identify security risks. We look across the SDLC, at dev, testing, staging, and production environments, as well as up and down the application stack, including source code, artifacts, databases, and the target deployment infrastructure.”

“Second, we let customers choose where they get the underlying security data from. If they have security tools such as code scanners in place that they like, they can keep using them, and we’ll pull the data we need from them. If they don’t have the security tools in place, we’ll bring them with us. We give customers the flexibility to let their developers choose the tools they want to use.”

“Last, we’ve designed our platform to be developer-friendly. We understand the frustration caused by “shift left” security responsibilities, so we’re building into our solution specific features that reduce friction and help developers stay productive while still making their applications more secure.”

Future Company Goals

What are some of the company’s future goals? Rebala concluded:

“On the business side, we’re still early in our product journey. We have some great responses to the solution from customers, and we’re focused on getting more customers familiar with it.”

“On the technical side, we’re looking to apply GenAI in many ways, including natural language queries to accelerate SDLC diagnostics, automatic policy generation, and more advanced analytics and remediation guidance based on GenAI’s ability to consume and analyze huge amounts of internal and external data.”

“GenAI can already initiate scripts to automatically solve some very basic issues, such as identifying and shutting down a public view of a cloud development environment, and we see this ability to automatically fix issues as a huge future opportunity.”