
Fireside Chat: Building a High-Trust Product Security Program at Zebra

Learn how Zebra Technologies builds a successful Product Security program by using reachability and risk ranking to prioritize critical vulnerabilities, making fixes fast and building developer trust.
Written by Jasyn Voshell
Published on August 6, 2025

Dr. Jasyn Voshell runs product security at Zebra Technologies. In this video, he sits down with a small group during Black Hat 2025 to talk about his program. Give it a listen to see how product security is being built at a large enterprise!

Read the customer story "Zebra Technologies Cuts SCA Noise by 97% with Endor Labs" to learn more about how they're using Endor Labs.

Zebra Technologies: Overview and Reach

[00:00] Jasyn Voshell: So I I I'm Jasyn, um, just call me Jasyn if you have any questions or comments. But uh, outside of the zebras in the room, how many people have heard of Zebra Technologies? Your badges, did you—I don't know if you noticed or not—but when you uh got those, they were printed on a Zebra printer. So Zebra, a long, long time ago in a galaxy far, far away (since we are doing Star Wars theme stuff) uh invented or came up with like the the barcode. It was actually done by a company called Symbol Technologies, and Zebra kind of bought them and dot dot dot dot dot now we're all Zebra stuff. So um, Zebra does everything from, as you know, printing your badges to uh anybody watch football on Sundays or are you aware that there's football on Sundays? That might be a good thing a few weeks, a few weeks from now. Have you ever watched that, they'll put something, they'll put the little circle around the player and show you how fast they go? Have you seen that? Uh, you'll see next-gen stats powered or powered by Amazon whatever, that that's not them, that's actually Zebra technology. So we have our little RFID trackers inside of all the players, the the balls, knee pads, um, anything that gets tracked from point A to point B is pretty much Zebra Technologies. Um, your phone, after COVID now, there's menus that have little QR code. Well your phone used to used to be a camera, right? It would take a picture. But today, when you hold your camera over top the QR code, what happens?

[01:10] Audience: It reads it.

[01:16] Jasyn Voshell: It reads it. What and how how does the camera know that's a? That's a called a scan engine, that's something Zebra also put in place so that our our technology is in the phones as well. So that's a lot of stuff that we we do across the board. Your FedEx package, your Amazon package, your DHL package, that's all us. Have you ever been to the hospital? Yeah, your wristband that was printed by us. Your your medication, that little label gets on it, gets printed by us. Anybody ever eat groceries from the grocery store? Yeah. So when they're tracking food on supply chain, now they track it with Zebra Technology stuff. So that I can find out that if the cabbage is bad in the supermarket, I know what row in the farm it came from. And that'd be a perfect environment, obviously they don't put that in place everywhere because they cost a lot of money. Uh, so that's kind of what they do. So we do a good deal of that. Um, COVID, this is a probably a good way to start another story on why vulnerabilities are not what we want in some of our code. When COVID came out, can someone tell me what did they have to do with the vaccines to make sure they stayed good? Do what? No. Uh, the actual vaccine itself, what do they have to do with it to make sure it stayed good? They had to keep it refrigerated. And what happens if it got over a certain temperature? They'd throw it away.

The Real-World Impact of Vulnerabilities: The COVID-19 Vaccine Example

[02:22] Jasyn Voshell: And so uh Zebra has uh these labels that go on the side of the vaccines and they have a little little transmitter in them and we can tell if the temperature goes up by a certain piece and then it would it would say, "Oh, throw those away, they're not any good." Well, when COVID came out, there were some people who were didn't want vaccines, right? "I don't want that to happen." And so we saw in some of our systems that are SaaS-based or, you know, accessed via the internet, we saw people try to hack our systems to fake the temperature going up to have people throw away the vaccines. And so you can imagine in our SaaS-based applications, if there was a vulnerability in there, it might make it a little bit easier. The vaccines would get thrown out and, you know, first it's just a waste and second of all, you know, if it if it does save lives or if it doesn't, whatever your your your thought process is, it's just not a good thing to have happen.

Shift Left and Product Security Adoption

[03:03] Jasyn Voshell: And so that's part of what we started to roll into. So our organization, product security, uh, at Zebra, probably six years ago, we did not exist. Everybody who just built the product that we have just sort of built it and did the best they could with what they've got. And so we stood up a product security organization and part of that now is we talk to our development teams and have you ever heard of something called shift left? Yeah, but no developer in here has ever heard of that at all. So right? Don't code bad in the beginning and it won't be bad at the end. Um, so part of that is what we're trying to do with with the Endor team as well and our developers. So we came in, developers weren't really scanning their code at all, uh, they were just doing best efforts. Some teams did some things, some teams did not. It was kind of kind of a little bit of chaos. So as we started to put those in place and we started scanning it, you can imagine that a lot of it lit up like a Christmas tree, right? Uh, and what did we say a lot to the teams? "Oh, you you have to go fix that. You wrote that bad code, you need to go fix that right away." And what do most developers do? They really want to go fix vulnerabilities in their code? Does anybody here go, "Yeah, they love doing that. That's their favorite thing to go do." No, they want to code so it looks really, you know, I push this button, it turns green. That's what they like to go do. So we have a lot of discussions with our teams on trying to get them to fix the vulnerabilities in the code, and one of the things I want to do is make sure that we're not wasting their time. I'm sorry, your neck's going to hurt. I'll step over here once in a while. Uh, we we make sure they don't want to waste their time doing a lot of those things. So Endor has something called reachability. Does anybody know what that is? Not you, Sunny. This guy. What's Do you know what reachability is?

[04:42] Audience: You test to see if a vulnerability that you identify is actually something that gets hit by.

Building Developer Trust with Reachability

[04:47] Jasyn Voshell: Yes! Oh, wait, hold on. He answered the question correctly. So you get a little zebra. They're squishy so you can take them to your home, to your kids. I'm going to hold one in my hand or two in my hand so if anybody falls asleep, you're also going to get one, not in the good way. So uh, yeah. So, if it does, is the vulnerability actually being used in my code? Is it important or not? And so when we put that in place, it did help our developers gain some, guess, confidence or trust. Like, "Yeah, I guess that is a real vulnerability." We did a study, I think it was 2 years ago, on all of our security scanners on how much the average the average amount of time it would take to fix something that came from this scanner, not based on its criticality, just if it came from Orca (if you don't know what Orca is, please let me know), came from Orca, or Tenable, or Snyk, or GitHub Advanced Security, or Endor. If it came from these tools, what was the average amount of time it took to fix? Okay, so I will tell you that the number one tool we have on average, vulnerabilities are fixed in five days. Five days! That's wow, that's really good. The next closest one is 30 days. Can anybody guess what number one is? It's not multiple choice. Just yell out something. What tool? It's uh, somebody said Endor. That's not right, though. Sorry, Jen, we're not there yet. Anyone want to take a guess? I'll give you a hint: it has a lot to do with the the trust of where it came from. A developer believes that to be the case, right? So if I had Tenable or Orca, they might say, "That's got tons of vulnerabilities and tons of loud noises, I don't want to pay attention to that." Okay, I've got GAS ACs on the board. Anybody else? What did you say?

[06:21] Audience: Yeah, he said GAS.

[06:33] Jasyn Voshell: Sorry, already I'm He's on the board. I'm trying to see. Anybody else has got an answer for this? You did answer, but you're not correct. You may have a squishy thing. HackerOne or bug bounty program. Can anybody tell me why they think maybe bug bounty programs things get fixed fastest?

[06:44] Audience: Not from Zebra, they're valid.

[06:47] Jasyn Voshell: Yeah, because somebody looked at it and they and it's not a waste of time. The developer believes, "Yes, that came from somebody who saw something. It got exploited. I can go fix it," and there's a lot more detail behind it. And so they're they believe it. I don't I don't get arguments. It's a lot easier in our organization to, if you make it easier to fix than it is to argue, they'll just go fix it. And that is probably one of the things we we have to work with our developers and if you have a good tool in place, that's be the case. So when Endor came around and they had that reachability piece, we started to put that in place. We started to highlight those vulnerabilities because we know, "Yes, it's a vulnerability. Yes, you're using it and yes," this gentleman said here, whose name is JT. JT said, "Yeah, I know that because it's it's reachable. It's being used and it can be exploited." And so that's one of the biggest things we're doing with Endor right now.

Integrating Endor with the Tooling Ecosystem (Nucleus & Risk Ranking)

[07:33] Jasyn Voshell: Our uh, our development teams like the way it integrates. We did just start in January. Where's where's Lynn? Lynn, when did we start Endor? We've got that in place. Uh, pretty much January, I think. January. February. Yeah. We we replaced it with uh, we had GAS before. Somebody asked what we had before. We had GAS before. Uh, one of the biggest reasons we'd shift out because we had to scan outside of GitHub and you know GAS only does inside of GitHub. GAS, by the way, is their acronym for GitHub Advanced Security. Probably the worst acronym ever, but it's their stuff, not ours. Uh, so the Endor stuff is helping us put that in place and I think um, we also swapped out to another tool called Snyk, just as if you're curious, for our SAST stuff. Um, and the reason was that this reachability, because it does lend a lot more credence to the uh, paying attention. Jerry, now you get a free zebra. So it it does help us pay attention. He's still paying attention, thank you. So it does help us and the developers gain some confidence and trust in, "Yeah, I know that's the case. I know that's a real vulnerability. I'm going to go fix it." Um, we've put that in place. Today we ingest those things into a system called Nucleus. Anybody know what Nucleus is? Who's got Nucleus?

[08:44] Audience: We're trying to get it.

[08:46] Jasyn Voshell: You're trying to get it. That's why I'm here to meet you. Oh, you're the Oh, you're the guy. I thought you were just the hitman coming after me. No, but uh, yeah. So, it's a tool called Nucleus. Uh, what it does essentially—and it's kind of I'll tie this back into Endor in a sec here—it uh all of those different tools I mentioned: HackerOne, Orca, Tenable. I mean, I bet we can name 50 more that you have in your organization today. And trying to accumulate those vulnerabilities is one thing. Two, trying to get them all in one place. Two, deduplicate them, because one tool finds the same thing another tool finds. Then, three, rank them properly. And then, four, go get them fixed. And how do I know which ones to get fixed first? Oh, because the CVE says it's a 10. Does that mean it's the highest risk or does that just mean it's a 10? Nucleus kind of pulls all those things in, deduplicates, puts them in one spot and then risk ranks them based on the asset. So it's kind of a cool thing. I don't want to do a sales pitch for them on Endor's thing, but but it does it does help us. But when those things come in, we're able to take the Endor piece of that and knowing that it's reachable on an asset that's facing the internet, that has sensitive data on it, that's business critical—see where I'm going? Your neck's going to hurt in a second and just keep going—that means the risk goes up and knowing that it's reachable says we have to go fix this now. So that helps drive the the conversation. So not just about is it reachable, but also what's CS on how important is it? And these things this really has helped us fine-tune it and gain trust with our developers. Yeah, there's still some that are out there that are like, "I don't think that's the case." You're always going to have that. But I would say generally for the most part, we're seeing teams really take a hard look at that. We started use this uh in our board report. 
So I send a message to the board uh our directors every quarter and we kind of talk about risk and we have seen, since we put this in place—not saying it's definitely contribut investment if you think of it that way—we have seen the trend drop in our risk across the board. If you take a step back, blow your eyes and go, "Huh, yeah, that that's that's kind of tilting in the right direction," which is what our board wants to see. Yeah, could be different factors, indeed, but the new tools do help us a lot for that. So let me pause for one second and ask any questions, comments, thoughts, answers, donations after them, though. Nobody yet.

Overcoming Adoption Challenges and Customer Conversations

[10:52] Jasyn Voshell: All right. Uh, so what are your biggest like, all of that's great. What are the biggest challenges you're facing right now? Like, what's keeping you up?

[10:57] Audience: Oh, yeah.

[11:00] Jasyn Voshell: The marketing the new marketing person for Endor. She's a total pain in the butt. Uh, uh, I see. So, what keeps us right now? Right now for us, it's the adoption. Uh, we ripped out GAS and nobody likes change. So when you rip it out and getting teams to kind of get back into the smooth of things is really hard. Regaining their trust, having to put the thing into place. You make one misstep when you're deploying a new to uh, a new software and teams just, "Ah, it's all broken. I don't like this. This is horrible. Can we just go back to the way it was?" That's kind of a hard thing for us to do. I will tell you that Endor has been pretty cooperative and right by us while we've been rolling this out and we haven't seen too many hiccups with them. Um, Lynn, that's the guy in the back there, he's my project manager. I think he can attest to, most of the calls or hiccups we get aren't from aren't from Endor. Uh, so they've been pretty good about getting us the right stuff in place. So that's a good question, indeed. Um, yeah. Any other questions?

[11:54] Audience: Not from the marketing event, I'm going to jump quick on it. What we're finding is like we used to think noise people didn't want noise because it kind of pissed off their developers and now what we're hearing more and more is I might lose a customer like so the customer is caring about the customer, it's not even just about the inside, but they're all going like, 'Yeah, I need to do this so that I, like, I'm safe, right? So that I can keep everything flowing.'

[12:25] Jasyn Voshell: Yeah, I I'd say that's uh, I've been caught flatfooted a couple times in front of a customer who's asked, "Hey, we looked at this and we see this." I'm like, "Well, that's not reachable." And that's and but still being able to know that ahead of time and put it in front of them is is relatively important. So we're actually at Zebra standing up a um, kind of a dedicated lab. And Aggie right there, she's a little lady smiling, she's helping us set that up. And she's uh, to help work with so we scan all of our products even just they're in the field uh, so even after they're not just in production, not as they're doing it, all that happens as well. But even after it's in the field, we'll scan it so that when I get in front of a customer, I know what's going on. Uh, and noise, is she's right, noise is in the thing. We don't a lot of our government deals now, um, the cyber uh, where's Sunny? Sunny, Sunny, what's that? The Cyber uh, Resiliency Act? The CRA Resiliency Act is coming in place. Are you doing stuff the right way? Do you have the right process in mind? What's happening with this? So these are important things we have to know about and some of that does help us uh, with what we've got across the tools. Good question. Anybody else? Thoughts, comments, questions?

[13:20] Audience: That's interesting. Kind of drilling into that, um, do you ever hit any issues or do you have a framework or I guess expound as you would like to on the question of like taking some of that insight on like security vulnerabilities and being able to package that up in a way that sales, customer support, customer success can handle? Like, you know, a customer might come to them and say like, 'Oh, we heard there's this critical vulnerability like JavaScript. Like, you guys use JavaScript, right?' Sales guy might not know like on the front end and this the back end vulnerability.

[13:54] Jasyn Voshell: Yeah, that never happens. Uh, James or JT, if I if I may, that your question is uh, spot on and here's here's why. So earlier this year, our chief security officer, so my role I think I'm chief security officer and then we have your traditional CISO and then product security, we've been now we've started this year, we've been engaging heavily with the sales teams on exactly what you said. Giving them some collateral like, "So if we know about it ahead of time, yeah, we know that if you scan that with whatever, we know you're going to see it. Sales team, here's the collateral so you can talk about it in a in a um intelligent way, like in an educated way," so they're not just, "I don't know what it is," and then they try to get a hold of somebody else, then we look as a company that we don't like what we're doing. So getting that information out is a very big part. We've been starting that this year. I call it our sales pillar that we're trying to put in place so that security can be it's not a detriment and when we they get questions they're not caught fly or they're not trying to call every developer in the world. And if anybody's seen um, that movie The Office where the guy's like, "I talked to the customer so the engineers don't have to," right? We don't always want our engineers talking to a customer. Sometimes they either go too deep or they they just say too much stuff and they lose they lose the customer entirely. But if our sales team can go, "Hold on, let me check," pick up a piece of collateral like a little document on it and go, "Yeah, we know about that and here it is." That's something we're trying to get more towards. We've started to do it but we're in we're in early stages. But that was a problem we had come up. Today we got something out on our website and so when something comes out like, I'm sure when Log4J come out, we got no phone calls. 
Um, yeah, we put something out and publish it so that when we could point people to it and point the sales team to it. But I can't do that for every vulnerability that comes across the board. Can you imagine it? It would it would be horrible. And and they get the same thing: "Oh, we heard your product uses as we think." And so we're trying to fight that quite a bit. But we are down that path and we are trying to enable our sales teams. I have calls with sales personally probably two to five times a week and it's generally around something like we're trying to renew a deal. They have questions about, "Hey, we've heard you, what are you doing for your security? Hey, I've heard this vulnerability." And trying to just answer those at a higher level is something we definitely work on. Great question. I liked it. Who else has a question? I'll dive deeper on that. Yes.

[00:16:07] Audience: Do you explain the concept of reachability to them?

[00:16:11] Jasyn Voshell: It depends who we're talking to. So if I'm if I'm getting it just from the C-level person, it's generally just, you know, kind of brush over it and we're fine to go. They start to dive into more details, I'll start to approach it and then I might have to rely on my team to help me out because they're smarter than I am. Good question. The way to set me up to tell them they're all smart. Nice. They are really good team behind me. Uh, anybody else? Questions? Come on, got to be something else.

Prioritizing Reachable vs. Non-Reachable Vulnerabilities

[00:16:32] Audience: So I'm curious on the reachability topic. Curious in your thoughts, how does that uh play into prioritization of actually, you know, updating those packages that may be vulnerable if it's not if it's not reachable? You just be like, 'Yeah, we're never going to update it,' you know, or or is it like, 'Hey, we don't have to fix it today, but next release we want that package updated so it stops popping and seeing it as a vulnerability.'

[00:17:07] Jasyn Voshell: Yeah. Uh, I would say today we're in the go fix the ones that are reachable and there because because there are quite a few. The answer tomorrow would be, "Yeah, that needs to go in the next release or at least two release. You need to have a plan." That's the you know, I sometimes we don't always dictate that much, "Shall fix it tomorrow." It's, "When can you fix it? Give me the plan now, just just hold to that." So that if I get a call from a customer, you know, "Okay, you got that. Yeah, you're aware of it. When are you fixing it?" That's like the next question out the door. And I can say, "Uh, December 30th." And so they'll they'll know. But today it's, "Let's get the ones that are reachable," because there's no argument if a customer sees it, if a hacker sees it, it's going to get tagged. So we don't want that to happen.

[00:17:48] Audience: And are you leveraging also like the ones that say aren't reachable and they're planning? Are you leveraging impact analysis to understand saying, 'Well, that one has quite a bit of impact. I think we're going to schedule that like three releases out.'

[00:18:29] Jasyn Voshell: There's a lot that has to happen there. It's part of the part of the Nucleus risk score. Like, so it takes that impact because it takes what assets it on. Like if I have that vulnerability on a server that's in a closet that's on my internet that nobody who cares, like you can't get to it, the risk is low. I take that same vulnerability and put it on a server that's internet-facing, right? Higher impact, higher risk. So we do categorize those. The reachability part pushes it to the top even more along with all that risk based approach and then teams have to fix it like they have to stay below a certain threshold so it has to go in the next release. It's just part of our our vulnerability stuff. I don't think we're that advanced yet. Okay. Yeah, good question. It's a feature. We again, we just started rolling this out in January or so. So, step one, get the teams used to it. Step two, get all the things that are reachable. Step three, something along those lines. Yeah. Quite not quite as mature as we'd like to be, but we're getting there for certain. Who else?

Advanced Security Topics: Customer Trust and DAST Utility

[00:19:08] Audience: Have you used like you talked about the reach the what? Reachable? Yes. Uh, but when it's not reachable like have you used that to convince a customer like I face a lot of that like and has that helped? I know these guys have something called Wex, but then when we talk to customers or like they don't know what—

[00:19:48] Jasyn Voshell: Yeah. So uh, if anybody didn't hear me, we kind of asking so, do do you use the fact that it's not reachable to convince a customer or anyone really? I I'll kind of take a big step, convince anyone that, "Hey, we don't we don't really need to fix that right now." That almost ties into your question a bit. I have on two occasions, I can count them on one hand. Um, it was a difficult conversation because they don't know the tool. They're not sure how do I know that for how do I know that you know this industry standard tells me it's a CVE-10? Or it's a hard conversation. We dove into it. I was able to convince them, but it was not easy. Oh, um, I just put my size 12 boot on and No. It took a lot of um, it took a lot of convincing and one of the cases we actually kind of showed like got in, showed them, tried and like, "This isn't being called." I actually had to open the hood up, which means I had to get legal involved and that was not an easy thing to do. But after we did it, they were like, "Oh, oh yeah, you're right." And now every time I talk to that customer, it's not a problem. Like I I got that trust built the first time, but it was very difficult to do. The other one was just it we just talked and we talked and we talked and we showed them. Literally we pulled it back and forth. I think I called Jake, uh, one of one of their guys from State Farm, uh, thank you, uh, and to see how we would work on that. So that that kind of helped, but it was it was hard. I'm hoping that gets easier as it it kind of goes through, but yeah, not not not simple. I like it.

[00:20:58] Aggie: How how much um customization to policies and rules and have you done thus far?

[00:21:09] Aggie: Not much. Not much. We're kind of just using the tool.

[00:21:13] Jasyn Voshell: Okay. I don't know how much customization that there is available. I'm sure people can talk about. Seen a need for customization. We really haven't. It's out of the box, turn it on and let it go and it works great. Super good.

[00:21:35] Audience: You said you're using something else for SAST. You're not using—

[00:21:38] Jasyn Voshell: Yeah, Snyk. I mean, I'll say that, yeah. And the biggest re I mean, Snyk, if you're familiar with it, it does do SAST and SCA and other things. I'll just leave it at that. Uh, the biggest selling point with the Endor was the reachability. That was not in Snyk. Y uh, they started to kind to do it, but it's like, you know, if that's if that's elementary school, they're in doctorate college or whatever. Uh, so it's there. There's, but you know, that GL gap might close. I don't know what's going to happen. But there's also a lot of the things we're using with them. So, um, yeah, good question. I like it. Anybody else? Going once? Roy Kent. You look like Roy Kent from uh God, it's been driving me crazy sitting here the whole time. Just hit me. L the face look like Roy Kent a little bit. Yeah, please don't yell at me, though. Um, anybody else? Any questions or comments? If you want to catch me after, that's fine. Um, she's got my email address, my phone number. It's on the bottom of my signature block. If you've got a card, if you want one. I do have a couple extra zebra plushes over there. People didn't fall asleep as much as I thought they would, so I didn't throw them. But if you want to grab one for your kids or for yourself or your dog, please feel free. Um, and again, catch me on LinkedIn: Nucleus, Snyk, Endor. Anything you want to talk about across the board, I'm happy to do it, especially when it comes to like some custom items as well.

[00:22:56] Audience: Huh.

[00:23:03] Jasyn Voshell: Yeah, I just laid off my GRC guy. Hey, Sunny. Sunny. Sunny does uh, Sunny's very very good in technical. He's our GRC person, but his background in like containers and cloud is is beyond reproach. So he helps us a lot with a good piece of that. Great. I think the only person I didn't mention was Keith. Keith, I don't think I And then Keith Bass. Keith runs our DAST tool. So we while we're talking about on the all the different tools we've got. So we purchased Invicti uh last last year. We had a lot of tools we brought last year. What? January? December? Yeah, we bought that. So, uh, he's he runs that tool, uh, and because Snyk doesn't really do that and Endor is not, we kind of went with that piece. So, and we're bringing all these things into Nucleus. So you can see our tools, right? Snyk and Endor and Invicti and Bug Bounty program with HackerOne, Orca, Tenable. What am I missing? Freaking everything else in the world. So, any we're bringing all that stuff in into Nucleus, which helps us do the risk racking, which helps us put the right thing in place, which helps us do all plus our plus our manual pen test. So we also have a pen testing team that Aggie and Keith are both on. So we pen test products, not just before they go out the door, but even during development. We'll do micro pen tests, cross it and Yes, we'll use that for our SDLC measurement. Yeah, we'll use that too. So, yes.

[00:24:24] Audience: Okay, it's actually really interesting about DAST. I feel bad because I have to run like now, but soccer game. Is the DAST tooling even useful? I have really tried to like operationalize some kind of DAST scan and every single finding I get, I'm like I could have just had a just look at the code. I just looked at our like deploy scripts.

[00:24:49] Keith: Keith, actually, use like it's more of like it's like quicker than doing like a pen test. So that's useful in that regard to like, if like say customer like, 'Hey, we need that, we need to scan it quickly for like some type of release.' Like, it's useful in that way, but like you're right in the way like the vulnerabilities you find is like meaningful is like a penetration testing vulnerability would be like it'd be like a random like low like security or missing or something like that. So I guess I see what you're saying in that regard. I'd say it's useful. It just depends on what you use for, I guess.

[00:25:12] Audience: Okay, that makes sense. So it's more like it's useful as like a very fast pen test versus like very slow and then like also with like the DAST, you can like schedule it out like have it do it like in the background. Pen test, like schedule it out, have like a pen do it within the DAST like it'll like say I want this specific product tested once a month or once a quarter for example, you know, it'll do it by itself like you want to do any manual, it'll do it by itself. So like if they have like any update with the solution or anything like that, like they just scan it automatically. So like and the reports be emailed to them manually as well or not automatically as well. So it's useful in that. So it's automated rather than manual.

[00:25:52] Audience: Yeah, exactly. I've also found it useful as like a starting point in pen tests. You just run a couple scanners, run Burp Suite, run your DAST.

[00:26:05] Jasyn Voshell: Yeah, exactly. And we do have customers that require us compliance things. So even, so there's your useful part. But also you heard everything Keith and Aggie just said. Does it does help them a great deal, so they recommended it. Awesome. If you need to pop out, thank you very much. Any other questions, comments?

[00:26:19] Audience: So I have a question. Helping a company that is in the development space and they literally build hundreds of apps. So what we're talking about here is like what we've all been doing like traditionally in the app development space and finding vulnerabilities, fixing vulnerabilities and that kind of thing. But how do you view moving to a scale where literally AI is building hundreds of apps a day and you want to make sure they're secure going—

[00:26:48] Jasyn Voshell: How do I view trying to keep up with AI? What you're essentially asking, specifically for app development? Yeah, yeah. Uh, so my answer is going to sound a little bit like probably Terminator is, sometimes you have to battle AI with AI. Uh, right now Keith does a pretty good job. Our team's doing it manually, but as that starts to build faster and faster, you there may be a point where it's going to have to be an AI offensive to combat how some of that's working around. It's a that's a um, very interesting space and it's a and that's a it's sometimes it's scary and sometimes it's like, "Maybe that can help us." It's just the you know, responsible use of it. Thank you.

[00:27:29] Audience: I think there's a tool called White Rabbit that people are using. Execute a bunch of trees for you. I found it to be really useful, not for like LLM pen testing but for like pen testing the apps that I think that's called.

[00:28:05] Slater: How are you in CI/CD or using the SCM integrations?

[00:28:06] Jasyn Voshell: CI/CD. Like that was an easy answer. Anybody else? Going once, going twice. All right, thanks. Jen's got my contact info if you need anything. Otherwise, there's some more food over there. Enjoy, grab a drink and we'll see you around Black Hat. Thank you.
