Welcome back to “Osom to Know”! In today’s episode, we’re diving deep into the intricate world of website security and the emerging challenges within the tech landscape. Joining us is Oliver Sild, co-founder of Patchstack, to break down a range of critical topics, from social engineering in cybercrime to the surprising vulnerability of Gen Z to online scams.
We’ll explore how AI is both aiding and complicating cybersecurity, look at the implications of the forthcoming Cyber Resilience Act, and discuss the issues around WordPress plugin security. Oliver will shed light on some persistent myths about website security, the ramifications of the Cyber Resilience Act for software developers, and the ways Patchstack is leading the charge in vulnerability disclosure programs. We’ll also touch upon the stark realities of modern cybersecurity threats, from abandoned open-source libraries to the thriving underground market of cybercrime driven by financial motives. With Oliver sharing concrete examples and explaining the regulatory shifts, get ready for a session that probes the future of digital security.
Oliver Sild [00:00:00]:
If you take an average WordPress website and you look into the percentage, if you take, like, all the lines of code, in many cases, you have a lot more code in the plugins. It’s the best example of where not to do it, because it’s not that you are building this code for yourself. You’re essentially building this code for other people to install on their sites.
Maciej Nowak [00:00:20]:
Hello, everyone. My name is Maciej Nowak, and welcome to the Osom to Know podcast, where we discuss all things related to building great websites. In this episode, I talk with Oliver Sild, co-founder of Patchstack, about many security-related topics. We start with typical misconceptions about the security of your website, the state of and reasons for the security status quo, and the incoming Cyber Resilience Act that will cover all European Union companies. Then at the end, Oliver shares some exciting news about the future of Patchstack. If you don’t want to miss new episodes and keep learning more about WordPress, subscribe to our newsletter at osomstudio.com/newsletter. This is osomstudio.com/newsletter. Without further ado, please enjoy my conversation with Oliver Sild.
Podcast Co-host [00:01:18]:
Hey, everyone. It’s good to have you here. We’re glad you decided to tune in for this episode of the Osom to Know podcast.
Maciej Nowak [00:01:25]:
Hello, Oliver. Great to have you on the podcast.
Oliver Sild [00:01:28]:
Hey, man.
Maciej Nowak [00:01:30]:
I had one piece of feedback that it would be good to start with, let’s say, getting to the things. Right? So I would like to start with something a little bit more concrete, and I would like to ask you about popular misconceptions about security. Because this conversation will be essentially around security, and I would like to start with something a little bit useful, maybe. So what are the popular misconceptions about security?
Oliver Sild [00:02:00]:
I would say, like, one of the very popular ones that we’ve seen over time is that people, especially in the WordPress ecosystem, are saying that, you know, your websites are completely secure and safe as long as you run updates. So we’ve seen a lot of people saying or, like, recommending to others that, oh, you don’t need any security solutions. Just keep the plugins updated. Right? Which is not necessarily, like, very good advice, because if we look at the data, then around 30% of security vulnerabilities are not actually getting patched. So from the WordPress admin panel side, you will see that all the plugins are updated, but in fact, a plugin has a security vulnerability which is not patched. The same thing applies to abandoned plugins. So what we see very often is also the WordPress plugin team closing down plugins that have been abandoned or where the developer is not responding or anything like that. They can actually close down that plugin so you can download it.
Oliver Sild [00:03:05]:
But on the WordPress admin panel, nothing is being shown. Like, it just says that, you know, everything is up to date. You’re good, basically. So, again, I think just telling people that, as long as you basically have all the updates turned on and, like, you know, if you update plugins, you don’t need to use any kind of security solutions, I think that is one of the, kind of, like, most widespread myths that I’ve seen.
Maciej Nowak [00:03:34]:
When I’m hearing this, it seems like an obvious thing, I think, to change in the plugin repository, because it’s very dangerous: you are in the unknown. You have no idea. You have a problem. And, like, okay, if the author of the plugin doesn’t, you know, update the plugin, then that’s one thing. But if the plugin repository has taken an action and removed that plugin, you have no way to update it.
Oliver Sild [00:04:04]:
You don’t even know that you have an issue?
Maciej Nowak [00:04:06]:
Yeah. This is the worst part. This is what I mean. And you are first to be in the unknown. Like, how else will you know? Will you go through all of the list of plugins and see which one was updated a year ago or two years ago? Like, my first question, I’m very surprised. Like, I wasn’t aware of that. And when I’m hearing this, this is, like, obviously stupid, that’s the... Stupid. Yeah.
Oliver Sild [00:04:32]:
Yeah. I was giving a talk, like, everyone can look into this talk I did in Athens at WordCamp Europe last year. And this was actually one of the highlights I did on the talk as well. I talked about this problem that we have in the WordPress ecosystem where we have such a huge number of plugins that have been built over the years. And there is a large part of that which are completely abandoned. Someone made, like, a, you know, a hobby project. Maybe they moved on. Maybe they are not even, you know... Alive.
Oliver Sild [00:05:05]:
Related to that as well. Like, it’s a morbid take on that, but, like, it’s true. They might not be alive. They might not actually be having any connections to WordPress whatsoever. But they have, you know, these plugins have thousands and thousands of active installations still going strong on websites. Right? So I think this is, like, a thing that needs to be looked into by the WordPress core specifically, because we already have that information on the WordPress plugins repo that a plugin is closed, for, you know, it’s discontinued, it’s abandoned. Like, we even have the markers, like, you know, plugin is closed due to security reasons and things like that, which is great for the hackers to look for plugins that are being closed. Right? But the people who actually need that information inside of the WordPress core, who actually, you know, maintain the websites and so forth, they are not getting this information, because this information is not passed through into WordPress.
Oliver Sild [00:06:05]:
So, yeah, I had actually, like, a separate slide for that at WordCamp Europe in Athens and a QR code that linked to a Trac ticket to get this actually sorted out. So, yeah, so far it has not been properly solved, because I believe they had a blocker with the API or they needed to change something on the WordPress API. So...
Maciej Nowak [00:06:29]:
But right now, it serves the exact opposite actors. That information serves the exact opposite actors in that field, I guess. I, like, again, I think that if this is open for a year, you’ve been talking about this in Athens last year, and it means it was already prepared by you sometime earlier. It’s more than a year. Like, you should have asked Matt the question, you know, where is the, like, where are we with that issue? We are just, you know, serving hackers, you know, when there is Matt speaking, there is an open questions session. I have a feeling like this is the moment when you get things done. I think Matt directly.
Oliver Sild [00:07:12]:
I think this year someone did, and, actually, Marcek from our team, he was the one who actually created, like, a script for it as well already. So he, you know, went hands-on and he created a solution for that, like, at least something that basically pulls information into the WordPress core to show the same information that is being shown on the repository about the plugin being abandoned or being closed down for security reasons. Right? So I think it definitely got some attention. I think it also got Matt’s attention this year, but we’ll see. Like, last year, it also got a lot of attention, but it never got anywhere. So, yeah, I think, hopefully, we will get this solved, because I think this is a very important thing, and we also need to take into account the WordPress ecosystem in terms of security. We’ll need to change a lot over the upcoming years because of the new Cyber Resilience Act that is being introduced in the EU, and how actually plugin developers need to start maintaining their plugins and actually act as manufacturers in that sense, in the law sense, and what that implies, you know, and what they need to take into account of how they can even release. For example, they can’t release security fixes together with functional releases anymore, and there’s a lot of rules that come into play.
Oliver Sild [00:08:31]:
And that means that wordpress.org needs to become, you know, they need to support that kind of a change. Right? So you would need to be able to mark different updates as, you know, a functional update or a security update, for example, because that is what the law is asking from the plugin developers, so they can’t really do that unless the repository makes it available for them. Right? And the same thing applies to this abandoned thing and, like, all these kinds of issues. So...
Maciej Nowak [00:09:03]:
Yeah. I will want to dig deeper into cybersecurity act later in the conversation. But also I would like to ask you, we covered a little bit the misconceptions. Is there anything else that you would like to add to this topic of, like, misconceptions?
Oliver Sild [00:09:17]:
It’s probably not that much of a misconception, but I’m just like, WordPress is more than 20 years old already. Right? And, like, security has been part of it the entire time. My question has always been, like, if there have been companies working in security, why has nothing gotten better? Like, why have things been pretty much the same the entire time? And I think there’s one of the reasons behind that. It’s not a security misconception, but I think it is like a collective lack of security awareness or collective misunderstanding of the core basics of security where, you know, in WordPress, getting hacked is almost, like, hyper-normalized. Right? So it feels like it’s such a regular thing to get your WordPress website hacked that it feels just like a, you know, a regular Tuesday. Right? And then the thing is that the solutions that are promoted in the ecosystem as the most popular security solutions are not the ones that prevent you from getting hacked, but instead the solutions that would just kind of fix that up for you as fast as possible without actually dealing with the core consequences, why the website was hacked in the first place. Yeah. Right.
Oliver Sild [00:10:38]:
Like, comparing... Yeah. Exactly. And I compare it a lot with, like, an analogy of investing into, like, a very shiny golden bucket to throw the water out of a sinking ship. So that’s where the WordPress ecosystem is right now. Like, most of the security solutions on the market have been those golden, like, very fancy golden buckets that you just use to throw water out of a sinking ship as fast as possible, and then they make this bucket bigger and faster and, you know? But, like, nobody has been, like, you know, just making sure that the water doesn’t get into the boat in the first place. Right? So I think this is something where WordPress has been, I think, a little bit behind in terms of, like, the majority of the security solutions available in the ecosystem. And it’s not necessarily a misconception, but it’s kind of like...
Maciej Nowak [00:11:27]:
Is it because it’s open source? Everyone can contribute. And because of that, there are better and worse, you know, players in that field. Is it, like, because everyone has such big freedom and everyone is invited, and since, you know, there’s a certain number of people that will make mistakes and they are not called?
Oliver Sild [00:11:48]:
I mean, it’s 100%, like, with freedom comes responsibility. Right? But the problem in the WordPress space is that nobody has really taken the responsibility. So, you know, you give freedom, but responsibility is, you know, not being properly distributed. And I think this is one of the reasons. So, like, as an agency, if you’re building a website for a customer, you have the freedom to build whatever they want, and the customer has the freedom to own that website essentially, choose wherever they want to host it, you know, use whatever software there is, and, like, you can do anything with WordPress. Right? It’s, like, 100% customizable to, you know, the last bit, basically. But what is not being done properly is giving the information of what comes with this freedom. And this also has not been going down from the agencies.
Oliver Sild [00:12:38]:
I still see a lot of agencies who build websites for their customers. They hand it over. The customer doesn’t even get admin access, or sometimes they do get admin access. To be honest, it’s even worse when they usually get that admin access. But the problem is that they are not being told that they need to maintain it. They are not getting any kind of... they are told how to change content on the website, but they are not being told how the maintenance should be done on the site. Like, what needs to be updated, what you should, you know, kind of, like, keep an eye on. Like, how to technically keep the site running, essentially.
Oliver Sild [00:13:13]:
The only thing that is being looked at is, like, you know, how great it looks, like, you know, how to change content and things like that, but, like, everything else is, you know, being pretty much ignored. So I think that’s what I mean by, you know, the responsibility not being properly distributed to those who actually need to, you know, do that. So, I mean, yeah. And I think it’s the awareness, for that reason as well, that has not reached the people that it actually should have reached. Right? So that’s why you eventually have the customers coming to you with, you know, a hacked website, essentially. And what they understand is that they have a problem. They have a site that is redirecting somewhere else, has malware, things like that. For them, the solution is to clean it up.
Oliver Sild [00:14:03]:
Right? So that, I think, has, on the other hand, created the situation where on the market you don’t have awareness around the responsibility of a site owner. Like, what is the responsibility of owning a WordPress site? Like, the fact that you need to maintain it and things like that. If you knew about this responsibility, you would maybe also look for solutions that would, you know, basically help you do that in an easier way and things like that. But since there has not been this kind of responsibility or, like, awareness around that responsibility, then what you end up with is customers who essentially realize that responsibility after they have already been breached, which has created the demand on the market for malware, kind of like malware scanners, cleanup services, things like that. So, and then, yeah, like, wherever there is market demand, there are solutions. So I think the fact that the majority of the WordPress security products or security companies have been pretty much, like, only focusing on malware cleaning and, like, malware scanning and things like that is for that exact reason. Right? Okay.
Maciej Nowak [00:15:13]:
I also have a problem with code quality, I would say, in the ecosystem. Because WordPress is so inviting that everyone is invited. And this comes at the cost of people not doing, like, very good programming work, introducing bugs. Like, I have a problem with this because, again, we see websites of clients that come to us, and I see this, like, firsthand. And I have no solution to this, because it’s like, WordPress is for everyone to do everything. Right? And I have a feeling you can’t address this security issue because, like, the majority of people will get websites from people who don’t know how to program. They know how to build websites based on existing solutions, plugins. They are builders, but they are not developers.
Maciej Nowak [00:16:12]:
And unless the tool that they are using to build from existing blocks will be, like, nearly perfect, while working together on one solution, which is the website, we won’t get it solved for, like, forever. It’s like we are stuck with this situation, and we have to accept that this is a little bit messy and insecure. And then WordPress gets a bad rep for that, like, naturally.
Oliver Sild [00:16:39]:
Yeah. But, like, if you think about, like, if you take an average WordPress website and you look into the percentage, if you take, like, all the lines of code, and then you take the percentage of what this website actually consists of, then in many cases, you have a lot more code in the plugins. So is it even WordPress then? Like, you know, if you start taking a percentage of the code base, who is behind that code base? Like, we see, like, on average, websites have, like, 20 plugins installed, something like that. You know, it goes up and down. But, essentially, like, even if you have, like, Elementor and then you have, like, some, you know, I don’t know, form plugins, different kinds of caching plugins that come with huge, like, JavaScript libraries, things like that. So you will end up with the site actually having more code from plugins than from the WordPress core.
Maciej Nowak [00:17:46]:
Even WordPress core will be smaller than all of the plugins added?
Oliver Sild [00:17:51]:
Like, yeah, like, I mean, yeah. Like, we’ve seen websites which use a lot of, you know, they use, like, we have situations where there are, like, hundreds of plugins on the site. So the question is, like, okay, what is the percentage of the code actually then, you know, from WordPress core compared to all of those different plugins that happened in Slack?
Maciej Nowak [00:18:14]:
Do you have any stats on that? That that’s interesting.
Oliver Sild [00:18:17]:
We haven’t done, like, specific stats on that, but, like, we have looked into, like, examples like that where the core, like, the size of the code base of the core is actually less than all of the plugins that have been installed. It depends on plugins, obviously. Like, some plugins are, like, massive, like, you know, WooCommerce, Buddy... what is it called? Like, BuddyBoss? BuddyBoss. Yeah. Buddy... yeah. Like, so there are, like, those different plugins. Some of them are very large. Some of them are very, very small.
Oliver Sild [00:18:48]:
But, like, if you add them up, like, if you have 20 of them, right, so it will add up. So, I mean, the issue, what is funny actually about the code quality thing also, is the dawn of AI. Right? So I remember when it came out, like, when Copilot was starting to get popular and, like, when people were realizing, like, oh, you can actually make ChatGPT write code for me. And then we saw on Twitter and, like, in different places where people are like, hey, look. Oh my god. Like, you know, I got this, you know, AI-generated WordPress plugin for me. And, yes, it is functional, like, to some extent. Like, you know, it generates a plugin which does, you know, what you asked it to do when you click on a button.
Oliver Sild [00:19:37]:
But then you look at the code and then you’re like, oh god. We’ve seen AI make up WordPress functions, like, basically refer to functions inside of WordPress core that don’t even exist there. They copy... well, AI is basically trained on Stack Overflow. So Stack Overflow has had already before a lot of issues with having very poor recommendations given to people, where it basically recommended to, I don’t know, use some vulnerable scripts and things like that. So all these things are what has been, you know, used to train the AI. So now, essentially, people who, at least in Stack Overflow, people who use that, they had to understand what this code is doing. Right? So they had to use this piece of code and, like, combine it with their own code and things like that. And now you use AI, and the people who use it, they only think... the only quality check that they can do, that they are capable of doing, is the functional check.
Oliver Sild [00:20:40]:
Right? If I click on this button, does it work? But they don’t look into the code because they don’t understand it anyway. It’s generated by AI, and then they push it into the WordPress.org repository. So, yeah, unfortunately, with AI, AI is trained on very mediocre code, or even very poor code, which has been available online. So, instead of having AI contribute to security, I think it’s going to at first contribute a lot to, like, poor security because of all of those, you know, mistakes coming, you know, popping up. Even, like, very old vulnerabilities that we haven’t seen for a long time are now popping up because AI is basically trained on this old data. So...
Maciej Nowak [00:21:28]:
Excavating them from history. And even before those, like, solutions with AI to generate your code, there were problems if you were, like, copy-pasting without, like, thinking about what you are doing, copy-pasting code not even from Stack Overflow, but from other, let’s say, tutorial pages, solution pages. I came across something like, someone was advising very highly not to do this, because there are websites where you have a solution which you see, then you copy-paste some command to the terminal. And because there were very, like, white letters, like one-point font, malware code between the letters, you basically were, like, executing commands in your terminal as an admin to be, like, please get me hacked. Right? Because you weren’t seeing what you were pasting, because it was copy, paste, enter, run. Right? So even then, there were websites providing code with malware hidden in plain sight, basically. And if you ran the stuff that you didn’t understand, you could get hacked. And now I’m pretty sure it is also in that, let’s say, training model for ChatGPT, all that malware is there too.
Oliver Sild [00:22:51]:
Yeah. Probably there is. Yeah. I mean, I’ve seen, so we are in a Google program. Right? So we are in the Google AI cybersecurity program. So Patchstack was selected there because of the amount of data that we have. But Google has shown us, like, all of the things that they have tried to basically build with AI, like the problems that they’ve tried to solve in terms of security, like patching code, things like that. And it’s, you know, like, large language models have their limitations.
Oliver Sild [00:23:26]:
Like, it’s been said that at one point, you know, you just, like, don’t have enough data anymore, like, publicly available data anymore, to keep training those models. And the problem is that it kind of, like, dumbs down over time, because it basically has to get more and more lower-quality data for training and so forth. So when it comes to code, you know, there’s a lot more poor stuff out there than the good stuff, and, like, the ability to make a difference, whether, like, the good is a good thing and bad is a bad thing, is based on, like, you know, how much there is of one of it on the web versus the other. Because if there’s a lot of bad code on the web and there is a small amount of good, then it might feel like, okay, actually the bad one is the good one and the, you know, the good one is the bad one. Right? So there are a lot of challenges, I think, that will come into, like, the programming thing. And the worst, or, I guess, the most dangerous thing in my opinion is the fact where people who have no understanding of coding will start using AI to basically push... It’s already happening. ...code into production.
Oliver Sild [00:24:40]:
Yeah. It’s already happening, and it’s the scariest part. But for those...
Maciej Nowak [00:24:44]:
people, it’s like enabling. They are super happy. Yeah. You know, and as long as it’s used for your own purpose on your own computer without looking, you know, daylight, and you can automate stuff without doing any harm, that’s fine. But it’s like, you know...
Oliver Sild [00:25:01]:
To make others... real... like, especially WordPress plugins. I mean, it’s the best example of where not to do it, because it’s not that you are building this code for yourself. You’re essentially building this code for other people to install on their sites.
Maciej Nowak [00:25:17]:
What about open source, I don’t know, small libraries, small projects that can be used by other people? This is also a similar case where it’s not working for the customers, but, let’s say, other developers. So I guess this is less, like, less damage done because, potentially, someone will have a look at that library. But then, you know, how many people did read the actual, you know, open source repository code of a library doing, like, a button on iOS or a button somewhere else or, you know, in Laravel, let’s say. Because we’ve got, like, those, like, big code snippets, basically, which are small libraries, open source. But, you know, yeah, you inject some code there, and then, you know, it’s populating to all of the other software.
Oliver Sild [00:26:03]:
Yeah. I mean, this is happening already. Right? I mean, there is the... like, and that actually also, kind of, if we talk about the security risk of... we’re talking essentially about supply chain security here. Right? So, if we talk about the security risk in a more general way, then, for example, like, abandoned plugins are a very big problem, because if a plugin is getting a... I think there was, like, this XZ or whatever it was, like, the Linux kernel issue. Right? So, yeah, the recent one. Yeah. So the problem there was that the original developer was just so tired of building it essentially alone. Right? So it had a lot of people, like, this library was put into, like, all different places, but, like, it was all basically on the shoulders of a single guy.
Oliver Sild [00:26:58]:
And he was looking for help, and he was, like, getting, you know, so tired of it that he was, like, pretty much, I think, close to, like, kind of, like, quitting on that project. And then some guy came, like, hey. Like, I can help you out. Like, I can do this and that. And what he did was, he, like, maliciously took it over and added, like, a backdoor into it and things like that. So we need to be aware that this can happen also in the WordPress ecosystem, because there are even more of those components. Some of the plugins have, like, hundreds of thousands of active installations, and yet they’re completely abandoned. If someone would be taking those plugins over, then, you know, they can essentially, you know, just push, like, a remote code execution vulnerability in there.
Oliver Sild [00:27:42]:
No one would notice, and yet they have basically access to, you know, a lot of sites. I’m more than confident that this is already happening actively. But, I mean, a lot of those vulnerabilities are basically just kept as, you know, 0-days for the hackers to use whenever needed or whenever they get installed into a site that they want to actually, you know, get down. So, I mean, yeah, like, this is one example of, like, how the abandoned plugins can be used for that as well, but then there’s also, like, supply chain security specifically, where you might have introduced, if you introduce a vulnerability in, like, a library that is being used by another library and so forth. So, like, if we look at the data from the past or the last year, one of the highest numbers of vulnerabilities was actually related to Freemius, because Freemius had the SDK, which is installed in, like, 1,200 plugins. So a lot of plugins, and it had a cross-site, I think it was a cross-site scripting vulnerability. And now you just find one vulnerability in one library, and then you realize that, okay, this library is being installed in 1,200 plugins. And then those 1,200 plugins are installed on, like, millions of websites.
Oliver Sild [00:29:04]:
So you can see how this is basically just, like, kind of, like, a Exactly.
Maciej Nowak [00:29:07]:
Wonderful. Wonderful. Yeah. Yeah. Yeah.
Oliver Sild [00:29:10]:
And it’s quite insane. Yeah. And this can get even, like, deeper. Like, Freemius also is using libraries, like, other libraries within their own plugin, and those libraries are using additional libraries. And this is also one of the reasons why, yeah, there’s more regulation also coming to the software supply chain side of things, and SBOMs and things like that are... Right. ...becoming necessary.
Maciej Nowak [00:29:33]:
Let’s talk about this in, like, a second question. I wanted to ask you a last question around that security part. Where is the boundary between your own, let’s say, security measures? Like, what’s the boundary between security measures for your website and where your own, like, personal security measures on your computer are going to influence your website? Where does the boundary lie?
Oliver Sild [00:30:04]:
I don’t think that there is a boundary, to be honest. I think it’s all the same thing. I mean, a lot of websites, all the WordPress websites, are also getting hacked because of session hijacking or, like, basically, cookies being stolen from the devices. So there’s a lot of malware that is being injected from the browsers, places like that. So every time you log in somewhere and you have, like, an active cookie, the cookie is being sent into a feed that is then basically harvested by the hackers as a live feed of cookies or sessions, active sessions, I would say. And then they can log in, install a plugin, take it over. Very common technique. Your password didn’t leak.
Oliver Sild [00:30:43]:
You didn’t have any vulnerabilities on the website, but you still get hacked. Right? So, yeah, your personal device security also plays a huge role in that. Password management plays a huge role in that. You know, two-factor authentication, all that kind of stuff is very important. You know, I think it’s the basis of, you know, having security for your company even, or whatever the website is basically serving. And the website, on the other hand, acts the same way back to you. Right? So if the site is getting hacked, you know, it can be used to basically send, like, very, very, like, truthful-looking scam emails from your own domain to you, or, like, send emails on behalf of you, because, you know, if the website sits on the domain that you have the same email with, then you can spoof emails and things like that. So there are a lot of things where the website can also be used to kind of conduct additional attacks against you. So I think we need to look into this, like, holistically, like, the big picture, and it’s all like a singular kind of, like, security posture rather than, like, kind of, like, drawing lines between them.
Maciej Nowak [00:31:57]:
Sounds like a lot of work to cover all of those avenues.
Oliver Sild [00:32:03]:
Yes. And the sad part is that if it sounds like a lot of work, a lot of people will just ignore it. But I think, yeah, that is why we actually need security companies in this space as well, because for everyone to do it well is not reasonable, to be honest. Like, it would be unreasonable to expect that every person on the planet will build their own home. Right? I wouldn’t want to build my own home. I want to have someone build me a home where the ceiling does not hit my head the next day. Right? So it’s the same thing. You trust people who have devoted their entire life to doing it in the best way, and then you trust them to take part of that, so you can, in your life, devote your energy and time to something that you care about the most.
Maciej Nowak [00:32:58]:
Your expertise. You have your own expertise. At the same time, the security companies are on the rise. And spending on cyber security is growing, obviously, since the Ukraine war. But even before that, it was already rising. Now it’s rising very much, all of the spending on cybersecurity, more attacks. Like, the war in Ukraine has shown that hacking companies, hacking, let’s say, countries by hacking companies or institutions within that country, is a powerful tool. And then there is espionage and intellectual property theft.
Maciej Nowak [00:33:42]:
Maybe less so for general users, but still this concern. And with AI, it will get much easier to hack other people, because you can already easily write, okay, a vulnerable plugin, which is not perfect but works, that button will flash that bulb. In the same way, you can use that to find vulnerabilities on someone else’s website. You know, you are a script kiddie, basically, but still, new actors are entering the space potentially.
Oliver Sild [00:34:19]:
Absolutely. I mean, it’s a good time to be a script kiddie, because you can...
Maciej Nowak [00:34:23]:
The best way. Yeah. Yeah.
Oliver Sild [00:34:25]:
Yeah. But, yeah, I think, eventually, what cybersecurity is all about is essentially money. Right? So the question is, is there money online, and is it possible to somehow get it? As long as there is an option to basically do something that you’re not supposed to do and get money with it, that’s how long we are going to have cybercrime. So everything, like, why are WordPress websites getting hacked? It’s money. Someone is taking over resources that someone else is paying for so they can use them for their own good. Redirecting traffic, infecting the users they have on the website, hosting malware on the website, hosting phishing pages on the website. Even mining crypto was a thing at one point. You can do anything, really. And it all boils down to how it benefits them, and they are all after money. And one of the things is obviously, yeah, the war, and even during COVID we already saw a significant spike in hacking incidents and attacks and things like that. But I personally think that the main driver behind how bad it is is the economy. If the economic situation is getting worse, we will see more hackers, or, you know, we can easily call them technologically advanced thieves, who come for your money. They don’t have money, so they go and figure out a way to get it in ways they should not be getting it, or, yeah, they abuse their skills to basically get what they want. So I think this monetary motivation only gets worse as the economy is struggling.
Oliver Sild [00:36:38]:
And, honestly, right now it is a time where the economy is very, very shaky. So that is why there are a lot more of those threats as well, why there are a lot more, I would say, attacks and different kinds of things. But then, obviously, war, which is more about... I would say, for war, years ago cyber security was talked about as, oh, that’s where all the war is going to be happening and things like that. I’m not entirely sure about that. I think, with OSINT, the world has moved into an open way where you don’t really need to hack someone to gain access to some sort of personal information, because everyone is putting their information online anyway. The old school spies, you know, GCHQ and NSA and so on, they get a huge amount of their stuff just from OSINT. You don’t need to be a spy anymore and fly to some other country and wiretap and listen to things. It still happens, but you don’t need to do that as much anymore, because it’s so much easier to just listen to people and things like that. And, obviously, on a governmental level, using malware and things like that, things are a lot less advanced than you might think. Very often, you just infect devices, you reroute signals and things like that.
Oliver Sild [00:38:17]:
You listen to signals. You decrypt information, things like that. But the information is very often there. I remember at one point everyone was talking about Stuxnet. Right? For example, this power plant being infected with malware, and you could basically make a boom, or hacking power grids and stuff like that. But it’s not that big of a thing anymore. We see in the Ukrainian war that the thing everyone is basically hyped up about is drones, actually. And it’s not about hacking into, I don’t know, some power plants or the energy grid or things like that. I’m sure people are trying, but it’s a lot harder than one might think.
Oliver Sild [00:39:05]:
And the benefit might also not be... the amount of resources you need to put into it to make this happen versus the benefit you get out of it is not that linear. So...
Maciej Nowak [00:39:18]:
Mhmm. Yeah. That’s true. On that spying thing, there is a network of spies, basically, that was arrested last week, I think, in Poland. And they started with monitoring the border crossing, and there was a camera with a SIM card that was uploading what was going on at that border. And this is the moment when, you know, police started looking for that network, and it all started with a found camera. And then there are, like, a dozen people, I guess. So, actually, it’s still happening.
Maciej Nowak [00:39:58]:
And what they get, they get, you know, the number of trains, what’s on the trains, and so on. So I was surprised that this is the old school way. Right? And there were arsons in Poland as well, and this was also connected with Russia, that there were, like, two guys sending, you know, plants or, like, holes. That’s like, wow. But I guess, you know, we are not hearing about this until we hear, and then we are shocked. And then we are shocked, and then we are accepting this. Okay. This is how things are going.
Maciej Nowak [00:40:37]:
You don’t know how they are going until you do, and then you’re surprised for the first time. Like...
Oliver Sild [00:40:43]:
Yeah. Even before the Ukrainian war, people were thinking that, oh, there’s not gonna be this kind of war anymore where there are guns and stuff. I remember so well, everyone was like, oh, yeah, this is not going to happen in Europe anymore. The next war is going to be just robots fighting each other. You know, it felt like such a barbaric thing from the old days that people would actually go onto a field to basically shoot each other. Right?
Maciej Nowak [00:41:10]:
Especially if we are from a bit of a tech space. Right? So, like, our bubble said so. And to know the bubble that initiated this is to try a different bubble. So we, like...
Oliver Sild [00:41:25]:
So the thing is, things that work don’t change until they don’t work anymore. And for that reason as well, if we look into the crime on the Internet, a lot of it is powered by social engineering. You know, it’s way easier to hack the person behind the keyboard than to hack the computer. So, yeah, the majority of large scale hacking, one of the most important parts of that is actually social engineering, where someone is convincing an internal employee to, I don’t know, give a two-factor authentication code, or basically do something that they should not be doing, or just straight up scam them and do things like that, and then they gain unauthorized access. In most of the cases, social engineering is part of every single large scale hacking incident that you hear about in the media. It’s just so much easier to hack people compared to hacking computers.
Maciej Nowak [00:42:28]:
Yeah. That’s why I was asking about that boundary, because I have a feeling that this is where you have to be extra secure. There is a reason banks are sending out information every week that they are not asking for passports. And, yeah, there must be a reason for that.
Oliver Sild [00:42:46]:
There is a strong reason for that. With AI, this is one very specific thing. One thing that AI does really well is the fact that it is mimicking human speech, the voice, the text. You can basically make any kind of text look very truthful. So the problem, and an interesting statistic that I was looking into, is... I don’t remember where the source was. I need to find it. But there was basically a study made on who are the most prone to get scammed online. And you would all think it’s, you know, grandmas and things like that.
Oliver Sild [00:43:28]:
But it’s actually Gen Z, the youngest generation that we have that is basically online. They are the most vulnerable to getting scammed, because the older generation doesn’t use computers as much. Right? Our grandmothers are not surfing the web every single day and clicking every banner that they see and going through, I don’t know, weird forms and stuff like that. But the younger generation, they do have that access, and they are also very much vulnerable to basically getting convinced into doing different things. So this was quite surprising to me, that in many cases people are focusing a lot on the elderly people or the older generations, that, oh, they need to be helped with it, because they’re vulnerable and so forth. But, actually, it’s the other way around. It’s actually the youngest that are the most vulnerable.
Maciej Nowak [00:44:20]:
Yeah. And because they are young, they didn’t hit any big problems yet. They are not...
Oliver Sild [00:44:28]:
They are naive.
Maciej Nowak [00:44:29]:
Yeah. Exactly. Yeah.
Oliver Sild [00:44:31]:
Yeah. They’re naive. They believe everything that they’re being told, and they basically just... and they have the technical skills to go through the entire process of getting scammed, basically. Exactly. With older people, it’s like, oh, I don’t know. What should I do? And then, you know, they hang up the phone, or they’re like, oh, I don’t know this computer stuff. One of the things that does not get old people scammed right now is the fact that they can’t use the computers properly. Right? So it’s in a way a good thing as well.
Oliver Sild [00:45:05]:
But, yeah, with this youngest generation, they know exactly what to do on the computer. They have all the skills to do it, but they are naive and they are very easy to trick. So that’s why they are a target.
Maciej Nowak [00:45:18]:
Yeah. Yeah. Alright. So let’s move to the cyber security act. And, for our listeners, can you give us a short, brief intro, like, high level? What’s that? When is it coming? Should we care? Shouldn’t we care?
Oliver Sild [00:45:34]:
So, yeah, in March... so it’s been already circulating in the European Commission for a long time. The reason why I know about this is because Patchstack is actually... our R&D has been funded by the European Union for the past two years. So the European Union actually basically funded our project and data development side of things. That’s why we’ve been able to build a lot recently, or, like, in the past two years. But because of that, we also have a lot of visibility into what is happening in the EU. We have the ability to have our say there and things like that. So, but yeah. It’s called the Cyber Resilience Act, and it’s been there in the discussions for a long time.
Oliver Sild [00:46:23]:
And now in March this year, it was either late March or early April, the European Commission basically accepted the final resolutions, or, like, the main basic principles of that act. And now we are waiting for essentially the summer to be over, so we expect it to become an actual full-blown law by the end of this year. And what it means essentially is that it takes control over how software is being produced on the web. So it’s looking at open source software, but it’s also looking at closed source software and software that is in general being produced, developed, and basically shipped to the customers. So the easiest way to maybe give you a relatable understanding is when we bring that into WordPress. It covers everything, but I can just give you a little bit of insight into how it basically translates over into the WordPress ecosystem. So one of the things that it does is it makes a difference between what is, like, open source stewardship, which is basically where nobody owns the software, and hence nobody can be responsible.
Oliver Sild [00:47:42]:
Right? So that’s like, oh, someone’s hobby project just basically being built. So they kind of give those a lighter way of regulation. And then there is what the EU calls manufacturers. So these are those who build software and who have an actual team behind it, or there’s ownership over that project, or when there is any kind of commercial activity either linked to that specific software or linked to the entity owning that software. So, for example, you build a free plugin, completely free. It doesn’t have a paid version or anything. But if the owner of that plugin is your company that sells anything, does any kind of commercial activity, then you need to comply. And what it means to comply is essentially that it now requires plugin developers, or, like, software developers, to have proper communication about security issues to the customers.
Oliver Sild [00:48:49]:
So if there’s a security vulnerability fixed or found, you need to always communicate it back to your customers or to users. Then separately, if this vulnerability is also known to be exploited, you need to also separately notify your customers that not only is it vulnerable, but it’s also now known to be exploited in the wild. You need to separate security updates from the standard updates. So you can’t anymore just squeeze in the security fix with all the other stuff.
Maciej Nowak [00:49:22]:
Oh, nothing happened. This is just new functionalities. One functionality, 10 bugs.
Oliver Sild [00:49:27]:
Yeah. And then you can’t... in the WordPress ecosystem, a regular thing that has been happening is that they fix a security issue, but they don’t put it into the changelog or anything. They just silently fix it. It’s very common in the WordPress ecosystem. A lot of developers have silently fixed security issues.
Maciej Nowak [00:49:46]:
Can I dig into this? Why is this happening? Like, are they afraid to admit the mistakes or not? Yes. Okay. Maybe to not report, like, notify the hackers.
Oliver Sild [00:49:57]:
No. I mean, hackers will figure it out anyway. It’s also a little bit of a misconception, if we get back to it. It’s like hackers only find out about vulnerabilities in this kind of change of files, or, if you don’t let your users know about the vulnerabilities, then you’re protecting them or something. But the reality is that hackers always have that advantage. Even we have scripts in place that are scanning changelogs, or, like, not changelogs, right? But we basically monitor the entire SVN of WordPress, and we see when any updates have been released, then we look into what in the code has been released. Is there new sanitization added? Are there new nonce checks added? Are there some functions being changed? Are there comments added for security? Are there changelog entries added for security? All of this is being scanned all the time anyway.
Oliver Sild [00:50:50]:
So if you hide it, it’s most likely that you’re actually only hiding it from the users, because the hackers will find out about it. You know?
Maciej Nowak [00:50:58]:
Root data is there.
Oliver Sild [00:51:00]:
Yeah. Exactly. But, anyway, with the new law, it’s going to be illegal to do that. So you have to disclose every single security fix in the changelog. Additionally, as you know, communicate it to all of the users. Then you also need to have a vulnerability disclosure program, like an mVDP, or, like, Patchstack provides an mVDP. It’s a managed vulnerability disclosure program, where we basically set a security policy for a specific software, and then there is a process for how vulnerabilities need to be reported, and how the timeline looks, and all this kind of stuff. So you need to have, essentially, a security point of contact for your plugin.
Oliver Sild [00:51:46]:
Yeah. It can’t be just support. You know? Oh, we found a security issue, write to our support, and you never get a response from there. So you need to have a separate vulnerability disclosure program for your software. And then, yeah, there are a bunch of smaller things. Depending on the size of the project, you need to have regular security audits and things like that. So there’s a lot of stuff that needs to be unpacked, but I think this has an immensely positive impact on the WordPress ecosystem, because, first of all, WordPress.org needs to make this possible for the plugin developers to comply, but also plugin developers need to start complying, and they need to start putting more and more attention into security. So I think it makes the ecosystem a lot more open and transparent when it comes to security, but it also pushes the ecosystem to invest in security, which I think is great for all the end users as well, and everyone, the entire community, essentially.
Maciej Nowak [00:52:50]:
I’m thinking also that it will shake the leaves of the tree, so a lot of leaves will fall, with creators not wanting to spend time, spend money on being compliant. So all small players will be out or risk fines, probably, because this will probably be, you know, incentivized with fines. If you don’t do this, then there’s...
Oliver Sild [00:53:16]:
no fines. It was, like, either 2 or 4% of annual revenue. The thing...
Maciej Nowak [00:53:24]:
plugins, not a lot. Like, you know, if you’re making credits. Okay?
Oliver Sild [00:53:28]:
Yeah. It’s it’s it’s it’s like GDPR.
Maciej Nowak [00:53:31]:
Exactly. My next question.
Oliver Sild [00:53:33]:
Yeah. It’s like GDPR. So it’s either a percentage of your revenue or, like, €15,000,000.
Maciej Nowak [00:53:38]:
Mhmm.
Oliver Sild [00:53:39]:
So it’s like... Easy peasy. Yeah. So the fines are, I think, serious. Right? And we saw how GDPR was changing the market. We see on new products, we see how in some of the cases you can’t do business with companies who are not GDPR compliant. So I think what we’ll see happen now is that developers, especially professional developers from the agencies who are building websites, when they start choosing the stack that they want to use for building sites, they will essentially start asking, hey, is your plugin CRA compliant? If it’s not, then they can’t use it for their projects. So I think these are the things that are going to become regular day-to-day things.
Oliver Sild [00:54:24]:
And I think this is an opportunity for plugins, actually. The ones that get this compliance the fastest, these are the ones that can essentially already use that for their marketing and things like that. So, in fact, we are in the final testing phase of releasing a platform, a free tool, essentially, for plugin developers to make them compliant with the Cyber Resilience Act. So they can just go to patchstack.com and find this information. I think it’s called mVDP on our website. Let me check the menu.
Maciej Nowak [00:55:00]:
I like that idea, you know, business-wise, because...
Oliver Sild [00:55:02]:
Yes. It’s managed...
Maciej Nowak [00:55:03]:
...VDP. It resembles GDPR a lot, where the market was very much shaken, and two groups of people that benefited from this, three groups, like, immensely, are end users, which is 50/50, I would say, because you have to now click all of those windows. And this is one more window to close without reading. On the other hand, the company can’t sell your data, which is a wonderful thing. But then you still agree to all of those consents. So that’s why I’m saying it’s 50/50, because laziness prevails for the end customers. But then there are lawyers who were introducing a lot of, I don’t know, privacy policies. Those were the people who were on the forefront of these regulations, as with every law, and they were introducing this to the companies.
Maciej Nowak [00:56:05]:
And then companies from the tech space, which were enabling GDPR to be applied on a tech stack, like those cookie managers, all of those solutions. So those were the three groups. Now with the Cyber Resilience Act, you’re on that forefront. So you’ll be providing that tech to the plugin makers. At the same time, I’m thinking also it will be misapplied for many years, like, at least many months. People will have to learn about this. Again, lawyers will benefit from that, because they will have to translate law into technology. And they already know how to do this, trained on GDPR.
Maciej Nowak [00:56:55]:
They know how to talk with companies, and they know what to look for and how to train those companies. So I think this is, again, one more metaphor I heard somewhere, like, when COVID hit, I read on Twitter, I think. Someone said this crisis is too good to lose. You know what I mean? That this crisis is a moment of huge change, and we have to make it work for us, even though we struggle, I don’t know, financially or whatever. Well, however they struggle. Yeah. Too good a crisis to waste.
Maciej Nowak [00:57:31]:
I don’t know who said it.
Oliver Sild [00:57:33]:
Yeah. I mean, it’s true, because it’s the best time to build as well. Right? It’s the best time to build because you can see everything, how everything is changing. So building during that time is a very good period of time. It’s cheaper to build at that time, because it’s harder to find jobs during the crisis and things like that. So if you have the ability to be in build mode during the crisis, it’s the best. And then as soon as the crisis gets over, you have basically prepared everything for the post-crisis. You come out, and it’s easy to become a winner.
Oliver Sild [00:58:11]:
So that’s why, on the business side of things, currently on the market a lot of startups are struggling and things like that. And investors who have been investing into tech companies and things like that have also not been very actively investing, because they also want to see who are the cockroaches and who are the ones that are surviving, and then basically invest into those who come through this. So, yeah, it’s very interesting times right now. And I think, with the upcoming Cyber Resilience Act, there will be a lot of shifts happening in the entire open source ecosystem, because this is specifically going to affect a lot of the WordPress ecosystem, not only, but also Drupal, Joomla, Magento, Laravel, everything that is open source, everything is going to be affected, the entire NPM repository, packages, everything that you see that is a piece of software that is owned by someone who has any kind of commercial activity behind it, and who has even one user in the EU, then they need to be compliant.
Maciej Nowak [00:59:32]:
So yeah. Mhmm. And how does this apply to WordPress agencies, like Osom?
Oliver Sild [00:59:39]:
I think, for agencies, it’s just a question of how the Cyber Resilience Act is going to be enforced. I think this is a little bit early to say, but, I mean, if you, for example, want to build a website for an enterprise or a public sector company, right, then they might ask you, hey, can you basically show us the SBOM of your tech stack? Do you have visibility into what you’re building? They want to have the software bill of materials for the website that you are building for them. They want to see what it consists of. And when you don’t have that to hand over, then they are like, sorry. They can’t stay compliant, because they have no visibility into what is inside of the technology that they are using. Right? Because the website is exactly a technology that they use as, you know, a product of theirs or whatever.
Oliver Sild [01:00:36]:
Right? So, technologically speaking, it’s the same. So, yeah, I think agencies will just be forced. The forcing comes top-down, so they will basically be forced, like, hey, we can’t do business with you if you don’t have that visibility. And then agencies need that visibility, so they force it onto plugin developers to have that visibility. So I think this will become a full cycle in that sense.
Maciej Nowak [01:01:06]:
Mhmm. Yeah. I’m asking about the agencies because, you know, with WordPress, you are using core and then you are using plugins, but then you link them together and you de facto write your own code that you sell for profit. There is no contributing here. This is 100% for profit. So I guess agencies would be very much affected by these regulations.
Oliver Sild [01:01:33]:
Yeah. I mean, I think this is a good question, actually, but I think this comes down to how it’s going to be translated in the end, how it’s basically perceived, whether building a website will count as building software, or is it going to become something else?
Maciej Nowak [01:01:58]:
Like an integrator? Like, you are an integrator? Yeah. Okay.
Oliver Sild [01:02:02]:
Yeah. So the question is, are you building something new? I would say, yes, you are. Especially since in many of the cases websites do also get quite a significant amount of custom code. Because in the face of the law, we also need to understand that CSS is also code. So it’s not that you need to actually write code in a programming language. Whatever code you produce, whether it’s HTML or CSS as well, it’s still something that you produce. Right? So it will still get to it.
Oliver Sild [01:02:35]:
But I think this is a very interesting question. I think I need to also dive deeper into that myself as well. Because if it’s true that they are going to be seen as manufacturers, then this will affect all agencies massively.
Maciej Nowak [01:02:52]:
Yeah. And, also, your own company will be affected, because with releasing your platform, and, you know, Patchstack itself and then the new platform. I’m curious, do you see any similarities between the Cyber Resilience Act and security certifications like SOC 2 or ISO? No? Because they are, like, predecessors of pan-European law, I guess. Something like this.
Oliver Sild [01:03:24]:
I think SOC 2 and things like that will be something that people will use to say why they are compliant with the Cyber Resilience Act. Because it’s the same with GDPR. Companies are doing, like, the ISO certifications and SOC 2s and things like that, and then they basically use those to become GDPR compliant. So I think it’s going to be something like, you know, GDPR is on top of data security, and under that you have data privacy and data security. And under that, you have those different kinds of certifications with which you can prove that you are compliant. And then I think the same thing will happen with the Cyber Resilience Act, where you state your compliance with the Cyber Resilience Act and then you tell how. And one of the things is, you know, you do regular security audits.
Oliver Sild [01:04:26]:
You have, like, some processes in place, all kinds of things like that. So
Maciej Nowak [01:04:31]:
Mhmm. And, is your new platform that you’re developing to for for the plugin makers to be compliant with the upcoming regulations? I I I think, by the way, this is, I think, very good timing. You have a lot of time to to have it done well. There is one platform. I think it’s called Vanta with a V that is making, much more easier to be SOC 2 compliant, for example. So is it, like, should we think about your new product this way? Like, Vanta for, like, I don’t know, plugin makers who want to be CRA compliant or some like
Oliver Sild [01:05:09]:
So what what this platform actually looks like, it to be honest, like, we actually built it already before we knew that Cyber Resilience Act is getting passed. The reason why we built it is because Patchstack has this bug bounty program, and we get a lot of security reports about plugins coming in every single day. And we needed to find we needed a way how to build a better automation for getting those reports to the plugin developers. Because we have so many security researchers sending us information, and then we want this information to be sent directly to, the plugin devs that we needed to find a better way. And then we started to build a platform where, basically, those security researchers can log in, and then those, vulnerable, like, plugin developers can log in. And plugin developers have, like, dashboard where they see all the historic, you know, vulnerabilities affected by the of you know, vulnerabilities that have been found in their plugins, what is their statuses, how they become, like, recently exploited, all that kind of information, which just happens to be what CRA needs. So we, I think, are kind of, like, in luck as well that it just happened to be what, you know, the direction that the world is also moving and not just us. So, but, yeah, I mean, it’s, but it’s, like, all the features that we are adding there are quite literally helping plugin developers to become, CRA compliant.
Oliver Sild [01:06:33]:
So, we are currently in a process of updating our website about this as well. And and and fun fact, like, we’ve already been running this for 2 years, but in a closed way. And if you go to patchstack.com, like, you go to manage VDP, on the menu and then you see VDP directory, you can see there’s already 306 WordPress plugins that are actively using it, like, including Elementor, for example, and, you know, many of the largest plugins. So all their security reports are getting passed through our pros program. So they’re processed in the, you know, in the right way, all that kind of stuff. We control the disclosures of the vulnerabilities and things like that. So it’s this VDP that is required by the Cyber Resilience Act that we are basically providing to them. Mhmm.
Maciej Nowak [01:07:19]:
Nice. Yeah. I I thought this is specifically built for new regulations. I was unaware of that, you know, this running for for some time.
Oliver Sild [01:07:28]:
Yeah. It’s been running for a for a while now. It was, yeah, just it was built for our own automation, but then the regulation came and then we realized that this is actually what makes people compliant. So Mhmm.
Maciej Nowak [01:07:41]:
Alright. Yeah. And changing topic a little bit, I might then later come back to that, CRA still. Are you using a lot of AI to automate things or, you know, within the company?
Oliver Sild [01:07:56]:
Well, we have a completely separate AI team in inside of the company. So we do so we do a lot of the stuff for, like, we can’t yet talk about too much, but we basically are working on, on all of the data that we have and on like, we are in the Google AI and cybersecurity program, so we work together with Google on some of the projects. Hopefully, we are able to release some of like, first currently, we are working for, like, on those things for, like, internal tooling for automations, but we might actually open some of the stuff up in the future for, like, an like, an open like, a separate product or, like, some sort of, like, a separate tooling, more towards plugin developers again. So so yeah. Like, I mean, my my kind of, like, opinion about AI is that it makes sense to use AI or, like, I mean, it makes sense to build products with AI if you have a lot of proprietary data. If you don’t have a very proprietary data, clean data that is, like, unique to you, then, you know, it’s it’s not very defendable. It’s not where I would invest in my kind of, like, resources and time because it’s, yeah, like, if you’re if you just build a basically a ChatGPT wrapper or, like, an OpenAI wrapper, and then come up with a great, like, I don’t know, some sort of, like, a prompt, and then it will become, a popular product. And, you know, it’s a
Maciej Nowak [01:09:31]:
great short Google.
Oliver Sild [01:09:33]:
Yeah. It’s it’s, like, it’s a great short term gig, but it’s not something that is in any way, defendable, solution or there’s no innovation in it.
Maciej Nowak [01:09:43]:
Yeah. Yeah. But you are answering from the viewpoint of, building a new product on top of AI. I’m asking about, you know, that use of AI internally for making things faster, better, easier for you, you know, internally. Do you leverage AI in a way that is, you know, useful, you know, for you?
Oliver Sild [01:10:06]:
I think we don’t really. Like, we’ve automated so much stuff before that already that, we like, I think there is, like, some very small things that we do use it for, like, but these are more like experiments, I would say. Like, we have, like, AI based, summarization engine for, like, a change log monitors, like, that is basically trying like, if comp if plugins are making updates, it the AI is essentially trying to figure out, like, what this update is doing. So we use that for basically picking up, like, more, edge case scenarios for when plugins have released the security fix, but they didn’t disclose it. So we try to kind of, like, figure out, like, based on that.
Maciej Nowak [01:10:54]:
Like, if the change log matches the, code, changes, for example?
Oliver Sild [01:10:58]:
Like, yeah, it basically reads through the change log and does some other stuff. So it basically makes a summarization whether it thinks there could be a security fix hidden in there or not. So but, I mean, these are, like, a small experiment still. But, yeah, for the other stuff, we don’t really use a lot of it. It haven’t made a Our problem with AI, I think, is that we have such a small margin of error that it’s very hard for us to basically, like, use it in a in this kind of, like, a trusted or, like, on a scale. Right? We can’t trust it really. And, that is one of the reasons why we haven’t really, like, relied on that too much.
Maciej Nowak [01:11:38]:
One more question. I I, I think there is some exciting news coming from for for for Patchstack as as a company. Would you would would you like to talk a little bit more about that?
Oliver Sild [01:11:49]:
So, yeah, like, we just closed the 5,000,000 USD funding round for Patchstack, to ASP. The I think it’s quite significant round in the WordPress ecosystem. I think there’s not that often, like, a very strongly VC funded companies in the ecosystem. So, we’ve decided to go this way because all of the things that I’m talking right now, like the Cyber Resilience Act, there’s a lot of momentum going on. We want to make sure that we are able to build the product as fast as it’s needed. And, also, our goal is to kind of, like, make this like, build what we build for, the entire open source ecosystem, not only WordPress. We feel that we have the capability of doing that. So, all it needs is essentially, resources.
Oliver Sild [01:12:42]:
So we want to yeah. Like, we feel like it is the time for us, so we want to go very hard on that. But, yeah, we got our lead investor is Karma VC, which is a very known deep tech investor, and then also a German cybersecurity, investor called Chibasti. And then maybe, something that more people are more aware of than we also onboarded Yoast founders as our, like, like, a very small angel investors into the rounds. And Yoast is going to also be directly in the board of Patchstack, so he would be helping us very hands on to basically navigate, better way into the WordPress ecosystem as well.
Maciej Nowak [01:13:24]:
I think this is great. I think this is great. And when when you said that, I’m not surprised, like, but but but, yeah, I think this is great.
Oliver Sild [01:13:34]:
Yeah. Yeah. Yoast is a great guy and, like, we’ve been in touch with him for a while. Been talking he was also one of the guys who was actually helping me to get the attention on the fact that WordPress core isn’t properly showing that the plugins are getting abandoned. So he’s always been kind of, like, supportive in terms of, like, those maybe, like, hard topics, I would say, and bringing them in front of attention when they when it’s needed. So when we when we closed this round, our round was very much oversubscribed, actually. So we had to make a lot of decisions of who are the investors we even let in. And Yoast was Yoast was the literally the only angel that we actually let into the round.
Oliver Sild [01:14:18]:
We actually refused every other one. So it was very strategic and, like, there was a just a such a natural fit with him, to have him first off as an investor, but then we also invited him to be actually in the Patchstack board as well. So, yeah, it’s we are very excited about that. And and, yeah, like, now we can start building very fast, and I’m looking forward to see, like, what we are able to basically, where we would get in the next 2 years, essentially, which is so we have some very, very big goals, in our heads.
Maciej Nowak [01:14:54]:
Mhmm. Can you share them? You know, to the extent you can. Like, what’s, like, what’s on the radar?
Oliver Sild [01:15:01]:
So I think I’ve already mentioned some of the stuff, but, obviously, like, one of the thing is that we are working with Google on AI. The other thing is that we are working on the Cyber Resilience Act, like, everything around Cyber Resilience Act to help, you know, plugin developers, regular developers, agencies, hosting companies, everyone who are already using Patchstack to become compliant, and then expanding outside of WordPress, essentially, to do this all not only for WordPress, but also for other popular content management systems, PHP in general, Laravel, and, you know, over time also expand to Node.js and, and because they all have exactly the same problems. And we’ve already solved not solved it, but, like, we’ve already provided, like, a very, very good solution for WordPress, which by volume is the most hardest, actually. So, yeah, we we believe, like, we can we have everything in in that that that we need right now to basically go there and do it. So Mhmm.
Maciej Nowak [01:16:04]:
Is there a similar market for other technologies as it is for WordPress where you buy plugins to like, yeah, for for for e-shops like Magento, for sure. But, though are, like, I know Node.js, is that market similar to to WordPress?
Oliver Sild [01:16:19]:
Complete the the market is completely different, but the way how it behaves internally in terms of, like, you know, you install basically libraries. Like, you they’re they don’t call it plugins, but they still call it libraries, and they have the exact same thing. They need to maintain the libraries. They need to figure out if their libraries are secure or not. They need to update their applications with the updated libraries. It’s all the same kind of, like, from the technological point of view. It’s all the same thing, but the economy behind it is a bit different.
Maciej Nowak [01:16:50]:
Mhmm. Alright. Yeah. I’m, like, I’m excited, especially, you know, with that, CRA coming. You have your own product for that specific purpose, then you have funding for, building that product further, to meet the, like, I’m thinking Vanta for plug in makers. Like, really, it’s it’s, I’m I’m excited, Really. I will pay attention to to yeah. I will pay attention to what you are building.
Oliver Sild [01:17:16]:
That’s great to hear. Yeah. We hope to get it released within a month at least. So it’s going to be available for everyone who has a plugin, and it’s completely free, so everyone can just use it.
Maciej Nowak [01:17:30]:
Alright. Alright. Thank you very much, Oliver, for the for the conversation. The there were, like, there were tones that were a little bit sad for, like, security perspective, you know, state of things not in a best of shapes. But then, I have a feeling there is also, something good coming out of it, you know, products like yours, but also maybe more, awareness for everyone, not only for end customers who are trying, like people are trying to make them aware of of of things, but also plug in makers and and, people from the space, actually. So interesting times coming, in that, cybersecurity space. Thank you very much for conversation.
Oliver Sild [01:18:15]:
Thanks. Yeah. Happy to be here, and thanks for inviting me.
Podcast Co-host [01:18:18]:
If you like what you’ve just heard, don’t forget to subscribe for more episodes. On the other hand, if you’ve got a question we haven’t answered yet, feel free to reach out to us directly. Just go to osomstudio.com/contact. Thanks for listening, and see you in the next episode of the Osom to Know podcast.