Eng. Davide Ariu (Pluribus One): "We need excellent software engineers"

(To Alessandro Rugolo)

As usual, we continue the series of interviews with Italian companies that operate in the world of cyber and more generally of new technologies, protagonists in the Italian scenario. Today we interview engineer Davide Ariu, co-founder of the company Pluribus One.

Before talking about cyber security and Artificial Intelligence, can you briefly tell us about yourself, your role in Pluribus One and the company you represent?

I would start from Pluribus One, a company that I helped found and that I have been leading for a few years. It was born as a technology company, with the intention of bringing solutions for the security of applications and Web services to the market starting from Italy. The company does this starting from a solid technological background, considering that it was born as a spin- off of the University of Cagliari, from which both I and the other founding members come.

Although the context in which we operate is not that of research but a business context where the objective is evidently to offer solutions to our customers, in building the company we decided to do so while maintaining that spirit of researchers that leads us to go at the root of the problems. We have set ourselves the goal of building a value offering based on commercial solutions entirely developed by us. In this case, the area in which we operate is that of the security of applications and Web services, where we have developed a solution that allows the end-to-end management of application vulnerabilities: from discovery to mitigation.

A few days ago I read an article that talked about Adversarial Machine Learning and the challenges that arise for companies dealing with Artificial Intelligence. Can you explain to us in simple words what this means?

In itself, the definition of Adversarial Machine Learning or more generically Adversarial AI is simple and describes the set of techniques that have the aim of invalidating and subverting the behavior of AI and Machine Learning algorithms, with the ultimate intent of compromising the normal functioning of objects and solutions that use them. This result is achieved by providing the algorithms with deliberately hostile inputs (hence the adjective adversarial) constructed taking into account factors such as the type of algorithms to be attacked, the moment in which the attack can be carried out and the intent behind the attack. attack is intended to be prosecuted.

Two of the most classic examples are, on the one hand, attacks that push systems to make an incorrect decision and on the other, those that aim to undermine the learning process during which algorithms learn from data, also known as the learning phase ( or learning or training). There has been a lot of talk about the former and continues to be talked about, for example in relation to self-driving vehicles: online there are numerous examples of self-driving cars whose control system has been deceived by modifying the road signs with duly positioned stickers. Of the latter we could provide an example in the malware detection field, assuming we have an algorithm designed to recognize malware. If the attacker had the possibility of manipulating malware samples to the point of hiding or modifying some of the characteristics that distinguish their malicious behavior and then ensuring that these samples were processed during the learning phase, those same samples would be processed during the classification phase. samples or other equivalents would not be recognized as such, thus evading the algorithm.

It should be noted that the existence of these problems does not represent an absolute novelty, at least for the world of research, which began to ask itself and address them about 20 years ago, albeit not on such a widespread scale as has happened in the last 5-6 years. years. In which, among other things, the perspective of using AI in real and large-scale contexts has radically changed, an aspect which evidently places us directly in front of the possible consequences and raises a pressing need to manage them.

Pluribus One has been dealing with the application of Artificial Intelligence research in the field of cyber security for years. This is an application field in which we must always be attentive to new studies. What are your company's relationships with the world of research?

I have always maintained and continue to do so today more than ever that cyber is one of the sectors where the boundary between research, even at the highest level, and industry is more blurred. Because applied research that thrives on data can often take place only thanks to real data which academia most of the time does not have and which industry instead naturally collects in order to conduct its business. And vice versa, the cyber industry cannot remain on the market in the long term unless it updates and innovates and therefore continuously draws from the world of research.

I have 15 years of upstream university research behind me and, strong in this belief, I have always wanted research and development to be one of the key activities for Pluribus One. Within the company we carry out a lot of research and development within European research projects, within which we have the possibility of making our solutions grow and mature by comparing ourselves in an international context made up of dozens and dozens of partners from all of Europe, from Portugal to Romania. It means working jointly with the university to also address and solve the practical problems of our customers. Problems on which we have carried out in the past - and continue to carry out today - both research activities, which when possible we publish in international contexts, and the engineering and development part to bring the resulting improvements on board our solutions. We want to demonstrate that it is also feasible in Italy and, albeit with due proportions, not only within the global IT giants.

To achieve this objective, the company has always invested significant resources and has a continuous exchange of staff with the university world. To the point that from this 2023 it will also finance a three-year doctoral scholarship at the University of Cagliari.

What do you think of the need for the dissemination of knowledge in the field of Artificial Intelligence and Cyber ​​security? What are you doing to increase the dissemination of knowledge in this sector? What is the situation in Italy?

I think it is a fundamental activity in the digital transformation process of our society. AI and digital technologies more generally offer us extraordinary opportunities. But they can project our lives at least in part towards scenarios that at best we have not experienced up to now, and which at worst we have serious difficulty imagining due to developments and possible implications, also but not only, from a cyber profile. To prevent us as a society from walking towards the unknown, it is therefore important that these issues find more and more space in mass communication, considering the possible social impacts and given that they concern us all in some way. In recent years, things have already changed: I would never have thought, not even five years ago, of hearing about Cyber ​​security during the evening news. Fortunately it happens now, and it is certainly a good thing.

But I launch a provocation. I believe it would be appropriate to think at an institutional level about a mass literacy campaign on these issues, a bit like what was done in the post-war period to spread basic training. It would be a common sense action, considering the pace at which these technologies are developed and take hold, which is not very human-like.

For our part, perhaps also a little by background, we have always preferred a non-commercial communication in favor of one oriented towards the diffusion of skills: at a time when we are the target of communication and marketing campaigns of all kinds, we believe that the best way to reaching people is to bring value and know-how.

For this reason, for example, during 2023 we created our own information format, which we called Cyber ​​Journey (https://cyberjourney.it/). It is an in-person event that we conceived as a form of journey through the themes of the cyber panorama, which has a pure dissemination objective and within which we allowed the public of Cagliari, free of charge, to get to know and interact with speakers who represent the international frontier of cyber research and industry. In the two 2023 editions we had speakers from ENISA, MICROSOFT, SAP, TRELLIX, CHECKMARX and from some of the most prestigious European universities, such as Carlos III in Madrid and the University of Amsterdam.

At the same time we have also launched an online community, "Unboxed AppSec", where we tackle application security issues on a weekly basis, trying to make them accessible. It is an online container, which I have undertaken to personally feed with articles and posts ranging from the world of research to the description of the frameworks and work tools that we use on a daily basis to guarantee software security.

In a company like yours I imagine it is necessary to always have new people with whom to develop new projects. Is it difficult to find trained staff? What do you do to keep him with you?

A company like ours lives on know-how and therefore people are one of the fundamental cornerstones on which the company is based. Think about what it means to bring, as we do in the case of our Seer Box (http://seerbox.it), a cybersecurity solution on the market.

We need excellent software engineers to ensure that our solution is efficient and scalable, can be installed with equal efficiency and indifferently in a variety of environments, from the most traditional on-premise to modern container-based cloud-native. We need offensive security skills to understand how the web applications and APIs that we will have to protect with Seer Box can be attacked. And on the opposite front we need data science, data analytics & machine learning, and defensive security skills to quickly and efficiently store, analyze and process the data useful for detecting and blocking attacks. To this we add the fact that we propose a solution that customers must install at home, and being a cybersecurity product, it is the first object of evaluation and scrutiny by our customers before they decide to install it in their infrastructure. It follows that we must pay maximum attention to the aspects of Quality Assurance, Testing, and DevSecOps.

Finally, considering that the solution must be easily accessible and usable, and also allow technical personnel who do not have specific training in Web security to operate, we must pay maximum attention to all aspects of User-Interface, User-Experience and presentation of the outputs.

The starting standard for our technical team is therefore very high and it is not easy to find ready figures on the market, especially in an Italian market where companies that develop software are not very oriented towards creating "off the shelf" solutions and even those that maintain of their solutions are very often in the SaaS world, which is completely different from ours.

But I could repeat the same thing for all the skills related to European R&D projects.

Therefore, if during the selection processes we always look for profiles that can bring complementary experiences and know-how to our own, on the other hand we try to encourage the growth of people as much as possible, and guarantee the highest quality of the working environment. Work.

We have foreseen that 10% of the weekly working time must be allocated to study activities, we carry out training at least bi-weekly on soft-skills, and we have an HR management that would be obsessive even in companies much larger than ours.

This is because as I always tell people on our team: “We want you to stay with us as long as possible. But in the meantime we want you to be able to train and grow so that if you decide to leave Pluribus One tomorrow morning you will have no problem finding an even larger and more prestigious company that can welcome you." Of course I always hope it doesn't happen.

Finally, what are Pluribus One's plans for 2024?

They are many and ambitious, but I will try to name three.

We'll get started early this year by making a free, public version of our Seer Box solution available. We want to give everyone the opportunity to easily try it, learn about it and use it to protect their applications and web services. We strongly believe in the quality of the work we have done over all these years and we want it to be appreciated.

A €4M European project will then come to life, the APPTake project, which sees us at the head of a consortium of 14 companies from 7 different countries and which has the aim of growing solutions made in Europe for DevSecOps. Given the role of coordinators that we have, it is a project that places us before an important responsibility and will open us up to the stage of the European market. So a huge opportunity.

And then in 2024 we will repeat our Cyber ​​Journey event with an even more ambitious formula.

The readers of Difesa Online are now all invited to Cagliari in June.