(energetic music plays) >> Lisa: Hey everyone, we're so glad you're here with us. theCUBE is covering Cloud Native Security Con 23. Lisa Martin here with John Furrier. This is our second day of coverage of the event. We've had some great conversations with a lot of intellectual, exciting folks, as you know cuz you've been watching. John and I are very pleased to welcome back one of our alumni to theCUBE Taylor Dolezal joins us the head of ecosystem at CNCF. Taylor, welcome back to theCUBE. Great to see you. >> Taylor: Hey everybody, great to see you again. >> Lisa: So you are on the ground in Seattle. We're jealous. We've got fomo as John would say. Talk to us about, this is a inaugural event. We were watching Priyanka keynote yesterday. Seemed like a lot of folks there, 72 sessions a lot of content, a lot of discussions. What's the buzz, what's the reception of this inaugural event from your perspective? >> Taylor: So it's been really fantastic. I think the number one thing that has come out of this conference so far is that it's a wonderful chance to come together and for people to see one another. It's, it's been a long time that we've kind of had that opportunity to be able to interact with folks or you know, it's just a couple months since last Cube Con. But this is truly a different vibe and it's nice to have that focus on security. We're seeing a lot of folks within different organizations work through different problems and then finally have a vendor neutral space in which to talk about all of those contexts and really raise everybody up with all this new knowledge and new talking points, topics, and different facets of knowledge. >> John: Taylor, we were joking on our yesterday's summary of the keynotes, Dave Vellante and I, and the guests, Lisa and I, about the CNCF having an event operating system, you know, very decoupled highly cohesive events, strung together beautifully through the Linux Foundation, you know, kind of tongue in cheek but it was kind of fun to play on words because it's a very technical community. But the business model of, of hackers is booming. The reality of businesses booming and Cloud Native is the preferred developer environment for the future application. So the emphasis, it's very clear that this is a good move to do and targeting the community around security's a solid move. Amazon's done it with reinforce and reinvent. We see that Nice segmentation. What's the goal? Because this is really where it connects to Cube Con and Cloud Native Con as well because this shift left there too. But here it's very much about hardcore Cloud Native security. What's your positioning on this? Am I getting it right or is there is that how you guys see it? >> Taylor: Yeah, so, so that's what we've see that's what we were talking about as well as we were thinking on breaking this event out. So originally this event was a co-located event during the Cube Con windows in both Europe and North America. And then it just was so consistently popular clearly a topic that people wanted to talk, which is good that people want to talk of security. And so when we saw this massive continued kind of engagement, we wanted to break this off into its own conference. When we were going through that process internally, like you had mentioned the events team is just phenomenal to work with and they, I love how easy that they make it for us to be able to do these kinds of events too though we wanted to talk through how we differentiate this event from others and really what's changed for us and kind of how we see this space is that we didn't really see any developer-centric open source kinds of conferences. Ones that were really favoring of the developer and focus on APIs and ways in which to implement these things across all of your workloads within your organization. So that's truly what we're looking to go for here during these, all of these sessions. And that's how it's been playing out so far which has been really great to see. >> John: Taylor, I want to ask you on the ecosystem obviously the built-in ecosystem at CNCF.IO with Cube Cons Cloud Cons there, this is a new ecosystem opportunity to add more people that are security focused. Is their new entrance coming into the fold and what's been the reaction? >> Taylor: So short answer is yes we've seen a huge uptick across our vendor members and those are people that are creating Cloud offerings and selling those and working with others to implement them as well as our end users. So people consuming Cloud Native projects and using them to power core parts of their business. We have gotten a lot of data from groups like IBM and security, IBM security and put 'em on institute. They gave us a cost of data breach report that Priyanka mentioned and talked about 43% of those organizations haven't started or in the early stages of updating security practices of their cloud environments and then here on the ground, you know, talking through some best practices and really sharing those out as well. So it's, I've gotten to hear pieces and parts of different conversations and and I'm certain we'll hear more about those soon but it's just really been great to, to hear everybody with that main focus of, hey, there's more that we can do within the security space and you know, let's let's help one another out on that front just because it is such a vast landscape especially in the security space. >> Lisa: It's a huge landscape. And to your point earlier, Taylor it's everyone has the feeling that it's just so great to be back together again getting folks out of the silos that they've been operating in for such a long time. But I'd love to get some of your, whatever you can share in terms of some of the Cloud Native security projects that you've heard about over the last day or so. Anything exciting that you think is really demonstrating the value already and this inaugural event? >> Taylor: Yes, so I I've been really excited to hear a lot of, personally I've really liked the talks around EBPF. There are a whole bunch of projects utilizing that as far as runtime security goes and actually getting visibility into your workloads and being able to see things that you do expect and things that you don't expect and how to remediate those. And then I keep hearing a lot of talks about open policy agents and projects like Caverno around you know, how do we actually automate different policies or within regulated industries, how do we actually start to solve those problems? So I've heard even more around CNCF projects and other contexts that have come up but truly most of them have been around the telemetry space EBPF and, and quite a few others. So really great to, to see all those projects choosing something to bind to and making it that much more accessible for folks to implement or build on top of as well. >> John: I love the reference you guys had just the ChatGPT that was mentioned in the keynote yesterday and also the reference to Dan Kaminsky who was mentioned on the reference to DNS and Bind, lot of root level security going on. It seems like this is like a Tiger team event where all the top alpha security gurus come together, Priyanka said, experts bottoms up, developer first practitioners, that's the vibe. Is that kind of how you guys want it to be more practitioners hardcore? >> Taylor: Absolutely, absolutely. I think that when it comes to security, we really want to help. It's definitely a grassroots movement. It's great to have the people that have such a deep understanding of certain security, just bits of knowledge really when it comes to EBPF. You know, we have high surveillance here that we're talking things through. Falco is here with Sysdig and so it it's great to have all of these people here, though I have seen a good spread of folks that are, you know, most people have started their security journey but they're not where they want to be. And so people that are starting at a 2 0 1, 3 0 1, 4 0 1 level of understanding definitely seeing a good spread of knowledge on that front. But it's really, it's been great to have folks from all varying experiences, but then to have the expertise of the folks that are writing these specifications and pushing the boundaries of what's possible with security to to ensure that we're all okay and updated on that front too, I think was most notable yesterday. Like you had said >> Lisa: Sorry Taylor, when we think of security, again this is an issue that, that organizations in every industry face, nobody is immune to this. We can talk about the value in it for the hackers in terms of ransomware alone for example. But you mentioned a stat that there's a good amount of organizations that are really either early in their security journeys or haven't started yet which kind of sounds a bit scary given the landscape and how much has changed in the last couple of years. But it sounds like on the good news front it isn't too late for organizations. Talk a little bit about some of the recommendations and best practices for those organizations who are behind the curve knowing that the next attack is going to happen. >> Taylor: Absolutely. So fantastic question. I think that when it comes to understanding the fact that people need to implement security and abide by best practices, it's like I I'm sure that many of us can agree on that front, you know, hopefully all of us. But when it comes to actually implementing that, that's I agree with you completely. That's where it's really difficult to find where where do I start, where do I actually look at? And there are a couple of answers on that front. So within the CNTF ecosystem we have a technical action group security, so tag security and they have a whole bunch of working groups that cover different facets of the Cloud Native experience. So if you, for example, are concerned about runtime security or application delivery concerns within there, those are some really good places to find people knowledgeable about, that even when the conference isn't going on to get a sense of what's going on. And then TAG security has also published recently version two of their security report which is free accessible online. They can actually look through that, see what some of the recent topics are and points of focus and of interest are within our community. There are also other organizations like Open SSF which is taking a deeper dive into security. You know, initially kind of having a little bit more of an academic focus on that space and then now getting further into things around software bill materials or SBOMs supply chain security and other topics as well. >> John: Well we love you guys doing this. We think it's very big deal. We think it's important. We're starting to see events post COVID take a certain formation, you know joking aside about the event operating systems smaller events are happening, but they're tied together. And so this is key. And of course the critical need is our businesses are under siege with threats, ransomware, security challenges, that's IT moves to Cloud Native, not everyone's moved over yet. So that's in progress. So there's a huge business imperative and the hackers have a business model. So this isn't like pie in the sky, this is urgent. So, that being said, how do you see this developing from who should attend the next one or who are you looking for to be involved to get input from you guys are open arms and very diverse and great great culture there, but who are you looking for? What's the makeup persona that you hope to attract and nurture and grow? >> Taylor: Absolutely. I, think that when it comes to trying the folks that we're looking for the correct answer is it varies you know, from, you know, you're asking Priyanka or our executive director or Chris Aniszczyk our CTO, I work mostly with the end users, so for me personally I really want to see folks that are operating within our ecosystem and actually pulling these down, these projects down and using them and sharing those stories. Because there are people creating these projects and contributing to them might not always have an idea of how they're used or how they can be exploited too. A lot of these groups that I work with like Mercedes or Intuit for example, they're out there in the world using these, these projects and getting a sense for, you know, what can come up. And by sharing that knowledge I think that's what's most important across the board. So really looking for those stories to be told and novel ways in which people are trying to exploit security and attacking the supply chain, or building applications, or just things we haven't thought about. So truly that that developer archetype is really helpful to have the consumers, the end users, the folks that are actually using these. And then, yeah, and I'm truly anywhere knowledgeable about security or that wants to learn more >> John: Super important, we're here to help you scale those stories up whatever you need, send them our way. We're looking forward to getting those. This is a super important movement getting the end users who are on the front lines bringing it back into the open, building, more software, making it secure and verified, all super important. We really appreciate the mission you guys are on and again we're here to help. So send those stories our way. >> Taylor: Cool, cool. We couldn't do it without you. Yeah, just everyone contributing, everyone sharing the news. This is it's people, people is the is the true operating system of our ecosystem. So really great to, really great to share. >> Lisa: That's such a great point Taylor. It is all about people. You talked about this event having a different vibe. I wanted to learn a little bit more about that as we, as we wrap up because there's so much cultural change that's required for organizations to evolve their security practices. And so people of course are at the center of culture. Talk a little bit about why that vibe is different and do you think that yeah, it's finally time. Everyone's getting on the same page here we're understanding, we're learning from each other. >> Taylor: Yes. So, so to kind of answer that, I think it's really a focus on, there's this term shift left and shift right. And talking about where do we actually put security in the mix as it comes to people adopting this and and figuring out where things go. And if you keep shifting at left, that meaning that the developers should care more deeply about this and a deeper understanding of all of these, you know, even if it's, even if they don't understand how to put it together, maybe understand a little bit about it or how these topics and, and facets of knowledge work. But you know, like with anything, if you shift everything off to one side or the other that's also not going to be efficient. You know, you want a steady stream of knowledge flowing throughout your whole organization. So I think that that's been something that has been a really interesting topic and, and hearing people kind of navigate and try to get through, especially groups that have had, you know, deployed an app and it's going to be around for 40 years as well. So I think that those are some really interesting and unique areas of focus that I've come up on the floor and then in a couple of the sessions here >> Lisa: There's got to be that, that balance there. Last question as we wrap the last 30 seconds or so what are you excited about given the success and the momentum of day one? What excites you about what's ahead for us on day two? >> Taylor: So on day two, I'm really, it's, there's just so many sessions. I think that it was very difficult for me to, you know pick which one I was actually going to go see. There are a lot of favorites that I had kind of doubled up at each of the time so I'm honestly going to be in a lot of the sessions today. So really excited about that. Supply chain security is definitely one that's close to my heart as well but I'm really curious to see what new topics, concepts or novel ideas people have to kind of exploit things. Like one for example is a package is out there it's called Browser Test but somebody came up with one called Bowser Test. Just a very simple misname and then when you go and run that it does a fake kind of like, hey you've been exploited and just even these incorrect name attacks. That's something that is really close and dear to me as well. Kind of hearing about all these wild things people wouldn't think about in terms of exploitation. So really, really excited to hear more stories on that front and better protect myself both at home and within the Cloud Community as I stand these things up. >> Lisa: Absolutely you need to clone yourself so that you can, there's so many different sessions. There needs to be multiple versions of Taylor that you can attend and then you can all get together and talk about and learn. But that's actually a really good problem to have as we mentioned when we started 72 sessions yesterday and today. Lots of great content. Taylor, we thank you for your participation. We thank you for bringing the vibe and the buzz of the event to us and we look forward as well to hearing and seeing what day two brings us today. Thank you so much for your time Taylor. >> Taylor: Thank you for having me. >> John: All right >> Lisa: Right, for our guest and John Furrier, I'm Lisa Martin. You're watching theCube's Day two coverage of Cloud Native Security Con 23. (energetic music plays)

>> Announcer: From around the globe, it's the queue with digital coverage of DockerCon live 2020. Brought to you by Docker and its ecosystem partners. >> Welcome, welcome, welcome to DockerCon 2020. We got over 50,000 people registered so there's clearly a ton of interest in the world of Docker and Eddie's as I like to call it. And we've assembled a power panel of Open Source and cloud native experts to talk about where things stand in 2020 and where we're headed. I'm Shawn Conley, I'll be the moderator for today's panel. I'm also a proud alum of JBoss, Red Hat, SpringSource, VMware and Hortonworks and I'm broadcasting from my hometown of Philly. Our panelists include; Michelle Noorali, Senior Software Engineer at Microsoft, joining us from Atlanta, Georgia. We have Kelsey Hightower, Principal developer advocate at Google Cloud, joining us from Washington State and we have Chris Aniszczyk, CTO CIO at the CNCF, joining us from Austin, Texas. So I think we have the country pretty well covered. Thank you all for spending time with us on this power panel. Chris, I'm going to start with you, let's dive right in. You've been in the middle of the Docker netease wave since the beginning with a clear focus on building a better world through open collaboration. What are your thoughts on how the Open Source landscape has evolved over the past few years? Where are we in 2020? And where are we headed from both community and a tech perspective? Just curious to get things sized up? >> Sure, when CNCF started about roughly four, over four years ago, the technology mostly focused on just the things around Kubernetes, monitoring communities with technology like Prometheus, and I think in 2020 and the future, we definitely want to move up the stack. So there's a lot of tools being built on the periphery now. So there's a lot of tools that handle running different types of workloads on Kubernetes. So things like Uvert and Shay runs VMs on Kubernetes, which is crazy, not just containers. You have folks that, Microsoft experimenting with a project called Kruslet which is trying to run web assembly workloads natively on Kubernetes. So I think what we've seen now is more and more tools built around the periphery, while the core of Kubernetes has stabilized. So different technologies and spaces such as security and different ways to run different types of workloads. And at least that's kind of what I've seen. >> So do you have a fair amount of vendors as well as end users still submitting in projects in, is there still a pretty high volume? >> Yeah, we have 48 total projects in CNCF right now and Michelle could speak a little bit more to this being on the DOC, the pipeline for new projects is quite extensive and it covers all sorts of spaces from two service meshes to security projects and so on. So it's ever so expanding and filling in gaps in that cloud native landscape that we have. >> Awesome. Michelle, Let's head to you. But before we actually dive in, let's talk a little glory days. A rumor has it that you are the Fifth Grade Kickball Championship team captain. (Michelle laughs) Are the rumors true? >> They are, my speech at the end of the year was the first talk I ever gave. But yeah, it was really fun. I wasn't captain 'cause I wasn't really great at anything else apart from constantly cheer on the team. >> A little better than my eighth grade Spelling Champ Award so I think I'd rather have the kickball. But you've definitely, spent a lot of time leading an Open Source, you've been across many projects for many years. So how does the art and science of collaboration, inclusivity and teamwork vary? 'Cause you're involved in a variety of efforts, both in the CNCF and even outside of that. And then what are some tips for expanding the tent of Open Source projects? >> That's a good question. I think it's about transparency. Just come in and tell people what you really need to do and clearly articulate your problem, more clearly articulate your problem and why you can't solve it with any other solution, the more people are going to understand what you're trying to do and be able to collaborate with you better. What I love about Open Source is that where I've seen it succeed is where incentives of different perspectives and parties align and you're just transparent about what you want. So you can collaborate where it makes sense, even if you compete as a company with another company in the same area. So I really like that, but I just feel like transparency and honesty is what it comes down to and clearly communicating those objectives. >> Yeah, and the various foundations, I think one of the things that I've seen, particularly Apache Software Foundation and others is the notion of checking your badge at the door. Because the competition might be between companies, but in many respects, you have engineers across many companies that are just kicking butt with the tech they contribute, claiming victory in one way or the other might make for interesting marketing drama. But, I think that's a little bit of the challenge. In some of the, standards-based work you're doing I know with CNI and some other things, are they similar, are they different? How would you compare and contrast into something a little more structured like CNCF? >> Yeah, so most of what I do is in the CNCF, but there's specs and there's projects. I think what CNCF does a great job at is just iterating to make it an easier place for developers to collaborate. You can ask the CNCF for basically whatever you need, and they'll try their best to figure out how to make it happen. And we just continue to work on making the processes are clearer and more transparent. And I think in terms of specs and projects, those are such different collaboration environments. Because if you're in a project, you have to say, "Okay, I want this feature or I want this bug fixed." But when you're in a spec environment, you have to think a little outside of the box and like, what framework do you want to work in? You have to think a little farther ahead in terms of is this solution or this decision we're going to make going to last for the next how many years? You have to get more of a buy in from all of the key stakeholders and maintainers. So it's a little bit of a longer process, I think. But what's so beautiful is that you have this really solid, standard or interface that opens up an ecosystem and allows people to build things that you could never have even imagined or dreamed of so-- >> Gotcha. So I'm Kelsey, we'll head over to you as your focus is on, developer advocate, you've been in the cloud native front lines for many years. Today developers are faced with a ton of moving parts, spanning containers, functions, Cloud Service primitives, including container services, server-less platforms, lots more, right? I mean, there's just a ton of choice. How do you help developers maintain a minimalist mantra in the face of such a wealth of choice? I think minimalism I hear you talk about that periodically, I know you're a fan of that. How do you pass that on and your developer advocacy in your day to day work? >> Yeah, I think, for most developers, most of this is not really the top of mind for them, is something you may see a post on Hacker News, and you might double click into it. Maybe someone on your team brought one of these tools in and maybe it leaks up into your workflow so you're forced to think about it. But for most developers, they just really want to continue writing code like they've been doing. And the best of these projects they'll never see. They just work, they get out of the way, they help them with log in, they help them run their application. But for most people, this isn't the core idea of the job for them. For people in operations, on the other hand, maybe these components fill a gap. So they look at a lot of this stuff that you see in the CNCF and Open Source space as number one, various companies or teams sharing the way that they do things, right? So these are ideas that are put into the Open Source, some of them will turn into products, some of them will just stay as projects that had mutual benefit for multiple people. But for the most part, it's like walking through an ion like Home Depot. You pick the tools that you need, you can safely ignore the ones you don't need, and maybe something looks interesting and maybe you study it to see if that if you have a problem. And for most people, if you don't have that problem that that tool solves, you should be happy. No one needs every project and I think that's where the foundation for confusion. So my main job is to help people not get stuck and confused in LAN and just be pragmatic and just use the tools that work for 'em. >> Yeah, and you've spent the last little while in the server-less space really diving into that area, compare and contrast, I guess, what you found there, minimalist approach, who are you speaking to from a server-less perspective versus that of the broader CNCF? >> The thing that really pushed me over, I was teaching my daughter how to make a website. So she's on her Chromebook, making a website, and she's hitting 127.0.0.1, and it looks like geo cities from the 90s but look, she's making website. And she wanted her friends to take a look. So she copied and paste from her browser 127.0.0.1 and none of her friends could pull it up. So this is the point where every parent has to cross that line and say, "Hey, do I really need to sit down "and teach my daughter about Linux "and Docker and Kubernetes." That isn't her main goal, her goal was to just launch her website in a way that someone else can see it. So we got Firebase installed on her laptop, she ran one command, Firebase deploy. And our site was up in a few minutes, and she sent it over to her friend and there you go, she was off and running. The whole server-less movement has that philosophy as one of the stated goal that needs to be the workflow. So, I think server-less is starting to get closer and closer, you start to see us talk about and Chris mentioned this earlier, we're moving up the stack. Where we're going to up the stack, the North Star there is feel where you get the focus on what you're doing, and not necessarily how to do it underneath. And I think server-less is not quite there yet but every type of workload, stateless web apps check, event driven workflows check, but not necessarily for things like machine learning and some other workloads that more traditional enterprises want to run so there's still work to do there. So server-less for me, serves as the North Star for why all these Projects exists for people that may have to roll their own platform, to provide the experience. >> So, Chris, on a related note, with what we were just talking about with Kelsey, what's your perspective on the explosion of the cloud native landscape? There's, a ton of individual projects, each can be used separately, but in many cases, they're like Lego blocks and used together. So things like the surface mesh interface, standardizing interfaces, so things can snap together more easily, I think, are some of the approaches but are you doing anything specifically to encourage this cross fertilization and collaboration of bug ability, because there's just a ton of projects, not only at the CNCF but outside the CNCF that need to plug in? >> Yeah, I mean, a lot of this happens organically. CNCF really provides of the neutral home where companies, competitors, could trust each other to build interesting technology. We don't force integration or collaboration, it happens on its own. We essentially allow the market to decide what a successful project is long term or what an integration is. We have a great Technical Oversight Committee that helps shepherd the overall technical vision for the organization and sometimes steps in and tries to do the right thing when it comes to potentially integrating a project. Previously, we had this issue where there was a project called Open Tracing, and an effort called Open Census, which is basically trying to standardize how you're going to deal with metrics, on the tree and so on in a cloud native world that we're essentially competing with each other. The CNCF TC and committee came together and merged those projects into one parent ever called Open Elementary and so that to me is a case study of how our committee helps, bridges things. But we don't force things, we essentially want our community of end users and vendors to decide which technology is best in the long term, and we'll support that. >> Okay, awesome. And, Michelle, you've been focused on making distributed systems digestible, which to me is about simplifying things. And so back when Docker arrived on the scene, some people referred to it as developer dopamine, which I love that term, because it's simplified a bunch of crufty stuff for developers and actually helped them focus on doing their job, writing code, delivering code, what's happening in the community to help developers wire together multi-part modern apps in a way that's elegant, digestible, feels like a dopamine rush? >> Yeah, one of the goals of the(mumbles) project was to make it easier to deploy an application on Kubernetes so that you could see what the finished product looks like. And then dig into all of the things that that application is composed of, all the resources. So we're really passionate about this kind of stuff for a while now. And I love seeing projects that come into the space that have this same goal and just iterate and make things easier. I think we have a ways to go still, I think a lot of the iOS developers and JS developers I get to talk to don't really care that much about Kubernetes. They just want to, like Kelsey said, just focus on their code. So one of the projects that I really like working with is Tilt gives you this dashboard in your CLI, aggregates all your logs from your applications, And it kind of watches your application changes, and reconfigures those changes in Kubernetes so you can see what's going on, it'll catch errors, anything with a dashboard I love these days. So Yali is like a metrics dashboard that's integrated with STL, a service graph of your service mesh, and lets you see the metrics running there. I love that, I love that dashboard so much. Linkerd has some really good service graph images, too. So anything that helps me as an end user, which I'm not technically an end user, but me as a person who's just trying to get stuff up and running and working, see the state of the world easily and digest them has been really exciting to see. And I'm seeing more and more dashboards come to light and I'm very excited about that. >> Yeah, as part of the DockerCon just as a person who will be attending some of the sessions, I'm really looking forward to see where DockerCompose is going, I know they opened up the spec to broader input. I think your point, the good one, is there's a bit more work to really embrace the wealth of application artifacts that compose a larger application. So there's definitely work the broader community needs to lean in on, I think. >> I'm glad you brought that up, actually. Compose is something that I should have mentioned and I'm glad you bring that up. I want to see programming language libraries, integrate with the Compose spec. I really want to see what happens with that I think is great that they open that up and made that a spec because obviously people really like using Compose. >> Excellent. So Kelsey, I'd be remiss if I didn't touch on your January post on changelog entitled, "Monoliths are the Future." Your post actually really resonated with me. My son works for a software company in Austin, Texas. So your hometown there, Chris. >> Yeah. >> Shout out to Will and the chorus team. His development work focuses on adding modern features via micro services as extensions to the core monolith that the company was founded on. So just share some thoughts on monoliths, micro services. And also, what's deliverance dopamine from your perspective more broadly, but people usually phrase as monoliths versus micro services, but I get the sense you don't believe it's either or. >> Yeah, I think most companies from the pragmatic so one of their argument is one of pragmatism. Most companies have trouble designing any app, monolith, deployable or microservices architecture. And then these things evolve over time. Unless you're really careful, it's really hard to know how to slice these things. So taking an idea or a problem and just knowing how to perfectly compartmentalize it into individual deployable component, that's hard for even the best people to do. And double down knowing the actual solution to the particular problem. A lot of problems people are solving they're solving for the first time. It's really interesting, our industry in general, a lot of people who work in it have never solved the particular problem that they're trying to solve for the first time. So that's interesting. The other part there is that most of these tools that are here to help are really only at the infrastructure layer. We're talking freeways and bridges and toll bridges, but there's nothing that happens in the actual developer space right there in memory. So the libraries that interface to the structure logging, the libraries that deal with rate limiting, the libraries that deal with authorization, can this person make this query with this user ID? A lot of those things are still left for developers to figure out on their own. So while we have things like the brunettes and fluid D, we have all of these tools to deploy apps into those target, most developers still have the problem of everything you do above that line. And to be honest, the majority of the complexity has to be resolved right there in the app. That's the thing that's taking requests directly from the user. And this is where maybe as an industry, we're over-correcting. So we had, you said you come from the JBoss world, I started a lot of my Cisco administration, there's where we focus a little bit more on the actual application needs, maybe from a router that as well. But now what we're seeing is things like Spring Boot, start to offer a little bit more integration points in the application space itself. So I think the biggest parts that are missing now are what are the frameworks people will use for authorization? So you have projects like OPA, Open Policy Agent for those that are new to that, it gives you this very low level framework, but you still have to understand the concepts around, what does it mean to allow someone to do something and one missed configuration, all your security goes out of the window. So I think for most developers this is where the next set of challenges lie, if not actually the original challenge. So for some people, they were able to solve most of these problems with virtualization, run some scripts, virtualize everything and be fine. And monoliths were okay for that. For some reason, we've thrown pragmatism out of the window and some people are saying the only way to solve these problems is by breaking the app into 1000 pieces. Forget the fact that you had trouble managing one piece, you're going to somehow find the ability to manage 1000 pieces with these tools underneath but still not solving the actual developer problems. So this is where you've seen it already with a couple of popular blog posts from other companies. They cut too deep. They're going from 2000, 3000 microservices back to maybe 100 or 200. So to my world, it's going to be not just one monolith, but end up maybe having 10 or 20 monoliths that maybe reflect the organization that you have versus the architectural pattern that you're at. >> I view it as like a constellation of stars and planets, et cetera. Where you you might have a star that has a variety of, which is a monolith, and you have a variety of sort of planetary microservices that float around it. But that's reality, that's the reality of modern applications, particularly if you're not starting from a clean slate. I mean your points, a good one is, in many respects, I think the infrastructure is code movement has helped automate a bit of the deployment of the platform. I've been personally focused on app development JBoss as well as springsSource. The Spring team I know that tech pretty well over the years 'cause I was involved with that. So I find that James Governor's discussion of progressive delivery really resonates with me, as a developer, not so much as an infrastructure Deployer. So continuous delivery is more of infrastructure notice notion, progressive delivery, feature flags, those types of things, or app level, concepts, minimizing the blast radius of your, the new features you're deploying, that type of stuff, I think begins to speak to the pain of application delivery. So I'll guess I'll put this up. Michelle, I might aim it to you, and then we'll go around the horn, what are your thoughts on the progressive delivery area? How could that potentially begin to impact cloud native over 2020? I'm looking for some rallying cries that move up the stack and give a set of best practices, if you will. And I think James Governor of RedMonk opened on something that's pretty important. >> Yeah, I think it's all about automating all that stuff that you don't really know about. Like Flagger is an awesome progressive delivery tool, you can just deploy something, and people have been asking for so many years, ever since I've been in this space, it's like, "How do I do AB deployment?" "How do I do Canary?" "How do I execute these different deployment strategies?" And Flagger is a really good example, for example, it's a really good way to execute these deployment strategies but then, make sure that everything's happening correctly via observing metrics, rollback if you need to, so you don't just throw your whole system. I think it solves the problem and allows you to take risks but also keeps you safe in that you can be confident as you roll out your changes that it all works, it's metrics driven. So I'm just really looking forward to seeing more tools like that. And dashboards, enable that kind of functionality. >> Chris, what are your thoughts in that progressive delivery area? >> I mean, CNCF alone has a lot of projects in that space, things like Argo that are tackling it. But I want to go back a little bit to your point around developer dopamine, as someone that probably spent about a decade of his career focused on developer tooling and in fact, if you remember the Eclipse IDE and that whole integrated experience, I was blown away recently by a demo from GitHub. They have something called code spaces, which a long time ago, I was trying to build development environments that essentially if you were an engineer that joined a team recently, you could basically get an environment quickly start it with everything configured, source code checked out, environment properly set up. And that was a very hard problem. This was like before container days and so on and to see something like code spaces where you'd go to a repo or project, open it up, behind the scenes they have a container that is set up for the environment that you need to build and just have a VS code ID integrated experience, to me is completely magical. It hits like developer dopamine immediately for me, 'cause a lot of problems when you're going to work with a project attribute, that whole initial bootstrap of, "Oh you need to make sure you have this library, this install," it's so incredibly painful on top of just setting up your developer environment. So as we continue to move up the stack, I think you're going to see an incredible amount of improvements around the developer tooling and developer experience that people have powered by a lot of this cloud native technology behind the scenes that people may not know about. >> Yeah, 'cause I've been talking with the team over at Docker, the work they're doing with that desktop, enable the aim local environment, make sure it matches as closely as possible as your deployed environments that you might be targeting. These are some of the pains, that I see. It's hard for developers to get bootstrapped up, it might take him a day or two to actually just set up their local laptop and development environment, and particularly if they change teams. So that complexity really corralling that down and not necessarily being overly prescriptive as to what tool you use. So if you're visual code, great, it should feel integrated into that environment, use a different environment or if you feel more comfortable at the command line, you should be able to opt into that. That's some of the stuff I get excited to potentially see over 2020 as things progress up the stack, as you said. So, Michelle, just from an innovation train perspective, and we've covered a little bit, what's the best way for people to get started? I think Kelsey covered a little bit of that, being very pragmatic, but all this innovation is pretty intimidating, you can get mowed over by the train, so to speak. So what's your advice for how people get started, how they get involved, et cetera. >> Yeah, it really depends on what you're looking for and what you want to learn. So, if you're someone who's new to the space, honestly, check out the case studies on cncf.io, those are incredible. You might find environments that are similar to your organization's environments, and read about what worked for them, how they set things up, any hiccups they crossed. It'll give you a broad overview of the challenges that people are trying to solve with the technology in this space. And you can use that drill into the areas that you want to learn more about, just depending on where you're coming from. I find myself watching old KubeCon talks on the cloud native computing foundations YouTube channel, so they have like playlists for all of the conferences and the special interest groups in CNCF. And I really enjoy talking, I really enjoy watching excuse me, older talks, just because they explain why things were done, the way they were done, and that helps me build the tools I built. And if you're looking to get involved, if you're building projects or tools or specs and want to contribute, we have special interest groups in the CNCF. So you can find that in the CNCF Technical Oversight Committee, TOC GitHub repo. And so for that, if you want to get involved there, choose a vertical. Do you want to learn about observability? Do you want to drill into networking? Do you care about how to deliver your app? So we have a cig called app delivery, there's a cig for each major vertical, and you can go there to see what is happening on the edge. Really, these are conversations about, okay, what's working, what's not working and what are the next changes we want to see in the next months. So if you want that kind of granularity and discussion on what's happening like that, then definitely join those those meetings. Check out those meeting notes and recordings. >> Gotcha. So on Kelsey, as you look at 2020 and beyond, I know, you've been really involved in some of the earlier emerging tech spaces, what gets you excited when you look forward? What gets your own level of dopamine up versus the broader community? What do you see coming that we should start thinking about now? >> I don't think any of the raw technology pieces get me super excited anymore. Like, I've seen the circle of around three or four times, in five years, there's going to be a new thing, there might be a new foundation, there'll be a new set of conferences, and we'll all rally up and probably do this again. So what's interesting now is what people are actually using the technology for. Some people are launching new things that maybe weren't possible because infrastructure costs were too high. People able to jump into new business segments. You start to see these channels on YouTube where everyone can buy a mic and a B app and have their own podcasts and be broadcast to the globe, just for a few bucks, if not for free. Those revolutionary things are the big deal and they're hard to come by. So I think we've done a good job democratizing these ideas, distributed systems, one company got really good at packaging applications to share with each other, I think that's great, and never going to reset again. And now what's going to be interesting is, what will people build with this stuff? If we end up building the same things we were building before, and then we're talking about another digital transformation 10 years from now because it's going to be funny but Kubernetes will be the new legacy. It's going to be the things that, "Oh, man, I got stuck in this Kubernetes thing," and there'll be some governor on TV, looking for old school Kubernetes engineers to migrate them to some new thing, that's going to happen. You got to know that. So at some point merry go round will stop. And we're going to be focused on what you do with this. So the internet is there, most people have no idea of the complexities of underwater sea cables. It's beyond one or two people, or even one or two companies to comprehend. You're at the point now, where most people that jump on the internet are talking about what you do with the internet. You can have Netflix, you can do meetings like this one, it's about what you do with it. So that's going to be interesting. And we're just not there yet with tech, tech is so, infrastructure stuff. We're so in the weeds, that most people almost burn out what's just getting to the point where you can start to look at what you do with this stuff. So that's what I keep in my eye on, is when do we get to the point when people just ship things and build things? And I think the closest I've seen so far is in the mobile space. If you're iOS developer, Android developer, you use the SDK that they gave you, every year there's some new device that enables some new things speech to text, VR, AR and you import an STK, and it just worked. And you can put it in one place and 100 million people can download it at the same time with no DevOps team, that's amazing. When can we do that for server side applications? That's going to be something I'm going to find really innovative. >> Excellent. Yeah, I mean, I could definitely relate. I was Hortonworks in 2011, so, Hadoop, in many respects, was sort of the precursor to the Kubernetes area, in that it was, as I like to refer to, it was a bunch of animals in the zoo, wasn't just the yellow elephant. And when things mature beyond it's basically talking about what kind of analytics are driving, what type of machine learning algorithms and applications are they delivering? You know that's when things tip over into a real solution space. So I definitely see that. I think the other cool thing even just outside of the container and container space, is there's just such a wealth of data related services. And I think how those two worlds come together, you brought up the fact that, in many respects, server-less is great, it's stateless, but there's just a ton of stateful patterns out there that I think also need to be addressed as these richer applications to be from a data processing and actionable insights perspective. >> I also want to be clear on one thing. So some people confuse two things here, what Michelle said earlier about, for the first time, a whole group of people get to learn about distributed systems and things that were reserved to white papers, PhDs, CF site, this stuff is now super accessible. You go to the CNCF site, all the things that you read about or we used to read about, you can actually download, see how it's implemented and actually change how it work. That is something we should never say is a waste of time. Learning is always good because someone has to build these type of systems and whether they sell it under the guise of server-less or not, this will always be important. Now the other side of this is, that there are people who are not looking to learn that stuff, the majority of the world isn't looking. And in parallel, we should also make this accessible, which should enable people that don't need to learn all of that before they can be productive. So that's two sides of the argument that can be true at the same time, a lot of people get caught up. And everything should just be server-less and everyone learning about distributed systems, and contributing and collaborating is wasting time. We can't have a world where there's only one or two companies providing all infrastructure for everyone else, and then it's a black box. We don't need that. So we need to do both of these things in parallel so I just want to make sure I'm clear that it's not one of these or the other. >> Yeah, makes sense, makes sense. So we'll just hit the final topic. Chris, I think I'll ask you to help close this out. COVID-19 clearly has changed how people work and collaborate. I figured we'd end on how do you see, so DockerCon is going to virtual events, inherently the Open Source community is distributed and is used to not face to face collaboration. But there's a lot of value that comes together by assembling a tent where people can meet, what's the best way? How do you see things playing out? What's the best way for this to evolve in the face of the new normal? >> I think in the short term, you're definitely going to see a lot of virtual events cropping up all over the place. Different themes, verticals, I've already attended a handful of virtual events the last few weeks from Red Hat summit to Open Compute summit to Cloud Native summit, you'll see more and more of these. I think, in the long term, once the world either get past COVID or there's a vaccine or something, I think the innate nature for people to want to get together and meet face to face and deal with all the serendipitous activities you would see in a conference will come back, but I think virtual events will augment these things in the short term. One benefit we've seen, like you mentioned before, DockerCon, can have 50,000 people at it. I don't remember what the last physical DockerCon had but that's definitely an order of magnitude more. So being able to do these virtual events to augment potential of physical events in the future so you can build a more inclusive community so people who cannot travel to your event or weren't lucky enough to win a scholarship could still somehow interact during the course of event to me is awesome and I hope something that we take away when we start all doing these virtual events when we get back to physical events, we find a way to ensure that these things are inclusive for everyone and not just folks that can physically make it there. So those are my thoughts on on the topic. And I wish you the best of luck planning of DockerCon and so on. So I'm excited to see how it turns out. 50,000 is a lot of people and that just terrifies me from a cloud native coupon point of view, because we'll probably be somewhere. >> Yeah, get ready. Excellent, all right. So that is a wrap on the DockerCon 2020 Open Source Power Panel. I think we covered a ton of ground. I'd like to thank Chris, Kelsey and Michelle, for sharing their perspectives on this continuing wave of Docker and cloud native innovation. I'd like to thank the DockerCon attendees for tuning in. And I hope everybody enjoys the rest of the conference. (upbeat music)