(upbeat music) >> Hello, everyone, from Palo Alto, Lisa Martin here. This is The Cube's coverage of CloudNativeSecurityCon, the inaugural event. I'm here with John Furrier in studio. In Boston, Dave Vellante joins us, and our guest, Liz Rice, one of our alumni, is joining us from Seattle. Great to have everyone here. Liz is the Chief Open Source officer at Isovalent. She's also the Emeritus Chair Technical Oversight Committee at CNCF, and a co-chair of this new event. Everyone, welcome Liz. Great to have you back on theCUBE. Thanks so much for joining us today. >> Thanks so much for having me, pleasure. >> So CloudNativeSecurityCon. This is the inaugural event, Liz, this used to be part of KubeCon, it's now its own event in its first year. Talk to us about the importance of having it as its own event from a security perspective, what's going on? Give us your opinions there. >> Yeah, I think security was becoming so- at such an important part of the conversation at KubeCon, CloudNativeCon, and the TAG security, who were organizing the co-located Cloud Native Security Day which then turned into a two day event. They were doing this amazing job, and there was so much content and so much activity and so much interest that it made sense to say "Actually this could stand alone as a dedicated event and really dedicate, you know, all the time and resources of running a full conference, just thinking about cloud native security." And I think that's proven to be true. There's plenty of really interesting talks that we're going to see. Things like a capture the flag. There's all sorts of really good things going on this week. >> Liz, great to see you, and Dave, great to see you in Boston Lisa, great intro. Liz, you've been a CUBE alumni. You've been a great contributor to our program, and being part of our team, kind of extracting that signal from the CNCF cloud native world KubeCon. This event really kind of to me is a watershed moment, because it highlights not only security as a standalone discussion event, but it's also synergistic with KubeCon. And, as co-chair, take us through the thought process on the sessions, the experts, it's got a practitioner vibe there. So we heard from Priyanka early on, bottoms up, developer first. You know KubeCon's shift left was big momentum. This seems to be a breakout of very focused security. Can you share the rationale and the thoughts behind how this is emerging, and how you see this developing? I know it's kind of a small event, kind of testing the waters it seems, but this is really a directional shift. Can you share your thoughts? >> Yeah I'm just, there's just so many different angles that you can consider security. You know, we are seeing a lot of conversations about supply chain security, but there's also runtime security. I'm really excited about eBPF tooling. There's also this opportunity to talk about how do we educate people about security, and how do security practitioners get involved in cloud native, and how do cloud native folks learn about the security concepts that they need to keep their deployments secure. So there's lots of different groups of people who I think maybe at a KubeCon, KubeCon is so wide, it's such a diverse range of topics. If you really just want to focus in, drill down on what do I need to do to run Kubernetes and cloud native applications securely, let's have a really focused event, and just drill down into all the different aspects of that. And I think that's great. It brings the right people together, the practitioners, the experts, the vendors to, you know, everyone can be here, and we can find each other at a smaller event. We are not spread out amongst the thousands of people that would attend a KubeCon. >> It's interesting, Dave, you know, when we were talking, you know, we're going to bring you in real quick, because AWS, which I think is the bellweather for, you know, cloud computing, has now two main shows, AWS re:Invent and re:Inforce. Security, again, broken out there. you see the classic security events, RSA, Black Hat, you know, those are the, kind of, the industry kind of mainstream security, very wide. But you're starting to see the cloud native developer first with both security and cloud native, kind of, really growing so fast. This is a major trend for a lot of the ecosystem >> You know, and you hear, when you mention those other conferences, John you hear a lot about, you know, shift left. There's a little bit of lip service there, and you, we heard today way more than lip service. I mean deep practitioner level conversations, and of course the runtime as well. Liz, you spent a lot of time obviously in your keynote on eBPF, and I wonder if you could share with the audience, you know, why you're so excited about that. What makes it a more effective tool compared to other traditional methods? I mean, it sounds like it simplifies things. You talked about instrumenting nodes versus workloads. Can you explain that a little bit more detail? >> Yeah, so with eBPF programs, we can load programs dynamically into the kernel, and we can attach them to all kinds of different events that could be happening anywhere on that virtual machine. And if you have the right knowledge about where to hook into, you can observe network events, you can observe file access events, you can observe pretty much anything that's interesting from a security perspective. And because eBPF programs are living in the kernel, there's only one kernel shared amongst all of the applications that are running on that particular machine. So you don't- you no longer have to instrument each individual application, or each individual pod. There's no more need to inject sidecars. We can apply eBPF based tooling on a per node basis, which just makes things operationally more straightforward, but it's also extremely performant. We can hook these programs into events that typically very lightweight, small programs, kind of, emitting an event, making a decision about whether to drop a packet, making a decision about whether to allow file access, things of that nature. There's super fast, there's no need to transition between kernel space and user space, which is usually quite a costly operation from performance perspective. So eBPF makes it really, you know, it's taking the security tooling, and other forms of tooling, networking and observability. We can take these tools into the kernel, and it's really efficient there. >> So Liz- >> So, if I may, one, just one quick follow up. You gave kind of a space age example (laughs) in your keynote. When, do you think a year from now we'll be able to see, sort of, real world examples in in action? How far away are we? >> Well, some of that is already pretty widely deployed. I mean, in my keynote I was talking about Cilium. Cilium is adopted by hundreds of really big scale deployments. You know, the users file is full of household names who've been using cilium. And as part of that they will be using network policies. And I showed some visualizations this morning of network policy, but again, network policy has been around, pretty much since the early days of Kubernetes. It can be quite fiddly to get it right, but there are plenty of people who are using it at scale today. And then we were also looking at some runtime security detections, seeing things like, in my example, exfiltrating the plans to the Death Star, you know, looking for suspicious executables. And again, that's a little bit, it's a bit newer, but we do have people running that in production today, proving that it really does work, and that eBPF is a scalable technology. It's, I've been fascinated by eBPF for years, and it's really amazing to see it being used in the real world now. >> So Liz, you're a maintainer on the Cilium project. Talk about the use of eBPF in the Cilium project. How is it contributing to cloud native security, and really helping to change the dials on that from an efficiency, from a performance perspective, as well as a, what's in it for me as a business perspective? >> So Cilium is probably best known as a networking plugin for Kubernetes. It, when you are running Kubernetes, you have to make a decision about some networking plugin that you're going to use. And Cilium is, it's an incubating project in the CNCF. It's the most mature of the different CNIs that's in the CNCF at the moment. As I say, very widely deployed. And right from day one, it was based on eBPF. And in fact some of the people who contribute to the eBPF platform within the kernel, are also working on the Cilium project. They've been kind of developed hand in hand for the last six, seven years. So really being able to bring some of that networking capability, it required changes in the kernel that have been put in place several years ago, so that now we can build these amazing tools for Kubernetes operators. So we are using eBPF to make the networking stack for Kubernetes and cloud native really efficient. We can bypass some of the parts of the network stack that aren't necessarily required in a cloud native deployment. We can use it to make these incredibly fast decisions about network policy. And we also have a sub-project called Tetragon, which is a newer part of the Cilium family which uses eBPF to observe these runtime events. The things like people opening a file, or changing the permissions on a file, or making a socket connection. All of these things that as a security engineer you are interested in. Who is running executables who is making network connections, who's accessing files, all of these operations are things that we can observe with Cilium Tetragon. >> I mean it's exciting. We've chatted in the past about that eBPF extended Berkeley Packet Filter, which is about the Linux kernel. And I bring that up Liz, because I think this is the trend I'm trying to understand with this event. It's, I hear bottoms up developer, developer first. It feels like it's an under the hood, infrastructure, security geek fest for practitioners, because Brian, in his keynote, mentioned BIND in reference the late Dan Kaminsky, who was, obviously found that error in BIND at the, in DNS. He mentioned DNS. There's a lot of things that's evolving at the silicone, kernel, kind of root levels of our infrastructure. This seems to be a major shift in focus and rightfully so. Is that something that you guys talk about, or is that coincidence, or am I just overthinking this point in terms of how nerdy it's getting in terms of the importance of, you know, getting down to the low level aspects of protecting everything. And as we heard also the quote was no software secure. (Liz chuckles) So that's up and down the stack of the, kind of the old model. What's your thoughts and reaction to that? >> Yeah, I mean I think a lot of folks who get into security really are interested in these kind of details. You know, you see write-ups of exploits and they, you know, they're quite often really involved, and really require understanding these very deep detailed technical levels. So a lot of us can really geek out about the details of that. The flip side of that is that as an application developer, you know, as- if you are working for a bank, working for a media company, you're writing applications, you shouldn't have to be worried about what's happening at the kernel level. This might be kind of geeky interesting stuff, but really, operationally, it should be taken care of for you. You've got your work cut out building business value in applications. So I think there's this interesting, kind of dual track going on almost, if you like, of the people who really want to get involved in those nitty gritty details, and understand how the underlying, you know, kernel level exploits maybe working. But then how do we make that really easy for people who are running clusters to, I mean like you said, nothing is ever secure, but trying to make things as secure as they can be easily, and make things visual, make things accessible, make things, make it easy to check whether or not you are compliant with whatever regulations you need to be compliant with. That kind of focus on making things usable for the platform team, for the application developers who deliver apps on the platform, that's the important (indistinct)- >> I noticed that the word expert was mentioned, I mentioned earlier with Priyanka. Was there a rationale on the 72 sessions, was there thinking around it or was it kind of like, these are urgent areas, they're obvious low hanging fruit. Was there, take us through the selection process of, or was it just, let's get 72 sessions going to get this (Liz laughs) thing moving? >> No, we did think quite carefully about how we wanted to, what the different focus areas we wanted to include. So we wanted to make sure that we were including things like governance and compliance, and that we talk about not just supply chain, which is clearly a very hot topic at the moment, but also to talk about, you know, threat detection, runtime security. And also really importantly, we wanted to have space to talk about education, to talk about how people can get involved. Because maybe when we talk about all these details, and we get really technical, maybe that's, you know, a bit scary for people who are new into the cloud native security space. We want to make sure that there are tracks and content that are accessible for newcomers to get involved. 'Cause, you know, given time they'll be just as excited about diving into those kind of kernel level details. But everybody needs a place to start, and we wanted to make sure there were conversations about how to get started in security, how to educate other members of your team in your organization about security. So hopefully there's something for everyone. >> That education piece- >> Liz, what's the- >> Oh sorry, Dave. >> What the buzz on on AI? We heard Dan talk about, you know, chatGPT, using it to automate spear phishing. There's always been this tension between security and speed to market, but CISOs are saying, "Hey we're going to a zero trust architecture and that's helping us move faster." Will, in your, is the talk on the floor, AI is going to slow us down a little bit until we figure it out? Or is it actually going to be used as an offensive defensive tool if I can use that angle? >> Yeah, I think all of the above. I actually had an interesting chat this morning. I was talking with Andy Martin from Control Plane, and we were talking about the risk of AI generated code that attempts to replicate what open source libraries already do. So rather than using an existing open source package, an organization might think, "Well, I'll just have my own version, and I'll have an AI write it for me." And I don't, you know, I'm not a lawyer so I dunno what the intellectual property implications of this will be, but imagine companies are just going, "Well you know, write me an SSL library." And that seems terrifying from a security perspective, 'cause there could be all sorts of very slightly different AI generated libraries that pick up the same vulnerabilities that exist in open source code. So, I think we're going to go through a pretty interesting period of vulnerabilities being found in AI generated code that look familiar, and we'll be thinking "Haven't we seen these vulnerabilities before? Yeah, we did, but they were previously in handcrafted code and now we'll see the same things being generated by AI." I mean, in the same way that if you look at an AI generated picture and it's got I don't know, extra fingers, or, you know, extra ears or something that, (Dave laughs) AI does make mistakes. >> So Liz, you talked about the education, the enablement, the 72 sessions, the importance of CloudNativeSecurityCon being its own event this year. What are your hopes and dreams for the practitioners to be able to learn from this event? How do you see the event as really supporting the growth, the development of the cloud native security community as a whole? >> Yeah, I think it's really important that we think of it as a Cloud Native Security community. You know, there are lots of interesting sort of hacker community security related community. Cloud native has been very community focused for a long time, and we really saw, particularly through the tag, the security tag, that there was this growing group of people who were, really wanted to work at that intersection between security and cloud native. And yeah, I think things are going really well this week so far, So I hope this is, you know, the first of many additions of this conference. I think it will also be interesting to see how the balance between a smaller, more focused event, compared to the giant KubeCon and cloud native cons. I, you know, I think there's space for both things, but whether or not there will be other smaller focus areas that want to stand alone and justify being able to stand alone as their own separate conferences, it speaks to the growth of cloud native in general that this is worthwhile doing. >> Yeah. >> It is, and what also speaks to, it reminds me of our tagline here at theCUBE, being able to extract the signal from the noise. Having this event as a standalone, being able to extract the value in it from a security perspective, that those practitioners and the community at large is going to be able to glean from these conversations is something that will be important, that we'll be keeping our eyes on. >> Absolutely. Makes sense for me, yes. >> Yeah, and I think, you know, one of the things, Lisa, that I want to get in, and if you don't mind asking Dave his thoughts, because he just did a breaking analysis on the security landscape. And Dave, you know, as Liz talking about some of these root level things, we talk about silicon advances, powering machine learning, we've been covering a lot of that. You've been covering the general security industry. We got RSA coming up reinforced with AWS, and as you see the cloud native developer first, really driving the standards of the super cloud, the multicloud, you're starting to see a lot more application focus around latency and kind of controlling that, These abstraction layer's starting to see a lot more growth. What's your take, Dave, on what Liz and- is talking about because, you know, you're analyzing the horses on the track, and there's sometimes the old guard security folks, and you got open source continuing to kick butt. And even on the ML side, we've been covering some of these foundation models, you're seeing a real technical growth in open source at all levels and, you know, you still got some proprietary machine learning stuff going on, but security's integrating all that. What's your take and your- what's your breaking analysis on the security piece here? >> I mean, to me the two biggest problems in cyber are just the lack of talent. I mean, it's just really hard to find super, you know, deep expertise and get it quickly. And I think the second is it's just, it's so many tools to deal with. And so the architecture of security is just this mosaic and a mess. That's why I'm excited about initiatives like eBPF because it does simplify things, and developers are being asked to do a lot. And I think one of the other things that's emerging is when you- when we talk about Industry 4.0, and IIoT, you- I'm seeing a lot of tools that are dedicated just to that, you know, slice of the world. And I don't think that's the right approach. I think that there needs to be a more comprehensive view. We're seeing, you know, zero trust architectures come together, and it's going to take some time, but I think that you're going to definitely see, you know, some rethinking of how to architect security. It's a game of whack-a-mole, but I think the industry is just- the technology industry is doing a really really good job of, you know, working hard to solve these problems. And I think the answer is not just another bespoke tool, it's a broader thinking around architectures and consolidating some of those tools, you know, with an end game of really addressing the problem in a more comprehensive fashion. >> Liz, in the last minute or so we have your thoughts on how automation and scale are driving some of these forcing functions around, you know, taking away the toil and the muck around developers, who just want stuff to be code, right? So infrastructure as code. Is that the dynamic here? Is this kind of like new, or is it kind of the same game, different kind of thing? (chuckles) 'Cause you're seeing a lot more machine learning, a lot more automation going on. What's, is that having an impact? What's your thoughts? >> Automation is one of the kind of fundamental underpinnings of cloud native. You know, we're expecting infrastructure to be written as code, We're expecting the platform to be defined in yaml essentially. You know, we are expecting the Kubernetes and surrounding tools to self-heal and to automatically scale and to do things like automated security. If we think about supply chain, you know, automated dependency scanning, think about runtime. Network policy is automated firewalling, if you like, for a cloud native era. So, I think it's all about making that platform predictable. Automation gives us some level of predictability, even if the underlying hardware changes or the scale changes, so that the application developers have something consistent and standardized that they can write to. And you know, at the end of the day, it's all about the business applications that run on top of this infrastructure >> Business applications and the business outcomes. Liz, we so appreciate your time talking to us about this inaugural event, CloudNativeSecurityCon 23. The value in it for those practitioners, all of the content that's going to be discussed and learned, and the growth of the community. Thank you so much, Liz, for sharing your insights with us today. >> Thanks for having me. >> For Liz Rice, John Furrier and Dave Vellante, I'm Lisa Martin. You're watching the Cube's coverage of CloudNativeSecurityCon 23. (electronic music)

(bright upbeat music) >> Welcome back to Detroit guys and girls. Lisa Martin here with John Furrier. We've been on the floor at KubeCon + CloudNativeCon North America for about two days now. We've been breaking news, we would have a great conversations, John. We love talking with CUBE alumni whose companies are just taking off. And we get to do that next again. >> Well, this next segment's awesome. We have former CUBE host, Brian Gracely, here who's an executive in this company. And then the entrepreneur who we're going to talk with. She was on theCUBE when it just started now they're extremely successful. It's going to be a great conversation. >> It is, Idit Levine is here, the founder and CEO of solo.io. And as John mentioned, Brian Gracely. You know Brian. He's the VP of Product Marketing and Product Strategy now at solo.io. Guys, welcome to theCUBE, great to have you here. >> Thanks for having us. >> Idit: Thank so much for having us. >> Talk about what's going on. This is a rocket ship that you're riding. I was looking at your webpage, you have some amazing customers. T-Mobile, BMW, Amex, for a marketing guy it must be like, this is just- >> Brian: Yeah, you can't beat it. >> Kid in a candy store. >> Brian: Can't beat it. >> You can't beat it. >> For giant companies like that, giant brands, global, to trust a company of our size it's trust, it's great engineering, it's trust, it's fantastic. >> Idit, talk about the fast trajectory of this company and how you've been able to garner trust with such mass organizations in such a short time period. >> Yes, I think that mainly is just being the best. Honestly, that's the best approach I can say. The team that we build, honestly, and this is a great example of one of them, right? And we're basically getting the best people in the industry. So that's helpful a lot. We are very, very active on the open source community. So basically it building it, anyway, and by doing this they see us everywhere. They see our success. You're starting with a few customers, they're extremely successful and then you're just creating this amazing partnership with them. So we have a very, very unique way we're working with them. >> So hard work, good code. >> Yes. >> Smart people, experience. >> That's all you need. >> It's simple, why doesn't everyone do it? >> It's really easy. (all laughing) >> All good, congratulations. It's been fun to watch you guys grow. Brian, great to see you kicking butt in this great company. I got to ask about the landscape because I love the ServiceMeshCon you guys had on a co-located event on day zero here as part of that program, pretty packed house. >> Brian: Yep. >> A lot of great feedback. This whole ServiceMesh and where it fits in. You got Kubernetes. What's the update? Because everything's kind of coming together- >> Brian: Right. >> It's like jello in the refrigerator it kind of comes together at the same time. Where are we? >> I think the easiest way to think about it is, and it kind of mirrors this event perfectly. So the last four or five years, all about Kubernetes, built Kubernetes. So every one of our customers are the ones who have said, look, for the last two or three years, we've been building Kubernetes, we've had a certain amount of success with it, they're building applications faster, they're deploying and then that success leads to new challenges, right? So we sort of call that first Kubernetes part sort of CloudNative 1.0, this and this show is really CloudNative 2.0. What happens after Kubernetes service mesh? Is that what happens after Kubernetes? And for us, Istio now being part of the CNCF, huge, standardized, people are excited about it. And then we think we are the best at doing Istio from a service mesh perspective. So it's kind of perfect, perfect equation. >> Well, I'll turn it on, listen to your great Cloud cast podcast, plug there for you. You always say what is it and what isn't it? >> Brian: Yeah. >> What is your product and what isn't it? >> Yeah, so our product is, from a purely product perspective it's service mesh and API gateway. We integrate them in a way that nobody else does. So we make it easier to deploy, easier to manage, easier to secure. I mean, those two things ultimately are, if it's an internal API or it's an external API, we secure it, we route it, we can observe it. So if anybody's, you're building modern applications, you need this stuff in order to be able to go to market, deploy at scale all those sort of things. >> Idit, talk about some of your customer conversations. What are the big barriers that they've had, or the challenges, that solo.io comes in and just wipes off the table? >> Yeah, so I think that a lot of them, as Brian described it, very, rarely they had a success with Kubernetes, maybe a few clusters, but then they basically started to on-ramp more application on those clusters. They need more cluster maybe they want multi-class, multi-cloud. And they mainly wanted to enable the team, right? This is why we all here, right? What we wanted to eventually is to take a piece of the infrastructure and delegate it to our customers which is basically the application team. So I think that that's where they started to see the problem because it's one thing to take some open source project and deploy it very little bit but the scale, it's all about the scale. How do you enable all those millions of developers basically working on your platform? How do you scale multi-cloud? What's going on if one of them is down, how do you fill over? So that's exactly the problem that they have >> Lisa: Which is critical for- >> As bad as COVID was as a global thing, it was an amazing enabler for us because so many companies had to say... If you're a retail company, your front door was closed, but you still wanted to do business. So you had to figure out, how do I do mobile? How do I be agile? If you were a company that was dealing with like used cars your number of hits were through the roof because regular cars weren't available. So we have all these examples of companies who literally overnight, COVID was their digital transformation enabler. >> Lisa: Yes. Yes. >> And the scale that they had to deal with, the agility they had to deal with, and we sort of fit perfectly in that. They re-looked at what's our infrastructure look like? What's our security look like? We just happened to be right place in the right time. >> And they had skillset issues- >> Skillsets. >> Yeah. >> And the remote work- >> Right, right. >> Combined with- >> Exactly. >> Modern upgrade gun-to-the-head, almost, kind of mentality. >> And we're really an interesting company. Most of the interactions we do with customers is through Slack, obviously it was remote. We would probably be a great Slack case study in terms of how to do business because our customers engage with us, with engineers all over the world, they look like one team. But we can get them up and running in a POC, in a demo, get them through their things really, really fast. It's almost like going to the public cloud, but at whatever complexity they want. >> John: Nice workflow. >> So a lot of momentum for you guys silver linings during COVID, which is awesome we do hear a lot of those stories of positive things, the acceleration of digital transformation, and how much, as consumers, we've all benefited from that. Do you have one example, Brian, as the VP of product marketing, of a customer that you really think in the last two years just is solo.io's value proposition on a platter? >> I'll give you one that I think everybody can understand. So most people, at least in the United States, you've heard of Chick-fil-A, retail, everybody likes the chicken. 2,600 stores in the US, they all shut down and their business model, it's good food but great personal customer experience. That customer experience went away literally overnight. So they went from barely anybody using the mobile application, and hence APIs in the backend, half their business now goes through that to the point where, A, they shifted their business, they shifted their customer experience, and they physically rebuilt 2,600 stores. They have two drive-throughs now that instead of one, because now they have an entire one dedicated to that mobile experience. So something like that happening overnight, you could never do the ROI for it, but it's changed who they are. >> Lisa: Absolutely transformative. >> So, things like that, that's an example I think everybody can kind of relate to. Stuff like that happened. >> Yeah. >> And I think that's also what's special is, honestly, you're probably using a product every day. You just don't know that, right? When you're swiping your credit card or when you are ordering food, or when you using your phone, honestly the amount of customer they were having, the space, it's like so, every industry- >> John: How many customers do you have? >> I think close to 200 right now. >> Brian: Yeah. >> Yeah. >> How many employees, can you gimme some stats? Funding, employees? What's the latest statistics? >> We recently found a year ago $135 million for a billion dollar valuation. >> Nice. >> So we are a unicorn. I think when you took it we were around like 50 ish people. Right now we probably around 180, and we are growing, we probably be 200 really, really quick. And I think that what's really, really special as I said the interaction that we're doing with our customers, we're basically extending their team. So for each customer is basically a Slack channel. And then there is a lot of people, we are totally global. So we have people in APAC, in Australia, New Zealand, in Singapore we have in AMEA, in UK and in Spain and Paris, and other places, and of course all over US. >> So your use case on how to run a startup, scale up, during the pandemic, complete clean sheet of paper. >> Idit: We had to. >> And what happens, you got Slack channels as your customer service collaboration slash productivity. What else did you guys do differently that you could point to that's, I would call, a modern technique for an entrepreneurial scale? >> So I think that there's a few things that we are doing different. So first of all, in Solo, honestly, there is a few things that differentiated from, in my opinion, most of the companies here. Number one is look, you see this, this is a lot, a lot of new technology and one of the things that the customer is nervous the most is choosing the wrong one because we saw what happened, right? I don't know the orchestration world, right? >> John: So choosing and also integrating multiple things at the same time. >> Idit: Exactly. >> It's hard. >> And this is, I think, where Solo is expeditious coming to place. So I mean we have one team that is dedicated like open source contribution and working with all the open source community and I think we're really good at picking the right product and basically we're usually right, which is great. So if you're looking at Kubernetes, we went there for the beginning. If you're looking at something like service mesh Istio, we were all envoy proxy and out of process. So I think that by choosing these things, and now Cilium is something that we're also focusing on. I think that by using the right technology, first of all you know that it's very expensive to migrate from one to the other if you get it wrong. So I think that's one thing that is always really good at. But then once we actually getting those portal we basically very good at going and leading those community. So we are basically bringing the customers to the community itself. So we are leading this by being in the TOC members, right? The Technical Oversight Committee. And we are leading by actually contributing a lot. So if the customer needs something immediately, we will patch it for him and walk upstream. So that's kind of like the second thing. And the third one is innovation. And that's really important to us. So we pushing the boundaries. Ambient, that we announced a month ago with Google- >> And STO, the book that's out. >> Yes, the Ambient, it's basically a modern STO which is the future of SDL. We worked on it with Google and their NDA and we were listed last month. This is exactly an example of us basically saying we can do it better. We learn from our customers, which is huge. And now we know that we can do better. So this is the third thing, and the last one is the partnership. I mean honestly we are the extension team of the customer. We are there on Slack if they need something. Honestly, there is a reason why our renewal rate is 98.9 and our net extension is 135%. I mean customers are very, very happy. >> You deploy it, you make it right. >> Idit: Exactly, exactly. >> The other thing we did, and again this was during COVID, we didn't want to be a shell-for company. We didn't want to drop stuff off and you didn't know what to do with it. We trained nearly 10,000 people. We have something called Solo Academy, which is free, online workshops, they run all the time, people can come and get hands on training. So we're building an army of people that are those specialists that have that skill set. So we don't have to walk into shops and go like, well okay, I hope six months from now you guys can figure this stuff out. They're like, they've been doing that. >> And if their friends sees their friend, sees their friend. >> The other thing, and I got to figure out as a marketing person how to do this, we have more than a few handfuls of people that they've got promoted, they got promoted, they got promoted. We keep seeing people who deploy our technologies, who, because of this stuff they're doing- >> John: That's a good sign. They're doing it at at scale, >> John: That promoter score. >> They keep getting promoted. >> Yeah, that's amazing. >> That's a powerful sort of side benefit. >> Absolutely, that's a great thing to have for marketing. Last question before we ran out of time. You and I, Idit, were talking before we went live, your sessions here are overflowing. What's your overall sentiment of KubeCon 2022 and what feedback have you gotten from all the customers bursting at the seam to come talk to you guys? >> I think first of all, there was the pre-event which we had and it was a lot of fun. We talked to a lot of customer, most of them is 500, global successful company. So I think that people definitely... I will say that much. We definitely have the market feed, people interested in this. Brian described very well what we see here which is people try to figure out the CloudNative 2.0. So that's number one. The second thing is that there is a consolidation, which I like, I mean STO becoming right now a CNCF project I think it's a huge, huge thing for all the community. I mean, we're talking about all the big tweak cloud, we partner with them. I mean I think this is a big sign of we agree which I think is extremely important in this community. >> Congratulations on all your success. >> Thank you so much. >> And where can customers go to get their hands on this, solo.io? >> Solo.io? Yeah, absolutely. >> Awesome guys, this has been great. Congratulations on the momentum. >> Thank you. >> The rocket ship that you're riding. We know you got to get to the airport we're going to let you go. But we appreciate your insights and your time so much, thank you. >> Thank you so much. >> Thanks guys, we appreciate it. >> A pleasure. >> Thanks. >> For our guests and John Furrier, This is Lisa Martin live in Detroit, had to think about that for a second, at KubeCon 2022 CloudNativeCon. We'll be right back with our final guests of the day and then the show wraps, so stick around. (gentle music)

(upbeat music) >> Hello, welcome everyone to "theCUBE" presentation of the AWS Startup Showcase, this is Season Two, Episode Four of the ongoing series covering exciting startups from the AWS ecosystem. Here to talk about Cyber Security. I'm your host John Furrier here joined by two great "CUBE" alumnus, Liz Rice who's the chief open source officer at Isovalent, and Mark Nunnikhoven who's the distinguished cloud strategist at Lacework. Folks, thanks for joining me today. >> Hi. Pleasure. >> You're in the U.K. Mark, welcome back to the U.S, I know you were overseas as well. Thanks for joining in this panel to talk about set the table for the Cybersecurity Showcase. You guys are experts out in the field. Liz we've had many conversations with the rise of open source, and all the innovations coming from out in the open source community. Mark, we've been going and covering the events, looking at all the announcements we're kind of on this next generation security conversation. It's kind of a do over in progress, happening every time we talk security in the cloud, is what people are are talking about. Amazon Web Services had reinforced, which was more of a positive vibe of, Hey, we're all on it together. Let's participate, share information. And they talk about incidents, not breaches. And then, you got Black Hat just happened, and they're like, everyone's getting hacked. It's really interesting as we report that. So, this is a new market that we're in. People are starting to think differently, but still have to solve the same problems. How do you guys see the security in the cloud era unfolding? >> Well, I guess it's always going to be an arms race. Isn't it? Everything that we do to defend cloud workloads, it becomes a new target for the bad guys, so this is never going to end. We're never going to reach a point where everything is completely safe. But I think there's been a lot of really interesting innovations in the last year or two. There's been a ton of work looking into the security of the supply chain. There's been a ton of new tooling that takes advantage of technology that I'm really involved with and very excited about called eBPF. There's been a continuation of this new generation of tooling that can help us observe when security issues are happening, and also prevent malicious activities. >> And it's on to of open source activity. Mark, scale is a big factor now, it's becoming a competitive advantage on one hand. APIs have made the cloud great. Now, you've got APIs being hacked. So, all the goodness of cloud has been great, but now we've got next level scale, it's hard to keep up with everything. And so, you start to see new ways of doing things. What's your take? >> Yeah, it is. And everything that's old is new again. And so, as you start to see data and business workloads move into new areas, you're going to see a cyber crime and security activity move with them. And I love, Liz calling out eBPF and open source efforts because what we've really seen to contrast that sort of positive and negative attitude, is that as more people come to the security table, as more developers, as more executives are aware, and the accessibility of these great open source tools, we're seeing that shift in approach of like, Hey, we know we need to find a balance, so let's figure out where we can have a nice security outcome and still meet our business needs, as opposed to the more, let's say to be polite, traditional security view that you see at some other events where it's like, it's this way or no way. And so, I love to see that positivity and that collaboration happening. >> You know, Liz, this brings up a good point. We were talking at our Super Cloud Event we had here when we were discussing the future of how cloud's emerging. One of the conversations that Adrian Cockcroft brought up, who's now retired from AWS, former with Netflix. Adrian being open source fan as well. He was pointing out that every CIO or CISO will buy an abstraction layer. They love the dream. And vendors sell the dream, so to speak. But the reality it's not a lot of uptake because it's complex, And there's a lot of non-standard things per vendor. Now, we're in an era where people are looking for some standardization, some clean, safe ways to deploy. So, what's the message to CSOs, and CIOs, and CXOs out there around eBPF, things like that, that are emerging? Because it's almost top down, was the old way, now as bottoms up with open source, you're seeing the shift. I mean, it's complete flipping the script of how companies are buying? >> Yeah. I mean, we've seen with the whole cloud native movement, how people are rather than having like ETF standards, we have more of a defacto collaborative, kind of standardization process going on. So, that things like Kubernetes become the defacto standard that we're all using. And then, that's helping enterprises be able to run their workloads in different clouds, potentially in their own data centers as well. We see things like EKS anywhere, which is allowing people to run their workloads in their data center in exactly the same way as they're running it in AWS. That sort of leveling of the playing field, if you like, can help enterprises apply the same tooling, and that's going to always help with security if you can have a consistent approach wherever you are running your workload. >> Well, Liz's take a minute to explain eBPF. The Berkeley packet filtering technology, people know from Trace Dumps and whatnot. It's kind of been around for a while, but what is it specifically? Can you take a minute to explain eBPF, and what does that mean for the customer? >> Yeah. So, you mentioned the packet filtering acronym. And honestly, these days, I tell people to just forget that, because it means so much more for. What eBPF allows you to do now, is to run custom programs inside the kernel. So, we can use that to change the way that the kernel behaves. And because the kernel has visibility over every process that's running across a machine, a virtual machine or a bare metal machine, having security tooling and observability tooling that's written using eBPF and sitting inside the kernel. It has this great perspective and ability to observe and secure what's happening across that entire machine. This is like a step change in the capabilities really of security tooling. And it means we don't have to rely on things like kernel modules, which traditionally people have been quite worried about with good reason. eBPF is- >> From a vulnerability standpoint, you mean, right? From a reliability. >> From a vulnerability standpoint, but even just from the point of view that kernel modules, if they have bugs in them, a bug in the kernel will bring the machine to a halt. And one of the things that's different with eBPF, is eBPF programs go through a verification process that ensures that they're safe to run that, but happens dynamically and ensures that the program cannot crash, will definitely run to completion. All the memory access is safe. It gives us this very sort of reassuring platform to use for building these kernel-based tools. >> And what's the bottom line for the customer and the benefit to the organization? >> I think the bottom line is this new generation of really powerful tools that are very high performance. That have this perspective across the whole set of workloads on a machine. That don't need to rely on things like a CCAR model, which can add to a lot of complexity that was perfectly rational choice for a lot of security tools and observability tools. But if you can use an abstraction that lives in the kernel, things are much more efficient and much easier to deploy. So, I think that's really what that enterprise is gaining, simpler to deploy, easier to manage, lower overhead set of tools. >> That's the dream they want. That's what they want. Mark, this is whether the trade offs that comes up. We were talking about the supercloud, and all kinds. Even at AWS, you're going to have supercloud, but you got super hackers as well. As innovation happens on one side, the hackers are innovating on the other. And you start to see a lot of advances in the lower level, AWS with their Silicon and strategies are continuing to happen and be stronger, faster, cheaper, better down the lower levels at the network lay. All these things are innovating, but this is where the hackers are going too, right? So, it's a double edge sword? >> Yeah, and it always will be. And that's the challenge of technology, is sort of the advancement for one, is an advancement for all. But I think, while Liz hit the technical aspects of the eBPF spot on, what I'm seeing with enterprises, and in general with the market movement, is all of those technical advantages are increasing the confidence in some of this security tooling. So, the long sort of anecdote or warning in security has always been things like intrusion prevention systems where they will look at network traffic and drop things they think bad. Well, for decades, people have always deployed them in detect-only mode. And that's always a horrible conversation to have with the board saying, "Well, I had this tool in place that could have stopped the attack, but I wasn't really confident that it was stable enough to turn on. So, it just warned me that it had happened after the fact." And with the stability and the performance that we're seeing out of things based on technologies like eBPF, we're seeing that confidence increase. So, people are not only deploying this new level of tooling, but they're confident that it's actually providing the security it promised. And that's giving, not necessarily a leg up, but at least that level of parody with that push forward that we're seeing, similar on the attack side. Because attackers are always advancing as well. And I think that confidence and that reliability on the tooling, can't be underestimated because that's really what's pushing things forward for security outcomes. >> Well, one of the things I want get your both perspective on real quick. And you kind of segue into this next set of conversations, is with DevOps success, Dev and Ops, it's kind of done, right? We're all happy. We're seeing DevOps being so now DevSecOps. So, CSOs were like kind of old school. Buy a bunch of tools, we have a vendor. And with cloud native, Liz, you mentioned this earlier, accelerating the developers are even driving the standards more and more. So, shifting left is a security paradigm. So, tooling, Mark, you're on top of this too, it's tooling versus how do I organize my team? What are the processes? How do I keep the CICD pipeline going, higher velocity? How can I keep my app developers programming faster? And as Adrian Cockcroft said, they don't really care about locking, they want to go faster. It's the ops teams that have to deal with everything. So, and now security teams have to deal with the speed and velocity. So, you're seeing a new kind of step function, ratchet game where ops and security teams who are living DevOps, are still having to serve the devs, and the devs need more help here. So, how do you guys see that dynamic in security? Because this is clearly the shift left's, cloud native trend impacting the companies. 'Cause now it's not just shifting left for developers, it has a ripple effect into the organization and the security posture. >> We see a lot of organizations who now have what they would call a platform team. Which is something similar to maybe what would've been an ops team and a security team, where really their role is to provide that platform that developers can use. So, they can concentrate on the business function that they don't have to really think about the underlying infrastructure. Ideally, they're using whatever common definition for their applications. And then, they just roll it out to a cloud somewhere, and they don't have to think about where that's operating. And then, that platform team may have remit that covers, not just the compute, but also the networking, the common set of tooling that allows people to debug their applications, as well as securing them. >> Mark, this is a big discussion because one, I love the team, process collaboration. But where's the team? We've got a skills gap going on too, right? So, in all this, there's a lot of action happening. What's your take on this dynamic of tooling versus process collaboration for security success? >> Yeah, it's tough. And I think what we're starting to see, and you called it out spot on, is that the developers are all about dynamic change and rapid change, and operations, and security tend to like stability, and considered change in advance. And the business needs that needle to be threaded. And what we're seeing is sort of, with these new technologies, and with the ideas of finally moving past multicloud, into, as you guys call supercloud, which I absolutely love is a term. Let's get the advantage of all these things. What we're seeing, is people have a higher demand for the outputs from their tooling, and to find that balance of the process. I think it's acknowledged now that you're not going to have complete security. We've gotten past that, it's not a yes or no binary thing. It's, let's find that balance in risk. So, if we are deploying tooling, whether that's open source, or commercial, or something we built ourselves, what is the output? And who is best to take action on that output? And sometimes that's going to be the developers, because maybe they can just fix their architecture so that it doesn't have a particular issue. Sometimes that's going to be those platform teams saying like, "Hey, this is what we're going to apply for everybody, so that's a baseline standard." But the good news, is that those discussions are happening. And I think people are realizing that it's not a one size-fits-all. 10 years ago was sort of like, "Hey, we've got a blueprint and everyone does this." That doesn't work. And I think that being out in the open, really helps deliver these better outcomes. And because it isn't simple, it's always going to be an ongoing discussion. 'Cause what we decide today, isn't going to be the same thing in a week from now when we're sprint ahead, and we've made a whole bunch of changes on the platform and in our code. >> I think the cultural change is real. And I think this is hard for security because you got so much current action happening that's really important to the business. That's hard to just kind of do a reset without having any collateral damage. So, you kind of got to mitigate and manage all the current situation, and then try to build a blueprint for the future and transform into a kind of the next level. And it kind of reminds me of, I'm dating myself. But back in the days, you had open source was new. And the common enemy was proprietary, non-innovative old guard, kind of mainframe mini computer kind of proprietary analysis, proprietary everything. Here, there is no enemy. The clouds are doing great, right? They're leaning in open source is at all time high and not stopping, it's it's now standard. So, open is not a rebel. It's not the rebel anymore, it's the standard. So, you have the innovation happening in open source, Liz, and now you have large scale cloud. And this is a cultural shift, right? How people are buying, evaluating product, and implementing solutions. And I when I say new, I mean like new within the decades or a couple decades. And it's not like open source is not been around. But like we're seeing new things emerge that are pretty super cool in the sense that you have projects defining standards, new things are emerging. So, the CIO decision making process on how to structure teams and how to tackle security is changing. Why IT department? I mean, just have a security department and a Dev team. >> I think the fact that we are using so much more open source software is a big part of this cultural shift where there are still a huge ecosystem of vendors involved in security tools and observability tools. And Mark and I both represent vendors in those spaces. But the rise of open source tools, means that you can start with something pretty powerful that you can grow with. As you are experimenting with the security tooling that works for you, you don't have to pay a giant sum to get a sort of black box. You can actually understand the open source elements of the tooling that you are going to use. And then build on that and get the enterprise features when you need those. And I think that cultural change makes it much easier for people to work security in from the get go, and really, do that shift left that we've been talking about for the last few years. >> And I think one of the things to your point, and not only can you figure out what's in the open source code, and then build on top of it, you can also leave it too. You can go to something better, faster. So, the switching costs are a lot lower than a lock in from a vendor, where you do all the big POCs and the pilots. And, Mark, this is changing the game. I mean, I would just be bold enough to say, IT is going to be irrelevant in the sense of, if you got DevOps and it works, and you got security teams, do you really need IT 'cause the DevOps is the IT? So, if everyone goes to the cloud operations, what does IT even mean? >> Yeah, and it's a very valid point. And I think what we're seeing, is where IT is still being successful, especially in large companies, is sort of the economy of scale. If you have enough of the small teams doing the same thing, it makes sense to maybe take one tool and scale it up because you've got 20 teams that are using it. So, instead of having 20 teams run it, you get one team to run it. On the economic side, you can negotiate one contract if it's a purchase tool. There is still a place for it, but I think what we're seeing and in a very positive way, is that smaller works better when it comes to this. Because really what the cloud has done and what open source continues to do, is reduce the barrier to entry. So, a team of 10 people can build something that it took a 1000 people, a decade ago. And that's wonderful. And that opens up all these new possibilities. We can work faster. But we do need to rethink it at reinforce from AWS. They had a great track about how they're approaching it from people side of things with their security champion's idea. And it's exactly about this, is embedding high end security talent in the teams who are building it. So, that changes the central role, and the central people get called in for big things like an incident response, right? Or a massive auditor reviews. But the day-to-day work is being done in context. And I think that's the real key, is they've got the context to make smarter security decisions, just like the developers and the operational work is better done by the people who are actually working on the thing, as opposed to somebody else. Because that centralized thing, it's just communication overhead most of the time. >> Yeah. I love chatting with you guys because here's are so much experts on the field. To put my positive hat on around IT, remember the old argument of, "Oh, automation's, technology's going to kill the bank teller." There's actually more tellers now than ever before. So, the ATM machine didn't kill that. So, I think IT will probably reform from a human resource perspective. And I think this is kind of where the CSO conversation comes full circle, Liz and Mark, because, okay, let's assume that this continues the trajectory to open source, DevOps, cloud scale, hybrid. It's a refactoring of personnel. So, you're going to have DevOps driving everything. So, now the IT team becomes a team. So, most CSOs we talk to are CXOs, is how do I deploy my teams? How do I structure things, my investment in people, and machines and software in a way that I get my return? At the end of the day, that's what they live for, and do it securely. So, this is the CISO's kind of thought process. How do you guys react to that? What's the message to CISOs? 'Cause they have a lot of companies to look at here. And in the marketplace, they got to spend some money, they got to get a return, they got to reconfigure. What's your advice? Liz, what's your take? Then we'll go to Mark. >> That's a really great question. I think cloud skills, cloud engineering skills, cloud security skills have never been more highly valued. And I think investing in training people to understand cloud that there are tons of really great resources out there to help ramp people up on these skills. The CNCF, AWS, there's tons of organizations who have really great courses and exams, and things that people can do to really level up their skills, which is fantastic right from a grassroots level, through to the most widely deployed global enterprise. I think we're seeing a lot of people are very excited, develop these skills. >> Mark, what's your take for the CSO, the CXO out there? They're scratching their head, they're going, "Okay, I need to invest. DevOps is happening. I see the open source, I'm now got to change over. Yeah, I lift and shift some stuff, now I got to refactor my business or I'm dead." What's your advice? >> I think the key is longer term thinking. So, I think where people fell down previously, was, okay, I've got money, I can buy tools, roll 'em out. Every tool you roll out, has not just an economic cost, but a people cost. As Liz said, those people with those skills are in high demand. And so, you want to make sure that you're getting the most value out of your people, but your tooling. So, as you're investing in your people, you will need to roll out tools. But they're not the answer. The answer is the people to get the value out of the tools. So, hold your tools to a higher standard, whether that's commercial, open source, or something from the CSP, to make sure that you're getting actionable insights and value out of them that your people can actually use to move forward. And it's that balance between the two. But I love the fact that we're finally rotating back to focus more on the people. Because really, at the end of the day, that's what's going to make it all work. >> Yeah. The hybrid work, people processes. The key, the supercloud brings up the conversation of where we're starting to see maturation into OPEX models where CapEx is a gift from the clouds. But it's not the end of bilk. Companies are still responsible for their own security. At the end of the day, you can't lean on AWS or Azure. They have infrastructure and software, but at the end of the day, every company has to maintain their own. Certainly, with hybrid and edge coming, it's here. So, this whole concept of IT, CXO, CIO, CSO, CSO, I mean, this is hotter than ever in terms of like real change. What's your reaction to that? >> I was just reading this morning that the cost of ensuring against data breaches is getting dramatically more expensive. So, organizations are going to have to take steps to implement security. You can't just sort of throw money at the problem, you're going to actually have to throw people and technology at the problem, and take security really seriously. There is this whole ecosystem of companies and folks who are really excited about security and here to help. There's a lot of people interested in having that conversation to help those CSOs secure their deployments. >> Mark, your reaction? >> Yeah. I think, anything that causes us to question what we're doing is always a positive thing. And I think everything you brought up really comes down to remembering that no matter what, and no matter where, your data is always your data. And so, you have some level of responsibility, and that just changes depending on what system you're using. And I think that's really shifting, especially in the CSO or the CSO mindset, to go back to the basics where it used to be information security and not just cyber security. So, whether that information and that data is sitting on my desk physically, in a system in our data center, or in the cloud somewhere. Looking holistically, and that's why we could keep coming back to people. That's what it's all about. And when you step back there, you start to realize there's a lot more trade offs. There's a lot more levers that you can work on, to deliver the outcome you want, to find that balance that works for you. 'Cause at the end of the day, security is just all about making sure that whatever you built and the systems you're working with, do what you want them to do, and only what you want them to do. >> Well, Liz and Mark, thank you so much for your expert perspective. You're in the trenches, and really appreciate your time and contributing with "theCUBE," and being part of our Showcase. For the last couple of minutes, let's dig into some of the things you're working on. I know network policies around Kubernetes, Liz, EKS anywhere has been fabulous with Lambda and Serverless, you seeing some cool things go on there. Mark, you're at Lacework, very successful company. And looking at a large scale observability, signaling and management, all kinds of cool things around native cloud services and microservices. Liz, give us an update. What's going on over there at Isovalent? >> Yeah. So, Isovalent is the company behind Cilium Networking Project. Its best known as a Kubernetes networking plugin. But we've seen huge amount of adoption of cilium, it's really skyrocketed since we became an incubating project in the CNCF. And now, we are extending to using eBPF to not just do networking, but incredibly in depth observability and security observability have a new sub project called Tetragon, that gives you this amazing ability to see out of policy behavior. And again, because it's using eBPF, we've got the perspective of everything that's happening across the whole machine. So, I'm really excited about the innovations that are happening here. >> Well, they're lucky to have you. You've been a great contributor to the community. We've been following your career for very, very long time. And thanks for everything that you do, really appreciate it. Thanks. >> Thank you. >> Mark, Lacework, we we've following you guys. What are you up to these days? You know, we see you're on Twitter, you're very prolific. You're also live tweeting all the events, and with us as well. What's going on over there at Lacework? And what's going on in your world? >> Yeah. Lacework, we're still focusing on the customer, helping deliver good outcomes across cloud when it comes to security. Really looking at their environments and helping them understand, from their data that they're generating off their systems, and from the cloud usage as to what's actually happening. And that pairs directly into the work that I'm doing, the community looking at just security as a practice. So, a lot of that pulling people out of the technology, and looking at the process and saying, "Hey, we have this tech for a reason." So, that people understand what they need in place from a skill set, to take advantage of the great work that folks like Liz and the community are doing. 'Cause we've got these great tools, they're outputting all this great insights. You need to be able to take actions on top of that. So, it's always exciting. More people come into security with a security mindset, love it. >> Well, thanks so much for this great conversation. Every board should watch this video, every CSO, CIO, CSO. Great conversation, thanks for unpacking and making something very difficult, clear to understand. Thanks for your time. >> Pleasure. >> Thank you. >> Okay, this is the AWS Startup Showcase, Season Two, Episode Four of the ongoing series covering the exciting startups from the AWS ecosystem. We're talking about cybersecurity, this segment. Every quarter episode, we do a segment around a category and we go deep, we feature some companies, and talk to the best people in the industry to help you understand that. I'm John Furrier your host. Thanks for watching. (upbeat music)

(upbeat music) >> Hello, and welcome back to AWS Startup Showcase, I'm John Furrier, your host. This is the Hero panel, the AWS Heroes. These are folks that have a lot of experience in Open Source, having fun building great projects and commercializing the value and best practices of Open Source innovation. We've got some great guests here. Liz Rice, Chief Open Source Officer, Isovalent. CUBE alumni, great to see you. Brian LeRoux, who is the Co-founder and CTO of begin.com. Erica Windisch who's an Architect for Developer Experience. AWS Hero, also CUBE alumni. Casey Lee, CTO Gaggle. Doing some great stuff in ed tech. Great collection of experts and experienced folks doing some fun stuff, welcome to this conversation this CUBE panel. >> Hi. >> Thanks for having us. >> Hello. >> Let's go down the line. >> I don't normally do this, but since we're remote and we have such great guests, go down the line and talk about why Open Source is important to you guys. What projects are you currently working on? And what's the coolest thing going on there? Liz we'll start with you. >> Okay, so I am very involved in the world of Cloud Native. I'm the chair of the technical oversight committee for the Cloud Native Computing Foundation. So that means I get to see a lot of what's going on across a very broad range of Cloud Native projects. More specifically, Isovalent. I focus on Cilium, which is it's based on a technology called EBPF. That is to me, probably the most exciting technology right now. And then finally, I'm also involved in an organization called OpenUK, which is really pushing for more use of open technologies here in the United Kingdom. So spread around lots of different projects. And I'm in a really fortunate position, I think, to see what's happening with lots of projects and also the commercialization of lots of projects. >> Awesome, Brian what project are you working on? >> Working project these days called Architect. It's a Open Source project built on top of AWSM. It adds a lot of sugar and terseness to the SM experience and just makes it a lot easier to work with and get started. AWS can be a little bit intimidating to people at times. And the Open Source community is stepping up to make some of that bond ramp a little bit easier. And I'm also an Apache member. And so I keep a hairy eyeball on what's going on in that reality all the time. And I've been doing this open-source thing for quite a while, and yeah, I love it. It's a great thing. It's real science. We get to verify each other's work and we get to expand and build on human knowledge. So that's a huge honor to just even be able to do that and I feel stoked to be here so thanks for having me. >> Awesome, yeah, and totally great. Erica, what's your current situation going on here? What's happening? >> Sure, so I am currently working on developer experience of a number of Open Source STKS and CLI components from my current employer. And previously, recently I left New Relic where I was working on integrating with OpenTelemetry, as well as a number of other things. Before that I was a maintainer of Docker and of OpenStack. So I've been in this game for a while as well. And I tend to just put my fingers in a lot of little pies anywhere from DVD players 20 years ago to a lot of this open telemetry and monitoring and various STKs and developer tools is where like Docker and OpenStack and the STKs that I work on now, all very much focusing on developer as the user. >> Yeah, you're always on the wave, Erica great stuff. Casey, what's going on? Do you got some great ed techs happening? What's happening with you? >> Yeah, sure. The primary Open Source project that I'm contributing to right now is ACT. This is a tool I created a couple of years back when GitHub Actions first came out, and my motivation there was I'm just impatient. And that whole commit, push, wait time where you're testing out your pipelines is painful. And so I wanted to build a tool that allowed developers to test out their GitHub Actions workflows locally. And so this tool uses Docker containers to emulate, to get up action environment and gives you fast feedback on those workflows that you're building. Lot of innovation happening at GitHub. And so we're just trying to keep up and continue to replicate those new features functionalities in the local runner. And the biggest challenge I've had with this project is just keeping up with the community. We just passed 20,000 stars, and it'd be it's a normal week to get like 10 PRs. So super excited to announce just yesterday, actually I invited four of the most active contributors to help me with maintaining the project. And so this is like a big deal for me, letting the project go and bringing other people in to help lead it. So, yeah, huge shout out to those folks that have been helping with driving that project. So looking forward to what's next for it. >> Great, we'll make sure the SiliconANGLE riders catch that quote there. Great call out. Let's start, Brian, you made me realize when you mentioned Apache and then you've been watching all the stuff going on, it brings up the question of the evolution of Open Source, and the commercialization trends have been very interesting these days. You're seeing CloudScale really impact also with the growth of code. And Liz, if you remember, the Linux Foundation keeps making projections and they keep blowing past them every year on more and more code and more and more entrance coming in, not just individuals, corporations. So you starting to see Netflix donates something, you got Lyft donate some stuff, becomes a project company forms around it. There's a lot of entrepreneurial activity that's creating this new abstraction layers, new platforms, not just tools. So you start to see a new kickup trajectory with Open Source. You guys want to comment on this because this is going to impact how fast the enterprise will see value here. >> I think a really great example of that is a project called Backstage that's just come out of Spotify. And it's going through the incubation process at the CNCF. And that's why it's front of mind for me right now, 'cause I've been working on the due diligence for that. And the reason why I thought it was interesting in relation to your question is it's spun out of Spotify. It's fully Open Source. They have a ton of different enterprises using it as this developer portal, but they're starting to see some startups emerging offering like a hosted managed version of Backstage or offering services around Backstage or offering commercial plugins into Backstage. And I think it's really fascinating to see those ecosystems building up around a project and different ways that people can. I'm a big believer. You cannot sell the Open Source code, but you can sell other things that create value around Open Source projects. So that's really exciting to see. >> Great point. Anyone else want to weigh in and react to that? Because it's the new model. It's not the old way. I mean, I remember when I was in college, we had the Pirate software. Open Source wasn't around. So you had to deal under the table. Now it's free. But I mean the old way was you had to convince the enterprise, like you've got a hard knit, it builds the community and the community manage the quality of the code. And then you had to build the company to make sure they could support it. Now the companies are actually involved in it, right? And then new startups are forming faster. And the proof points are shorter and highly accelerated for that. I mean, it's a whole new- >> It's a Cambrian explosion, and it's great. It's one of those things that it's challenging for the new developers because they come in and they're like, "Whoa, what is all this stuff that I'm supposed to figure out?" And there's no right answer and there's no wrong answer. There's just tons of it. And I think that there's a desire for us to have one sort of well-known trot and happy path, that audience we're a lot better with a more diverse community, with lots of options, with lots of ways to approach these problems. And I think it's just great. A challenge that we have with all these options and all these Cambrian explosion of projects and all these competing ideas, right now, the sustainability, it's a bit of a tricky question to answer. We know that there's a commercialization aspect that helps us fund these projects, but how we compose the open versus the commercial source is still a bit of a tricky question and a tough one for a lot of folks. >> Erica, would you chime in on that for a second. I want to get your angle on that, this experience and all this code, and I'm a new person, I'm an existing person. Do I get like a blue check mark and verify? I mean, these are questions like, well, how do you navigate? >> Yeah, I think this has been something happening for a while. I mean, back in the early OpenStack days, 2010, for instance, Rackspace Open Sourcing, OpenStack and ANSU Labs and so forth, and then trying, having all these companies forming in creating startups around this. I started at a company called Cloudccaling back in late 2010, and we had some competitors such as Piston and so forth where a lot of the ANSUL Labs people went. But then, the real winners, I think from OpenStack ended up being the enterprises that jumped in. We had Red Hat in particular, as well as HP and IBM jumping in and investing in OpenStack, and really proving out a lot of... not that it was the first time, but this is when we started seeing billions of dollars pouring into Open Source projects and Open Source Foundations, such as the OpenStack Foundation, which proceeded a lot of the things that we now see with the Linux Foundation, which was then created a little bit later. And at the same time, I'm also reflecting a little bit what Brian said because there are projects that don't get funded, that don't get the same attention, but they're also getting used quite significantly. Things like Log4j really bringing this to the spotlight in terms of projects that are used everywhere by everything with significant outsized impacts on the industry that are not getting funded, that aren't flashy enough, that aren't exciting enough because it's just logging, but a vulnerability in it brings every everything and everybody down and has possibly billions of dollars of impact to our industry because nobody wanted to fund this project. >> I think that brings up the commercialization point about maybe bringing a venture capital model in saying, "Hey, that boring little logging thing could be a key ingredient for say solving some observability problems so I think let's put some cash." Again then we'd never seen that before. Now you're starting to see that kind of a real smart investment thesis going into Open Source projects. I mean, Promethease, Crafter, these are projects that turned off companies. This is turning up companies. >> A decade ago, there was no money in Dev tools that I think that's been fully debunked now. They used to be a concept that the venture community believed, but there's just too much evidence to the contrary, the companies like Cash Court, Datadog, the list goes on and on. I think the challenge for the Open Source (indistinct) comes back to foundations and working (indistinct) these developers make this code safe and secure. >> Casey, what's your reaction to all of this? You've got, so a project has gained some traction, got some momentum. There's a lot of mission critical. I won't say white spaces, but the opportunities in the big cloud game happening. And there's a lot of, I won't say too many entrepreneurial, but there's a lot of community action happening that's precommercialization that's getting traction. How does this all develop naturally and then vector in quickly when it hits? >> Yeah, I want to go back to the Log4j topic real quick. I think that it's a great example of an area that we need to do better at. And there was a cool article that Rob Pike wrote describing how to quantify the criticality. I think that's sort of quantifying criticality was the article he wrote on how to use metrics, to determine how valuable, how important a piece of Open Source is to the community. And we really need to highlight that more. We need a way to make it more clear how important this software is, how many people depend on it and how many people are contributing to it. And because right now we all do that. Like if I'm going to evaluate an Open Source software, sure, I'll look at how many stars it has and how many contributors it has. But I got to go through and do all that work myself and come up with. It would be really great if we had an agreed upon method for ranking the criticality of software, but then also the risk, hey, that this is used by a ton of people, but nobody's contributing to it anymore. That's a concern. And that would be great to potential users of that to signal whether or not it makes sense. The Open Source Security Foundation, just getting off the ground, they're doing some work in this space, and I'm really excited to see where they go with that looking at ways to stop score critically. >> Well, this brings up a good point while we've got everyone here, let's take a plug and plug a project you think that's not getting the visibility it needs. Let's go through each of you, point out a project that you think people should be looking at and talking about that might get some free visibility here. Anyone want to highlight projects they think should be focused more on, or that needs a little bit of love? >> I think, I mean, particularly if we're talking about these sort of vulnerability issues, there's a ton of work going on, like in the Secure Software Foundation, other foundations, I think there's work going on in Apache somewhere as well around the bill of material, the software bill of materials, the Secure Software supply chain security, even enumerating your dependencies is not trivial today. So I think there's going to be a ton of people doing really good work on that, as well as the criticality aspect. It's all like that. There's a really great xkcd cartoon with your software project and some really big monolithic lumps. And then, this tiny little piece in a very important point that's maintained by somebody in his bedroom in Montana or something and if you called it out. >> Yeah, you just opened where the next lightening and a bottle comes from. And this is I think the beauty of Open Source is that you get a little collaboration, you get three feet in a cloud of dust going and you get some momentum, and if it's relevant, it rises to the top. I think that's the collective intelligence of Open Source. The question I want to ask that the panel here is when you go into an enterprise, and now that the game is changing with a much more collaborative and involved, what's the story if they say, hey, what's in it for me, how do I manage the Open Source? What's the current best practice? Because there's no doubt I can't ignore it. It's in everything we do. How do I organize around it? How do I build around it to be more efficient and more productive and reduce the risk on vulnerabilities to managing staff, making sure the right teams in place, the right agility and all those things? >> You called it, they got to get skin in the game. They need to be active and involved and donating to a sustainable Open Source project is a great way to start. But if you really want to be active, then you should be committing. You should have a goal for your organization to be contributing back to that project. Maybe not committing code, it could be committing resources into the darks or in the tests, or even tweeting about an Open Source project is contributing to it. And I think a lot of these enterprises could benefit a lot from getting more active with the Open Source Foundations that are out there. >> Liz, you've been actively involved. I know we've talked personally when the CNCF started, which had a great commercial uptake from companies. What do you think the current state-of-the-art kind of equation is has it changed a little bit? Or is it the game still the same? >> Yeah, and in the early days of the CNCF, it was very much dominated by vendors behind the project. And now we're seeing more and more membership from end-user companies, the kind of enterprises that are building their businesses on Cloud Native, but their business is not in itself. That's not there. The infrastructure is not their business. And I think seeing those companies, putting money in, putting time in, as Brian says contributing resources quite often, there's enough money, but finding the talent to do the work and finding people who are prepared to actually chop the wood and carry the water, >> Exactly. >> that it's hard. >> And if enterprises can find peoples to spend time on Open Source projects, help with those chores, it's hugely valuable. And it's one of those the rising tide floats all the boats. We can raise security, we can reduce the amount of dependency on maintain projects collectively. >> I think the business models there, I think one of the things I'll react to and then get your guys' comments is remember which CubeCon it was, it was one of the early ones. And I remember seeing Apple having a booth, but nobody was manning. It was just an Apple booth. They weren't doing anything, but they were recruiting. And I think you saw the transition of a business model where the worry about a big vendor taking over a project and having undue influence over it goes away because I think this idea of participation is also talent, but also committing that talent back into the communities as a model, as a business model, like, okay, hire some great people, but listen, don't screw up the Open Source piece of it 'cause that's a critical. >> Also hire a channel, right? They can use those contributions to source that talent and build the reputation in the communities that they depend on. And so there's really a lot of benefit to the larger organizations that can do this. They'll have a huge pipeline of really qualified engineers right out the gate without having to resort to cheesy whiteboard interviews, which is pretty great. >> Yeah, I agree with a lot of this. One of my concerns is that a lot of these corporations tend to focus very narrowly on certain projects, which they feel that they depend greatly, they'll invest in OpenStack, they'll invest in Docker, they'll invest in some of the CNCF projects. And then these other projects get ignored. Something that I've been a proponent of for a little bit for a while is observability of your dependencies. And I don't think there's quite enough projects and solutions to this. And it sounds maybe from lists, there are some projects that I don't know about, but I also know that there's some startups like Snyk and so forth that help with a little bit of this problem, but I think we need more focus on some of these edges. And I think companies need to do better, both in providing, having some sort of solution for observability of the dependencies, as well as understanding those dependencies and managing them. I've seen companies for instance, depending on software that they actively don't want to use based on a certain criteria that they already set projects, like they'll set a requirement that any project that they use has a code of conduct, but they'll then use projects that don't have codes of conduct. And if they don't have a code of conduct, then employees are prohibited from working on those projects. So you've locked yourself into a place where you're depending on software that you have instructed, your employees are not allowed to contribute to, for certain legal and other reasons. So you need to draw a line in the sand and then recognize that those projects are ones that you don't want to consume, and then not use them, and have observability around these things. >> That's a great point. I think we have 10 minutes left. I want to just shift to a topic that I think is relevant. And that is as Open Source software, software, people develop software, you see under the hood kind of software, SREs developing very quickly in the CloudScale, but also you've got your classic software developers who were writing code. So you have supply chain, software supply chain challenges. You mentioned developer experience around how to code. You have now automation in place. So you've got the development of all these things that are happening. Like I just want to write software. Some people want to get and do infrastructure as code so DevSecOps is here. So how does that look like going forward? How has the future of Open Source going to make the developers just want to code quickly? And the folks who want to tweak the infrastructure a bit more efficient, any views on that? >> At Gaggle, we're using AWS' CDK, exclusively for our infrastructure as code. And it's a great transition for developers instead of writing Yammel or Jason, or even HCL for their infrastructure code, now they're writing code in the language that they're used to Python or JavaScript, and what that's providing is an easier transition for developers into that Infrastructure as code at Gaggle here, but it's also providing an opportunity to provide reusable constructs that some Devs can build on. So if we've got a very opinionated way to deploy a serverless app in a database and do auto-scaling behind and all stuff, we can present that to a developer as a library, and they can just consume it as it is. Maybe that's as deep as they want to go and they're happy with that. But then they want to go deeper into it, they can either use some of the lower level constructs or create PRs to the platform team to have those constructs changed to fit their needs. So it provides a nice on-ramp developers to use the tools and languages they're used to, and then also go deeper as they need. >> That's awesome. Does that mean they're not full stack developers anymore that they're half stack developers they're taking care of for them? >> I don't know either. >> We'll in. >> No, only kidding. Anyway, any other reactions to this whole? I just want to code, make it easy for me, and some people want to get down and dirty under the hood. >> So I think that for me, Docker was always a key part of this. I don't know when DevSecOps was coined exactly, but I was talking with people about it back in 2012. And when I joined Docker, it was a part of that vision for me, was that Docker was applying these security principles by default for your application. It wasn't, I mean, yes, everybody adopted because of the portability and the acceleration of development, but it was for me, the fact that it was limiting what you could do from a security angle by default, and then giving you these tuna balls that you can control it further. You asked about a project that may not get enough recognition is something called DockerSlim, which is designed to optimize your containers and will make them smaller, but it also constraints the security footprint, and we'll remove capabilities from the container. It will help you build security profiles for app armor and the Red Hat one. SELinux. >> SELinux. >> Yeah, and this is something that I think a lot of developers, it's kind of outside of the realm of things that they're really thinking about. So the more that we can automate those processes and make it easier out of the box for users or for... when I say users, I mean, developers, so that it's straightforward and automatic and also giving them the capability of refining it and tuning it as needed, or simply choosing platforms like serverless offerings, which have these security constraints built in out of the box and sometimes maybe less tuneable, but very strong by default. And I think that's a good place for us to be is where we just enforced these things and make you do things in a secure way. >> Yeah, I'm a huge fan of Kubernetes, but it's not the right hammer for every nail. And there are absolutely tons of applications that are better served by something like Lambda where a lot more of that security surface is taken care of for the developer. And I think we will see better tooling around security profiling and making it easier to shrink wrap your applications that there are plenty of products out there that can help you with this in a cloud native environment. But I think for the smaller developer let's say, or an earlier stage company, yeah, it needs to be so much more straightforward. Really does. >> Really an interesting time, 10 years ago, when I was working at Adobe, we used to requisition all these analysts to tell us how many developers there were for the market. And we thought there was about 20 million developers. If GitHub's to be believed, we think there is now around 80 million developers. So both these groups are probably wrong in their numbers, but the takeaway here for me is that we've got a lot of new developers and a lot of these new developers are really struck by a paradox of choice. And they're typically starting on the front end. And so there's a lot of movement in the stack moved towards the front end. We saw that at re:Invent when Amazon was really pushing Amplify 'cause they're seeing this too. It's interesting because this is where folks start. And so a lot of the obstructions are moving in that direction, but maybe not always necessarily totally appropriate. And so finding the right balance for folks is still a work in progress. Like Lambda is a great example. It lets me focus totally on just business logic. I don't have to think about infrastructure pretty much at all. And if I'm newer to the industry, that makes a lot of sense to me. As use cases expand, all of a sudden, reality intervenes, and it might not be appropriate for everything. And so figuring out what those edges are, is still the challenge, I think. >> All right, thank you very much for coming on the CUBE here panel. AWS Heroes, thanks everyone for coming. I really appreciate it, thank you. >> Thank you. >> Thank you. >> Okay. >> Thanks for having me. >> Okay, that's a wrap here back to the program and the awesome startups. Thanks for watching. (upbeat music)