Curtis Yanko, Sonatype | DevNetCreate 2018
>> Announcer: Live from the Computer History Museum in Mountain View, California, it's theCUBE. Covering DevNet Create 2018. Brought to you by Cisco.

>> Hi, my name is Lauren Cooney and welcome back to theCUBE. Today we're actually down in Mountain View at DevNet Connect where we're talking to folks about Cloud, DevOps, things along those lines and really what developers are looking for in today's environment. Today I'm here with Curt. And we're going to talk a little bit about what Curt is doing and why he's here and what's going on in your world?

>> Thanks Lauren. I'm excited to be here. This is, being at a DevNet Create, where IOT is sort of a major backdrop is a change of pace for us and something that we're very excited about to get involved in.

>> Great, so what, you're here for IOT, what're you really looking at within IOT? What is interesting to you?

>> Well, so I work with Sonatype and our, sort of, passion and what we bring to the world of IT in general, is software supply chain. We saw a gap in virtually unlimited supply of open source components that are being used to develop modern solutions and we've been helping our enterprise customers solve this problem for a while and it now occurs to us that it's just going to explode and get much bigger with IOT.

>> Lauren: And all the types of devices.

>> And it's all the same problems and it's the same sorts of things that we need to think about as a traditional IT, if you will. Traditional applications.

>> Great. So what's an example of a customer that you would help with regards to your solution and with IOT?

>> So, it would be generally a large enterprise that's looking to put some governance around what's flowing into their organization in terms of these free components: libraries, utilities, that are being packaged together and delivered. In the world of IOT, what's interesting is we also need to be very careful about what we put in there for possible exploits.
And we need to be thinking about how are we going to keep them patched and updated, right?

>> Lauren: Mhm.

>> We have a saying at Sonatype that software ages like milk and not like wine. So it's generally just a matter of time before components start to show their age and suffer from known exploit patterns. And so we're going to need to get in front of that problem and make sure we're thinking about it as we start to develop, you know, the millions and billions of devices that are going to start to proliferate throughout our lives.

>> Exactly and so how do you decide, kind of, what open source you support or what devices you support inside of that supply chain?

>> Yeah, so we're focused on it. So we're looking at just the open source, right? So, it's not the proprietary stuff. It's not the commercial stuff. So we're watching like the 60 million GitHub repositories and we're watching a million events a day trigger. And we're just looking through the forums and through the commit logs and a variety of others, you know, like a thousand plus other sources. And correlating all that data into something that's very specific and actionable, so that our customers can ultimately make an informed decision about what they're using, right? So half of the battle of managing risk is simply being aware --

>> Oh definitely.

>> of what you got. The goal is not necessarily to be perfectly clean but to have really good awareness of where your weaknesses are so that you can sort of prepare or brace yourself against it or put up other mitigating controls.

>> Great and so do you guys provide a dashboard, for example for a compliance team inside of a company?

>> What we provide is a fully automated solution that embeds throughout your software delivery life cycle. It's designed for the modern world. It's designed to be very precise so you can automate against it and that's where traditional tools fall down.
They were, sort of, built for a waterfall era, where people could take days to go through an approval process. We feel it needs to be done in a matter of minutes, so it fits in a modern pipeline. So yeah we provide that intelligence feed and then we're tied into your build and delivery process and then it does surface. It can break the pipeline and surfaces as a dashboard report where you can drill into the details and then figure out what you got to do to move forward.

>> Great, and that tracks licenses and things along those lines as well?

>> Yeah, licenses is sort of the original concern of open source.

>> Mhm, it is.

>> It's been overshadowed by more recent security concerns but licensing is a very important part too if you want to protect your IP, you need to be careful about what you're putting in these devices.

>> Oh by far. Now, I was looking at your LinkedIn a little bit earlier and you have a lot of experience with DevOps and actually driving DevOps environments, tooling, things along those lines. Tell us about that.

>> Yeah, so I started getting involved in DevOps sort of, when it was very first a word, if you will. I literally rebranded my team, the DevOps team and it was meant to provoke conversations. It was fairly effective at that. But I did develop a high trust team. I actually was able to implement the cultural part of that within my team. I couldn't change the whole Fortune 100 insurance company but we could demonstrate the art of the possible. It was an awesome ride. I was also inviting security to the table long before DevSecOps came on the scene, because I intuitively understand it was holistic and we needed to get everybody involved. So yeah, I'd like to think I was a little bit ahead of the curve there and had an opportunity to do some great work with some great people that continues to serve me well to this day as we as an industry mature into it.

>> Yeah, I think it's really interesting.
I remember going into a large customer and we were talking about, kind of, a solution for this customer. And at one end of the table was the infrastructure developers. The other end of the table was the app developers and in the middle sat the tooling guys. Right, and so it was always interesting to see how they kind of flock to their different sides and when they started working together, how, you know, a couple people would sit together and they morphed a bit. And I think that's really interesting in terms of the culture element.

>> Yeah, I mean that's essentially what my team was. We were that tooling team. But we acted as the team that was bridging those relationships and bringing those teams together. The middleware team in particular, along with our development team. Ops was a little bit further down the line. But also getting security and audit involved. Stuff like that. So yeah, it was an interesting role. And it's just neat to see that we're maturing as an industry and this is starting to become very real and the tooling now exists to make this stuff very doable, unlike five years ago. You know, there just wasn't quite the tooling there. Conceptually we knew what we wanted to do, but until the tooling shows up, it's hard to really automate it and do it the way you want.

>> So, what kind of tooling is exciting you right now? What are you seeing out there, just, you know?

>> So what excites me is, in addition to our own product, which is in a family of products that I would say is automated inspection. Right, and so gone are the days of late life cycle, you know, heavy lift, manual inspections and here today, now we have an ability to inspect continuously, early in the process, you know, in that CI pipeline where things are happening ten times a day. We can get that feedback to those delivery teams when it's most timely. And then so you combine that with containerization, at least in the regular application space, which gives us a converged supply chain.
So now my OS, my midware, everything is flowing through that pipeline, as opposed to when I was doing it. I was taking the application and ultimately deploying it to a statically provisioned environment. No two of which of those environments ever look quite the same. Now with containers, that problem, sort of, goes away and we have all this inspection tooling that helps us build quality in and not try to inspect it in later.

>> Exactly and just, one of the things I'm looking at when I look at supply chain, the question comes to mind around Blockchain. And are you looking at Blockchain as something you might integrate into your solutions at some point in time?

>> I'm personally not looking at it yet but it's hard to imagine that I won't be looking at it soon, because I can't read three articles, and one of them not be about Blockchain these days. It seems to hold a lot of promise in terms of provenance and you know, basically, chain of custody type things, which are also important to this whole supply chain issue. So yeah I think it has a future. I think I've got a few things on my plate I need to get off first and then I'll have to start looking at Blockchain.

>> That's great. Now, is there anything that was really wowing you from the show? I mean we've got, there's Meraki here, they're giving away something like 1.2 million dollars of equipment. You know, were you surprised to see anything or really, you know, outside of just IOT, what're you really seeing pop?

>> Yeah, like I said, this is a bit of a new venue for me. I've been attending DevOps days and DevOps Enterprise Summit and local meetups and I've been really narrowly focused in that space in this last year. So now I'm getting more into the cloud and this is my first IOT based event. It's great to see Cisco in their second year, having such a successful event. It's really grown a lot. It's in a terrific venue.
But in terms of wowing me, I think it's just access for me personally to the folks in the IOT communities, so that I can start to wrap my head around it and share our story with them, which I think has raised some eyebrows and got some interest to think about supply chain issues in that context.

>> Well I think it's absolutely necessary that you actually enable the software across the enterprise. I know that my experience in many enterprise organizations would've been a lot easier if I had had your software and the ability to do that.

>> Curtis: Yeah.

>> You know, I think that's great. So, you know, one of my other questions is are you partnering with DevNet? Is there a relationship there or is this just educational for you?

>> No we definitely, we have a relationship with Cisco and we like to support events like this. It helps us get out. It helps us build these types of relationships. Yeah, I mean, I think this is an emerging relationship between Cisco and Sonatype and obviously IOT has such a big future. There's a lot of potential there for both parties I think.

>> That's awesome. Well thank you so much for being here. Thank you so much for sharing everything that you did. And we will be right back from Cisco DevNet.