John Amaral, Slim.AI | DockerCon 2022
>>Hello and welcome to theCUBE's DockerCon coverage. I'm John Furrier, host of theCUBE. We've got a great segment here with Slim.AI CEO John Amaral. Stealth mode, SaaS company. Startup in the DevOps space with tools today and open source around supply chain security with containers, closed beta with developers. John, thanks for coming on. Congratulations for being platinum sponsor here at DockerCon. Thanks for coming on theCUBE.
>>Thanks so much. My pleasure.
>>You know, container analysis, management, optimisation. You know, that's super important. But security is at the centre of all the action we're seeing with containers. We've been talking shift left on a lot of CUBE conversations. What that means? Is it an outcome? Is that the product software supply chain? You seek them? A secure where malware. All these things are part of now the new normal in cloud native. You guys at the centre of this, the surface areas change. All these things are important. Take a minute to explain what you guys are doing as a, as a tools and open source. Some of the things you're doing, I know you got a stealth mode product you probably can't talk about. But you've got a closed beta. Can you give us a little bit of a teaser? What's Slim.AI about?
>>Sure. So Slim.AI is about helping developers build secure containers fast, and that really plays to a few trends in the marketplace that are really apparent and important right now in a federal mandate and a bunch of really highly publicised breaches that have all been caused by software supply chain risks and security, and software supply chain security has become a really top of mind concept for people who secure things and people who develop software and run SaaS. So Slim.AI has built a bunch of capabilities and tools that allow software developers at their desks to better understand and build secure containers that really reduce software supply chain risk as you think about containers being run in production.
And we do three things to help developers. One is we help them know everything about their software. It's kind of a core concept of software supply chain security: just know what software is in your containers. Two, another core concept is only ship to production what you need to run. That's all about risk surface and the ability for you to easily make a container small that has as much a software reduction in it as possible. And three is remove as many vulnerabilities as possible. The Slim toolset, both our open source and our SaaS data platform, make that easy for developers to do.
>>So basically, you have a nice, clean, secure environment. Know what's in there. Don't only put in production was needed and make sure it's tight and it's trimmed down perfectly. So you're kind of teasing out this concept of slimming, which is in the name of the company. But it really is about surface area of attack around containers and super important as it becomes more and more prominent in the environment these days. What is container slimming and why is it important for supply chain security?
>>Sure. So in the realm of software supply chain security best practises, right, there are three core concepts. One is the idea of an SBOM, that you should know the inventory of all the software that runs in your world. Two is security posture, signing containers, making sure that the authenticity of the software that you use in production is well understood. And the third is, well, managing exactly what software you ship. The first two things I said are simply just inventory and basics about knowing what software you have. But no one answers the question: what software do I need? So I run a container and say it's a gig and it's got all these packages in it. It comes from the operating system, from Node, etcetera. It's got all this stuff in it. I know the parts that I write my code to. But all that other stuff, what is it? Why is it there? What's the risk in it?
That slimming part is all about managing the list of things you actually ship to the absolute minimum and with confidence that you know that that code will actually work when it gets to production but be as small as possible. That's what slimming is all about, and it really reduces supply chain risk by lowering the attack surface in your container, but also trimming your supply chain to only the minimum pieces you need, which really causes a lot of improvements in the operational overhead of having software supply chain security.
>>It's interesting as you get more, more volume and velocity around containers, uh, and automation kicks in. Sometimes things are turning on and off you don't even know. And shift left has been a great trend for getting in the CI/CD pipeline for developer productivity. Really cool. What are some of the consequences that's going on with this? Because then you start to get into some of these areas like some stuff happens that the developers have to come shift back and can take care of stuff. So, you know, CTOs and CSOs are really worried about this container dynamic. What's the, what's the new thing that's causing the problems here? What's the issue around the management that CDOs and CDOs care about?
>>Sure. And I'll talk about the shift left implications as well for that exact point. So as you start to worry about software supply chain security and get a handle on all the software you ship to prod, well, part of that is knowledge is power. But it's also, um, risk and work. As soon as I know about problems with my containers or the risk surface, I've got to do something about it. So we're really getting into the age where everyone has to know about the software they ship. As soon as you know about that, say there's a vulnerability or a package that's a little risky or some surface area you don't really understand. The only place that can be evaded is by going back to the developers and asking them: what is that? How do I remove it?
Please do that work. So the software supply chain security knowledge turns into developer security work. Now the problem is that historically, the knowledge was imperfect, and the developer, you know, involvement in that was, I'd say, ad hoc, meaning that developers had best practises that did the best they could. But the scrutiny we have now on minimising this kind of risk is really high. The beautiful part about containers is they're portable, and it's an easily transferrable piece of software. So you have a lot of producers and a lot of consumers of containers. Consumers of containers that care about supply chain risk are now starting to push back on producers, saying: take those vulnerabilities out, remove those packages, make this thing more secure, lower the risk profile. This works its way all the way back to the developers, who don't really have the tools, capabilities and automations to do the work I just described easily, and that's an opportunity that Slim is really addressing, making it easy for developers to remove risk.
>>And that's really the consequences of shifting left without having the slimming. Because what you're saying is you shift left and that's kind of annulled out because you've got to go back and fix it. The work comes,
>>That's right. And yeah, and it's not an easy task for a developer to understand the code that they didn't intentionally put in the container. It's like, okay, there's a package in that operating system. What does it do? I don't know. Do I even use it? I don't know. So there's like tonnes of analytic and I would say even optimisation questions and work to be done, but they're just not equipped to, because the tooling for that is really immature. Slim's on a mission to make that really easy for them and do it automatically so they don't have to think about it. We just automatically remove stuff you don't use and voila! You've got this like perfectly pre-optimised capability.
>>You know, this software supply chain is huge, and I remember when open source started, when I remember when I was breaking into the business. Now it's such a height in such an escalation of new developers. This, it's a real issue that that's going to be resolved. It has to be, because supply chain is part of open source, right? As more code comes in, you got to verify. You gotta make sure it's, it's slimming where it needs to be slim and optimised where it needs to be optimised. Huge trend. Um, and so I just love this area. I think it's really innovative and needed. So congratulations on that. You know, have one more question for you before we get into to close out. Um, you guys are part of the Docker Extensions launch and your partner. Why is this important to participate in this programme and, and what do you guys hope to, hope it does for Slim.AI?
>>First of all, Docker's the ubiquitous platform. Their Hub has millions and millions of containers. We've got millions and millions of developers using Docker Desktop to actually build and work on containers. It's like literally the sandbox for all local work for building containers. It's a fair statement. So inclusion in DockerCon and the relationship we're building with Docker is really important for developers and that we're bringing these capabilities to the place where developers work and live every day. It's where all the containers live in the world. So we want to have our technology be easy to use with Docker tools. We want to keep developers' workflows and systems and, and tools of record be the same. We just want to help them use those tools better and optimise outputs from that. We've worked since our inception to make our tools really, really friendly for Docker and Docker environments too. Um, we are building a Docker extension. Uh, they have, uh, in this DockerCon, they're launching their Docker Extensions programme to the worldwide audience.
We have been one of the lucky companies that's been selected to build one of the early Docker Desktop plugins. It's derived from our capabilities in our SaaS platform and in open source, and it's, it's effectively an MRI machine, an awesome analytic tool that allows any developer to really understand the composition, security and profile of any container they work with. So it's giving the sight to the blind, so to speak, that it's this new tool to make container analysis easy.
>>Well, John, you guys got a great opportunity. Container analysis, management, optimisation key to security, enabling it and maintaining and sustaining it. And it's changing. I know you guys, your co-founder also did DockerSlim. So you guys are deep in the open source. Congratulations on that. We'll see you at KubeCon. For the remaining time we have, give a plug for the company. Obviously in stealth mode, price going to come out later this year. You got a developer preview? What's, what's the company all about? What's the most important story here at DockerCon?
>>Sure, just to play back. So we help developers do three important things. Know everything about the software in their containers; two, only ship stuff to production that you need; and, and three, remove as many vulnerabilities as possible. That's really about managing and understanding the risk surface. It ties right back to software supply chain security, and any developer can use these tools today to emit and build containers that are more secure and better production grade containers, and it's easy to do. We have an open source project called DockerSlim. Go check it out. Uh, it's not. It's on GitHub. It's easy to find. If you go to www.slim.ai you can find access to that. We have tens of thousands of developers, 500,000 plus downloads. We have developers everywhere using those tools today in open source to do the objectives
I just said. You can also easily sign up for our data, for our SaaS platform. You can use the Docker extension. Go ahead and do that and really get on your journey to make those outcomes reality for you. And really kind of make those SecOps people downstream not have to shift anything left. It's super easy for you to be a great participant in software supply chain security.
>>All right. John Amaral, CEO, Slim.AI, stealth mode. Thanks for coming on theCUBE. CUBE coverage of DockerCon. Thanks for watching. I'm John Furrier, host of theCUBE. Back to more DockerCon after the short break.
DockerCon 2022 | Sudhindra Rao
>>And welcome to the DockerCon CUBE coverage here on the main stage. Sudhindra Rao, development manager at JFrog. Welcome to theCUBE. You guys have been on many times, uh, with JFrog on theCUBE. Great product, you guys are doing great. Congratulations on all the success. Thanks for coming on theCUBE.
>>Thank you. Thank you for having me.
>>So I'm really interested in talking about the supply chain, uh, package management, supply chain, and software workflow, huge discussion. This is one of the hottest issues that's being solved on by, with, with in DevOps and DevSecOps in, in the planet. It's all over the, all over the news, a real challenge, open source, growing so fast and so successful with cloud scale and with automation. As you guys know, you gotta ha, you gotta know what's trusted, so you gotta build trust into the, the product itself. So developers don't have to do all the rework. Everyone kind of knows this right now, and this is a key solve problem you guys are solving. So I gotta ask you, what is the package management issue? Why is it such an important topic when you're talking about security?
>>Yeah. Uh, so if you look at, uh, look at how software is built today, about 80 to 90% of that is open source. And currently the way we, the way we pull those open source libraries, we just, we just have blind trust in, in repositories that are central, and we rely on whatever mechanism they have built to, to establish that trust, uh, with the developer who is building it. And from, from our experience, uh, we have learned that that is not sufficient, uh, that is not sufficient to tell us that that particular developer built that end product and, uh, whatever code that they build is actually coming out in the end product. So we need, we need something to bridge that gap. We need, we need a trustworthy mechanism there to bridge that gap. And there are, there are a few other, uh, elements to it.
>>Um, all these central repositories are prone to, uh, single point of failures. And, you know, in, we have all experienced what happens when one of those goes down and how it stops production and how it, how it stops just software, uh, development, right? And we, what we are working on is how do we build a system where we, we can actually have, uh, liquid software as a reality and just continue to build software, regardless of all these systems of being live all the time, uh, and also have a, an implicit, uh, way of mechanism to trust, uh, what is coming out of those systems?
>>You know, we've talked with you guys in the past about the building blocks of software and what flows through the pipelines. All that stuff's part of what is automated these days and, and, and important. And what I gotta ask you, because security these days is like, don't trust anything, you know, um, here it's, you're, you're trusting software to be in essence verified. I'm simplifying, obviously. So I gotta ask you what is being done to solve this problem, because states change, you know, you got data, you got software injections, and you got, we got containers and Kubernetes right here, helping. All this is on the table now, but what is currently being done to solve the problem? Cause it's really hard.
>>Yeah, it is. It is a really hard problem. And currently, right, when we develop software, we have a team, uh, which, which we work with and we trust whatever is coming out of the team. And we have, we have a, um, what do you call certified, uh, pro production mechanism to build that software and actually release it to our customers. And when it is done in house, it is easy because we are, we control all the pieces. Now what happens when, when we are doing this with open source, we don't have that chain. We need that chain, which is independent. We just independent of where the software was, you know, produced versus where it is going to be used.
We need a way to have provenance of how it was built, which parts actually went in, uh, making, uh, making the end product. Uh, and, and what are the things that we see are, are, are, uh, continuing, uh, uh, continuing evidences that this software can be used. So if there is a vulnerability that is discovered now, that is discovered, and it is released in some database, and we need to do corrective action to say that this vulnerability associated with this version, and there is no, there's no automated mechanism. So we are working on an automated mechanism where, where you can run a command, which will tell you what has happened with this piece of, uh, software, this version of it, and whether it is production worthy or not.
>>It's a great goal, I gotta say, but I'll tell you, I can guarantee there's gonna be a ton of skeptics on this. Security people: oh, no, I don't, I doubt it, there's always a back door. Um, what's the relationship with Docker? How do you guys see this evolving? Obviously it's a super important mission. Um, it's not a trend that's gonna go away. Supply chain software is here to stay. Um, it's not gonna go away. And we saw this in hardware and everyone kind of knows kind of what happens when you see these vulnerabilities. Um, you gotta have trusted software, right? This is gonna be continuing. What's the relationship with DockerCon? What are you guys doing with Docker and here at DockerCon?
>>So we, when we actually started working on this project, uh, both Docker and, uh, JFrog had, had similar ideas in mind of how, how do we make this, uh, this trust mechanism available to anyone, uh, who wants it, whether they're, whether they're in interacting with Docker Hub or, or regardless of that, right. And how do we actually make it a mechanism, uh, that just, uh, uh, that just provides this kind of, uh, this kind of trust, uh, without, without the developer having to do something.
Uh, so what we worked with, uh, with Docker is actually integrating, um, integrating our solution so that anywhere there, uh, there is, uh, Docker being used currently, uh, people don't have to change those, uh, those behaviors or change those code, uh, those code lines, uh, right. Uh, because changing hand, uh, changing this a single line of code in hundreds of systems, hundreds of CI systems is gonna be really hard. Uh, and we wanted to build a seamless integration between Docker and the solution that we are building, uh, so that, so that you can continue to do docker pull and docker push and, but get, uh, get all the benefits of the supply chain security solution that we have.
>>Okay. So let's step back for a minute and let's discuss about the pro, what is the project and where's the commercial JFrog Docker intersect. Take that, break that apart, just step out the project for us. What's the intended goals? What is the project? Where is it? How do people get involved and how does that intersect with the commercial interest of JFrog and Docker?
>>Yeah. Yeah. My favorite topic to talk about. So the, the project is called Pyrsia. Uh, Pyrsia is, uh, is an open source project. It is, it is an effort that started with JFrog and, and Docker, but by no means limited to just JFrog and Docker contributing. We already have five companies contributing. Uh, we are actually building a working product, uh, which we'll demo during, uh, during our, uh, our talk. And there is more to come, there's more to come. It is being built iteratively, and, and the solution is basically to provide a decentralized mechanism, uh, similar to, similar to how, how you, uh, do things with Git, so that you have, you have the, uh, the packages that you are using available at your nearest peer. Uh, there is also going to be a multi-node build verification mechanism, uh, and all of the information about the packages that you're going to use will be available on a provenance log.
>>So you can always query that and find out what is the latest state of affairs, what ES were discovered and make, make quick decisions. And you don't have to react after the fact, after it has been in the news for a while. Uh, so you can react to your customer's needs, um, uh, as quick as they happen. And we feel that the, our emphasis on open source is key here because, uh, given our experience, you know, 80 to 90% of software that is packaged contains open source, and there is no way currently, which we, uh, or no engineering mechanisms currently that give us that, uh, that confidence that we, whatever we are building and whatever we are, dependencies we are pulling is actually worthwhile putting it into production.
>>I mean, you really, it's a great service. I mean, you think about like all that's coming out, open source, open source become very social, too. People are starting projects just to code and get, get in the, in the community and hang out, uh, and just get in the fray and just do stuff. And then you see venture capitals coming in funding those projects. It's a new economic system as well, not just code, so I can see this pipeline beautifully up for scale. How do people get involved with this project? Cause again, my, my questions all gonna be around integration, how frictionless it is. That's gonna be the challenge. You mentioned that, so I can see people getting involved. What's, what's, how do people join? What do they do? What can they do here at DockerCon?
>>Yeah. Uh, so we have a website, Pyrsia, pyrsia.io, and you'll find all kinds of information there. Uh, we have a Git presence. Uh, we have community meetings that are open to public. We are all, we are all doing this under the, uh, under the umbrella of Linux Foundation. We had a bootstrap project within Linux Foundation. Uh, so people who have interest in, in all these areas can come in, just, just attend those meetings, uh, add, uh, you know, add comments or just attend our stand up.
So we are running it like a, like an agile from, uh, process. We are doing stand up, we are doing retrospectives and we are, we are doing planning and, and we are, we are iteratively building this. So what you'll see at DockerCon is, is just a, a little bit of a teaser of what we have built so far and what you, what you can expect to, uh, see in, in future such events.
>>So thanks for coming on theCUBE. We've got 30 seconds left, put a quick plug in for the swampUP, coming up.
>>Yeah. Uh, so we, we will talk a lot more about Pyrsia and our open source efforts and how we would like you all to collaborate. We'll be at swampUP, uh, in San Diego on May 26th, uh, May 24th to 26th. Uh, so hope to see you there, hope to discuss more about Pyrsia and, and see what he will do with, uh, with this project. Thank you.
>>All right. Thanks for coming on. Back to the main stage. I'm John cube. Thanks for watching.
>>Thank you.
DockerCon 2022 | Mic McCully
>>Okay, welcome back to DockerCon main stage. This is theCUBE coverage of DockerCon 2022. I'm John Furrier, host of theCUBE. We're here with a special segment with Snyk. We've been partnering with Docker going back to the early days, Nate cloud native container vulnerability scanning within Docker Desktop in 2020. We've got Mic McCully, field strategist at Snyk. Mic, thanks for coming on theCUBE.
>>Thanks for having me. Glad to, glad to be here. Excited to have this, this, this conversation.
>>Yeah, love the background. Got I. Big football fan myself, and love that little mention there. Love the Snyk logo too. Good, good plug there. Uh, but I want to get into that. The security you guys were of the first conversations when shift left was hot, when it just started to come and it's never going away, but now there's been a huge focus and an increase of concerns around vulnerabilities, uh, within and within the supply chain of security software. So in open source software. So what are you guys doing now? Cause this is a new focus in the industry. Everyone's talking about it, your company's making changes and mitigate that risk. What do you guys have?
>>Yeah, that's, it's, it's a great question. And, and shift left is definitely a big focus of ours, right? It's, it's what sort of our core foundation is what we based. Um, our whole approach to software supply chain definitely has made its way to the top of the spectrum as far as conversations. And I think it plays very well into our focus. Um, you know, one of the things that, uh, I believe a lot of organizations are focused on is trying to get a hold of understanding a lot of the implicit trust and risk associated with everything that goes into building any sort of modern application. And that's all of the components that are being used. Everything from the open source to the containers that are consumed to the process, into all of the ecosystem and tooling that's consumed, a lot of the trust layers in there.
It's, it's extremely important to understand what that is. What's, what's the risk, right? And from a Snyk perspective, taking that, that intelligence and trust and giving it back to the developers when they're making these decisions is, is our focus. Like that, that whole concept of taking all of that security expertise and pushing it back to the individuals making those decisions, I think is probably one of the more powerful ways that you can start to implement some more security controls and get some trust and understand your risk process, um, throughout that software supply chain.
>>Okay. So you said trust three times. I'm gonna come back to that because shifting left is all about empowering developers, but what good is shifting left if you gotta stop and then go back and research something that, that wasn't in your pipeline or something else happened. So open source obviously is growing like a weed, it's continuing to exponentially grow and more people are doing it, commercialization as well, but the word trust is not zero trust. You're hearing people use the word zero trust security, that's different, right? They're talking about developers looking for trusted code. So it's interesting, you got hackers and, and zero trust and you got developers and trust and you got software in between. This is kind of the, kind of the core issue here. Isn't it?
>>It, it is, um, because of that using, I mean, there's, there's huge advantages with all of these new approaches, right? Leveraging the open source and the containers and the, and the software packages and these ecosystems to automate a lot of those software processes, but doing so means that you've got this implicit trust that's there. And so, um, taking and trying to identify and, and, and share those details with the developers when they're making those decisions, but it doesn't stop there, right?
Like that's, that's one of the other important aspects of this is what organizations have to do is to not only provide that and help those individuals when they're making those decisions, but then constantly understand if that posture changes at any given time, right. And knowing where it's happening, what is it, how do I prove and have some of the provenance details of the origination of the information, how can I trust to make sure that the security was, uh, accounted for, for all the components that I'm actually leveraging and using, and then making sure that you have that visibility through that the entire life cycle. That's probably one of the other important areas. So it's not only sort of giving that information in details and trying to take advantage of all of that, that early detection response and decision making process. But it's also maintaining that understanding of what that is, and that trust plays into that, right? There's so much implicit trust associated with it. And the more that you can understand it, comprehend it, take control of it, the better your organization from a security posture's gonna be, >>Yeah. I mean, you got builders and attackers. I mean, it's clearly the spectrum and the builders want the a hundred percent trust. Um, and I think this is gonna be such an important game changing topic that has to be addressed. It's the only way with the scale you're seeing in the growth of software. And by the way, open source become much more than just open source it's community. It's social people kind of hang out and build code together and then ventures are being started over. So this is a nice progression. Makes a lot of sense. I have to ask you though, on what are some of the what's some of the data say on the attacks, is it increasing at what rate what's the complexity look like? What's it look like as it evolves, because, you know, even though it's zero geo trust on one side and trust on the other, the attackers also adjust too. >>Yeah. 
>>So >>What's, that's, I think it's the staff. >>It's >>A very, yeah, it's a very good question. I think that's what we're seeing is, um, and this is just a natural evolution. I think there's been, you know, an historic focus on a lot of the security associated with, with running applications and locking them down. And I was reading blog just by Docker the other day about how it's like this hardened sort of outside layer, but there's this soft squishy inside that soft squishy inside is all of those building components that are inside of there. And because of that hardened layer, it, it makes those attack vectors a little bit more difficult, right. When you're trying to, to, to penetrate those. And so what we've seen is this natural evolution is say, well, let's go find the weak link. Let's go understand if there's a way to actually bypass these security controls. And sometimes the ways to do that is to simply go into the process in which the application's being built. >>If I can go upstream and actually change some of those components and implement my attack inside of the application, it automatically gets embedded instead of trying to attack it directly. And so we're seeing that, and, and it's, what's banking a lot of the news and why some of the conversations around software supply chain are becoming very prominent, it's this ecosystem. And, um, unfortunately, you know, in a lot of organizations that, that I think some of that development area hasn't had that security focus as a lot of the traditional areas associated with applications and exposure of your organization, because of that it's left a little bit more exposed, right? That, that trust that we talked about in addition to the processes has to have a little bit more of that security ingrained inside of those processes to make sure that it's not being left open. It's not an open door, an open window that's giving sort of an easy route into the application. >>Yeah, totally. 
I totally see that in the next, in the last couple minutes we have left. I want to get into what you guys are doing with your customers and what our company's doing to mitigate the risks in the software supply chain. Obviously open source is not going away. It's only gonna be part of it what's going on with the customers. >>Yeah, it's, it's a great question. And a big focus of ours is to, um, help organizations understand all of those areas as much as possible, right. And to provide them that guidance. And part of this is not only the solution and how we deploy it and how we can deliver it, but it's some of the security intelligence associated with it instead of putting the burden on our customers of trying to stay on top of all of that risk. Right? What, what, where is all of these different moving parts and something changes from being completely fine one day to, you know, a high vulnerability and risk posture. How do you react to that? And so providing as much of that insight, guidance and prioritization and the details to those organizations in, in an actionable format, um, that's probably one of the more core elements to this. >>It's not just the, Hey, here's a whole list of all your problems. It's what do you do? Like how do you take all of that information, those details, those risks, how do you prioritize them? How do you then what, what's the steps that you take from an action perspective in order to address those, right. If I've got a container with some problems, what is sort of the recommended approach to solving that? What should I upgrade to? What is the guides associated with those? And so a lot of it is focused on providing not only the insight and the ability to react and understand that risk at any given time, but also more focused on what do you gotta do, right? How do you actually take steps to alleviate or remediate that risk as much as possible? 
Can't not, that's >>The point what's so I gotta have to ask you, what's the difference between getting it right and getting it wrong, or in other words, why do some, um, supply chain vulnerabilities remain fixed, uh, unfixed and, and deprioritize? What's the, why isn't it going faster? >>Yeah. And, and some of that there's there's reasons across the board, right? Some of it crossed from the perspective that there, there might not be fixes. And so in some of those cases, just being aware of what that risk is. So you can put in other mitigating controls in order to accommodate those. In other cases, it's, it's prioritizing where your risk is most important, right. And part of this also stems from the fact that I, if you fall into sort of that reactionary bucket, then, then you have to be in sort of that prioritization reactive mode. The more that you can push this back to that early process, the less that that has to occur, because you have the ability to actually make the best decision possible with the information you have during that early process. So some of it's just, you know, predicated on the fact that there's not always solutions to all of the problems. Um, and then a part of this too, is where in the, where in the phase are you actually starting to attack and handle it? >>All right, Mick. Thanks. So for coming on, really appreciate it. Business is good at Snyk. Thanks for sharing your insights here on the, on the main stage. Okay. This is theCUBE, back to the DockerCon main stage. We'll be back more. See you soon.
DockerCon 2022 | Ajay Mungara
(upbeat music) >> Hi, everyone welcome back to theCUBE's main stage coverage of DockerCon 2022. We got a great guest from Intel here, Ajay Mungara Senior Director of Edge Software and AI at Intel talking about cloud native and AI workloads at The Edge and building a better developer ecosystem for The Edge which we all know those where the actions going cloud native, compute data, data as code. These are things we've been talking about, so Ajay, welcome to theCUBE. >> Thank you, John. I'm really happy to be here in DockerCon and everything we do Docker makes it better. >> Well, you guys have done a lot in your career and looking at your background, The Edge was manufacturing the old school IOT stuff. Now that's converged completely in with cloud native IP technologies. Everything's kind of happening now at The Edge. This is where the problems are now shifting in solving because of the goodness of the cloud and what that's done for cloud operations which essentially distributed computing is making The Edge the battleground for where the innovation's happening. Could you just share with us your view of why The Edge is so important and why it's different than what we've been seeing in pure cloud on and on premise data centers? >> Yeah, you know 75% of the data that is getting generated of late is happening at The Edge. Okay, so there's a lot of value, there's a lot of value that's getting generated at The Edge because most of the compute we want to move it where closest to the data because of latency issues, bandwidth issues, security issues all of those things is getting people to move compute storage data towards more at The Edge. There's also one big shift from a developer point of view where 51% of all of the developers in the world have deployed in somewhere the other cloud native Docker based solutions out there, okay. What we are seeing is the combination of cloud computing, networking, edge computing all of that coming together. 
And that is where it is pushing the envelope from The Edge perspective. And one of the big drivers is AI at The Edge as well, right. The Edge inference workloads that is really happening with camera as one of the sensors is really driving that compute. And your question about what's so different about it. The challenges at The Edge are compounded because it's bringing together the operational technology, the information technology processes and cloud computing environments along with networking all together. So when a developer wants to build a solution for The Edge they have to figure out what part of that workload sits in the cloud, how they're going to move that workload towards The Edge using some form of networking. How are they going to protect the data in transport as well as at rest, because Edge devices can get stolen, you know. So there is all of these challenges about like how do you like figure out the trade offs between price, performance, functionality, power, heat, size, weight everything matters when you talk about The Edge. So anyway, that is why we see those differences. >> It's interesting you know you do a little go back in history and distributed computing, the movie's still the same. Remember back in the day when I was breaking into the business memory was the bottleneck and storage was the resource. And you had to swap out memory, and as a developer you had to deal with that. Then memory became abundant and storage was the problem. Now you got networking is the latency problem. So again, these are challenges that developers have to weave through, I was going to ask the question of why is The Edge important for the and what's in it for the developer, why should they care about The Edge? And I think what you were saying is there's design decisions going on around how to code, can you elaborate on what's in it for the developer? Why should they care about The Edge? 
>> Developers have to really care about The Edge is because when you are really building a solution you cannot move the data and make all the decisions at the cloud because it's late, right, sometimes latency, your bandwidth costs, your solution costs are going to get increased. And because of security and privacy concerns sometimes you have to make those decisions at The Edge itself. You will have to figure out only take the data strategically to the cloud where it makes sense, okay. And that is the reason why developers have no choice but they have to focus on the combination of cloud networking and edge, and that's where we are seeing a large scale set of deployments that are happening today. >> Yeah, and I can see the business value too which is one of the big themes that DockerCon this year is tracks on that people talking about that. Are you seeing trends like headless retail, which is basically, it's not Shopify managed service, it's more of you build your own stack and you put the head on there which is the application and business model. >> Right. >> So again, that's an example. There's also the manufacturing, there's automotive all kinds of use cases where there's money making opportunities, right. So there's business value there, so the developer's going to be pulled to The Edge 'cause they're in the front lines now. So this is about making The Edge ready, and I want to hear your thoughts on what Intel's doing to make that developer environment ready for The Edge because we know the developer on the front lines today and that front line vanguard will be The Edge. What's it look like? >> Exactly, right, so what we have done is we have created this environment for developers which we call it as Intel DevCloud. And in this dev cloud which is Kubernetes based environment where we support all of the Docker workloads and it's based off of Red Hat OpenShift. And we thought about this a little differently. 
What we did is it's a cloud environment where you could use a browser to do all of your development build test and all of that. But we also took a whole range of these edge devices and we made it available in the cloud. So as a developer, you don't have to have an edge device sitting at your desk. You have an edge device or a plethora of edge devices sitting in the cloud. So you have one environment where you have cloud, you have network, and you have all these edge nodes. So you could start building your solution, you could start building your cloud native or edge native solutions, test it, benchmark it, and figure out how and what type of combination that you actually need for your final solution as you said in retail, in smart cities, in healthcare, any of these vertical markets and get your solution closer to being a deployment ready. >> Yeah, and I love your description by the way it's called a container playground. I mean, it's just comes across as fun. And I think this idea of having these nodes available you guys bring a lot of expertise at the table. That's almost like your local host for Edge devices, right? You can work with it in a safe environment, am I getting that right. >> You're getting that right, and in fact, during the pandemic when we are all working remote, right, nobody has access to these labs where you have all these Edge devices available to you, you could actually play with all these network simulators everything. Now with dev all these developers spread all over the world, you don't have access to as many of those edge devices. So now with browser, with this container playground, you could develop any of your Docker Compose, Docker-based container workloads and try it on all of these edge devices which may range from an Intel's point of view, CPUs, VPUs, GPUs, anything, right. 
>> We know there's a lot of compute at The Edge which always ever helps in Intel but your north star is about making it easier for the developers as you guys invest cloud network and The Edge and the cloud native world, that's the goal. How do you do that? And what should the developers optimize for it sounds like they're going to learn with this playground that you have the dev cloud. What are you seeing that they're going to learn to optimize for? Is it like I use the oldest school example of memory optimization, swapping memory out and that kind of thing but what's the new issues that need to be optimized for your developer. >> If you're a developer you got to optimize for your edge AI workloads, right, so that means AI inference workloads. You have to look at like saying that how can I take like a model that is developed in some type of a cloud environment, like a TensorFlow model or a PyTorch model, bring it down to The Edge. And then you have to do inference workloads. You need to understand to do this inference, what type of compute you need, what type of storage do you need? What type of memory do you need? And we give you those options where you could optimize those type of inference AI, inference workloads, you could actually do that. Then you also can decide like what type of decisions you want to make at The Edge what decisions you want to make at the cloud. We give you those options and flexibility for you to build those solutions. >> Great. >> One last point I'll make is there's a lot of legacy applications that have been developed which is traditional embedded applications. We also want to teach developers how to take these applications and containerize them. How to take advantage of the cloud native DevOps type of paradigms that it would make your life easier when it comes to scaling your solution, deploying your solution worldwide. >> All right, Ajay, thanks so much for coming on theCUBE DevCloud, a container playground. 
Now back to you at the main stage at DockerCon. (upbeat music)
DockerCon 2022 | Aparna Sinha
>>Welcome to theCUBE's Docker main stage coverage here at DockerCon 2022. I'm John Furrier, host of theCUBE. We're here with CUBE alumni Aparna Sinha, the senior director of product and the developer platform at Google Cloud. Aparna, great to see you. It's been a while how's things >>Great to see you, John. Thanks for having me. >>So obviously we've covered a lot about the Google's history and open source. If you go back, I mean go back generation 2000, it all started, it continues to continue to thrive the SDO, all the different projects you guys are around the future of containers and serverless all there. Give us the update. Why are customers choosing Google Cloud? We're here at DockerCon what's the big update from Google Cloud's perspective from a, from a developer perspective? >>Well, John, uh, Google Cloud has been, uh, the early cloud on containers, um, and by all measures from, we can, from what we can see, you know, it is the preferred cloud for container native workloads. Um, I think why our customers choosing cloud there's a, there's a few different reasons. Um, definitely one of the reasons is because it is a flexible and open platform. And I think that that is, uh, distinctive about Google Cloud, as you mentioned, uh, many, many open source projects coming from Google and Google Cloud in particular over the last 20 years, um, spanning, um, languages, um, you know, obviously, uh, the Go programming language all the way to of course, Kubernetes. Um, and then, uh, more recently Istio and, uh, Knative and many more, uh Tekton is one of the leading projects as well. Um, in the CI/CD space. >>So I think that, uh, history is something that really attracts the developer population. It's also very, very important for enterprises that are, uh, modernizing and looking to accelerate their, uh, developer productivity. So that's been one major reason. 
I think the second major reason is really the security aspect, um, of the developer tool chain and in particular related to open source secure well, and I think the third, uh, reason that comes out, um, quite frequently when we, when we talk to our enterprise customers is Google Cloud is unique in the multi-cloud space. Um, you know, one of the first, I think probably the first and, uh, only cloud provider to have a very strong multi-cloud strategy, uh, and that stems from the open source roots, but also, you know, uh, bringing more than just, uh, compute, bringing many of our data services also, uh, to the multi-cloud space. I think that's, those are the three reasons why, uh, developers often choose Google Cloud. >>Yeah. And you see the multi-cloud also in a distributed computing environment. It's, I mean, multi-cloud is basically distributed computing where you've got hyperscalers and then edges emerging very quickly. Of course, we've talked about that in the past, on previous interviews, how security at the edge software open source all coming together. Again, Kubernetes launched by Google contributed to the open source world that everyone knows that, or may not know that. Um, but, but that's key. Where do you see the container position come in? Because at the end of the day, containers is standard and now you've got Kubernetes and other parts wrapped around it. Where's container technology going in the coming, coming in the future years. Is it gonna be invisible? Is it gonna be programmable? What's your vision on that? >>This is an excellent question. And you're exactly right. You're seeing containers become mainstream. And some of the latest, uh, state of the, the state of the cloud business report, you're seeing, you know, 80% of enterprises, um, having some form of a container program and I've been involved in this industry since the very early days. So this is something we've been predicting, um, and it is happening even faster than expected. 
So that's becoming very mainstream, which is extremely exciting for us. Now you ask, you know, what is the future and what is the evolution of it? Um, so, and, and I think, uh, this is the right question because, um, you're seeing a lot of the future actually on Google Cloud. Um, we're, we've won the, uh, Gartner and Forrester quadrants as far as leader quadrants in, uh, you know, container offerings. And that's not just Kubernetes, of course, uh, Google Kubernetes Engine has been, has been the leading area, but there's a whole host of offerings around that. >>Um, in particular I'd like to point out serverless containers with Cloud Run, as well as the entire DevOps pipeline around containers. And that's a big topic in the industry right now. It brings in, uh, security as related to, uh, developers. And then of course, uh, you know, providing an automated, secure pipeline for DevOps, um, as it relates to containers, we've had several announcements and, and, and a lot of success in this space. Uh, I, I can go through some of these things with Cloud Run, which is our serverless container offering. We've seen, uh, four X growth in adoption and, uh, consumption of that service last year in 2021. And that is continuing, uh, so it's very, very healthy and it is very much the reason customers are adopting. It is because they don't need to learn a lot of the underlying infrastructure. They don't need to manage any of the underlying infrastructure. >>There isn't necessarily a cluster to manage all of that is taken care of, uh, for them. And they can focus on their application. They can actually use, uh, make use of the benefits of containers, such as, uh, you know, scalability, um, such as, um, application awareness, uh, and such as a lot of the integrated tool chain for, uh, delivery for application delivery, right from your source repository into production, and then being able to bring out new versions of your application, test them, and then roll over. 
So this is kind of the new, uh, uh, generation I think is very much tied to the pandemic and what's happening in the world post pandemic, where developers are extremely important, developer productivity and, and fact developer work, life balance is extremely >>Important. Yeah. And I, and I think also one of the things that we're seeing to piggyback on that last comment, as well as your other points is developers have always been pulled to the front lines even 10 years ago. You saw the trend towards getting more closer to the customer now with cloud and edge and with open source being the innovation equation where entrepreneurs are starting projects, companies are starting projects, then they gotta get commercialized. So supply chain is a big discussion. We're hearing at DockerCon we're hearing about shifting left of security data as code. You start to see the developer on the front lines in all aspects of this, and they want, they want security, they want efficiency, they want things in the pipeline. They don't wanna have to shift left, then come back again. So again, they starting to see this kind of productivity drive the business behavior of the companies cuz that's their, the value partners. That's the application side of cloud native. What's your thoughts for the developers who are doing that? What's in it for them with Google Cloud? Why, why are you important to them? >>Yeah, and I think, uh, John, this is where, uh, developers, uh, tend to prefer Google Cloud. And there's a couple of reasons for that. One is, you know, we are very much, uh, centered around developers. Um, you know, my job is, uh, you know, Google Cloud developer platform. And, uh, our goal is to provide ease of use the easiest cloud for developers. Something that is, um, you know, really allows them to get their work done quickly. Developers want to be exposed to the best technology. 
They want to be able to be exposed to it in a way that that integrates into their workflow that integrates into the tools that they're used to, um, and allows them to get their job done quickly. And so a lot of what we're doing in, in the developer space is providing an integrated stack. Um, you know, whether you're building a web application or you're building a mobile application, or you're trying to do data analytics, uh, Google Cloud should be a place that you come to. >>That's easy for you to use, to get the job done. Um, and, and, and the security aspect is not something that developers like to deal with. They want that to be taken care of for them, um, troubleshooting as well, you know, troubleshooting and, and upgrading. And all of that is something that they wanna be taken care of. And so that is something that we're baking into the platform. And you'll see that in a lot of our tooling, um, you know, the build process, uh, we're providing SLSA compliance, um, and, and build provenance for the security teams to be able to audit. But it's not something that the, that the developer needs to take care of. It's something that is just part of the, the build process built into, uh, say, uh, Cloud Run or GKE built into our compute options for making >>It for them, making it easy, simple, and reduce the steps it takes to get the job done. So great stuff, Aparna, great to see you in the last 30 seconds, we have left. Just give a quick commercial for what the key projects are in open source. You're proud of that people should pay attention to, we got KubeCon coming up, uh, in, uh, Europe and North America. What are some of the successes that you like to point out? >>Well, I really encourage, uh, developers to go and take a look, a new look at Go, Go 1.8, add support for generics. It should open up a brand new set of applications. So I definitely encourage folks to, to take a look at that, um, of, of course Istio and service mesh. 
As, as your container footprint grows, you have many microservices looking at service mesh, uh, extremely important, and it also allows you to get to that SRE type of, um, uh, DevOps model where, you know, you're securing your services. You're also, uh, being able to monitor and control, uh, service usage. And then the last one is of course Tekton and this is where secure software supply chain comes up. Part I'll >>Mention that. I wish I had 20 minutes. Love chatting with you. We'll catch up with you later on theCUBE we're here at DockerCon. Thanks for your time. Back to the DockerCon main stages of theCUBE. I'm John Furrier, back to the main stage for more coverage.
DockerCon 2022 | Shubha Rao
(upbeat music) >> Hey, welcome back to theCUBE's coverage of DockerCon Mainstage, I'm John Furrier, host of theCUBE. We're here with Shubha Rao, Senior Manager, Product Manager at AWS, in the container services. Shubha, thanks for coming on theCUBE. >> Hi, thank you very much for having me, excited to be here. >> So obviously, we're doing a lot of coverage with AWS recently, on containers, cloud native, microservices and we see you guys always at the events. But tell me about what your role is in the organization? >> Yeah, so I lead the product management and developer advocacy team, in the AWS Container Services group, where we focus on elastic containers. And what I mean by elastic containers, is that, all the AWS opinionated, out of the box solutions that we have for you, like, you know, ECS and App Runner and Elastic BeanStalk. So where we bring in our services in a way that integrates with the AWS ecosystem. And, you know, my team manages the product management and speaking to customers and developers like you all, to understand how we can improve our services for you to use it more seamlessly. >> So, I mean, I know AWS has a lot of services that have containers involved with them and it's a lot of integration within the cloud. Amazon's as cloud native as you're going to get at AWS. If I was a new customer, where do I start with containers if you had to give me advice? And then, where I have a nice roadmap to grow within AWS. >> Yeah, no, that's a great question a lot of customers ask us this. We recommend that the customers choose whatever is the best fit for their application needs and for their operational flexibilities. So, if you have an application which you can use, pretty abstract and like end to end managed by AWS service, we recommend that you start at the highest level of abstraction that's okay to use for your application. And that means something like App Runner, where you can bring in a web application and run it like end to end.
And if there are things that you want to control and tweak, then you know, we have services like ECS, where you get control and you get flexibility to tweak it to your needs. Be it needs of like, integrations or running your own agents and running your own partner solutions or even customizing how it scales and all the, you know, characteristics related to it. And of course we have, if there are a lot of our customers also run Kubernetes, so that is a requirement for you, if your apps are already packaged to run, you know, easily with the Kubernetes ecosystem, then we have EKS for you. So, like application needs, the operational, how much of the operations do you want us to handle? Or how much of it do you want to actually have control over. And with all that, like the highest level of abstraction so that we can do the work on your behalf, which is the goal of AWS. >> Yeah, well, we always hear that all that heavy lifting, undifferentiated heavy lifting, you guys handle all that. Since you're in product management, I have to ask the question 'cause you guys have a little bit longer view, as you have to think about what's on the roadmap. What type of customer trends are you seeing in container services? >> We see a lot of trends about customers who want to have the pluggability for their, you know, services of choice. And our EKS offerings actually help in that. And we see customers who want an opinionated, you know, give me an out of the box solution, rather than building blocks. And ECS brings you that experience. The new strengths that we are seeing is that a lot of our customer workloads are also on their data centers and in their on-prem like environments. Be it branch offices or data centers or like, you know, other areas. And so we've recently launched the Anywhere offerings for you.
So, ECS Anywhere brings you an experience for letting your workloads run and management that you control, where we manage the scaling and orchestration and the whole like, you know, monitoring and troubleshooting aspects of it. Which is the new trend, which seems to be something that our customers use as a way to migrate their applications to the cloud in the long term or just to get, you know, the same experience and the same, like, constructs that they're familiar with, come onto their data centers and their environments. >> You know, Shubha, we hear a lot about containers. It's becoming standard in the enterprise now, mainstream. But customers, when we talk to them, they kind of have this evolution, they start with containers and they realize how great it is and they become container full, right. And then you start to see kind of, them trying to evolve to the next level. And then you start to see EKS come into the equation. We see that in cloud native. Is EKS a container? Or is it a service? How does that work with everything? >> So EKS is an Amazon managed service, container service, where we do the operational set up, you know, upgrades and other things for the customer on their behalf. So basically, you get the same Kubernetes APIs that you get to use for your application but we handle a little bit of the integrations and the operations related to keeping it up and running with high availability, in a way that actually meets your needs for the applications. >> And more and more people are dipping their toe in the water, as we say, with containers. What are some of the things you've seen customers do when they jump in and start implementing that kind of phase one containers? Also, there's a lot of head room beyond that, as you mentioned. What's the first couple steps that they take? They jump in, is it a learning process? Is it serverless? Where is the connection points all come together?
>> Great, so, I want to say that, no one solution that we have, fits all needs. Like, it's not the best case, best thing for all your use cases, and not for all of your applications. So, how it all comes together is that, AWS gives you an ecosystem of tools and capabilities. Some customers want to really build the, you know, castle themselves with each of the Lego block and some customers want it to be a ready made thing. And I want, you know, one of the things that I speak to customers about is, is to rethink which of the knobs and controls do they really need to have, you know, because none of the services we have is a one way door. Like, there is always flexibility and, you know, ability to move from one service to the other. So, my recommendation is to always like, start with things where Amazon handles many of the heavy lifting, you know, operations for you. And that means starting with something like, serverless offerings, where, like, for example, with Lambda and Fargate, we manage the host, we manage the patching, we manage the monitoring. And that would be a great place for you to use ECS offering and, you know, basically get an end to end experience in a couple of days. And over time, if you have more needs, if you have more control, you know, if you want to bring in your own agents and whatever else you have, the option to use your own EC2 Instances or to take it to other, like, you know, parts of the AWS ecosystem, where you want to, you know, tweak it to your needs. >> Well, we're seeing a lot of great traction here at DockerCon. And all the momentum around containers. And then you're starting to get into trust and security supply chain, as open source becomes more exponentially in growth, it's growing like crazy, which is a great thing. So what can we expect to see from your team in the coming months, as this rolls forward? It's not going away anytime soon. It's going to be integrated and keep on scaling.
What do we expect from the team in the next month or so? Couple of months. >> Security and, you know, is our number one job. So you will continue to see more and more features, capabilities and integrations, to ensure that your workloads are secure. Availability and scaling are the things that we do, you know, as keep the lights on. So, you should expect to see all of our services growing to make it like, more user friendly, easier, you know, simpler ways to get the whole availability and scaling to your needs, better. And then like, you know, very specifically, I want to touch on a few services. So App Runner, today we have support for public facing web services. You can expect that the number of use cases that you can meet with App Runner is going to increase over time. You want to invest into making it AWS end to end workflow experience for our customers because, that's the easiest journey to the cloud. And we don't want you to actually wait for months and years to actually leverage the benefits of what AWS provides. ECS, we've already launched our, like, you know, Fargate and Anywhere, to bring you more flexibility in terms of easier networking capabilities, more granular controls in deployment and more controls to actually help you plug in your preferred, you know, solution ties. And in EKS, we are going to continue to keep the Kubernetes, you know, versions and, you know, bring simpler experiences for you. >> A lot of nice growth there, containers, EKS, a lot more goodness in the cloud, obviously. We have 30 seconds left. Tell us what you're most excited about personally. And what should the developers pay attention to in this conference around containers and AWS? >> I would say that AWS has a lot of offerings but, you know, speak to us, like, come to us with your questions or, you know, anything that you have, like in terms of feature requests. We are very, very eager and happy to speak to you all.
You know, you can engage with us on the containers roadmap, which is on GitHub. Or you can find, you know, many of us in events like this, AWS Summits and, you know, DockerCon and many of the other meetups. Or find us on LinkedIn, we're always happy to chat. >> Yeah, always open, open source. Open source meets cloud scale, meets commercialization. All happening, all great stuff. Shubha, thank you for coming on theCUBE. Thanks for sharing. We'll send it back now to the DockerCon Mainstage. I'm John Furrier with theCUBE. Thanks for watching. (upbeat music)
DockerCon 2022 | Knox Anderson
(upbeat bright music) >> Hello, welcome back to theCUBE's main stage coverage of DockerCon 2022. I'm John Furrier, host of theCUBE. We have Knox Anderson, vice president of Product Management, Sysdig. Knox, welcome to theCUBE. >> Thanks for having me. Glad to be back. >> So IaC containers is going crazy madness in terms of adoption, standard, even mainstream enterprise, IT and cloud are all containerized. It's only getting better, and it increases the complications when you start thinking about scale and supportability. This is a huge discussion, and it ranges from how do you support, how do you run operations, how do you secure in the supply chain. All this is happening, and with the growth of cloud and server (indistinct) seeing Kubernetes at the center of everything. So I got to ask you, how has Kubernetes changed how you secure cloud infrastructure? >> Yeah, so Kubernetes is really the modern operating system for the cloud. And with that, you get a lot of facilities. So you get things like Kubernetes' network policies, you can use things like admission controllers. And with that, you're securing multiple layers, whether it's the control plane, individual workloads. And so there's a nice mixture of built-in tools, and part of the Kubernetes platform that then you can leverage to do prevention, auditing, and things like that. But it really requires an entire rethink of your stack and the tools you bring in alongside your people and processes. And so it's an exciting time because it gives you an opportunity to be more secure, but really have to rethink your approach there. >> And I want to get into the whole observability trend here 'cause you start thinking about the mobility, what containers enables. And getting all the data is everything. And then also that feeds into kind of having a good sense of what is going on. And when you hear about shift left and data as code, you know, developers don't want to get stopped coding, right?
And then have to come back and go dig into things that they thought they had taken care of. So you kind of got this kind of flywheel going in the wrong direction. So that's causing teams to be disrupted. So how do teams keep up with the changes to the containerized applications or what to prioritize around that? Because if I shift left, am I done or what? And these are the things that come up all the time. >> Yeah. You have to shift left but also watch the right. Like, shifting left is a little bit harder from a people and process perspective. Like you put a tool in place, then it's a gating factor for getting in. And so that runtime context on the right is equally as important. And it's often easier to roll out a runtime tool just because you're not going in and introducing new processes. And that runtime visibility can also make shift left much better. If you're scanning a container image, you might get a thousand different vulnerabilities that you need to address, but only three of those are in packages that are actually executed at runtime. And so we recently released a feature called Risk Spotlight which does that exact feedback loop. And that's something that's important whether you're addressing vulnerabilities, misconfigurations, or responding to an event. What's on the right, what's on the left, and then tie those together. >> Yeah, it's like left, right, it's like driving training here in the United States. You got a stop sign, you want to be moving, always be moving. I got to ask you what are some of the side effects of infrastructure automation and the result in code artifacts? >> Yeah, it's really, like, Kubernetes is nice because it's a declarative system, but it doesn't always work out that way. Like, someone might have a Helm chart and then someone else changes it in production. So understanding what is drift is really important in these environments. And then it also has enabled real remediation workflows.
I think previously, you might patch something, a week later there's a new deploy, that patch gets written over. And so because Kubernetes and the rise of IaC, it's now easier to see a misconfiguration in production, open a pull request, and then fix that at source, which provides that full kind of visibility across those different environments. And it allows you to actually fix issues versus constantly being in that kind of whack-a-mole of patching things and moving on. >> Yeah, I mean this is all about cloud native development, and you look at, you know, some of the things going on, you're starting to see best practices developed. What do you guys see as a best practice for getting started with designing and securing cloud native applications? What are some of the tools that people should look at for beginners and for the entry-level position? And then as they get traction, what does that turn into? >> Yeah, so the pattern we've often seen is like someone gets started on the open source side, whether you're using Open Policy Agent or Falco, which Loris, who you've met with before, created. And so really when you're starting, choose kind of the open source option. Learn from that. And then often what we've seen with customers is at scale, there's some companies like if you're in Uber, or Snapchat, and Apple, you can maybe build something around open source, but a lot of other people start to really consolidate platforms that are built on top of those open source technologies, and trying to get that really single view into what's happening in their environment, what are those events. And the thing that I would say, process wise, is most important is build that container center of excellence, that cloud center of excellence, whatever you call it, that brings together people from your ops team, your infrastructure team, your dev team, your security team. Everyone's got to have a seat at the table to have containers be successful.
It's a big shift, and if you do it right, it really takes off, but each team really needs to be included there. >> Yeah, there's a lot of operational discussions going on around the devs, and the devs are being pulled to the front lines. We've been saying this for a decade, but now when you got edge computing, you got cloud native operations, on-premises, you start to see that they're getting pulled even further to the frontline. So, you know, what are you guys up to at Sysdig? You know, they got a lot of developers here at DockerCon, what's in it for them? Why Sysdig, why should they care? What would you say to the old developers that are watching? What's in it for them? >> Yeah, we really make it easier for you to prioritize what to fix and what to address in your environment. I know I've built something before and like, my test suite or my scanner just lights up like a Christmas tree, and you just want to move to another task because it's just too much to deal with at that time. And so we really help you focus on what matters and get the most bang for your buck. Everyone has way too much time or too many things going on and not enough time. And so being able to understand effective risk, your different vulnerabilities, what to fix, is really key to delivering secure software. >> I mean, it's like a doctor needs to know what to work on with the patient, if you will, when to, and what's important, and then the dependencies, and you got a systems mindset, you got to know what the consequences. So it sounds easy, just knock down a list of things, but it isn't that easy. You got to want to hit things that you know that will be, to have an impact right away. That seems to be the big aha moment here. >> Yeah, definitely. >> So we're going to be at KubeCon in Europe, you guys going to have booth there, what's the quick plug for the company? Give a shout out to what's happening at Sysdig and cloud native world. >> Yeah, really excited to be in Valencia.
We have a ton of people at, sorry, at DockerCon with, giving a couple different talks here. So the first is Master Your Container Security Model and then Software Supply Chain Security and Standards. On the supply chain one, we're getting deep into SBOMs. So if that's a topic that's important to you, please join that one. >> Awesome, and then that's a big topic supply chain. We've got a minute and a half left. What's the most important thing people should pay attention to as open source continues to grow in prominence, not just from a code standpoint, but as a social environment, as people's doing ventures and venture capitalists are mining the area, what should they pay attention to as supply chain becomes important, what's the big thing? >> There's a lot of companies I think going around the SBOM space, and kind of trying to certify like where did this come from, and have that provenance across the entire supply chain. We, under the hood, use those SBOMs to understand kind of what have you built, what packages are used, and then tie that with that runtime data. So a lot of the things that we talked around before with Risk Spotlight is based on that deep SBOM knowledge. And that's something that, I think the standards are still getting kind of worked out where there's CycloneDX, SPDX. And so people really are saying, "Hey, I need to generate SBOMs," and we're regenerating them, but there's going to be more and more applications on "Okay what do you do with that? How does it integrate with other tools?" So it's kind of I think in the little bit of the early data lake phases where it's like, "I've taken all my data, I put it here. Now I need to do more with it." And so that's where I think we'll start to see some pretty exciting things over the next year or two. >> It's super exciting. On one hand you got the attackers, and that's a zero trust environment, and you get the builders, the developers where trust is everything. You got to know what's in the code.
It's really interesting time and super important to scale. So Knox, thanks for coming on theCUBE and sharing the Sysdig update. Appreciate it, thanks for coming on. Now back to you at the DockerCon main stage, this is theCUBE. I'm John Furrier, your host. Thanks for watching. (upbeat bright music)