
DockerCon 2022 | Sudhindra Rao


 

>>And welcome to the DockerCon CUBE coverage here on the main stage. Sudhindra Rao, development manager at JFrog, welcome to theCUBE. You guys have been on many times, uh, with JFrog on theCUBE, great product you guys are doing great. Congratulations on all the success. Thanks for coming on theCUBE.

>>Thank you. Thank you for having me.

>>So I'm really interested in talking about the supply chain, uh, package management, supply chain, and software workflow, huge discussion. This is one of the hottest issues that's being solved on by, with, with in DevOps and DevSecOps in, in the planet. It's all over the, all over the news, a real challenge, open source, growing so fast and so successful with cloud scale and with automation, as you guys know, you gotta ha you gotta know what's trusted, so you gotta build trust into the, the product itself. So developers don't have to do all the rework. Everyone kind of knows this right now, and this is a key solve problem you guys are solving. So I gotta ask you, what is the package management issue? Why is it such an important topic when you're talking about security?

>>Yeah. Uh, so if you look at, uh, look at how software is built today, about 80 to 90% of that is open source. And currently the way we, the way we pull those open source libraries, we just, we just have blind trust in, in repositories that are central, and we rely on whatever mechanism they have built to, to establish that trust, uh, with the developer who is building it. And from, from our experience, uh, we have learned that that is not sufficient, uh, that is not sufficient to tell us that that particular developer built that end product and, uh, whatever code that they build is actually coming out in the end product. So we need, we need something to bridge that gap. We need, we need a trustworthy mechanism there to bridge that gap. And there are, there are a few other, uh, elements to it.
>>Um, all these central repositories are prone to, uh, single points of failure. And, you know, in, we have all experienced what happens when one of those goes down and how it stops production and how it, how it stops just software, uh, development, right? And we, what we are working on is how do we build a system where we, we can actually have, uh, liquid software as a reality and just continue to build software, regardless of all these systems of being live all the time, uh, and also have a, an implicit, uh, way of mechanism to trust, uh, what is coming out of those systems?

>>You know, we've talked with you guys in the past about the building blocks of software and what flows through the pipelines, all that stuff's part of what is automated these days and, and, and important. And what I gotta ask you because security these days is like, don't trust anything, you know, um, here it's, you're, you're trusting software to be in essence verified. I'm simplifying, obviously. So I gotta ask you what is being done to solve this problem, because states change, you know, you got data, you got software injections, and you got, we got containers and Kubernetes right here, helping all this is on the table now, but what is currently being done to solve the problem? Cause it's really hard.

>>Yeah, it is. It is a really hard problem. And currently, right, when we develop software, we have a team, uh, which, which we work with and we trust whatever is coming out of the team. And we have, we have a, um, what do you call certified, uh, pro production mechanism to build that software and actually release it to our customers. And when it is done in house, it is easy because we are, we control all the pieces. Now what happens when, when we are doing this with open source, we don't have that chain. We need that chain, which is independent. We just independent of where the software was, you know, produced versus where it is going to be used.
We need a way to have provenance of how it was built, which parts actually went in, uh, making, uh, making the end product. Uh, and, and what are the things that we see are, are, are, uh, continuing, uh, uh, continuing evidences that this software can be used. So if there is a vulnerability that is discovered now, that is discovered, and it is released in some database, and we need to do corrective action to say that this vulnerability associated with this version, and there is no, there's no automated mechanism. So we are working on an automated mechanism where, where you can run a command, which will tell you what has happened with this piece of, uh, software, this version of it, and whether it is production worthy or not.

>>It's a great goal. I gotta say, but I'll tell you, I can guarantee there's gonna be a ton of skeptics on this security people. Oh, no, I don't. I doubt it's always a back door. Um, what's the relationship with Docker? How do you guys see this evolving? Obviously it's a super important mission. Um, it's not a trend that's gonna go away. Supply chain software is here to stay. Um, it's not gonna go away. And we saw this in hardware and everyone kind of knows kind of what happens when you see these vulnerabilities. Um, you gotta have trusted software, right? This is gonna be continuing what's the relationship with DockerCon? What are you guys doing with Docker here at DockerCon?

>>So we, when we actually started working on this project, uh, both Docker and, uh, JFrog had had similar ideas in mind of how, how do we make this, uh, this trust mechanism available to anyone, uh, who wants it, whether they're, whether they're in interacting with Docker Hub or, or regardless of that, right. And how do we actually make it a mechanism, uh, that just, uh, uh, that just provides this kind of, uh, this kind of trust, uh, without, without the developer having to do something.
Uh, so what we worked with, uh, with Docker is actually integrating, um, integrating our solution so that anywhere there, uh, there is, uh, Docker being used currently, uh, people don't have to change those, uh, those behaviors or change those code, uh, those code lines, uh, right. Uh, because changing hand, uh, changing this a single line of code in hundreds of systems, hundreds of CI systems is gonna be really hard. Uh, and we wanted to build a seamless integration between Docker and the solution that we are building, uh, so that, so that you can continue to do docker pull and docker push and, but get, uh, get all the benefits of the supply chain security solution that we have.

>>Okay. So let's step back for a minute and let's discuss about the pro what is the project and where's the commercial JFrog Docker intersect take that, break that apart, just step out the project for us. What's the intended goals. What is the project? Where is it? How do people get involved and how does that intersect with the commercial interest of JFrog and Docker?

>>Yeah. Yeah. My favorite topic to talk about. So the, the project is called Pyrsia, uh, Pyrsia is, uh, is an open source project. It is, it is an effort that started with JFrog and, and Docker, but by no means limited to just JFrog and Docker contributing, we already have five companies contributing. Uh, we are actually building a working product, uh, which we'll demo during, uh, during our, uh, our talk. And there is more to come there's more to come. It is being built iteratively, and, and the solution is basically to provide a decentralized mechanism, uh, similar to similar to how, how you, uh, do things with Git, so that you have, you have the, uh, the packages that you are using available at your nearest peer. Uh, there is also going to be a multi-node build verification mechanism, uh, and all of the information about the packages that you're going to use will be available on a provenance log.
>>So you can always query that and find out what is the latest state of affairs, what ES were discovered and make, make quick decisions. And you don't have to react after the fact after it has been in the news for a while. Uh, so you can react to your customer's needs, um, uh, as quick as they happen. And we feel that the, our emphasis on open source is key here because, uh, given our experience, you know, 80 to 90% of software that is packaged, contains open source, and there is no way currently, which we, uh, or no engineering mechanisms currently that give us that, uh, that confidence that we, whatever we are building and whatever we are dependencies we are pulling is actually worthwhile putting it into production.

>>I mean, you really, it's a great service. I mean, you think about like all that's coming out, open source, open source become very social, too. People are starting projects just to code and get, get in the, in the community and hang out, uh, and just get in the fray and just do stuff. And then you see venture capitals coming in funding those projects, it's a new economic system as well, not just code, so I can see this pipeline beautifully up for scale. How do people get involved with this project? Cause again, my, my questions all gonna be around integration, how frictionless it is. That's gonna be the challenge. You mentioned that, so I can see people getting involved. What's what's how do people join? What do they do? What can they do here at DockerCon?

>>Yeah. Uh, so we have a website, Pyrsia, pyrsia.io, and you'll find all kinds of information there. Uh, we have a Git presence. Uh, we have community meetings that are open to public. We are all, we are all doing this under the, uh, under the umbrella of the Linux Foundation. We had a bootstrap project within Linux Foundation. Uh, so people who have interest in, in all these areas can come in, just, just attend those meetings, uh, add, uh, you know, add comments or just attend our stand up.
So we are running it like a, like a agile from, uh, process. We are doing stand up, we are doing retrospectives and we are, we are doing planning and, and we are, we are iteratively building this. So what you'll see at DockerCon is, is just a, a little bit of a teaser of what we have built so far and what you, what you can expect to, uh, see in, in future such events.

>>So thanks for coming on theCUBE. We've got 30 seconds left, put a quick plug in for the swampUP, coming up.

>>Yeah. Uh, so we, we will talk a lot more about Pyrsia and our open source efforts and how we would like you all to collaborate. We'll be at swampUP, uh, in San Diego on May 26th, uh, May 24th to 26th. Uh, so hope to see you there, hope to discuss more about Pyrsia and, and see what he will do with, uh, with this project. Thank you.

>>All right. Thanks for coming on the back to the main stage. I'm John cube. Thanks for watching.

>>Thank you.

Published Date : May 11 2022


Simon Maple, Snyk | DockerCon 2021


 

>>Mhm. Yes.

>>Hello and welcome back to theCUBE's coverage of DockerCon 2021 virtual. I'm John Furrier, host of theCUBE. Got a great CUBE segment here. Simon Maple, Field CTO at Snyk. Great company, security shifting left, great to have you on Simon. Thanks for thanks for stopping by.

>>Absolute pleasure. Thank you very much for having me.

>>So you guys were on last year, the big partnership with DockerCon. Remember that interview vividly because it was really the beginning at the beginning but really come to me the mainstream of shifting left as DevOps. It's not been it's been around for a while. But as a matter of practice as containers have been going super mainstream. Super ballistic in the developer community then you're seeing what's happening. It's containers everywhere. Security. Now DevSecOps is the standard. So DevOps, great, infrastructure as code. We all know that but now it's DevSecOps is standard. This is the real deal. Give us the update on what's going on with Snyk.

>>Absolutely, yeah. And you know, we're still tireless in our approach of trying to get make sure developers don't just have the visibility of security but are very much empowered in terms of actually fixing issues and secure development is what we're really striving for. So yeah, the update, we're still very, very deep into a partnership with Docker. We have updates on Docker Desktop which allows developers to scan the containers on the command line, providing developers that really fast feedback as as early as possible. We also have, uh, you know, new updates and support for running Docker scan on Linux. Um, and yeah, you know, we're still there on the Docker Hub and providing that security insights, um, to, to users who are going to Docker Hub to grab their images.

>>Well, for the folks watching maybe for the first time, the Snyk Docker partnership, we went in great detail last year was the big reveal why Docker and Snyk partnership, what is the evolution of that partnership over the year?
They speak highly of you guys as a developer partner. Why Docker? What's the evolution looked like?

>>It's a it's a really great question. And I think, you know, when you look at the combination of Docker and Snyk, well actually let's take let's take each as an individual. Both companies are very, very developer focused. First of all, right, so our goals and what we strive for, what we what we tirelessly spend their time doing is creating features and creating, creating an environment in which a developer you can do what they need to do as easily as possible. And that, you know, everyone says they want to be developer friendly, they want to be developer focused. But very few companies can achieve. And you look at a company like Docker, you're a company like Snyk, it really, really provides that developer with the developer experience that they need to actually get things done. Um, and it's not just about being in a place that a developer exists. It's not enough to do that. You need to provide a developer with that experience. So what we wanted to do was when we saw Docker and extremely developer friendly environment and a developer friendly company, when we saw the opportunity there to partner with Docker, we wanted to provide our security developer friendliness and developer experience into an already developer friendly tool. So what the partnership provides is the ease of, you know, deploying code in a container combined with the ease of testing your code for security issues and fixing security issues in your code and your container and pulling it together in one place. Now, one of the things which we as a as a security company, um, pride ourselves on is actually not necessarily saying we provide security tools. One of what our favorite way of saying is we're a developer tooling company. So we provide tools that are for developers. Now in doing that.
It's important you go to where the developers are and developers on Docker are obviously in places like the Docker Hub or the Docker CLI. And so it's important for us to embed that behavior and that ease of use inside Docker for us to have that, uh, that that flow. So the developer doesn't need to leave the Docker CLI, developer that doesn't need to leave Docker Hub in order to see that data. If you want to go deeper, then there are probably easier ways to find that data perhaps with Snyk or on the Snyk site or something like that. But the core is to get that insight to get that visibility and to get that remediation, you can see that directly in in the in the Docker environment. And so that's what makes the relationship so so powerful. The fact that you combine everything together and you do it at source.

>>And doing it at the point of code, writing code, is one of the big things I've always liked about the value proposition is simple shift left. Um, so let's just step back for a second. I got to ask you this question because this I wanted to make sure we get this on the table. What are the main challenges, uh, and needs to, developers have with container security? What are you seeing as the main top, uh, a few things that they need to have right now for the challenges, uh, with container security?

>>Yeah, it's a it's a very good question. And I think to answer that, I think we need to, um, we need to think of it in a couple of ways. First of all, you've just got developers security, uh, in general, across containers. Um, and the that in itself is there are different levels at which developers engage with containers. Um, in some organizations, you have security teams that are very stringent in terms of what developers can and can't do, in other organizations, it's very much the developer that that chooses their environment, chooses their parent image, et cetera.
And so there when a developer has many, many choices in which they need to need to decide on, some of those choices will lead to more issues, more risk. And when we look at a cloud native environment, um, uh, let's take let's take a Node, uh, image as an example, the number of different, uh, images tags you can choose from as a developer. It's you know, there are hundreds, probably thousands. That you can actually you can actually choose. What is the developer gonna do? Well, are they going to just copy paste from another Dockerfile, for example, most likely. What if there are issues in that Dockerfile? They're just gonna copy paste that across. Misconfigurations that exist. Not because the developer is making the wrong decision, but because the developer very often doesn't necessarily know that they need to add a specific directive in. Uh, so it's not necessarily what you add in a config file, but it's very often what you omit. So there are a couple of things I would say from a developer point of view that are important when we think about cloud security, the first one is just that knowledge, that understanding what they need to do, why they need to do it. Secure development doesn't need to be, doesn't mean they need to be deep in security. It means they need to understand how they can develop securely and what what the best decisions that could come from guard rails, from the security team that they provide the development team to offer. But that's the that's an important area of secure development. The second thing and I think one of the most important things is understanding or not understanding necessarily, but having the information to get an act on those things early. So we know the length of time that developers are, uh, working on a branch or working on, um, some some code changes that is reducing more and more and more so that we can push to production very, very quickly.
Um, what we need to do is make sure that as a developer is making their changes, they can make the right decision at the right time and they have the right information at that time. And a lot of this could be getting information from tools, could be getting information from your team where it could be getting information from your production environments and having that information early is extremely important to make that decision. May be in isolation with your team in an autonomous way or with advice from the security team. But I would say those are the two things, having that information that will allow you to make that action, that positive change. Um, uh, and and yeah, understanding and having that knowledge about how you can develop security.

>>All right. So I have a security thing. So I'm a development team and by the way, this whole team's thing is a huge deal. I think we'll get to that. I want to come back to that in a second but just throw this out there. Got containers, got some security, it's out there and you got Kubernetes clusters where containers are coming and going. Sometimes containers could have malware in them. Um, and and this is, I've heard this out and about, how do how that happens off container or off process? How do you know about it? Is that infected by someone else? I mean is it gonna be protected? How does the development team once it's released into the wild, so to speak. Not to be like that, but you get the idea, it's like, okay, I'm concerned off process this containers flying around. What is it, how do you track all

>>And you know, there's a there's a few things here that are kind of like potential potential areas that, you know, we can trip up when we think about malware that's running, um, there are certain things that we need to that we need to consider and what we're really looking at here are kind of, what do we have in place in the runtime that can kind of detect these issues are happening? How do we block that?
And how do you provide that information back to the developer? The area that I think is, and that is very, very important in order to in order to be able to identify monitor that those environments and then feed that back. So that that that's the kind of thing that can be that can be fixed. Another aspect is, is the static issues and the static issues whether that's in your OS in your OS packages, for example, that could be key binaries that exist in your in your in your Docker container out the box as well or of course in your application, these are again, areas that are extremely important to detect and they can be detected very very early. So some things, you know, if it's malware in a package that has been identified as malware then absolutely. That can be that can be tracked very very early. Sometimes these things need to be detected a little bit later as well. But yeah, different tools for different for different environments and where Snyk is really focused is this static analysis as early as possible.

>>Great, great insight there. Thanks for sharing that certainly. Certainly important. And you know, some companies' clusters are locked down and all of sudden in comes, you know, some some malware from a container, people worried about that. So I want to bring that up. Uh, the other thing I want to ask you is this idea of end to end security, um, and this is a team formation thing we're seeing where modern teams have essentially visibility of their workload end to end. So this is a huge topic. And then by the way it might integrate their their app might integrate with other processes too, that's great for containers as well and observability and microservices. So this is the trend. What's in it for the developer? If I work with Snyk and Docker, what benefits do I get if I want to go down that road of having these teams be end to end, but I want the security built in.

>>Mhm. Yeah, really, really important.
And I think what's what's most important there is if we don't look end to end, there are component views and there are applications. If we don't look end to end, we could have our development team fixing things that realistically aren't in production anyway or aren't the key risks that are potentially hurting us in our production environment. So it's important to have that end-to-end view so that we have the right insights and can prioritize what we need to identify and look at early. Um, so I think, I think that visibility end to end is extremely important. If we think about who, who is re fixing, uh, certain issues, again, this is gonna depend from org to org, but what we're seeing more and more is this becoming a developer led initiative to not just find or be given that information, but ultimately fix. They're getting more and more responsible for Dockerfiles, for for IaC, for for their application code as well. So one of the areas which we've looked into as well is identifying and actually running in Kubernetes workloads to identify where the most important areas that a developer needs to look at and this is all about prioritization. So, you know, if the developer has just a component view and they have 100 different images, 100 different Kubernetes configs, you know, et cetera. Where do they prioritize, where do they spend their time? They shouldn't consider everything equal. So this identification of where the workloads are running and what, um, is causing you the most risk as a business and as an organization, that is the data. That can be directly fed back into your, your your vulnerability data and then you can prioritize based on the Kubernetes workloads that are in your production and that can be fed directly into the results in the dashboards that Snyk can provide you as well. So that end to end story really provides the context you need in order to not just develop securely, but act and action issues in a proper way.

>>That's a great point.
Context matters here because making it easy to do the right thing as early as possible, the right time is totally an efficiency productivity gain, you see in that that's clearly what people want. It's a great formula, success, reduce the time it takes to do something, reduce the steps and make it easy. Right, come on, that's a that's a formula. Okay, so I gotta bring that to the next level. When I ask you specifically around automation, this is one the hot topic and DevSecOps, automation is part of it. You got scale, you got speed, you've got AI, machine learning, you go out of all these new things. Microservices, how do you guys fit into the automation story?

>>It's a great question. And you know, one of the recent reports that we that we did based on a survey data this year called the state of a state of cloud native applications security. We we asked the question how automated are people in their in their deployment pipelines and we found some really strong correlations between value from a security point of view, um, in terms of in terms of having that automation in it, if I can take you through a couple of them and then I'll address that question about how we can be automated in that. So what we found is a really strong correlation as you would expect with security testing in CI, in your source code repositories and all the way through the deployment. CI and source code were the two of the most most well tested areas across the pipeline. However the most automated teams were twice as likely to test in IDEs and testing your CLIs in local development. And now those are areas that are really hard to automate if at all because it's developers running running their CLI, developers running and testing in their IDE. So the having a full automation and full, uh, proper testing throughout the SDLC actually encourages and and makes developers test more in their development environment. I'm not saying there's causation there but there's definite correlation.
A couple of other things that this pushes is, um, much much more likely to test daily or continuously being automated as you would expect because it's part of the builds as part of your monitoring. But crucially, uh, 73% of our respondents were able to fix a critical issue in less than a week as opposed to just over 30% of people that were not automated, so almost double people are more likely to fix within a week. 36% of people who are automated can fix a critical security issue in less than a day as opposed to 8% of people who aren't automated. So really strong data that correlates being automated with being able to react. Now, if you look at something like Snyk, what if our, um, goals of obviously being developer friendly, developer first and being able to integrate where developers are and throughout the pipeline, we want to test everywhere and often. Okay, so we start as far left as we can, um, integrating into, you know, CLIs, integrating into Docker Hub, integrating into into docker scan so at the command line you type in docker scan, you get Snyk embedded in Docker Desktop to provide you those results so as early as possible, you get that data, then all the way through to to, uh, Git repos providing that testing and automatically testing and importing results from there as well as as well as other repositories, container repositories, being able to pull from there and test, then going into CI, being able to run container tests in CI to make sure we're not regressing and to choose what we want to do there, whether we break, whether we continue with with raising an issue or something like that, and then continuing beyond that into production. So we can monitor tests and automatically send pull requests, et cetera, as and when new issues or new fixes occur. So it's about integrating at every single stage, but providing some kind of action.
So, for example, in our UI we provide the ability to say this is the base level you should be or could be at, it will reduce your number of vulnerabilities by X and as a result you're going to be that much more secure, that actionability across the pipeline.

>>That's a great, great data dump, that's a masterclass right there on automation. Thanks for sharing that Simon. I appreciate it. I gotta ask you the next question that comes to my mind because I think this is kind of the dots connect for the customer is okay. I love this kind of hyper focus on containers and security. You guys are all over it, shift left as far as possible, be there all the time, test, test, test all through the life cycle of the code. Well, the one thing that is popping up as a huge growth areas, obviously hybrid cloud DevOps across both environments and the edge, whether it's 5G industrial or intelligent edge, you're gonna have Kubernetes clusters at the edge now. So you've got containers. The relationship to Kubernetes and then ultimately cloud native workloads at, say, the edge, which has data has containers. So there's a lot of stuff going on all over the place. What's your, what's your comment there for customer says, hey, you know, I got, this is my architecture that's happening to me now. I'm building it out. We're comfortable with Kubernetes, put in containers everywhere, even on the edge, how does Snyk fit into that story?

>>Yeah, really, really great question. And I think, you know, a lot of what we're doing right now is looking at a developer platform. So we care about, we care about everything that a developer can check in. Okay, so we care about Git, we care about the repositories, we care about the artifact. So, um, if you look at the expansion of our platform today, we've gone from code that people, uh, third party libraries that people test. We added containers. We've also added infrastructure as code. So Kubernetes configs, Terraform scripts and things like that.
We're able to look at everything that the developer touches, from their code with Snyk Code all the way through to your container. And I see, so I think, you know, as we see more and more of this pushing out into the edge, Kubernetes config, you know, controls a lot of that. So much of this is now going to be, or not going to be, but so much of the environment that we need to look at is in the configurations or the misconfigurations in those deployment scripts. Um, these are some of the areas which we care a lot about in terms of trying to identify those vulnerabilities, those misconfigurations that exist within those scripts. So I can see, yeah, more and more of this, and there's a potential shift like that across to the edge. I think it's actually really exciting to be able to see those, uh, those pushing across. I don't necessarily see any, you know, different security threats or the threat landscape changing as a result of that. Um, there could be differences in terms of configurations, in terms of misconfigurations that could increase as a result, but, you know, a lot of this just needs to be dealt with in the appropriate way, through tooling, through education of how that's done. >>Well, obviously threat vectors are all gonna look DevOps-like, there's no perimeter. So they're everywhere, right? Looking at, I think, like a hacker, to be being there. Great stuff. Quick question on the future relationship with Docker. Obviously you're betting a lot here on that container relationship, a good place to start. A lot of benefits there. They have dependencies, they're going to have implications. People love them, they love to use them, helps old run with the new and helps the new run better. Certainly with Kubernetes, everything gets better together. What's the future with the Docker relationship? Take us through how you see it. 
>>So yeah, I mean, it's been an absolute blast with Docker, and you know, even from looking at some of the internal chats, it's been truly wonderful to see the way in which both Docker and Snyk, from everything from an engineering point of view, from a marketing, from a product team. It's been a pleasure to see that relationship grow and flourish. And I think there's two things. First of all, I think it's great that as companies we both worked very, very well together. I think as users, um, seeing, you know, Docker and Snyk work so seamlessly and integrated. A couple of things I would love to see. Um, I think what we're gonna see more and more, and this is one of the areas that I think, um, you know, looking at the way Snyk is going to be viewing security in general. We see a lot of component scanning, a lot of people looking at a component scan and seeing vulnerabilities in your component scan. I think what we need to look more upon is consolidating a lot of the data which we have in and around different scans. What I would love to see is perhaps, you know, if you're running something through docker scan, how can you view that data through Snyk, perhaps, how can we get that closer integration through the data that we see. So I would love to see a lot more of that occur, you know, within that relationship, and these are kind of like, you know, we're getting to that stage where we see integration at just various levels. So we have the integration where we are embedded, but how can we make that better for, say, a Snyk user who also comes to the Snyk pages and wants to see that data through Snyk. So I would love to see at that level, uh, more there, whereas, as I mentioned, we have some additional support as well. So you can run docker scan from Linux as well. 
So I can see more and more of that support rolling out, but yeah, in terms of the future, that's where I would love to see us, uh, grow more. >>And I'll see in the landscape side, on the industry side, um, security is going beyond the multiple control planes out there. Kubernetes, serverless, service meshes, etcetera, continues to be the horizontally scalable cloud world. I mean, and you mentioned the edge. So a lot more complexity to rein in and make easier. >>Yeah, I mean, there's a lot more complexity. You know, from a security point of view, the technology, the ability to move quickly and react fast in production, actually helps security a lot, because, you know, being able to spin a container and make changes and bring a container down, these things just weren't possible, you know, 10 years ago, 20 years ago. Pre that, it was insanely hard trying to do that compared to just re-spinning a container up. However, the issue I see from a security point of view, the concerns I see, is more around a culture and an education point of view: we've got all this great tech, and it's awesome, but we need to do it correctly. So making sure that, as you mentioned with making the right decision, what we want to make sure is that the right decision is also the easy decision and the clear decision. So we just need to make sure that as we go down this journey, and we're going down it fast, and I don't see it slowing down, we're going fast down that journey, how do we prepare ourselves for that? We're already seeing, you know, misconfigurations left, right and center in the news: IAM roles, S3 buckets, etcetera. These are simpler fixes than we believe, right? We just need to identify them and make those changes as needed. So we just need to make sure that that is in place as we go forward. But it's exciting times for sure. >>It's really exciting. 
And you got the scanning right at the point of coding, automation to help take that basic misconfiguration, take that off the table. Not a lot of manual work, but ultimately get to that cloud scale. Cool stuff. >>Simon, thank you for coming on theCUBE, DockerCon coverage. Really appreciate your time. Dropped some nice commentary there. Really appreciate it. Thank you. >>My pleasure. Thank you very much. >>Simon Maple, Field CTO at Snyk, hot startup. Big partner with Docker. Security, actually built in. DevOps is now DevSecOps. This is DockerCon CUBE 2021 virtual coverage. I'm John Furrier, your host. Thanks for watching.

Published Date : May 28 2021
