>>Good morning fellow nerds and welcome back to AWS Reinvent. We are live from the show floor here in Las Vegas, Nevada. My name is Savannah Peterson, joined with my fabulous co-host John Furrier. Day two keynotes are rolling. >>Yeah. What do you thinking this? This is the day where everything comes, so the core gets popped off the bottle, all the announcements start flowing out tomorrow. You hear machine learning from swee lot more in depth around AI probably. And then developers with Verner Vos, the CTO who wrote the seminal paper in in early two thousands around web service that becames. So again, just another great year of next level cloud. Big discussion of data in the keynote bulk of the time was talking about data and business intelligence, business transformation easier. Is that what people want? They want the easy button and we're gonna talk a lot about that in this segment. I'm really looking forward to this interview. >>Easy button. We all want the >>Easy, we want the easy button. >>I love that you brought up champagne. It really feels like a champagne moment for the AWS community as a whole. Being here on the floor feels a bit like the before times. I don't want to jinx it. Our next guest, Scott Castle, from Si Sense. Thank you so much for joining us. How are you feeling? How's the show for you going so far? Oh, >>This is exciting. It's really great to see the changes that are coming in aws. It's great to see the, the excitement and the activity around how we can do so much more with data, with compute, with visualization, with reporting. It's fun. >>It is very fun. I just got a note. I think you have the coolest last name of anyone we've had on the show so far, castle. Oh, thank you. I'm here for it. I'm sure no one's ever said that before, but I'm so just in case our audience isn't familiar, tell us about >>Soy Sense is an embedded analytics platform. So we're used to take the queries and the analysis that you can power off of Aurora and Redshift and everything else and bring it to the end user in the applications they already know how to use. So it's all about embedding insights into tools. >>Embedded has been a, a real theme. Nobody wants to, it's I, I keep using the analogy of multiple tabs. Nobody wants to have to leave where they are. They want it all to come in there. Yep. Now this space is older than I think everyone at this table bis been around since 1958. Yep. How do you see Siente playing a role in the evolution there of we're in a different generation of analytics? >>Yeah, I mean, BI started, as you said, 58 with Peter Lu's paper that he wrote for IBM kind of get became popular in the late eighties and early nineties. And that was Gen one bi, that was Cognos and Business Objects and Lotus 1 23 think like green and black screen days. And the way things worked back then is if you ran a business and you wanted to get insights about that business, you went to it with a big check in your hand and said, Hey, can I have a report? And they'd come back and here's a report. And it wasn't quite right. You'd go back and cycle, cycle, cycle and eventually you'd get something. And it wasn't great. It wasn't all that accurate, but it's what we had. And then that whole thing changed in about two, 2004 when self-service BI became a thing. And the whole idea was instead of going to it with a big check in your hand, how about you make your own charts? >>And that was totally transformative. Everybody started doing this and it was great. And it was all built on semantic modeling and having very fast databases and data warehouses. Here's the problem, the tools to get to those insights needed to serve both business users like you and me and also power users who could do a lot more complex analysis and transformation. And as the tools got more complicated, the barrier to entry for everyday users got higher and higher and higher to the point where now you look, look at Gartner and Forester and IDC this year. They're all reporting in the same statistic. Between 10 and 20% of knowledge workers have learned business intelligence and everybody else is just waiting in line for a data analyst or a BI analyst to get a report for them. And that's why the focus on embedded is suddenly showing up so strong because little startups have been putting analytics into their products. People are seeing, oh my, this doesn't have to be hard. It can be easy, it can be intuitive, it can be native. Well why don't I have that for my whole business? So suddenly there's a lot of focus on how do we embed analytics seamlessly? How do we embed the investments people make in machine learning in data science? How do we bring those back to the users who can actually operationalize that? Yeah. And that's what Tysons does. Yeah. >>Yeah. It's interesting. Savannah, you know, data processing used to be what the IT department used to be called back in the day data processing. Now data processing is what everyone wants to do. There's a ton of data we got, we saw the keynote this morning at Adam Lesky. There was almost a standing of vision, big applause for his announcement around ML powered forecasting with Quick Site Cube. My point is people want automation. They want to have this embedded semantic layer in where they are not having all the process of ETL or all the muck that goes on with aligning the data. All this like a lot of stuff that goes on. How do you make it easier? >>Well, to be honest, I, I would argue that they don't want that. I think they, they think they want that, cuz that feels easier. But what users actually want is they want the insight, right? When they are about to make a decision. If you have a, you have an ML powered forecast, Andy Sense has had that built in for years, now you have an ML powered forecast. You don't need it two weeks before or a week after in a report somewhere. You need it when you're about to decide do I hire more salespeople or do I put a hundred grand into a marketing program? It's putting that insight at the point of decision that's important. And you don't wanna be waiting to dig through a lot of infrastructure to find it. You just want it when you need it. What's >>The alternative from a time standpoint? So real time insight, which is what you're saying. Yep. What's the alternative? If they don't have that, what's >>The alternative? Is what we are currently seeing in the market. You hire a bunch of BI analysts and data analysts to do the work for you and you hire enough that your business users can ask questions and get answers in a timely fashion. And by the way, if you're paying attention, there's not enough data analysts in the whole world to do that. Good luck. I am >>Time to get it. I really empathize with when I, I used to work for a 3D printing startup and I can, I have just, I mean, I would call it PTSD flashbacks of standing behind our BI guy with my list of queries and things that I wanted to learn more about our e-commerce platform in our, in our marketplace and community. And it would take weeks and I mean this was only in 2012. We're not talking 1958 here. We're talking, we're talking, well, a decade in, in startup years is, is a hundred years in the rest of the world life. But I think it's really interesting. So talk to us a little bit about infused and composable analytics. Sure. And how does this relate to embedded? Yeah. >>So embedded analytics for a long time was I want to take a dashboard I built in a BI environment. I wanna lift it and shift it into some other application so it's close to the user and that is the right direction to go. But going back to that statistic about how, hey, 10 to 20% of users know how to do something with that dashboard. Well how do you reach the rest of users? Yeah. When you think about breaking that up and making it more personalized so that instead of getting a dashboard embedded in a tool, you get individual insights, you get data visualizations, you get controls, maybe it's not even actually a visualization at all. Maybe it's just a query result that influences the ordering of a list. So like if you're a csm, you have a list of accounts in your book of business, you wanna rank those by who's priorities the most likely to churn. >>Yeah. You get that. How do you get that most likely to churn? You get it from your BI system. So how, but then the question is, how do I insert that back into the application that CSM is using? So that's what we talk about when we talk about Infusion. And SI started the infusion term about two years ago and now it's being used everywhere. We see it in marketing from Click and Tableau and from Looker just recently did a whole launch on infusion. The idea is you break this up into very small digestible pieces. You put those pieces into user experiences where they're relevant and when you need them. And to do that, you need a set of APIs, SDKs, to program it. But you also need a lot of very solid building blocks so that you're not building this from scratch, you're, you're assembling it from big pieces. >>And so what we do aty sense is we've got machine learning built in. We have an LQ built in. We have a whole bunch of AI powered features, including a knowledge graph that helps users find what else they need to know. And we, we provide those to our customers as building blocks so that they can put those into their own products, make them look and feel native and get that experience. In fact, one of the things that was most interesting this last couple of couple of quarters is that we built a technology demo. We integrated SI sensee with Office 365 with Google apps for business with Slack and MS teams. We literally just threw an Nlq box into Excel and now users can go in and say, Hey, which of my sales people in the northwest region are on track to meet their quota? And they just get the table back in Excel. They can build charts of it and PowerPoint. And then when they go to their q do their QBR next week or week after that, they just hit refresh to get live data. It makes it so much more digestible. And that's the whole point of infusion. It's bigger than just, yeah. The iframe based embedding or the JavaScript embedding we used to talk about four or five years >>Ago. APIs are very key. You brought that up. That's gonna be more of the integration piece. How does embedable and composable work as more people start getting on board? It's kind of like a Yeah. A flywheel. Yes. What, how do you guys see that progression? Cause everyone's copying you. We see that, but this is a, this means it's standard. People want this. Yeah. What's next? What's the, what's that next flywheel benefit that you guys coming out with >>Composability, fundamentally, if you read the Gartner analysis, right, they, when they talk about composable, they're talking about building pre-built analytics pieces in different business units for, for different purposes. And being able to plug those together. Think of like containers and services that can, that can talk to each other. You have a composition platform that can pull it into a presentation layer. Well, the presentation layer is where I focus. And so the, so for us, composable means I'm gonna have formulas and queries and widgets and charts and everything else that my, that my end users are gonna wanna say almost minority report style. If I'm not dating myself with that, I can put this card here, I can put that chart here. I can set these filters here and I get my own personalized view. But based on all the investments my organization's made in data and governance and quality so that all that infrastructure is supporting me without me worrying much about it. >>Well that's productivity on the user side. Talk about the software angle development. Yeah. Is your low code, no code? Is there coding involved? APIs are certainly the connective tissue. What's the impact to Yeah, the >>Developer. Oh. So if you were working on a traditional legacy BI platform, it's virtually impossible because this is an architectural thing that you have to be able to do. Every single tool that can make a chart has an API to embed that chart somewhere. But that's not the point. You need the life cycle automation to create models, to modify models, to create new dashboards and charts and queries on the fly. And be able to manage the whole life cycle of that. So that in your composable application, when you say, well I want chart and I want it to go here and I want it to do this and I want it to be filtered this way you can interact with the underlying platform. And most importantly, when you want to use big pieces like, Hey, I wanna forecast revenue for the next six months. You don't want it popping down into Python and writing that yourself. >>You wanna be able to say, okay, here's my forecasting algorithm. Here are the inputs, here's the dimensions, and then go and just put it somewhere for me. And so that's what you get withy sense. And there aren't any other analytics platforms that were built to do that. We were built that way because of our architecture. We're an API first product. But more importantly, most of the legacy BI tools are legacy. They're coming from that desktop single user, self-service, BI environment. And it's a small use case for them to go embedding. And so composable is kind of out of reach without a complete rebuild. Right? But with SI senses, because our bread and butter has always been embedding, it's all architected to be API first. It's integrated for software developers with gi, but it also has all those low code and no code capabilities for business users to do the minority report style thing. And it's assemble endless components into a workable digital workspace application. >>Talk about the strategy with aws. You're here at the ecosystem, you're in the ecosystem, you're leading product and they have a strategy. We know their strategy, they have some stuff, but then the ecosystem goes faster and ends up making a better product in most of the cases. If you compare, I know they'll take me to school on that, but I, that's pretty much what we report on. Mongo's doing a great job. They have databases. So you kind of see this balance. How are you guys playing in the ecosystem? What's the, what's the feedback? What's it like? What's going on? >>AWS is actually really our best partner. And the reason why is because AWS has been clear for many, many years. They build componentry, they build services, they build infrastructure, they build Redshift, they build all these different things, but they need, they need vendors to pull it all together into something usable. And fundamentally, that's what Cient does. I mean, we didn't invent sequel, right? We didn't invent jackal or dle. These are not, these are underlying analytics technologies, but we're taking the bricks out of the briefcase. We're assembling it into something that users can actually deploy for their use cases. And so for us, AWS is perfect because they focus on the hard bits. The the underlying technologies we assemble those make them usable for customers. And we get the distribution. And of course AWS loves that. Cause it drives more compute and it drives more, more consumption. >>How much do they pay you to say that >>Keynote, >>That was a wonderful pitch. That's >>Absolutely, we always say, hey, they got a lot of, they got a lot of great goodness in the cloud, but they're not always the best at the solutions and that they're trying to bring out, and you guys are making these solutions for customers. Yeah. That resonates with what they got with Amazon. For >>Example, we, last year we did a, a technology demo with Comprehend where we put comprehend inside of a semantic model and we would compile it and then send it back to Redshift. And it takes comprehend, which is a very cool service, but you kind of gotta be a coder to use it. >>I've been hear a lot of hype about the semantic layer. What is, what is going on with that >>Semantec layer is what connects the actual data, the tables in your database with how they're connected and what they mean so that a user like you or me who's saying I wanna bar chart with revenue over time can just work with revenue and time. And the semantic layer translates between what we did and what the database knows >>About. So it speaks English and then they converts it to data language. It's >>Exactly >>Right. >>Yeah. It's facilitating the exchange of information. And, and I love this. So I like that you actually talked about it in the beginning, the knowledge map and helping people figure out what they might not know. Yeah. I, I am not a bi analyst by trade and I, I don't always know what's possible to know. Yeah. And I think it's really great that you're doing that education piece. I'm sure, especially working with AWS companies, depending on their scale, that's gotta be a big part of it. How much is the community play a role in your product development? >>It's huge because I'll tell you, one of the challenges in embedding is someone who sees an amazing experience in outreach or in seismic. And to say, I want that. And I want it to be exactly the way my product is built, but I don't wanna learn a lot. And so you, what you want do is you want to have a community of people who have already built things who can help lead the way. And our community, we launched a new version of the SES community in early 2022 and we've seen a 450% growth in the c in that community. And we've gone from an average of one response, >>450%. I just wanna put a little exclamation point on that. Yeah, yeah. That's awesome. We, >>We've tripled our organic activity. So now if you post this Tysons community, it used to be, you'd get one response maybe from us, maybe from from a customer. Now it's up to three. And it's continuing to trend up. So we're, it's >>Amazing how much people are willing to help each other. If you just get in the platform, >>Do it. It's great. I mean, business is so >>Competitive. I think it's time for the, it's time. I think it's time. Instagram challenge. The reels on John. So we have a new thing. We're gonna run by you. Okay. We just call it the bumper sticker for reinvent. Instead of calling it the Instagram reels. If we're gonna do an Instagram reel for 30 seconds, what would be your take on what's going on this year at Reinvent? What you guys are doing? What's the most important story that you would share with folks on Instagram? >>You know, I think it's really what, what's been interesting to me is the, the story with Redshift composable, sorry. No, composable, Redshift Serverless. Yeah. One of the things I've been >>Seeing, we know you're thinking about composable a lot. Yes. Right? It's, it's just, it's in there, it's in your mouth. Yeah. >>So the fact that Redshift Serverless is now kind becoming the defacto standard, it changes something for, for my customers. Cuz one of the challenges with Redshift that I've seen in, in production is if as people use it more, you gotta get more boxes. You have to manage that. The fact that serverless is now available, it's, it's the default means it now people are just seeing Redshift as a very fast, very responsive repository. And that plays right into the story I'm telling cuz I'm telling them it's not that hard to put some analysis on top of things. So for me it's, it's a, maybe it's a narrow Instagram reel, but it's an >>Important one. Yeah. And that makes it better for you because you get to embed that. Yeah. And you get access to better data. Faster data. Yeah. Higher quality, relevant, updated. >>Yep. Awesome. As it goes into that 80% of knowledge workers, they have a consumer great expectation of experience. They're expecting that five ms response time. They're not waiting 2, 3, 4, 5, 10 seconds. They're not trained on theola expectations. And so it's, it matters a lot. >>Final question for you. Five years out from now, if things progress the way they're going with more innovation around data, this front end being very usable, semantic layer kicks in, you got the Lambda and you got serverless kind of coming in, helping out along the way. What's the experience gonna look like for a user? What's it in your mind's eye? What's that user look like? What's their experience? >>I, I think it shifts almost every role in a business towards being a quantitative one. Talking about, Hey, this is what I saw. This is my hypothesis and this is what came out of it. So here's what we should do next. I, I'm really excited to see that sort of scientific method move into more functions in the business. Cuz for decades it's been the domain of a few people like me doing strategy, but now I'm seeing it in CSMs, in support people and sales engineers and line engineers. That's gonna be a big shift. Awesome. >>Thank >>You Scott. Thank you so much. This has been a fantastic session. We wish you the best at si sense. John, always pleasure to share the, the stage with you. Thank you to everybody who's attuning in, tell us your thoughts. We're always eager to hear what, what features have got you most excited. And as you know, we will be live here from Las Vegas at reinvent from the show floor 10 to six all week except for Friday. We'll give you Friday off with John Furrier. My name's Savannah Peterson. We're the cube, the the, the leader in high tech coverage.

>>Hey guys and girls, welcome back to Motor City, Lisa Martin here with John Furrier on the Cube's third day of coverage of Coon Cloud Native Con North America. John, we've had some great conversations over the last two and a half days. We've been talking about identity and security management as a critical need for enterprises within the cloud native space. We're gonna have another quick conversation >>On that. Yeah, we got a great segment coming up from someone who's been in the industry, a long time expert, running a great company. Now it's gonna be one of those pieces that fits into what we call super cloud. Others are calling cloud operating system. Some are calling just Cloud 2.0, 3.0. But there's definitely a major trend happening around how cloud is going Next generation. We've been covering it. So this segment should be >>Great. Let's unpack those trends. One of our alumni is back with us, O Rika Zi, co-founder and CEO of Aerio. Omri. Great to have you back on the >>Cube. Thank you. Great to be here. >>So identity move to the cloud, Access authorization did not talk to us about why you found it assertive, what you guys are doing and how you're flipping that script. >>Yeah, so back 15 years ago, I helped start Azure at Microsoft. You know, one of the first few folks that you know, really focused on enterprise services within the Azure family. And at the time I was working for the guy who ran all of Windows server and you know, active directory. He called it the linchpin workload for the Windows Server franchise, like big words. But what he meant was we had 95% market share and all of these new SAS applications like ServiceNow and you know, Workday and salesforce.com, they had to invent login and they had to invent access control. And so we were like, well, we're gonna lose it unless we figure out how to replace active directory. And that's how Azure Active Directory was born. And the first thing that we had to do as an industry was fix identity, right? Yeah. So, you know, we worked on things like oof Two and Open, Id Connect and SAML and Jot as an industry and now 15 years later, no one has to go build login if you don't want to, right? You have companies like Odd Zero and Okta and one login Ping ID that solve that problem solve single sign-on, on the web. But access Control hasn't really moved forward at all in the last 15 years. And so my co-founder and I who were both involved in the early beginnings of Azure Active directory, wanted to go back to that problem. And that problem is even bigger than identity and it's far from >>Solved. Yeah, this is huge. I think, you know, self-service has been a developer thing that's, everyone knows developer productivity, we've all experienced click sign in with your LinkedIn or Twitter or Google or Apple handle. So that's single sign on check. Now the security conversation kicks in. If you look at with this no perimeter and cloud, now you've got multi-cloud or super cloud on the horizon. You've got all kinds of opportunities to innovate on the security paradigm. I think this is kind of where I'm hearing the most conversation around access control as well as operationally eliminating a lot of potential problems. So there's one clean up the siloed or fragmented access and two streamlined for security. What's your reaction to that? Do you agree? And if not, where, where am I missing that? >>Yeah, absolutely. If you look at the life of an IT pro, you know, back in the two thousands they had, you know, l d or active directory, they add in one place to configure groups and they'd map users to groups. And groups typically corresponded to roles and business applications. And it was clunky, but life was pretty simple. And now they live in dozens or hundreds of different admin consoles. So misconfigurations are rampant and over provisioning is a real problem. If you look at zero trust and the principle of lease privilege, you know, all these applications have these course grained permissions. And so when you have a breach, and it's not a matter of if, it's a matter of when you wanna limit the blast radius of you know what happened, and you can't do that unless you have fine grained access control. So all those, you know, all those reasons together are forcing us as an industry to come to terms with the fact that we really need to revisit access control and bring it to the age of cloud. >>You guys recently, just this week I saw the blog on Topaz. Congratulations. Thank you. Talk to us about what that is and some of the gaps that's gonna help sarto to fill for what's out there in the marketplace. >>Yeah, so right now there really isn't a way to go build fine grains policy based real time access control based on open source, right? We have the open policy agent, which is a great decision engine, but really optimized for infrastructure scenarios like Kubernetes admission control. And then on the other hand, you have this new, you know, generation of access control ideas. This model called relationship based access control that was popularized by Google Zanzibar system. So Zanzibar is how they do access control for Google Docs and Google Drive. If you've ever kind of looked at a Google Doc and you know you're a viewer or an owner or a commenter, Zanzibar is the system behind it. And so what we've done is we've married these two things together. We have a policy based system, OPPA based system, and at the same time we've brought together a directory, an embedded directory in Topaz that allows you to answer questions like, does this user have this permission on this object? And bringing it all together, making it open sources a real game changer from our perspective, real >>Game changer. That's good to hear. What are some of the key use cases that it's gonna help your customers address? >>So a lot of our customers really like the idea of policy based access management, but they don't know how to bring data to that decision engine. And so we basically have a, you know, a, a very opinionated way of how to model that data. So you import data out of your identity providers. So you connect us to Okta or oze or Azure, Azure Active directory. And so now you have the user data, you can define groups and then you can define, you know, your object hierarchy, your domain model. So let's say you have an applicant tracking system, you have nouns like job, you know, know job descriptions or candidates. And so you wanna model these things and you want to be able to say who has access to, you know, the candidates for this job, for example. Those are the kinds of rules that people can express really easily in Topaz and in assertive. >>What are some of the challenges that are happening right now that dissolve? What, what are you looking at to solve? Is it complexity, sprawl, logic problems? What's the main problem set you guys >>See? Yeah, so as organizations grow and they have more and more microservices, each one of these microservices does authorization differently. And so it's impossible to reason about the full surface area of, you know, permissions in your application. And more and more of these organizations are saying, You know what, we need a standard layer for this. So it's not just Google with Zanzibar, it's Intuit with Oddy, it's Carta with their own oddy system, it's Netflix, you know, it's Airbnb with heed. All of them are now talking about how they solve access control extracted into its own service to basically manage complexity and regain agility. The other thing is all about, you know, time to market and, and tco. >>So, so how do you work with those services? Do you replace them, you unify them? What is the approach that you're taking? >>So basically these organizations are saying, you know what? We want one access control service. We want all of our microservices to call that thing instead of having to roll out our own. And so we, you know, give you the guts for that service, right? Topaz is basically the way that you're gonna go implement an access control service without having to go build it the same way that you know, large companies like Airbnb or Google or, or a car to >>Have. What's the competition look like for you guys? I'm not really seeing a lot of competition out there. Are there competitors? Are there different approaches? What makes you different? >>Yeah, so I would say that, you know, the biggest competitor is roll your own. So a lot of these companies that find us, they say, We're sick and tired of investing 2, 3, 4 engineers, five engineers on this thing. You know, it's the gift that keeps on giving. We have to maintain this thing and so we can, we can use your solution at a fraction of the cost a, a fifth, a 10th of what it would cost us to maintain it locally. There are others like Sty for example, you know, they are in the space, but more in on the infrastructure side. So they solve the problem of Kubernetes submission control or things like that. So >>Rolling your own, there's a couple problems there. One is do they get all the corner cases who built a they still, it's a company. Exactly. It's heavy lifting, it's undifferentiated, you just gotta check the box. So probably will be not optimized. >>That's right. As Bezo says, only focus on the things that make your beer taste better. And access control is one of those things. It's part of your security, you know, posture, it's a critical thing to get right, but you know, I wanna work on access control, said no developer ever, right? So it's kind of like this boring, you know, like back office thing that you need to do. And so we give you the mechanisms to be able to build it securely and robustly. >>Do you have a, a customer story example that is one of your go-tos that really highlights how you're improving developer productivity? >>Yeah, so we have a couple of them actually. So there's the largest third party B2B marketplace in the us. Free retail. Instead of building their own, they actually brought in aer. And what they wanted to do with AER was be the authorization layer for both their externally facing applications as well as their internal apps. So basically every one of their applications now hooks up to AER to do authorization. They define users and groups and roles and permissions in one place and then every application can actually plug into that instead of having to roll out their own. >>I'd like to switch gears if you don't mind. I get first of all, great update on the company and progress. I'd like to get your thoughts on the cloud computing market. Obviously you were your legendary position, Azure, I mean look at the, look at the progress over the past few years. Just been spectacular from Microsoft and you set the table there. Amazon web service is still, you know, thundering away even though earnings came out, the market's kind of soft still. You know, you see the cloud hyperscalers just continuing to differentiate from software to chips. Yep. Across the board. So the hyperscalers kicking ass taking names, doing great Microsoft right up there. What's the future? Cuz you now have the conversation where, okay, we're calling it super cloud, somebody calling multi-cloud, somebody calling it distributed computing, whatever you wanna call it. The old is now new again, it just looks different as cloud becomes now the next computer industry, >>You got an operating system, you got applications, you got hardware, I mean it's all kind of playing out just on a massive global scale, but you got regions, you got all kinds of connected systems edge. What's your vision on how this plays out? Because things are starting to fall into place. Web assembly to me just points to, you know, app servers are coming back, middleware, Kubernetes containers, VMs are gonna still be there. So you got the progression. What's your, what's your take on this? How would you share, share your thoughts to a friend or the industry, the audience? So what's going on? What's, what's happening right now? What's, what's going on? >>Yeah, it's funny because you know, I remember doing this quite a few years ago with you probably in, you know, 2015 and we were talking about, back then we called it hybrid cloud, right? And it was a vision, but it is actually what's going on. It just took longer for it to get here, right? So back then, you know, the big debate was public cloud or private cloud and you know, back when we were, you know, talking about these ideas, you know, we said, well you know, some applications will always stay on-prem and some applications will move to the cloud. I was just talking to a big bank and they basically said, look, our stated objective now is to move everything we can to the public cloud and we still have a large private cloud investment that will never go away. And so now we have essentially this big operating system that can, you know, abstract all of this stuff. So we have developer platforms that can, you know, sit on top of all these different pieces of infrastructure and you know, kind of based on policy decide where these applications are gonna be scheduled. So, you know, the >>Operating schedule shows like an operating system function. >>Exactly. I mean like we now, we used to have schedulers for one CPU or you know, one box, then we had schedulers for, you know, kind of like a whole cluster and now we have schedulers across the world. >>Yeah. My final question before we kind of get run outta time is what's your thoughts on web assembly? Cuz that's getting a lot of hype here again to kind of look at this next evolution again that's lighter weight kind of feels like an app server kind of direction. What's your, what's your, it's hyped up now, what's your take on that? >>Yeah, it's interesting. I mean back, you know, what's, what's old is new again, right? So, you know, I remember back in the late nineties we got really excited about, you know, JVMs and you know, this notion of right once run anywhere and yeah, you know, I would say that web assembly provides a pretty exciting, you know, window into that where you can take the, you know, sandboxing technology from the JavaScript world, from the browser essentially. And you can, you know, compile an application down to web assembly and have it real, really truly portable. So, you know, we see for example, policies in our world, you know, with opa, one of the hottest things is to take these policies and can compile them to web assemblies so you can actually execute them at the edge, you know, wherever it is that you have a web assembly runtime. >>And so, you know, I was just talking to Scott over at Docker and you know, they're excited about kind of bringing Docker packaging, OCI packaging to web assemblies. So we're gonna see a convergence of all these technologies right now. They're kind of each, each of our, each of them are in a silo, but you know, like we'll see a lot of the patterns, like for example, OCI is gonna become the packaging format for web assemblies as it is becoming the packaging format for policies. So we did the same thing. We basically said, you know what, we want these policies to be packaged as OCI assembly so that you can sign them with cosign and bring the entire ecosystem of tools to bear on OCI packages. So convergence is I think what >>We're, and love, I love your attitude too because it's the open source community and the developers who are actually voting on the quote defacto standard. Yes. You know, if it doesn't work, right, know people know about it. Exactly. It's actually a great new production system. >>So great momentum going on to the press released earlier this week, clearly filling the gaps there that, that you and your, your co-founder saw a long time ago. What's next for the assertive business? Are you hiring? What's going on there? >>Yeah, we are really excited about launching commercially at the end of this year. So one of the things that we were, we wanted to do that we had a promise around and we delivered on our promise was open sourcing our edge authorizer. That was a huge thing for us. And we've now completed, you know, pretty much all the big pieces for AER and now it's time to commercially launch launch. We already have customers in production, you know, design partners, and you know, next year is gonna be the year to really drive commercialization. >>All right. We will be watching this space ery. Thank you so much for joining John and me on the keep. Great to have you back on the program. >>Thank you so much. It was a pleasure. >>Our pleasure as well For our guest and John Furrier, I'm Lisa Martin, you're watching The Cube Live. Michelle floor of Con Cloud Native Con 22. This is day three of our coverage. We will be back with more coverage after a short break. See that.

(upbeat music) >> Welcome back, everyone. Live coverage here at KubeCon + CloudNativeCon here in Detroit, Michigan. I'm John Furrier, your host of theCUBE for special one-on-one conversation with Scott Johnston, who's the CEO of Docker, CUBE alumni, been around the industry, multiple cycles of innovation, leading one of the most important companies in today's industry inflection point as Docker what they've done since they're, I would say restart from the old Docker to the new Docker, now modern, and the center of the conversation with containers driving the growth of Kubernetes. Scott, great to see you. Thanks for coming on theCUBE. >> John, thanks for the invite. Glad to be here. >> You guys have had great success this year with extensions. Docker as a business model's grown. Congratulations, you guys are monetizing well. Pushing up over 50 million. >> Thank you. >> I hear over pushing a hundred million maybe. What the year to the ground will tell me, but it's good sign. Plus you've got the community and nurturing of the ecosystem continuing to power away and open source is not stopping. It's thundering away growth. Younger generation coming in. >> That's right. >> Developer tool chain that you have has become consistent. Almost de facto standard. Others are coming in the market. A lot of competition emerging. You got a lot going on right now. What's going on? >> Well, I know it's fantastic time in our industry. Like all companies are becoming software companies. That means they need to build new applications. That means they need developers to be productive and to be safely productive. And we, and this wonderful CNCF ecosystem are right in the middle of that trend, so it's fantastic. >> So you have millions of developers using Docker. >> Tens of millions. >> Tens of millions of developed Docker and as the market's changing, I was commenting before we came on camera, and I'd love to get your reaction, comment on it. You guys represent the modernization of containers, open source. You haven't really changed how open source works, but you've kind of modernized it. You're starting to see developers at the front lines, more and more power going to developers. >> Scott: That's right. >> They want self-service. They vote with their code. >> That's right. >> They vote with their actions. >> Scott: That's right. >> And if you take digital transformation to its conclusion, it's not IT serves the business or it's a department, the company is IT. >> That's right. >> The company is the application, which means developers are running everything. >> Yes, yes. I mean, one of the jokes, not jokes in the valley is that Tesla is in a car company. Tesla is a computer company that happens to have wheels on the computer. And I think we can smile at that, but there's so many businesses, particularly during COVID, that realize that. What happened during COCID? If you're going to the movies, nope, you're now going to Netflix. If you're going to the gym, now you're doing Peloton. So this realization that like I have to have a digital game, not just on the side, but it has to be the forefront of my business and drive my business. That realization is now any industry, any company across the board. >> We've been reporting aggressively for past three years now. Even now we're calling some things supercloud. If companies, if they don't realize that IT is not a department, they will probably be out of business. >> That's a hundred percent. >> It's going to transform into full on invisible infrastructure. Infrastructure as code, whatever you want to call that going, configuration, operations, developers will set the pace. This has a lot to do with some of your success. You're at the beginning of it. This is just the beginning. What can you talk about that in your mind is contributing to the success of Docker? I know you're going to say team, everything, I get that, but like what specifically in the industry is driving Docker's success right now? >> Well, it did. We did have a fantastic team. We do have a fantastic team and that is one of the reasons, primary reasons our success. But what is also happening, John, is because there's a demand for applications, I'll just throw it out there. 750 million new applications are coming in the market in the next two years. That is more applications that have been developed in the entire 40 years history of IT. So just think about the productivity demands that are coming at developers. And then you also see the need to do so safely, meaning ship quickly, but ship safely. And yet 90 some percent of every application consists of open source components that are now on attack surface for criminals. And so typically our industry has had to say one or the other, okay, you can ship quickly but not safely, or you can ship safely, but it's not going to go fast. And one of the reasons I think Docker is where it is today is that we're able to offer both. We're able to unlock that you can ship quickly, safely using Docker, using the Docker toolchain, using integrations we have with all the wonderful partners here at CNCF that is unique. And that's a big reason why we're seeing the success we're seeing. >> And you're probably pleased with extensions this year. >> Yes. >> The performance of extensions that you launched at DockerCon '22. >> Yes. Well, extensions are part of that story and that developers have multiple tools. They want choice, developers like choice to be productive and Docker is part of that, but it's not the only solution. And so Docker extensions allow the monitoring providers and the observability and if you want a separate Kubernetes stack, like all of that flexibility, extensions allows. And again, offers the power and the innovation of this ecosystem to be used in a Docker development and context. >> Well, I want to get into some of the details of some of your products and how they're evolving. But first I want to get your thoughts on the trend line here that we reported at the opening segment. The hot story is WebAssembly, the Wasm, which really got a lot of traction or interest. People enthous about it. >> Interest, yeah. >> Lot of enthusiasm. Confidence we'll see how that evolves, but a lot of enthusiasm for sure. I've never seen something this hyped up since Envoy, in my opinion. So a lot of interest from developers. What is Wasm or WebAssembly is actually what it is, but Wasm is the codeword or nickname. What is Wasm? >> So in brief, WebAssembly is a new application type, full stop. And it's just enough of the components that you need and it's just a binary format that is very, very secure. And so it's lightweight, it's fast and secure. And so it opens up a lot of interesting use cases for developer, particularly on the edge. Another use case for Wasm is in the browser. Again, lightweight, fast, secure also. >> John: Sounds like an app server to me. >> And so we think it's a very, very interesting trend. And you ask, Okay, what's Docker's role in that? Well, Docker has been around eight years now, eight plus years, tens of millions developers using it. They've already made investments in skills, talent, automation, toolchains, pipelines. And Docker started with Linux containers as we know, then brought that same experience to Windows containers, then brought it to serverless functions. About 25% of Amazon Lambdas are OCI image containers. And so we were seeing that trend. We were also seeing the community actually without any prompting from us, start to fork and play with Docker and apply it to Wasm. And we're like, Huh, that's interesting. What if we helped get behind that trend, such that you changed just one line of a Docker file, now you're able to produce Wasm objects instead of Linux containers and just bring that same easy to use. >> So that's not a competition to Docker's? >> Not a competition at all. In fact, very complimentary. We showed off on Monday at the Wasm day, how in the same Docker compose application, multi-service application. One service is delivered via Linux container, Another service is delivered via Wasm. >> And Wasm is what? Multiple languages? 'Cause what is it? >> Yes. So the binary can be compiled from multiple languages. So RAS, JavaScript, on and on and on. At the end of the day, it's a smaller binary that provides a function, typically a single function that you can stand up and deploy on an edge. You can stand up and deploy on the server side or stand up and deploy on the browser. >> So from a container standpoint, from your customer standpoint, what a Linux container is is a similar thing to what a Wasm container is. >> They could implement the same function. That's right. Now a Linux container can have more capabilities that a function might not have, but that's. >> John: From a workflow standpoint. >> That's right. And that's more of a use case by use case standpoint. What we serve is we serve developers and we started out serving developers with Linux containers, then Windows containers, then Lambdas, now Wasm. Whatever other use case, what other application type comes along, we want to be there to serve developers. >> So one of the things I want to get your thoughts on, because this has come up in a couple CUBE interviews before, and we were talking before we came on camera, is developers want ease of use and simplicity. They don't want more steps to do things. They don't want things harder. >> That's right. So the classic innovation is reduce the time it takes to do something, reduce the steps, make it easier. That's a formula of success. >> Scott: That's right. >> When you start adding more toolchains into the mix, you get tool sprawl. So that's not really, that's antithesis to developer. So the argument is, okay, do I have to use a new tool chain for Wasm? Is that a fact or no? >> That's exactly right. That was what we were seeing and we thought, well, how can Docker help with this situation? And Docker can help by bringing the same existing toolchain that developers are already familiar with. The same automation, the same pipelines. And just by changing a line of Docker file, changing a single line of composed file, now they get the power of Wasm unlocked in the very same tools they were using before. >> So your position is, hey, don't adopt some toolchain for Wasm. You can just do it in line with Docker. >> No need to, no need to. We're providing it right there out of the box, ready for them. >> That's raise and extend, as they would say, build Microsoft strategy there. That's nice. Okay, so let's get back into like the secure trusted 'cause that was another theme at DockerCon. We covered that deeply. Software supply chain, I was commenting on my intro with Savannah and Lisa that at some point open source means so plentiful. You might not have to write code. You got to glue together. So as code proliferates, the question what's in there? >> That's right. This is what they call the software supply chain. You've been all over this. Where are we with this? Is it harder now? Is it easier? Was there progress? Take us through what's the state of the art. I think we're early on this one, John, in the industry because I think the realization of how much open source is inside a given app is just now hitting consciousness. And so the data we have is that for any given application, anywhere from 75 to 85% is actually not unique to the developer or the organization. It's open source components that they have put together. And it's really down to that last 15, 25%, which is their own unique code that they're adding on top of all this open source code. So right there, it's like, aha, that's a pretty interesting profile or distribution of value, which means those open source components, where are they finding them? How are they integrating them? How do they know those open source components are going to be supported and trusted and secured? And that's the challenge for us as an industry right now is to make it just obvious where to get the components, how safe they are, who's standing behind them, and how easy it is to assemble them into a working application. >> All right. So the question that I had specifically on security 'cause this had come up before. All good on the trusted and I think that message is evergreen. It's a north star. That's a north star for you. How are you making images more secure and how are you enabling organizations to identify security issues in containers? Can you share your strategy and thoughts on that particular point? >> Yes. So there's a range of things in the secure software supply chain and it starts with, are you starting with trusted open source components that you know have support, that you know are secured? So in Docker Hub today, we have 14 million applications, but a subset of that, we've worked with the upstream providers to basically designate as trusted open source content. So this is the Docker official images, Docker verified publisher images, Docker sponsored open source. And those different categories have levels of certification assurance that they must go through. Generate an SBOM, so you know what's inside that container. It has to be scanned by a scanning tool and those scanning results have to be made available. >> John: Are you guys scanning that? >> So we provide a scanner, they can use another scanner as long as they publish the results of that scan. And then the whole thing is signed. >> Are you publishing the results on your side too? >> Yeah, we published our results through an open database that's accessible to all. >> Free. >> Free, a hundred percent free. You come in and you can see every image on hub. >> So I'm a user, for free I can see security vulnerabilities that are out there that have been identified. >> By version, by layer, all the way through. And you can see tracking all the way back to the package that's upstream. So you know how to remediate and we provide recommendations on how to remediate that with the latest version. >> John: And you don't charge for that. >> We don't charge for that. We do not charge for that. And so that's the trusted upstream. >> So organization can look at the scan, they can look at the scan data and hopefully, what happens if they're not scanned? >> So we provide scanning tools both for the local environments for Docker Desktop, as well as for hub. So if you want to do your own scan, so for example, when you're that developer adding the 15, 25%, you got to scan your stuff as well. Not just leave it up to the already scanned components. And so we provide tools there. We also provide tools to track the packages that that developer might be including in their custom code, all the way back upstream to whatever MPM repo or what have you that they picked up. And then if there's a CVE 30 days later, we also track that as well. We say, Hey, that package was was safe 29 days ago, but today CVE just came out, better upgrade to the latest version and get that out there. So basically if you get down to it, it's like start with trusted components and then have observability not just on the moment. >> And scan all the time. >> Scan all the time and scanning gives you that observability and importantly not just at that moment, but through the lifecycle of the application, through lifecycle of the artifact. So end-to-end 24/7 observability of the state of your supply chain. That's what's key, John. >> That's the best practice. >> That's the key. That's the key. >> Awesome, I agree. That's great. Well, I'm glad we've dug into that's super important. Obviously organizations can get that scanning that's exceed the vulnerabilities, that can take action. That's going to be a big focus here for you, security. It's not going to stop, is it? >> It's never going to stop because criminals are incentive to keep attacking. And so it's the gift that keeps on giving, if you will. >> Okay, so let's get into some of the products. Docker Desktop seems to be doing well. Docker Hub has always been a staple of it. And how's that going? >> Yeah, Docker Hub has 18 million monthly actives hitting it and that's growing by double digits year over year. And what they're finding, going back to our previous thread, John, is that they're coming there for the trusted content. In fact, those three categories that I referenced earlier are about 2000 applications of the 14 million. And yet they represent 56% of the 15 billion downloads a month from Docker Hub. Meaning developers are identifying that, hey, I want trusted source. We raise those in the search results and we have a visual cue. And so that's the big driver of hub's growth right now, is I want trusted content, where do I go? I go to Hub, download that trusted open source and I'm ready to go. >> I have been seeing some chatter on the internet and some people's sharing that they're looking at other places, besides hub, to do some things. What's your message to folks out there around Docker Hub? Why Docker Hub and desktop together? 'Cause you mentioned the toolchain before, but those two areas, I know they've been around for a while, you continue to work on them. What's the message to the folks out there about stay with the hub? >> Sure. I mean the beauty of our ecosystem is that it's interoperable. The standards for build, share and run, we're all using them here at CNCF. So yes, there's other registries. What we would say is we have the 18 million monthly active that are pulling, we have the worldwide distribution that is 24/7 high, five nines reliability, and frankly, we're there to provide choice. And so yes, we have have our trusted content, but for example, the Tanzu apps, they also distribute through us. Red Hat applications also distribute through us because we have the reach and the distribution and offer developers choice of Dockers content, choice of Red Hats content, choice of VMware's, choice of Bitnami, so on so forth. So come to the hub for the distribution to reach and that the requirements we have for security that we put in place for our publishers, give users and publishers an extra degree of assurance. >> So the Docker Hub is an important part of the system? >> Scott: Yes, very much so. >> And desktop, what's new with desktop? >> So desktop of course is the other end of the spectrum. So if trusted components start up on Docker Hub, developers are pulling them down to the desktop to start assembling their application. And so the desktop gives that developer all the tools he or she needs to build that modern application. So you can have your build tooling, your debug tooling, your IDE sitting alongside there, your Docker run, your Docker compose up. And so the loop that we see happening is the dev will have a database they download from hub, a front-end, they'll add their code to it and they'll just rapidly iterate. They'll make a change, stand it up, do a unit test, and when they're satisfied do a git commit, off it goes into production. >> And your goal obviously is to have developers stay with Docker for their toolchain, their experience, make it their home base. >> And their trusted content. That's right. And the trusted content and the extensions are part of that. 'Cause the extensions provide complimentary tooling for that local experience. >> You guys have done an amazing job. I want to give you personal props. I've been following Docker from the beginning when they had the pivot, they sold the enterprise to Mirantis, went back to the roots, modernized, riding the wave. You guys are having a good time. I got to ask the question 'cause people always want to know 'cause open source is about transparency. How you guys making your money? Business is good. How's that work and what was the lucky, what was the not lucky strike, but what was the aha moment? What was the trigger that just made you just kick in this new monetization growth wave? >> So the monetization is per seat, per developer seat. And that changed in November 2019. We were pricing on the server side before, and as you said, we sold that off. And what changed is some of the trends we were talking about that the realization by all organizations that they had to become software companies. And Docker provided the productivity in an engineered desktop product and the trusted content, it provided the productivity safely to developers. And frankly then we priced it at a rate that is very reasonable from an economic standpoint. If you look at developer productivity, developers are paid anywhere from 150 to 300 to 400, 500,000 even higher. >> But when you're paying your developers that much, then productivity is a premium. And what we were asking for from companies from a licensing standpoint was really a modest relative to the making those developers product. >> It's not like Oracle. I mean talk about extracting the value out of the customer. But your point is your positioning is always stay quarter of the open source, but for companies that adopt the structural change to be developer first, a software company, there's a premium to pay because you devalue there. >> And need the tooling to roll it out at scales. So the companies are paying us. They're rolling it out to tens of thousand developers, John. So they need management, they need visibility, they need guardrails that are all around the desktop. So, but just to put a stat on it, so to your point about open source and the freemium wheel working, of our 13 million Docker accounts, 12 are free, about a million are paid for accounts. And that's by design because the open source. >> And you're not gouging developers per se, it's just, not gouging anyone, but you're not taking money out of their hands. It's the company. >> If the company is paying for their productivity so that they can build safely. >> More goodness more for the developer. >> That's right. That's right. >> Gouging would be more like the Oracle strategy. Don't comment. You don't need to comment. I keep saying that, but it's not like you're taxing. It's not a heavy. >> No, $5 a month, $9 a month, $24 a month depending on level. >> But I think the big aha to me and in my opinion is that you nailed the structural change culturally for a company. If they adopt the software ecosystem approach for transforming their business, they got to pay for it. So like a workflow, it's a developer. >> It's another tool. I mean, do they pay for their spreadsheet software? Do they pay for their back office ERP software? They do >> That's my point. >> to make those people popular or sorry, make those people successful, those employees successful. This is a developer tool to make developer successful. >> It's a great, great business model. Congratulations. What's next for you guys? What are you looking for? You just had your community events, you got DockerCon coming up next year. What's on the horizon for you? Put a plugin for the company. What are you looking for? Hiring? >> Yeah, so we're growing like gangbusters. We grew from 60 with the reset. We're now above 300 and we're continuing to grow despite this economic climate. Like our customers are very much investing in software capabilities. So that means they're investing in Docker. So we're looking for roles across the board, software engineers, product managers, designers, marketing, sales, customer success. So if you're interested, please reach out. The next year is going to be really interesting because we're bringing to market products that are doubling down on these areas, doubling down a developer productivity, doubling down on safety to make it even more just automatic that developers just build so they don't have to think about it. They don't need a new tool just to be safer. We hinted a bit about automating SBOM creation. You can see more of that pull through. And in particular, developers want to make the right decision. Everyone comes to work wanting to make the right decision. But what they often lack is context. They often lack like, well, is this bit of code safe or not? Or is this package that I just downloaded over here safe or not? And so you're going to see us roll out additional capabilities that give them very explicit contextual guidance of like, should you use this or not? Or here's a better version over here, a safer version over there. So stay tuned for some exciting stuff. >> It's going to be a massive developer growth wave coming even bigger we've ever seen. Final questions just while I got you here. Where do you see WebAssembly, Wasm going? If you had to throw a dart at the board out a couple years, what does it turn into? >> Yeah, so I think it's super exciting. Super exciting, John. And there's three use cases today. There's browser, there's edge, and there's service side in the data center of the cloud. We see the edge taking off in the next couple years. It's just such a straight line through from what they're doing today and the value that standing up a single service on the edge go. The service side needs some work on the Wasm runtime. The Wasm runtime is not multi-threaded today. And so there's some deep, deep technical work that's going on. The community's doing a fantastic job, but that'll take a while to play through. Browsers also making good progress. There's a component model that Wasm's working on that'll really ignite the industry. That is going to take another couple years as well. So I'd say let's start with the edge use case. Let's get everyone excited about that value proposition. And these other two use cases will come along. >> It'll all work itself out in the wash as open source always does. Scott Johnston, the Chief Executive Officer at Docker. Took over at the reset, kicking butt and taking names. Congratulations. You guys are doing great. Continue to power the developer movement. Thanks for coming on. >> John, thanks so much. Pleasure to be here. >> We're bringing you all the action here. Extracting the signal from the noise. I'm John Furrier, day one of three days of wall-to-wall live coverages. We'll be back for our next guest after this short break. (gentle music)

>>Welcome back to super cloud 22, our inaugural event. It's a pilot event here in the cube studios we're live and streaming virtually until we do it in person. Maybe next year. I'm John fury, host of the cube with Dave Lon two great guests, distinguished engineers managers, CTOs investors. Mariana Tessel is a CTO of Intuit ins Ray founder of vertex ventures. Both have a lot of DNA. Founder allow cloud here with mark Andre and Ben Horowitz, a variety of other great ventures you've done. And now you're an investor. Yep. Maria, you've been a seasoned CTO, VP of engineering, VMware Docker Intuit. Now thanks for joining us. >>Absolutely. >>So super cloud is a, is a thing. And apparently it's got a lot of momentum and you guys got stats over there at, at Intuit in, so you're investing and we were challenged on super cloud. Our initial thesis was you build on the clouds, get all that leverage like snowflake, you get a good differentiation and then you compete and then move to other clouds. Now it's becoming a thing where I can do this. Every enterprise could possibly do it. So I want to get your guys thoughts on what you think of super cloud concept and where are the holes in it, what needs to be defined. And so we'll start with you. You've done a lot of cloud things in your day. What >>Do you think? Yeah, it's the whole cloud journey started with a desire to consolidate and desire to actually provide uniformity and, and standards driven ways of doing things. And I think Amazon was a leader there. They helped kind of teach everybody else. You know, when I was in loud cloud, we were trying to do it with proprietary stacks just wouldn't work. But once everyone standardized upon Unix and you know, the chip sets no longer became as relevant. They did a lot of good things there, but what's happened since then is now you've got competing standards at the API layer at the interface layer no longer at the chip set layer, no longer at the operating system layer. Right? So the evolution of the, the, the battles are still there. When you talk about multicloud and super cloud, though, like one of the big things you have to keep in mind is latency is not free. Latency is very expensive and it's getting even more expensive now with, with multi-cloud. So you have to really understand where the separations of boundaries are between your data, your compute, and, and the network is just there as a facilitator to help binding compute and data. Right? And I think there's a lot of bets being made across different vendors like CloudFlare Akamai, as well as Amazon Google Microsoft in terms of how they think we should take computing either to the edge, from the core or back and forth. >>These, this is structural change. I mean, this is structural, >>It's desired by incumbents, but it's not something that I'm seeing from the consumption. I'd love to hear, hear from our end's per perspective, from a consumption point of view, like how much edge computing really matters. Right. >>Mario. >>So I think there's like, there's kind of a, a story of like two, like it's kind of, you can cut it for both edges. No, no pun intended on one end. It is really simplifying to actually go into like a single cloud and standardize on it and just have everything there. But I think what over time companies find is that they end up in multiple clouds, whether like, you know, through acquisitions or through like needing to use a service in another cloud. So you do find yourself in a situation where you have multi multi-cloud and you have to kind of work through it and understand how to make it all like work and latency is an issue, but also for many, many workloads, you can work around it and you can make it work where you have workloads that actually span multiple vendors and clouds. You know, again, having said that, I would say the world is such, that is still a simplifying assumption. When if you go to a single cloud, it's much easier to just go and, and bet on that >>Easier in terms of everything's integrated, IAS works with SAS, they solve a lot of problems. >>Correct. And you can do like for your developers, you can actually provide an environment that's super homogenous, simple. You can use services easily up and down the stack. And, you know, we, we actually made that deliberate decision. When we started migrating to the cloud at the beginning, it was like, oh, let's do like hybrid we'll, you know, make it, so it work anywhere. It was so complicated. It was not worth it. >>When was the, when did you give up, what was the moment? Was there a flash point where you said, oh, this is terrible. This is >>Dead. Yeah. When, when we started to try to make it interoperable and you just see what it requires to do that and the complexity of the architecture that it just became not worth it for the gains you have. >>So speaking obviously as a SAS provider, right. So it just doesn't, it didn't make business case sense for you guys to do that. So it was super cloud. Then an infrastructure thing we just heard from Ben wa deja VI that they're not, they're going beyond instantiating their, their data cloud. They're actually running, you know, their own little snow grid. They called it. And, and then when I asked him, well, what about latency? He said, well, we copied data over, you know, so, okay. That's you have to do, but that's a singular experience with the same governance or the same security. Just wasn't worth it for you guys is what I'm hearing. >>Correct. But again, like for some workload or for some services that we want to use, we are gonna go there and we are gonna then figure out what is the work around the latency issue, whether it's like copy or, you know, redundancy. >>Well, the question I have Dave on snowflake is maybe the question for you and in the panel is snowflake a tan expansion opportunity, or is there a technical reason to go to other clouds? >>I think they wanted to leverage the hyperscale infrastructure globally. And they said that they're out there, it's a free gift. We're gonna go take it. I, I think it started with we're on AWS. Do you think? And then we're on Azure and then we're on Google. And then they said, why don't we just connect all these and make it a singular experience? And yeah, I guess it's a TA expansion as a differentiator and it's, it adds value. Right. If I can share data across that global network, >>We have customers on Azure now, >>Right? Yeah. Yeah. Of course. >>You guys don't need to go CP. What do you think about that? >>Well, I think Snowflake's in a good position cuz they work mostly with analytical workloads and you have capacity. That's always gonna increase like no one subtracts, their analytical workload like ever, right. So there was just compounded growth is like 50% or 80% for, you know, many enterprises despite their best intentions, not to collect more data, they just can't stop doing it. So it's different than if you're like an Oracle or a transactional database where you don't have those, you know, like kind of infinite growth paths. So Snowflake's gonna continue to expand footprint their customers. They don't mind as long as you, they can figure out the, the lowest cost on denominator for, for that. >>Yeah. So it makes sense to be in all the clouds >>For them, for, for them, for sure. Yeah. >>But, but, but Oracle just announced with Microsoft what I would call super cloud, a, a cross cloud database service running on OCI and Azure with very low latency and a database that looks like a, the singular experience. Yeah. With, with a PAs layers >>That lost me after OCI that's >>Okay. You know, but that's the, that's the, the BS answer for all U VCs. The do nobody develops on Oracle? Well, it's a 240 billion market cap company. Show me who you all want be. >>We're gonna talk about SRDF and em C next, you >>All want Oracle. So there we go. You throw that into, you all want Oracle to buy your companies, your funding, you know, cause, cause we all wanna be like Oracle with that kinda cash flow. But, but anyway, >>Here's, here's one thing that I'm noticing that is gonna be really practical. I think for companies that do run SA is because like, you know, you have all these solutions, whether it's like analytics or like monitoring or logging or whatever. And each one of them is very data hungry and all of them have like SAS solutions that end up copy the data, moving data to their cloud, and then they might charge you by the size of your data. It does become kind of overwhelming for companies to use that many tools and basically maybe have that data kind of charge for it, multiple places because you use it for different purposes or just in general, if you have a lot of data, you know, that that is becoming an issue. So that's something that I've noticed in our, in our own kind of, you know, a world, but it's just something that I think companies need to think about how they solve because eventually a lot of companies will say, I cannot have all these solutions, so there's no way I'm gonna be willing to have so many copies of the data and actually pay for that. >>So many times, just something to think about. >>But one of the criticisms of the super cloud concept is that it's just SAS. If I'm running workload on prem and I, and I've got, you know, a connection to the cloud, which you probably do, that's, that's SAS, what's, what's the big deal and that's not anything new or different. So I'd love to get your thoughts on that. But Goldman Sachs, for instance, just announced the service last reinvent with AWS, connecting their tools, their data, and their software from on-prem to AWS, they're offering it as a service. I'm like, Hmm. Kind of looking like Supercloud, but maybe it's just SAS. >>It could be. And like, what I'm talking about is not so much like, you know, like what you wanna connect your data. But the idea is like a lot of the providers of different services, like in the past and, and like higher layer, they're actually COPI the data. They need the data in their cloud or their solution. And it just becomes complicated and expensive is, is kind of like my point. So yes, connecting it like for you to have the data in one place and then be able to connect to it. I think that is a valid, if, if that's kinda what you think about as a super cloud, that is a valid need, I think that companies will >>Have where developers actually want access to tools that might exist. >>Also the key is developers, right? Yeah. Developers decide all decisions, not database on administrators, not, you know, a hundred percent security engineers, not admins. So what's really interesting is where are the developers going next? If you look at the current winners in the current ecosystem, companies like MongoDB, I mean, they capture the minds of yeah. The JavaScript, you know, no JS developers absolutely very early on. And I started catch base and I could tell you like the difference was that capture motion was so important. So developers are basically used to this game-like experience now where they want to see tools that are free, whether it's open source or not, they actually don't care. They just want, and they want it SAS. They want it SAS delivered on demand. Right. And pay as you go. And so there's a lot of these different frameworks coming out next generation, no code, low code, whether it's Java, JavaScript, rust, you know, whatever, you know, go Lang. And there's a lot of people fighting religious wars about how to develop the next kind of modern pattern design pattern. Okay. And that's where a lot of excitement is how we look at like investment opportunities. Like where are those big bets who are, you know, frustrated developers, who are they frustrated, what's wrong with their current environment? You know, do they really enjoy using Kubernetes or trying to use Kubernetes? Yeah. Right. Like developers have a very different view than operator, >>But you mentioned couch base. I mean, I look at couch base what they're doing with Capellas as a form of Supercloud. I mean, I think that's an excellent, they're bringing that out to the edge. We're gonna hear later on from someone from couch base. That's gonna talk about that now. It's kind of a lightweight, you know, sort of, it's gonna be a, a synchronization, but it's the beginning >>A cool new venture deal that I'm not in, but was like duck DB. I'm like, what's duck DB like, well, it's an Emory database that has like this like remote store thing. I'm like, okay, that sounds interesting. Like let's call Mike Olson cuz that sounds like sleepy cat redone red distributed world. But like it's, it's like there's a lot of people refactoring design patterns that we're all grew up with since the popup days of, you know, typical round. Right? >>Yeah. That's the refactory I think that's the big pattern. So I have to ask you guys, what are you guys investing in? We've got a couple minutes left to chat about that. What are you investing at into it from a, from a, a CTO engineering perspective and what are you investing in that feels super cloud like to you? >>Well, the, the thing that like I'm focused on is to make sure that we have absolutely best in the world development environment for our engineers, where it's modern, it's easy to use and it incorporates as many things as we can into that environment. So the engineers don't have to think about it. Like one big example would be security and how we incorporated that into development environment. So again, the engineers don't have to bother with trying to think through how they secure their workloads and every step of the way their other things that we incorporated, whether it's like rollbacks or monitoring or, you know, like baly enough other things. But I think that's really an investment that has panned off for us. We actually started investing in development environment several years ago. We started measure our development velocity and we, it actually went up by six X justly investing. So >>User experience, developer experience and productivity pretty much right. >>Yeah. AB absolutely. Yeah. That's like a big investment area for us that, you know, cloud cloud >>Sounds like super cloudlike factor and I'm assuming it's you're on AWS. >>We are mostly on AWS. Yes. >>And so what are you investing in that from a VC money doling out standpoint? That feels super cloudlike >>So very similar to what we just touched on a lot of developer tool experiences. We have a company that we've invested in called ops level that the service catalogs it's, it's helping, you know, understand your, where your services live and how they could be accessed and, and you know, enterprise kind of that come with that. And then we have a company called Lugo that helps you do serverless debugging container debugging, cuz it turns out debugging distributed, you know, applications is a real problem right now just you can only do so much by log tracing, right? We have a company haven't announced yet that's in the web assembly space. So we're looking at modernizing the next generation past stack and throwing everything out the window, including Java and all of the, you know, current prebuilt components because turns out 90% of enterprise workloads are actually not used. They're they're just policy code. You compiled with they're sitting there as vulnerabilities that no one's actually accessing, but you still have to compile with all of it. So we have a lot of bloatware happening in the enterprise. So we're thinking about how do you skinny that up with the next generation paths that's enterprise capable with security context and frameworks >>Super pass. >>Well, yeah, super pass. That's a kind of good way to, well, is >>It, is it a consistent developer experience across clouds? >>It is. And, and, and, and web assembly is a very raw standard if you can call it that. I mean it's, but it's supported by every modern browser, every major platform, vendor cloud, and Adobe and others, and are using it for their uses. And it's not just about your edge browser compute. It's really, you can take the same framework and compile it down to server side as well as client site, just like JavaScript was a client side tool before it became node. Right. Right. So we're looking at that as a very interesting opportunity. It's very nascent. Yeah. >>Great patterns. Yeah. Well, thanks so much for spending the time outta your busy day. Ariana. Thanks for your commentary. Appreciate your coming on the cubes first in IGUR super cloud event, pilot. Thanks for, for sharing. Thanks for having, thanks for having us. Okay. More coverage here. Super cloud 2022. I'm Jeff David Alane stay with us. We got our cloud ARA panel coming up next.

>>Hey everyone. Welcome back to the Cube's live coverage of snowflake summit 22 live from Las Vegas. Caesar's forum. Lisa Martin here with Dave Valante. We've got a couple of guests here. We're gonna be talking about every day. AI. You wanna know what that means? You're in the right spot. Kurt UL joins us, the chief customer officer at data ICU and the mod Conn, the head of AI and ML strategy at snowflake guys. Great to have you on the program. >>It's wonderful to be here. Thank you so much. >>So we wanna understand Kurt what everyday AI means, but before we do that for the audience who might not be familiar with data, I could give them a little bit of an overview. What about what you guys do your mission and maybe a little bit about the partnership? >>Yeah, great. Uh, very happy to do so. And thanks so much for this opportunity. Um, well, data IKU, we are a collaborative platform, uh, for enterprise AI. And what that means is it's a software, you know, that sits on top of incredible infrastructure, notably snowflake that allows people from different backgrounds of data, analysts, data, scientists, data, engineers, all to come together, to work together, to build out machine learning models and ultimately the AI that's gonna be the future, uh, of their business. Um, and so we're very excited to, uh, to be here, uh, and you know, very proud to be a, a, a very close partner of snowflake. >>So Amad, what is Snowflake's AI strategy? Is it to, is it to partner? Where do, where do you pick up? And Frank said today, we, we're not doing it all. Yeah. The ecosystem by design. >>Yeah. Yeah, absolutely. So we believe in the best of breed look. Um, I think, um, we, we think that we're the best data platform and for data science and machine learning, we want our customers to really use the best tool for their use cases. Right. And, you know, data ICU is, is our leading partner in that space. And so, you know, when, when you talk about, uh, machine learning and data science, people talk about training a model, but it's really the difficult part and challenges are really, before you train the model, how do you get access to the right data? And then after you train the model, how do you then run the model? And then how do you manage the model? Uh, that's very, very important. And that's where our partnership with, with data, uh, IKU comes in place. Snowflake provides the platform that can process data at scale for the pre-processing bit and, and data IKU comes in and really, uh, simplifies the process for deploying the models and managing the model. >>Got it. Thank >>You. You talk about KD data. Aico talks about everyday AI. I wanna break that down. What do you mean by that? And how is this partnership with snowflake empowering you to deliver that to companies? >>Yeah, absolutely. So everyday AI for us is, uh, you know, kind of a future state that we are building towards where we believe that AI will become so pervasive in all of the business processes, all the decision making that organizations have to go through that it's no longer this special thing that we talk about. It's just the, the day to day life of, uh, of our businesses. And we can't do that without partners like snowflake and, uh, because they're bringing together all of that data and ensuring that there is the, uh, the computational horsepower behind that to drive that we heard that this morning in some of the keynote talking about that broad democratization and the, um, let's call it the, uh, you know, the pressure that that's going to put on the underlying infrastructure. Um, and so ultimately everyday AI for us is where companies own that AI capability. They're building it themselves very broad, uh, participation in the development of that. And all that work then is being pushed down into best of breed, uh, infrastructure, notably of course, snowflake. Well, >>You said push down, you, you guys, you there's a term in the industry push down optimization. What does that mean? How is it evolving? Why is it so important? >>So Amma, do you want to take a first step at that? >>Yeah, absolutely. So, I mean, when, when you're, you know, processing data, so saying data, um, before you train a, uh, a model, you have to do it at scale, that that, that data is, is coming from all different sources. It's human generated machine generated data, we're talking millions and billions of rows of data. Uh, and you have to make sense of it. You have to transform that data into the right kind of features into the right kind of signals that inform the machine learning model that you're trying to, uh, train. Uh, and so that's where, you know, any kind of large scale data processing is automatically pushed down by data IQ, into snowflakes, scalable infrastructure. Um, so you don't get into like memory issues. You don't get into, um, uh, situations where you're where your pipeline is running overnight, and it doesn't finish in time. Right? And so, uh, you can really take advantage of the scalable nature of cloud computing, uh, using Snowflake's infrastructure. So a lot of that processing is actually getting pushed down from data I could down into the scalable snowflake compute engine. How >>Does this affect the life of a data scientist? You always hear a data scientist spend 80% of the time wrangling data. Uh, I presume there's an infrastructure component around that you trying, we heard this morning, you're making infrastructure, my words, infrastructure, self serve, uh, does this directly address that problem and, and talk about that. And what else are you doing to address that 80% problem? >>It, it certainly does, right? Uh, that's how you solve for, uh, data scientists needing to have on demand access to computing resources, or of course, to the, uh, to the underlying data, um, is by ensuring that that work doesn't have to run on their laptop, doesn't have to run on some, you know, constrained, uh, physical machines, uh, in, in a data center somewhere. Instead it gets pushed down into snowflake and can be executed at scale with incredible parallelization. Now what's really, uh, I important is the ongoing development, uh, between the two products, uh, and within that technology. And so today snowflake, uh, announced the introduction of Python within snow park, um, which is really, really exciting, uh, because that really opens up this capability to a much wider audience. Now DataCo provides that both through a visual interface, um, in historically, uh, since last year through Java UDFs, but that's kind of the, the two extremes, right? You have people who don't code on one side, you know, very no code or a low code, uh, population, and then a very high code population. On the other side, this Python, uh, integration really allows us to, to touch really kind the, the fat center of the data science population, who, uh, who, for whom, you know, Python really is the lingua franca that they've been learning for, uh, for decades now. Sure. So >>Talking about the data scientist, I wanna elevate that a little bit because you both are enterprise customers, data ICO, and snowflake Kurt as the chief customer officer, obviously you're with customers all the time. If we look at the macro environment of all the challenges, companies have to be a data company these days, if you're not, you're not gonna be successful. It's how do we do that? Extract insights, value, action, take it. But I'm just curious if your customer conversations are elevating up to the C-suite or, or the board in terms of being able to get democratize access to data, to be competitive, new products, new services, we've seen tremendous momentum, um, on, on the, the part of customer's growth on the snowflake side. But what are you hearing from customers as they're dealing with some of these current macro pains? >>Yeah, no, I, I think it is the conversation today, uh, at that sea level is not only how do we, you know, leverage, uh, new infrastructure, right. You know, they they're, you know, most of them now are starting to have snowflake. I think Frank said, uh, you know, 50% of the, uh, fortune 500, so we can say most, um, have that in place. Um, but now the question is, how do we, how do we ensure that we're getting access to that data, to that, to that computational horsepower, to a broader group of people so that it becomes truly a transformational initiative and not just an it initiative, not just a technology initiative, but really a core business initiative. And that, that really has been a pivot. You know, I've been, you know, with my company now for almost eight years, right. Uh, and we've really seen a change in that discussion going from, you know, much more niche discussions at the team or departmental level now to truly corporate strategic level. How do we build AI into our corporate strategy? How do we really do that in practice? And >>We hear a lot about, Hey, I want to inject data into apps, AI, and machine intelligence into applications. And we've talked about, those are separate stacks. You got the data stack and analytics stack over here. You got the application development, stack the databases off in the corner. And so we see you guys bringing those worlds together. And my question is, what does that stack look like? I took a snapshot. I think it was Frank's presentation today. He had infrastructure at the lowest level live data. So infrastructure's cloud live data. That's multiple data sources coming in workload execution. You made some announcements there. Mm-hmm, <affirmative>, uh, to expend expand that application development. That's the tooling that is needed. Uh, and then marketplace, that's how you bring together this ecosystem. Yes. Monetization is how you turn data into data products and make money. Is that the stack, is that the new stack that's emerging here? Are you guys defining that? >>Absolutely. Absolutely. You talked about like the 80% of the time being spent by data scientists and part of that is actually discovering the right data. Right. Um, being able to give the right access to the right people and being able to go and discover that data. And so you, you, you go from that angle all the way to processing, training a model. And then all those predictions that are insights that are coming out of the model are being consumed downstream by data applications. And so the two major announcements I'm super excited about today is, is the ability to run Python, which is snow park, uh, in, in snowflake. Um, that will do, you know, you can now as a Python developer come and bring the processing to where the data lives rather than move the data out to where the processing lives. Right. Um, so both SQL developers, Python developers, fully enabled. Um, and then the predictions that are coming out of models that are being trained by data ICU are then being used downstream by these data applications for most of our customers. And so that's where number, the second announcement with streamlet is super exciting. I can write a complete data application without writing a single line of JavaScript CSS or HTML. I can write it completely in Python. It's it makes me super excited as, as a Python developer, myself >>And you guys have joint customers that are headed in this direction, doing this today. Where, where can you talk about >>That? Yeah, we do. Uh, you know, there's a few that we're very proud of. Um, you know, company, well known companies like, uh, like REI or emeritus. Um, but one that was mentioned today, uh, this morning by Frank again, uh, Novartis, uh, pharmaceutical company, you know, they have been extremely successful, uh, in accelerating their AI and ML development by expanding access to their data. And that's a combination of, uh, both the data ICU, uh, layer, you know, allowing for that work to be developed in that, uh, in that workspace. Um, but of course, without, you know, the, the underlying, uh, uh, platform of snowflake, right, they, they would not have been able to, to have re realized those, uh, those gains. And they were talking about, you know, very, very significant increases in inefficiency everything from data access to the actual model development to the deployment. Um, it's just really, really honestly inspiring to see. >>And it was great to see Novartis mentioned on the main stage, massive time to value there. We've actually got them on the program later this week. So that was great. Another joint customer, you mentioned re I we'll let you go, cuz you're off to do a, a session with re I, is that right? >>Yes, that's exactly right. So, uh, so we're going to be doing a fireside chat, uh, talking about, in fact, you know, much of the same, all of the success that they've had in accelerating their, uh, analytics, workflow development, uh, the actual development of AI capabilities within, uh, of course that, uh, that beloved brand. >>Excellent guys, thank you so much for joining Dave and me talking about everyday AI, what you're doing together, data ICO, and snowflake to empower organizations to actually achieve that and live it. We appreciate your insights. Thank you both. You guys. Thank you for having us for our guests and Dave ante. I'm Lisa Martin. You're watching the Cube's live coverage of snowflake summit 22 from Las Vegas. Stick around our next guest joins us momentarily.

>>Welcome back to the big apple, everybody. The Cube's continuous coverage here of MongoDB world 2022. We're at the new Javet center. It's it's quite nice. It was built during the pandemic. I believe on top of a former bus terminal. I'm told by our next guest Tony bear, who's the principal at DB insight of data and database expert, longtime analyst, Tony. Good to see you. Thanks for coming >>On. Thanks >>For having us. You face to face >>And welcome to New York. >>Yeah. Right. >>New York is open for business. >>So, yeah. And actually, you know, it's interesting. We've been doing a lot of these events lately and, and especially the ones in Vegas, it's the first time everybody's been out, you know, face to face, not so much here, you know, people have been out and about a lot of masks >>In, >>In New York city, but, but it's good. And, and this new venue is fantastic >>Much nicer than the old Javits. >>Yeah. And I would say maybe 3000 people here. >>Yeah. Probably, but I think like most conferences right now are kind of, they're going through like a slow ramp up. And like for instance, you know, sapphires had maybe about one third, their normal turnout. So I think that you're saying like one third to one half seems to be the norm right now are still figuring out how we're, how and where we're gonna get back together. Yeah. >>I think that's about right. And, and I, but I do think that that in most of the cases that we've seen, it's exceeded people's expectations at tenants, but anyway sure. Let's talk about Mongo, very interesting company. You know, we've been kind of been watching their progression from just sort of document database and all the features and functions they're adding, you just published a piece this morning in venture beat is time for Mongo to get into analytics. Yes. You know? Yes. One of your favorite topics. Well, can they expand analytics? They seem to be doing that. Let's dig into it. Well, >>They're taking, they've been taking slow. They've been taking baby steps and there's good reason for that because first thing is an operational database. The last thing you wanna do is slow it down with very complex analytics. On the other hand, there's huge value to be had if you would, if you could, you know, turn, let's say a smart, if you can turn, let's say an operational database or a transaction database into a smart transaction database. In other words, for instance, you know, let's say if you're, you're, you're doing, you know, an eCommerce site and a customer has made an order, that's basically been out of the norm. Whether it be like, you know, good or bad, it would be nice. Basically, if at that point you could then have a next best action, which is where analytics comes in. But it's a very lightweight form of analytics. It's not gonna, it's actually, I think probably the best metaphor for this is real time credit scoring. It's not that they're doing your scoring you in real time. It's that the model has been computed offline so that when you come on in real time, it can make a smart decision. >>Got it. Okay. So, and I think it was your article where I, I wrote down some examples. Sure. Operational, you know, use cases, patient data. There's certainly retail. We had Forbes on earlier, right? Obviously, so very wide range of, of use cases for operational will, will Mongo, essentially, in your view, is it positioned to replace traditional R D BMS? >>Well, okay. That's a long that's, that's much, it's >>Sort of a loaded question, but >>That's, that's a very loaded question. I think that for certain cases, I think it will replace R D BMS, but I still, I mean, where I, where I depart from Mongo is I do not believe that they're going to replace all R D D BMSs. I think, for instance, like when you're doing financial transactions, you know, the world has been used to table, you know, you know, columns and rows and tables. That's, it's a natural form for something that's very structured like that. On the other hand, when you take a look, let's say OT data, or you're taking a look at home listings that tends to more naturally represent itself as documents. And so there's a, so it's kind of like documents are the way that let's say you normally see the world. Relational is the way that you would structure the world. >>Okay. Well, I like that. So, but I mean, in the early days, obviously, and even to this day, it's like the target for Mongo has been Oracle. Yeah. Right, right. And so, and then, you know, you talk to a lot of Oracle customers as do I sure. And they are running the most mission, critical applications in the world, and it's like banking and financial and so many. And, and, and, you know, they've kind of carved out that space, but are we, should we be rethinking the definition of, of mission critical? Is that changing? >>Well, number one, I think what we've traditionally associated mission critical systems with is our financial transaction systems and to a less, and also let's say systems that schedule operations. But the fact is there are many forms of operations where for instance, let's say you're in a social network, do you need to have that very latest update? Or, you know, basically, can you go off, let's say like, you know, a server that's eventually consistent. In other words, the, do you absolutely have, you know, it's just like when you go on Twitter, do you naturally see all the latest tweets? It's not the system's not gonna crash for that reason. Whereas let's say if you're doing it, you know, let's say an ATM banking ATM system, that system better be current. So I think there's a delineation. The fact is, is that in a social network, arguably that operational system is mission critical, but it's mission critical in a different way from a, you know, from, let's say a banking system. >>So coming back to this idea of, of this hybrid, I think, you know, I think Gartner calls it H tab hybrid, transactional analytics >>Is changed by >>The minute, right. I mean, you mentioned that in, in your article, but basically it's bringing analytics to transactions bringing those, those roles together. Right. Right. And you're saying with Mongo, it's, it's lightweight now take, you use two other examples in your article, my SQL heat wave. Right. I think you had a Google example as well, DB, those are, you're saying much, much heavier analytics, is that correct? Or >>I we'll put it this way. I think they're because they're coming from a relational background. And because they also are coming from companies that already have, you know, analytic database or data warehouses, if you will, that their analytic, you know, capabilities are gonna be much more fully rounded than what Mongo has at this point. It's not a criticism of a Mongo MongoDB per >>Per, is that by design though? Or ne not necessarily. Is that a function of maturity? >>I think it's function of maturity. Oh, okay. I mean, look, to a certain extent, it's also a function of design in terms of that the document model is a little, it's not impossible to basically model it for analytics, but it takes more, you know, transformation to, to decide which, you know, let's say field in that document is gonna be a column. >>Now, the big thing about some of these other, these hybrid systems is, is eliminating the need for two databases, right? Eliminating the need for, you know, complex ETL. Is, is that a value proposition that will emerge with, with Mongo in your view? >>You know, I, I mean, put it this way. I think that if you take a look at how they've, how Mongo is basically has added more function to its operations, someone talking about analytics here, for instance, adding streaming, you know, adding, adding, search, adding time series, that's a matter of like where they've eliminated the need to do, you know, transformation ETL, but that's not for analytics per se for analytics. I think through, you know, I mean through replication, there's still gonna be some transformation in terms of turning, let's say data, that's, that's formed in a document into something that's represented by columns. There is a form of transformation, you know, so that said, and Mongo is already, you know, it has some NA you know, nascent capability there, but it's all, but this is still like at a rev 1.0 level, you know, I expect a lot more >>Of so refin you, how Amazon says in the fullness of time, all workloads will be in the cloud. And we could certainly debate that. What do we mean by cloud? So, but there's a sort of analog for Mongo that I'll ask you in the fullness of time, will Mongo be in a position to replace data warehouses or data lakes? No. Or, or, or, and we know the answer is no. So that's of course, yeah. But are these two worlds on a quasi collision course? I think they >>More on a convergence course or the collision course, because number one is I said, the first principle and operational database is the last thing you wanna do is slow it down. And to do all this complex modeling that let's say that you would do in a data bricks, or very complex analytics that you would do in a snowflake that is going to get, you know, you know, no matter how much you partition the load, you know, in Atlas, and yes, you can have separate nodes. The fact is you really do not wanna burden the operational database with that. And that's not what it's meant for, but what it is meant for is, you know, can I make a smart decision on the spot? In other words, kinda like close the loop on that. And so therefore there's a, a form of lightweight analytic that you can perform in there. And actually that's also the same principle, you know, on which let's say for instance, you know, my SQL heat wave and Allo DBR based on, they're not, they're predicated on, they're not meant to replace, you know, whether it be exit data or big query, the idea there is to do more of the lightweight stuff, you know, and keep the database, you know, keep the operations, you know, >>Operating. And, but from a practitioner's standpoint, I, I, I can and should isolate you're saying that node, right. That's what they'll do. Sure. How does that affect cuz my understanding is that that the Mon Mongo specifically, but I think document databases generally will have a primary node. Right? And then you can set up secondary nodes, which then you have to think about availability, but, but would that analytic node be sort of fenced off? Is that part of the >>Well, that's actually what they're, they've already, I mean, they already laid the groundwork for it last year, by saying that you can set up separate nodes and dedicate them to analytics and what they've >>As, as a primary, >>Right? Yes, yes. For analytics and what they've added, what they're a, what they are adding this year is the fact to say like that separate node does not have to be the same instance class, you know, as, as, as, as the, >>What, what does that mean? Explain >>That in other words, it's a, you know, you could have BA you know, for instance, you could have a node for operations, that's basically very eye ops intensive, whereas you could have a node let's say for analytics that might be more compute intensive or, or more he, or, or more heavily, you know, configured with, with memory per se. And so the idea here is you can tailor in a node to the workload. So that's, you know what they're saying with, you know, and I forget what they're calling it, but the idea that you can have a different type, you can specify a different type of node, a different type of instance for the analytic node, I think is, you know, is a major step forward >>And that, and that that's enabled by the cloud and architecture. >>Of course. Yes. I mean, we're separating, compute from data is, is, is the starter. And so yeah. Then at that point you can then start to, you know, you know, to go less vanilla. I think, you know, the re you know, the, you know, the, I guess the fruition of this is going to be when they say, okay, you can run your, let's say your operational nodes, you know, dedicated, but we'll let you run your analytic nodes serverless. Can't do it yet, but I've gotta believe that's on the roadmap. >>Yeah. So seq brings a lot of overhead. So you get MQL, but now square this circle for me, cuz now you got Mago talking sequel. >>They had to start doing that some time. I mean, and I it's been a court take I've had from them from the, from the get go, which I said, I understand that you're looking at this as an alternative to SQL and that's perfectly valid, but don't deny the validity of SQL or the reason why we, you know, we need it. The fact is that you have, okay, the number, you know, according to Ty index, JavaScript is the seventh, most popular language. Most SQL follows closely behind at the ninth, most popular language you don't want to cl. And the fact is those people exist in the enterprise and they're, and they're disproportionately concentrated in analytics. I mean, you know, it's getting a little less, so now we're seeing like, you know, basically, you know, Python, the programmatic, but still, you know, a lot of sequel expertise there. It does not make, it makes no sense for Mongo to, to, to ignore or to overlook that audience. I think now they're, you know, you know, they're taking baby steps to start, you know, reaching out to them. >>It's interesting. You see it going both ways. See Oracle announces a Mongo, DB, Mongo. I mean, it's just convergence. You called it not, I love collisions, you know, >>I know it's like, because you thrive on drama and I thrive on can't. We all love each other, but you know, act. But the thing is actually, I've been, I wrote about this. I forget when I think it was like 2014 or 2016. It's when we, I was noticed I was noting basically the, you know, the rise of all these specialized databases and probably Amazon, you know, AWS is probably the best exemplar of that. I've got 15 or 16 or however, number of databases and they're all dedicated purpose. Right. But I also was, you know, basically saw that inevitably there was gonna be some overlap. It's not that all databases were gonna become one and the same we're gonna be, we're gonna become back into like the, you know, into a pan G continent or something like that. But that you're gonna have a relational database that can do JSON and, and a, and a document database that can do relational. I mean, you know, it's, to me, that's a no brainer. >>So I asked Andy Ja one time, I'd love to get your take on this, about those, you know, multiple data stores at the time. They probably had a thousand. I think they're probably up to 15 now, right? Different APIs, different S et cetera. And his response. I said, why don't you make it easier for, for customers and maybe build an abstraction or converge these? And he said, well, it's by design. What if you buy this? And, and what your thoughts are, cuz I, you know, he's a pretty straight shooter. Yeah. It's by design because it allows us as the market moves, we can move with it. And if we, if we give developers access to those low level primitives and APIs, then they can move with, with at market speed. Right. And so that again, by design, now we heard certainly Mongo poo pooing that today they didn't mention, they didn't call out Amazon. Yeah. Oracle has no compunction about specifically calling out Amazon. They do it all the time. What do you make of that? Can't Amazon have its cake and eat it too. In other words, extend some of the functionality of those specific databases without going to the Swiss army. >>I I'll put it this way. You, you kind of tapped in you're, you're sort of like, you know, killing me softly with your song there, which is that, you know, I was actually kind of went on a rant about this, actually know in, you know, come, you know, you know, my year ahead sort of out predictions. And I said, look, cloud folks, it's great that you're making individual SAS, you know, products easy to use. But now that I have to mix and match SAS products, you know, the burden of integration is on my shoulders. Start making my life easier. I think a good, you know, a good example of this would be, you know, for instance, you could take something like, you know, let's say like a Google big query. There's no reason why I can't have a piece of that that might, you know, might be paired, say, you know, say with span or something like that. >>The idea being is that if we're all working off a common, you know, common storage, we, you know, it's in cloud native, we can separate the computer engines. It means that we can use the right engine for the right part of the task. And the thing is that maybe, you know, myself as a consumer, I should not have to be choosing between big query and span. But the thing is, I should be able to say, look, I want to, you know, globally distribute database, but I also wanna do some analytics and therefore behind the scenes, you know, new microservices, it could connect the two wouldn't >>Microsoft synapse be an example of doing that. >>It should be an example. I wish I, I would love to hear more from Microsoft about this. They've been radio silent for about the past two or three years in data. You hardly hear about it, but synapse is actually those actually one of the ideas I had in mind now keep in mind that with synapse, you're not talking about, let's say, you know, I mean, it's, it's obviously a sequel data warehouse. It's not pure spark. It's basically their, it was their curated version of spark, but that's fine. But again, I would love to hear Microsoft talk more about that. They've been very quiet. >>Yeah. You, you, the intent is there to >>Simplify >>It exactly. And create an abstraction. Exactly. Yeah. They have been quiet about it. Yeah. Yeah. You would expect that, that maybe they're still trying to figure it out. So what's your prognosis from Mongo? I mean, since this company IP, you know, usually I, I tell and I tell everybody this, especially my kids, like don't buy a stock at IPO. You'll always get a better chance at a cheaper price to buy it. Yeah. And even though that was true with Mongo, you didn't have a big window. No. Like you did, for instance, with, with Facebook, certainly that's been the case with snowflake and sure. Alibaba, I mean, I name a zillion style was almost universal. Yeah. But, but since that, that, that first, you know, few months, period, this, this company has been on a roll. Right. And it, it obviously has been some volatility, but the execution has been outstanding. >>No question about that. I mean, the thing is, look what I, what I, and I'm just gonna talk on the product side on the sales side. Yeah. But on the product side, from the get go, they made a product that was easy for developers. Whereas let's say someone's giving an example, for instance, Cosmo CB, where to do certain operations. They had to go through multiple services in, you know, including Azure portal with Atlas, it's all within Atlas. So they've really, it's been kinda like design thinking from the start initially with, with the core Mongo DB, you know, you, the on premise, both this predates Atlas, I mean, part of it was that they were coming with a language that developers knew was just Javas script. The construct that they knew, which was JS on. So they started with that home core advantage, but they weren't the only ones doing that. But they did it with tooling that was very intuitive to developers that met developers, where they lived and what I give them, you know, then additional credit for is that when they went to the cloud and it wasn't an immediate thing, Atlas was not an overnight success, but they employed that same design thinking to Atlas, they made Atlas a good cloud experience. They didn't just do a lift and shift the cloud. And so that's why today basically like five or six years later, Atlas's most of their business. >>Yeah. It's what, 60% of the business now. Yeah. And then Dave, on the, on the earning scholar, maybe it wasn't Dave and somebody else in response to question said, yeah, ultimately this is the future will be be 90% of the business. I'm not gonna predict when. So my, my question is, okay, so let's call that the midterm midterm ATLA is gonna be 90% of the business with some exceptions that people just won't move to the cloud. What's next is the edge. A new opportunity is Mongo architecturally suited for the, I mean, it's certainly suited for the right, the home Depot store. Sure. You know, at the edge. Yeah. If you, if you consider that edge, which I guess it is form of edge, but how about the far edge EVs cell towers, you know, far side, real time, AI inferencing, what's the requirement there, can Mongo fit there? Any thoughts >>On that? I think the AI and the inferencing stuff is interesting. It's something which really Mongo has not tackled yet. I think we take the same principle, which is the lightweight stuff. In other words, you'll say, do let's say a classification or a prediction or some sort of prescriptive action in other words, where you're not doing some convolution, neural networking and trying to do like, you know, text, text to voice or, or, or vice versa. Well, you're not trying to do all that really fancy stuff. I think that's, you know, if you're keeping it SIM you know, kinda like the kiss principle, I think that's very much within Mongo's future. I think with the realm they have, they basically have the infrastructure to go out to the edge. I think with the fact that they've embraced GraphQL has also made them a lot more extensible. So I think they certainly do have, you know, I, I do see the edge as being, you know, you know, in, in, you know, in their, in their pathway. I do see basically lightweight analytics and lightweight, let's say machine learning definitely in their >>Future. And, but, and they would, would you agree that they're in a better position to tap that opportunity than say a snowflake or an Oracle now maybe M and a can change that. R D can maybe change that, but fundamentally from an architectural standpoint yeah. Are they in a better position? >>Good question. I think that that Mongo snowflake by virtual fact, I mean that they've been all, you know, all cloud start off with, I think makes it more difficult, not impossible to move out to the edge, but it means that, and I, and know, and I, and I said, they're really starting to making some tentative moves in that direction. I'm looking forward to next week to, you know, seeing what, you know, hearing what we're gonna, what they're gonna be saying about that. But I do think, right. You know, you know, to answer your question directly, I'd say like right now, I'd say Mongo probably has a, you know, has a head start there. >>I'm losing track of time. I could go forever with you. Tony bear DB insight with tons of insights. Thanks so much for coming back with. >>It's only one insight insight, Dave. Good to see you again. All >>Right. Good to see you. Thank you. Okay. Keep it right there. Right back at the Java center, Mongo DB world 2022, you're watching the cube.

>>Welcome back to NYC the Cube's coverage of Mongo DB 2022, a few thousand people here at least bigger than many people, perhaps expected, and a lot of buzz going on and we're gonna talk devs. I'm really excited to welcome back. Robbie Bellson who's the developer relations lead at Verizon and Ian Massingham. Who's the vice president of developer relations at Mongo DB Jens. Good to see you. Great >>To be here. >>Thanks having you. So Robbie, we just met a few weeks ago at the, the red hat summit in Boston and was blown away by what Verizon is doing in, in developer land. And of course, Ian, you know, Mongo it's rayon Detra is, is developers start there? Why is Mongo so developer friendly from your perspective? >>Well, it's been the ethos of MongoDB since day one. You know, back when we launched the first version of MongoDB back in 2009, we've always been about making developers lives easier. And then in 2016, we announced and released MongoDB Atlas, which is our cloud managed service for MongoDB, you know, starting with a small number of regions built on top of AWS and about 2,500 adoption events per week for MongoDB Atlas. After the first year today, MongoDB Atlas provides a managed service for MongoDB developers around the world. We're present in almost a hundred cloud regions across S DCP and Azure. And that adoption number is now running at about 25,000 developers a week. So, you know, the proof are in proof is really in the metrics. MongoDB is an incredibly popular platform for developers that wanna build data-centric applications. You just can't argue with the metrics really, >>You know, Ravi, sometimes there's an analyst who come up with these theories and one of the theories I've been spouting for a long time is that developers are gonna win the edge. And now to, to see you at Verizon building out this developer community was really exciting to me. So explain how you got this started with this journey. >>Absolutely. As you think about Verizon 5g edge or mobile edge computing portfolio, we knew from the start that developers would play a central role and not only consuming the service, but shaping the roadmap for what it means to build a 5g future. And so we started this journey back in late 20, 19 and fast forward to about a year ago with Mongo, we realized, well, wait a minute, you look at the core service offerings available at the edge. We didn't know really what to do with data. We wanted to figure it out. We wanted the vote of confidence from developers. So there I was in an apartment in Colorado racing, your open source Mongo against that in the region edge versus region, what would you see? And we saw tremendous performance improvements. It was so much faster. It's more than 40% faster for thousands and thousands of rights. And we said, well, wait a minute. There's something here. So what often starts is an organic developer, led intuition or hypothesis can really expand to a much broader go to market motion that really brings in the enterprise. And that's been our strategy from day one. Well, >>It's interesting. You talk about the performance. I, I just got off of a session talking about benchmarks in the financial services industry, you know, amazing numbers. And that's one of the hallmarks of, of Mongo is it can play in a lot of different places. So you guys both have developer relations in your title. Is that how you met some formal developer relations? >>We were a >>Program. >>Yeah, I would say that Verizon is one of the few customers that we also collaborate with on a developer relations effort. You know, it's in our mutual best interest to try to drive MongoDB consumption amongst developers using Verizon's 5g edge network and their platform. So of course we work together to help, to increase awareness of MongoDB amongst mobile developers that want to use that kind of technology. >>But so what's your story on this? >>I mean, as I, as I mentioned, everything starts with an organic developer discovery. It all started. I just cold messaged a developer advocate on Twitter and here we are at MongoDB world. It's amazing how things turn out. But one of the things that's really resonated with me as I was speaking with one of, one of your leads within your organization, they were mentioning that as Mongo DVIA developed over the years, the mantra really became, we wanna make software development easy. Yep. And that really stuck with me because from a network perspective, we wanna make networking easy. Developers are not gonna care about the internals of 5g network. In fact, they want us to abstract away those complexities so that they can focus on building their apps. So what better co-innovation opportunity than taking MongoDB, making software easy, and we make the network easy. >>So how do you think about the edge? How does you know variety? I mean, to me, you know, there's a lot of edge use cases, you know, think about the home Depot or lows. Okay, great. I can put like a little mini data center in there. That's cool. That's that's edge. Like, but when I think of Verizon, I mean, you got cell towers, you've got the far edge. How do you think about edge Robbie? >>Well, the edge is a, I believe a very ambiguous term by design. The edge is the device, the mobile device, an IOT device, right? It could be the radio towers that you mentioned. It could be in the Metro edge. The CDN, no one edge is better than the other. They're all just serving different use cases. So when we talk about the edge, we're focused on the mobile edge, which we believe is most conducive to B2B applications, a fleet of IOT devices that you can control a manufacturing plant, a fleet of ground and aerial robotics. And in doing so you can create a powerful compute mesh where you could have a private network and private mobile edge computing by way of say an AWS outpost and then public mobile edge computing by way of AWS wavelength. And why keep them separate. You could have a single compute mesh even with MongoDB. And this is something that we've been exploring. You can extend Atlas, take a cluster, leave it in the region and then use realm the mobile portfolio and spread it all across the edge. So you're creating that unified compute and data mesh together. >>So you're describing what we've been expecting is a new architecture emerging, and that's gonna probably bring new economics of new use cases, right? Where are we today in that first of all, is that a reasonable premise that this is a sort of a new architecture that's being built out and where are we in that build out? How, how do you think about the, the future of >>That? Absolutely. It's definitely early days. I think we're still trying to figure it out, but the architecture is definitely changing the idea to rip out a mobile device that was initially built and envisioned for the device and only for the device and say, well, wait a minute. Why can't it live at the edge? And ultimately become multi-tenant if that's the data volume that may be produced to each of those edge zones with hypothesis that was validated by developers that we continue to build out, but we recognize that we can't, we can't get that static. We gotta keep evolving. So one of our newest ideas as we think about, well, wait a minute, how can Mongo play in the 5g future? We started to get really clever with our 5g network APIs. And I, I think we talked about this briefly last time, 5g, programmability and network APIs have been talked about for a while, but developers haven't had a chance to really use them and our edge discovery service answering the question in this case of which database is the closest database, doesn't have to be invoked by the device anymore. You can take a thin client model and invoke it from the cloud using Atlas functions. So we're constantly permuting across the entire portfolio edge or otherwise for what it means to build at the edge. We've seen such tremendous results. >>So how does Mongo think about the edge and, and, and playing, you know, we've been wondering, okay, which database is actually gonna be positioned best for the edge? >>Well, I think if you've got an ultra low latency access network using data technology, that adds latency is probably not a great idea. So MongoDB since the very formative years of the company and product has been built with performance and scalability in mind, including things like in memory storage for the storage engine that we run as well. So really trying to match the performance characteristics of the data infrastructure with the evolution in the mobile network, I think is really fundamentally important. And that first principles build of MongoDB with performance and scalability in mind is actually really important here. >>So was that a lighter weight instance of, of Mongo or not >>Necessarily? No, not necessarily. No, no, not necessarily. We do have edge cashing with realm, the mobile databases Robbie's already mentioned, but the core database is designed from day one with those performance and scalability characteristics in mind, >>I've been playing around with this. This is kind of a, I get a lot of heat for this term, but super cloud. So super cloud, you might have data on Preem. You might have data in various clouds. You're gonna have data out at the edge. And, and you've got an abstraction that allows a developer to, to, to tap services without necessarily if, if he or she wants to go deep into the S great, but then there's a higher level of services that they can actually build for their customers. So is that a technical reality from a developer standpoint, in your view, >>We support that with the Mongo DB multi-cloud deployment model. So you can place Mongo DB, Atlas nodes in any one of the three hyperscalers that we mentioned, AWS, GCP or Azure, and you can distribute your data across nodes within a cluster that is spread across different cloud providers. So that kinds of an kind of answers the question about how you do data placement inside the MongoDB clustered environment that you run across the different providers. And then for the abstraction layer. When you say that I hear, you know, drivers ODMs the other intermediary software components that we provide to make developers more productive in manipulating data in MongoDB. This is one of the most interesting things about the technology. We're not forcing developers to learn a different dialect or language in order to interact with MongoDB. We meet them where they are by providing idiomatic interfaces to MongoDB in JavaScript in C sharp, in Python, in rust, in that in fact in 12 different pro programming languages that we support as a first party plus additional community contributed programming languages that the community have created drivers for ODMs for. So there's really that model that you've described in hypothesis exist in reality, using >>Those different Compli. It's not just a series of siloed instances in, >>In different it's the, it's the fabric essentially. Yeah. >>What, what does the Verizon developer look like? Where does that individual come from? We talked about this a little bit a few weeks ago, but I wonder if you could describe it. >>Absolutely. My view is that the Verizon or just mobile edge ecosystem in general for developers are present at this very conference. They're everywhere. They're building apps. And as Ian mentioned, those idiomatic interfaces, we need to take our network APIs, take the infrastructure that's being exposed and make sure that it's leveraging languages, frameworks, automation, tools, the likes of Terraform and beyond. We wanna meet developers where they are and build tools that are easy for them to use. And so you had talked about the super cloud. I often call it the cloud continuum. So we, we took it P abstraction by abstraction. We started with, will it work in one edge? Will it work in multiple edges, public and private? Will it work in all of the edges for a given region, public or private, will it work in multiple regions? Could it work in multi clouds? We've taken it piece by piece by piece and in doing so abstracting way, the complexity of the network, meaning developers, where they are providing those idiomatic interfaces to interact with our API. So think the edge discovery, but not in a silo within Atlas functions. So the way that we're able to converge portfolios, using tools that dev developers already use know and love just makes it that much easier. Do, >>Do you feel like I like the cloud continuum cause that's really what it is. The super cloud does the security model, how does the security model evolve with that? >>At least in the context of the mobile edge, the attack surface is a lot smaller because it's only for mobile traffic not to say that there couldn't be various configuration and human error that could be entertained by a given application experience, but it is a much more secure and also reliable environment from a failure domain perspective, there's more edge zones. So it's less conducive to a regionwide failure because there's so many more availability zones. And that goes hand in hand with security. Mm. >>Thoughts on security from your perspective, I mean, you added, you've made some announcements this week, the, the, the encryption component that you guys announced. >>Yeah. We, we issued a press release this morning about a capability called queryable encryption, which actually as we record this Mark Porter, our CTO is talking about in his keynote, and this is really the next generation of security for data stored within databases. So the trade off within field level encryption within databases has always been very hard, very, very rigid. Either you have keys stored within your database, which means that your memory, so your data is decrypted while it's resident in memory on your database engine. This allow, of course, allows you to perform query operations on that data. Or you have keys that are managed and stored in the client, which means the data is permanently OBS from the engine. And therefore you can't offload query capabilities to your data platform. You've gotta do everything in the client. So if you want 10 records, but you've got a million encrypted records, you have to pull a million encrypted records to the client, decrypt them all and see performance hit in there. Big performance hit what we've got with queryable encryption, which we announced today is the ability to keep data encrypted in memory in the engine, in the database, in the data platform, issue queries from the client, but use a technology called structural encryption to allow the database engine, to make decisions, operate queries, and find data without ever being able to see it without it ever being decrypted in the memory of the engine. So it's groundbreaking technology based on research in the field of structured encryption with a first commercial database provided to bring this to market. >>So how does the mobile edge developer think about that? I mean, you hear a lot about shifting left and not bolting on security. I mean, is this, is this an example of that? >>It certainly could be, but I think the mobile edge developer still stuck with how does this stuff even work? And I think we need to, we need to be mindful of that as we build out learning journeys. So one of my favorite moments with Mongo was an immersion day. We had hosted earlier last year where we, our, from an enterprise perspective, we're focused on BW BS, but there's nothing stopping us. You're building a B2C app based on the theme of the winner Olympics. At the time, you could take a picture of Sean White or of Nathan Chen and see that it was in fact that athlete and then overlaid on that web app was the number of medals they accrued with the little trumpeteer congratulating you for selecting that athlete. So I think it's important to build trust and drive education with developers with a more simple experience and then rapidly evolve overlaying the features that Ian just mentioned over time. >>I think one of the keys with cryptography is back to the familiar messaging for the cloud offloading heavy lifting. You actually need to make it difficult to impossible for developers to get this wrong, and you wanna make it as easy as possible for developers to deal with cryptography. And that of course is what we're trying to do with our driver technology combined with structure encryption, with query encryption. >>But Robbie, your point is lots of opportunity for education. I mean, I have to say the developers that I work with, it's, I'm, I'm in awe of how they solve problems and I, and the way they solve problems, if they don't know the answer, they figure out how to go get it. So how, how are your two communities and other communities, you know, how are they coming together to, to solve such problems and share whether it's best practices or how do I do this? >>Well, I'm not gonna lie in person. Events are a bunch of fun. And one of the easiest domain knowledge exchange opportunities, when you're all in person, you can ideate, you can whiteboard, you can brainstorm. And often those conversations are what leads to that infrastructure module that an immersion day features. And it's just amazing what in person events can do, but community groups of interest, whether it's a Twitch stream, whether it's a particular code sample, we rely heavily on digital means today to upscale the developer community, but also build on by, by means of a simple port request, introduce new features that maybe you weren't even thinking of before. >>Yeah. You know, that's a really important point because when you meet people face to face, you build a connection. And so if you ask a question, you're more likely perhaps to get an answer, or if one doesn't exist in a, in a search, you know, you, oh, Hey, we met at the, at the conference and let's collaborate on this guys. Congratulations on, on this brave new world. You're in a really interesting spot. You know, developers, developers, developers, as Steve bomber says screamed. And I was glad to see Dave was not screaming and jumping up and down on the stage like that, but, but the message still resonates. So thank you, definitely appreciate. All right, keep it right there. This is Dave ante for the cubes coverage of Mago DB world 2022 from New York city. We'll be right back.

>> Narrator: The cube presents, the Kubecon and Cloudnativecon Europe, 2022 brought to you by Red Hat, the cloud native computing foundation and its ecosystem partners. >> Welcome to Valencia, Spain in Kubecon and Cloudnativecon Europe, 2022. I'm your host Keith Townsend. It's been a amazing day, three days of coverage 7,500 people, 170 sponsors, a good mix of end user organizations, vendors, just people with open source at large. I've loved the conversations. We're not going to stop that coverage just because this is the last session of the conference. Colin Murphy, senior software engineer, Adobe, >> Adobe. >> Oh, wow. This is going to be fun. And then Liam Randall, the chair of CNCF Cloud Native WebAssembly Day. >> That's correct. >> And CNCF & CEO of Cosmonic. >> That's right. >> All right. First off, let's talk about the show. How has this been different than other, if at all of other Kubecons? >> Well, first I think we all have to do a tremendous round of applause, not only for the vendors, but the CNC staff and all the attendees for coming out. And you have to say, Kubecon is back. The online experiences have been awesome but this was the first one, where Hallwaycon was in full effect. And you had the opportunity to sit down and meet with so many intelligent and inspiring peers and really have a chance to learn about all the exciting innovations that have happened over the last year. >> Colin. >> Yeah, it's been my most enjoyable Kubecon I've ever been to. And I've been to a bunch of them over the last few years. Just the quality of people. The problems that we're solving right now, everywhere from this newer stuff that we're talking about today with WebAssembly but then all these big enterprises trying to getting involved in Kubernetes >> Colin, to your point about the problems that we're solving, in many ways the pandemic has dramatically accelerated the pace of innovation, especially inside the CNCF, which is by far the most critical repository of open source projects that enterprises, governments and individuals rely on around the world, in order to deliver new experiences and to have coped and scaled out within the pandemic over the last few years. >> Yeah, I'm getting this feel, this vibe of the overall show that feels like we're on the cuff for something. There's other shows throughout the year, that's more vendor focused that talk about cloud native. But I think this is going to be the industry conference where we're just getting together and talking about it and it's going to probably be, in the next couple of years, the biggest conference of the year, that's just my personal opinion. >> I actually really strongly agree with you. And I think that the reason for that is the diversity that we get from the open source focus of Kubecon Kubecon has started where the industry really started which was in shared community projects. And I was the executive at Capital One that led the donation of cloud custodian into the CNCF. And I've started and put many projects here. And one of the reasons that you do that is so that you can build real scalable communities, Vendors that oftentimes even have competing interest but it gives us a place where we can truly collaborate where we can set aside our personal agendas and our company's agendas. And we can focus on the problems at hand. And how do we really raise the bar for technology for everybody. >> Now you two are representing a project that, you know as we look at kind of, how the web has evolved the past few decades, there's standards, there's things that we know that work, there's things that we know that don't work and we're beyond cloud native, we're kind of resistant to change. Funny enough. >> That's right. >> So WebAssembly, talk to me about what problem is WebAssembly solving that need solving? >> I think it's fitting that here on the last day of Kubecon, we're starting with the newest standard for the web and for background, there's only four languages that make up what we think of as the modern web. There's JavaScript, there's HTML, there's CSS, and now there's a new idea that's WebAssembly. And it's maybe not a new idea but it's certainly a new standard, that's got massive adoption and acceleration. WebAssembly is best thought of as almost like a portable little virtual machine. And like a lot of great ideas like JavaScript, it was originally designed to bring new experiences to browsers everywhere. And as organizations looked at the portability and security value props that come from this tiny little virtual machine, it's made a wonderful addition to backend servers and as a platform for portability to bring solutions all the way out to the edge. >> So what are some of the business cases for WebAssembly? Like what problem, what business problem are we solving? >> So it, you know, we would not have been able to bring Photoshop to the web without WASM. >> Wow. >> And just to be clear, I had nothing to do with that effort. So I want to make sure everybody understands, but if you have a lot of C++ or C code and you want to bring that experience to the web browser which is a great cost savings, cause it's running on the client's machines, really low latency, high performance experiences in the browser, WASM, really the only way to go. >> So I'm getting hints of fruit berry, Java. >> Liam: Yeah, absolutely. >> Colin: Definitely. >> You know, the look, WebAssembly sounds similar to promises you've heard before, right ones, run anywhere. The difference is, is that WebAssembly is not driven by any one particular vendor. So there's no one vendor that's trying to bring a plug in to every single device. WebAssembly was a recognition, much like Kubecon, the point that we started with around the diversity of thought ideas and representation of shared interest, of how do we have a platform that's polyglot? Many people can bring languages to it, and solutions that we can share and then build from there. And it is unlocking some of the most amazing and innovative experiences, both on the web backend servers and all the way to the edge. Because WebAssembly is a tiny little virtual machine that runs everywhere. Adobe's leadership is absolutely incredible with the things that they're doing with WebAssembly. They did this awesome blog post with the Google Chrome team that talked about other performance improvements that were brought into Chrome and other browsers, in order to enable that kind of experience. >> So I get the general concept of WebAssembly and it's one of those things that I have to ask the question, and I appreciate that Adobe uses it but without the community, I mean, I've dedicated some of my team's resources over the years to some really cool projects and products that just died on the buying cause there was no community around. >> Yeah. >> Who else uses WebAssembly? >> Yeah, I think so. We actually, inside the CNCF now, have an entire day devoted just to WebAssembly and as the co-chair of the CNCF Cloud Native WebAssembly Day, we really focus on bringing those case studies to the forefront. So some of the more interesting talks that we had here and at some of the precursor weekend conferences were from BMW, for example, they talked about how they were excited about not only WebAssembly, but a framework that they use on WebAssembly called WASM cloud, that lets them a flexibly scale machine learning models from their own edge, in their own vehicles through to their developer's workstations and even take that data onto their regular cloud Kubernetes and scale analysis and analytics. They invested and they just released a machine learning framework for one of the many great WebAssembly projects called WASM cloud, which is a CNCF project, a member project here in the CNCF. >> So how does that fit in overall landscape? >> So think of WebAssembly, like you think of HTML. It's a technology that gives you a lot of concept and to accelerate your journey on those technologies, people create frameworks. For example, if you were going to write a UI, you would not very likely start with an empty document you'd start with a react or view. And in a similar vein, if you were going to start a new microservice or backend application, project for WebAssembly, you might use WASM cloud or you might use ATMO or you might use a Spin. Those are three different types of projects. They all have their own different value props and their own different opinions that they bring to them. But the point is is that this is a quickly evolving space and it's going to dramatically change the type of experiences that we bring, not only to web browsers but to servers and edges everywhere. >> So Colin, you mentioned C+ >> Colin: Yeah. >> And other coding. Well , talk to me about the ramp up. >> Oh, well, so, yeah, so, C++ there was a lot of work done in scripting, at Adobe. Taking our C++ code and bringing it into the browser. A lot of new instructions, Cimdi, that were brought to make a really powerful experience, but what's new now is the server side aspect of things. So, just what kind of, what Liam was talking about. Now we can run this stuff in the data center. It's not just for people's browsers anymore. And then we can also bring it out to the edge too, which is a new space that we can take advantage of really almost only through WebAssembly and some JavaScript. >> So wait, let me get this kind of under hook. Before, if I wanted a rich experience, I have to run a heavy VDI instance on the back end so that I'm basically getting remote desktop calls from a light thin client back to my backend server, that's heavy. >> That is heavy. >> WebAssembly is alternative to that? >> Yes, absolutely. Think of WebAssembly as a tiny little CPU that is a shim, that we can take the places that don't even traditionally have a concept of a processor. So inside the browser, for example, traditionally cloud native development on the backend has been dominated by things like Docker and Docker is a wonderful technology and Container is a wonderful technology that really drove the last 10 years of cloud native with the great lift and shift, if you will. Take our existing applications, package them up in this virtual desktop and then deliver them. But to deliver the next 10 years of experiences, we need solutions that let us have portability first and a security model that's portable across the entire landscape. So this isn't just browsers and servers on the back end, WebAssembly creates an a layer of equality from truly edge to edge. It's can transcend different CPUs, different operating systems. So where containers have this lower bound off you need to be running Linux and you need to be in a place where you're going to bring Kubernetes. WebAssembly is so small and portable, it transcends that lower bound. It can go to places like iOS. It can go to places like web browsers. It can even go to teeny tiny CPUs that don't even traditionally have a full on operating systems inside them. >> Colin: Right, places where you can't run Docker. >> So as I think about that, and I'm a developer and I'm running my back end and I'm running whatever web stack that I want, how does this work? Like, how do I get started with it? >> Well, there's some great stuff Liam already mentioned with WASM cloud and Frmion Spin. Microsoft is heavily involved now on providing cloud products that can take advantage of WebAssembly. So we've got a lot of languages, new languages coming in.net and Ruby, Rust is a big one, TinyGo, really just a lot of places to get involved. A lot of places to get started. >> At the highest level Finton Ryan, when he was at Gartner, he's a really well known analyst. He wrote something profound a few years ago. He said, WebAssembly is the one technology, You don't need a strategy to adopt. >> Mm. >> Because frankly you're already using it because there's so many wonderful experiences and products that are out there, like what Adobe's doing. This virtual CPU is not just a platform to run on cloud native and to build applications towards the edge. You can embed this virtual CPU inside of applications. So cases where you would want to allow your users to customize an application or to extend functionality. Give you an example, Shopify is a big believer in WebAssembly because while their platform covers, two standard deviations or 80% of the use cases, they have a wonderful marketplace of extensions that folks can use in order to customize the checkout process or apply specialized discounts or integrate into a partner ecosystem. So when you think about the requirements for those scenarios, they line up to the same requirements that we have in browsers and servers. I want real security. I want portability. I want reuseability. And ultimately I want to save money and go faster. So organizations everywhere should take a few minutes and do a heads up and think about one, where WebAssembly is already in their environment, inside of places like Envoy and Istio, some of the most popular projects in the cloud native ecosystem, outside of Kubernetes. And they should perhaps consider studying, how WebAssembly can help them to transform the experiences that they're delivering for their customers. This may be the last day of Kubecon, but this is certainly not the last time we're going to be talking about WebAssembly, I'll tell you that. >> So, last question, we've talked a lot about how to get started. How about day two, when I'm thinking about performance troubleshooting and ensuring clients have a great experience what's day two operation like? >> That's a really good question. So there's, I know that each language kind of brings their own tool chain and their, and you know we saw some great stuff on, on WASM day. You can look it up around the .net experience for debugging, They really tried to make it as seamless and the same as it was for native code. So, yeah, I think that's a great question. I mean, right now it's still trying to figure out server side, It's still, as Liam said, a shifting landscape. But we've got some great stuff out here already >> You know, I'd make an even bigger call than that. When I think about the last 20 years as computing has evolved, we've continued to move through these epics of tech that were dominated by a key abstraction. Think about the rise of virtualization with VMware and the transition to the cloud. The rise of containerization, we virtualized to OS. The rise of Kubernetes and CNCF itself, where we virtualize cloud APIs. I firmly believe that WebAssembly represents the next epic of tech. So I think that day two WebAssembly continues to become one of the dominant themes, not only across cloud native but across the entire technical computing landscape. And it represents a fundamentally gigantic opportunity for organizations such as Adobe, that are always market leading and at the cutting edge of tech, to bring new experiences to their customers and for vendors to bring new platforms and tools to companies that want to execute on that opportunity. >> Colin Murphy, Liam Randall, I want to thank you for joining the Cube at Kubecon Cloudnativecon 2022. I'm now having a JavaScript based app that I want to re-look at, and maybe re-platforming that to WebAssembly. It's some lot of good stuff there. We want to thank you for tuning in to our coverage of Kubecon Cloudnativecon. And we want to thank the organization for hosting us, here from Valencia, Spain. I'm Keith Townsend, and you're watching the Cube, the leader in high tech coverage. (bright music)

>>Okay, welcome back everyone. Cube's coverage here. Live on the floor at AWS summit, 2022, an in person event in San Francisco. Of course, AWS summit, 2022 in New York city is coming up this summer. The cube will be there as well. Make sure you check us out then too, but we day two of coverage had a great guest here. I Han VP of developer relations, Mongo DB, formally of AWS. We've been known each other for a long time doing, uh, developer relations at Mongo DB. Welcome to the queue. Good to see >>You. Thank to be here. Thanks for inviting me, John. It's great >>To, so Mongo DB is, um, first of all, stocks' doing really well right now. Businesswise is good, but I still think it's undervalue. A lot of people think is, is a lot more going huge success with Atlas. So congratulations to the team over there. Um, what's the update? What's the relationship withs, you know, guys have been great partners for years. What's the new thing. Yeah. >>So MongoDB Atlas obviously runs on several different major cloud providers, but AWS is the largest partner that we work with in the public cloud. So the majority of our Atlas workloads for our customers are running on the AWS platform. And just earlier this year, we announced a new strategic collaboration agreement with AWS. That's gonna further strengthen and deepen that partnership that we have with them. >>What's the main product value right now on the scale on, on Atlas, what's the drive in the revenue momentum. >>So, I mean, you know, there's a huge trend in the industry towards cloud managed databases, right? You look back 10, 15 years ago when we first met, most customers were only and operating their own data infrastructure, either running it in their own data centers, or maybe if they were really early using the primitives that cloud providers like AWS offered to run their databases in the cloud when Amazon launched RDS back in 2009, I think it was, we started to see this trend towards cloud managed databases. We followed that with our own Atlas offering back in 2016. And as Andy jazzy from AWS would say very often it's offloading that UND differentiated, heavy lifting, allowing developers to focus on building applications. They don't have to win and operate the data infrastructure. We do it for them, and that has proven incredibly popular amongst our customers. You know, Atlas route right now is growing at 50, sorry, 85% car year on year growth. >>You know, um, I've been following MongoDB for a long, long time. I mean, going back to the lamp stack days, you know, and you think about what Mongo has done as a product because of the developer traction, you know, Mongo can't do this, just keeps getting better every year. And, and the, I think the stickiness with developers is a real big part of that. Can you your view there cuz you're in VE relations. I mean, developers all love Mongo. They're teaching in school. People are picking up a side hustles, they're coding on it, using it all everywhere. I mean it's well known. >>There's a few different reasons for that. I think the main one is the, the document orientated model that we use, the document data models that are used by Mongo DB, just a net way for developers to work with data. And then, uh, we've invested in creating 16 first party drivers that allow developers using various different programming languages, whether that's JavaScript or Python or rust to integrate MongoDB, natively and idiomatic with their software. So it's very, very easy for a developer to pick up MongoDB, grab one of these drivers from their package manager of their choice and then build applications that natively manipulate data inside MongoDB, whether that's MongoDB Atlas or our enterprise edition on their own premises. They get a very consistent and very easy to, I easy to use developer experience with our, with our platform. >>Talk about the go to market with AWS. You guys also have a tightly coupled relationships. There's been announcements there recently. Uh, what's changing most right now that people should pay attention to. Well, >>The first thing is there's a huge amount of technical integration between MongoDB and AWS services. And that's the basis for many of our customers choosing to run Mon Mongo DB on AWS. We're active in 23 AWS regions around the world. And there's many other integration points as well, like cryptographic protection of Mongo MongoDB, stored data using Amazon cryptographic services, for example, or building serverless applications with AWS Lambda and MongoDB servers. So there's a ton of technical integration. Yeah, but what we started to work on now is go to market integration with AWS as well. So you can buy Mongo DB Atlas through AWS's marketplace. You can use the payer, you go offering to pay for it with your AWS bill. And then we're collaborating with AWS on migrations and other joint go to market activities as well. That >>Means get incentives, the sales people at AWS. >>Of course our moreover I mean, it's just really easy for customers, really easy for developers to consume. Yeah, they don't need to contract with MongoDB. They can use their existing AWS contracting, their existing discounting relationships and pre purchasing arrangements with AWS to consume Atlas. >>It's the classic meet the customers where they >>Are exactly right. Meet the developer where they are and meet the customers where they are now with this new model as well. >>Yeah. I love marketplace. I think it's been great. You know, even with its kind of catalog and vibe, I think it's gonna get better and better, uh, over there teams doing good work. Um, and it's easy to consume. That's key. >>Yeah. Super easy. Reduce that friction and make it real easy for developers to adopt this. Right. >>Talk about some of the top customers that you guys share with AWS. What are some of the customers you guys have together and what the benefits of the >>Relationship joint references that we talk about? A lot, one of them is Shutterfly. So in the photographic products area, they built a eCommerce offering with MongoDB and AWS. The second is seven 11 with seven 11. We're doing a lot in the mobile space. So edge applications, we've got a feature in MongoDB Atlas that allows you to synchronize data with databases on mobile devices. Those can be phones point of sale devices or handheld devices that might be used in the parcel industry, for example. So seven 11 using us in that way. And then lastly with Pitney Bowes, we've got a big digital transformation project with Pitney Bowes where they've reimagined their, uh, postage and packaging services, delivering those to their customers, using MongoDB as a data store as well. >>I wanna get in some of the trends, you've got a great per you know, you know, Mongo from Amazon side and now you're there. Um, Mongo's, as you pointed out has, has been around for a long time. What are some of the stats? I mean, how many customers, how many countries? Well, it's pretty massive >>Mind. We've got almost quarter of a billion downloads today, 240 million MongoDB downloads since we launched the first product <laugh>, we've got 33,000 active customers that are using MongoDB Atlas today and we're running well over a million free tier clusters on MongoDB Atlas across all of the different providers where we operate the service as well. So these numbers are, you know, mind blowing in terms of scale. Uh, but of course at the core of that is operational excellence. Customers love Mongo DBS because they don't have to operate it themselves. They don't have to deal with fairly conditions. They don't have to deal with scaling. They don't have to deal with deployment. We all, we do all of those things as part of the service offering and customers get an endpoint that they can use with their applications to store and retrieve data reliably. And with consistently high perform, >>You know, it's, you know, in the media, something has to be dead. Someone's the death of the iPhone, the death of this, nothing that really dies. Mongo DB has always been kind of like talked about, well, it doesn't scale on the high end. Of course, Oracle was saying that, I mean, all the, all the big database vendors were kind of throwing darts at, at Mongo, uh, DB, uh, but it kept scaling. Atlas is a whole nother. Could you just unpack that a little bit more? Why is it so important? Because scale is just, I mean, it's, it's horizontal, but it's also performant. >>Exactly. Right. So with, uh, Mongo DB's document access model that I've described already, you break some of the limitations that exist inside traditional relational databases. So, you know, they don't scale well, if you've got high concurrent and see of data access, and they're typically difficult and expensive to scale because you need to share data. Once you grow beyond individual cluster nodes, and you'll know that all relational databases suffer from these same kinds of issues with non relational systems, no SQL systems like MongoDB, you have to think a little bit more about design at the beginning. So designing database to cater for the different access patterns that you have, but in return for that upfront preparation, that design work, you get near limitless, scalability and performance will scale nearly linearly with that scalability as well. So very much more high performance, very much more simplicity for the developer as their database gets larger and their cluster gets larger to support it. >>Yeah. You know, Amazon web service has always had an a and D jazz. We talk to us all the time, every interview I've done with Swami and Matt wood or whoever on the team and executive levels always said the same thing. There's not one database to rule the world, right? Obvious you're talking about Oracle, but even within AWS customers, they're mixing and matching databases based on use cases. So in distributed environment, they're all working together. So, um, you guys fit nicely into that. So how does that, >>I think strategy slightly counterbalances that so, you know, they would say use the specific tool for the specific task that you have in hand. Yeah. What we try to focus on is creating the simple and most effective developer experience that we can, and then supporting different facets to the product in order to allow developers to different use cases. A really good example with something like MongoDB Atlas search. So we integrated Apache Luine into MongoDB Atlas. Customers can very simply apply Apache Luine search indexes to the data that they've got in MongoDB. And then they can interact with that search data using the same drivers as an API. Yeah, yeah. That they use for regular queries. So if you want to run search on your application data, you don't need a separate open search or elastic search cluster, just turn on MongoDB Atlas search and use that, that search facet. So it's interest and we have other capabilities that it's >>Vertically integrating inside within Mongo, >>Correct? Yes. That's better. Yeah. With the guy, all of creating a really simple and effective developer experience, boosting developer productivity and helping developers get more done in less time. >>You mentioned serverless earlier, what's the serverless angle with AWS when Mongo, >>Is there one? Yeah. So we have MongoDB serverless currently in preview, uh, has the same kind of characteristics that you would, or the characteristics that you would expect from a serverless data base. So consumption based model, you provision an endpoint and that will scale elastically in accordance with your usage and you get billed by consumption units so much like the serverless paradigm that we've seen delivered by AWS, the same kind of model for Mongo, DB, Atlas serverless. >>What, what attracted you to Mongo DBS? So you knew them before, or you moved over there. Um, what's going on there? What's the culture like right now? Oh, >>The culture's great. I mean, it's a much smaller company than AWS where I was before, you know, it's a very large organization. And one of the things that I really like about MongoDB is, as I've said earlier, we can serve the different use cases that a developer might have with a single product, with different aspects, to it, different facets to it. Uh, and it's a really great conversation to have with a, with a developer, with a developer customer, to be able to offer one thing that helps them solve five or six different problems that have traditionally been quite hard for them to wrestle with quite difficult for them to, to deal with. And then we've got this focus on developer experience through these driver packages that we have as well. So it's really great to have as a developer relations pro have that kind of tooling in my kit bag that can help developers become more effective. >>Talk about tooling, cuz you know, I always have, uh, kind of moments where I waffle between more. I love platforms, tools are being over overused, too many tools tool with the tool, you know, the expressions, but we're seeing from developers, the ones that don't want to go into the hood, we serverless plays beautifully. Yep. They want tools. They do. And, and the, the new engineering developers that are coming outta college and universities, they love tools. >>Yeah. And we actually have quite a few of those built into Mongo, DB Atlas. So inside Mongo, DB Atlas, we've got things like an index optimizer, which will suggest the best way that you might index your data for better perform months inside MongoDB, running on Atlas, we've got a data Explorer, which is much like another product that we've got called MongoDB compass that allows you to see and manipulate the data that you have stored within your database natively within the Atlas interface. Uh, and then we also have, uh, whole slew of different metrics, monitoring capabilities built into the platform as well. So these are aspects of Atlas that developers can take advantage of. And then over on the client side, visual studio code plugins. Yeah. So you can manipulate and operate with data directly inside visual studio code, which is obviously the most common and popular IDE out there today, as well as integration with things like infrastructure is code tools. So we support cloud formation for provisioning. We have CDK constructs inside. Yeah. The CDK construct library. We also have a lot of customers using Terraform to provision MongoDB across both AWS and other providers. So having that developer tooling of course is super important. Yeah. Aspect of the developer experience, trying to >>Build out deploying observability is a big one. How does that fit in? Cuz you knew need to talk and not only measure everything here, but talk to other systems. >>Yeah. So we recently announced a provider for Prometheus and Grafana. So we can emit metrics into those providers. Obviously CNCF projects, very common and popular inside customers that are running on Kubernetes. We've got a Kubernetes operator for MongoDB Atlas as well. Good. So you can provision MongoDB Atlas from within Kubernetes as well as having our own native metrics directly within Atlas as well. >>Ian you're crushing it. You got all the, the data, the fingertips. Are you gonna be at Cuban this year? Uh, >>I will be, but some of our team members will definitely be there. >>Yeah, we'll be at, uh, EU. The cube will be there. Great. Thanks for coming on. Appreciate the insight final world. I'll give you the last word. Tell the audience what's going on. What's at Mongo DB. What should they pay attention to? If they've used Mongo and are aware of it? What's the update. What's >>The so you should come to MongoDB world actually in New York at the beginning of June, June 7th, the ninth in the Javit center in New York. Gonna have our own show there. And of course we'd love to see you there. >>Okay. Cube comes here day two of eight, us summit, 2020, this Cub I'm John for your host. Stay with us more. Our coverage as day two winds down. Great coverage.

(upbeat music) >> Hello, and welcome back to AWS Startup Showcase, I'm John Furrier, your host. This is the Hero panel, the AWS Heroes. These are folks that have a lot of experience in Open Source, having fun building great projects and commercializing the value and best practices of Open Source innovation. We've got some great guests here. Liz Rice, Chief Open Source Officer, Isovalent. CUBE alumni, great to see you. Brian LeRoux, who is the Co-founder and CTO of begin.com. Erica Windisch who's an Architect for Developer Experience. AWS Hero, also CUBE alumni. Casey Lee, CTO Gaggle. Doing some great stuff in ed tech. Great collection of experts and experienced folks doing some fun stuff, welcome to this conversation this CUBE panel. >> Hi. >> Thanks for having us. >> Hello. >> Let's go down the line. >> I don't normally do this, but since we're remote and we have such great guests, go down the line and talk about why Open Source is important to you guys. What projects are you currently working on? And what's the coolest thing going on there? Liz we'll start with you. >> Okay, so I am very involved in the world of Cloud Native. I'm the chair of the technical oversight committee for the Cloud Native Computing Foundation. So that means I get to see a lot of what's going on across a very broad range of Cloud Native projects. More specifically, Isovalent. I focus on Cilium, which is it's based on a technology called EBPF. That is to me, probably the most exciting technology right now. And then finally, I'm also involved in an organization called OpenUK, which is really pushing for more use of open technologies here in the United Kingdom. So spread around lots of different projects. And I'm in a really fortunate position, I think, to see what's happening with lots of projects and also the commercialization of lots of projects. >> Awesome, Brian what project are you working on? >> Working project these days called Architect. It's a Open Source project built on top of AWSM. It adds a lot of sugar and terseness to the SM experience and just makes it a lot easier to work with and get started. AWS can be a little bit intimidating to people at times. And the Open Source community is stepping up to make some of that bond ramp a little bit easier. And I'm also an Apache member. And so I keep a hairy eyeball on what's going on in that reality all the time. And I've been doing this open-source thing for quite a while, and yeah, I love it. It's a great thing. It's real science. We get to verify each other's work and we get to expand and build on human knowledge. So that's a huge honor to just even be able to do that and I feel stoked to be here so thanks for having me. >> Awesome, yeah, and totally great. Erica, what's your current situation going on here? What's happening? >> Sure, so I am currently working on developer experience of a number of Open Source STKS and CLI components from my current employer. And previously, recently I left New Relic where I was working on integrating with OpenTelemetry, as well as a number of other things. Before that I was a maintainer of Docker and of OpenStack. So I've been in this game for a while as well. And I tend to just put my fingers in a lot of little pies anywhere from DVD players 20 years ago to a lot of this open telemetry and monitoring and various STKs and developer tools is where like Docker and OpenStack and the STKs that I work on now, all very much focusing on developer as the user. >> Yeah, you're always on the wave, Erica great stuff. Casey, what's going on? Do you got some great ed techs happening? What's happening with you? >> Yeah, sure. The primary Open Source project that I'm contributing to right now is ACT. This is a tool I created a couple of years back when GitHub Actions first came out, and my motivation there was I'm just impatient. And that whole commit, push, wait time where you're testing out your pipelines is painful. And so I wanted to build a tool that allowed developers to test out their GitHub Actions workflows locally. And so this tool uses Docker containers to emulate, to get up action environment and gives you fast feedback on those workflows that you're building. Lot of innovation happening at GitHub. And so we're just trying to keep up and continue to replicate those new features functionalities in the local runner. And the biggest challenge I've had with this project is just keeping up with the community. We just passed 20,000 stars, and it'd be it's a normal week to get like 10 PRs. So super excited to announce just yesterday, actually I invited four of the most active contributors to help me with maintaining the project. And so this is like a big deal for me, letting the project go and bringing other people in to help lead it. So, yeah, huge shout out to those folks that have been helping with driving that project. So looking forward to what's next for it. >> Great, we'll make sure the SiliconANGLE riders catch that quote there. Great call out. Let's start, Brian, you made me realize when you mentioned Apache and then you've been watching all the stuff going on, it brings up the question of the evolution of Open Source, and the commercialization trends have been very interesting these days. You're seeing CloudScale really impact also with the growth of code. And Liz, if you remember, the Linux Foundation keeps making projections and they keep blowing past them every year on more and more code and more and more entrance coming in, not just individuals, corporations. So you starting to see Netflix donates something, you got Lyft donate some stuff, becomes a project company forms around it. There's a lot of entrepreneurial activity that's creating this new abstraction layers, new platforms, not just tools. So you start to see a new kickup trajectory with Open Source. You guys want to comment on this because this is going to impact how fast the enterprise will see value here. >> I think a really great example of that is a project called Backstage that's just come out of Spotify. And it's going through the incubation process at the CNCF. And that's why it's front of mind for me right now, 'cause I've been working on the due diligence for that. And the reason why I thought it was interesting in relation to your question is it's spun out of Spotify. It's fully Open Source. They have a ton of different enterprises using it as this developer portal, but they're starting to see some startups emerging offering like a hosted managed version of Backstage or offering services around Backstage or offering commercial plugins into Backstage. And I think it's really fascinating to see those ecosystems building up around a project and different ways that people can. I'm a big believer. You cannot sell the Open Source code, but you can sell other things that create value around Open Source projects. So that's really exciting to see. >> Great point. Anyone else want to weigh in and react to that? Because it's the new model. It's not the old way. I mean, I remember when I was in college, we had the Pirate software. Open Source wasn't around. So you had to deal under the table. Now it's free. But I mean the old way was you had to convince the enterprise, like you've got a hard knit, it builds the community and the community manage the quality of the code. And then you had to build the company to make sure they could support it. Now the companies are actually involved in it, right? And then new startups are forming faster. And the proof points are shorter and highly accelerated for that. I mean, it's a whole new- >> It's a Cambrian explosion, and it's great. It's one of those things that it's challenging for the new developers because they come in and they're like, "Whoa, what is all this stuff that I'm supposed to figure out?" And there's no right answer and there's no wrong answer. There's just tons of it. And I think that there's a desire for us to have one sort of well-known trot and happy path, that audience we're a lot better with a more diverse community, with lots of options, with lots of ways to approach these problems. And I think it's just great. A challenge that we have with all these options and all these Cambrian explosion of projects and all these competing ideas, right now, the sustainability, it's a bit of a tricky question to answer. We know that there's a commercialization aspect that helps us fund these projects, but how we compose the open versus the commercial source is still a bit of a tricky question and a tough one for a lot of folks. >> Erica, would you chime in on that for a second. I want to get your angle on that, this experience and all this code, and I'm a new person, I'm an existing person. Do I get like a blue check mark and verify? I mean, these are questions like, well, how do you navigate? >> Yeah, I think this has been something happening for a while. I mean, back in the early OpenStack days, 2010, for instance, Rackspace Open Sourcing, OpenStack and ANSU Labs and so forth, and then trying, having all these companies forming in creating startups around this. I started at a company called Cloudccaling back in late 2010, and we had some competitors such as Piston and so forth where a lot of the ANSUL Labs people went. But then, the real winners, I think from OpenStack ended up being the enterprises that jumped in. We had Red Hat in particular, as well as HP and IBM jumping in and investing in OpenStack, and really proving out a lot of... not that it was the first time, but this is when we started seeing billions of dollars pouring into Open Source projects and Open Source Foundations, such as the OpenStack Foundation, which proceeded a lot of the things that we now see with the Linux Foundation, which was then created a little bit later. And at the same time, I'm also reflecting a little bit what Brian said because there are projects that don't get funded, that don't get the same attention, but they're also getting used quite significantly. Things like Log4j really bringing this to the spotlight in terms of projects that are used everywhere by everything with significant outsized impacts on the industry that are not getting funded, that aren't flashy enough, that aren't exciting enough because it's just logging, but a vulnerability in it brings every everything and everybody down and has possibly billions of dollars of impact to our industry because nobody wanted to fund this project. >> I think that brings up the commercialization point about maybe bringing a venture capital model in saying, "Hey, that boring little logging thing could be a key ingredient for say solving some observability problems so I think let's put some cash." Again then we'd never seen that before. Now you're starting to see that kind of a real smart investment thesis going into Open Source projects. I mean, Promethease, Crafter, these are projects that turned off companies. This is turning up companies. >> A decade ago, there was no money in Dev tools that I think that's been fully debunked now. They used to be a concept that the venture community believed, but there's just too much evidence to the contrary, the companies like Cash Court, Datadog, the list goes on and on. I think the challenge for the Open Source (indistinct) comes back to foundations and working (indistinct) these developers make this code safe and secure. >> Casey, what's your reaction to all of this? You've got, so a project has gained some traction, got some momentum. There's a lot of mission critical. I won't say white spaces, but the opportunities in the big cloud game happening. And there's a lot of, I won't say too many entrepreneurial, but there's a lot of community action happening that's precommercialization that's getting traction. How does this all develop naturally and then vector in quickly when it hits? >> Yeah, I want to go back to the Log4j topic real quick. I think that it's a great example of an area that we need to do better at. And there was a cool article that Rob Pike wrote describing how to quantify the criticality. I think that's sort of quantifying criticality was the article he wrote on how to use metrics, to determine how valuable, how important a piece of Open Source is to the community. And we really need to highlight that more. We need a way to make it more clear how important this software is, how many people depend on it and how many people are contributing to it. And because right now we all do that. Like if I'm going to evaluate an Open Source software, sure, I'll look at how many stars it has and how many contributors it has. But I got to go through and do all that work myself and come up with. It would be really great if we had an agreed upon method for ranking the criticality of software, but then also the risk, hey, that this is used by a ton of people, but nobody's contributing to it anymore. That's a concern. And that would be great to potential users of that to signal whether or not it makes sense. The Open Source Security Foundation, just getting off the ground, they're doing some work in this space, and I'm really excited to see where they go with that looking at ways to stop score critically. >> Well, this brings up a good point while we've got everyone here, let's take a plug and plug a project you think that's not getting the visibility it needs. Let's go through each of you, point out a project that you think people should be looking at and talking about that might get some free visibility here. Anyone want to highlight projects they think should be focused more on, or that needs a little bit of love? >> I think, I mean, particularly if we're talking about these sort of vulnerability issues, there's a ton of work going on, like in the Secure Software Foundation, other foundations, I think there's work going on in Apache somewhere as well around the bill of material, the software bill of materials, the Secure Software supply chain security, even enumerating your dependencies is not trivial today. So I think there's going to be a ton of people doing really good work on that, as well as the criticality aspect. It's all like that. There's a really great xkcd cartoon with your software project and some really big monolithic lumps. And then, this tiny little piece in a very important point that's maintained by somebody in his bedroom in Montana or something and if you called it out. >> Yeah, you just opened where the next lightening and a bottle comes from. And this is I think the beauty of Open Source is that you get a little collaboration, you get three feet in a cloud of dust going and you get some momentum, and if it's relevant, it rises to the top. I think that's the collective intelligence of Open Source. The question I want to ask that the panel here is when you go into an enterprise, and now that the game is changing with a much more collaborative and involved, what's the story if they say, hey, what's in it for me, how do I manage the Open Source? What's the current best practice? Because there's no doubt I can't ignore it. It's in everything we do. How do I organize around it? How do I build around it to be more efficient and more productive and reduce the risk on vulnerabilities to managing staff, making sure the right teams in place, the right agility and all those things? >> You called it, they got to get skin in the game. They need to be active and involved and donating to a sustainable Open Source project is a great way to start. But if you really want to be active, then you should be committing. You should have a goal for your organization to be contributing back to that project. Maybe not committing code, it could be committing resources into the darks or in the tests, or even tweeting about an Open Source project is contributing to it. And I think a lot of these enterprises could benefit a lot from getting more active with the Open Source Foundations that are out there. >> Liz, you've been actively involved. I know we've talked personally when the CNCF started, which had a great commercial uptake from companies. What do you think the current state-of-the-art kind of equation is has it changed a little bit? Or is it the game still the same? >> Yeah, and in the early days of the CNCF, it was very much dominated by vendors behind the project. And now we're seeing more and more membership from end-user companies, the kind of enterprises that are building their businesses on Cloud Native, but their business is not in itself. That's not there. The infrastructure is not their business. And I think seeing those companies, putting money in, putting time in, as Brian says contributing resources quite often, there's enough money, but finding the talent to do the work and finding people who are prepared to actually chop the wood and carry the water, >> Exactly. >> that it's hard. >> And if enterprises can find peoples to spend time on Open Source projects, help with those chores, it's hugely valuable. And it's one of those the rising tide floats all the boats. We can raise security, we can reduce the amount of dependency on maintain projects collectively. >> I think the business models there, I think one of the things I'll react to and then get your guys' comments is remember which CubeCon it was, it was one of the early ones. And I remember seeing Apple having a booth, but nobody was manning. It was just an Apple booth. They weren't doing anything, but they were recruiting. And I think you saw the transition of a business model where the worry about a big vendor taking over a project and having undue influence over it goes away because I think this idea of participation is also talent, but also committing that talent back into the communities as a model, as a business model, like, okay, hire some great people, but listen, don't screw up the Open Source piece of it 'cause that's a critical. >> Also hire a channel, right? They can use those contributions to source that talent and build the reputation in the communities that they depend on. And so there's really a lot of benefit to the larger organizations that can do this. They'll have a huge pipeline of really qualified engineers right out the gate without having to resort to cheesy whiteboard interviews, which is pretty great. >> Yeah, I agree with a lot of this. One of my concerns is that a lot of these corporations tend to focus very narrowly on certain projects, which they feel that they depend greatly, they'll invest in OpenStack, they'll invest in Docker, they'll invest in some of the CNCF projects. And then these other projects get ignored. Something that I've been a proponent of for a little bit for a while is observability of your dependencies. And I don't think there's quite enough projects and solutions to this. And it sounds maybe from lists, there are some projects that I don't know about, but I also know that there's some startups like Snyk and so forth that help with a little bit of this problem, but I think we need more focus on some of these edges. And I think companies need to do better, both in providing, having some sort of solution for observability of the dependencies, as well as understanding those dependencies and managing them. I've seen companies for instance, depending on software that they actively don't want to use based on a certain criteria that they already set projects, like they'll set a requirement that any project that they use has a code of conduct, but they'll then use projects that don't have codes of conduct. And if they don't have a code of conduct, then employees are prohibited from working on those projects. So you've locked yourself into a place where you're depending on software that you have instructed, your employees are not allowed to contribute to, for certain legal and other reasons. So you need to draw a line in the sand and then recognize that those projects are ones that you don't want to consume, and then not use them, and have observability around these things. >> That's a great point. I think we have 10 minutes left. I want to just shift to a topic that I think is relevant. And that is as Open Source software, software, people develop software, you see under the hood kind of software, SREs developing very quickly in the CloudScale, but also you've got your classic software developers who were writing code. So you have supply chain, software supply chain challenges. You mentioned developer experience around how to code. You have now automation in place. So you've got the development of all these things that are happening. Like I just want to write software. Some people want to get and do infrastructure as code so DevSecOps is here. So how does that look like going forward? How has the future of Open Source going to make the developers just want to code quickly? And the folks who want to tweak the infrastructure a bit more efficient, any views on that? >> At Gaggle, we're using AWS' CDK, exclusively for our infrastructure as code. And it's a great transition for developers instead of writing Yammel or Jason, or even HCL for their infrastructure code, now they're writing code in the language that they're used to Python or JavaScript, and what that's providing is an easier transition for developers into that Infrastructure as code at Gaggle here, but it's also providing an opportunity to provide reusable constructs that some Devs can build on. So if we've got a very opinionated way to deploy a serverless app in a database and do auto-scaling behind and all stuff, we can present that to a developer as a library, and they can just consume it as it is. Maybe that's as deep as they want to go and they're happy with that. But then they want to go deeper into it, they can either use some of the lower level constructs or create PRs to the platform team to have those constructs changed to fit their needs. So it provides a nice on-ramp developers to use the tools and languages they're used to, and then also go deeper as they need. >> That's awesome. Does that mean they're not full stack developers anymore that they're half stack developers they're taking care of for them? >> I don't know either. >> We'll in. >> No, only kidding. Anyway, any other reactions to this whole? I just want to code, make it easy for me, and some people want to get down and dirty under the hood. >> So I think that for me, Docker was always a key part of this. I don't know when DevSecOps was coined exactly, but I was talking with people about it back in 2012. And when I joined Docker, it was a part of that vision for me, was that Docker was applying these security principles by default for your application. It wasn't, I mean, yes, everybody adopted because of the portability and the acceleration of development, but it was for me, the fact that it was limiting what you could do from a security angle by default, and then giving you these tuna balls that you can control it further. You asked about a project that may not get enough recognition is something called DockerSlim, which is designed to optimize your containers and will make them smaller, but it also constraints the security footprint, and we'll remove capabilities from the container. It will help you build security profiles for app armor and the Red Hat one. SELinux. >> SELinux. >> Yeah, and this is something that I think a lot of developers, it's kind of outside of the realm of things that they're really thinking about. So the more that we can automate those processes and make it easier out of the box for users or for... when I say users, I mean, developers, so that it's straightforward and automatic and also giving them the capability of refining it and tuning it as needed, or simply choosing platforms like serverless offerings, which have these security constraints built in out of the box and sometimes maybe less tuneable, but very strong by default. And I think that's a good place for us to be is where we just enforced these things and make you do things in a secure way. >> Yeah, I'm a huge fan of Kubernetes, but it's not the right hammer for every nail. And there are absolutely tons of applications that are better served by something like Lambda where a lot more of that security surface is taken care of for the developer. And I think we will see better tooling around security profiling and making it easier to shrink wrap your applications that there are plenty of products out there that can help you with this in a cloud native environment. But I think for the smaller developer let's say, or an earlier stage company, yeah, it needs to be so much more straightforward. Really does. >> Really an interesting time, 10 years ago, when I was working at Adobe, we used to requisition all these analysts to tell us how many developers there were for the market. And we thought there was about 20 million developers. If GitHub's to be believed, we think there is now around 80 million developers. So both these groups are probably wrong in their numbers, but the takeaway here for me is that we've got a lot of new developers and a lot of these new developers are really struck by a paradox of choice. And they're typically starting on the front end. And so there's a lot of movement in the stack moved towards the front end. We saw that at re:Invent when Amazon was really pushing Amplify 'cause they're seeing this too. It's interesting because this is where folks start. And so a lot of the obstructions are moving in that direction, but maybe not always necessarily totally appropriate. And so finding the right balance for folks is still a work in progress. Like Lambda is a great example. It lets me focus totally on just business logic. I don't have to think about infrastructure pretty much at all. And if I'm newer to the industry, that makes a lot of sense to me. As use cases expand, all of a sudden, reality intervenes, and it might not be appropriate for everything. And so figuring out what those edges are, is still the challenge, I think. >> All right, thank you very much for coming on the CUBE here panel. AWS Heroes, thanks everyone for coming. I really appreciate it, thank you. >> Thank you. >> Thank you. >> Okay. >> Thanks for having me. >> Okay, that's a wrap here back to the program and the awesome startups. Thanks for watching. (upbeat music)

>>Welcome everyone to the cubes presentation of the AWS startup showcase open cloud innovations. This is season two episode one of the ongoing series and we're covering exciting and innovative startups from the AWS ecosystem. Today. We're going to focus on the open source community. I'm your host, Dave Vellante. And right now we're going to talk about open source security and mitigating risk in light of a recent discovery of a zero day flaw in log for J a Java logging utility and a related white house executive order that points to the FTC pursuing companies that don't properly secure consumer data as a result of this vulnerability and with me to discuss this critical issue and how to more broadly address software supply chain risk is Don Fisher. Who's the CEO of tide lift. Thank you for coming on the program, Donald. >>Thanks for having me excited to be here. Yeah, pleasure. >>So look, there's a lot of buzz. You open the news, you go to your favorite news site and you see this, you know, a log for J this is an, a project otherwise known as logged for shell. It's this logging tool. My understanding is it's, it's both ubiquitous and very easy to exploit. Maybe you could explain that in a little bit more detail. And how do you think this vulnerability is going to affect things this year? >>Yeah, happy to, happy to dig in a little bit in orient around this. So, you know, just a little definitions to start with. So log for J is a very widely used course component that's been around for quite a while. It's actually an amazing piece of technology log for J is used in practically every serious enterprise Java application over the last 10 going on 20 years. So it's, you know, log for J itself is fantastic. The challenge that organization organizations have been facing relate to a specific security vulnerability that was discovered in log for J and that has been given this sort of brand's name as it happens these days. Folks may remember Heartbleed around the openness to sell vulnerability some years back. This one has been dubbed logged for shell. And the reason why it was given that name is that this is a form of security vulnerability that actually allows attackers. >>You know, if a system is found that hasn't been patched to remediate it, it allows hackers to get full control of a, of a system of a server that has the software running on it, or includes this log for J component. And that means that they can do anything. They can access, you know, private customer data on that system, or really do anything and so-called shell level access. So, you know, that's the sort of definitions of what it is, but the reason why it's important is in the, in the small, you know, this is a open door, right? It's a, if, if organizations haven't patched this, they need to respond to it. But one of the things that's kind of, you know, I think important to recognize here is that this log for J is just one of literally thousands of independently created open source components that flow into the applications that almost every organization built and all of them all software is going to have security vulnerabilities. And so I think that log for J is, has been a catalyst for organizations to say, okay, we've got to solve this specific problem, but we all also have to think ahead about how is this all gonna work. If our software supply chain originates with independent creators across thousands of projects across the internet, how are we going to put a better plan in place to think ahead to the next log for J log for shell style incident? And for sure there will be more >>Okay. So you see this incident as a catalyst to maybe more broadly thinking about how to secure the, the digital supply chain. >>Absolutely. Yeah, it's a, this is proving a point that, you know, a variety of folks have been making for a number of years. Hey, we depend, I mean, honestly these days more than 70% of most applications, most custom applications are comprised of this third party open source code. Project's very similar in origin and governance to log for J that's just reality. It's actually great. That's an amazing thing that the humans collaborating on the internet have caused to be possible that we have this rich comments of open source software to build with, but we also have to be practical about it and say, Hey, how are we going to work together to make sure that that software as much as possible is vetted to ensure that it meets commercial standards, enterprise standards ahead of time. And then when the inevitable issues arise like this incident around the log for J library, that we have a great plan in place to respond to it and to, you know, close the close the door on vulnerabilities when they, when they show up. >>I mean, you know, when you listen to the high level narrative, it's easy to point fingers at organizations, Hey, you're not doing enough now. Of course the U S government has definitely made attempts to emphasize this and, and shore up in, in, in, in, in push people to shore up the software supply chain, they've released an executive order last may, but, but specifically, I mean, it's just a complicated situation. So what steps should organizations really take to make sure that they don't fall prey to these future supply chain attacks, which, you know, are, as you pointed out are inevitable. >>Yeah. I mean, it's, it's a great point that you make that the us federal government has taken proactive steps starting last year, 2021 in the fallout of the solar winds breach, you know, about 12 months ago from the time that we're talking, talking here, the U S government actually was a bit ahead of the game, both in flagging the severity of this, you know, area of concern and also directing organizations on how to respond to it. So the, in May, 2021, the white house issued an executive order on cybersecurity and it S directed federal agencies to undertake a whole bunch of new measures to ensure the security of different aspects of their technology and software supply chain specifically called out open source software as an area where they put, you know, hard requirements around federal agencies when they're acquiring technology. And one of the things that the federal government that the white house cybersecurity executive order directed was that organizations need to start with creating a list of the third-party open source. >>That's flowing into their applications, just that even have a table of contents or an index to start working with. And that's, that's called a, a software bill of materials or S bomb is how some people pronounce that acronym. So th the federal government basically requires federal agencies to now create Nessbaum for their applications to demand a software bill of materials from vendors that are doing business with the government and the strategy there has been to expressly use the purchasing power of the us government to level up industry as a whole, and create the necessary incentives for organizations to, to take this seriously. >>You know, I, I feel like the solar winds hack that you mentioned, of course it was widely affected the government. So we kind of woke them up, but I feel like it was almost like a stuck set Stuxnet moment. Donald were very sophisticated. I mean, for the first time patches that were supposed to be helping us protect, now we have to be careful with them. And you mentioned the, the bill of its software, bill of materials. We have to really inspect that. And so let's get to what you guys do. How do you help organizations deal with this problem and secure their open source software supply chain? >>Yeah, absolutely happy to tell you about, about tide lift and, and how we're looking to help. So, you know, the company, I co-founded the company with a couple of colleagues, all of whom are long-term open source folks. You know, I've been working in around commercializing open source for the last 20 years that companies like red hat and, and a number of others as have my co-founders the opportunity that we saw is that, you know, while there have been vendors for some of the traditional systems level, open source components and stacks like Linux, you know, of course there's red hat and other vendors for Linux, or for Kubernetes, or for some of the databases, you know, there's standalone companies for these logs, for shell style projects, there just hasn't been a vendor for them. And part of it is there's a challenge to cover a really vast territory, a typical enterprise that we inspect has, you know, upwards of 10,000 log for shell log for J like components flowing into their application. >>So how do they get a hand around their hands around that challenge of managing that and ensuring it needs, you know, reasonable commercial standards. That's what tide lifts sets out to do. And we do it through a combination of two elements, both of which are fairly unique in the market. The first of those is a purpose-built software solution that we've created that keeps track of the third-party open source, flowing into your applications, inserts itself into your DevSecOps tool chain, your developer tooling, your application development process. And you can kind of think of it as next to the point in your release process, where you run your unit test to ensure the business logic in the code that your team is writing is accurate and sort of passes tests. We do a inspection to look at the state of the third-party open source packages like Apache log for J that are flowing into your, into your application. >>So there's a software element to it. That's a multi-tenant SAS service. We're excited to be partnered with, with AWS. And one of the reasons why we're here in this venue, talking about how we are making that available jointly with AWS to, to drink customers deploying on AWS platforms. Now, the other piece of the, of our solution is really, really unique. And that's the set of relationships that Tyler has built directly with these independent open source maintainers, the folks behind these open source packages that organizations rely on. And, you know, this is where we sort of have this idea. Somebody is making that software in the first place, right? And so would those folks be interested? Could we create a set of aligned incentives to encourage them, to make sure that that software meets a bunch of enterprise standards and areas around security, like, you know, relating to the log for J vulnerability, but also other complicated parts of open source consumption like licensing and open source license, accuracy, and compatibility, and also maintenance. >>Like if somebody looking after the software going forward. So just trying to basically invite open source creators, to partner with us, to level up their packages through those relationships, we get really, really clean, clear first party data from the folks who create, maintain the software. And we can flow that through the tools that I described so that end organizations can know that they're building with open source components that have been vetted to meet these standards, by the way, there's a really cool side effect of this business model, which is that we pay these open source maintainers to do this work with us. And so now we're creating a new income stream around what previously had been primarily a volunteer activity done for impact in this universe of open source software. We're helping these open source maintainers kind of GoPro on an aspect of what they do around open source. And that means they can spend more time applying more process and tools and methodology to making that open source software even better. And that's good for our customers. And it's good for everyone who relies on open source software, which is really everyone in society these days. That's interesting. I >>Was going to ask you what's their incentive other than doing the right thing. Can you give us an example of, of maybe a example of an open source maintainer that you're working with? >>Yeah. I mean, w we're working with hundreds of open source maintainers and a few of the key open source foundations in different areas across JavaScript, Java PHP, Ruby python.net, and, you know, like examples of categories of projects that we're working with, just to be clear, are things like, you know, web frameworks or parser libraries or logging libraries, like a, you know, log for J and all the other languages, right? Or, you know, time and date manipulation libraries. I mean, they, these are sort of the, you know, kind of core building blocks of applications and individually, they, you know, they may seem like, you know, maybe a minor, a minor thing, but when you multiply them across how many applications these get used in and log for J is a really, really clarifying case for folks to understand this, you know, what can seemingly a small part of your overall application estate can have disproportionate impact on, on your operations? As we saw with many organizations that spent, you know, a weekend or a week, or a large part of the holidays, scrambling to patch and remediate this, a single vulnerability in one of those thousands of packages in that case log. >>Okay, got it. So you have this two, two headed, two vectors that I'm going to call it, your ecosystem, your relationship with these open source maintainers is kind of a, that just didn't happen overnight, and it develop those relationships. And now you get first party data. You monetize that with a software service that is purpose built as the monitor of the probe that actually tracks that third, third party activity. So >>Exactly right. Got it. >>Okay. So a lot of companies, Donald, I mean, this is, like I said before, it's a complicated situation. You know, a lot of people don't have the skillsets to deal with this. And so many companies just kind of stick their head in the sand and, you know, hope for the best, but that's not a great strategy. What are the implications for organizations if they don't really put the tools and processes into place to manage their open source, digital supply chain. >>Yeah. Ignoring the problem is not a viable strategy anymore, you know, and it's just become increasingly clear as these big headline incidents that happened like Heartbleed and solar winds. And now this logged for shell vulnerability. So you can, you can bet on that. Continuing into the future and organizations I think are, are realizing the ones that haven't gotten ahead of this problem are realizing this is a critical issue that they need to address, but they have help, right. You know, the federal government, another action beyond that cybersecurity executive order that was directed at federal agencies early last year, just in the last week or so, the FTC of the U S federal trade commission has made a much more direct warning to private companies and industry saying that, you know, issues like this log for J vulnerability risk exposing private, you know, consumer data. That is one of the express mandates of the FTC is to avoid that the FTC has said that this is, you know, bears on both the federal trade commission act, as well as the Gramm-Leach-Bliley act, which relates to consumer data privacy. >>And the FTC just came right out and said it, they said they cited the $700 million settlements that Equifax was subject to for their data breach that also related to open source component, by the way, that that had not been patched by, by Equifax. And they said the FTC intents to use its full legal authority to pursue companies that failed to take reasonable steps, to protect consumer data from exposure as a result of log for J or similar known vulnerabilities in the future. So the FTC is saying, you know, this is a critical issue for consumer privacy and consumer data. We are going to enforce against companies that do not take reasonable precautions. What are reasonable precautions? I think it's kind of a mosaic of solutions, but I'm glad to say tide lift is contributing a really different and novel solution to the mix that we hope will help organizations contend with this and avoid that kind of enforcement action from FTC or other regulators. >>Well, and the good news is that you can tap a tooling like tide lift in the cloud as a service and you know, much easier today than it was 10 or 15 years ago to, to resolve, or at least begin to demonstrate that you're taking action against this problem. >>Absolutely. There's new challenges. Now I'm moving into a world where we build on a foundation of independently created open source. We need new solutions and new ideas, and that's a, you know, that's part of what we're, we're, we're showing up with from the tide lift angle, but there's many other elements that are going to be necessary to provide the full solution around securing the open source supply chain going forward. >>Well, Donald Fisher of tide lift, thanks so much for coming to the cube and best of luck to your organization. Thanks for the good work that you guys do. >>Thanks, Dave. Really appreciate your partnership on this, getting the word out and yeah, thanks so much for today. >>Very welcome. And you are watching the AWS startup showcase open cloud innovations. Keep it right there for more action on the cube, your leader in enterprise tech coverage.

(upbeat music) >> Hello, everyone. Welcome to theCUBE's coverage of the "AWS Startup Showcase", season two, episode one. I'm Lisa Martin, and I'm excited to be joined by Snyk, next in this episode. Liran Tal joins me, the director of developer advocacy. Liran, welcome to the program. >> Lisa, thank you for having me. This is so cool. >> Isn't it cool? (Liran chuckles) All the things that we can do remotely. So I had the opportunity to speak with your CEO, Peter McKay, just about a month or so ago at AWS re:Invent. So much growth and momentum going on with Snyk, it's incredible. But I wanted to talk to you about specifically, let's start with your role from a developer advocate perspective, 'cause Snyk is saying modern development is changing, so traditional AppSec gatekeeping doesn't apply anymore. Talk to me about your role as a developer advocate. >> It is definitely. The landscape is changing, both developer and security, it's just not what it was before, and what we're seeing is developers need to be empowered. They need some help, just working through all of those security issues, security incidents happening, using open source, building cloud native applications. So my role is basically about making them successful, helping them any way we can. And so getting that security awareness out, or making sure people are having those best practices, making sure we understand what are the frustrations developers have, what are the things that we can help them with, to be successful day to day. And how they can be a really good part of the organization in terms of fixing security issues, not just knowing about it, but actually being proactively on it. >> And one of the things also that I was reading is, Shift Left is not a new concept. We've been talking about it for a long time. But Snyk's saying it was missing some things and proactivity is one of those things that it was missing. What else was it missing and how does Snyk help to fix that gap? >> So I think Shift Left is a good idea. In general, the idea is we want to fix security issues as soon as we can. We want to find them. Which I think that is a small nuance that what's kind of missing in the industry. And usually what we've seen with traditional security before was, 'cause notice that, the security department has like a silo that organizations once they find some findings they push it over to the development team, the R&D leader or things like that, but until it actually trickles down, it takes a lot of time. And what we needed to do is basically put those developer security tools, which is what Snyk is building, this whole security platform. Is putting that at the hands and at the scale of, and speed of modern development into developers. So, for example, instead of just finding security issues in your open source dependencies, what we actually do at Snyk is not just tell you about them, but you actually open a poll request to your source codes version and management system. And through that we are able to tell you, now you can actually merge it, you can actually review it, you can actually have it as part of your day-to-day workflows. And we're doing that through so many other ways that are really helpful and actually remediating the problem. So another example would be the IDE. So we are actually embedding an extension within your IDEs. So, once you actually type in your own codes, that is when we actually find the vulnerabilities that could exist within your own code, if that's like insecure code, and we can tell you about it as you hit Command + S and you will save the file. Which is totally different than what SaaS tools starting up application security testing was before because, when things started, you usually had SaaS tools running in the background and like CI jobs at the weekend and in deltas of code bases, because they were so slow to run, but developers really need to be at speed. They're developing really fast. They need to deploy. One development is deployed to production several times a day. So we need to really enable developers to find and fix those security issues as fast as we can. >> Yeah, that speed that you mentioned is absolutely critical to their workflow and what they're expecting. And one of the unique things about Snyk, you mentioned, the integration into how this works within development workflow with IDE, CIDC, they get environment enabling them to work at speed and not have to be security experts. I imagine are two important elements to the culture of the developer environment, right? >> Correct, yes. It says, a large part is we don't expect developers to be security experts. We want to help them, we want to, again, give them the tools, give them the knowledge. So we do it in several ways. For example, that IDE extension has a really cool thing that's like kind of unique to it that I really like, and that is, when we find, for example, you're writing code and maybe there's a batch traversal vulnerability in the function that you just wrote, what we'll actually do when we tell you about it, it will actually tell you, hey, look, these are some other commits made by other open source projects where we found the same vulnerability and those commits actually fixed it. So actually giving you example cases of what potentially good code looks like. So if you think about it, like who knows what patch reversal is, but prototype pollution like many types of vulnerabilities, but at the same time, we don't expect developers to actually know, the deep aspects of security. So they're left off with, having some findings, but not really, they want to fix them, but they don't really have the expertise to do it. So what we're doing is we're bridging that gap and we're being helpful. So I think this is what really proactive security is for developers, that says helping them remediate it. And I can give like more examples, like the security database, it's like a wonderful place where we also like provide examples and references of like, where does their vulnerability come from if there's like, what's fogging in open-source package? And we highlight that with a lot of references that provide you with things, the pull requests that fixed date, or the issue with where this was discussed. You have like an entire context of what is the... What made this vulnerability happen. So you have like a little bit more context than just specifically, emerging some stuff and updating, and there's a ton more. I'm happy to like dive more into this. >> Well, I can hear your enthusiasm for it, a developer advocate it seems like you are. But talking about the burdens of the gaps that you guys are filling it also seems like the developers and the security folks that this is also a bridge for those teams to work better together. >> Correct. I think that is not siloed anymore. I think the idea of having security champions or having threat modeling activities are really, really good, or like insightful both like developers and security, but more than just being insightful, useful practices that organizations should actually do actually bringing a discussion together to actually creating a more cohesive environment for both of those kind of like expertise, development and security to work together towards some of these aspects of like just mitigating security issues. And one of the things that actually Snyk is doing in that, in bringing their security into the developer mindset is also providing them with the ability to prioritize and understand what policies to put in place. So a lot of the times security organizations actually, the security org wants to do is put just, guardrails to make sure that developers have a good leeway to work around, but they're not like doing things that like, they definitely shouldn't do that, like prior to bringing a big risk into today organizations. And that's what I think we're doing also like great, which is the fact that we're providing the security folks to like put the policies in place and then developers who actually like, work really well within those understand how to prioritize vulnerabilities is an important part. And we kind of like quantify that, we put like an urgency score that says, hey, you should fix this vulnerability first. Why? Because it has, first of all, well, you can upgrade really quickly. It has a fix right there. Secondly, there's like an exploit in the wild. It means potentially an attacker can weaponize this vulnerability and like attack your organizations, in an automated fashion. So you definitely want to put that put like a lead on that, on that broken window, if so to say. So we ended up other kind of metrics that we can quantify and put this as like an urgency score, which we called a priority score that helps again, developers really know what to fix first, because like they could get a scan of like hundreds of vulnerabilities, but like, what do I start first with? So I find that like very useful for both the security and the developers working together. >> Right, and especially now, as we've seen such changes in the last couple of years to the threat landscape, the vulnerabilities, the security issues that are impacting every industry. The ability to empower developers to not only work at the speed with which they are accustomed and need to work, but also to be able to find those vulnerabilities faster prioritize which ones need to be fixed. I mean, I think of Log4Shell, for example, and when the challenge is going on with the supply chain, that this is really a critical capability from a developer empowerment perspective, but also from a overall business health and growth perspective. >> Definitely. I think, first of all, like if you want to step just a step back in terms of like, what has changed. Like what is the landscape? So I think we're seeing several things happening. First of all, there's this big, tremendous... I would call it a trend, but now it's like the default. Like of the growth of open source software. So first of all as developers are using more and more open source and that's like a growing trend of have like drafts of this. And it's like always increasing across, by the way, every ecosystem go, rust, .net, Java, JavaScript, whatever you're building, that's probably like on a growing trend, more open source. And that is, we will talk about it in a second what are the risks there. But that is one trend that we're saying. The other one is cloud native applications, which is also worth to like, I think dive deep into it in terms of the way that we're building applications today has completely shifted. And I think what AWS is doing in that sense is also creating a tremendous shift in the mindset of things. For example, out of the cloud infrastructure has basically democratized infrastructure. I do not need to, own my servers and own my monitoring and configure everything out. I can actually write codes that when I deploy it, when something parses this and runs this, it actually creates servers and monitoring, logging, different kinds of things for me. So it democratize the whole sense of building applications from what it was decades ago. And this whole thing is important and really, really fast. It makes things scalable. It also introduces some rates. For example, some of these configuration. So there's a lot that has been changed. And in that landscape of like what modern developer is and I think in that sense, we kind of can need a lead to a little bit more, be helpful to developers and help them like avoid all those cases. And I'm like happy to dive into like the open source and the cloud native. That was like follow-ups on this one. >> I want to get into a little bit more about your relationship with AWS. When I spoke with Peter McKay for re:Invent, he talked about the partnership being a couple of years old, but there's some kind of really interesting things that AWS is doing in terms of leveraging, Snyk. Talk to me about that. >> Indeed. So Snyky integrates with almost, I think probably a lot of services, but probably almost all of those that are unique and related to developers building on top of the AWS platform. And for example, that would be, if you actually are building your code, it connects like the source code editor. If you are pushing that code over, it integrates with code commits. As you build and CIS are running, maybe code build is something you're using that's in code pipeline. That is something that you have like native integrations. At the end of the day, like you have your container registry or Lambda. If you're using like functions as a service for your obligations, what we're doing is integrating with all of that. So at the end of the day, you really have all of that... It depends where you're integrating, but on all of those points of integration, you have like Snyk there to help you out and like make sure that if we find on any of those, any potential issues, anything from like licenses to vulnerabilities in your containers or just your code or your open source code in those, they actually find it at that point and mitigate the issue. So this kind of like if you're using Snyk, when you're a development machine, it kind of like accompanies you through this journey all over what a CIC kind of like landscape looks like as an architectural landscape for development, kind of like all the way there. And I think what you kind of might be I think more interested, I think to like put your on and an emphasis would be this recent integration with the Amazon Inspector. Which is as it's like very pivotal parts on the AWS platform to provide a lot of, integrate a lot of services and provide you with those insights on security. And I think the idea that now that is able to leverage vulnerability data from the Snyk's security intelligence database that says that's tremendous. And we can talk about that. We'd look for shell and recent issues. >> Yeah. Let's dig into that. We've have a few minutes left, but that was obviously a huge issue in November of 2021, when obviously we're in a very dynamic global situation period, but it's now not a matter of if an organization is going to be hit by vulnerabilities and security threats. It's a matter of when. Talk to me about really how impactful Snyk was in the Log4Shell vulnerability and how you help customers evade probably some serious threats, and that could have really impacted revenue growth, customer satisfaction, brand reputation. >> Definitely. The Log4Shell is, well, I mean was a vulnerability that was disclosed, but it's probably still a major part and going to be probably for the foreseeable future. An issue for organizations as they would need to deal with us. And we'll dive in a second and figure out like why, but in like a summary here, Log4Shell was the vulnerability that actually was found in Java library called Log4J. A logging library that is so popular today and used. And the thing is having the ability to react fast to those new vulnerabilities being disclosed is really a vital part of the organizations, because when it is asking factful, as we've seen Log4Shell being that is when, it determines where the security tool you're using is actually helping you, or is like just an added thing on like a checkbox to do. And that is what I think made Snyk's so unique in the sense. We have a team of those folks that are really boats, manually curating the ecosystem of CVEs and like finding by ourselves, but also there's like an entire, kind of like an intelligence platform beyond us. So we get a lot of notifications on chatter that happens. And so when someone opens an issue on an open source repository says, Hey, I found an issue here. Maybe that's an XSS or code injection or something like that. We find it really fast. And we at that point, before it goes to CVE requirement and stuff like that through like a miter and NVD, we find it really fast and can add it to the database. So this has been something that we've done with Log4Shell, where we found that as it was disclosed, not on the open source, but just on the open source system, but it was generally disclosed to everyone at that point. But not only that, because look for J as the library had several iterations of fixes they needed. So they fixed one version. Then that was the recommendation to upgrade to then that was actually found as vulnerable. So they needed to fix the another time and then another time and so on. So being able to react fast, which is, what I think helped a ton of customers and users of Snyk is that aspect. And what I really liked in the way that this has been received very well is we were very fast on creating those command line tools that allow developers to actually find cases of the Log4J library, embedded into (indistinct) but not true a package manifest. So sometimes you have those like legacy applications, deployed somewhere, probably not even legacy, just like the Log4J libraries, like bundled into a net or Java source code base. So you may not even know that you're using it in a sense. And so what we've done is we've like exposed with Snyk CLI tool and a command line argument that allows you to search for all of those cases. Like we can find them and help you, try and mitigate those issues. So that has been amazing. >> So you've talked in great length, Liran about, and detail about how Snyk is really enabling and empowering developers. One last question for you is when I spoke with Peter last month at re:Invent, he talked about the goal of reaching 28 million developers. Your passion as a director of developer advocacy is palpable. I can feel it through the screen here. Talk to me about where you guys are on that journey of reaching those 28 million developers and what personally excites you about what you're doing here. >> Oh, yeah. So many things. (laughs) Don't know where to start. We are constantly talking to developers on community days and things like that. So it's a couple of examples. We have like this dev site community, which is a growing and kicking community of developers and security people coming together and trying to work and understand, and like, just learn from each other. We have those events coming up. We actually have this, "The Big Fix". It's a big security event that we're launching on February 25th. And the idea is, want to help the ecosystem secure security obligations, open source or even if it's closed source. We like help you fix that though that yeah, it's like helping them. We've launched this Snyk ambassadors program, which is developers and security people, CSOs are even in there. And the idea is how can we help them also be helpful to the community? Because they are like known, they are passionate as we are, on application security and like helping developers code securely, build securely. So we launching all of those programs. We have like social impact related programs and the way that we like work with organizations, like maybe non-profit maybe they just need help, like getting, the security part of things kind of like figured out, students and things like that. Like, there's like a ton of those initiatives all over the boards, helping basically the world be a little bit more secure. >> Well, we could absolutely use Snyk's help in making the world more secure. Liran it's been great talking to you. Like I said, your passion for what you do and what Snyk is able to facilitate and enable is palpable. And it was a great conversation. I appreciate that. And we look forward to hearing what transpires during 2022 for Snyk so you got to come back. >> I will. Thank you. Thank you, Lisa. This has been fun. >> All right. Excellent. Liran Tal, I'm Lisa Martin. You're watching theCUBE's second season, season two of the "AWS Startup Showcase". This has been episode one. Stay tuned for more great episodes, full of fantastic content. We'll see you soon. (upbeat music)

>> From theCUBE Studios in Palo Alto in Boston, bringing you data-driven insights from theCUBE and ETR. This is "Breaking Analysis" with Dave Vellante. >> When Facebook changed its name to Meta last fall, it catalyzed a chain reaction throughout the tech industry. Software firms, gaming companies, chip makers, device manufacturers, and others have joined in hype machine. Now, it's easy to dismiss the metaverse as futuristic hyperbole, but do we really believe that tapping on a smartphone, or staring at a screen, or two-dimensional Zoom meetings are the future of how we work, play, and communicate? As the internet itself proved to be larger than we ever imagined, it's very possible, and even quite likely that the combination of massive processing power, cheap storage, AI, blockchains, crypto, sensors, AR, VR, brain interfaces, and other emerging technologies will combine to create new and unimaginable consumer experiences, and massive wealth for creators of the metaverse. Hello, and welcome to this week's Wiki Bond Cube Insights, powered by ETR. In this "Breaking Analysis" we welcome in cyber expert, hacker gamer, NFT expert, and founder of ORE System, Nick Donarski. Nick, welcome, thanks so much for coming on theCUBE. >> Thank you, sir, glad to be here. >> Yeah, okay, so today we're going to traverse two parallel paths, one that took Nick from security expert and PenTester to NFTs, tokens, and the metaverse. And we'll simultaneously explore the complicated world of cybersecurity in the enterprise, and how the blockchain, crypto, and NFTs will provide key underpinnings for digital ownership in the metaverse. We're going to talk a little bit about blockchain, and crypto, and get things started there, and some of the realities and misconceptions, and how innovations in those worlds have led to the NFT craze. We'll look at what's really going on in NFTs and why they're important as both a technology and societal trend. Then, we're going to dig into the tech and try to explain why and how blockchain and NFTs are going to lay the foundation for the metaverse. And, finally, who's going to build the metaverse. And how long is it going to take? All right, Nick, let's start with you. Tell us a little bit about your background, your career. You started as a hacker at a really, really young age, and then got deep into cyber as a PenTester. You did some pretty crazy stuff. You have some great stories about sneaking into buildings. You weren't just doing it all remote. Tell us about yourself. >> Yeah, so I mean, really, I started a long time ago. My dad was really the foray into technology. I wrote my first program on an Apple IIe in BASIC in 1989. So, I like to say I was born on the internet, if you will. But, yeah, in high school at 16, I incorporated my first company, did just tech support for parents and teachers. And then in 2000 I transitioned really into security and focused there ever since. I joined Rapid7 and after they picked up Medis boy, I joined HP. I was one of their founding members of Shadowlabs and really have been part of the information security and the cyber community all throughout, whether it's training at various different conferences or talking. My biggest thing and my most awesome moments as various things of being broken into, is really when I get to actually work with somebody that's coming up in the industry and who's new and actually has that light bulb moment of really kind of understanding of technology, understanding an idea, or getting it when it comes to that kind of stuff. >> Yeah, and when you think about what's going on in crypto and NFTs and okay, now the metaverse it's you get to see some of the most innovative people. Now I want to first share a little bit of data on enterprise security and maybe Nick get you to comment. We've reported over the past several years on the complexity in the security business and the numerous vendor choices that SecOps Pros face. And this chart really tells that story in the cybersecurity space. It's an X,Y graph. We've shown it many times from the ETR surveys where the vertical axis, it's a measure of spending momentum called net score. And the horizontal axis is market share, which represents each company's presence in the data set, and a couple of points stand out. First, it's really crowded. In that red dotted line that you see there, that's 40%, above that line on the net score axis, marks highly elevated spending momentum. Now, let's just zoom in a bit and I've cut the data by those companies that have more than a hundred responses in the survey. And you can see here on this next chart, it's still very crowded, but a few call-outs are noteworthy. First companies like SentinelOne, Elastic, Tanium, Datadog, Netskope and Darktrace. They were all above that 40% line in the previous chart, but they've fallen off. They still have actually a decent presence in the survey over 60 responses, but under that hundred. And you can see Auth0 now Okta, big $7 billion acquisition. They got the highest net score CrowdStrike's up there, Okta classic they're kind of enterprise business, and Zscaler and others above that line. You see Palo Alto Networks and Microsoft very impressive because they're both big and they're above that elevated spending velocity. So Nick, kind of a long-winded intro, but it was a little bit off topic, but I wanted to start here because this is the life of a SecOps pro. They lack the talent in a capacity to keep bad guys fully at bay. And so they have to keep throwing tooling at the problem, which adds to the complexity and as a PenTester and hacker, this chaos and complexity means cash for the bad guys. Doesn't it? >> Absolutely. You know, the more systems that these organizations find to integrate into the systems, means that there's more components, more dollars and cents as far as the amount of time and the engineers that need to actually be responsible for these tools. There's a lot of reasons that, the more, I guess, hands in the cookie jar, if you will, when it comes to the security architecture, the more links that are, or avenues for attack built into the system. And really one of the biggest things that organizations face is being able to have engineers that are qualified and technical enough to be able to support that architecture as well, 'cause buying it from a vendor and deploying it, putting it onto a shelf is good, but if it's not tuned properly, or if it's not connected properly, that security tool can just hold up more avenues of attack for you. >> Right, okay, thank you. Now, let's get into the meat of the discussion for today and talk a little bit about blockchain and crypto for a bit. I saw sub stack post the other day, and it was ripping Matt Damon for pedaling crypto on TV ads and how crypto is just this big pyramid scheme. And it's all about allowing criminals to be anonymous and it's ransomware and drug trafficking. And yes, there are definitely scams and you got to be careful and lots of dangers out there, but these are common criticisms in the mainstream press, that overlooked the fact by the way that IPO's and specs are just as much of a pyramid scheme. Now, I'm not saying there shouldn't be more regulation, there should, but Bitcoin was born out of the 2008 financial crisis, cryptocurrency, and you think about, it's really the confluence of software engineering, cryptography and game theory. And there's some really powerful innovation being created by the blockchain community. Crypto and blockchain are really at the heart of a new decentralized platform being built out. And where today, you got a few, large internet companies. They control the protocols and the platform. Now the aspiration of people like yourself, is to create new value opportunities. And there are many more chances for the little guys and girls to get in on the ground floor and blockchain technology underpins all this. So Nick, what's your take, what are some of the biggest misconceptions around blockchain and crypto? And do you even pair those two in the same context? What are your thoughts? >> So, I mean, really, we like to separate ourselves and say that we are a blockchain company, as opposed to necessarily saying(indistinct) anything like that. We leverage those tools. We leverage cryptocurrencies, we leverage NFTs and those types of things within there, but blockchain is a technology, which is the underlying piece, is something that can be used and utilized in a very large number of different organizations out there. So, cryptocurrency and a lot of that negative context comes with a fear of something new, without having that regulation in place, without having the rules in place. And we were a big proponent of, we want the regulation, right? We want to do right. We want to do it by the rules. We want to do it under the context of, this is what should be done. And we also want to help write those rules as well, because a lot of the lawmakers, a lot of the lobbyists and things, they have a certain aspect or a certain goal of when they're trying to get these things. Our goal is simplicity. We want the ability for the normal average person to be able to interact with crypto, interact with NFTs, interact with the blockchain. And basically by saying, blockchain in quotes, it's very ambiguous 'cause there's many different things that blockchain can be, the easiest way, right? The easiest way to understand blockchain is simply a distributed database. That's really the core of what blockchain is. It's a record keeping mechanism that allows you to reference that. And the beauty of it, is that it's quote unquote immutable. You can't edit that data. So, especially when we're talking about blockchain, being underlying for technologies in the future, things like security, where you have logging, you have keeping, whether you're talking about sales, where you may have to have multiple different locations (indistinct) users from different locations around the globe. It creates a central repository that provides distribution and security in the way that you're ensuring your data, ensuring the validation of where that data exists when it was created. Those types of things that blockchain really is. If you go to the historical, right, the very early on Bitcoin absolutely was made to have a way of not having to deal with the fed. That was the core functionality of the initial crypto. And then you had a lot of the illicit trades, those black markets that jumped onto it because of what it could do. The maturity of the technology though, of where we are now versus say back in 97 is a much different world of blockchain, and there's a much different world of cryptocurrency. You still have to be careful because with any fed, you're still going to have that FUD that goes out there and sells that fear, uncertainty and doubt, which spurs a lot of those types of scams, and a lot of those things that target end users that we face as security professionals today. You still get mailers that go out, looking for people to give their social security number over during tax time. Snail mail is considered a very ancient technology, but it still works. You still get a portion of the population that falls for those tricks, fishing, whatever it might be. It's all about trying to make sure that you have fear about what is that change. And I think that as we move forward, and move into the future, the simpler and the more comfortable these types of technologies become, the easier it is to utilize and indoctrinate normal users, to be able to use these things. >> You know, I want to ask you about that, Nick, because you mentioned immutability, there's a lot of misconceptions about that. I had somebody tell me one time, "Blockchain's Bs," and they say, "Well, oh, hold on a second. They say, oh, they say it's a mutable, but you can hack Coinbase, whatever it is." So I guess a couple of things, one is that the killer app for blockchain became money. And so we learned a lot through that. And you had Bitcoin and it really wasn't programmable through its interface. And then Ethereum comes out. I know, you know a lot about Ether and you have solidity, which is a lot simpler, but it ain't JavaScript, which is ubiquitous. And so now you have a lot of potential for the initial ICO's and probably still the ones today, the white papers, a lot of security flaws in there. I'm sure you can talk to that, but maybe you can help square that circle about immutability and security. I've mentioned game theory before, it's harder to hack Bitcoin and the Bitcoin blockchain than it is to mine. So that's why people mine, but maybe you could add some context to that. >> Yeah, you know it goes to just about any technology out there. Now, when you're talking about blockchain specifically, the majority of the attacks happen with the applications and the smart contracts that are actually running on the blockchain, as opposed to necessarily the blockchain itself. And like you said, the impact for whether that's loss of revenue or loss of tokens or whatever it is, in most cases that results from something that was a phishing attack, you gave up your credentials, somebody said, paste your private key in here, and you win a cookie or whatever it might be, but those are still the fundamental pieces. When you're talking about various different networks out there, depending on the blockchain, depends on how much the overall security really is. The more distributed it is, and the more stable it is as the network goes, the better or the more stable any of the code is going to be. The underlying architecture of any system is the key to success when it comes to the overall security. So the blockchain itself is immutable, in the case that the owner are ones have to be trusted. If you look at distributed networks, something like Ethereum or Bitcoin, where you have those proof of work systems, that disperses that information at a much more remote location, So the more disperse that information is, the less likely it is to be able to be impacted by one small instance. If you look at like the DAO Hack, or if you look at a lot of the other vulnerabilities that exist on the blockchain, it's more about the code. And like you said, solidity being as new as it is, it's not JavaScript. The industry is very early and very infantile, as far as the developers that are skilled in doing this. And with that just comes the inexperience and the lack of information that you don't learn until JavaScript is 10 or 12 years old. >> And the last thing I'll say about this topic, and we'll move on to NFTs, but NFTs relate is that, again, I said earlier that the big internet giants have pretty much co-opted the platform. You know, if you wanted to invest in Linux in the early days, there was no way to do that. You maybe have to wait until red hat came up with its IPO and there's your pyramid scheme folks. But with crypto it, which is again, as Nick was explaining underpinning is the blockchain, you can actually participate in early projects. Now you got to be careful 'cause there are a lot of scams and many of them are going to blow out if not most of them, but there are some, gems out there, because as Nick was describing, you've got this decentralized platform that causes scaling issues or performance issues, and people are solving those problems, essentially building out a new internet. But I want to get into NFTs, because it's sort of the next big thing here before we get into the metaverse, what Nick, why should people pay attention to NFTs? Why do they matter? Are they really an important trend? And what are the societal and technological impacts that you see in this space? >> Yeah, I mean, NFTs are a very new technology and ultimately it's just another entry on the blockchain. It's just another piece of data in the database. But how it's leveraged in the grand scheme of how we, as users see it, it can be the classic idea of an NFT is just the art, or as good as the poster on your wall. But in the case of some of the new applications, is where are you actually get that utility function. Now, in the case of say video games, video games and gamers in general, already utilize digital items. They already utilize digital points. As in the case of like Call of Duty points, those are just different versions of digital currencies. You know, World of Warcraft Gold, I like to affectionately say, was the very first cryptocurrency. There was a Harvard course taught on the economy of WOW, there was a black market where you could trade your end game gold for Fiat currencies. And there's even places around the world that you can purchase real world items and stay at hotels for World of Warcraft Gold. So the adoption of blockchain just simply gives a more stable and a more diverse technology for those same types of systems. You're going to see that carry over into shipping and logistics, where you need to have data that is single repository for being able to have multiple locations, multiple shippers from multiple global efforts out there that need to have access to that data. But in the current context, it's either sitting on a shipping log, it's sitting on somebody's desk. All of those types of paper transactions can be leveraged as NFTs on the blockchain. It's just simply that representation. And once you break the idea of this is just a piece of art, or this is a cryptocurrency, you get into a world where you can apply that NFT technology to a lot more things than I think most people think of today. >> Yeah, and of course you mentioned art a couple of times when people sold as digital art for whatever, it was 60, 65 million, 69 million, that caught a lot of people's attention, but you're seeing, I mean, there's virtually infinite number of applications for this. One of the Washington wizards, tokenized portions of his contract, maybe he was creating a new bond, that's really interesting use cases and opportunities, and that kind of segues into the latest, hot topic, which is the metaverse. And you've said yourself that blockchain and NFTs are the foundation of the metaverse, they're foundational elements. So first, what is the metaverse to you and where do blockchain and NFTs, fit in? >> Sure, so, I mean, I affectionately refer to the metaverse just a VR and essentially, we've been playing virtual reality games and all the rest for a long time. And VR has really kind of been out there for a long time. So most people's interpretation or idea of what the metaverse is, is a virtual reality version of yourself and this right, that idea of once it becomes yourself, is where things like NFT items, where blockchain and digital currencies are going to come in, because if you have a manufacturer, so you take on an organization like Nike, and they want to put their shoes into the metaverse because we, as humans, want to individualize ourselves. We go out and we want to have that one of one shoe or that, t-shirt or whatever it is, we're going to want to represent that same type of individuality in our virtual self. So NFTs, crypto and all of those digital currencies, like I was saying that we've known as gamers are going to play that very similar role inside of the metaverse. >> Yeah. Okay. So basically you're going to take your physical world into the metaverse. You're going to be able to, as you just mentioned, acquire things- I loved your WOW example. And so let's stay on this for a bit, if we may, of course, Facebook spawned a lot of speculation and discussion about the concept of the metaverse and really, as you pointed out, it's not new. You talked about why second life, really started in 2003, and it's still around today. It's small, I read recently, it's creators coming back into the company and books were written in the early 90s that used the term metaverse. But Nick, talk about how you see this evolving, what role you hope to play with your company and your community in the future, and who builds the metaverse, when is it going to be here? >> Yeah, so, I mean, right now, and we actually just got back from CES last week. And the Metaverse is a very big buzzword. You're going to see a lot of integration of what people are calling, quote unquote, the metaverse. And there was organizations that were showing virtual office space, virtual malls, virtual concerts, and those types of experiences. And the one thing right now that I don't think that a lot of organizations have grasp is how to make one metaverse. There's no real player one, if you will always this yet, There's a lot of organizations that are creating their version of the metaverse, which then again, just like every other software and game vendor out there has their version of cryptocurrency and their version of NFTs. You're going to see it start to pop up, especially as Oculus is going to come down in price, especially as you get new technologies, like some of the VR glasses that look more augmented reality and look more like regular glasses that you're wearing, things like that, the easier that those technologies become as in adopting into our normal lifestyle, as far as like looks and feels, the faster that stuff's going to actually come out to the world. But when it comes to like, what we're doing is we believe that the metaverse should actually span multiple different blockchains, multiple different segments, if you will. So what ORE system is doing, is we're actually building the underlying architecture and technologies for developers to bring their metaverse too. You can leverage the ORE Systems NFTs, where we like to call our utility NFTs as an in-game item in one game, or you can take it over and it could be a t-shirt in another game. The ability for having that cross support within the ecosystem is what really no one has grasp on yet. Most of the organizations out there are using a very classic business model. Get the user in the game, make them spend their money in the game, make all their game stuff as only good in their game. And that's where the developer has you, they have you in their bubble. Our goal, and what we like to affectionately say is, we want to bring white collar tools and technology to blue collar folks, We want to make it simple. We want to make it off the shelf, and we want to make it a less cost prohibitive, faster, and cheaper to actually get out to all the users. We do it by supporting the technology. That's our angle. If you support the technology and you support the platform, you can build a community that will build all of the metaverse around them. >> Well, and so this is interesting because, if you think about some of the big names, we've Microsoft is talking about it, obviously we mentioned Facebook. They have essentially walled gardens. Now, yeah, okay, I could take Tik Tok and pump it into Instagram is fine, but they're really siloed off. And what you're saying is in the metaverse, you should be able to buy a pair of sneakers in one location and then bring it to another one. >> Absolutely, that's exactly it. >> And so my original kind of investment in attractiveness, if you will, to crypto, was that, the little guy can get an early, but I worry that some of these walled gardens, these big internet giants are going to try to co-op this. So I think what you're doing is right on, and I think it's aligned with the objectives of consumers and the users who don't want to be forced in to a pen. They want to be able to live freely. And that's really what you're trying to do. >> That's exactly it. You know, when you buy an item, say a Skin in Fortnite or Skin in Call of Duty, it's only good in that game. And not even in the franchise, it's only good in that version of the game. In the case of what we want to do is, you can not only have that carry over and your character. So say you buy a really cool shirt, and you've got that in your Call of Duty or in our case, we're really Osiris Protocol, which is our proof of concept video game to show that this all thing actually works, but you can actually go in and you can get a gun in Osiris Protocol. And if we release, Osiris Protocol two, you'll be able to take that to Osiris Protocol two. Now the benefit of that is, is you're going to be the only one in the next version with that item, if you haven't sold it or traded it or whatever else. So we don't lock you into a game. We don't lock you into a specific application. You own that, you can trade that freely with other users. You can sell that on the open market. We're embracing what used to be considered the black market. I don't understand why a lot of video games, we're always against the skins and mods and all the rest. For me as a gamer and coming up, through the many, many years of various different Call of Duties and everything in my time, I wish I could still have some this year. I still have a World of Warcraft account. I wasn't on, Vanilla, Burning Crusade was my foray, but I still have a character. If you look at it that way, if I had that wild character and that gear was NFTs, in theory, I could actually pass that onto my kid who could carry on that character. And it would actually increase in value because they're NFT back then. And then if needed, you could trade those on the open market and all the rest. It just makes gaming a much different thing. >> I love it. All right, Nick, hey, we're out of time, but I got to say, Nick Donarski, thanks so much for coming on the program today, sharing your insights and really good luck to you and building out your technology platform and your community. >> Thank you, sir, it's been an absolute pleasure. >> And thank you for watching. Remember, all these episodes are available as podcasts, just search "Breaking Analysis Podcast", and you'll find them. I publish pretty much every week on siliconangle.com and wikibond.com. And you can reach me @dvellante on Twitter or comment on my LinkedIn posts. You can always email me david.vellante@siliconangle.com. And don't forget, check out etr.plus for all the survey data. This is Dave Vellante for theCUBE Insights, powered by ETR, happy 2022 be well, and we'll see you next time. (upbeat music)

(upbeat music) >> Welcome to this CUBE Conversation. This is part of the second season of the AWS startup showcase, season two, episode one. I'm Dave Nicholson, and I am joined with a very special guest, CEO and co-founder of Tidelift, Mr. Donald Fischer. Donald, welcome to the CUBE. >> Thanks David. Really glad to be here. >> So, first and foremost, tell us about Tidelift. >> Happy to, yeah, so, at Tidelift we're on a mission. Our mission is to make open source software work better for everyone, and when we say that, we mean, make it work better for all the organizations and governments and everybody that depends on open source software to build the applications that we all rely on. But also part of our mission, is making open source work better for the creators of open source. The independent open source maintainers, who are behind so many of those building blocks, technology building blocks that our commerce industry and society is comprised of these days. They've got a hard task to hold up all of that stuff and make sure that it meets, you know, professional grade standards and that we can all rely on it. And so, we want to do our part to help both sides of that equation. >> Fantastic, well, I want to double click on a few of the things that you said, but I think I want to format this by starting out with a little role play between the two of us, if you don't mind. I know you're CEO, but for the sake of this, you're going to be the CIO and I'm going to be the CEO, and we're going to play off some recent events here. So, hey Donald, come on in, sit down. Listen, I want to talk to you about this whole log shell, log for something, or another thing that's going on. So, let me get this straight. Our multinational Fortune 500 company is dependent upon software, that's free, and somehow we've been running this and the people who maintain it, do it for free, we don't pay for it, but somehow this has opened us up to a threat from people who can log into a system we're using to keep track of stuff, and then, what's going on? By the way, you're fired, but I want to know if, I want to know if you can stay on for the next 90 days to train your replacement, but, explain to me what's going on with this whole open-source nonsense? >> Yeah. Don't panic boss. Only about 70 or 80% of the software in our enterprise that is third-party open source software. So, there's definitely, like 20 or 30% that's not, and we're on top of it. Now, yeah, I think it's a, you know, you're right to say, we are completely dependent on this software, that's being created by these, you know, amazing folks on the internet. Boss, you told me that we had to have a global corporation here with modern digital customer experience. We're not going to be able to do it using Microsoft front page from 1997, and there's no other path to take than to build with modern building blocks. And today in, you know, the modern era, that means building on open source packages and technologies across a whole slew of language, ecosystems, like JavaScript and Java PHP, Ruby, Python, .NET, Rust, Go, we use all of it here, boss, and, we don't get to have a business unless we do. >> Okay, so, I didn't understand a word that you just said, but it was enough to convince me to let you keep your job. So, end-scene, we're not getting paid scale wages to do this, Donald, so I think we can go back to our normal personas. So, how does Tidelift play into all of this? I'd really want to hear about this concept of what an open source maintainer is, because these are largely volunteers, aren't they, in terms of the maintenance that they're doing? >> Yeah, so, I mean, open source, there's a lot of different models for open source software development. There certainly are a number of foundational open source projects, certainly at the infrastructure level, like operating systems, databases and things like that, that tend to be, you know, predominantly driven by vendors, software vendors, you know, like you can think of Red Hat, VMware organizations like that. But when you get up to the application development world, teams, building, you know, websites, web applications, mobile applications, most of the building blocks at that tier in these a programming language ecosystems, most of the software there is actually being created, that enterprise organizations use, is being created by individual, independent, open source maintainers, where it's not their day job, it's a side hustle for them. And it's a really interesting question, like, how did we get here? You know, why are these folks doing it? It sort of rhymes with the question I asked myself years ago, like, who's typing all this stuff into Wikipedia, and why? Like, it's amazing resource, I'm so glad it's there, but why are they doing this, right? And it turns out that there's a bunch of motivations there's some cynical motivations for the open source maintainers that people attribute that are practical too, you know, people say your GitHub repository is your resume in as a modern developer, things like that helps you get a reputation, you can use that to get a job. But, when we've talked to the maintainers of the most widely used open source packages, and by that, I mean, thousands of packages that every major organization that builds software relies on, the main reason why they do it is actually impact. We find we've actually done direct surveys of this audience and the reason why they spend their nights and weekends and carve out time, where they could be, you know, getting paid to do something else or going skiing or going to the beach, is it really feels good to have this activity that they put out into the world, and, you know, they know that folks use this stuff and rely on it, and there's a pride in their work and the impact that they're making. But the challenge with this model is that when it's only an impact and pride, and sort of a, you know, a good feeling driven effort, it means that maybe all of the things that organizations might want their standards that organizations might want their software to meet doesn't get done, right? Like it's one thing, if you've got a job as a software engineer, building corporate software, or even as a, you know, a maintainer at a corporate open source company, and you have a checklist of, you know, standard enterprise software development, commercial grade software development tasks that you need to be completing, if you're doing it as a side hustle for good reasons, like impact and, you know, releasing your creative juice, you might not get to some of the more boring aspects of commercial software engineering, like security engineering and some of the documentation and release engineering and, you know, making sure there's structured metadata around all the elements of it. And then that's the gap that we're really trying to fill at Tidelift, by connecting these two audiences. >> Yeah. How? How? You want to fill the gap, you want to connect the audiences, but, how do you do that? >> Yeah, perfect, so, we do it by paying the maintainers, paying the open source maintainers, actual dollars, or the currency of their preference, and what we're paying them for is not just to sort of hack on their projects, or hack on their projects more, we're asking them to help us ensure that the software that the organizations that we work with depend on meets certain specific concrete enterprise standards, and those standards fall into three categories, security, licensing, and maintenance. So, on the security front, you know, a baseline standard, there is making sure that we have known versions of the open source packages that are free of known defects, right? So there's like a catalog of known security defects that the industry uses called the National Vulnerability Database, you may have seen the terminology CVE referred to in passing, that's the identifier for these things. So, we work with the open-source maintainers to make sure that we've figured out, mapped out, which versions of software packages are impacted by known security vulnerabilities. And then we also look forward and make sure that we have a plan in place for what happens in the future when there are security vulnerabilities. So, you know, traditional commercial software, there's a security response team, who's kind of standing by 24/7, ready to respond, and then there's a defined protocol of what's going to happen, in terms of what's called responsible disclosure, telling the right folks in the right sequence, that there is a vulnerability causing there to be a patch version of the software available, communicating that through, you know, traditional commercial software vendors for, you know, years have been doing that internally, that doesn't exist by default for volunteer, you know, part-time open source, independent open source maintainers. So we fill that gap and we pre-wire that with them to make sure that that first track security is can be buttoned up. >> So, you're paying them, are you and your co-founders wealthy philanthropists that are just doing this, or what's the business model here? Now you're pulling these people who were doing it for free, they're happy, but how does that translate into a business model for Tidelift. >> Perfect, so, the work that they're doing, you know, I talked a little bit about security, we also do similar things on those other attributes, like licensing, making sure that the licenses are completely accurate, and we kind of know who wrote the software, et cetera, and then maintenance, is it being proactively cared for going forward? Is somebody still on the case with these projects? Now, the result of all of that work, is we create a vetted catalog of known good open source releases that we've vetted with the experts, often the individuals and teams that wrote the code in the first place, usually, we vet that it meets these enterprise standards. That's a really useful tool for organizations that are building with that. So, the way that we convey that to organizations that are building software in a useful way is we have a SAS service software, that as a service platform, that's what Tidelift is, and basically, the teams that use this stuff, they plug us into their software development process, typically alongside other tools that they might have, like CI/CD tools that are running tests on their application logic, they'll plug in Tidelift into their release process to ensure that those, the 70 or 80% of the software that they ship, that comes from GitHub, comes from the Python package index, or NPM, or the Maven Central Repository for Java, we're vetting that that meets their enterprise standards and ensuring that the ingredients, the building blocks that go into their applications are known good and vetted to these concrete standards. And they are, you know, this is an unsolved problem for almost every serious organization. There's a couple of, you know, over-performing organizations, like Google has done some amazing internal work on this, Amazon has an incredible dedicated team that does this internally for Amazon developers, very few other organizations, even some of the largest multinational companies have a dedicated internal function doing this comprehensively and systematically. Tidelift is that function that these organizations can use. They can work with us and our network, our unique network of hundreds of these independent open source maintainers, to ensure that there is a feed of known good vetted packages to go into their applications. >> So, were maintainers going in and auditing, and editing, and vetting software that was essentially created by others? That's one question, and then the other question that kind of goes along with that is, are you vetting a gold copy of something and saying, this software meets certain criteria, you should feel okay using it, that's one thing. Validating that the actual distribution, you know, the actual code that's being executed in their enterprise is secure and hasn't been tampered with is another thing. So where do you sit in that distribution channel or that supply chain? >> Sure, so, on the distribution front, you can think of us, we're sort of a GPS system that your application developers can use to know which versions of software are going to meet your enterprise standards. We don't create a separate world where we have our own, you know, side copy of the entire development ecosystem. It's not what these organizations want. They don't want to use some weird enterprise world set of open source packages, they want to just, you know, type NPM install have the, you know, software flow into their organization, but they also want it to not have no insecurity vulnerabilities in it, and they don't want to get bitten two weeks or two years later with a license violation, because there was kind of fuzzy, or incomplete data around the open source license. So what we do is, we help them consume the open source software, you know, knowing that it's been vetted to these standards. And then we also work with the open source community to cause the software to be changed to meet those standards, right? So back to the first part of your question, We work with a lot of projects with the prime maintainers, often the authors, as I said, and we've actually been extending our model over the years to work with these open source maintainers to cover not just their own project, but, some of those neighboring projects, right? Like the core projects that their project depends on, other projects that are co-used with them, they have a lot of expertise, and also, you know, relationships with the surrounding open source community there. So, they're working with us as curators, if you will, our ambassadors that help us get on the community and cover as much of the landscape as possible. >> And, so, what's the relationship with AWS? This is, you know, we're talking here as part of the AWS startup showcase season two, episode one, which is, that's actually pretty cool. So we need to, you know, the challenge here is, season one was awesome, much like Ted Lasso, season two, we have big shoes to fill here, Donald. So, what's the-- >> We got to up our game. >> (laughs) What's the relationship with AWS? And, I mean, why would they call you out as someone interesting for us to talk to? >> Yeah, so, we've had a great relationship that we've been investing in, and working on together with AWS. So, every one of AWS's customers faces this challenge around the software workloads that they're deploying on AWS. You know, it's just, you can't argue against the fact that the vast majority of the application software in the modern world is comprised majority of this third-party open source software. And so, it's really important whether it's running on a device, you know, an Edge device, or whether it's running in a Cloud data center, that those applications meet these standards, especially on the security front. So, AWS recognizes this need and opportunity for their customers, and so we've been working really well jointly with them. We're glad to say that we're an ISV, and AWS ISV accelerate partner now, which gives us the ability to co-engage with AWS and work together to solve mutual customers challenges, and we've had a great time working with the AWS team to help scale up our efforts to get the word word out around this important area, and then more importantly, give organizations the tools to address it and make sure that they have a comprehensive strategy for managing their open source in place. >> Fantastic, Donald, we're up against time, but I do have a 10 second answer I'd like from you. Tidelift, is that a reference to a rising tide lifting all boats, or is it an admonishment not to build a house on the beach in Malibu? >> It's the former, you know, think about this network of independent open source maintainers, working together, a rising tide lifts all boats. >> Eight seconds, that was like four seconds. Perfect. Donald Fischer, from Tidelift, thank you so much. For me, Dave Nicholson here at the CUBE. This has been a CUBE Conversation, as part of AWS's startup showcase, season two, episode one. Come to the CUBE for the best in tech coverage. (soft music)