(upbeat music) >> Welcome to this CUBE Conversation. This is part of the second season of the AWS startup showcase, season two, episode one. I'm Dave Nicholson, and I am joined with a very special guest, CEO and co-founder of Tidelift, Mr. Donald Fischer. Donald, welcome to the CUBE. >> Thanks David. Really glad to be here. >> So, first and foremost, tell us about Tidelift. >> Happy to, yeah, so, at Tidelift we're on a mission. Our mission is to make open source software work better for everyone, and when we say that, we mean, make it work better for all the organizations and governments and everybody that depends on open source software to build the applications that we all rely on. But also part of our mission, is making open source work better for the creators of open source. The independent open source maintainers, who are behind so many of those building blocks, technology building blocks that our commerce industry and society is comprised of these days. They've got a hard task to hold up all of that stuff and make sure that it meets, you know, professional grade standards and that we can all rely on it. And so, we want to do our part to help both sides of that equation. >> Fantastic, well, I want to double click on a few of the things that you said, but I think I want to format this by starting out with a little role play between the two of us, if you don't mind. I know you're CEO, but for the sake of this, you're going to be the CIO and I'm going to be the CEO, and we're going to play off some recent events here. So, hey Donald, come on in, sit down. Listen, I want to talk to you about this whole log shell, log for something, or another thing that's going on. So, let me get this straight. Our multinational Fortune 500 company is dependent upon software, that's free, and somehow we've been running this and the people who maintain it, do it for free, we don't pay for it, but somehow this has opened us up to a threat from people who can log into a system we're using to keep track of stuff, and then, what's going on? By the way, you're fired, but I want to know if, I want to know if you can stay on for the next 90 days to train your replacement, but, explain to me what's going on with this whole open-source nonsense? >> Yeah. Don't panic boss. Only about 70 or 80% of the software in our enterprise that is third-party open source software. So, there's definitely, like 20 or 30% that's not, and we're on top of it. Now, yeah, I think it's a, you know, you're right to say, we are completely dependent on this software, that's being created by these, you know, amazing folks on the internet. Boss, you told me that we had to have a global corporation here with modern digital customer experience. We're not going to be able to do it using Microsoft front page from 1997, and there's no other path to take than to build with modern building blocks. And today in, you know, the modern era, that means building on open source packages and technologies across a whole slew of language, ecosystems, like JavaScript and Java PHP, Ruby, Python, .NET, Rust, Go, we use all of it here, boss, and, we don't get to have a business unless we do. >> Okay, so, I didn't understand a word that you just said, but it was enough to convince me to let you keep your job. So, end-scene, we're not getting paid scale wages to do this, Donald, so I think we can go back to our normal personas. So, how does Tidelift play into all of this? I'd really want to hear about this concept of what an open source maintainer is, because these are largely volunteers, aren't they, in terms of the maintenance that they're doing? >> Yeah, so, I mean, open source, there's a lot of different models for open source software development. There certainly are a number of foundational open source projects, certainly at the infrastructure level, like operating systems, databases and things like that, that tend to be, you know, predominantly driven by vendors, software vendors, you know, like you can think of Red Hat, VMware organizations like that. But when you get up to the application development world, teams, building, you know, websites, web applications, mobile applications, most of the building blocks at that tier in these a programming language ecosystems, most of the software there is actually being created, that enterprise organizations use, is being created by individual, independent, open source maintainers, where it's not their day job, it's a side hustle for them. And it's a really interesting question, like, how did we get here? You know, why are these folks doing it? It sort of rhymes with the question I asked myself years ago, like, who's typing all this stuff into Wikipedia, and why? Like, it's amazing resource, I'm so glad it's there, but why are they doing this, right? And it turns out that there's a bunch of motivations there's some cynical motivations for the open source maintainers that people attribute that are practical too, you know, people say your GitHub repository is your resume in as a modern developer, things like that helps you get a reputation, you can use that to get a job. But, when we've talked to the maintainers of the most widely used open source packages, and by that, I mean, thousands of packages that every major organization that builds software relies on, the main reason why they do it is actually impact. We find we've actually done direct surveys of this audience and the reason why they spend their nights and weekends and carve out time, where they could be, you know, getting paid to do something else or going skiing or going to the beach, is it really feels good to have this activity that they put out into the world, and, you know, they know that folks use this stuff and rely on it, and there's a pride in their work and the impact that they're making. But the challenge with this model is that when it's only an impact and pride, and sort of a, you know, a good feeling driven effort, it means that maybe all of the things that organizations might want their standards that organizations might want their software to meet doesn't get done, right? Like it's one thing, if you've got a job as a software engineer, building corporate software, or even as a, you know, a maintainer at a corporate open source company, and you have a checklist of, you know, standard enterprise software development, commercial grade software development tasks that you need to be completing, if you're doing it as a side hustle for good reasons, like impact and, you know, releasing your creative juice, you might not get to some of the more boring aspects of commercial software engineering, like security engineering and some of the documentation and release engineering and, you know, making sure there's structured metadata around all the elements of it. And then that's the gap that we're really trying to fill at Tidelift, by connecting these two audiences. >> Yeah. How? How? You want to fill the gap, you want to connect the audiences, but, how do you do that? >> Yeah, perfect, so, we do it by paying the maintainers, paying the open source maintainers, actual dollars, or the currency of their preference, and what we're paying them for is not just to sort of hack on their projects, or hack on their projects more, we're asking them to help us ensure that the software that the organizations that we work with depend on meets certain specific concrete enterprise standards, and those standards fall into three categories, security, licensing, and maintenance. So, on the security front, you know, a baseline standard, there is making sure that we have known versions of the open source packages that are free of known defects, right? So there's like a catalog of known security defects that the industry uses called the National Vulnerability Database, you may have seen the terminology CVE referred to in passing, that's the identifier for these things. So, we work with the open-source maintainers to make sure that we've figured out, mapped out, which versions of software packages are impacted by known security vulnerabilities. And then we also look forward and make sure that we have a plan in place for what happens in the future when there are security vulnerabilities. So, you know, traditional commercial software, there's a security response team, who's kind of standing by 24/7, ready to respond, and then there's a defined protocol of what's going to happen, in terms of what's called responsible disclosure, telling the right folks in the right sequence, that there is a vulnerability causing there to be a patch version of the software available, communicating that through, you know, traditional commercial software vendors for, you know, years have been doing that internally, that doesn't exist by default for volunteer, you know, part-time open source, independent open source maintainers. So we fill that gap and we pre-wire that with them to make sure that that first track security is can be buttoned up. >> So, you're paying them, are you and your co-founders wealthy philanthropists that are just doing this, or what's the business model here? Now you're pulling these people who were doing it for free, they're happy, but how does that translate into a business model for Tidelift. >> Perfect, so, the work that they're doing, you know, I talked a little bit about security, we also do similar things on those other attributes, like licensing, making sure that the licenses are completely accurate, and we kind of know who wrote the software, et cetera, and then maintenance, is it being proactively cared for going forward? Is somebody still on the case with these projects? Now, the result of all of that work, is we create a vetted catalog of known good open source releases that we've vetted with the experts, often the individuals and teams that wrote the code in the first place, usually, we vet that it meets these enterprise standards. That's a really useful tool for organizations that are building with that. So, the way that we convey that to organizations that are building software in a useful way is we have a SAS service software, that as a service platform, that's what Tidelift is, and basically, the teams that use this stuff, they plug us into their software development process, typically alongside other tools that they might have, like CI/CD tools that are running tests on their application logic, they'll plug in Tidelift into their release process to ensure that those, the 70 or 80% of the software that they ship, that comes from GitHub, comes from the Python package index, or NPM, or the Maven Central Repository for Java, we're vetting that that meets their enterprise standards and ensuring that the ingredients, the building blocks that go into their applications are known good and vetted to these concrete standards. And they are, you know, this is an unsolved problem for almost every serious organization. There's a couple of, you know, over-performing organizations, like Google has done some amazing internal work on this, Amazon has an incredible dedicated team that does this internally for Amazon developers, very few other organizations, even some of the largest multinational companies have a dedicated internal function doing this comprehensively and systematically. Tidelift is that function that these organizations can use. They can work with us and our network, our unique network of hundreds of these independent open source maintainers, to ensure that there is a feed of known good vetted packages to go into their applications. >> So, were maintainers going in and auditing, and editing, and vetting software that was essentially created by others? That's one question, and then the other question that kind of goes along with that is, are you vetting a gold copy of something and saying, this software meets certain criteria, you should feel okay using it, that's one thing. Validating that the actual distribution, you know, the actual code that's being executed in their enterprise is secure and hasn't been tampered with is another thing. So where do you sit in that distribution channel or that supply chain? >> Sure, so, on the distribution front, you can think of us, we're sort of a GPS system that your application developers can use to know which versions of software are going to meet your enterprise standards. We don't create a separate world where we have our own, you know, side copy of the entire development ecosystem. It's not what these organizations want. They don't want to use some weird enterprise world set of open source packages, they want to just, you know, type NPM install have the, you know, software flow into their organization, but they also want it to not have no insecurity vulnerabilities in it, and they don't want to get bitten two weeks or two years later with a license violation, because there was kind of fuzzy, or incomplete data around the open source license. So what we do is, we help them consume the open source software, you know, knowing that it's been vetted to these standards. And then we also work with the open source community to cause the software to be changed to meet those standards, right? So back to the first part of your question, We work with a lot of projects with the prime maintainers, often the authors, as I said, and we've actually been extending our model over the years to work with these open source maintainers to cover not just their own project, but, some of those neighboring projects, right? Like the core projects that their project depends on, other projects that are co-used with them, they have a lot of expertise, and also, you know, relationships with the surrounding open source community there. So, they're working with us as curators, if you will, our ambassadors that help us get on the community and cover as much of the landscape as possible. >> And, so, what's the relationship with AWS? This is, you know, we're talking here as part of the AWS startup showcase season two, episode one, which is, that's actually pretty cool. So we need to, you know, the challenge here is, season one was awesome, much like Ted Lasso, season two, we have big shoes to fill here, Donald. So, what's the-- >> We got to up our game. >> (laughs) What's the relationship with AWS? And, I mean, why would they call you out as someone interesting for us to talk to? >> Yeah, so, we've had a great relationship that we've been investing in, and working on together with AWS. So, every one of AWS's customers faces this challenge around the software workloads that they're deploying on AWS. You know, it's just, you can't argue against the fact that the vast majority of the application software in the modern world is comprised majority of this third-party open source software. And so, it's really important whether it's running on a device, you know, an Edge device, or whether it's running in a Cloud data center, that those applications meet these standards, especially on the security front. So, AWS recognizes this need and opportunity for their customers, and so we've been working really well jointly with them. We're glad to say that we're an ISV, and AWS ISV accelerate partner now, which gives us the ability to co-engage with AWS and work together to solve mutual customers challenges, and we've had a great time working with the AWS team to help scale up our efforts to get the word word out around this important area, and then more importantly, give organizations the tools to address it and make sure that they have a comprehensive strategy for managing their open source in place. >> Fantastic, Donald, we're up against time, but I do have a 10 second answer I'd like from you. Tidelift, is that a reference to a rising tide lifting all boats, or is it an admonishment not to build a house on the beach in Malibu? >> It's the former, you know, think about this network of independent open source maintainers, working together, a rising tide lifts all boats. >> Eight seconds, that was like four seconds. Perfect. Donald Fischer, from Tidelift, thank you so much. For me, Dave Nicholson here at the CUBE. This has been a CUBE Conversation, as part of AWS's startup showcase, season two, episode one. Come to the CUBE for the best in tech coverage. (soft music)

(string music) >> Welcome to the Cube conversation here at the Cube studios in Palo Alto California, I'm John Furrier, cohost of the Cube and cofounder of Slip and Angle Media. We're here with Shlomi Ben Haim who's the founder and CEO of Jfrog, hot startup. I asked him to come in to chat about his business. In the dev/op space, we see him at a lot of shows, your company's doing well, we love the marketing, the frog thing is great, love it, very cool. But there's a lot of real serious action going on in the enterprise and in the cloud and in emerging tech, whether it's AI or machine learning, whether its innovative things, developers are front and center in the marketplace and there's a boatload of noise out there, there's like this approach, this approach, there's a lot of different approaches, but at the end of the day, the devs are driving a lot of innovation. You guys are at the center of it so welcome to the Cube. >> Thank you. >> First question for you, just take a minute to talk about what you guys do, Jfrog, what's your company, what's your business, what are you guys up to, what's your deal? >> The way I think that the community will describe us would be that we are the binaries people, we are taking care of your binaries. As you know in the dev/ops world, everything you do you do with your binaries, with your software artifacts, so I heard some of the community members call us the database of dev/ops and we are the providers of artifactory, bintray, xray and mission control which take care of your binaries, managing them, host them, distribute them and secure them. >> Open source event we were at, we saw you guys because I was doing all the interviews and you guys were right on the edge there, then you guys got some nice background images off the Cube videos, but it was really interesting. The trend is your friend as the saying goes and the number of open source projects is increasing, the actual lines of code is exponentially going to grow from 22 million to 200, 400 million lines of code over the next couple of years, that's hockey stick. More developers are coming in, not old school like me that built their own stuff from scratch, there's a lot of lego blocks in fact Jim Samlin said that 10% of the code will probably be original ideas and differentiation, 90% of most of the code will be a code sandwich, which I believe, I think that's the legit direction. How do you guys fit into that trend and what does that mean for your business because I can imagine, there's a ton of Git Hub stuff going on, tons of forking, tons of projects, you got block chain catching the world by storm, there is a massive developer tsunami going on. How do you guys help them? >> It's very interesting, when we started Jfrog, actually my co-founder Yoav Landman started by providing developers with a very dummy, basic solution to proxy, public repositories like Maven central and it was not about the code for the first time, it was about the binaries. Code is great and the line of code, as you said, it's going to go enormous but what happened is that when you need to automate, when you need to rebuild, when you need to release faster, you go down to the binary level, to the software artifact level and guess what, no one took care of your binaries before, you were just throwing your binaries to your version controller or file store, maybe you were hosting them. >> They were messy, it's like a kid with their room, all the stuff spread around all over the place, where's that binary, no one keeps track of it. >> Nobody care about that, but this is the one thing that you keep consuming, keep building with, keep recompiling and in the era of dev/ops, is the one asset that you need to automate and reuse. This is where we, >> The core problem if I get this right, is that compiling is going to be, if you think of dev/ops, it's infrastructure as code, as the phrase goes as we always say and programming infrastructure is what dev guys want to do, they don't want to be in the business of switching configurations, getting in the routers and the network. They want it to be just one layer of resource, serverless is a great trend for you, more and more developers are going to love this. They want to program, so when you're programming, the inherent next step is where's the code, who's compiling it, does it need to be compiled? Is that the core problem, that there's more and more stuff going on under the hood that needs to be managed? Is that growing part of your business solution or is the problem just lost binaries, what's the core problem? >> It's a perfect question. First of all, we are providers, we are the providers of the only universal solution. Binaries are not just for java developers, they are not just for python developers, they are not just for dot net developers, they are not just for docker users and the way you package it, binaries happens between your get and your CI server, let's say Jenkins, get and Jenkins and your Kubernetes. Something happens between those two sites. Your orchestration tool and your code repository tool. In this land is where binaries play a very significant role and this is where we are a major player. >> Is the problem error prone in that zone, in that zone it's like the wild west, it's like a black hole if you will, think about what you're saying, if I get it right. There's a lot of stuff that goes on in there, is it mismanagement, what's the core thing that you guys got to do there? >> Tons of binaries, too much public repositories that the community cannot rely on. You need to manage and host your own binaries, the ones that you create yourself, and to provide and this is the last strength we see in the market, big organization need to provide dev/ops as a service to their own developers, so they need to ask this very important asset that we call software artifact and binaries or darker images or whatever you want to call it. >> Yeah a lot of great trends going on, obviously containers and Kubernetes you mentioned. Let's get into those, that's driving a lot of change. Certainly containers has been around for a while, whether you call it wrappers or whatever, it's a great magical thing, we love containers, Kubernetes really gets the trend right, if you look at the google trend, you see Kubernetes has got so much more traction than containers, although I'm not saying one's more relevant than the other, certainly orchestration's important, linking and loading all these containers together. Why is Kubernetes accelerating the binary conversation? Is it because more rapid development is going on, more programmability's going on, why is Kubernetes impacting the binaries components more now than ever? >> Putting aside the need for automating and integrating, this whole orchestration solution requires some work on the binary level but if you think about what Kubernetes is trying to solve, or what the containers are all trying to solve is a better, faster release, better, faster deployment, better, faster delivery and then you can do it only if you will combine the power of the developers and the power of the machine and release faster. This is what we say in Jfrog, release fast or die because it's all about how fast can you release? >> Before we get into some of the product specific stuff, I want to ask you some pointed questions on that. I want to ask you about automation. AI is obviously hot, I love AI, even though it's hyped up, it still promotes great software development, machine learning really is where the meat on the bone is there, so machine learning and automation bots, whatever you want to look at it, is an opportunity to actually to create adaptive code. How did that new software paradigm affect binaries because I can almost imagine that if you got a bot going wild, it could screw up the binaries. >> Completely. >> So can you comment on that, that area. Obviously we want more bots, automation is a good thing on one level, but how do you guys look at that market as an opportunity, as a challenge, what's that whole AI thing look like? >> Well if we take a step back, I think the dev/ops started with the need to automate and release faster. It was like the playground of developers, we need a better integration, we need a continuous integration, we need better delivery, we need continuous delivery. If you think about it now, in 20/20 perspective, you understand that this was all milestones. The next big challenge is continuous updates. People like me, people like you, just want their devices and machines to be updated. >> And secure, look at Equifax. Equifax is a great example, they didn't update the code. >> Absolutely and it's flowing and just happening and secure and in the world of automation, the world of AI, I think that the big challenge or the next big challenge of dev/ops is how can I create a continuous update machine which is also secure and software update will just flow. It will not be something that you press I agree, I reboot and do any kind of crazy stuff in order just to get your software update. It's more about the user experience of all of us. It's not just developers and dev/ops companies anymore. >> That's a great vision by the way, I love that. It should work like that and programmable infrastructure for dev/ops should be programmable and always available and highly reliable. Mark Zuckerberg used to have the saying, move fast, break stuff, that's not a dev/ops ethos by the way, they built their own dev/ops, but then he kind of quickly waffled back to move fast, be reliable, because he got some religion on ops. Totally get that, let's go into today's world. That gives us a little future view, what is a use case for a customer? Take me through the day and the life of a customer that's using Jfrog, what are their problems, what are some of the things that are burning in their office? Where's the smoke, what's the problem that they have that they need to take care of the binaries? Sprawl of code, just mismanagement, what are some of the signals? Share with your view there. >> It starts with the fact that it's not your developer anymore that builds software. You have a CI server there that never goes to a lunch break, never take a break with Facebook, which by the way, it's a great company but sometimes it stop giving the time during the work time and you keep building and building like crazy. Your CI server keep producing binaries. >> It's an always on code machine basically. >> It's a binaries machine and it's being built 24 by seven and yes, you use just a portion of it but you have to host and manage all of it and if you will host it in your version controller, it will explode, if you will put it in a file store, it will not be something, >> Explode because of capacity? >> Because you cannot do any cleanups on the version controller, not get or subversion or the false or any of them, you don't do cleanups on version control. >> Hygiene is an issue. >> Yes, plus integration. You need to integrate with your records system, plus promotion, you need to allow and automate promotion of the specific bites that you build. >> So that's why people call you the database or I would even say the brains of binaries, you got to keep track of the goods if you will, it's like the crown jewel is the binary. >> Right. >> If I get that right, okay let's take it to the next level. You have good hygiene, you have good stuff going on, what are you guys doing specifically that gives you a differentiation of the market because is it software, is it hardware, what is the Jfrog differentiation? >> I think that the first thing that happened to us was that we realized that binaries is for everyone. If you remember Jfrog's slogans from 2010, it was binaries for the people. We felt like we are leading the revolution of taking care of your binaries and therefore, we decided that whatever we build, our philosophy base, our concept will be universal. We started with the Java community, Maven and Gradel and then the dot net community with Nougat and then when it came to be more like a dev/ops industry in 2013 or '14 was it, >> Roughly, 2008 to 2014 was really the cloud errati and then it grew and then it matured a little bit. >> And the combination of dev and ops and IT and then we started to support packages like Debian and RPM, beyond repositories, docker registry, we were the first docker registry in the market. >> You were riding the wave from the beginning. >> Yes. >> You were right there riding the binary wave with the native cloud growth, public cloud growth big time which by the way had a lot of iterations quickly. >> Which is also one of our differentiators, we are the only hybrid providers for your binary solution. We have it in the cloud, any cloud or on prem. >> Who's the competition? >> It's a very good question, on a niche level, we have companies like docker that provide a docker registry we have Cores that provide docker registry, by the way, anyone in the market now that want to have a docker registry, a container registry. On the Java Maven domains, Sonotype provide a nexus which is a binary repository manager for Java for Maven builds. NPM provide a solution for NPM but if you think about the universal solution that supports other, >> Those are siloed platform specific binaries. >> Yes. >> You're taking much more of a wholistic, horizontally scalable, any binary any time management. >> Exactly, we don't do the before and after, but in the binaries world, we want to be one solution for all. >> I get the whole registry thing, love that positioning. Just a dumb question, when someone's coming in and managing intermittently in the registry, how do you guys handle that piece? How do you know that a Java request coming in from a Java registry, you guys have a front end to this thing, is it your software, how do you guys manage the integration of requests to and from the binaries. >> The read and write to the repository you mean? >> Yes. >> Artifactor is a very sophisticated repository if I may say it's built more like a database, it's based on a check sum mechanism and not just a basic file store. >> You verify it coming in on the front end. >> Right, the parts and machine caching, managing, hosting and distributing, it's all happening in artifactor. >> And performance is as good? No problems with performance? >> Well we are the only provider that has a highly available solution with over 4000 customers, so I guess it is. >> You got a smile yeah, I see you at the shows. You got a good reputation so it's great to have you come in. I want to just take a minute to pause because I know we're having a great conversation, I could talk about CI servers til the cows come home, one of my favorite topics dev/ops, as people who have been following me since 2008 know, I love the cloud, cloud native vision from day one. There's a lot of people out there who don't know what the hell a binary is, so take a minute and explain, what is a binary and why is it such an important thing right now in context to open source growth, more developers coming in, context to enterprises trying to be cloud like and just for the general purpose, why are binaries important? Why should the general public, how would you talk about what is a binary? >> I'll try. I think that the main difference is that binaries are more like, maybe it's a basic metaphor, but binaries are more like fresh food, unlike freeze food. Your source code is freezed, you're not allowed to touch it, you're not allowed to clean it, you're not allowed to change it. Your one dot seal would be my one dot seal. It's kind of freeze food, this is why in dev for get and other player in this market are so important. We see how bit bucket with the class in and Git Hub are growing and still playing a significant role binaries are different, binaries is the fresh food. Something that you keep changing, any minute and you build with a specific binary something and then something else and it become another binary if I may say so. I think that the flexibility that you need to gain when you go on full automation and full integration is the flexibility that you can get on the binary level. You cannot get it on the code level. Therefore, binaries playing a very significant role in the cloud era and in the dev/ops era. >> Sure it allows for extensibility of source code. In a way what you're saying. You can eat the frozen food or you can chop up your own organic meal yourself. >> Exactly. >> Okay I get that, final question for you, thanks for coming in, appreciate the one on one on binaries there. People can always just go on Wikipedia and look at other definitions on stack overflow and whatnot. What is the customer value proposition for Jfrog? Why should I work with you, what's the main reason for you to have 4000 customers? What's driving them to use you? Is it just convenience? Is it scalability, all of the above? Just take a minute to explain why customers go to you and if people don't work with you, why should they work with you? >> I think that the biggest challenge today is that you want to treat binaries as first level citizens and instead of having an NPM repository, docker registry, Maven repository, python repository and there is no single organization that will have just one repository, you can have it all with Jfrog. The second thing we are the providers of highly available solution to protect your data centers so if you don't want your 1000 developers sitting down, waiting for the binary repository to be up and running and to allow the environment, then you probably want to, >> Productivity right there is one. >> Productivity and efficiency, absolutely. We are also providing it to secure your binary flow and the platform that distributes your binaries. We take binaries very seriously, over two billion downloads a month on bintray, our distribution hub and we work with the community and for the community, we are developers ourself, coming from the open source community so it's all bottom up and community friendly. >> Shlomi, great commentary, I want to just get a personal, take your Jfrog hat off for a minute, put your developer, executive, industry expert hat on. Share with the audience your view on the developer market. There's been a lot of negative press around the brogrammer lately and all these things, but trends are clear that you have massive growth in open source, comment on the role open source plays as it goes into some argue fifth generation, fourth, fifth generation, I remember when the first generation I was coding on. Those were the days but different, it's changed. You have so much code, it's really a party right now in open source, there's so much good stuff happening. Google's donating tensorflow, all these people putting real big libraries out there to code on. Kubernetes is just so awesome, system guys specifically love what's going on in the cloud. But cloud is exploding a lot of opportunities, IoT and AI, what's the developer market like right now, just share your thoughts, what's the sentiment, what's the excitement, what are the young kids doing? What are some of the big things that you see happening? >> From business perspective, what we see in the market is developers first of all taking decisions. They hear their managers coming with the pain and expect it to solve it and the bottom up process is something we never saw in the market. The last five, six years, we see more and more developers kind of educating their managers with how to do it and how to do it faster. The second thing and this is, >> So bottom up's happening now you're saying. >> Happening for the last five years and it's growing. The second thing we see in the cloud, you see it more than I am, Google and Amazon and Microsoft and Red Hat, everyone want a piece of the cloud, Orca now just announced two days ago, three days ago. Everyone want a piece of the cloud and everybody understand that data traffic comes from developers, it's not individuals, it's communities, the open source community is giant and it's a very, there's a very important player in the data traffic of what we call the cloud highway. >> And the communities are very most important piece, you would agree with that, right? We're very community focused, that's the key, right? >> Yes, absolutely. >> I think the world will be developer indoctrinated with basically developer premises across all business, so it's not a department anymore, it's permeating all through organizations. >> Right and also impact our user experience. People like simple people that doesn't understand code, they're not contributing to the open source world still need software updates and competitive analysis are talking about that, how fast can you release? >> Well Stu Miniman and Dave Alante and Peter Burris and I always talk about community is the key in open source, you guys have been very successful in the community. Congratulations, obviously we're very community focused with our content, with the Cube. If you like the Cube, check us out at cube.net, give us a call, come in the studio if you're a thought leader, love to chat with you. I'm John Furrier with the Cube, more thought leadership coverage in Palo Alto here inside the Cube. We'll be right back, thanks for watching. (electronic music)

>> Announcer: Live from San Francisco, it's theCUBE, covering DevNet Create 2017, brought to you by Cisco. >> Welcome back everyone, we're here live in San Francisco for theCUBE's special exclusive coverage of Cisco's inaugural event, DevNet Create, a foray into the developer opensource world as they extend their classic DevNet core developer program, three years old now, going into the opensource world, this is theCUBE, I'm John Furrier with my cohost, Peter Burris, our next guest is Matt Howard, EVP and CMO of Sonatype, knows something about opensource, Matt, great to have you on theCUBE, thanks for joining us. >> Thanks for having me. >> So first, talk about Sonatype, what do you guys do? Give a quick minute to describe the company, then I got some pointed questions for you. >> Well, we provide tools and intelligence to modern development organizations to basically reinvent how opensource components are flowing through the pipeline, through the value chain, through the development lifecycle. >> You guys are a service, SaaS service, are you guys a subscription? >> It's a subscription service, and we provide two products, there's a product which is a repository manager called Nexus where you store, organize, and distribute software binaries into the development lifecycle, and then there's a second server product called Nexus IQ, which provides intelligence on top of those binary, so think of it as like FDA food labeling database, so if you're looking at a bag of potato chips as a consumer, you can see that there's calories, sugar, salt, it's gluten-free. If you're looking at a software binary, you're able to see metadata that we provide, which allows you as a developer to make intelligent decisions with respect to, this component's good for my application 'cause it's properly licensed, or this component's good for my application because it doesn't have any-- >> So you're a verifying code, basically, in a way. >> Yeah, absolutely. Verifying and qualifying the opensource-- >> John: And the problem you solve for the customer as well. >> The customer basically gets to build applications at scale, at speed, with quality opensource components. >> So you take the worries off, like, with the licensing, does it work well, you're like Yelp for software? There're comments? >> Sort of, more like Amazon reviews for opensource binaries. >> Okay, great, cool, thanks for taking the time. So we was just talking in our intro, opensource, I'm old enough to know when we used to pirate software, and then opensource, woo, this is great, and then it became a tier two in the enterprise player, Red Hat brought it to tier one. It's booming. Communities are changing. You're in the middle of it, what's happening? Give us your take on how opensource is evolving, because it's the classic case of cliche, opensource, I'm standing on the shoulders of giants before me, and now the next generation is standing on the current generations of shoulders, a new generation's happening, what's going on? >> So, just think of supply and demand, simple supply. We live in a world right now where development organizations are facing an infinite supply of opensource, there's a thousand new opensource projects a day, 10,000 new versions and 14 releases per year. The supply is massive. And in a world where supply is incredible, consumption is equally incredible, last year alone, there were 52 billion download requests from Maven Central for Java binaries, 50 billion-plus requests for NPM packages in the JavaScript ecosystem, so we are basically dealing with a world where software is no longer a marginal cost to doing business, it is the business. Developers are king, developers are the lifeblood that's flowing through every great enterprise today, because innovation is ultimately the thing that will allow companies to compete and win on a global playing field! >> I mean, it's almost intoxicating for these guys who are just drinking from the trough of free software, because if you compound the new projects with the fact that Google and these guys are donating awesome libraries, Amazons, machine-learning stuff, it's not something to shake a stick at, it's great software! >> Yeah! >> TensorFlow, Spanner, I mean, all this stuff-- >> It's great software, and just think, in a world of infinite choice, which is the world we're living in, how do you make the best choice? >> So where's the growth coming from? Peter and I were speculating that, in talking to Abby Kearns yesterday from Cloud Foundry, and then with the Cloud Native Foundation, a lot of money's coming in so the business model for players and vendors are coming in, and suppliers now helping out and donating software, but we're speculating that there's a whole growth area that's different than we've seen before. Are we on that? Your comment to that, your thoughts on where this evolution's coming from, the next wave, is it horizontal? >> Our view is that the devops transformation from waterfall-native development to devops-native software development is happening and it's real, and it's arguably in the early days, but it's no stopping that train now. As organizations continue to reconcile demand from board members and shareholders and CEOs, how do you remain relevant, how do you be, put yourself into a position where you're innovating with software fast enough to remain competitive? And that's a tremendous pressure, and it's driving transformational change like devops, and so as that demand for speed continues to grow, we think it only increases the appetite for opensource, and it creates opportunities for organizations like ours to basically automate how that opensource innovation happens. >> We do a lot of crowd chats, to surface the landscape and the common theme that comes up is, oh, your organizational mindset has to change, and were commenting, Peter and I were talking yesterday about, if your org's not set up, you'll have, what's the law? >> Conway's law. >> Conway's law, where the output matches the organization, but the bigger question is, Ford CEO got fired, he's been in the job for less than four years, he didn't have time to transform, so the question is, how does opensource help people transform faster, do you have any observations around that? Because that's the number one question we get is, okay, I need to configure resources to do that, and then the other theme that we're hearing, I'd love to get your reaction on is, "Oh my God, I'm going to lose my job through automation." And certainly Cisco has networking guys who are looking down the barrel of potentially being irrelevant if they don't make the network programmable, so this is, we've lived through cycles, is it the mainframe guys who kind of lose their jobs, kind of thing going on? Or is it a transformative opportunity for the people as well? >> Yeah, it's a great question, there's a lot there, but I think the notion that they say software eats the world, a different way of viewing is automation eats the world, and if you look at, we refer to the 100-10-1 rule, today, in every large IT organization, you got 100 developers for every 10 IT operations professionals for every one security professional. It's impossible for the application security professionals to maintain governance over 100 software developers. If the old way of doing something like application security in this world where we're talking about infinite supply of opensource, needs to be automated with machine intelligence, it needs to be scalable early, everywhere, and throughout the entire development lifecycle, and unless it's not, you're going to basically get some of the benefit of opensource, but not all of the benefit of opensource. >> I want to push you a little bit in this, Matt, because, one might argue, and I'm going to be a little bit apocryphal here for a second, but one might argue that we also have an infinite supply of different types of bubblegum. And at the end of the day, one can say, "Well, do we need another bubblegum?" And we may or may not, and yet we do. So the reason why I'm bringing that up is I want to square the infinite supply, which I don't disagree with, with the idea that, certainly our clients, especially the big data side, are still concerned about the fact that they can't find tooling, or combinations of opensource tooling, that can help them with their use case. And so as you think about, one of the things that intrigued me about what your company does is the idea of to what degree can you start with a business problem, use that business problem to do some design work, and then based on that, start finding the tooling that will be most appropriate for solving the problem. >> Yeah, it's a great question, and I think it goes back to this idea of automation, let's just give a real world use case, this is one of many, but if the demand for speed and innovation is what shareholders, boards, and CEOs are looking for out of their IT organizations and their development teams, then the first thing you do, in the theory of constraints is you look for where is the friction, right? So theory of constraints basically points to something like the process inside of a large financial organization that involves a developer requesting approval for using an opensource component. How long does that take? How many people are involved in that process? How many hours, how many dollars? Does it have to be that hard? Or can you basically create policy, and define policy, and build, effectively, a firewall that then automatically governs the flow of opensource, healthy opensource components, into the development lifecycle? With no human intervention at pace, right? And that's the idea of what we're doing when we talk about scaling opensource innovation early, everywhere, and across the entire development lifecycle, it starts at the perimeter, the moment the development requests the opensource component for use, it has to be automated, you can't afford to take three months to approve it, he needs it now! >> So let me turn that around, and see if this is a service that you are providing, or actually could provide. Given that you probably visibility into a lot of the problems that the developer's trying to solve, and therefore, their ability to check opensource in and out from a variety of different sources, are you also gaining visibility in the types of stuff that people can't find, and making that information available to the world about, here's some of the places where the opensource world could step up and do perhaps a better job of delivering that software? And I'm specifically thinking of the big data universe, because there's so many, for example, I got a client, big financial institution, who is tearing his hair out right now trying to come up with some standard components for complex machine-learning pipelines. Real, real hard job, a lot of different tools, they work together at some level, but they're not solving the problem, 'cause they're more focused on solving each other project's problem. Am I making this? >> You are making a lot of sense, and you should introduce us to your friend, because we would love to have a conversation and talk exactly how it is that you can create prescriptive architectures with opensource components to remove friction back to the theory of constraints concept, I mean, this process of innovation has to flatten out, and we are very narrowly focused on one particular piece of that pipeline, and it is the making sure that the development organization is benefiting from all of the greatness that opensource has to offer, but none of the bad, and you have to do that with automation. >> So just really quick, John, for those of you who don't know, the theory of constraints, to a computer science person, looks like Amdahl's law. Speed up that which you do most frequently, for those of you who've ever done computer design. >> Herbie the Boy Scout. >> Exactly, so it's speed up the thing that is causing the most pain. >> Right, right, right. >> So the question I have for you this, okay, given what you guys do, which is a great service, cutting edge, it's in the devops wheelhouse, so, what is, in your opinion, the most important metric for your customer's success, vis a vis devops, okay, I'm in, I've been hearing about this cloud native thing and devops, we've got to change to Agile, we wrote a manifesto, we changed the organization, what is the important metric that you think they should look for for success? >> You know, there's a lot of metrics, there's no one answer, but I'll give you a really great one, since you mentioned Red Hat earlier. Red Hat is an amazing company that has probably done more for the evolution of opensource than anyone. They have a phenomenal track record of managing RHEL, the Red Hat Enterprise Linux stack, upstream and downstream, to the point where today, they publicly tell that the Red Hat Summit just recently in Boston, I think it's a day or two meantime to repair for a zero-day vulnerability. They understand the supply chain for RHEL extremely well, and from our perspective, we are trying to create the same type of hygiene for custom software development that RHEL has long practiced in support of Red Hat, Red Hat has long practiced in support of RHEL, and so meantime to repair, for example. If a zero-day vulnerability hits, do you have a software bill of materials? Are you wondering where that particular component is? Do you even have the component? How many applications in production are affected? I mean, this is a real-world scenario, just two weeks ago, with Struts 2, how many organizations are still working today to figure out the answer to that question? You'd be surprised, it takes organizations months-- >> Peter: But this is more than a library. >> This is more than a library. >> So explain why it's more than a library. >> Struts 2? >> No, what you're doing. >> What we're basically doing is imagining a software supply chain, so step back and imagine a world where you could build software applications the same way that Toyota builds cars. You have Deming's principles, which says you basically take and source the components or the parts from the fewer suppliers, and you source the absolute best parts, and you track and trace the location of those parts to every step of the supply chain all the way into production, so that Toyota recently had to conduct an orderly and effective recall for four million Takata airbags. Right? In software terms, the next time you're basically sitting on top of a zero day, you need the equivalent of that orderly effective recall so you can in a matter of minutes, not months, patch that vulnerability. >> Hence why you use Goldratt's theory of constraints, so in many respects, this is a digital supply chain tool? >> We believe it's software supply chain automation. >> What about digital? Can I also think about how digital objects can be included in that? Again, going back-- >> Containers? >> Going back to the big data notion? >> Yeah, absolutely, this is, supply chain theory is well understood in a physical goods world, certainly, if you look at how physical goods move through a supply chain, and you come to grips with what's happening in digital transformation today and the evolution of devops and the proliferation of opensource, continuous integration, continuous delivery, speed is king, it's all going in the direction of a supply chain. >> So, when you have so much bubblegum, as Peter said, after it loses its flavor, you get a new piece, right? So, same with software. Final question for you. You guys are doing well, I can imagine that operationally, as coming to operational as opensource, you're a key component there, and that seems like a good opportunity. How early are you on that operational progress? I mean, you just get started, you're making some money, which is good. >> To be frank-- >> You're the customer on the journey, in other words, people realize, "I got a operation on," so they're just doing it, not having a checks and balance. >> Our business is really interesting in the sense that product market fit for any young company can take quite a while, and we're fortunate enough to have a CEO who is remarkably patient and savvy and experienced, his name is Wayne Jackson, for anybody knows, here at the Cisco conference, he was previously the CEO of Sourcefire, so an interesting connection there, but patience is key, and we're being rewarded right now because all of the trends that you guys have already talked about here, and everything we've talked about at Cisco DevNet point to a simple fact, which is that software is key to how companies will compete and win in the future, and as long as that's true, they're going to be looking for ways to improve innovation. Right now, our business is early, we're still creating budget in some situations, but that's increasingly changing, and I would say that you should expect our business to continue to grow-- >> So people are operationalizing opensource, and they're getting serious about some of these things-- >> We're seeing budget now that we didn't see last year, for operationalizing the flow of opensource into a devops-- >> Final, final question, since I want to get your take on the show, Cisco's moves here into this world, obviously, a good move in our opinion, I'm sure you agree, risky for them, a good move, progress, what should they do next? Your thoughts and reaction to DevNet Create, 'cause man, they got DevNet, a growing, robust community of Cisco developers. DevNet Create, a new opportunity, what's your thoughts? >> I've learned a lot, I'm glad to be here, and just saw some things yesterday that make it very, very clear that DevNet Create and what Cisco's doing with it is a great move, I mean, my personal belief is that developers are king, and as you expose core services, network services to developers, an innovation happens, and value gets created, and so they've done so much at the network layer for so many years, and if they're now exposing that network sort of innovation to developers, it'll be exciting to see what kind of innovation happens. >> Matt, thanks for coming on theCUBE, really appreciate it, I'm glad we got you in, great to meet you last night, and congratulations on your startup that you're working with, and growth, and been around the industry a long time, you've seen a lot of waves, and appreciate the insight here on theCUBE, appreciate it. >> Appreciate you having me. >> Alright, we are live in San Francisco for exclusive coverage of Cisco's inaugural event DevNet Create, I'm John Furrier, Peter Burris, stay with us for more day two coverage after this short break. >> Hi, I'm April Mitchell, and I'm the Senior Director of Strategy and Planning for Cisco.