>> From the Silicon Angle Media Office in Boston Massachusetts, it's "The Cube." (groovy techno music) Now, here's your host, Dave Vellante. >> Hello, everyone. The rise of open source is really powering the digital economy. And in a world where every company is essentially under pressure to become a software firm, open source software really becomes the linchpin of digital services for both incumbents and, of course, digital natives. Here's the challenge, is when developers tap and apply open source, they're often bringing in hundreds, or even thousands of lines of code that reside in open sourced packages and libraries. And these code bases, they have dependencies, and essentially hidden traps. Now typically, security vulnerabilities in code, they're attacked after the software's developed. Or maybe thrown over the fence to the sec-ops team and SNYK is a company that set out to solve this problem within the application development life cycle, not after the fact as a built-on. Now, with us to talk about this mega-trend is Peter McKay, a friend of The Cube and CEO of SNYK. Peter, great to see you again. >> Good to see you, dude. >> So I got to start with the name. SNYK, what does it mean? >> SNYK, So Now You Know. You know, people it's sneakers sneak. And they tend to use the snick. So it's SNYK or snick. But it is SNYK and it stands for So Now You Know. Kind of a security, so now you know a lot more about your applications than you ever did before. So it's kind of a fitting name. >> So you heard my narrative upfront. Maybe you can add a little color to that and provide some additional background. >> Yeah, I mean, it's a, you know, when you think of the larger trends that are going on in the market, you know, every company is going through this digital transformation. You know, and every CEO, it's the number one priority. We've got to change our business from, you know, financial services, healthcare, insurance company, whatever, are all switching to digital, you know, more of a software company. And with that, more software equals more software risk and cybersecurity continues to be, you know, a major. I think 72% of CEOs worry about cybersecurity as a top issue in protecting companies' data. And so for us, we've been in the software in the security space for the four and a half years. I've been in the security space since, you know, Watchfire 20 years ago. And right now, with more and more, as you said, open source and containers, the challenge of being able to address the cybersecurity issues that have never been more challenging. And so especially when you add the gap between the need for security professionals and what they have. I think it's four million open positions for security people. So you know, with all this added risk, more and more open source, more and more digitization, it's created this opportunity in the market where you're traditional approaches to addressing security don't work today, you know? Like you said, throwing it over the fence and having someone in security, you know, check and make sure and finding all these vulnerabilities, and throw it back to developers to fix is very slow and something at this point is not driving to success. >> So talk a little bit more about what attracted you to SNYK early. I mean, you've been with the company, you're at least involved in the company for a couple years now. What were the trends that you saw, and what was it about SNYK that, you know, led you to become an investor and ultimately, CEO? >> Yeah, so four years involved in the business. So you know, I've always loved the security space. I've been in it for a number, almost 20 years. So I enjoy the space. You know, I've watched it. The founder, Guy Podjarny, one of the founders of SNYK, has been a friend of mine for 16 years from back in the Watchfire days. So we've always stayed connected. I've always worked well together with him. And so when you started, and I was on the board, the first board member of the company, so I could see what was going on, and it was this, you know, changing, kind of the right place at the right time in terms of developer first security. Really taking all the things that are going on in the security space that impacts a developer or can be addressed by the developer, and embedding it into the software into that developer community, in a way that developers use, the tools that they use. So it's a developer-first mindset with security expertise built-in. And so when you look at the market, the number of open source container evolution, you know, it's a huge market opportunity. Then you look at the business momentum, just took off over the past, you know, four years. That it was something that I was getting more and more involved in. And then when Guy asked me to join as the CEO, it was like, "Sure, what took you so long?" (Dave laughing) >> We had Guy on at Node JS Summit. I want to say it was a couple years ago now. And what he was describing is when you package, take the example of Node. When you package code in Node, you bring in all these dependencies, kind of what I was talking about there, but the challenge that he sort of described was really making it seamless as part of the development workflow. It seems like that's unique to SNYK. Maybe you could talk about-- >> Yeah, it is. And you know, we've built it from the ground up. You know, it's very difficult. If it was a security tool for security people, and then say, "Oh, let's adapt it for the developer," that is almost impossible. Why I think we've been so successful from the 400,000 developers in the community using Freemium to paid, was we built it from the ground up for developer, embedded into the application-development life cycle. Into their process, the look and feel, easy for them to use, easy for them to try it, and then we focused on just developer adoption. A great experience, developers will continue to use it and expand with it. And most of our opportunities that we've been successful at, the customers, we have over 400 customers. That had been this try, you know, start it with the community. They used the Freemium, they tried it for their new application, then they tried it for all their new, and then they go back and replace the old. So it was kind of this Freemium, land and expand has been a great way for developers to try it, use it. Does it work, yes, buy more. And that's the way we work. >> We're really happy, Peter, that you came on because you've got some news today that you're choosing to share with us in our Cube community. So it's around financing, bring us up to date. What's the news? >> Yeah so you know, I'd say four months ago, five months ago, we raised a $70 million round from great investors. And that was really led by one of our existing investors, who kind of knew us the best and it was you know, Excel Venture, and then Excel Growth came in and led the $70 million round. And part of that was a few new investors that came in and Stripes, which is you know a very large growth equity investor were part of that $70 million round said you know, preempted it and said, "Look it, we know you don't need the money, but we want to," you know, "We want to preempt. We believe your customer momentum," here we did, you know, five or six really large deals. You know, one, 700, seven million, 7.4 million, one's 3.5 million. So we started getting these bigger deals and we doubled since the $70 million round. And so we said, "Okay, we want to make money not the issue." So they led the next round, which is $150 million round, at a valuation of over a billion. That really allows us now to, with the number of other really top tier, (mumbles) and Tiger and Trend and others, who have been part of watching the space and understand the market. And are really helping us grow this business internationally. So it's an exciting time. So you know, again, we weren't looking to raise. This was something that kind of came to us and you know, when people are that excited about it like we are and they know us the best because they've been part of our board of directors since their round, it allows us to do the things that we want to do faster. >> So $150 million raise this round, brings you up to the 250, is that correct? >> Yes, 250. >> And obviously, an up-round. So congratulations, that's great. >> Yeah, you know, I think a big part of that is you know, we're not, I mean, we've always been very fiscally responsible. I mean, yes we have the money and most of it's still in the bank. We're growing at the pace that we think is right for us and right for the market. You know, we continue to invest product, product, product, is making sure we continue our product-led organization. You know, from that bottoms up, which is something we continue to do. This allows us to accelerate that more aggressively, but also the community, which is a big part of what makes that, you know, when you have a bottoms up, you need to have that community. And we've grown that and we're going to continue to invest aggressively and build in that community. And lastly, go to market. Not only invest, invest aggressively in the North America, but also Europe and APJ, which, you know, a lot of the things we've learned from my Veeam experience, you know how to grow fast, go big or go home. You know, are things that we're going to do but we're going to do it in the right way. >> So the Golden Rule is product and sales, right? >> Yes, you're either building it or selling it. >> Right, that's kind of where you're going to put your money. You know, you talk a lot about people, companies will do IPOs to get seen, but companies today, I mean, even software companies, which is a capital-efficient industry, they raise a lot of dough and they put it towards promotion to compete. What are your thoughts on that? >> You know, we've had, the model is very straightforward. It's bottoms up, you know? Developers, you know, there's 28 million developers in the world, you know? What we want is every one of those 28 million to be using our product. Whether it's free or paid, I want SNYK used in every application-development life cycle. If you're one developer, or you're a sales force with standardized on 12,000 developers, we want them using SNYK. So for us, it's get it in the hands. And that, you know, it's not like-- developers aren't going to look at Super Bowl ads, they're not going to be looking. It's you know, it's finding the ways, like the conference. We bought the DevSecCon, you know, the conference for developer security. Another way to promote kind of our, you know, security for developers and grow that developer community. That's not to say that there isn't a security part. Because, you know, what we do is help security organizations with visibility and finding a much more scalable way that gets them out of the, you know, the slows-down, the speed bump to the moving apps more aggressively into production. And so this is very much about helping security people. A lot of times the budgets do come from security or dev-ops. But it's because of our focus on the developer and the success of fixing, finding, fixing, and auto-remediating that developer environment is what makes us special. >> And it's sounds like a key to your success is you're not asking developer to context switch into a new environment, right? It's part of their existing workflow. >> It has to be, right? Don't change how they do their job, right? I mean, their job is to develop incredible applications that are better than the competitors, get them to market faster than they can, than they've ever been able to do before and faster than the competitor, but do it securely. Our goal is to do the third, but not sacrifice on one and two, right? Help you drive it, help you get your applications to market, help you beat your competition, but do it in a secure fashion. So don't slow them down. >> Well, the other thing I like about you guys is the emphasis is on fixing. It's not just alerting people that there's a problem. I mean, for instance, a company like Red Hat, is that they're going to put a lot of fixes in. But you, of course, have to go implement them. What you're doing is saying, "Hey, we're going to do that for you. Push the button and then we'll do it," right? So that, to me, that's important because it enables automation, it enables scale. >> Exactly, and I think this has been one of the challenges for kind of more of the traditional legacy, is they find a whole bunch of vulnerabilities, right? And we feel as though just that alone, we're the best in the world at. Finding vulnerabilities in applications in open source container. And so the other part of it is, okay, you find all them, but prioritizing what it is that I should fix first? And that's become really big issue because the vulnerabilities, as you can imagine, continue to grow. But focusing on hey, fix this top 10%, then the next, and to the extent you can, auto-fix. Auto-remediate those problems, that's ultimately, we're measured by how many vulnerabilities do we fix, right? I mean, finding them, that's one thing. But fixing them is how we judge a successful customer. And now it's possible. Before, it was like, "Oh, okay, you're just going to show me more things." No, when you talk about Google and Salesforce and Intuit, and all of our customers, they're actually getting far better. They're seeing what they have in terms of their exposure, and they're fixing the problems. And that's ultimately what we're focused on. >> So some of those big whales that you just mentioned, it seems to me that the value proposition for those guys, Peter, is the quality of the code that they can develop and obviously, the time that it takes to do that. But if you think about it more of a traditional enterprise, which I'm sure is part of your (mumbles), they'll tell you, the (mumbles) will tell you our biggest problem is we don't have enough people with the skills. Does this help? >> It absolutely-- >> And how so? >> Yeah, I mean, there's a massive gap in security expertise. And the current approach, the tools, are, you know, like you said at the very beginning, it's I'm doing too late in the process. I need to do it upstream. So you've got to leverage the 28 million developers that are developing the applications. It's the only way to solve the problem of, you know, this application security challenge. We call it Cloud Dative Application Security, which all these applications usually are new apps that they're moving into the Cloud. And so to really fix it, to solve the problem, you got to embed it, make it really easy for developers to leverage SNYK in their whole, we call it, you know, it's that concept of shift left, you know? Our view is that it needs to be embedded within the development process. And that's how you fix the problem. >> And talk about the business model again. You said it's Freemium model, you just talked about a big seven figure deals that you're doing and that starts with a Freemium, and then what? I upgrade to a subscription and then it's a land and expand? Describe that. >> Yeah we call it, it's you know, it's the community. Let's get every developer in a community. 28 million, we want to get into our community. From there, you know, leverage our Freemium, use it. You know, we encourage you to use it. Everybody to use our Freemium. And it's full functionality. It's not restricted in anyway. You can use it. And there's a subset of those that are ready to say, "Look it, I want to use the paid version," which allows me to get more visibility across more developers. So as you get larger organization, you want to leverage the power of kind of a bigger, managing multiple developers, like a lot of, in different teams. And so that kind of gets that shift to that paid. Then it goes into that Freemium, land, expand, we call it explode. Sales force, kind of explode. And then renew. That's been our model. Get in the door, get them using Freemium, we have a great experience, go to paid. And that's usually for an application, then it goes to 10 applications, and then 300 developers and then the way we price is by developer. So the more developers who use, the better your developer adoption, the bigger the ultimate opportunity is for us. >> There's a subscription service right? >> All subscription. >> Okay and then you guys have experts that are identifying vulnerabilities, right? You put them into a database, presumably, and then you sort of operationalize that into your software and your service. >> Yeah, we have 15 people in our security team that do nothing everyday but looking for the next vulnerability. That's our vulnerability database, in a large case, is a lot of our big companies start with the database. Because you think of like Netflix and you think of Facebook, all of these companies have large security organizations that are looking for issues, looking for vulnerabilities. And they're saying, "Well okay, if I can get that feed from you, why do I have my own?" And so a lot of companies start just with the database feed and say, "Look, I'll get rid of mine, and use yours." And then eventually, we'll use this scanning and we'll evolve down the process. But there's no doubt in the market people who use our solution or other solution will say our known the database of known vulnerabilities, is far better than anybody else in the market. >> And who do you sell to, again? Who are the constituencies? Is it sec-ops, is it, you know, software engineering? Is it developers, dev-ops? >> Users are always developers. In some cases dev-ops, or dev-sec. Apps-sec, you're starting to see kind of the world, the developer security becoming bigger. You know, as you get larger, you're definitely security becomes a bigger part of the journey and some of the budget comes from the security teams. Or the risk or dev-ops. But I think if we were to, you know, with the user and some of the influencers from developers, dev-ops, and security are kind of the key people in the equation. >> Is your, you have a lot of experience in the enterprise. How do you see your go to market in this world different, given that it's really a developer constituency that you're targeting? I mean, normally, you'd go out, hire a bunch of expensive sales guys, go to market, is that the model or is it a little different here because of the target? >> Yeah, you know, to be honest, a lot of the momentum that we've had at this point has been inbound. Like most of the opportunities that come in, come to us from the community, from this ground up. And so we have a very large inside sales team that just kind of follows up on the inbound interest. And that's still, you know, 65, 70% of the opportunities that come to us both here and Europe and APJ, are coming from the community inbound. Okay, I'm using 10 licenses of SNYK, you know, I want to get the enterprise version of it. And so that's been how we've grown. Very much of a very cost-effective inside sales. Now, when you get to the Googles and Salesforces and Nordstroms of the world, and they have already 500 licenses us, either paid or free, then we usually have more of a, you know, senior sales person that will be involved in those deals. >> To sort of mine those accounts. But it's really all about driving the efficiency of that inbound, and then at some point driving more inbound and sort of getting that flywheel effect. >> Developer adoption, developer adoption. That's the number one driver for everybody in our company. We have a customer success team, developer adoption. You know, just make the developer successful and good things happen to all the other parts of the organization. >> Okay, so that's a key performance indicator. What are the, let's wrap kind of the milestones and the things that you want to accomplish in the next, let's call it 12 months, 18 months? What should we be watching? >> Yeah, so I mean it continues to be the community, right? The community, recruiting more developers around the globe. We're expanding, you know, APJ's becoming a bigger part. And a lot of it is through just our efforts and just building out this community. We now have 20 people, their sole job is to build out, is to continue to build our developer community. Which is, you know, content, you know, information, how to learn, you know, webinars, all these things that are very separate and apart from the commercial side of the business and the community side of the business. So community adoption is a critical measurement for us, you know, yeah, you look at Freemium adoption. And then, you know, new customers. How are we adding new customers and retaining our existing customers? And you know, we have a 95% retention rate. So it's very sticky because you're getting the data feed, is a daily data feed. So it's like, you know, it's not one that you're going to hook on and then stop at any time soon. So you know, those are the measurements. You look at your community, you look at your Freemium, you look at your customer growth, your retention rates, those are all the things that we measure our business by. >> And your big pockets of brain power here, obviously in Boston, kind of CEO's prerogative, you got a big presence in London, right? And also in Israel, is that correct? >> Yeah, I would say we have four hubs and then we have a lot of remote employees. So, you know, Tel Aviv, where a lot of our security expertise is, in London, a lot of engineering. So between London and Tel Aviv is kind of the security teams, the developers are all in the community is kind of there. You know, Boston, is kind of more go to market side of things, and then we have Ottawa, which is kind of where Watchfire started, so a lot of good security experience there. And then, you know, we've, like a lot of modern companies, we hired the best people wherever we can find them. You know, we have some in Sydney, we've got some all around the world. Especially security, where finding really good security talent is a challenge. And so we're always looking for the best and brightest wherever they are. >> Well, Peter, congratulations on the raise, the new role, really, thank you for coming in and sharing with The Cube community. Really appreciate it. >> Well, it's great to be here. Always enjoy the conversations, especially the Patriots, Red Sox, kind of banter back and forth. It's always good. >> Well, how do you feel about that? >> Which one? >> Well, the Patriots, you know, sort of strange that they're not deep into the playoffs, I mean, for us. But how about the Red Sox now? Is it a team of shame? All my friends who were sort of jealous of Boston sports are saying you should be embarrassed, what are your thoughts? >> It's all about Houston, you know? Alex Cora, was one of the assistant coaches at Houston where all the issues are, I'm not sure those issues apply to Boston, but we'll see, TBD. TBD, I am optimistic as usual. I'm a Boston fan making sure that there isn't any spillover from the Houston world. >> Well we just got our Sox tickets, so you know, hopefully, they'll recover quickly, you know, from this. >> They will, they got to get a coach first. >> Yeah, they got to get a coach first. >> We need something to distract us from the Patriots. >> So you're not ready to attach an asterisk yet to 2018? >> No, no. No, no, no. >> All right, I like the optimism. Maybe you made the right call on Tom Brady. >> Did I? >> Yeah a couple years ago. >> Still since we talked what, two in one. And they won one. >> So they were in two, won one, and he threw for what, 600 yards in the first one so you can't, it wasn't his fault. >> And they'll sign him again, he'll be back. >> Is that your prediction? I hope so. >> I do, I do. >> All right, Peter. Always a pleasure, man. >> Great to see you. >> Thank you so much, and thank you for watching everybody, we'll see you next time. (groovy techno music)

>> From the Silicon Angle Media Office, in Boston Massachusetts, it's theCUBE. Now, here's your host Dave Vellante. >> Hi everybody, welcome to this breaking analysis where we try to provide you some insights on theCUBE. My name is Dave Vellante. I'm here with Jim Kobielus who was up today, and Jim we were just off of the VMworld 2019. Big show, lot of energy, lot of announcements. I specifically want to focus on containers and the impact that containers are having on VMware, specifically the broader ecosystem and the industry at large. So, first of all, what was you take on VMworld 2019? >> Well, my take was that VMware is growing fast, and they're investing in the future, which is fairly clearly cloud and native computing on containers with Kubernetes and all that. But really that's the future and so, what VMware is doing is they're making significant bets that containers will rule the roost in cloud computing and application infrastructures going forward. But in fact virtual machines, VMs hypervisors are hotter than ever and that was well established last week by the fact that the core predominate announcement last week was a VMware Tanzu, which is not yet a production solution, but is in a limited preview, which is the new platform for coexistence of containers and vSphere. A container run time embedded in vSphere, so that customers can run containers in a highly-iso workloads, in a highly isolated VM environment. In other words, VMware is saying, we're saying to their customers, "You don't have to migrate away from VMs "until you're good and ready. "You can continue to run whatever containers "you build on vShpere, "but we more than encourage you to continue to run VMs "until you're good and ready "to migrate, if ever." >> All right. So, I want to come back and unpack that a little bit, but does your data, does your analysis, when you're talking to customers and the industry at large, is there any evidence from what you see that containers are hurting VMware's business? >> I don't get any sense that containers are hurting VMware's business. I get the strong sense that containers, they've just of course acquired Pivotal, a very additive to the revenue mix at VMware. And VMware, most of their announcements last week were in fact all around Kubernetes, and containers, and products that are very much for those customers who are going deep down the container road. >> So that was a setup question. >> You've got lots of products for them. >> So that was a setup question. So I have some data on this. >> Go ahead >> Right answer. So, I want to show you this. So, Alex, if you wouldn't mind bringing up that slide. And we shared this with you last week when we were prepping for VMworld. This is data from Enterprise Technology Research ETR, and they have a panel of 4500 end user customers that they go out and do spending surveys with them. So, what this shows is, this is container customers spending on VMware. So, you can see it goes back to early January. Now it's a little deceiving here. You see that big spike, but what it shows it that, A, that big spike is the number of shared customers. So, you really didn't have many customers back then that were doing both containers and VMware that ETR found. But as the N gets bigger, 186, 248, 257, 361, across those 461 customers, those are the shared customers in the green. And you can see that it's kind of a flat line. It's holding very well in the high 30's percent range, which is their sort of proprietary metric. So, there's absolutely no evidence, Jim, that containers, thus far anyway, are hurting VMware's business. Which of course was the narrative, containers are going to kill VMware, no evidence of that. But then why would they acquire Pivotal? Are they concerned about the future, what's your-- >> Well, they're concerned about cross selling their existing customer base who are primarily on V's, fearing the hypervisors, cross selling them on the new world of Kubernetes base products for cloud computing, and so forth and so on. In other words it's all about how do they grow their revenue base? VMware's been around for more than 20 years now. They rule the roost on the hypervisors. Where do they go from here, in terms of their product mix? Well, Kubernetes and beyond that, things like serverless will clearly be in the range of the things that they could add on. Their customers could add on to their existing deploys. I mean, look at Pivotal. Pivotal has a really strong Kubernetes distribution, which of course VMware co-developed with them. Pivotal also has a strong functions as a service backplane, the Pivotal function service for, serverless environments. So, this acquisition of Pivotal very much positions VMware to capitalize on those opportunities to sell those products when that market actually develops. But I see some evidence that virtual machines are going like gang busters in terms of customer deployments. Last week on theCUBE at VMworld, Mark Lohmeyer who's an SVP at a VMware for one of their cloud business unit, said that in the last year, for example, customers who are using a VMware cloud on AWS, VMware grew the customer base by 400% last year, and grew the number of VMs running in VMware, cloud, and AWS by 900%, which would imply that on average each customer more than doubled the number of VMs they're running on that particular cloud service. That means VMs are very much relevant now, and probably will be going forward. And why is that? That's a good question, we can debate that. >> Well, so the naysayers at VMworld in the audience were tweeting that, "Oh, I though we started Pivotal. "We launched Pivotal so that we didn't have to run VMs on, "or run containers on VMs, "so we could run them on bare metal." Are people running containers on virtual machines? >> Well, they are, yes. In fact, there's a broad range of industry initiatives, not just Tanzu at VMware, to do just that. To run containers on VMs. I mean, there is the KubeVirt, open source project over at CNCF, that's been going for a couple years now. But also, Google has Gvisor, Intel has the Kata containers initiative, I believe that there are a few others. Oh yeah, AWS with Firecracker, last year's reinvent. All this would imply, strongly indicate that these large cloud and tech vendors wouldn't be investing heavily into convergence of containers and VMs and hypervisors, if there weren't a strong demand from customers for hybrid environments where they're going to run both stacks as it were in parallel, why? Well, one of the strong advantages of VMs is workload isolation at the hardware level, which is something that typically container run times don't offer. For example, the workload isolation seems to be one of the strong features that VMware's touting for Tanzu going forward. >> So, VMware is--the centerpiece of VMware's strategy is obviously multicloud, Kubernetes as a lynch pin to enable running applications on different platforms. Will, in your opinion, and of course VMware is hard core enterprise, right? Will VMware, two things, will they be able to attract the developers, number one. And number two, will those developers build on top of VMware's platform or are they going to look to their cloud? >> That's a very important question. Last week at VMworld, I didn't get a sense that VMware has a strong developer story. I think that's a really open issue going forward for them. Why would a developer turn to VMware as their core solution provider when they don't offer a strong workbench for building these hybridized VM, /container/serverless applications that seem to be springing up all over? AWS and Microsoft and Google are much stronger in that area with their respective portfolios. >> So, I guess the obvious answer there is Pivotal is their answer to the developer quandary. >> Yes. >> And so, let's talk about that. So, Pivotal was struggling. I talked last week in my analysis, you saw the IPO price and then it dipped down, it never made it back up. Essentially the price that VMware paid the public shareholders for Pivotal was about half of it's initial IPO price, so, okay. So, the stock was struggling, the company didn't have the kind of momentum that, I think, that it wanted, so VMware picks it up. Can VMware fold in Pivotal, and use its go-to-market, and its largess to really prop up Pivotal and make it a leader? >> Well, possibly because Cloud Foundry, Pivotal Cloud Foundry could be the lynch pin of VMware's emerging developer story, if they position in that and really invest in the product in that regard. So yeah, in other words this could very much make VMware a go-to-vendor for the developers who are building the new generation of applications that present serverless functional interfaces, but will have containers under the cover, but also have VMs under the cover providing strong workload isolation in a multi-tenant environment. That would be the promise. >> Now, a couple things. You mentioned Microsoft, of course as you're in the clouding, and Google. The ETR data that I dug into when I wanted to understand, better understand multicloud. Who's got the multicloud momentum? Well, guess who has the most multicloud momentum? It's the cloud guys. Now, AWS doesn't specifically say they participate in multicloud. Certainly their marketing suggest that multicloud is for somebody else, that really they want to have uni-cloud. Whereas Google, and as you're kind of embracing multicloud and Kubernetes specifically, now of course AWS has a Kubernetes offering, but I suspect it's not something that they want to promote hard in the market place because it makes it easier for people to get off of AWS. Your thoughts on multicloud generally, but specifically Kubernetes, and containers as it relates to the big cloud providers. >> Yeah, well my thoughts on multicloud generally is that multicloud is the strategy of the second tier cloud vendors, obviously. If they can't dominate the entire space, at least they can maintain a strong, provide a strong connective tissue for the clouds that actually are deployed in their customer's environments. So, in other words, the Ciscos of the world, the VMwares of the world, IBM. In other words, these are not among the top tier of the public cloud players, hence where do they go to remain relevant? Well, they provide the connective tissue, and they provide the virtualized networking backbones, and they provide the AI ops that enables end-to-end automated monitoring management of the entire mesh. The whole notion of a mesh architecture is something that grew up with IBM and Google for lots of reasons, especially due to the fact that they themselves, as vendors, didn't dominate the public cloud. >> Well, so I agree with you. The only issue I would take is I think Microsoft is a leader in public cloud, but because it has a big On-Prem presence, it's in its best interest to push containers and Kubernetes, and so forth. But you're right about the others. Cisco doesn't have a public cloud, VMware doesn't have a public cloud, IBM has a public cloud but it's really small market share, and so it's in those companies, and Google is behind, but it's in those companies best interest really to promote multicloud, try to use it as a bull work against AWS, who's got an obviously awesome market momentum. The other thing that's interesting in the ETR data when I poke in there, it seems like there are more people looking at Google. Now maybe that's 'cause they have such strong strength in data and analytics, maybe it's 'cause they're looking for a hedge on AWS, but the spending data suggests that more and more people are kicking the tires, and more than kicking the tires on Google. Who of course is obviously behind Kubernetes and that container movement, and open source, your thoughts? >> Yeah, well, many ways, you have to think, that Google has developed the key pieces of the new stack for application development in the multicloud. Clearly they developed Kubernetes, its open source, and also they developed TensorFlow open sources, it's the predominant AI workbench essentially for the new generation of AI driven applications, which is everything. But also, if you look at Google developed Node JS for web applications and so forth. So really, Google now is the go-to-vendor for the new generation of open source application development, and increasingly DevOps in a multicloud environment, running over Istio meshes and so forth. So, I think that's, so, look at one of the announcements last weekend at VMworld. VMware and NVIDIA, their announcement of their collaboration, their joint offering to enable AI workloads, training workloads to run in GPUs in an optimal high performance fashion within a distributive of VMware cloud end-to-end. So really, I think VMware recognizes that the new workloads in the multicloud are predominately, increasingly AI workloads. And in order to, as the market goes towards those kinds of workloads, VMware very much recognizes they need to have a strong developer play, and they do with NVIDIA in a sense. Very much so because NVIDIA with the rapid framework and so forth, and NVIDIA being the predominant GPU vendor, very much is a very strategic partner for VMware as they're going forward, as they hope to line up the AI developers. But Google still is the vendor to beat as regards to AI developers of the world, in that regard, so-- >> So we're entering a world we sometimes call the post-virtual machine world. John Furrier is kind of tongue and cheek on a play on web tudauto. He calls it cloud tudauto, which is a world of multiple clouds. As I've said many times, I'm not sure multicloud is necessarily a coherent strategy yet as opposed to sort of a multi-vendor situation, Shadow IT, >> Yes. >> Lines on business, et cetera. But Jim, thanks very much-- >> Sure. >> For coming on and breaking down the container market, and VMworld 2019. It was great to see you. >> Likewise. >> All right, thank you for watching everybody. This is Dave Vellante with Jim Kobielus. We'll see you next time on theCUBE. (upbeat music)

>> Announcer: Live from Las Vegas. It's the Cube. Covering VMWorld 2017 brought to you by VMWare. And its ecosystem partners. (techno music) >> Okay welcome back everyone we are live here in Las Vegas for VMWorld 2017. We are on the floor. I'm John Furrier with the Cube with Dave Vellante our next guest is Juan Vega director ready solutions product manager for Dell EMC. Welcome to the Cube. >> Thank you. For my first time, really looking forward to it. >> Okay first what's ready solutions mean? >> So ready solutions are literally a bunch of services that we apply to infrastructure to help build confidence, convenience, and a better customer experience. For folks who are consuming a do-it-yourself, who want to take a do-it-yourself approach to converge systems or SDDS. >> John: So I got the button that says Node-a-Rama. What does that that button? >> Node-a-Rama well, we're launching a bunch of nodes this year right. We have a lot of nodes that we're putting out there for a variety of workloads including vSAN right and with vSAN we're introducing 14 G technology to this you know this show. We just launched it recently and we're bringing lots of new performance technologies in that 14 G space. It'll help a bunch with software defined storage. >> Node-a-Rama, John likes developers, he thought it was node JS or something, he was getting excited. So I wonder if you could talk to something that we've been addressing all week here on the Cube. You see in VM Ware's results a lot of momentum and it's not just, doesn't look like it's a one quarter, I mean three quarters of growth appears to be some momemtum. The AWS deal sort of clarified for customers the Cloud strategy and I think the other piece that we've been talking about is the reality that customers have that you're not able to reform their business and stick it in the Cloud. They're really trying to take the Cloud model and bring it to their data and in order to do that they need simplification. So first of all do you buy that and what are you guys doing to facilitate that? >> I absolutely buy it. I mean if I look at Dell EMC's capabilities across the spectrum right, there's a broad variety of services that we can offer a customer to help them adopt that technology right. We call it sort of absorbing their tech debt as it were. And we can do that from very basic do-it-yourself hardware infrastructure right all the way up through you talked to Colin earlier today and we talked about VxRail and VxRack. We're actually providing sort of life cycle management for those environments. With ready nodes and ready bundles, between those two. There's a little bit more service, a little bit more confidence, a little bit more convenience, a little faster time to value right, on that infrastructure, without really moving the customer to a, an environment where we manage it for them. >> Okay and so why do you need to do that you know? I though VMWare was so simple, push a button and go. Talk about sort of how you're closing that gap. >> It can be simple and once you're in the virtualization layer it absolutely is simple but there's a relationship between the virtualization layer and the hardware that has to be maintained. So why is there an HCL right? Why is, why do we that? Because there's a known relationship between that software and that hardware that enables that virtualization. We're making that easier and easier for customers all the time. >> And virtualization does not equate to Cloud. >> Juan: Of course. >> So how do you look at Cloud. How do you sort of, I don't want to get into what do you define as Cloud but, at what point do customers say yes, this is a viable alternative for me to attack my IT labor problem, to for me to tick the box with my management that I'm you know cutting cost. You know et cetera, what are those attributes that you are driving toward that you see customers demanding today? >> Well I see that space evolving right. And the part that we're focusing on ready nodes, is really focused on that software defined storage component. So as that piece of the puzzle evolves, all right we're trying to remove complexity in that environment right. Go back to that ability to confidently present you with a hardware solution that is absolutely adapted for that software environment. Make it faster time to value so that it's showing up pre-configured with services that help you enable that environment more quickly right and then should something need to be done, you know downstream, say a drive fails or whatever right, we can provide a better support experience by contextualizing that hardware in that environment. So it's a space for customers who are still very much doing it themselves, very much building their own environment right in the software defined storage space. But we're providing a set of services that increase that confidence for them right and make it more convenient, give them a better experience. >> It's interesting you know, this is our eighth VM World. Dave and I have been here since 2010. It's been great run, thank everyone for watching the Cube, we love coming every year. But it's been interesting watching the journey. Software defined data center, the hype was what five years ago? Maybe four years ago. But now it's reality. NSX is baked in there, crown jewel. Crowd native coming in over the top. vSAN has been like this rising star. Server SAN from Wikibon has crushed it on the research side. But I got to ask you, now we're hearing customers deploy new use cases under digital transformation that merged software stacks with hardware stacks. What is the biggest challenge that customers have 'cause they want more vSAN. How are you guys helping customers get more vSAN and what are some of the key challenges that you guys solve. >> Well I think there's a couple things that we're doing. First of all we're enabling a very broad set of hardware including cutting edge technologies that are helping them improve the performance, improve the reliability of their implementations in this space. So today we're looking at six different hardware platforms with about 15 different configurations on the HCL and we're expanding that this month significantly. All of those can be delivered. >> John: On the hardware side. >> On the hardware side. >> Okay got it. >> All those can be delivered in a way that they fit seamlessly into a data center environment that's deploying software defined storage. So, I think helping them simplify that is really how we're trying to make this more of a reality and Dell has always brought strong operationalization to any customer we worked with. >> So I got to ask you on the software side, again software's eating the world, Wikibon's true private Cloud report really validating a lot of the success that vSAN's having. I mean all the actions on premise. Transforming the Cloud operating model which is to be more agile. What is the key software piece of it because now you've got DevOps, the Cloud native side saying hey infrastructure is code. I want you to run invisible. The Ops guys saying wait a minute, we got hardware stacks, you got software stacks, they got to come together. >> Absolutely, so our open manage enterprise solution is our software connection for helping manage that hardware in the vSan vCenter environment. And it allows them to actually move all of the controls for updating and managing that system into one pane of glass which is their vSAN vCenter pane of glass. And so we're really trying to help drive that automation, enable that capability for the do-it-yourself customer. Now if the customer wants to have significantly less tech debt then we're happy to talk to them about VxRail and VxRack where we start adding more management software capabilities to help drive an even better experience. >> One more thing you mentioned tech debts. I want to get that on the table. Real issue is technology debt meaning trying to move faster, take some short cuts or you know move the needle too fast. What are some of the technical debts that customers are getting into and where's, what's good technical debt and what's a bad technical debt? >> Oh that's a tough question. I think that in terms of good, of bad technical debt, let's start there right. Anything is going to be sort of routine, spread across lots of different customers within a base that could be off, offloaded to a service provider who can provide that sort of scale is bad technical debt. So things like driver updates, managing your HCL, paying attention to how to go about replacing a hard drive in a server that's gone down in a node. Right those are sort of bad technical debt. You shouldn't be wasting your resources that are focused on your business outcomes on that sort of technical debt. And even at our most basic level, the ready node, we're starting to provide that level of service to the customer. And I think we advance that even more as we get into our rails and racks. In terms of good technical debt, yet to be determined but I would suspect that a lot of that has to do with developing the code. >> John: Debt you can pay back. >> Right, that you can pay back. >> As I tell Dave, we don't want to take on too much debt and then can't pay it back. We'll be bankrupt. >> And that's the sort of code that's directly tied to your environment right. So for example all of the AI infrastructure that they were building in the keynote today for the pizza company right. That's a good example of I'm developing code that's intellectual property for my business, that's good technical debt. I'm going to pay it off. Gives me a competitive advantage. >> That you could use. >> Exactly right. >> Dave: To pay off the... >> Precisely. >> The investments that you've made. So you, you're a disrupter of sets. I mean you've got John talked about the server SAN. We, it's something we published years ago. And basically you're disrupting an install base that you guys own. Right? >> Sounds like a story I heard a long time ago when virtualization first came on the scene. Oh we're going to be running out of servers. That didn't happen, we're selling more servers than we ever have. >> Oh yeah not that you'll stop selling but you, you've got this massive install base and you're essentially, where appropriate migrating that install base to a new way. >> Of course. >> I wonder if you could talk about that dynamic and what those customer conversations are like. >> Well I think it's important to us to be a trusted advisor to our customers. It's always been Dell's sort of way of doing business right. We roll up our sleeves and we get to work with you. So as this transition is applying, is happening to the industry, I think it's up to us to provide those kind of you know feet on the street services that make it easier for customers to absorb and deal with that transition right. And again I know I sound like the broken record here but it's about helping them have confidence that as they move into this transition, they're not having to deal with all the vagaries of mismatched hardware and software incompatibilities. It's about being able to get faster time to value because we did some of the basic steps like pre-configuring that system so it's just ready to go right. >> And what about workloads? How do you see those evolving? 'Cause that's one piece is simplification and you know tacking the IT labor problem with non-differentiated patching and other stuff. The bad technical debt you guys were talking about. What about workloads, what are you seeing emerge in terms of the types of workloads that have an affinity to these types of systems. >> Well I think you know we heard Chad talk earlier about how the network was becoming sort of the bottleneck right. And I think that we're seeing more and more storage, workloads with an affinity for storage moving into the Cloud space, right into the converted space as that technology begins to evolve. And we're seeing things like the new NVME drives in our 14 G servers. All right we have six X the capacity that we had before which means applications, workloads that have a storage affinity are able to actually start moving into this more, I know you'd only use the work virtualized, but this more software defined space. >> Right. >> All right bottom line if a customer's ready node, you guys are doing some good stuff, vSAN's hot, Gelsinger said the world's going to get much faster, today's the slowest day of your life going forward, or something along those lines. There's the implying that it's going to get pretty crazy. Peter Burris head of research for Wikibon.com said the whole computer industry's been turned upside down, it's going to be landing on the table and it's going to re-sort itself out. When you deal with customers, how, what's that conversation like because they're scrambling to lock down their true private Cloud on on premise. They see hybrid Cloud as that pathway to multi Cloud. That's their end stage but right now they got to take care of business at home. That's like cleaning up their own house in IT, what are some of those conversations when that kind of disruption, chaos, complexity. >> Sure, I think everyone's looking for a little bit more of that confidence right and the whole relationship with their supply chain. We're doing it, our customers are doing it and every time we have that conversation with them it basically boils down to what can you do for me that is going to make it easier for me to deal with this transition. How can I trust that these-- >> So ease of use. Is a big thing. >> Juan: I'm sorry? >> Ease of use. Pretty big deal? >> Not just ease of use, but trust that I'll be supported downstream right. So a ready node builds that for example into its value proposition. We want to make sure that you understand that downstream we know what you're using it for and we're able to help you in that context and that's a real key example of how I think we help build that trust with our customers. >> Michael Dell, final question for you talk about just really, final question for you is that Michael Dell was mentioning the technology synergy between Dell technologies cross the portfolio including VMWare. So the question for you is what are some of the synergies that you guys are getting with VMWare? How does that put it to motion? >> Sure, there are several actually. We've done a lot of our development work in the VxRail space around management in conjunction with VMWare. I think that the evolution of the software defined space is being driven by them and we're happy to participate in it in every way we can. So I think there's a lot of, a lot of development and tech support opportunities that we're finding in that relationship. >> So positive outcomes you guys are having a good time. Certainly VMWare's doing great. Good to see Pat Gelsinger on the upslope in terms of stock prices up over a hundred and four. As of yesterday, I haven't even checked what it was today but certainly clarity in the community, clarity in the ecosystem, clarity in the product. Cloud and IoT Edge. I mean the wave slide is pretty much baked at this point. >> Yup. >> And execution. >> And I'm excited to see Dell EMC having a presence across that whole breadth. >> Yeah Dave was commenting it seems like that new Dell technologies is much more sanity now in the community, it's all sorted out. Looking good, congratulations. >> Thank you, thank you very much. >> Juan Vega director, ready solutions with Dell EMC's product management. He's the product czar. Thanks for spending the time. It's the Cube coverage live here at VMWorld 2017, day two of three days of wall to wall coverage. Be right back with more after this short break. (techno music)

>> Hey welcome back everybody, Jeff Frick here with theCUBE. We are in downtown San Francisco at the Mission Bay Convention Center at Node Summit 2017. We've been coming to Node Summit off and on for a number of years. And it's pretty amazing, the growth of this application for development. It really seems to take off. There's about 800 or 900 people here. It's kind of the limits of the facility here at Mission Bay. But we're really excited to be here. And it's not surprising to have me see Intel is here in full force. Our first guest is Monica Ene-Pietrosanu. And she is the Director of Software Engineering for Intel, welcome. >> Thank you, hello, and thank you very much for inviting me. It's definitely exciting to be here. Node is this dynamic community that grows in one year, like others can. So it's always exciting to be part one of these events. And present about the work we are doing for Node. >> So you're on a panel later on Taking Benchmarking to the Next Level. So what is that all about? >> That is part of the work we are doing for Node. And I want to mention here the word stewardship. Intel is a long time contributor in the open source communities. And has assumed a performance leadership in many of these communities. We are doing the same for Node. We are driving, we are trying to be a steward for the performance in OJS. And what this means, is we are watching to make sure that every check in that happens, doesn't impact performance. We are also optimizing Nodes, so it give the best of the hardware, Node runs best on the newest hardware that we have. And also, we are developing, right now new measures, new benchmarks which better reflect the reality of the data center use cases. The way your Node is getting used in the Cloud. The way Node is getting used in the data center. There are very few ways to measure that today. And with this fast development of the ecosystem, my team has also taken this role of working with the industry partners and coming up with realistic measures for the performance. >> Right, so these new benchmarks that you're defining around the capabilities of Node. Or are you using old benchmarks? Or how are you kind of addressing that challenge? >> We started by running what was available. And most of the benchmarks were quite, let's say, isolated. They were focused on single Node, one operation, not realistic in terms of what the measurements were being done for the data center. Especially, in the data center everything is evolving. So nothing is just running with one single computer. Everything is impacted by network latencies. We have a significant number of servers out there. We have multiple software components interacting. So it's way more complex. And then you have containers coming into the picture. And everything makes it harder and harder to evaluate from the performance perspective. And I think Node is doing a pretty good job from the performance perspective. But who's watching that it stays the same? I think performance is one of those things that you value when you don't have it, right? Otherwise you just take it as granted, like it's there. So, my team at Intel is focused on top tier scripting languages. We are part of this larger software organization called Software and Services Group. And we are, right now, optimizing and writing the performance for Python, No-gs, PHP HHVM, and for some of the top tier languages used in the data centers. So Node is actually our interesting story in terms of evolution. Because we've seen, also, an extraordinary growth. We've seen, it's probably the one who's doubled for the past three years. The community has doubled. Everything has doubled for Node, right? Even, the number of commits, it depends on which statuses you look-- >> They're all up and to the right, very steep. >> Yeah, so then it's a very fast progress which we need to keep pace with. And one thing that is important for us is to make sure that we expose the best of our hardware to the software. With Node that is taking an interesting approach. Because Node is one of, what we called CPU front end bounce. It's having a large footprint. It's one of the largest footprint applications that we've seen. And for this we want to make sure that the newest CPUs we bring to market are able to handle it. >> I was just going to say, they have Trevor Livingston on it from HomeAway. Kicked off things today. We're talking about the growth. He said a year ago, they had one Node JS project. And this is a big site that competes with, like, Air B&B. That's now owned by Expedia. Now they say, he said, they had, "15 projects in production. "22 almost in production, and 75 other internal projects." In one year, from one. So that shows pretty amazing growth and the power of the application. And from Intel's point of view, you guys are all in on cloud. You're all in on data centers. You've all seen all the adds. So you guys are really, aggressively taking on the optimization, for the unique challenges and special environment that is Cloud. Which is computing everywhere, computing nowhere. But at the end of the day, it's got to sit on somebody's servers. And there's got to be a CPU in the background. So you look at all these different languages. Why do you think Node has gone so crazy? >> I think there are several reasons. And my background is a C++ developer, coming and security. So coming into the Node space, one thing amazed me. Like, only 2% of the code is yours, when you write an application. So that is like-- >> Jeff: 2%? >> So where is the other 98% coming from? Or it's already pre developed. It's an ecosystem, you just pull in those libraries. So that's what brings, in addition to the security risks you have. It brings a fantastic time to market. So it enables you as the developer to launch an application in a matter of days, instead of months or a year. So time to market is an unbeatable proposition. And I think that's what drives this space. When you need to launch new applications faster and faster, and upgrade. For us, that's also an interesting challenge. Because we have, our super road maps are not days, right? Are years? So what we want to make sure is that we feed back into the CPU road map the developments we are seeing into this space. I have on my team, I have several principal engineers who are working with the CPU architects to make sure that we are continuously providing this information back. One thing I wanted to mention is, as you probably know, since you've been talking to other Intel people, we've been launching recently, the latest generation server, Skylake. And on this latest generation Nodes. So all the Node workloads we've been optimizing and measuring. So one point five x performance improvement, from the prior generation. So this is a fantastic boost. And this doesn't happen only from hardware. It happens from a combination of hardware and software. And we are continuing to work now with the CPU architects to make sure that the future generation also keeps space with the developments. >> It's interesting, kind of the three horsemen of computing, if you will, right? There's compute, there's store, and there's IO. And now we're working, and it's interesting that Ryan Dahl, it's funny, they brought up Ryan Dahl. We interviewed him back at the Node JS, I think back in 2011? Still one of our most popular segments on theCUBE. We do thousands of interviews a year. He's still one of the most popular. But to really rethink the IO problem, in this asynchronous form, seems to be just another real breakthrough that opens up all types of capacity in compute and store. When you don't have to sit and wait. So that must be another thing that you guys have addressed from coming from the hardware and the software perspective? >> You are right on spot, because I think Node, comparing to other scripting languages brings more into the picture, the whole platform. So it's not only a CPU. It's also a networking. It's also related to storage. Also, it makes the entire platform to shine if it's optimized to the right capability. And we've been investing a lot into this. We have all our work is made available is open source. All our contributions are up-streamed back into the mainstream. We also started an effort to work with the industry in developing these new workloads. So last year at Node Interactive, we launched one new workload, benchmark, for Node. Which we called Node DC. With his first use case, which is an employee information system, simulating what a large data center distributed application will be doing. This year, now at Node Summit, we will be presenting the updated version of that, one point zero, this time. It was version zero point nine, last time. Where we added support for containers. We included several capabilities to be able to run, in a configural manner, in as many configurations as needed. And we are also contributing this back. We submitted it to the Node Foundation. So it becomes an official benchmark for the Node Foundation. Which means, every night, after the build system runs, this will be run as part of the regressions. To make sure that the performance doesn't degrade. So that's part of our work. And that's also continuing an effort we started with what we call the languages performance portal. If you go to languagesperformance.intel.com we have an entire lab behind that portal, in which every night we build this top tier scripting languages. Including Python, including Node, including PHP, and we run performance regressions on the latest Intel architecture. So we are contributing the results back into the open source community, to make sure that the community is aware if any regression happens. And we have a team of engineers who jumps on those regression center root causes and analyzes it. So to figure it out. >> So Monica, but we're almost out of time. But before I let you go, we talked before we got started, I love Kim Stevenson, I've interviewed her a bunch of times. And one of the conversations that we had was about Moore's Law. And that Moore's Law's really an attitude. And it's kind of a way to do things more than hitting the physical limitations on chips, which I think is a silly conversation. You're in a constantly, the role of constantly optimizing. And making things better, faster, cheaper. As you sit back and look at, kind of, what you've done to date, and looking forward, do you see any slowdown in this ability to continue to tweak, optimize, tweak, optimize? And just get more and more performance out of some of these new technologies? >> I wouldn't see slow down. At least from where I sit on the software side. I'm seeing only acceleration. So, the hardware brings a 30%, 40% improvement. We add, on top of that, the software optimizations. Which bring 10%, 20% improvements as well. So that continuously is going on. And I am not seeing it improving. I'm seeing it becoming more, there is a need for customization. So that's where when we design the workloads, we need to make them customizable. Because there are different use cases across the data center customers. So they are used differently. And we want to make sure that we reflect the reality. That's how they're in the world. And that's how our customers, our partners can also leverage them, to measure something that's meaningful for them. So in terms of speed, now, we want to make sure that we fully utilize our CPU. And we grow to more and more cores and increase frequency. We also grow to more capabilities. And our focus is also to make the entire platform to shine. And when we talk about platform we talk about networking. We talk about non volatile memory. We talk about storage as well as CPU. >> So Gordon's safe. You're safe, Gordon Moore. Your law's still solid. Monica, thanks for taking a few minutes out of your day and good luck on your panel later this afternoon. >> Thank you very much for having me here. It was pleasure. >> Absolutely, all right, Jeff Frick checking in from Node Summit 2017 in San Francisco. We'll be right back after this short break. Thanks for watching. (upbeat music)

>> Hey welcome back everybody Jeff Frick here with theCUBE. We're at Node Summit 2015 in Downtown San Francisco Mission Bay Conference Center. About 800 people talking about nodes, Node JS. The crazy growth in this application development platform and we're excited to have our next guest to talk about security. Which I don't think we've talked about yet. He's Guy Podjarny, I'm sorry. >> Podjarny Correct. >> Welcome, he's a CEO of Snyk, not spelled like Snyk. (laughing) You'll see it on the lower third. >> It's amazing how often we that question. How do you pronounce Snyk? >> Well I know, obviously people that have never had this start up and tried to go through a URL search. >> Indeed. >> Just don't know what's it's all about. >> It's sort of Google dominance. It's short for so now you know. So now you know. >> Oh, so now you know. Okay perfect, super. First off welcome, great to see you. >> Thank you. Thanks for having me. >> You said this is your second year at the conference. Just kind of share your general impressions of what's going on here. >> Sure, well I think Node Summit is an awesome conference. I think this year's event is bigger, better organized. I don't know if it's bigger people wise but definitely feels that way. It sort of feels more structured. It's nice to see in the audience as well. Just an increased amount of larger organizations that are around and talking about their challenges and a little bit a lot earlier in the conference but a little bit of more experienced conversations. So conversations about hey, we've used node and we've encountered these issues versus we're about to use it. We're thinking of using it so definitely can see the enterprise adoption kind of growing up. That's my primary impression so far. >> Yeah and it's it in 'cause you're a start up but Microsoft is here, Google's here, Intel is here, IBM is here so a lot of the big players. Who've demonstrated in other open source communities that they have completely embraced open source as a method and way to get actually more than the software is getting closer to development community. >> Yeah, agreed and I think another adjacent trend that's happening is ServerList and ServerList has grown ridiculously, by massive amounts in these last while. And Node JS is sort of the de facto default language for ServerList. LAM just started with it and AWS and many of the other platforms only support it. I think that contribution also brings the giants a little bit more in here. The Cloud giants but also I think again just sort of boost the Node JS. As though the Node JS echo system needed a boost. They get another amplifier. Just raise enterprise awareness and general usage. >> Okay, so what's the Snyk all about? Gives us, some people aren't familiar with the company. >> Cool, so Snyk deals with open source security and specifically in Node JS, the world of MPMs. MPM is amazing and it allows us to build on the shoulders of giants and all the others in the community. But there are some inherent security risks with just pulling code off the internet and running it in your application. >> Jeff: Right, right. >> What we do at Snyk is we help you find known security flaws, known vulnerabilities in MPM packages, and do that in a natural fashion as part of your continuous development process, and then fix those efficiently and monitor for them over time. That's basically. >> That's your focus is really keeping track of all these other packages that people are using to their development. Precisely and we're helping you just use open source code and stay secure. The word node is our flag ship and it's where we started and build and now we support a bunch of other systems as well. >> It's interesting, Monica from Intel said that in some of their work they found that some of these applications. The actual developers only contributing 2% of the code 'cause they're pulling in all this other stuff. >> Precisely, I have this example I use in a bunch of my talks that shows ServerList example that has 19 lines of codes. Copies some file from URL and puts it on S3. That's 19 lines of codes which is awesome. Uses two packages which in turn use 19 packages which bring in 190,000 lines of code. >> Wow. >> That's a massive-- >> So what is that step function again? Start from the beginning. >> 19 to 190,000. >> It starts at two? >> 19 lines of code use two MPM packages. They use 19 packages because every package uses other packages as well, and combined those 19 packages bring in 190,000 lines of code. >> Wow, that's amazing. That's an extreme example but you see that pattern. You see this again and again that the majority of your code in your applications especially node is not first party it's third party code. >> Jeff: Right. >> And that means most of your security risks. Most of your vulnerabilities, they come from there so there is a lot of challenges around managing dependencies. I know it's called dependency help for a reason but specifically security is still not sufficiently taken care of. It's still overlooked and we need to make sure that it's not just addressed by security people. But it's addressed a part of the development process by developers. >> How do you keep up? Both with the number as the proliferation grows as well as the revisions and versions inside of any particular package? You kind of chasing a multi headed beast there. >> It's definitely tough. First of all the short answer is automation. Any scale solution has to start with automation. I've got a security research team in Israel that has a vulnerability pipeline that feeds in from activity in the open source world. Some developer opens an issue and gets helps that say SQL injection in some package and that disappears into the ether. So we try to surface those, get it to our security analysts, determine if it's a real vulnerability curated in our database, and then just build that database with your own research but a lot of it is around tapping into community. And then subsequently when you consume this if you want to be able to apply security correctly as you develop your applications Node JS or otherwise. It has to come to you. The security tool has to be a seamless integration with how you currently work. If you impose another step, another two steps, another three steps on the developers. They're just not going to use it. That's a lot of our emphasis is scale on the consumption and the tracking of the database and simplicity and ease of use on the developer on the user side. >> And do you help with just like flagging. Flagging is a problem or is there an alternative. I mean I would imagine with all these interdependencies, you find one rotten apple kind of have a huge impact. It's a huge scale of impact right. >> Absolutely so we do really what our moniker is that we don't find vulnerabilities, we fix them and our goal is to fix vulnerabilities. So we actually, first of all in the flow we have single click, open a fixed PR. We figure out what changes we need to do. What upgrades you need to make the vulnerability go away. Literally click a button to fix it. Put on one bat for everything and then what we also do. We build patches, sort of a little known fact is in the world of operation systems RedHat and Canonical. They build a lot of fixes or they back port a lot open source fixes, and they put them into their repository. You can just say on updates or upgrade and just get those fixes. You don't even know which vulnerabilities you're fixing. You're just getting the fixes so we build patches for our MPM packages as well to allow you to patch vulnerabilities you can not upgrade away. A lot of it is around fix. Make fix easy. >> Right and then the other part as you said is baking security in the development all the way through which we hear over and over and over. >> Build it in and bolt it in. >> The cast in method doesn't work anymore. You've got to have it throughout the application so you said you're speaking on a panel tomorrow. And I wondered if you can just highlight some of the topics for tomorrow for the folks that aren't going to be here and see the panel. When you look at ServerList security. Say that three times fast. What are some of the real special challenges that people need to be thinking about? >> Sure, so you know I actually have two talks tomorrow. One is a panel on Node JS security as a whole and that's sort of a broader panel. We have a few other colleagues in there and we talk about the evolution of Node JS security that includes the platform itself which is increasingly well handled by the foundation. Definitely some improvements there over the years and some of it is around best practices like the ones that was just discussed which is understanding known pitfalls and Node JS sort of security mistakes that you might do as well as handling the MPM echo system. The other talk that I have later in the day is around ServerList security. ServerList security is interesting because a lot of the promise of ServerList is function as a service is that a lot of the concerns. A lot of the earlier or lower levels get abstracted away from you. You don't need to manage servers. You don't need to manage operation systems and with those auto security concerns go away. Which in turns focuses the attackers and should focus you on the application. As attackers are not just going to give up because they can't hack the operating system that the pros are managing. They would look at the next low hanging fruit and that would be the application. Platform as a service and function as a service really increase the importance of dealing with application security as a whole. So my talk is a lot about that but also deals with other security concerns that you might of course any new methodology introduces its own concerns so talk a little bit about how to address those. ServerList like Node JS is an opportunity to build security into the culture and into our methodologies from the early day so trying to help us get that right. >> Alright, as you look forward, the next 12 months. I won't say more than 12 months, 6 months, 9 months, 12 months. What are some of your priorities at Snyk? What are you working on if we get together a year from now, what will we be talking about? I think, so two primary ones. One is continuing the emphasis on fix. Making fixing trivial in the Node JS environments as well as others. I think we've done well there but there is more work to be done. It needs to be as seamless as possible. The other aspect is indeed in this sort of past and fast world and platform and function as a service. Where increasingly there is this awareness as we work with different platforms to the blind spot that they have to open source libraries. They fix your NGX vulnerabilities but not your express vulnerabilities. I sometimes refer to MPM packages or open source packages as sprinkles of infrastructure that are just scattered through your application. And today, all of these Cloud platforms are blind to it so I expect us at Snyk to be helping past and fast users dealing with that security concerns efficiently. >> Alright, well I look forwards to the conversation. >> Thanks. >> Thanks for stopping by. >> Thank you. >> He's Guy Podjarny. He is from Snyk. The CEO of Snyk. I'm Jeff Frick, you're watching theCUBE. (uptempo techno music)