>> Live from San Francisco. It's the Cube. Covering Google Cloud Next '19. Brought to you by Google Cloud and its ecosystem partners. >> Hey welcome back, everyone, we're your live coverage with the Cube here in San Francisco for Google Cloud Next 2019. I'm John Furrier, my co-host Stu Miniman. I've got two great guests here from Google. Guemmy Kim, who's a group product manager for Google, Google Security Access and Christiaan Brand, Product Manager at Google. Talking about the security key, fallen as your security key and security in general. Thanks for joining us. >> Of course, thanks for having us. >> So, actually security's the hottest topic in Cloud and any world these days, but you guys have innovation and news, so first let's get the news out of the way. All the work, giz, mottos, all of the blogs have picked it up. >> [Christiaan Brand] Right. >> Security key, titan, tell us. >> [Christiaan Brand] Okay, sure. Uh, high votes on Christiaan. So uh, last year and next we introduced the Titan Security Key which is the strongest form of multifactor certification we offer at Google. Uh, this little kind of gizmo protects you against most of the common phishing threats online. We think that's the number one problem these days. About 81% of account breaches was as a result of phishing or bad passwords. So passwords are really becoming a problem. This old man stat uh making sure that not only do you enter your password, you also need to present this little thing at the point in time when you're logging in. But it does something more, this also makes sure that you're interacting with a legitimate website at the point in time when you're trying to log in. Easy for users to fool victim to phishing, because the site looks legitimate, you enter your username and password, bad guy gets all of it. Security key makes sure that you're interacting with a legitimate website and it will not give away it's secrets, without that assurance that you're not interacting with a phishing website. >> [Christiaan Brand] News this week though is saying that these things are really cool and we recommend users use them. Uh, especially if you're like a high-risk individual or maybe an enterprise user or acts sensitive data you know Google call admin. But what we're really doing this week is we are saying "okay this is cool" but the convenience aspect has been a bit lacking right? Uh, I have to carry this with me if I want to sign in. This week we are saying this mobile phone, now also does the exact same thing as the Security Key. Gives you that level of assurance, making sure you're not interacting with the phishing website and the way we do that is by establishing a local Bluetooth link between the device you're signing in on and the mobile phone. It works on any Android N so Android 7 and later devices this week. Uh and essentially all you need is a Google account and a device with Bluetooth capability to make that work. >> Alright, so, we come to a show like this and a lot of people we geek out as like okay what are the security places that we are going to button, the cloud, and all of these environments. We are actually going to talk about something that I think most people understand is okay I don't care what policies and software you put in place, but the actual person actually needs to be responsible and did you think about things? Explain a little bit what you do, and the security pieces that you know individuals need to be thinking about and how you help them and recommend for them that they can be more secure. >> In general, yeah, I think one of the things that we see from talking to real users and customers is that people tend to underestimate the risks that they are under. And so, we've talked to people like people in the admin space or people who are in the political space and other customers of Google cloud. And they are like, why do I even need to protect my account? And like, we actually had to go and do a lot of education to actually show them that they're actually in much higher risk than they think they are. One of the things that we've seen over time, is phishing obviously is one of the most effective ways that people's accounts get compromised and you have over 70% of organizations saying that they have been victims of phishing in the last year. Then the question is, how do we actually then reduce the phishing that's happening? Because at the end of the day, the humans that are in your organization are going to be your weakest link. And over time, I think that the phishers do recognize that and they'll employ very sophisticated techniques and to try to do that. And so what we tried to do on our end is what can we do on from an algorithmic and automatic and machine side to actually catch things that human eye can't catch and Security Key is definitely one of those things. Also employed with a bunch of other like anti-phishing, anti-spear phishing type things that we will do as well. >> This is important because one of the big cloud admin problems has been human misconfiguration. >> Yeah. >> And we've seen that a lot on Amazon S3 Buckets, and they now passed practices for that but this has become just a human problem. Talk about what you guys are doing to help solve that because if I got router, server access I can't, I don't want to be sharing passwords, that's kind of of a past practices but what other tech can I put in place? What are you guys offering to give me some confidence if I'm going to be using Google cloud. >> Yeah well, I think one of the things is that as much as you can educate your workforce to do the right things like do they recognize phishing emails? Do they recognize that uh, you know this email that is coming from somebody who claims is the CEO, isn't and some of these other techniques people are using. Uh again, like there's human fallacy, there's also things that are just impossible for humans to detect. But fortunately, especially with our Cloud Services, we have very advanced techniques that administrators can actually turn on and enforce for all of the users. And this includes everything from advanced, you know malware and phishing detection techniques to things like enforcing security keys across your organization. And so we're giving administrators that power to actually say, it's not actually up to individual users, I'm actually going to put on these much stronger controls and make it available to everybody at my organization. >> And you guys see a lot of data so you have a lot of collective intelligence across a lot of signals. I mean spear phishing is the worst, it's like phishing is hard to solve. >> [Christiaan Brand] If you think about we have a demo over here just a couple of steps to the right here uh, where we take users through kind of what phishing looks like. Uh, we say that over 99.99% of kind of those types of attack will never even make it through right? The problem is spear phishing as you said, when someone is targeting a specific individual at one company. At that point, we might have not seen those signals before uh that's really where something like a Security Key kind of comes in. >> That's totally right. >> [Christiaan Brand] At that very last line of defense and that's basically what we are targeting here that .1% of users. >> Spear phishing is the most effective because it's highly targeted, no patter recognition. >> Yeah >> So question, one of the things I like we are talking about here is we need to make it easier for users to stay secure. You see, too often, it's like we have all these policies in place and use the VPN and it's like uh forget it, I'm going to use my second phone or log in over here or let me take my files over here and work on them over here and oh my gosh I've just bypassed all of the policy we put in place because you know, how do you just fundamentally think about the product needs to be simple, and it needs to be what the user needs not just the corporate security mandate? >> Yeah, I mean that's a great question. At Google we actually try a nearly completely different way of like kind of access to organizational networks. Like, for example Google kind of deprecated the VPN. Right? So for our employees if we want to access data uh on the company network, we don't use VPNs anymore we have something called kind of BeyondCorp that's like more of a kind of overarching principle than a specific technology. Although we see a lot of companies, even at the show this year that doing kind of technology and product based on that principle of zero trust or BeyondCorp. That makes it really easy for users to interact with services wherever they are and it's all based on trust on the endpoint rather than trust on the network, right? What we've seen is data breaches and things happen you know? Malicious software crawls into a network and from that point it has access to all of the crown jewels. What we are trying to say is like nowhere in being at a privilege point in the network gives you any elevated access. The elevated access is in the context that your device has, the fact that is has a screen lock, the fact that it's maybe issued by your corporation, the fact that it's approved, I don't know, the fact that is has drive instruction turned on, uh you know it's coming from a certain you know location. Those are all kind of contextual signals that we use to make up this uh, you know, our installation of BeyondCorp. This is being offered to customers today, Security Keys again, plays a vital part in all of that. Uh, you know there's trust in the end point, but there's also trust in authentication. If the user is really who they say they are, uh and this kind of gives us that elevated level of trust. >> I think this is a modern approach, that I think is worth highlighting because the old days we had a parameter, access methods were simply, you know, access servers authenticated in and you're in. But you nailed, I think the key point which is: If you don't trust anything and you just say everything is not trustworthy, you need multi-factor authentication. Now, this is the big topic in the industry because architecturally you have to be set up for it, culturally you got to buy into it. So kind of two dimensions of complexity, plus you're going down a whole new road. So you guys must do a lot more than just two factor, three factor, you got to imbed it into the phone. It could be facial recognition, it could be your patterns. So talk about what MFA, Multi-factor Authentication, how's it evolving and how fast is MFA evolving? >> Well, I think the point that you brought up earlier, that it actually has to be usable. And when I look at usability, it has to work for both your end users as well as the idea administrators who are uh putting these on for the systems and we look at both. Uh, so that's actually why we are very excited about things like the built in security key that's on your phone that we launched because it actually is that step to saying how can you take the phone that you already have that users are already familiar using, and then put it into this technology that's like super secure and that most users weren't familiar with before. And so it's concepts like that were we try to merry. Uh, that being said, we've also developed other kind of second factors specific for enterprises in the last year. For example, we are looking at things like your employee ID, like how can an organization actually use that were an outside attacker doesn't have access to that kind of information and it helps to keep you secure. So we are constantly looking at, especially for enterprises, like how do we actually do more and more things that are tailored for usability for both support cause, for the IT organization, as well as the end users themselves. >> Maybe just to add to that, I think the technology, security keys, even in the way that it's being configured today which is built into your phone, that's going into the right direction, it's making things easier. But, I think we still think there's a lot that can be done uh to really bring this technology to the end consumer at some point. So, we kind of have our own interval roadmap, we are working towards in making it even easier. So hopefully, by the time we sit here next year, we can share some more innovations on how this has just become part of everyday life for most users, without them really realizing it. >> More aware of all brain waves, whatever. >> Full story. Yup, yup, yup. >> One of the things that really I think struck a cord with a lot of people in the Keynote was Google Cloud's policy on privacy. Talk about, you on your data, we don't uh you know, some might look and say well uh I'm familiar with some of the consumer you know, ads and search and things like that. And if I think about the discussion of security as a corporate employee is oh my gosh they're going to track everything I am doing, and monitoring everything I need to have my privacy but I still want to be secure. How do you strike that balance and product and working with customers to make sure that they're not living in some authoritarian state, where every second they're monitored? >> That's a good question. Kim if you want to take that, if not I'm happy to do. >> Go ahead. >> Alright, so that is a great question. And I think this year we've really try to emphasize that point and take it home. Google has a big advertising business as everyone knows. We are trying to make the point this year, to say that these two things are separate. If you bring your data to Google Cloud, it's your data, you put that in there. The only way that data would kind of be I guess used is with the terms of service that you signed up for. And those terms of service states: it's your data, it'll be access the way that you want it to be access. And we are going one step further with access transparency this year alright. We have known something where we say well even if a Google user or Googler or Google employee needs access to that data on your behalf, lets say you have a problem with storage buckets, right, something is corrupted. You call uh support and say hey please help me fix this. There will be a near real time log that you can look at which will tell you every single access and basically this is the technology uh we've had in production for quite some time internally at Google. If someone needs to look... >> Look at the data. >> Right, exactly right if I need to look at some you know customers data, because they followed the ticket and there's some problem. These things are stringently long, access is extremely oriented, it's not that someone can just go in and look at data anywhere and the same thing applies to Cloud. It has always applied to Cloud but this year we are exposing that to the user in these kind of transparency reports making sure that the user is absolutely aware of who's accessing their data and for which reason. >> And that's a trust issue as well, it's not just using the check and giving them the benefit... >> [Christiaan Brand] Absolutely. >> But it's basically giving them a trust equation saying look they'll be no God handle access... >> Right, right, exactly. >> You heard with Uber and these other stories that are on the web, and that's huge for you guys. I mean internally just you guys are hardcore on this and you hear this all the time. >> Yeah uh >> Separate building, Sunnyvale... >> No, not separate building. But you know uh, so I've worked in privacy as well for a number of years and I'm actually very proud like as a company I feel like we actually have pushed the floor front on how privacy principles actually should be applied to the technology uh and for examples we have been working very collaboratively with regulators around the world, cause their interest is in protecting the businesses and the citizens kind of for their various countries. And uh we definitely have a commitment to make sure that you know, whether it's organization's or individuals like their privacy actually is protected, the data is secure, and certainly the whole process of how we develop products at Google like there's definitely privacy checkpoints in place so that we're doing the right thing with that data. >> Yeah, I can say I've been following Google for a long time. You guys sometimes got a bad rep because it's easy to attack Google and you guys to a great job with privacy. You pay attention to it and you have the technology, you don't just kind of talk about it. You actually implement it and you dog food it as to or you eat and drink your own champagne. I mean that's how bore became, started became Kubernetes you know? And Spanner was internal first and then became out here. This is the trend that Google, the same trend that you guys are doing with the phones, testing it out internally to see if it works. >> Yeah, yeah. >> Absolutely right, so Security Keys will start there like we uh Krebs published an article last year, just before the event saying we had zero incidents of possible phishers with Googlers since they deploying the technology. We had this inside Google for a long time, and it was kind of born out of necessity, right. We knew there was positive phishing was a problem, even Googlers fall for this kind of thing. It's impossible to train your users not to fall for this type of scam, it just is right. We can view any location all we want, but in the end like we need technology to better protect the user, even your employees. So that's were we started deploying this technology, then we said we want to go one step further. We want to kind of implement this on the mobile phone, so we've been testing this technology internally uh for quite a few months. Uh, kind of making sure that things are shaping out. We released this new beta this week uh so it's not a J product quite yet. Uh, you know as you know there is Bluetooth, there is Chrome, there is Android, there's quite a few things involved. Android Ecosystem is kind of a little bit fragmented, right, there is many OEMs. We want to make this technology available to everyone, everyone who has an Android phone, so we are kind of working on the last little things but we think the technology is in a pretty good place after doing this "drinking of champagne." >> So it's got to be bulletproof. So now, on the current news just to get back to the current news, the phone, the Android phone that has a security key is available or is it data that is available? >> [Christiaan Brand] So it's interesting. In on the Cloud side, the way that we normally launch products there is we do an alpha, which is kind of like a closed liked selection. The moment that we move and do beta, beta is open, anyone can deploy it but it has certain like terms of service limitation and other things. Which says hey don't rely on this as your sole way of accessing an account. For example, if you happening to try and sign in on a device that doesn't have Bluetooth the technology clearly will not work. So we're saying please make sure you have a backup, please keep a physical security key for the time being. But start using this technology, we think for the most popular platforms it should be well shaken out. But beta is more of a designation that we kind of reserve for saying we're starting... >> You're setting expectations. >> But also, one thing I want to clarify that just because it's in beta it doesn't mean it less secure. The worst thing that will happen is that you can be locked out of your account because you know, the Bluetooth could fail to communicate or other things like that. So I want to assure people, even though it's beta you can use it, your account is secure. >> Google has the beta kind of uh which means you either take it out to a select group of people or set expectations on terms of service. >> Right. >> Just to kind of keep an eye on it. But just to clarify, which phones again are available for the Android? >> [Christiaan Brand] Uh, we wanted to make sure that we cover as large a population as possible, so we kind of have to look at the trade offs, you know at which point in time we make this available going forward. Uh, we wanted to make sure that we cover more than 50% of the Android devices out there today. That level that we wanted to reach, kind of coincided with the Android 7, Android Nougat, is kind of the line that we've drawn. Anything Android 7 and above, it doesn't have to be a Pixel phone, it doesn't have to a Nexus phone, it doesn't have to a Samsung phone, any phone 7 and up should work with the technology. Uh and there's a little special treat for folks that have a Pixel 3 as you alluded to earlier we have the Titan M chip that we announced last year in Pixel. There we actually make use of this cryptographic chip but on other devices you have the same technology and you have the same assurance. >> Well certainly an exciting area both on from a device standpoint, everybody loves to geek out on the new phones as Google I know is coming up I'm sure it'll be a fun time to talk about that. But overall, on Cloud security is number one, access, human, errors, fixing those, automating, a very important area. So we're going to be keeping track of what's going on, thanks for coming on. >> Thanks. >> And sharing your insight, I appreciate it. >> Of course, thanks for having us. >> Okay, live Cube coverage here in San Francisco. More after this short break. Here Day 3 of 3 days of wall-to-wall coverage. I'm John Furrier and Stu Miniman, stay with us, we'll be back after this short break. (energetic music)

(string music) >> Welcome to the Cube conversation here at the Cube studios in Palo Alto California, I'm John Furrier, cohost of the Cube and cofounder of Slip and Angle Media. We're here with Shlomi Ben Haim who's the founder and CEO of Jfrog, hot startup. I asked him to come in to chat about his business. In the dev/op space, we see him at a lot of shows, your company's doing well, we love the marketing, the frog thing is great, love it, very cool. But there's a lot of real serious action going on in the enterprise and in the cloud and in emerging tech, whether it's AI or machine learning, whether its innovative things, developers are front and center in the marketplace and there's a boatload of noise out there, there's like this approach, this approach, there's a lot of different approaches, but at the end of the day, the devs are driving a lot of innovation. You guys are at the center of it so welcome to the Cube. >> Thank you. >> First question for you, just take a minute to talk about what you guys do, Jfrog, what's your company, what's your business, what are you guys up to, what's your deal? >> The way I think that the community will describe us would be that we are the binaries people, we are taking care of your binaries. As you know in the dev/ops world, everything you do you do with your binaries, with your software artifacts, so I heard some of the community members call us the database of dev/ops and we are the providers of artifactory, bintray, xray and mission control which take care of your binaries, managing them, host them, distribute them and secure them. >> Open source event we were at, we saw you guys because I was doing all the interviews and you guys were right on the edge there, then you guys got some nice background images off the Cube videos, but it was really interesting. The trend is your friend as the saying goes and the number of open source projects is increasing, the actual lines of code is exponentially going to grow from 22 million to 200, 400 million lines of code over the next couple of years, that's hockey stick. More developers are coming in, not old school like me that built their own stuff from scratch, there's a lot of lego blocks in fact Jim Samlin said that 10% of the code will probably be original ideas and differentiation, 90% of most of the code will be a code sandwich, which I believe, I think that's the legit direction. How do you guys fit into that trend and what does that mean for your business because I can imagine, there's a ton of Git Hub stuff going on, tons of forking, tons of projects, you got block chain catching the world by storm, there is a massive developer tsunami going on. How do you guys help them? >> It's very interesting, when we started Jfrog, actually my co-founder Yoav Landman started by providing developers with a very dummy, basic solution to proxy, public repositories like Maven central and it was not about the code for the first time, it was about the binaries. Code is great and the line of code, as you said, it's going to go enormous but what happened is that when you need to automate, when you need to rebuild, when you need to release faster, you go down to the binary level, to the software artifact level and guess what, no one took care of your binaries before, you were just throwing your binaries to your version controller or file store, maybe you were hosting them. >> They were messy, it's like a kid with their room, all the stuff spread around all over the place, where's that binary, no one keeps track of it. >> Nobody care about that, but this is the one thing that you keep consuming, keep building with, keep recompiling and in the era of dev/ops, is the one asset that you need to automate and reuse. This is where we, >> The core problem if I get this right, is that compiling is going to be, if you think of dev/ops, it's infrastructure as code, as the phrase goes as we always say and programming infrastructure is what dev guys want to do, they don't want to be in the business of switching configurations, getting in the routers and the network. They want it to be just one layer of resource, serverless is a great trend for you, more and more developers are going to love this. They want to program, so when you're programming, the inherent next step is where's the code, who's compiling it, does it need to be compiled? Is that the core problem, that there's more and more stuff going on under the hood that needs to be managed? Is that growing part of your business solution or is the problem just lost binaries, what's the core problem? >> It's a perfect question. First of all, we are providers, we are the providers of the only universal solution. Binaries are not just for java developers, they are not just for python developers, they are not just for dot net developers, they are not just for docker users and the way you package it, binaries happens between your get and your CI server, let's say Jenkins, get and Jenkins and your Kubernetes. Something happens between those two sites. Your orchestration tool and your code repository tool. In this land is where binaries play a very significant role and this is where we are a major player. >> Is the problem error prone in that zone, in that zone it's like the wild west, it's like a black hole if you will, think about what you're saying, if I get it right. There's a lot of stuff that goes on in there, is it mismanagement, what's the core thing that you guys got to do there? >> Tons of binaries, too much public repositories that the community cannot rely on. You need to manage and host your own binaries, the ones that you create yourself, and to provide and this is the last strength we see in the market, big organization need to provide dev/ops as a service to their own developers, so they need to ask this very important asset that we call software artifact and binaries or darker images or whatever you want to call it. >> Yeah a lot of great trends going on, obviously containers and Kubernetes you mentioned. Let's get into those, that's driving a lot of change. Certainly containers has been around for a while, whether you call it wrappers or whatever, it's a great magical thing, we love containers, Kubernetes really gets the trend right, if you look at the google trend, you see Kubernetes has got so much more traction than containers, although I'm not saying one's more relevant than the other, certainly orchestration's important, linking and loading all these containers together. Why is Kubernetes accelerating the binary conversation? Is it because more rapid development is going on, more programmability's going on, why is Kubernetes impacting the binaries components more now than ever? >> Putting aside the need for automating and integrating, this whole orchestration solution requires some work on the binary level but if you think about what Kubernetes is trying to solve, or what the containers are all trying to solve is a better, faster release, better, faster deployment, better, faster delivery and then you can do it only if you will combine the power of the developers and the power of the machine and release faster. This is what we say in Jfrog, release fast or die because it's all about how fast can you release? >> Before we get into some of the product specific stuff, I want to ask you some pointed questions on that. I want to ask you about automation. AI is obviously hot, I love AI, even though it's hyped up, it still promotes great software development, machine learning really is where the meat on the bone is there, so machine learning and automation bots, whatever you want to look at it, is an opportunity to actually to create adaptive code. How did that new software paradigm affect binaries because I can almost imagine that if you got a bot going wild, it could screw up the binaries. >> Completely. >> So can you comment on that, that area. Obviously we want more bots, automation is a good thing on one level, but how do you guys look at that market as an opportunity, as a challenge, what's that whole AI thing look like? >> Well if we take a step back, I think the dev/ops started with the need to automate and release faster. It was like the playground of developers, we need a better integration, we need a continuous integration, we need better delivery, we need continuous delivery. If you think about it now, in 20/20 perspective, you understand that this was all milestones. The next big challenge is continuous updates. People like me, people like you, just want their devices and machines to be updated. >> And secure, look at Equifax. Equifax is a great example, they didn't update the code. >> Absolutely and it's flowing and just happening and secure and in the world of automation, the world of AI, I think that the big challenge or the next big challenge of dev/ops is how can I create a continuous update machine which is also secure and software update will just flow. It will not be something that you press I agree, I reboot and do any kind of crazy stuff in order just to get your software update. It's more about the user experience of all of us. It's not just developers and dev/ops companies anymore. >> That's a great vision by the way, I love that. It should work like that and programmable infrastructure for dev/ops should be programmable and always available and highly reliable. Mark Zuckerberg used to have the saying, move fast, break stuff, that's not a dev/ops ethos by the way, they built their own dev/ops, but then he kind of quickly waffled back to move fast, be reliable, because he got some religion on ops. Totally get that, let's go into today's world. That gives us a little future view, what is a use case for a customer? Take me through the day and the life of a customer that's using Jfrog, what are their problems, what are some of the things that are burning in their office? Where's the smoke, what's the problem that they have that they need to take care of the binaries? Sprawl of code, just mismanagement, what are some of the signals? Share with your view there. >> It starts with the fact that it's not your developer anymore that builds software. You have a CI server there that never goes to a lunch break, never take a break with Facebook, which by the way, it's a great company but sometimes it stop giving the time during the work time and you keep building and building like crazy. Your CI server keep producing binaries. >> It's an always on code machine basically. >> It's a binaries machine and it's being built 24 by seven and yes, you use just a portion of it but you have to host and manage all of it and if you will host it in your version controller, it will explode, if you will put it in a file store, it will not be something, >> Explode because of capacity? >> Because you cannot do any cleanups on the version controller, not get or subversion or the false or any of them, you don't do cleanups on version control. >> Hygiene is an issue. >> Yes, plus integration. You need to integrate with your records system, plus promotion, you need to allow and automate promotion of the specific bites that you build. >> So that's why people call you the database or I would even say the brains of binaries, you got to keep track of the goods if you will, it's like the crown jewel is the binary. >> Right. >> If I get that right, okay let's take it to the next level. You have good hygiene, you have good stuff going on, what are you guys doing specifically that gives you a differentiation of the market because is it software, is it hardware, what is the Jfrog differentiation? >> I think that the first thing that happened to us was that we realized that binaries is for everyone. If you remember Jfrog's slogans from 2010, it was binaries for the people. We felt like we are leading the revolution of taking care of your binaries and therefore, we decided that whatever we build, our philosophy base, our concept will be universal. We started with the Java community, Maven and Gradel and then the dot net community with Nougat and then when it came to be more like a dev/ops industry in 2013 or '14 was it, >> Roughly, 2008 to 2014 was really the cloud errati and then it grew and then it matured a little bit. >> And the combination of dev and ops and IT and then we started to support packages like Debian and RPM, beyond repositories, docker registry, we were the first docker registry in the market. >> You were riding the wave from the beginning. >> Yes. >> You were right there riding the binary wave with the native cloud growth, public cloud growth big time which by the way had a lot of iterations quickly. >> Which is also one of our differentiators, we are the only hybrid providers for your binary solution. We have it in the cloud, any cloud or on prem. >> Who's the competition? >> It's a very good question, on a niche level, we have companies like docker that provide a docker registry we have Cores that provide docker registry, by the way, anyone in the market now that want to have a docker registry, a container registry. On the Java Maven domains, Sonotype provide a nexus which is a binary repository manager for Java for Maven builds. NPM provide a solution for NPM but if you think about the universal solution that supports other, >> Those are siloed platform specific binaries. >> Yes. >> You're taking much more of a wholistic, horizontally scalable, any binary any time management. >> Exactly, we don't do the before and after, but in the binaries world, we want to be one solution for all. >> I get the whole registry thing, love that positioning. Just a dumb question, when someone's coming in and managing intermittently in the registry, how do you guys handle that piece? How do you know that a Java request coming in from a Java registry, you guys have a front end to this thing, is it your software, how do you guys manage the integration of requests to and from the binaries. >> The read and write to the repository you mean? >> Yes. >> Artifactor is a very sophisticated repository if I may say it's built more like a database, it's based on a check sum mechanism and not just a basic file store. >> You verify it coming in on the front end. >> Right, the parts and machine caching, managing, hosting and distributing, it's all happening in artifactor. >> And performance is as good? No problems with performance? >> Well we are the only provider that has a highly available solution with over 4000 customers, so I guess it is. >> You got a smile yeah, I see you at the shows. You got a good reputation so it's great to have you come in. I want to just take a minute to pause because I know we're having a great conversation, I could talk about CI servers til the cows come home, one of my favorite topics dev/ops, as people who have been following me since 2008 know, I love the cloud, cloud native vision from day one. There's a lot of people out there who don't know what the hell a binary is, so take a minute and explain, what is a binary and why is it such an important thing right now in context to open source growth, more developers coming in, context to enterprises trying to be cloud like and just for the general purpose, why are binaries important? Why should the general public, how would you talk about what is a binary? >> I'll try. I think that the main difference is that binaries are more like, maybe it's a basic metaphor, but binaries are more like fresh food, unlike freeze food. Your source code is freezed, you're not allowed to touch it, you're not allowed to clean it, you're not allowed to change it. Your one dot seal would be my one dot seal. It's kind of freeze food, this is why in dev for get and other player in this market are so important. We see how bit bucket with the class in and Git Hub are growing and still playing a significant role binaries are different, binaries is the fresh food. Something that you keep changing, any minute and you build with a specific binary something and then something else and it become another binary if I may say so. I think that the flexibility that you need to gain when you go on full automation and full integration is the flexibility that you can get on the binary level. You cannot get it on the code level. Therefore, binaries playing a very significant role in the cloud era and in the dev/ops era. >> Sure it allows for extensibility of source code. In a way what you're saying. You can eat the frozen food or you can chop up your own organic meal yourself. >> Exactly. >> Okay I get that, final question for you, thanks for coming in, appreciate the one on one on binaries there. People can always just go on Wikipedia and look at other definitions on stack overflow and whatnot. What is the customer value proposition for Jfrog? Why should I work with you, what's the main reason for you to have 4000 customers? What's driving them to use you? Is it just convenience? Is it scalability, all of the above? Just take a minute to explain why customers go to you and if people don't work with you, why should they work with you? >> I think that the biggest challenge today is that you want to treat binaries as first level citizens and instead of having an NPM repository, docker registry, Maven repository, python repository and there is no single organization that will have just one repository, you can have it all with Jfrog. The second thing we are the providers of highly available solution to protect your data centers so if you don't want your 1000 developers sitting down, waiting for the binary repository to be up and running and to allow the environment, then you probably want to, >> Productivity right there is one. >> Productivity and efficiency, absolutely. We are also providing it to secure your binary flow and the platform that distributes your binaries. We take binaries very seriously, over two billion downloads a month on bintray, our distribution hub and we work with the community and for the community, we are developers ourself, coming from the open source community so it's all bottom up and community friendly. >> Shlomi, great commentary, I want to just get a personal, take your Jfrog hat off for a minute, put your developer, executive, industry expert hat on. Share with the audience your view on the developer market. There's been a lot of negative press around the brogrammer lately and all these things, but trends are clear that you have massive growth in open source, comment on the role open source plays as it goes into some argue fifth generation, fourth, fifth generation, I remember when the first generation I was coding on. Those were the days but different, it's changed. You have so much code, it's really a party right now in open source, there's so much good stuff happening. Google's donating tensorflow, all these people putting real big libraries out there to code on. Kubernetes is just so awesome, system guys specifically love what's going on in the cloud. But cloud is exploding a lot of opportunities, IoT and AI, what's the developer market like right now, just share your thoughts, what's the sentiment, what's the excitement, what are the young kids doing? What are some of the big things that you see happening? >> From business perspective, what we see in the market is developers first of all taking decisions. They hear their managers coming with the pain and expect it to solve it and the bottom up process is something we never saw in the market. The last five, six years, we see more and more developers kind of educating their managers with how to do it and how to do it faster. The second thing and this is, >> So bottom up's happening now you're saying. >> Happening for the last five years and it's growing. The second thing we see in the cloud, you see it more than I am, Google and Amazon and Microsoft and Red Hat, everyone want a piece of the cloud, Orca now just announced two days ago, three days ago. Everyone want a piece of the cloud and everybody understand that data traffic comes from developers, it's not individuals, it's communities, the open source community is giant and it's a very, there's a very important player in the data traffic of what we call the cloud highway. >> And the communities are very most important piece, you would agree with that, right? We're very community focused, that's the key, right? >> Yes, absolutely. >> I think the world will be developer indoctrinated with basically developer premises across all business, so it's not a department anymore, it's permeating all through organizations. >> Right and also impact our user experience. People like simple people that doesn't understand code, they're not contributing to the open source world still need software updates and competitive analysis are talking about that, how fast can you release? >> Well Stu Miniman and Dave Alante and Peter Burris and I always talk about community is the key in open source, you guys have been very successful in the community. Congratulations, obviously we're very community focused with our content, with the Cube. If you like the Cube, check us out at cube.net, give us a call, come in the studio if you're a thought leader, love to chat with you. I'm John Furrier with the Cube, more thought leadership coverage in Palo Alto here inside the Cube. We'll be right back, thanks for watching. (electronic music)