(upbeat music) >> Hello everyone, welcome back to theCUBE's coverage of Cloud Native SecurityCon North America 2023. Obviously, CUBE's coverage with our CUBE Center Report. We're not there on the ground, but we have folks and our CUBE Alumni there. We have entrepreneurs there. Of course, we want to be there in person, but we're remote. We've got Ben Hirschberg, CTO and Co-Founder of Armo, a cloud native security startup, well positioned in this industry. He's there in Seattle. Ben, thank you for coming on and sharing what's going on with theCUBE. >> Yeah, it's great to be here, John. >> So we had written on you guys up on SiliconANGLE. Congratulations on your momentum and traction. But let's first get into what's going on there on the ground? What are some of the key trends? What's the most important story being told there? What is the vibe? What's the most important story right now? >> So I think, I would like to start here with the I think the most important thing was that I think the event is very successful. Usually, the Cloud Native Security Day usually was part of KubeCon in the previous years and now it became its own conference of its own and really kudos to all the organizers who brought this up in, actually in a short time. And it wasn't really clear how many people will turn up, but at the end, we see a really nice turn up and really great talks and keynotes around here. I think that one of the biggest trends, which haven't started like in this conference, but already we're talking for a while is supply chain. Supply chain is security. I think it's, right now, the biggest trend in the talks, in the keynotes. And I think that we start to see companies, big companies, who are adopting themselves into this direction. There is a clear industry need. There is a clear problem and I think that the cloud native security teams are coming up with tooling around it. I think for right now we see more tools than adoption, but the adoption is always following the tooling. And I think it already proves itself. So we have just a very interesting talk this morning about the OpenSSL vulnerability, which was I think around Halloween, which came out and everyone thought that it's going to be a critical issue for the whole cloud native and internet infrastructure and at the end it turned out to be a lesser problem, but the reason why I think it was understood that to be a lesser problem real soon was that because people started to use (indistinct) store software composition information in the environment so security teams could look into, look up in their systems okay, what, where they're using OpenSSL, which version they are using. It became really soon real clear that this version is not adopted by a wide array of software out there so the tech surface is relatively small and I think it already proved itself that the direction if everyone is talking about. >> Yeah, we agree, we're very bullish on this move from the Cloud Native Foundation CNCF that do the security conference. Amazon Web Services has re:Invent. That's their big show, but they also have re:Inforce, the security show, so clearly they work together. I like the decoupling, very cohesive. But you guys have Kubescape of Kubernetes security. Talk about the conversations that are there and that you're hearing around why there's different event what's different around KubeCon and CloudNativeCon than this Cloud Native SecurityCon. It's not called KubeSucSecCon, it's called Cloud Native SecurityCon. What's the difference? Are people confused? Is it clear? What's the difference between the two shows? What are you hearing? >> So I think that, you know, there is a good question. Okay, where is Cloud Native Computing Foundation came from? Obviously everyone knows that it was somewhat coupled with the adoption of Kubernetes. It was a clear understanding in the industry that there are different efforts where the industry needs to come together without looking be very vendor-specific and try to sort out a lot of issues in order to enable adoption and bring great value and I think that the main difference here between KubeCon and the Cloud Native Security Conference is really the focus, and not just on Kubernetes, but the whole ecosystem behind that. The way we are delivering software, the way we are monitoring software, and all where Kubernetes is only just, you know, maybe the biggest clog in the system, but, you know, just one of the others and it gives great overview of what you have in the whole ecosystem. >> Yeah, I think it's a good call. I would add that what I'm hearing too is that security is so critical to the business model of every company. It's so mainstream. The hackers have a great business model. They make money, their costs are lower than the revenue. So the business of hacking in breaches, ransomware all over the place is so successful that they're playing offense, everyone's playing defense, so it's about time we can get focus to really be faster and more nimble and agile on solving some of these security challenges in open source. So I think that to me is a great focus and so I give total props to the CNC. I call it the event operating system. You got the security group over here decoupled from the main kernel, but they work together. Good call and so this brings back up to some of the things that are going on so I have to ask you, as your startup as a CTO, you guys have the Kubescape platform, how do you guys fit into the landscape and what's different from your tools for Kubernetes environments versus what's out there? >> So I think that our journey is really interesting in the solution space because I think that our mode really tries to understand where security can meet the actual adoption because as you just said, somehow we have to sort out together how security is going to be automated and integrated in its best way. So Kubescape project started as a Kubernetes security posture tool. Just, you know, when people are really early in their adoption of Kubernetes systems, they want to understand whether the installation is is secure, whether the basic configurations are look okay, and giving them instant feedback on that, both in live systems and in the CICD, this is where Kubescape came from. We started as an open source project because we are big believers of open source, of the power of open source security, and I can, you know I think maybe this is my first interview when I can say that Kubescape was accepted to be a CNCF Sandbox project so Armo was actually donating the project to the CNCF, I think, which is a huge milestone and a great way to further the adoption of Kubernetes security and from now on we want to see where the users in Armo and Kubescape project want to see where the users are going, their Kubernetes security journey and help them to automatize, help them to to implement security more fast in the way the developers are using it working. >> Okay, if you don't mind, I want to just get clarification. What's the difference between the Armo platform and Kubescape because you have Kubescape Sandbox project and Armo platform. Could you talk about the differences and interaction? >> Sure, Kubescape is an open source project and Armo platform is actually a managed platform which runs Kubescape in the cloud for you because Kubescape is part, it has several parts. One part is, which is running inside the Kubernetes cluster in the CICD processes of the user, and there is another part which we call the backend where the results are stored and can be analyzed further. So Armo platform gives you managed way to run the backend, but I can tell you that backend is also, will be available within a month or two also for everyone to install on their premises as well, because again, we are an open source company and we are, we want to enable users, so the difference is that Armo platform is a managed platform behind Kubescape. >> How does Kubescape differ from closed proprietary sourced solutions? >> So I can tell you that there are closed proprietary solutions which are very good security solutions, but I think that the main difference, if I had to pick beyond the very specific technicalities is the worldview. The way we see that our user is not the CISO. Our user is not necessarily the security team. From our perspective, the user is the DevOps and the developers who are working on the Kubernetes cluster day to day and we want to enable them to improve their security. So actually our approach is more developer-friendly, if I would need to define it very shortly. >> What does this risk calculation score you guys have in Kubscape? That's come up and we cover that in our story. Can you explain to the folks how that fits in? Is it Kubescape is the platform and what's the benefit, what's the purpose? >> So the risk calculation is actually a score we are giving to clusters in order for the users to understand where they are standing in the general population, how they are faring against a perfect hardened cluster. It is based on the number of different tests we are making. And I don't want to go into, you know, the very specifics of the mathematical functions, but in general it takes into account how many functions are failing, security tests are failing inside your cluster. How many nodes you are having, how many workloads are having, and creating this number which enables you to understand where you are standing in the global, in the world. >> What's the customer value that you guys pitching? What's the pitch for the Armo platform? When you go and talk to a customer, are they like, "We need you." Do they come to you? Is it word of mouth? You guys have a strategy? What's the pitch? What's so appealing to the customers? Why are they enthusiastic about you guys? >> So John, I can tell you, maybe it's not so easy to to say the words, but I nearly 20 years in the industry and though I've been always around cyber and the defense industry and I can tell you that I never had this journey where before where I could say that the the customers are coming to us and not we are pitching to customers. Simply because people want to, this is very easy tool, very very easy to use, very understandable and it very helps the engineers to improve security posture. And they're coming to us and they're saying, "Well, awesome, okay, how we can like use it. Do you have a graphical interface?" And we are pointing them to the Armor platform and they are falling in love and coming to us even more and we can tell you that we have a big number of active users behind the platform itself. >> You know, one of the things that comes up every time at KubeCon and Cloud NativeCon when we're there, and we'll be in Amsterdam, so folks watching, you know, we'll see onsite, developer productivity is like the number one thing everyone talks about and security is so important. It's become by default a blocker or anchor or a drag on productivity. This is big, the things that you're mentioning, easy to use, engineering supporting it, developer adoption, you know we've always said on theCUBE, developers will be the de facto standards bodies by their choices 'cause developers make all the decisions. So if I can go faster and I can have security kind of programmed in, I'm not shifting left, it's just I'm just having security kind of in there. That's the dream state. Is that what you guys are trying to do here? Because that's the nirvana, everyone wants to do that. >> Yeah, I think your definition is like perfect because really we had like this, for a very long time we had this world where we decoupled security teams from developers and even for sometimes from engineering at all and I think for multiple reasons, we are more seeing a big convergence. Security teams are becoming part of the engineering and the engineering becoming part of the security and as you're saying, okay, the day-to-day world of developers are becoming very tangled up in the good way with security, so the think about it that today, one of my developers at Armo is creating a pull request. He's already, code is already scanned by security scanners for to test for different security problems. It's already, you know, before he already gets feedback on his first time where he's sharing his code and if there is an issue, he already can solve it and this is just solving issues much faster, much cheaper, and also you asked me about, you know, the wipe in the conference and we know no one can deny the current economic wipe we have and this also relates to security teams and security teams has to be much more efficient. And one of the things that everyone is talking, okay, we need more automation, we need more, better tooling and I think we are really fitting into this. >> Yeah, and I talked to venture capitalists yesterday and today, an angel investor. Best time for startup is right now and again, open source is driving a lot of value. Ben, it's been great to have you on and sharing with us what's going on on the ground there as well as talking about some of the traction you have. Just final question, how old's the company? How much funding do you have? Where you guys located? Put a plug in for the company. You guys looking to hire? Tell us about the company. Were you guys located? How much capital do you have? >> So, okay, the company's here for three years. We've passed a round last March with Tiger and Hyperwise capitals. We are located, most of the company's located today in Israel in Tel Aviv, but we have like great team also in Ukraine and also great guys are in Europe and right now also Craig Box joined us as an open source VP and he's like right now located in New Zealand, so we are a really global team, which I think it's really helps us to strengthen ourselves. >> Yeah, and I think this is the entrepreneurial equation for the future. It's really great to see that global. We heard that in Priyanka Sharma's keynote. It's a global culture, global community. >> Right. >> And so really, really props you guys. Congratulations on Armo and thanks for coming on theCUBE and sharing insights and expertise and also what's happening on the ground. Appreciate it, Ben, thanks for coming on. >> Thank you, John. >> Okay, cheers. Okay, this is CUB coverage here of the Cloud Native SecurityCon in North America 2023. I'm John Furrier for Lisa Martin, Dave Vellante. We're back with more of wrap up of the event after this short break. (gentle upbeat music)

>> From theCUBE studios in Palo Alto and Boston, connecting with thought-leaders all around the world, this is a Cube Conversation. >> Hi everybody, this is Dave Vellante. Welcome to this Cube Conversation. We're really excited to have Wim Coekaerts in, he is the senior vice-president of software development at Oracle. Wim, it's great to have you on, and, you know I often say I wish we were face-to-face but if we were you'd have to cut off my tie, cause developers and ties just don't go together. >> No, I know, and this is my normal outfit, so this is me wherever I go. Hi again, good to see you. >> Yeah, great to see you. So, of course, you know a lot of people are confused about Oracle, and open-source, they say "Oracle? Open-source? What is that all about?" But I think you're misunderstood. People don't, first of all, realize you as the leader of the software-development community inside of Oracle, I mean, you've been involved in Linux since the early 90s. But you guys have a lot of committers, you do a lot. I want to talk about that. What is up with Oracle, and open-source? >> Ah, well, it's a broad question. So, you know, a couple of things. One is, we have many different areas within the company that are dealing with open-source. So we have the cloud team doing a lot of stuff around cloud SDKs and support for different languages like Python and Go, and of course Java and so forth, so they do a lot around ensuring that the Oracle ecosystem is integrated in the open-source tools that customers use, or developers use, Terraform companies and so forth. And then you have the Java team, and so forth. Java is open-source and then the Graal project, GraalVM which is a polyglot compiler that can run Java, and Python, and Javascript and so forth together in one. VM do really cool optimizations, that's an open-source project, also on GitHub. There's of course MySQL, which is along with Java, they're probably the two most popular and widely used open-source projects out there. There's VirtualBox which is of course also a very popular project that's open-source. There's all the work we do around Linux. And I think one of the things is that, when you have so many different areas, doing things that are for that area, then as a developer or as a customer, you typically just deal with that group. And what you see is, oh you're talking to the Java developers, so you know what's going on around Java. The Java developers might not necessarily say, "Oh well we also do MySQL, and we do Linux and VirtualBox and so forth," and so you get a rather myopic, narrow view of the larger company. When you add all these things up, and there will be one big slide that says "This is Oracle, these are all these open source projects," and there's multiple ways. One is, we have projects that we've open-sourced and all the code came from us and we made it publicly available, we're the main contributor and we get contributions back. There are other projects where we contribute to third-party in terms of enhancing things, like I said with the Cloud Team, and then in general something like Linux where we're part of an external project and we participate in development of that project at large. And so there's these three different ways, when you count up all the developers that we have that deal with open-source on a daily basis. And in terms of contributions, in terms of bug fixes, testing, and so forth, it's thousands, literally, full-time paid developers. And of course, all the projects are all either on GitHub or similar sites that are very popular. So yeah, I think the misunderstood is probably a lack of knowledge of the breadth of what we do. And, you know, our primary goal is to provide services and products to customers, and so the open-source part is sort of embedded in a development methodology. But that's not something we sell or market separately, we just work with customers and products and services, and so in some cases it's not well-understood. >> Yeah. Well, we're talking of course, we're talking about the state of the penguin, I think it's important for people to understand, Oracle got into the Linux game in the 90s, maybe the latter part of the 90s and Oracle, of course, wants to make Linux-- wants to make Oracle, it's applications and database run better on Linux, but as you're pointing out, your Linux distro, full support, end-to-end, thousands of people in your open-source community, and the contributions that you make to Linux, many if not most, they go upstream, everybody can benefit from those, but of course you want an Oracle distro that is going to make Oracle stuff run better, that's always kind of been the Oracle way. >> Well, so, yes, two things though. One is, so everything we do is upstream. So we have no Linux patches that are not contributed upstream; There's no proprietary code in Oracle Linux at all, it's all completely open, publicly available: the source code, the change log, all the commits, it's fully open and public, which sometimes is not well-understood, but it's completely open. And, everything we do in terms of feature development or functionality or bug fixes goes upstream to the Linux kernel mail-list. It's actually, it's the only way to be able to manage a Linux distribution and be a Linux vendor is to live in that eco-system. Otherwise, the cost of maintaining your own fork, so to speak, is very high and it doesn't really solve the problem. Now, the functionality we work on obviously is focused on making Oracle products run better, making Oracle Cloud run better, and so forth. However, again, what's important to understand, though, is an Oracle database is a program running on an operating system. It does IO, it does networking, it deals with memory management, lots of processing. So, for the most part, the things that we work on to improve that helps everyone out, right? It helps every other database run better, or helps every other language run better. So none of these changes are specific to Oracle, they're just things that we found doing performance benchmarks and testing and so forth, where we say "Hey, if Linux did the following, it would make boot-up faster. Now boot-up has nothing to do with the database. But our customers run on 1-terabyte, 4-terabyte, 8-terabyte systems, and so booting up, and Linux starting up, and cleaning up memory takes a long time. So we want to reduce that from an availability point of view. So here, we're now talking about just enterprise for you. So there's this broad set of things we work on that definitely help us, but they're actually really completely generic and help everyone out. >> Yeah, that's great. So I wanted to kind of get that out of the way and help our audience understand that. So let's get into it a little bit; What are you seeing, what's going on in IT, pick your observation space and your vision of what you see happening out there. >> Well, you know, it's very interesting, it's sort of, there's two... there's sort of two worlds, right, there's the cloud world and the move to cloud, and there's the on-premises world, where people run their systems on their own. And, one of the things that we've learned is, when you talk about machine-learning, obviously, is something that's very popular these days, and automation. And so in order to rely on machine-learning well, and have algorithms that are very effective, you need lots of data. And so being a cloud vendor, and having Linux in our cloud on tens of thousands, or hundreds of thousands of servers, or more, allows us to have a view of how an operating system works across an incredibly large scale. So we get lots of data. And so for us to figure out which algorithms work well in terms of how can we do network optimizations, how can we discover anomalies on the storage site, and deal with it and so forth, we can do that at scale. And what's interesting is, how do we then bring that on-prem? Well, if we can get the data and the learning done, the training done, in our cloud directly, then when we provide that service also for people running Oracle Linux on premises then that will work. The alternative is to have point solutions where you provide something to a customer, and he needs to learn something from small amounts of data. That doesn't work so well. So I think having both worlds, on-prem and cloud directly, allows us to kind of benefit from that. And I think that's important, because lots of customers are interested in going to cloud. Many of the enterprises have not yet. You know, they're starting, but there's still a huge on-premises space that's important. And so by being able to get them familiar with how these things work at scale, autonomy is again important, right, Autonomous Database is incredibly popular and so forth, that allows us to then say, "Here, try these things out here, it's a service. We can show you the benefits right away," and then as that improves we bring that, to a certain extent, on-premises as well. And then they can have it in both places. And that, I think, is something, again, that's relatively unique but also very important, is that we want to provide services and products that act similarly on-premises as well as in cloud, because at some point when people move we want to make that transition seamless. And what you have today for the most part is one world that's on-prem, and then the cloud world is completely different. And that is a big barrier of moving, and so we want to reduce that, we can run the same operating system local as well as cloud, you can the same functionality, and then that helps transition people over much easier. >> Yeah, well Oracle actually was one of the -- I think Oracle was the first company to actually market same-same, you actually used that term. Others put forth that concept, but Oracle was the first to announce products like Cloud at Customer, that were same-same, now it took some time to actually get it perfected, and get it to market, but the point is, and we've written about this, is Oracle, because of the ascendancy of cloud, flipped and has a cloud-first mentality, and you just kind of referenced that, you just said, "And you can bring that to on-prem." So I wonder if you could talk about that cloud-first mentality, and the impact on hybrid. >> So yeah, I think the cloud-first part is of course in cloud we work on services moreso than products that we deliver. And there's a number of things that are happening. So one is that we obviously continue to provide products to customers, you can download Oracle Linux, you can download the database and what not, you can install it on your own, you can do the traditional way of working. Then in the cloud-world, what typically happens is "Oh, I use a database service. I'm not installing anything, I push a button and I get an IP address and a SQL that connects extremely quickly to the database." And we take care of everything underneath that is on this database. Now, in order to do that, you need a whole infrastructure in place, you need log-in agents, you need a back-end that captures all that stuff, you need monitoring tools, you need all the automation scripts for bringing the service up and monitor it. And so, that takes a lot of time to do right, and we learn a lot by doing this. And so the cloud-first part of these services means that we get to experience this ourselves with direct access to everything. Now taking that service with all of the additional features like autonomy, and bringing that to an on-premises world, we have to make sure we can package that so that all these pieces around it go along with it. And that takes a little bit more time, so we can do everything at the same time. And so what we've done with Autonomous Database is we created everything in Oracle Cloud, we have the whole system running really well, and then we've been able to sort of package that and shrink it into something that can be installed on-premises, but then connected into Oracle Cloud again. And so that way we can get all the telemetry over the metric, and that allows us to scale. Because part of providing a cloud service that runs on-prem in the customer environment is that we need to be able to remotely manage that similar to how that runs in our own cloud. Right, otherwise it doesn't scale. And so that takes a little bit of time, but we've done all that work, and now with Cloud at Customer Database that's really in place. >> Yeah, you really want to have that same cloud experience, whether with on-prem, in the public cloud, hybrid, et cetera. So, I want to explore a little bit more who is using Oracle Linux, and what's the driver for using it. Can you describe maybe some of the types of customers and why they buy? >> Sure, so we started this fourteen years ago, in 2006, October 25th, 2006. I remember that day very well; Penguins on stage and a big launch for Oracle Linux in San Francisco Moscone Center. So, look, the initial driver for Oracle Linux was to ensure that Oracle database customers or Oracle product customers had a good operating system experience, and the ability to be able to handle critical issues when that occurs, because typically a database runs the company's critical data: the most essential stuff that a company has is typically in a database, an Oracle database. And so when that thing has issues with the operating system, you don't want just to talk to multiple vendors and have finger-pointing, and having to explain to an operating system vendor how the database works. In the Unix world, we had a good relationship with the OS vendors, and the hardware vendors, they were the same. And they knew our products really well, and in the Linux world, that was very different. The OS vendor basically did not want to understand or learn anything about the products living on top. And so while to a certain extent that makes sense, it's an enterprise world where time is of the essence, and downtime needs to be limited absolutely. We can't have these arguments and such. And that was the driver, initially, for doing Oracle Linux. It was to ensure there was a Linux distribution really backed by us, that we could fix, that we could fully support. That was completely the original intent. And so the early customer base was database customers. Database and middleware. Mostly database. But that has then evolved quickly, and so what happened was, people say "Look, I have a thousand servers, a hundred run Oracle, so we'll run Oracle Linux on those hundred, and we'll run something else on those other nine-hundred." Now after a year or so, they realize that our support is really good; We fix all these issues, and so then they're like "Why are we having two Linux distributions? This thing works really well, it runs any application, it's fully compatible, so we'll do a thousand with Oracle Linux." And so the early days, the first few years, was definitely Oracle Database as the core driver, and then it sort of expanded to the rest of the estate. And over the years, we've added lots of features and functionality, like Ksplice, and so forth. We have an attractive pricing model for running on servers, and so now lots of our customers have a very small Oracle percentage running and many other things running. So it's really become a all-or-nothing play in the Linux space, and we're well-known now, so it's actually very good. >> You just mentioned Ksplice. We've been talking about cloud, and on-prem, and hybrid. Let's talk about security, because security really is a differentiator, particularly if you're going to start to put stuff in the cloud. Talk about Ksplice specifically, but generally security and your policy there. >> So, "Security first" is sort of what you hear us say and do, in everything we do. The database obviously security, on the Linux site security matters. Ksplice as a technology is there to do critical bug-fixing and make sure that we can apply security vulnerability fixes without affecting the customer, and not have downtime. And if you look at most of the cases or many of the cases where you have security vulnerabilities and exploits, it tends to be because systems were not patched. Why were they not patched? Well not that our customer doesn't understand that it's important, but it's a whole train of events that needs to happen. You have to, you get notified that there's a security issue in your operating system or application. Then, well, an application typically means it's a multi-layered setup. So if you have to bring your database server down, then you first have to coordinate with the application users to bring the app server down, cause that talks to the database. So to patch one system, you basically have to bring down the whole application stack. You have to negotiate with the DBAs, you have to negotiate with the app admins, you have to negotiate with the user. It takes weeks to do that and find time. Well during that time, you're vulnerable. So the only way, really, to address security in a scalable and reducing that window of time is to do it without affecting the customer. And so Casewise is something that, it's a company we acquired in 2009, and have since evolved in terms of capabilities, and so it allows us to patch the Linux terminal without downtime. We lock the kernel for 8 microseconds. It's literally no downtime. You don't have to bring down applications, the user doesn't see it, there's no hang, there's no delay. And so by doing that, you can run a Linux operating system, or gLinux, and you can be fully patched on a system that hasn't rebooted for 3 years. You don't even know it. And so by doing that type of stuff, it makes customers more secure, and it avoids them-- It saves them a lot of money in terms of dealing with project management and so forth, but it really keeps them secure. And so we do that for the Linux kernel, we do that for some of the libraries on top that are critical like OpenSSL and 2 LVC, and, you know one example-- I can give you two examples. So one example is, Heartbleed was this bug in OpenSSL a number of years ago. And so everyone had to patch their SSH server. And that meant, basically, systems around the world had to reboot. Like a whole IT reboot across the world. With Ksplice today, if Heartbleed were to happen tomorrow, we would be able to patch this online for all the Oracle Linux customers without any downtime. No reboots, no restarting of applications, everything keeps running. The amount of money saved would be massive, and also, of course, the headache. Another example is, and this was in Oracle Cloud, when some of these CPU bugs that happened a few years ago that were rather damaging on the cloud side, where you could basically see memory potentially of other CPUs running, the cloud is incredibly critical. We were basically able to basically patch our entire cloud in four hours. And the customer didn't know, right, a hundred and twenty million patches, or something, that we applied within four hours, all online, without any downtime. And so that technology has been really helpful, both for us to run our cloud, but the exact same patches and same fixes go to customers on-premises as well. But this comes back to the whole, what we do in cloud we also do for customer. And I think that's a unique thing that we have at Oracle which is quite fascinating. The operating system we run for our customers, the operating system that's the host part of VMs, is the exact same binary and source code that we make available, just to be clear, the exact same binaries are the ones that you run as a customer on-premises. So if you run Oracle Linux with KVM, you run VMs, you're actually running the exact same stuff as we run underneath our customer's stuff. Nobody else does that, everyone else has a black box. So I think that helps a little bit with transparency as well. >> Yeah, and that homogeneity just creates an environment, you're talking about that sort of security mindset, it's critical, you're not just bolting it on, it's part of the culture. But you started your career, and then of course you were a Linux person when you came to Oracle, but then I think you spent some time in database, back in the day when there were serious database wars going on, before Oracle became the king of database. So now you've got, obviously, this great portfolio, and a lot of really sharp software developers; What should we expect going forward, from Oracle? What should we look for? >> You know, I was talking to some, I was welcoming some interns to the company, for their summer internship yesterday, and one of the things I mentioned to them was that -- so cloud obviously gives us a lot of opportunities, but there's a number of things. One is, we have such a breadth of applications and software and hardware together. We have the servers, we have the storage, we have the operating systems, we have the database layer and so forth, and we have the cloud side, and one of the great opportunities, and I think we've shown a lot of this happening with the ability to create something like Autonomous Database, is to combine all these things. Right, we have such a broad portfolio of really cool technology that by itself is okay, but if you combine the things it really becomes awesome. You cannot create autonomous database without having autonomous learning. You cannot create those two and make them really safe without also controlling the firmware on the hardware and so forth. So by being able to combine all these layers, and by having a really great relationship across the teams within the company, that opens up a lot of opportunities to do stuff really quickly. And having the scale for that. I think that has been, for the last few years, a really great thing, but I can see that being one of the advantages that we have going forward. We have Oracle Fusion Applications, which is incredibly popular, and has great growth, and then we have that running on Oracle Cloud, that talks to Oracle Autonomous Database, so we bring all these pieces together. And no other SaaS vendor can do that, because they don't have these other pieces. They have one area, we have all of them. And so that's the exciting part for me, it's not so much about making my own world better, and having Linux be better, and Casewise and so forth, which is important, but that becoming part of the bigger picture. And that's the exciting part. >> Well, Oracle's always invested in RND, we've made that point many, many times. Whether it's database, you know Fusion was a painful but worthy effort, the whole public cloud piece, obviously many acquisitions, but the investments that you've made in open-source as well, Wim, you're a great spokesperson, and a great representative of the open-source community generally, and then Oracle specifically, so thanks very much for coming on theCUBE and sharing with us the state of the penguin, and best of luck. >> You're welcome. Thank you, thanks for having me. >> Alright, and thank you for watching, everybody. This is Dave Vellante for theCUBE. We'll see you next time. (cheerful music).

>> From theCUBE studios in Palo Alto and Boston, connecting with thought-leaders all around the world, this is a Cube Conversation. >> Hi everybody, this is Dave Vellante. Welcome to this Cube Conversation. We're really excited to have Wim Coekaerts in, he is the senior vice-president of software development at Oracle. Wim, it's great to have you on, and, you know I often say I wish we were face-to-face but if we were you'd have to cut off my tie, cause developers and ties just don't go together. >> No, I know, and this is my normal outfit, so this is me wherever I go. Hi again, good to see you. >> Yeah, great to see you. So, of course, you know a lot of people are confused about Oracle, and open-source, they say "Oracle? Open-source? What is that all about?" But I think you're misunderstood. People don't, first of all, realize you as the leader of the software-development community inside of Oracle, I mean, you've been involved in Linux since the early 90s. But you guys have a lot of committers, you do a lot. I want to talk about that. What is up with Oracle, and open-source? >> Ah, well, it's a broad question. So, you know, a couple of things. One is, we have many different areas within the company that are dealing with open-source. So we have the cloud team doing a lot of stuff around cloud SDKs and support for different languages like Python and Go, and of course Java and so forth, so they do a lot around ensuring that the Oracle ecosystem is integrated in the open-source tools that customers use, or developers use, Terraform companies and so forth. And then you have the Java team, and so forth. Java is open-source and then the Graal project, GraalVM which is a polyglot compiler that can run Java, and Python, and Javascript and so forth together in one. VM do really cool optimizations, that's an open-source project, also on GitHub. There's of course MySQL, which is along with Java, they're probably the two most popular and widely used open-source projects out there. There's VirtualBox which is of course also a very popular project that's open-source. There's all the work we do around Linux. And I think one of the things is that, when you have so many different areas, doing things that are for that area, then as a developer or as a customer, you typically just deal with that group. And what you see is, oh you're talking to the Java developers, so you know what's going on around Java. The Java developers might not necessarily say, "Oh well we also do MySQL, and we do Linux and VirtualBox and so forth," and so you get a rather myopic, narrow view of the larger company. When you add all these things up, and there will be one big slide that says "This is Oracle, these are all these open source projects," and there's multiple ways. One is, we have projects that we've open-sourced and all the code came from us and we made it publicly available, we're the main contributor and we get contributions back. There are other projects where we contribute to third-party in terms of enhancing things, like I said with the Cloud Team, and then in general something like Linux where we're part of an external project and we participate in development of that project at large. And so there's these three different ways, when you count up all the developers that we have that deal with open-source on a daily basis. And in terms of contributions, in terms of bug fixes, testing, and so forth, it's thousands, literally, full-time paid developers. And of course, all the projects are all either on GitHub or similar sites that are very popular. So yeah, I think the misunderstood is probably a lack of knowledge of the breadth of what we do. And, you know, our primary goal is to provide services and products to customers, and so the open-source part is sort of embedded in a development methodology. But that's not something we sell or market separately, we just work with customers and products and services, and so in some cases it's not well-understood. >> Yeah. Well, we're talking of course, we're talking about the state of the penguin, I think it's important for people to understand, Oracle got into the Linux game in the 90s, maybe the latter part of the 90s and Oracle, of course, wants to make Linux-- wants to make Oracle, it's applications and database run better on Linux, but as you're pointing out, your Linux distro, full support, end-to-end, thousands of people in your open-source community, and the contributions that you make to Linux, many if not most, they go upstream, everybody can benefit from those, but of course you want an Oracle distro that is going to make Oracle stuff run better, that's always kind of been the Oracle way. >> Well, so, yes, two things though. One is, so everything we do is upstream. So we have no Linux patches that are not contributed upstream; There's no proprietary code in Oracle Linux at all, it's all completely open, publicly available: the source code, the change log, all the commits, it's fully open and public, which sometimes is not well-understood, but it's completely open. And, everything we do in terms of feature development or functionality or bug fixes goes upstream to the Linux kernel mail-list. It's actually, it's the only way to be able to manage a Linux distribution and be a Linux vendor is to live in that eco-system. Otherwise, the cost of maintaining your own fork, so to speak, is very high and it doesn't really solve the problem. Now, the functionality we work on obviously is focused on making Oracle products run better, making Oracle Cloud run better, and so forth. However, again, what's important to understand, though, is an Oracle database is a program running on an operating system. It does IO, it does networking, it deals with memory management, lots of processing. So, for the most part, the things that we work on to improve that helps everyone out, right? It helps every other database run better, or helps every other language run better. So none of these changes are specific to Oracle, they're just things that we found doing performance benchmarks and testing and so forth, where we say "Hey, if Linux did the following, it would make boot-up faster. Now boot-up has nothing to do with the database. But our customers run on 1-terabyte, 4-terabyte, 8-terabyte systems, and so booting up, and Linux starting up, and cleaning up memory takes a long time. So we want to reduce that from an availability point of view. So here, we're now talking about just enterprise for you. So there's this broad set of things we work on that definitely help us, but they're actually really completely generic and help everyone out. >> Yeah, that's great. So I wanted to kind of get that out of the way and help our audience understand that. So let's get into it a little bit; What are you seeing, what's going on in IT, pick your observation space and your vision of what you see happening out there. >> Well, you know, it's very interesting, it's sort of, there's two... there's sort of two worlds, right, there's the cloud world and the move to cloud, and there's the on-premises world, where people run their systems on their own. And, one of the things that we've learned is, when you talk about machine-learning, obviously, is something that's very popular these days, and automation. And so in order to rely on machine-learning well, and have algorithms that are very effective, you need lots of data. And so being a cloud vendor, and having Linux in our cloud on tens of thousands, or hundreds of thousands of servers, or more, allows us to have a view of how an operating system works across an incredibly large scale. So we get lots of data. And so for us to figure out which algorithms work well in terms of how can we do network optimizations, how can we discover anomalies on the storage site, and deal with it and so forth, we can do that at scale. And what's interesting is, how do we then bring that on-prem? Well, if we can get the data and the learning done, the training done, in our cloud directly, then when we provide that service also for people running Oracle Linux on premises then that will work. The alternative is to have point solutions where you provide something to a customer, and he needs to learn something from small amounts of data. That doesn't work so well. So I think having both worlds, on-prem and cloud directly, allows us to kind of benefit from that. And I think that's important, because lots of customers are interested in going to cloud. Many of the enterprises have not yet. You know, they're starting, but there's still a huge on-premises space that's important. And so by being able to get them familiar with how these things work at scale, autonomy is again important, right, Autonomous Database is incredibly popular and so forth, that allows us to then say, "Here, try these things out here, it's a service. We can show you the benefits right away," and then as that improves we bring that, to a certain extent, on-premises as well. And then they can have it in both places. And that, I think, is something, again, that's relatively unique but also very important, is that we want to provide services and products that act similarly on-premises as well as in cloud, because at some point when people move we want to make that transition seamless. And what you have today for the most part is one world that's on-prem, and then the cloud world is completely different. And that is a big barrier of moving, and so we want to reduce that, we can run the same operating system local as well as cloud, you can the same functionality, and then that helps transition people over much easier. >> Yeah, well Oracle actually was one of the -- I think Oracle was the first company to actually market same-same, you actually used that term. Others put forth that concept, but Oracle was the first to announce products like Cloud at Customer, that were same-same, now it took some time to actually get it perfected, and get it to market, but the point is, and we've written about this, is Oracle, because of the ascendancy of cloud, flipped and has a cloud-first mentality, and you just kind of referenced that, you just said, "And you can bring that to on-prem." So I wonder if you could talk about that cloud-first mentality, and the impact on hybrid. >> So yeah, I think the cloud-first part is of course in cloud we work on services moreso than products that we deliver. And there's a number of things that are happening. So one is that we obviously continue to provide products to customers, you can download Oracle Linux, you can download the database and what not, you can install it on your own, you can do the traditional way of working. Then in the cloud-world, what typically happens is "Oh, I use a database service. I'm not installing anything, I push a button and I get an IP address and a SQL that connects extremely quickly to the database." And we take care of everything underneath that is on this database. Now, in order to do that, you need a whole infrastructure in place, you need log-in agents, you need a back-end that captures all that stuff, you need monitoring tools, you need all the automation scripts for bringing the service up and monitor it. And so, that takes a lot of time to do right, and we learn a lot by doing this. And so the cloud-first part of these services means that we get to experience this ourselves with direct access to everything. Now taking that service with all of the additional features like autonomy, and bringing that to an on-premises world, we have to make sure we can package that so that all these pieces around it go along with it. And that takes a little bit more time, so we can do everything at the same time. And so what we've done with Autonomous Database is we created everything in Oracle Cloud, we have the whole system running really well, and then we've been able to sort of package that and shrink it into something that can be installed on-premises, but then connected into Oracle Cloud again. And so that way we can get all the telemetry over the metric, and that allows us to scale. Because part of providing a cloud service that runs on-prem in the customer environment is that we need to be able to remotely manage that similar to how that runs in our own cloud. Right, otherwise it doesn't scale. And so that takes a little bit of time, but we've done all that work, and now with Cloud at Customer Database that's really in place. >> Yeah, you really want to have that same cloud experience, whether with on-prem, in the public cloud, hybrid, et cetera. So, I want to explore a little bit more who is using Oracle Linux, and what's the driver for using it. Can you describe maybe some of the types of customers and why they buy? >> Sure, so we started this fourteen years ago, in 2006, October 25th, 2006. I remember that day very well; Penguins on stage and a big launch for Oracle Linux in San Francisco Moscone Center. So, look, the initial driver for Oracle Linux was to ensure that Oracle database customers or Oracle product customers had a good operating system experience, and the ability to be able to handle critical issues when that occurs, because typically a database runs the company's critical data: the most essential stuff that a company has is typically in a database, an Oracle database. And so when that thing has issues with the operating system, you don't want just to talk to multiple vendors and have finger-pointing, and having to explain to an operating system vendor how the database works. In the Unix world, we had a good relationship with the OS vendors, and the hardware vendors, they were the same. And they knew our products really well, and in the Linux world, that was very different. The OS vendor basically did not want to understand or learn anything about the products living on top. And so while to a certain extent that makes sense, it's an enterprise world where time is of the essence, and downtime needs to be limited absolutely. We can't have these arguments and such. And that was the driver, initially, for doing Oracle Linux. It was to ensure there was a Linux distribution really backed by us, that we could fix, that we could fully support. That was completely the original intent. And so the early customer base was database customers. Database and middleware. Mostly database. But that has then evolved quickly, and so what happened was, people say "Look, I have a thousand servers, a hundred run Oracle, so we'll run Oracle Linux on those hundred, and we'll run something else on those other nine-hundred." Now after a year or so, they realize that our support is really good; We fix all these issues, and so then they're like "Why are we having two Linux distributions? This thing works really well, it runs any application, it's fully compatible, so we'll do a thousand with Oracle Linux." And so the early days, the first few years, was definitely Oracle Database as the core driver, and then it sort of expanded to the rest of the estate. And over the years, we've added lots of features and functionality, like Ksplice, and so forth. We have an attractive pricing model for running on servers, and so now lots of our customers have a very small Oracle percentage running and many other things running. So it's really become a all-or-nothing play in the Linux space, and we're well-known now, so it's actually very good. >> You just mentioned Ksplice. We've been talking about cloud, and on-prem, and hybrid. Let's talk about security, because security really is a differentiator, particularly if you're going to start to put stuff in the cloud. Talk about Ksplice specifically, but generally security and your policy there. >> So, "Security first" is sort of what you hear us say and do, in everything we do. The database obviously security, on the Linux site security matters. Ksplice as a technology is there to do critical bug-fixing and make sure that we can apply security vulnerability fixes without affecting the customer, and not have downtime. And if you look at most of the cases or many of the cases where you have security vulnerabilities and exploits, it tends to be because systems were not patched. Why were they not patched? Well not that our customer doesn't understand that it's important, but it's a whole train of events that needs to happen. You have to, you get notified that there's a security issue in your operating system or application. Then, well, an application typically means it's a multi-layered setup. So if you have to bring your database server down, then you first have to coordinate with the application users to bring the app server down, cause that talks to the database. So to patch one system, you basically have to bring down the whole application stack. You have to negotiate with the DBAs, you have to negotiate with the app admins, you have to negotiate with the user. It takes weeks to do that and find time. Well during that time, you're vulnerable. So the only way, really, to address security in a scalable and reducing that window of time is to do it without affecting the customer. And so Casewise is something that, it's a company we acquired in 2009, and have since evolved in terms of capabilities, and so it allows us to patch the Linux terminal without downtime. We lock the kernel for 8 microseconds. It's literally no downtime. You don't have to bring down applications, the user doesn't see it, there's no hang, there's no delay. And so by doing that, you can run a Linux operating system, or gLinux, and you can be fully patched on a system that hasn't rebooted for 3 years. You don't even know it. And so by doing that type of stuff, it makes customers more secure, and it avoids them-- It saves them a lot of money in terms of dealing with project management and so forth, but it really keeps them secure. And so we do that for the Linux kernel, we do that for some of the libraries on top that are critical like OpenSSL and 2 LVC, and, you know one example-- I can give you two examples. So one example is, Heartbleed was this bug in OpenSSL a number of years ago. And so everyone had to patch their SSH server. And that meant, basically, systems around the world had to reboot. Like a whole IT reboot across the world. With Ksplice today, if Heartbleed were to happen tomorrow, we would be able to patch this online for all the Oracle Linux customers without any downtime. No reboots, no restarting of applications, everything keeps running. The amount of money saved would be massive, and also, of course, the headache. Another example is, and this was in Oracle Cloud, when some of these CPU bugs that happened a few years ago that were rather damaging on the cloud side, where you could basically see memory potentially of other CPUs running, the cloud is incredibly critical. We were basically able to basically patch our entire cloud in four hours. And the customer didn't know, right, a hundred and twenty million patches, or something, that we applied within four hours, all online, without any downtime. And so that technology has been really helpful, both for us to run our cloud, but the exact same patches and same fixes go to customers on-premises as well. But this comes back to the whole, what we do in cloud we also do for customer. And I think that's a unique thing that we have at Oracle which is quite fascinating. The operating system we run for our customers, the operating system that's the host part of VMs, is the exact same binary and source code that we make available, just to be clear, the exact same binaries are the ones that you run as a customer on-premises. So if you run Oracle Linux with KVM, you run VMs, you're actually running the exact same stuff as we run underneath our customer's stuff. Nobody else does that, everyone else has a black box. So I think that helps a little bit with transparency as well. >> Yeah, and that homogeneity just creates an environment, you're talking about that sort of security mindset, it's critical, you're not just bolting it on, it's part of the culture. But you started your career, and then of course you were a Linux person when you came to Oracle, but then I think you spent some time in database, back in the day when there were serious database wars going on, before Oracle became the king of database. So now you've got, obviously, this great portfolio, and a lot of really sharp software developers; What should we expect going forward, from Oracle? What should we look for? >> You know, I was talking to some, I was welcoming some interns to the company, for their summer internship yesterday, and one of the things I mentioned to them was that -- so cloud obviously gives us a lot of opportunities, but there's a number of things. One is, we have such a breadth of applications and software and hardware together. We have the servers, we have the storage, we have the operating systems, we have the database layer and so forth, and we have the cloud side, and one of the great opportunities, and I think we've shown a lot of this happening with the ability to create something like Autonomous Database, is to combine all these things. Right, we have such a broad portfolio of really cool technology that by itself is okay, but if you combine the things it really becomes awesome. You cannot create autonomous database without having autonomous learning. You cannot create those two and make them really safe without also controlling the firmware on the hardware and so forth. So by being able to combine all these layers, and by having a really great relationship across the teams within the company, that opens up a lot of opportunities to do stuff really quickly. And having the scale for that. I think that has been, for the last few years, a really great thing, but I can see that being one of the advantages that we have going forward. We have Oracle Fusion Applications, which is incredibly popular, and has great girth, and then we have that running on Oracle Cloud, that talks to Oracle Autonomous Database, so we bring all these pieces together. And no other SaaS vendor can do that, because they don't have these other pieces. They have one area, we have all of them. And so that's the exciting part for me, it's not so much about making my own world better, and having Linux be better, and Casewise and so forth, which is important, but that becoming part of the bigger picture. And that's the exciting part. >> Well, Oracle's always invested in RND, we've made that point many, many times. Whether it's database, you know Fusion was a painful but worthy effort, the whole public cloud piece, obviously many acquisitions, but the investments that you've made in open-source as well, Wim, you're a great spokesperson, and a great representative of the open-source community generally, and then Oracle specifically, so thanks very much for coming on theCUBE and sharing with us the state of the penguin, and best of luck. >> You're welcome. Thank you, thanks for having me. >> Alright, and thank you for watching, everybody. This is Dave Vellante for theCUBE. We'll see you next time. (cheerful music).

>> Announcer: From theCUBE Studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is a Cube Conversation. >> Hi everybody, this is Dave Vellante and welcome to this Cube Conversation. Really excited to have Wim Coekaerts and he is the senior vice president of software development at Oracle. Wim, it's great to have you on. And you know what I often say I wish we were face to face but if we were you'd have to cut off my tie 'cause developers and ties just don't go together. >> No, I know, and this is my normal outfit so this is me, wherever I go. Hi again, good to see you. >> Yeah, great to see you. So of course, you know a lot of people are confused about Oracle and open source. They say, Oracle, open source? What is that all about? But I think you misunderstood. People don't first of all realize you as the leader of the software development community inside of Oracle, I mean, you've been involved in Linux since the early '90s but you guys have a lot of committers. You do a lot, I want to talk about that. What is up with Oracle and open source? >> Well, it's a broad question. So you know, a couple of things. One is we have many different areas within the company that are dealing with open source, right? So we have the cloud team doing a lot of stuff around the cloud SDKs and support for different languages like Python and go and of course Java and so forth. So they do a lot around ensuring that the Oracle ecosystem is integrated in the open source tools that customers use, or developers use Terraform, so on and so forth. And then you have the Java team, and so of course Java is open source. And then, the Graal project, GraalVM, which is a polyglot compiler that run Java and Python and JavaScript and so forth together in one VM, do really cool optimizations, that's an open source project. Also on GitHub, there's of course MySQL which is along with Java, they're probably the two most popular and widely used open source projects out there. There's VirtualBox which is of course also a very popular project that's open sources is all the work we do around Linux. And I think one of the things is that when you have so many different areas doing things that are for that area, then as a developer or as a customer, you typically just deal with that group and what you see is, oh, you're talking to the Java developers so you know what's going on around Java. The Java developers might not necessarily say, oh, and we also do MySQL and we do Linux and VirtualBox and so forth. And so you get sort of a rather myopic narrow view of the larger company. When you add all these things up and there would be one big slide that says, "This is Oracle, these are all these open source projects there". And there's multiple ways, right? One is we have projects that we've opened sourced and all the code came from us and we made it publicly available. We are the main distributor and we get contributions back. There are other projects where we contribute to third party in terms of enhancing things, like a separate the cloud team. And then in general, something like Linux where, you know, we're part of an external project and we participate in the development of that project at large. And so there's these three different ways when you count up all the developers that we have that deal with open source on a daily basis and in terms of contributions, in terms of both Pyxis testing and so forth, it's thousands, literally, full time developers. And of course all the projects is on GitHub or similar sites that are very popular. So yeah, I think the misunderstood is probably a lack of knowledge of the breadth of what we do. And our primary goal is to provide services and products to customers. And so the open source part is sort of embedded in the development methodology, but that's not something we sell or market separately. We just work with customers and products and services. And so in some cases it's not well understood. >> Yeah, well, we're talking, of course we're talking about the state of the Penguin. I think it's part of what people understand. I mean, Oracle got into the Linux game, in the '90s, maybe the latter part of the '90s and Oracle of course wants to make Linux, wants to make Oracle its applications and database run better on Linux. But as you're pointing out you're Linux distro, full support, end-to-end, thousands of people in your open source community and the contributions that you make to Linux, many if not most, they go upstream, everybody can benefit from those. But of course you want an Oracle distro that is going to make Oracle stuff run better. That's always kind of been the Oracle way. >> Well, so yes, two things. The one is that, so everything we do is upstream. So we have no Linux patches that are not contributed upstream. There's no proprietary code in Oracle Linux at all. It's all completely open, publicly available. The source code, the change log, all the commits, everything. It's fully open and public, which sometimes is not well understood, but it's completely open. And everything we do in terms of feature development or functionality or bug fixes goes upstream to the Linux kernel mailers. It's actually, it's the only way to be able to manage a Linux distribution and be a Linux vendor is to live in that ecosystem. Otherwise, the cost of maintaining your own forks so to speak is very high and it doesn't really solve problems. Now the functionality we worked on obviously is focused on making Oracle products run better, making Oracle cloud run better and so forth. However, again, what's important to understand though is an Oracle database is a program running on an operating system that does IO, it does networking, it does memory, it deals with memory management, lots of processes. So for the most part, the things we work on to improve that, helps everyone out, right? It helps every other database run better or it helps every other language run better. So none of these changes are specific to Oracle. They're just things that we found doing performance benchmarks and testing and so forth. But we say, "Hey, if Linux did the following, it would make boot up fast." Now boot up has nothing to do with the database. But if our customers run on one terabyte, four terabyte, eight terabyte systems, and so booting up and Linux starting up and cleaning up memory takes a long time. So we want to reduce that from an availability point of view. So here we're now talking about just enterprise, right? And so there's this broad set of things we work on that definitely help us, but they're actually really completely generic and help everyone customer. >> Yeah, that's great, good. So I wanted to kind of get that out of the way and help our audience understand it. So let's get into it a little bit. What are you seeing, what's going on in IT? Pick your observation space and your vision of what you see happening out there? >> Well it's very interesting. There's sort of two worlds, right? There's the cloud world and move to cloud and there's the on-premise world where people run their systems on their own. And one of the things that we've learned is, when you talk about machine learning obviously is something that's very popular these days and automation. And so in order to rely on machine learning well and have algorithms that are very effective, you need lots of data. And so being a cloud vendor and having Linux in our cloud on tens of thousands or hundreds of thousands of servers or more allows us to have a view of how an operating system works across incredibly large scale. So we get lots of data and so for us to figure out which algorithms work well in terms of, how can we do network customizations, how can we discover anomalies on the storage side and deal with it and so forth, we can do that at scale. And what's interesting is how do we then bring that to on-prem? Well, if we can get the data and the learning done the training done in our cloud directly, then when we provide that service also to people running Oracle Linux on-premises, then that will work. The alternative is to have point solutions where you provide something to a customer and he needs to learn something from small amounts of data. That doesn't work so well. So I think having both worlds on-prem and cloud directly allows us to kind of benefit from that. And I think that's important because lots of customers are interested in going to cloud. Many of the enterprises have not yet, you know, they're starting, but there's still a huge on-premises space that's important. And so by being able to get them familiar with how these things work at scale, autonomy is again important, right? Autonomous database is incredibly popular and so forth. That allows us to then say, "Here, try these things out here. "It's a service, we can show you the benefits right away". And then as that improves, we bring that on to a certain extent on-premise as well and then they can have it in both places. And that I think is something, again, that's relatively unique but also very important is that we want to create an... we want to provide services and products that act similarly on-premises as well as the cloud. Because at some point when people move, we want to make that transition seamless. And what you have today for the most part is one world that's on-prem and then the cloud world is completely different and that is a big barrier of moving. And so we want to reduce that. You can run the same operating system local as well as cloud, you can get the same banality and then that helps transition people over much easier. >> Yeah, well, Oracle actually was one of the... I think but Oracle was the first company to actually market same-same, you actually use that term. Others put forth that concept, but Oracle was the first to announce products like cloud to customer that was same-same now it took some time to actually get it perfective and get it to market. But the point is, and we've written about this is that Oracle, because of the ascendancy of cloud flipped and has a cloud first mentality and you just kind of referenced that you just said, "And you can bring that to on-prem". So I wonder if you could talk about that cloud first mentality and the impact on hype? >> So yeah, I think the clouds first part is of course in cloud we work on services more so than products that we deliver and there's a number of things that are happening. So one is we obviously continue to provide products across you can download Oracle Linux, you can download the database in web blog, you can install it on your own, right? You can do to the traditional way of working. Then in a cloud world, what typically happens is, oh, I use a database service. I'm not installing anything. I push a button and I get an IP address and a SQL, and a connect string and connect to a database. And we take care of everything underneath the database. Now, in order to do that, you need to hold infrastructure in place, right? You need lugging agents, you need a backend that captures all that stuff, you need monitoring tools, you need all the automation scripts for bringing this service up and monitor it. And so that takes a lot of time to do, right? And we learned a lot by doing this. And so the cloud first part of the services means that we get to experience this ourselves with direct access to everything. Now taking that service with all of the additional features like autonomy and bringing that to an on-premises world, we have to make sure we can package that so that all these pieces around it go along with it. And that takes a little bit more time, so we can't do everything at the same time. And so what we've done with autonomous database is we created everything in Oracle cloud, you have the whole system running really well. And then we've been able to sort of package that and shrink it into something that can be installed on-premises but then connected into Oracle cloud again. And so that way we can get all the telemetry, all the metrics, and that allows us to scale because part of providing a cloud service that runs on-prem in the customer environment is that we need to be able to remotely manage that, similar to how we manage something that runs in their own cloud, right? Otherwise it doesn't scale. And so that takes a little bit of time, but we've done all that work and now we've got our customer database that that's really in place. >> Yeah, you really want to have that same cloud experience, whether it's on-prem, in the public cloud, hybrid, et cetera. So I want to explore a little bit more. Who is using Oracle Linux and what's the driver for using it? Can you describe maybe some of the types of customers and why they buy? >> Sure, so we started 14 years ago, right? 2006, October 25th, 2006 (giggles). I remember that day very well. Penguin's on stage and a big launch for Linux in San Francisco Moscone Center. So look, the initial driver for Oracle Linux was to ensure that Oracle database customers or Oracle product customers had a good operating system experience, right? And the ability to be able to handle critical issues when that occurs because typically a database runs the company's critical data. The most essential stuff that a company has is typically in a database, in Oracle database. And so when that thing has issues with the operating system, you don't want just to talk to multiple vendors and have finger pointing and having to explain to an operating system vendor how the database works. In the Unix world, we had a glitch relationship with the OS vendors and the hardware vendors. They were the same. And they knew our products really well, and in the Linux world that was very different. The OS vendor basically did not want to understand or learn anything about products living on top. And so, while, to a certain extent, that makes sense. It's an enterprise world where time is of the essence and downtime needs to be limited absolutely. We can't have these arguments and such. And so that was the driver initially for doing Oracle. So it was to ensure there was a Linux distribution really backed by us that we could fix and we could fully support, right? That was completely the original intent. And so the early customer base was database customers. Database and middleware, mostly database. So but that has then evolved quickly, and so, (clears throat) sorry. What happened was, people would say, "Look, have a thousand servers, a hundred run Oracle, "so we'll run Oracle Linux on those hundred "and we run, something else on those other 900." Now after a year or so, they realized that our support was really good. We fixed all these issues and so then they're like, "Why are we having two Linux distributions? "This thing works really well. "It's runs any application, it's fully compatible. "So we'll just go a thousand with Oracle Linux". And so the early days, the first few years was definitely Oracle database as the core driver and then it sort of expanded to the rest of the estate. And over the years (clears throat), we've added lots of features and functionality, like Ksplice and so forth. We have an attractive pricing model for running on servers. And so now lots of our customers have a very small Oracle percentage running and many other things running. So it's really become a all or nothing play in the Linux space and we're well known now, so it's been actually very good. >> You just mentioned Ksplice. I mean, we've been talking about cloud and on-prem and hybrid and let's talk about security because security really is a differentiator but particularly if you're going to start to put stuff into the cloud. Talk about Ksplice specifically, but generally security and your policy there. >> So security first is sort of what you hear us say and do in everything we do, right? The database obviously security on the Linux side, security matters, Ksplice as the technology is there to do critical bug fixing and make sure that we can apply security vulnerability fixes without affecting the customer and not have downtime, right? And if you look at, most of the cases or many of the cases where you have security vulnerabilities and exploits, it tends to be because systems were not patched. Why were they not patched? Well, not that a customer doesn't understand that it's important, but it's a whole train of events that needed to happen. You have to get notified that there's a security issue in your operating system or application. Then, well, an application typically means it's a multi-tiered set up. So if you have to bring your database server down, then you first have to coordinate with the application users to bring the app server down because that talks to the database. So to patch one system, you basically have to bring down all application stacks. You have to negotiate with the DBAs, you have to negotiate with the app admins, you have to negotiate with the user. It takes weeks to do that and find time. Well, during that time you're vulnerable. So the only way really to address security in a scalable way and reducing that window of time is to do it without effecting the customer, right? And so Ksplice is something that... It's a company we acquired in 2009 and have since evolved in terms of capabilities. And so it allows us to patch the Linux kernel without downtime, right? We lock the kernel for a microsecond, so it's literally no downtime. You don't have to bring down applications. The user doesn't see it. There's no hang, there's no delay. And so by doing that, you can run the Linux operating system, Oracle Linux, and you can be fully patched on a system that hasn't rebooted for three years and you don't even know it. And so by doing that type of stuff, it makes customers more secure and it avoids them... It saves them a lot of money in terms of dealing with project management and so forth, but it really keeps them secure. And so we do that for the Linux kernel. We do that for some of the libraries on up that are critical, like OpenSSL and glibc and one example, I can give you two examples. So one example is Heartbleed was this bug in OpenSSL a number of years ago and so everyone had to patch their SSH server. And that meant basically, systems around the world had to reboot, like a whole active reboot across the world. With the Ksplice today if Heartbleed were to happen tomorrow, we would be able to patch this online for all the Oracle Linux customers without any downtime. No reboots, no restarting of applications, everything keeps running. The amount of money saved would be massive, right? And also of course, the headache. Another example is, (clears throat) and this was an Oracle cloud when some of these CPU bugs that happened a few years ago that were rather damaging on the cloud side, right? Where you could basically see memory of potentially of other machines running that the cloud it's incredibly critical. We were basically able to patch our entire cloud in four hours and the customer didn't know, right? 120 million patches or something that we applied within four hours all online without any down time. And so that technology has been really helpful both for us to run our cloud, but the exact same patches and same fixes go to customers on-premises as well. But this comes back to the whole what we do in cloud, we also do for customer, and I think that's a unique thing that we have at Oracle, which is quite fascinating, right? The operating system we run for our customers, the operating system that's the host for the VM is the exact same binary and source code that we make available, just to be clear. The exact same binaries are the ones that you run as a customer on premises. So you run Oracle Linux with KVM, you run VMs, you're actually running the same stuff as we do for our... That we run underneath our customer stuff. Nobody else does that. Everyone else has a black box. So I think that helps a little bit with transparency as well. >> Yeah, and that homogeneity just creates an environment you're talking about sort of the security mindset is critical. You're not just bolting it on, it's part of the culture. Look, you were, you know, started your career, and then of course you were a Linux person when you came to Oracle, but then I think you've spent some time in the database back in the day when there were some serious database wars going on before Oracle, became the king of database. So now you've got obviously this great portfolio and a lot of really sharp software developers. What should we expect going forward from Oracle? What should we look for? >> I was welcoming some interns to the company, (clears throat) for their summer internship yesterday. And one of the things that I, (clears throat) I'm sorry. One of the things I mentioned to them, was that one of the... So cloud obviously gives us a lot of opportunities, but there's a number of things. One is we have such a breadth of applications and software and hardware together, right? We have the servers, we have the storage, we have the operating systems, we have the database layer and so forth, and we have the cloud side. And one of the great opportunities and I think we've shown a lot of this happening with the ability to create something like autonomous database is to combine all these things, right? We have such a broad portfolio of really cool technology that by itself is okay, but if you combine the things, it really becomes awesome, right? You cannot create autonomous database without having autonomous Linux, right? You cannot create those two and make them really safe without also controlling the firmware on the hardware and so forth. So by being able to combine all these layers and by having a really great relationship across the teams within the company, that opens up a lot of opportunities to do stuff really quickly and having the scale for that. I think that has been for the last few years a really great thing but I can see that being one of the advantages that we have going forward, right? We have Oracle Fusion Applications, which is incredibly popular and has great growth. And then we have that running on Oracle cloud that talks to our autonomous database. So we bring all these pieces together and no other SaaS vendor can do that because they don't have these other pieces. They have one area, we have all of them. And so that's the exciting part for me is basic... It's not so much about making my own world better and having Linux be better and Ksplice and so forth, which is important, but that becoming part of the bigger picture. And that's the exciting part. >> Well, Oracle has always invested in R&D. We've made that point many many times, whether it's database, fusion was a painful but worthy (giggles) effort. The whole public cloud piece, obviously many acquisitions but the investments that you've made in open source as well. Wim, you're a great spokesperson and a great representative of the open source community generally, and an Oracle specifically. So thanks very much for coming on theCUBE and sharing with us the state of the Penguin. The best of luck. >> You're welcome. Thank you, thanks for having me. >> All right, and thank you for watching everybody. This is Dave Vellante for theCUBE. We'll see you next time. (soft music)

>> From San Francisco, it's theCUBE, covering Day2IQ, brought to you by Day2IQ. >> Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're in downtown San Francisco at the Day2IQ headquarters. They used to be called Mesosphere. They rebranded the company. They've got a much bigger focus than just Mesos and supporting Mesos. So we're here to get the story, really talk about enterprise's journey to cloud native, and we're excited to have our first guest. He's Brian Kenyon, the chief strategy officer. Brian, great to see you. >> Thanks for having me. >> Absolutely. So DayQI, Day2IQ. >> Correct. >> I'm going to get it eventually, by the end of the day. Interesting name. What does Day2IQ mean? Why did you guys rebrand the company that? >> Yeah, absolutely. So we were formerly known as Mesosphere, and the technology that we founded the company on was an open source package called Mesos, so the name naturally had a very close tie with Mesos and Mesosphere. So as we looked to rebrand the company and really enter the market with some of the changes we've seen in the evolution of cloud native, we focused on where customers were having trouble, where they were focused on operations, how they were going to take these concepts and these great ideas that were pervasive in the concept of cloud native and make them institutionalized and operationalized inside their companies. And what we found was, you know, day zero is when you played around and tested things, and day one is when you got it installed and stood up, but day two is when you really focused on the operations. How do I make this enterprise-ready? How do I make this fit my business? All of that happened on day two and after. So we saw that as a pretty natural way to focus our energy and focus our market penetration on day two. >> Right. And you also expanded beyond just kind of the Mesos ecosystem into some other areas, in containers, in Kubernetes, also data. So you guys are taking a little broader approach than maybe the company had at the original launch. >> Yeah, absolutely. And you've heard from one of our founders already and you spoke to our head of engineering. So I'm the newest of those, right? I joined in February, so I'm just, you know, almost 10 months in. So when I joined, I spent a lot of time meeting with our customers, talking to partners, talking to other folks and vendors in the space, and what we saw was there was a massive shift happening from where cloud native started maybe three, four, five years ago to where it is today, and one of the biggest changes has been around the emergence of Kubernetes, which has turned into a de facto standard for containers in cloud native. And so as we've evolved and moved into this D2IQ name, as we've started focusing on meeting our customer, we've obviously taken on a bigger stance inside the Kubernetes community and the Kubernetes product lines. >> Right. So what did you see? I mean, you're a long-time security executive. You've been in strategy and security for years and years and years. What did you see in this opportunity with a small start-up to get you to leave kind of the safe, comfortable, pretty standard corporate job into jumping back into this-- >> Nobody's ever said security's safe, so that's awesome. >> Well, safe certainly in terms of job security. (mumbles) my goodness, a big shill out there these days. >> It is, it is. >> But what did you see? >> I saw the future, is really what I saw. When you really took a step back and you looked at where compute was going and how organizations were starting to adopt new application methodologies, new application architectures, it was very clear that cloud had taken on a big portion of that and the concept of cloud native and open source technologies was becoming more and more prominent. And so as we looked at this, not only did we see a unique opportunity with the cloud native space, but if you fast forward a couple years, customers are going to be coming back around and starting to have conversations around security. How do I secure this? What, how do my CISOs and my operational folks in security understand this and how do they really start to apply the same controls and visibility to it? So it was a unique opportunity to get in and focus on where the future of our industry's going. >> Right. So it's an interesting thing with open source, and open source specifically in the enterprise. I think my favorite open source quote is, yeah, it's free like a puppy. You know, it's not free. You need support and you need training and you need a lot of help. So when you guys work with enterprises and they're incorporating more and more open source into their technology stack, what are some of the challenges that you guys are coming in to help them to actually get beyond a simple free download and the latest cool version to actually running in production, heavy duty loads, really important workloads. >> Absolutely. Yeah, one of the biggest shortfalls we see is obviously expertise, right? So there's a massive amount of innovation and capability that can be, can really be captured through open source software. The challenge is, it's all community-based. So folks contribute code, they sign it in, it's available for everybody to use, but how long is that code updated for? How long is it maintained? How do new features get added? What you see is you see a huge spike in interest and enthusiasm, and then just like every other hype cycle, you get to a trough of disillusionment where people move on to the next thing and the next thing in the open source community. And so organizations who want to leverage that innovation, want to focus their operations around open source, either for cost savings or time to market, find themselves a couple years later looking at code that's been abandoned, projects that aren't maintained anymore. We saw this in security with things like OpenSSL, right? One of the largest SSL libraries used across the entire security landscape. There were two people in the world maintaining that code. And so when a massive security vulnerability hit, organizations were scrambling. We want to stop that now for organizations that want to use open source. We, Day2IQ, want to bring our innovation, our expertise, to bring that open source to the customers and make sure that it's enterprise-ready, it's enterprise-supported, and it's enterprise-scalable. >> Right. So you guys have basically three market offerings, if I understand right. You've got a solution set where you're taking the core software and building solutions around it. You've got services, professional services, to get it in, get it up, and probably supported, so I have a 1-800 somebody to call, please, which, you couldn't call those two people in that case. >> Exactly. >> And then training, is that right? So those are how you're basically enterprise-hardening an open source kernel to get to a great solution for the customer. >> Yeah, what I'd also add in there is services. So whether it's advisory services, implementation services, or just kind of more traditional, our focus is really about meeting the customer where they need us. If you look at cloud and cloud native today, almost every customer across the globe is at a different evolution or a different maturity in that journey, and so some are at the very beginning where they're learning. Others are more towards the end where they're focused on operations and how do I streamline this, how do I hire the right folks. So we've taken a product, services, support, and training strategy that allows us to meet our customers where they are in their cloud native journey and assures us that we can provide the right level of expertise regardless of where they are. >> Right. What's been the biggest, of all the challenges that you see when people are getting started, what's some of the biggest challenges that you just see over and over and over again that you know you're going to get walking in the door? >> Over and over, you see training is just a constant, across the entire industry. No matter where a customer is in their evolution or their journey, they're constantly having to train, whether they're hiring and then training folks on the new way of developing or they're taking developers who have been building code and building applications in virtual machines or old monoliths for years that they want to train to this new paradigm. Training is a huge constant. The other piece is people are looking to rationalize their infrastructure. So services, we are in a very services-led industry right now where we can come in and help customers get stock of where are we today and where do we want to go long-term, and then put them on a plan, put them on a program or a path where they can achieve those outcomes, but do it in a way that's not disruptive or adds (mumbles). >> Right, 'cause the complexity just continues to increase. It's funny, you know, both Amazon introduced a piece of Amazon Cloud you can stick in your data center, and Google introduced a piece of Google Cloud that you can stick in your data center, and Microsoft recently introduced a piece of Azure that you can stick in your data center. So kind of this, you know, kind of real aggressive embracing of hybrid and this real embracing of complex setups where you can partition your workload based on where you think that workload should run today is really gaining hold. So the complexity is only going up, not going down. >> It is, you're absolutely right. And I will tell you, what you just brought up is a great example of why the complexity's going up. On-prem is a massively different, materially different environment than the clouds. The clouds are built on a margin, right? They're built on, if I take the same server and do this over and over again, I get repeatability, I get consistency, I get a very finite platform. If you look at how on-prem is, the traditional data center, you buy some servers from Dell, some servers from HP, storage from EMC, storage from HP. You've got all different types of hardware and software in there. So fixing that on-prem cloud is hard, and the clouds are struggling with this because the concept of taking their very clean, vanilla infrastructure and bringing that to the traditional on-premise is failing. That's where we shine. That's where we've built. That's where Mesosphere got their initial start was taking the cloud concept and bring it to the traditional data center. So we're helping clouds extend now by being that on-prem piece that speaks seamlessly with the clouds that our customers choose to use. >> Right. So I think, too, initially, the cloud was seen as a way to save money, and I've seen that evolve over time. It's really much more about speed and agility in your development cycles and getting new products to market. Do customers grok that? Are they still kind of wrestling with the cost savings and this is kind of an alternative way to buy compute and networking and capacity, or are they really moving fast because of the speed and the competitive threats? >> So I think it's interesting, and it varies, but I will tell you just from my lens, I'll say that a lot of customers are confused. They went to the cloud initially because they believe they wanted to be out of the data center game. It was easier for Amazon or Microsoft or Google to manage the data center than it was for their own IT teams. And so they shifted infrastructure up there, and then what they saw was the promises of hyperscaling, the promises of this elasticity. Your application grows as more users show up. They never realized that because those applications were built under a different premise, under a different architecture, and don't leverage the cloud native capabilities. So you're seeing a shift of people who've moved infrastructure or applications to the cloud to get out of the data center are now saying, okay, I'm kind of locked in, but where do I get my operational efficiency? Where do I get my hyperscaling? How do I get that? And now you're staring to see that shift from just using the clouds as infrastructure to more moving towards microservices, containers, and some of the things that Day2IQ helps with. >> Right, right. It's pretty funny, too, right? 'Cause the apps used to have to be built for the infrastructure on which you were going to deploy them. >> That's right. >> That's now flipped upside down, right? Now the app, the infrastructure needs to support the app. The app comes first, the infrastructure second. >> That's right. >> So having an architecture, you got to have the new architecture. As you said, you just can't simply flip the functionality of an old architecture into a new paradigm. >> And then expect you're going to get the same outcomes. >> Right, right. >> Yeah, very true. >> All right, so before I let you go, I want to get your perspective specifically on security, 'cause again, you were in the security space for a long time. Security's a hot space. Everyone says security has to be baked in everywhere. It can't be the castle and moat anymore. So with your security hat on as you kind of see these migrations and you see these new deployments and you see this move to cloud native, what do you think about from security? Are people baking it in enough? Are they thinking about it in the right way? Is it just such a fundamental shift that they need to think about security and really baking it in from the bottom to the top? >> They absolutely do. And I'll tell you what the scariest thing is, if I go through my CISO networks and talk to folks who are on that side of the fence, they're not even educated to this cloud native space yet. They don't really understand how it's happening and how it's evolving and what that means. So there's a huge education that needs to happen in security, but these things need to be bolted on from the beginning. I'll give you an example. Some of the value that comes from operating cloud native is that your ability to push code and push changes is very agile and quick. So it's encouraged in a cloud native type of architecture that a company can make 100 to 200, 300 code changes a day. >> Right. >> Right? When I grew up, you'd make those monthly, quarterly, right? 'Cause you had a whole bunch of testing. And how they push code multiple times a day. If you don't have your security team in lockstep with those developers and operations staff, how quickly can you get out of compliance? How quickly can you erode your security posture? These are all questions that have to be answered, and we're just at the very earliest stages of getting that. >> Right, and we didn't even talk about IoT and edge devices. >> Absolutely. >> Which opens up a whole different kind of threat surface. >> Absolutely. >> Yeah. >> Absolutely. >> All right, Brian, well, thanks for taking a few minutes. Good luck on the journey and hope things go super for you here. >> Thanks for having me. >> All right, he's Brian, I'm Jeff. You're watching theCUBE. We're at Day2 headquarters, Day2IQ headquarters in downtown San Francisco. Thanks for watching. We'll see you next time. (techno music)

>> Announcer: Live from Los Angeles it's The Cube covering Open Source Summit North America 2017. Brought to you by the Linux Foundation and Red Hat. >> Hey, welcome back everyone. We're here live in L.A. for the Linux Foundation Open Source Summit North America. I'm John Furrier, your host, with Stu Miniman, my co-host. Our next guest Jim Zemlin, Executive Director of the Linux Foundation, runs the whole show. Welcome back to The Cube, great to see you. >> Thank you, thank you. Runs the whole show is a little bit of an overstatement. >> Well, certainly great keynote up there, I mean, a lot of things coming together. Just some structural things. Let's get the update on what's going on structurally with the Linux Foundation, one, and then two, the keynote today, this morning, really kind of laid out the state of the union, if you will, and all cylinders are pumping, no doubt, on open source. So give the quick update on kind of what's going on with the Linux Foundation and then let's get in some of the trends inside the open source movement. >> Yeah, I mean, our organization has grown quite a bit in the last few years as evident by all the people who are here at this event. But our focus is really on the projects that are important to, you know, the stability, security, and growth of the global internet and of large-scale systems. And when you look at Linux or Node.js or things like our networking projects which are powering the production networks for 3 1/2 billion people, what we're really focused on is making sure those projects are healthy, making sure that they have great developers who write incredible code, that it's used to power things like China Mobile's network or AT&T's production network. And then, those firms are employing the developers who then write more code, you get more solutions, products, services based on Linux or whatever. More reinvestment, lather, rinse, repeat. It's that cycle we're trying to promote. >> So before we get into some of the stats, structurally, I know this show, we've Cube comments out there, clarify the structure. How the shows are rolling out, how are you guys putting together the big-tent events, and how developers can get involved in the specific events across, but now there's a ton of projects. But just at a high level, what's the structure? >> Yeah, so, you know, and I'll throw out a few stats. We have about 25,000 developers that attend all of our events which are all over the world. But we have our Open Source Summit which is really sort of a summit to come together and talk about these big-picture issues around sustainability to allow for cross-project collaboration. We have project-specific events so the CloudNativeCon, KubeCon event which is coming up in Austin which is going to be blow-out, you know, I'm expecting thousands of people. I think probably three, 4,000 people. >> And even more platinum sponsors than I've ever seen on any project before so huge demand. >> It's crazy, yeah. Yeah, you know, get it while it's good, right? All these things kind of go up and down but they're on the upswing. So we have project-specific and then in the networking sector, we have have the Open Networking Summit which is sort of similar to the Open Source Summit but much more focused on networking technology, SDN, and NFD, and that is going to be in L.A. next year and we'll have a U.S. event and then a European and an Asian. >> And this show's purpose is what? How would you position the Open Source Summit? >> The Open Source Summit is where all the projects come together and do cross-pollination. I mean, the idea here is that if you're just always in your silo, you can't actually appreciate what someone else is doing that may improve your project. >> And Jim, there's a couple of events that came together to make this 'cause it was LinuxCon, ContainerCon, and MesosCon is also co-resident so. >> Exactly, so we just decided after a while that all these events could come together and again, this cross-pollination of ideas. >> And they kind of did, they're just different hotels in Seattle last time. >> Yeah, exactly. That's enough, it's just going to be Open Source-- >> It's a big-tent event. >> It's a big-tent event and it really reflects how open source has gone mainstream in a way that I don't think any of us would've predicted even maybe five, six years ago. >> It's pretty massive. Just to quote some stats. 23 million plus open source developers, what you shared onstage there, want to get to your keynote. 41 billion lines of code. 1,000 plus new projects a day. 10,000 new versions pushed per day. 64 million repos on GitHub. Just amazing growth so this kind of points to obviously the rising tide is floating all boats. I made a comment, I tweeted, in the spirit of the joke of standing on the shoulders of giants before you, it's like, what shoulders are we standing on now? Because there's so many projects. Is there going to be like a legacy like the dual-star, badge values, been around for a while? You mentioned old news and you bring up Linus onstage. I mean, some projects are older, more mature, Bruce Wayne, Tier One, meat and potatoes, some got a little bit more flair and fashion to it, if you will. So you got new dynamics going on. Share your thoughts on this. >> Yeah, I mean, it's like the shoulders you're standing on are almost like stage-diving, right? Where it's just lots of people's shoulders that you're really bouncing around on. But the idea here, and what we really focus on, is what are the most important projects in the world and how do we make sure we sustain those projects. So those are the ones that you're going to generally see focused on here. Like, you know, if you've got two people contributing to one small repo for a very small project, that's probably not something that's going to be super high-profile here. But what we're trying to do is bring together sort of the big projects and also the key contributors. You know, if you look at the distribution of contribution, and this is the thing, I think, if you're a developer listening to something like this, someone who gives just one commit to a project to solve some kind of problem they might have, that's the vast majority of people. Somebody who does maybe five to 10 commits, you know, a little bit less, quite a bit less. The vast majority of code, people who give 25 or more commits to a project, small group of folks, they're here. >> I know Stu wants to ask a question, one final question on the growth 'cause this kind of reminds me of sports as we're like the ESPN of tech here for the community. If you look at the growth, you put a slide in there by SourceClear that show the projection, by 2026, at 400 million libraries, putting it today around, I think, 64 million. This is going to be like an owners meeting. It's kind of like they get together, this event because you are going to have so many projects 'cause this is kind of the vibe you got going on in here. The scale is massive, this is going to be almost like the owners meeting, the teams. Expansion's going to be coming, you have to deal with that, that's challenging. >> We're ready to grow, I mean, we've been working on systems and staffing and processes to help scale with that. You know, we take seriously that that code runs modern society. It keeps us private or doesn't as we saw with the Equifax hack which was a CVE in an open source project and we want to be ready to up our game. Let's say we could have secure coding class at this very event for the greatest developers who are working on our most important projects in the world. Would that make all of our lives better? Yes, absolutely. >> Yes, absolutely would. Yeah and you want to enable that, that's where you're going. >> That's exactly where we're going. >> Jim, the quote that jumped out at me that you gave in the keynote was, projects with sustainable ecosystems are the ones that matter. How do we balance all this? I heard in, you know, Linus's Q and A it was, look, individual's important but companies are important. You put up a slide and said, there's thousands and thousands of projects, sometimes we're going to get some really awesome stuff from three people contributing code versus the massive ecosystem with all the platinum providers so, it's always in technology, it's an and and it's very nuanced but how do we get our arms around this? How do we know where to focus? >> It's worth going back in time to understand where the future is going and study innovation theory, you know, Eric von Hippel at MIT, or Karim Lakhani at Harvard Business School. And you look at the framework, which is, you have corporations who underwrite a lot of development by hiring developers who have an equal importance in this and then users of that software. So those are your main constituents and sometimes they're the same people, right, or the same things. They're not mutually exclusive, they're actually self-reinforcing if you get the formula right and you make sure that the project is in good shape so that it gives confidence to industry or society that, hey, we can count on that. I think Heartbleed and OpenSSL maybe rattled people's cages like, hey, can we count on, not just this project, but can we count on open source period? So we spent a ton of time working with that project to provide them millions in resources, audited their code, expanded their testing, and we learned a hell of a lot about how to support these communities in the most important developer projects in the world and create that positive feedback loop, that's what we're doing. >> Yeah and Jim, it's, as an analyst, one of the things we're always asked is, right, how do I choose the right technology? Whereas companies now are contributing here so it's not just I'm putting dollars in, I'm putting manpower into this. And the foundations sometimes get a lot of lung from people, saying it's like, oh well, people throw money and what do they get out of it? I liked what I heard today, you talking about this cycle, and maybe talk to our audience a little bit about CHAOSS which I though was a nice, tongue-in-cheek acronym to say how you're actually going to bring order to the chaos that we see in the open source world. >> I'm going to come to this but I want to answer one quick question about the roles of organizations like ours. We are the roadies, the supporting cast, and the plumbers and the janitors of the system that keep things going but the real rock stars are the developers. If you think about it, Linux is worth $10 billion. An average kernel developer makes probably, let's say $150,000 a year, by the way, they make more than your average developer because they're in such high demand. The role of organizations like ours is such a tiny fraction financially of what is really fueling this model but it's an important one. What we ask ourselves all the time is, why do you need us? Who cares, right? Like, throw your code up on GitHub, you don't need the Linux Foundation, right? Why do we even exist? And the answer is to do things like this Community Health Analytics for Open Source Software, to provide the infrastructure for sustainability. Sustainability is something that we need to measure, right? How many developers are contributing to a project? Are they from a diverse community so that if one group goes away, there'll be somebody else there to do that work? How much test coverage do they have? Are there code quality metrics that we could look at? Do they have security practices like a responsible disclosure policy, a security mailing list? Have they recently fuzzed their code? Are they a community that's welcoming for people of different backgrounds? And so on and so forth. If you don't have a healthy project, you kind of don't want to bet your company on this project by using it in a production system, right? But here's the interesting thing, how many people are using that code in production also is a metric for health, right? Because that's where the reinvestment is going to come in the form of developers who are working on it. >> There's a difference between being proactive and jamming something down someone's throat. So you're taking an approach, if I get this right, to be kind of the same open source ethos, use some KPIs, key performance indicators, to give them a sense of success. But it's not an edict saying-- >> No, no, it can't be an edict. What you want to do is preserve the organic innovation that goes on in open source and get projects to go, and you'll notice that curve of sort of value to volume goes up and to the left, we could've written it to the right but, you know, the whole copyleft thing we love. How do you get that organic innovation to kind of go from this small project up and to the left? How do you capture that? Well, give tools to everyone so that they can better self-analyze. >> John: You get exponential growth with that. >> Exactly. >> If you try to control, it's linear but you bring it to the community, you get exponential growth. >> Exactly, so we studied a ton of innovation theory, we looked at how we could build frameworks to facilitate this kind of form of mass innovation and so that's where tools like CHAOSS which is being worked on by Red Hat and a lot of companies who want to figure out which project should I work on? How can I spot that one earlier? And we're excited about it. >> You know, I always joke, being the old guy that I am, in the late '80s, early '90s, '80s particularly when I was coding. We did everything, we wrote all the code. You bring up an interesting stat and you put the finger on, at least for me, and I think this is where a lot of us old timers who had to do all the libraries from scratch. You mentioned the code sandwich, the code club, the club sandwich, how code's being made and the interesting thing, as you point out, 90% of most great software is done with open source where the 10% innovation is done with original code or original content, if you will, and that that is the norm. So open source is now called the code sandwich because you can put your differentiation and that's a good use of time. >> That's the meat, right. >> That's the meat, it's not a wish sandwich to use the old Blues Brothers example but I mean look, the thing is is that that's dynamic is real, the code is leverageable, and that this is the dynamic so where'd the number come from? Because that seems really high to me but I love it. >> So that number came from a combination of Sonatype, SourceClear, and other organizations that monitor commercial reuse of software on a global basis. So these are the folks who are actually working with commercial industry to look at the makeup of their code, basically. You don't have to go far to look at a Node.js developer, they're using Node.js, they're taking packages out of NPM, and they're writing, they're cut and paste masters, but they write this critical component that's the meat of their application, it's what they do. >> But that's the innovation fabric that's happening. >> It also is a requirement because let's look at a modern, luxury vehicle today. It has 100 million lines of code in it. That's more than an F-35, like, fighter jet. That's an unbelievable amount of code. Toyota, who we work with, and you know, our AGL, our Automotive Grade Linux, is in their Camry. They couldn't write that code on their own. It's just too much. And this is how we get to autonomous vehicle control and things like that. >> I know you got a tight schedule, I want to make one more comment, get your reaction to it. I made a tweet and said, it's open bar in open source and with a reference to all the goodness being donated by companies, Google TensorFlow, there's a lot of other things coming in, these libraries. A lot of people are bringing really, really big IP to the table, IoT, and I kind of made an open remark 'cause a lot of the young kids, they think this is normal, like, well it's going to get better. Keep on drinking that open source. Is this normal? Is it going to be more like this in the future? Because you have essentially real intellectual property, like say from Google, being given to the open source communities as a gift for innovation. I mean, that is just unprecedented greatness. >> The reason for that is they're not doing it necessarily altruistically although I think you can take it that way, they're doing it in a way that betters themselves and others at the same time. I mean, it is a form of collective capitalism where they've realized, my value's over here, it is better for me to collaborate on underlying infrastructure software that my customers don't care about that's not critical to my system but I absolutely have to have and I'm going to focus on data or I'm going to focus on much higher-level innovation. And what that's doing is creating this hockey stick of innovation where, as we share more and more and more infrastructure software, and as that keeps moving up and up the stack, we all benefit. >> So in the theory of the management, bring up management theory, their theory, I'd love to get your thoughts on, is that they're betting on scale rather than trying to go for profits in the short-term, they'd much rather share intellectual property on the back-end value of scale and scale's the new competitive advantage. >> Exactly, take Kubernetes as an example. The fact that, today, and just even a couple years ago this wasn't known, we didn't quite know where this was going to be, but today you can take Node.js, build a container, you know, take an application, throw it into a container, and use Kubernetes to run it on Azure, Amazon, Google, or in a private cloud. That definition, the ability to do that, unlocks this massive developer productivity which creates more value which is more business opportunity for all these guys. You know, they're not doing it 'cause they're nice people, they're doing it 'cause they're unlocking market potential. >> And they're the real rock stars. Jim you're doing a great job. Congratulations on your success. You got a lot of growth in front of you, a lot of challenges and opportunities certainly with that and of course, the tech athletes out there doing the coding, they're the real rock stars, they're the real athletes. Of course, we get more on The Cube, thanks for your support with The Cube as well, appreciate that. >> Jim: Thank you, thanks for everything. >> Alright, this is live coverage from Open Source Summit North America in Los Angeles, California. I'm John Furrier, Stu Miniman, we'll be back with more live coverage after this short break.