Kirsten Newcomer & Jim Mercer | Red Hat Summit 2022
(upbeat music)
>> Welcome back. We're winding down theCUBE's coverage of Red Hat Summit 2022. We're here at the Seaport in Boston. It's been two days of a little different Red Hat Summit. We're used to eight, 9,000 people. It's a much smaller event this year, fewer developers or actually in terms of the mix, a lot more suits this year, which is kind of interesting to see that evolution and a big virtual audience. And I love the way, the keynotes we've noticed are a lot tighter. They're pithy, on time, they're not keeping us in the hall for three hours. So we appreciate that kind of catering to the virtual audience. Dave Vellante here with my co-host, Paul Gillin. As I say, things are winding down, there was an analyst event here today, that's ended, but luckily we have Jim Mercer here as a research director at IDC. He's going to share maybe some of the learnings from that event today and this event overall, we're going to talk about DevSecOps. And Kirsten Newcomer is director of security, product management and hybrid platforms at Red Hat. Folks, welcome.
>> Thank you.
>> Thank you.
>> Great to see you.
>> Great to be here.
>> Security's everywhere, right? You and I have spoken about the supply chain hacks, we've done some sort of interesting work around that and reporting around that. I feel like SolarWinds created a new awareness. You see these moments, it's Stuxnet, or WannaCry and now it's SolarWinds, very insidious, but security, Red Hat, it's everywhere in your portfolio. Maybe talk about the strategy.
>> Sure, absolutely. We feel strongly that it's really important that security be something that is managed in a holistic way, present throughout the application stack, starting with the operating system and also throughout the life cycle, which is partly where DevSecOps comes in. So Red Hat has kind of had a long history here, right? Think SELinux and Red Hat Enterprise Linux for mandatory access control. That's been a key component of securing containers in a Kubernetes environment. SELinux has demonstrated the ability to prevent or mitigate container escapes to the file system. And we just have continued to work up the stack as we go, our acquisition of StackRox a little over a year ago, now known as Red Hat Advanced Cluster Security, gives us the opportunity to really deliver on that DevSecOps component. So Kubernetes native security solution with the ability to both help shift security left for the developers by integrating in the supply chain, but also providing a SecOps perspective for the operations and the security team and feeding information between the two to really try and do that closed infinity loop and then an additional investment more recently in sigstore and some technologies.
>> Interesting.
>> Yeah, it is interesting.
>> Go ahead.
>> But Shift Left, explain to people what you mean by Shift Left for people who might not be familiar with that term.
>> Fair enough. For many, many years, right, IT security has been something that's largely been part of an operations environment and not something that developers tended to need to be engaged in, with the exception of say source code static analysis tools. We started to see vulnerability management tools get added, but even then they tend to come after the application has been built. And I even ran a few years ago, I ran into a customer who said my security team won't let me get this information early. So Shift Left is all about making sure that there are security gates in the app dev process and information provided to the developer as early as possible. In fact, even in the IDE, Red Hat CodeReady Dependency Analytics does that, so that the developers are part of the solution and don't have to wait and get their apps stalled just before it's ready to go into deployment.
>> Thank you. You've also been advocating for supply chain security, software supply chain. First of all, explain what a software supply chain is and then, what is unique about the security needs of that environment?
>> Sure. And the SolarWinds example, as Dave said, really kind of has raised awareness around this. So just like we use the term supply chain, most people given kind of what's been happening with the pandemic, they've started hearing that term a lot more than they used to, right? So there's a supply chain to get your groceries, to the grocery store, food to the grocery store. There's a supply chain for manufacturing, where do the parts come from for the laptops that we're all using, right? And where do they get assembled? Software has a supply chain also, right? So for years and even more so now, developers have been including open source components into the applications they build. So some of the supplies for the applications, the components of those applications, they can come from anywhere in the world. They can come from a wide range of open source projects. Developers are adding their custom code to that. All of this needs to be built together, delivered together and so when we think about a supply chain and the SolarWinds hack, right, there are a couple of elements of supply chain security that are particularly key. The executive order from May of last year, I think was partly in direct response to the SolarWinds hack. And it calls out that we need a software bill of materials. Now again, in manufacturing that's something folks are used to, I actually had the opportunity to contribute to the software package data exchange format, SPDX, when it was first started, I've lost track of when that was. But an SBOM is all about saying, what are all of those components that I'm delivering in my solution? It might be an application layer. It might be the host operating system layer, but at every layer. And if I know what's in what I'm delivering, I have the opportunity to learn more information about those components to track where does Log4Shell, right? When the Log4j or Spring4Shell, which followed shortly thereafter. When those hit, how do I find out which solutions that I'm running have the vulnerable components in them and where are they? The software bill of materials helps with that but you also have to know where, right. And that's the Ops side. I feel like I missed a piece of your question.
>> No, it's not a silver bullet though, to your point, and Log4j very widely used, but let's bring Jim into the conversation. So Jim, we've been talking about some of these trends, what's your focus area of research? What are you seeing as some of the mega trends in this space?
>> I mean, I focus in DevOps and DevSecOps and it's interesting just talking about trends. Kirsten was mentioning the open source and if you look back five, six, seven years ago and you went to any major financial institution, you asked them if they use any open source. Oh, no.
>> True.
>> We don't use that, right. We wrote it all here. It's all from our developers--
>> Witchcraft.
>> Yeah, right, exactly. But the reality is, they probably used a little open source back then but they didn't realize it.
>> It's exactly true.
>> However, today, not only are they not averse to open source, they're seeking it out, right. So we have survey data that kind of indicates... A survey that was run kind of in late 2021 that shows that 70% of those who responded said that within the next two years 90% of their applications will be made up of open source. In other words, the content of an application, 10% will be written by themselves and 90% will come from other sources. So we're seeing these more kind of composite applications. Not everybody's kind of, if you will, at that 90%, but applications are much more composite than they were before. So I'm pulling in pieces, but I'm taking the innovation of the community. So I not only have the innovation of my developers, but I can expand that. I can take the innovation of the community and bring that in and do things much quicker. I can also not have my developers worry about things that, maybe just kind of common stuff that's out there that might have already been written. In other words, just focus on the business logic, don't focus on how to get orders or how to move widgets and those types of things that everybody does 'cause that's out there in open source. I'll just take that, right. I'll take it, somebody's perfected it, better than I'll ever do. I'll take that in and then I'll just focus and build my business logic on top of that. So open source has been a boon for growth. And I think we've heard a little bit of that (Kirsten laughs) in the last two days--
>> In the Keynotes.
>> From Red Hat, right. But talking about the software bill of materials, and then you think about now I'm taking all that stuff in, I have my first level open source that I took in, let's call it component A. But behind component A is all these transitive dependencies. In other words, open source also uses open source, right? So there's this kind of this, if you will, web or nest, if you want to call it that, of transitive dependencies that need to be understood. And if I have five, six layers deep, I have a vulnerability in another component and I'm over here. Well, guess what? I picked up that vulnerability, right. Even though I didn't explicitly go for that component. So that's where understanding that software bill of materials is really important. I like to explain it as, during the pandemic, we've all experienced, there was all this contact tracing. It was a term that all came to mind. The software bill of materials is like the contact tracing for your open source, right.
>> Good analogy.
>> Anything that I've come in contact with, just because I came in contact with it, even though I didn't explicitly go looking for COVID, if you will, I got it, right. So in the same regard, that's how I do the contact tracing for my software.
>> That 90% figure is really striking. 90% open source use is really striking, considering that it wasn't that long ago that one of the raps on open source was it's insecure because anybody can see the code, therefore anybody can see the vulnerabilities. What changed?
>> I'll say that, what changed is kind of first, the understanding that I can leapfrog and innovate with open source, right? There's more open source content out there. So as organizations had to digitally transform themselves and we've all heard the terminology around, well, hey, with the pandemic, we've leapfrogged five years of digital transformation or something along those lines, right? Open source is part of what helps those teams to do that type of leapfrog and do that type of innovation. If you had to develop all of that natively, it just takes too long, or you might not have the talent to do it, right. And to find that talent to do it. So it kind of gives you that benefit. The interesting thing about what you mentioned there was, now we're hearing about all these vulnerabilities, right, in open source, that we need to contend with because the bad guys realize that I'm taking a lot of open source and they're saying, geez, that's a great way to get myself into applications. If I get myself into this one open source component, I'll get into thousands or more applications. So it's a fast path into the supply chain. And that's why it's so important that you understand where your vulnerabilities are in the software--
>> I think the visibility cuts two ways though. So when people say, it's insecure because it's visible. In fact, actually the visibility helps with security. The reality that I can go see the code, that there is a community working on finding and fixing vulnerabilities in that code. Whereas in code that is not open source it's a little bit more security by obscurity, which isn't really security. And there could well be vulnerabilities that a good hacker is going to find, but are not disclosed. So one of the other things we feel strongly about at Red Hat, frankly, is if there is a CVE that affects our code, we disclose that publicly, we have a public CVE database. And it's actually really important to us that we share that, we think we share way more information about issues in our code than most other users or consumers of open source and we work that through the broad community as well. And then also for our enterprise customers, if an issue needs to be fixed, we don't just fix it in the most recent version of the open source. We will backport that fix. And one of the challenges, if you're only addressing the most recent version, that may not be well tested, it might have other bugs, it might have other issues. When we backport a security vulnerability fix, we're able to do that to a stable version, give the customers the benefit of all the testing and use that's gone on while also fixing.
>> Kirsten, can you talk about the announcements 'cause everybody's wondering, okay, now what do I do about this? What technology is there to help me? Obviously this framework, you got to follow the right processes, skill sets, all that, not to dismiss that, that's the most important part, but the announcements that you made at Red Hat Summit and how does the StackRox acquisition fit into those?
>> Sure. So in particular, if we stick with DevSecOps a minute, but again, I'll do. Again for me, DevSecOps is the full life cycle and many people think of it as just that Shift Left piece. But for me, it's the whole thing. So StackRox ACS has had the ability to integrate into the CI/CD pipeline before we bought them. That continues. They don't just assess for vulnerabilities, but also for application misconfigurations, excess privilege requests in Helm charts, deployment YAML. So kind of the big, there are two sort of major things in the DevSecOps angle of the announcement or the supply chain angle of the announcement, which is the investment that we've been making in sigstore, signing, getting integrity of the components, the elements you're deploying is important. I have been asked for years about the ability to sign container images. The reality is that the signing technology and Red Hat signs everything we ship and always have, but the signing technology wasn't designed to be used in a CI/CD pipeline and sigstore is explicitly designed for that use case to make it easy for developers, as well as you can back it with Fulcio, you can back it with an OIDC-based signing, keyless signing, throw away the key. Or if you want that enterprise CA, you can have that backing there too.
>> And you can establish that as a protocol where you must.
>> You can, right. So our pattern--
>> So that would've helped with SolarWinds.
>> Absolutely.
>> Because they were putting in malware and then taking it out, seeing what happened. My question was, could sigstore help? I always evaluate now everything and I'm not a security expert, but would this have helped with SolarWinds? A lot of times the answer is no.
>> It's a combination. So a combination of sigstore integrated with Tekton Chains. So we ship Tekton, which is a Kubernetes supply chain pipeline. As OpenShift Pipelines, we added Chains to that. Chains allows you to attest every step in your pipeline. And you're doing that attestation by signing those steps so that you can validate that those steps have not changed. And in fact, the folks at SolarWinds are using Tekton Chains. They did a great talk in October at KubeCon North America on the changes they've made to their supply chain. So they're using both Tekton Chains and sigstore as part of their updated pipeline. Our pattern will allow our customers to deploy OpenShift, Advanced Cluster Manager, Advanced Cluster Security and Quay with security gates in place. And that includes a pipeline built on Tekton with Tekton Chains there to sign those steps in the pipeline, to enable signing of the code that's moving through that pipeline, to store that signature in Quay and to validate the image signature upon deployment with Advanced Cluster Security.
>> So Jim, your perspective on this, Red Hat's, I mean, you care about security, security's everywhere, but you're not a security company. You follow security companies. There's like far too many of them. CISOs all say my number one challenge is lack of talent, but I have all these tools to deal with. You see new emerging companies that are doing pretty well. And then you see a company that's highly respected, like an Okta, screw up the communications on a pretty benign hack. Actually, when you peel the onion on that, it's just this mess (chuckles) and it doesn't seem like it's going to get any simpler. Maybe the answer is companies like Red Hat kind of absorbing that and taking care of it. What do you see there? I mean, maybe it's great for business 'cause you've got so many companies.
>> There's a lot of companies and there's certainly a lot of innovation out there and unique ways to make security easier, right. I mean, one of the keys here is to be able to make security easier for developers, right. One of the challenges with adopting DevSecOps is if DevSecOps creates a lot of friction in the process, it's hard to really... I can do it once, but I can't keep doing that and get the same kind of velocity. So I need to take the friction out of the process. And one of the challenges a lot of organizations have, and I've heard this from the development side, but I've also heard it from the InfoSec side, right. Because I take inquiry for people on InfoSec, and they're like, how do I get these developers to do what I want? And part of the challenge they have is like, I got these teams using these tools. I got those teams using those tools. And it's a similar challenge that we saw on DevOps where there's just too many, if you will, too many dang tools, right. So that is a challenge for organizations is, they're trying to kind of normalize the tools. Interestingly, we did a survey, I think around last August or something. And one of the questions was around, where do you want your security? Where do you want to get your DevSecOps security from, do you want to get it from individual vendors? Or do you want to get it from like, your platforms that you're using and deploying changes in Kubernetes.
>> Great question. What did they say?
>> The majority of them, they're hoping they can get it built into the platform. That's really what they want. And you see a lot of the security vendors are trying to build security platforms. Like we're not just a SAST tool, we're DAST, we're this, whatever. And they're building platforms to kind of be that end-to-end security platform, trying to solve that problem, right, to make it easier to kind of consume the product overall, without a bunch of individual tools along the way. But certainly tool sprawl is definitely a challenge out there. Just one other point around the sigstore stuff which I love. Because that goes back to the supply chain and talking about digital provenance, right. Understanding where things... How do I validate that what I gave you is what you thought it was, right. And what I like about it with Tekton Chains is because there's a couple things. Well, first of all, I don't want to just sign things after I built the binary. Well, I mean, I do want to sign it, but I don't want to just sign things once, right. Because all through the process, I think of it as a manufacturing plant, right. I'm making automobiles. If I check the quality of the automobile at one stage and I don't check it at the other, things have changed, right. How do I know that what I did wasn't compromised, right. So sigstore kind of tied in with Tekton Chains kind of gives me that view. And the other aspect I like about it is this kind of transparency in the log, right--
>> The report component.
>> Exactly. So I can see what was going on. So there is some of this kind of like public scrutiny, like if something bad happened, you could go back and see what happened there and it wasn't as you were expecting.
>> As with most discussions on this topic, we could go for an hour because it's really important. And thank you guys for coming on and sharing your perspectives, the data.
>> Our pleasure.
>> And keep up the good work. Kirsten, it's on you.
>> Thanks so much.
>> The IDC survey said it, they want it in platforms. You're up.
>> (laughs) That's right.
>> All right. Good luck to both of you.
>> Thank you both so much.
>> All right. And thank you for watching. We're back to wrap right after this short break. This is Dave Vellante for Paul Gillin. You're watching theCUBE. (upbeat music)
Ben Fischer, Red Hat
(upbeat music) >> Welcome to this special CUBE program. We're going to help you better understand how to manage risk by securing your digital supply chain. And we're going to first give you a high level preview of what's happening in the market. And with me, is Ben Fischer, who's Emerging Security Technology Advocate at Red Hat. Hello, Ben. Good to see you again. >> Nice to meet you, David. I'm (indistinct) >> Yeah, so let's set it up. What can people expect to hear from this program? >> So today, I'm going to start off and you're going to, we're going to have a conversation about some of the business challenges related to the software supply chain. And then the next video will be with Vincent Danen, Red Hat's VP of product security, and Luke Hinds, our security lead from the office of the CTO. And they're going to discuss more of the security aspects of the software supply chain. Thirdly, you'll (indistinct) the newcomer director of hybrid platforms, security product management. We'll dig into some of the practices and the technologies, and that will be followed up by Andrea Hall and Andrew Block. Andrea is a specialist solution architect, and Andrew is a distinguished architect, and they're going to cover some of the change in environments. There's a lot of change in environments related to the regulations and different movements in the industry and organizations. And then lastly, we'll have a video from an interview you did with Luke Hinds, discussing a software sign in tool called Sigstore and how it can improve security supply chain. >> Excellent. Thank you for that. Okay. So Ben, people hear the term software supply chain, and makes them, "Oh. That's an interesting name." But what do we mean by the term software supply chain, Ben? >> So it's a loaded term. Simply, it's the supply chain but of software. And people think, "Oh well. I just go to a store, and I buy software and it comes packaged," maybe in the old days. 
But these days, we've got open source software. So there's repositories and collaboration upstream where a lot of people in a community contribute to all these different pieces of the software. It's kind of like when you go to a store. You go to a store and you just see this one piece, but that store carries lots of different products. And for each of those products, they have relationships with different vendors and different distributors to gather all those products into a store. And it's pretty complex. So there's been this kind of curation of products and softwares that's kind of come about kind of like a warehouse club. So like you would trust a warehouse club to be kind of a place to reduce the amount of shopping you might have, or you can kind of go there and you trust that they have good products that you'll like, and that fulfill most of your needs for your family, and you can go there and you can kind of get most of your shopping out of one place versus having to drive all around town to go get a bunch of different products that are carried in different stores, and then having to research all those products, warehouse clubs make that experience very simple. And so there's been kind of an upsurge of organizations like Red Hat that just help simplify your choices and do that curation. And the value there is in trying to not just give you everything, but also curate and try to make sure that what you have is secure. Make sure what you have is up to date. Kind of do all these kinds of nuanced things. The software supply chain is kind of complex in that there's all these extra details you need to be kind of aware of, and it's true. You know, you could run around town and shop for every product you would like yourself, just like in a software supply chain, you could go directly and get all the pieces of software and manage them and update them and do all the work yourself. But it it's a lot of work, and it is, as the word implies, it's a chain. 
So it's not just one relationship. It's a whole chain of relationships. And having a trusted entity as kind of a proxy, that you could put your faith in, and knowing that they're kind of doing some of that work for you makes life a lot easier just like in the warehouse club, right? You want to kind of go one place, get all your shopping done and be satisfied. And so just like you would in traditional times. You Know, before open source came about, there was a lot of proprietary software, and you'd put your trust and faith into them, that they would satisfy all of your needs, and they service you entirely. But even proprietary software now is an open source software so it comes into the same problem. So you need to have a trusted partner basically to help you understand and give you that level of trust in the software you're buying. >> Makes sense, yeah. And Red Hat plays that critical role. >> Yeah. >> So let's explain why all of a sudden this topic of digital supply chain, software supply chain has taken center stage. Ben, what should people understand about the digital supply chain and how it impacts their respective businesses? >> Well, the digital supply chain is really, really critical, I mean, if nothing else. I mean to bring up the kind of the COVID analogy, right? Everything changed with COVID. Things just got accelerated because we realized that the old way of doing things in person and a lot of physical ways slowed things down. And so when we were trying to social distance and have space, the pressure for doing everything in a digital form, and to make it easier to, you know, order your groceries and have them delivered to your door, or, you know, do a trunk delivery of your pizza at the local pizza shop, all this became really critical. So yeah. It's just, honestly, the COVID experience really accelerated the whole need for digital transformation. 
I'm not trying to go there, but that was part of the supply chain because all those companies also needed to have that digital experience with all of their vendors, and it's kind of accelerated in that respect. So the supply chain in general is something that's gotten a lot of attention. I think people actually understand, maybe have an idea what the word means over the last two years with all the incidents that have happened, and kind of the power of having it in digital electronic form, really really, I think, has hit home for a lot of people. And it's critical because now, I just don't feel like the world can ever really kind of go back from that. We're all so dependent on transacting in a digital form. Our businesses rely on it. We rely on a daily checking of phones, checking websites for information, doing everything. All this is run on software, right? And it's not just software that maybe one person wrote and can maintain for the rest of their lives, and do it in a perfect form. At some point, the software, you know, almost all of it, is using different parts of software that are open source and out there and available. And the pieces that were already developed, cause there's no reason to recreate the wheel. And they just kind of pulled in all these little open source components. If they didn't make a program, it was the programming around that to kind of make that usable for their particular use case. And everyone's just gotten very, very comfortable with this model of pulling software, what we would say, from the upstream down to the downstream and consume it and utilize it themselves. It's just pervasive everywhere. It's just, you know, open source, they say, is kind of eating the world and that's kind of where it's come from. >> Right. Yeah. And this is really a major issue for folks. We're seeing all kinds of new techniques. 
And for example, just imagine you've got dozens or even hundreds of suppliers, and the bad guys are targeting, you know, a victim, and they might put a piece of malware in an individual, one of the suppliers, you know. They'll get in to one of the suppliers, and that's a benign piece of code, but when it gets actually through the victims', you know, the targets' firewall, things will start to self-form in ways that we've really not seen before. And so this is really a big issue. There's a lot of talk coming from policymakers. Of course, the POTUS has issued an executive order and is putting pressure on businesses and technology companies to improve their security posture. I wish it were as easy as a sort of a swipe of a pen, but what's behind these trends, Ben? >> So, oh, there's so much behind there. So I think you're alluding to something really, really, really important. So in the security world, I mean, most of the issues in the security world is due to, you know, breaches, I should say. Hacks are due to kind of unpatched vulnerabilities. So the problem with that is then the answer is, well, you should patch and patch regularly, and that's absolutely true. You should patch as much as you can where it's not causing business disruptions. But when you get into a supply chain, or a digital supply chain issue, if you have a hacker who is able to penetrate into a vendor's software, and they're able to play something that gets placed into their update mechanism and then gets pushed out to all of our customers, it can be catastrophic and it can be, it will spread very fast and all the customers that are doing the right thing normally, by doing constant updates, will get infected. This is kind of the scary thing. Obviously, it is the right thing to do. And the right thing is for those vendors to secure their environment as much as possible and do everything they can to make that as tight as possible. 
But also, as in anything, it's really, we're in a world now where it's not if you're going to be breached, you know, it's going to be when. Everybody in the world, especially the United States, we've all had breaches with our confidential information exposed, right? It's kind of the world we live in. It's what we expect. So with that understanding, you know, it becomes more about how we'll react to that. You know, if your credit card number gets exposed, you just don't throw your hands up in the air. You go, "Okay. Well, I need to put a credit freeze. I need to do certain diligent actions." Same thing in the industry. You know, if something happens like that, an organization needs to respond properly and fast to share with the industry what has happened, to stop those updates from continuing to perpetrate, and to provide guidance on what they can do. And this is one of the wonderful things, I think, about the security industry, is actually the willingness and interest to share. You'd kind of think of people in the old days wanting to hide their security secrets. Hide and protect what they do to make sure that, to safeguard all their assets and safeguard the company, their data, everything. And I'm not saying that everything is exposed, but there's more willingness to share information on threats they're seeing and collaborate on fixes, and work through very difficult issues in a collaborative way, which is, I think it's really wonderful, and it plays perfectly in my mind, kind of the open source mentality of doing things together, out in the open, across organizations. >> Right. So, I mean, again, it's, you know, the very things that, the good behavior we're supposed to be doing with patching and what everybody's advising us to do, we have to be really careful. That can actually turn around and bite you. So how should we think about trust with software? What does that even mean today, Ben?
>> Well, it's becoming more important than ever before, because before, you know, like I'll tell you, way back, a long time ago, when I was quite young, you'd just download software. And you would share it with friends and copy it, and there was no such thing as antivirus. And everybody was fine with that, and you didn't even think of an issue. And then I remember the first antivirus or viruses came out, and then you went down to your local computer software store, and they're handing out free discs as antivirus fixes for that one particular issue. So you went down and you got it and you'd patch it up. And that was that. And you didn't really have any worries beyond that. These days, you know, and that's because you trusted the store, and you knew there was only one issue and nobody was, it's kind of a free environment where nobody thought that anything bad would really happen. Today though, we hear in the news constantly about cyber attacks, about breaches, about just endless numbers of things that are happening. Ransomware. There's so many different types of attacks and it's happening in so many different ways across every industry, every geography. It's everywhere, you know. It's really, in my mind, the world's largest industry, cyber crime. And that's just a scary thing, and that's because it's profitable. And so, you know, when you think of it as that, as a kind of an evil industry, if you will, it puts things into a little bit of a perspective that, okay, their motives, for the most part, are money, and they're trying to do this. So if that's the case, then you're just trying to create enough friction that it's just not profitable for them. And so it's not about doing everything in terms of security. It's about trying to do, you know, the right things to mitigate the risks for the organization. And so getting back to your point about trust, how do you trust the software that you're given?
You know, if you download a piece of software, you should be thinking about where's the software being downloaded from? There's lots of sites. There's lots and lots of ways to get it. There's absolutely millions of different pieces of open source code that are out there. And just because you downloaded it from a site, you don't know who posted it, you don't know a lot of these issues. So it can be scary. And as an organization, you can choose to take on all or part of that risk by trying to understand which locations are safe. You can try to understand, you know, which code is safe, and which code you can basically feel comfortable that there's a level of trust. Or simply you can shift that risk over to an organization that might do some of that work for you, like kind of in any business model. Red Hat is an entity, and it focuses on open source software. So, you know, you can go out and you could download any bit of open source software that Red Hat sells, and you can run it today. There's nothing stopping you, and that's wonderful, and we're happy that you're doing that, but Red Hat plays a particular role in that. We're trying to kind of curate that software. We're trying to pick the best piece of software that we feel we can trust. We have a lot of people in those communities, working with the people who actually work on that software. We believe in the open source model, partly because not only is it collaborative and just open and transparent, but in that transparency and in that collaboration, there is review of all the code that gets submitted. So if you can go to the right upstream article repositories, and you can work with those people, you have insight into what's happening, and you can pull down the pieces and the components that you feel are best that you can package into a product that you feel can meet all the needs for your particular customers, and you can do that in a particular way.
And then having that close proximity to those communities, you also have an idea when there's updates and patches and you get to work on those, and that allows you to consume those faster, and bring those to your customers faster. And so this is part of the trust element. It's a matter of do you want to do it yourself? Like, you know, the warehouse club analogy? Do you want to go to 100 stores when you do a shopping list, or, you know, 20, 30 stores driving around the whole day? I don't know. I don't want to do that on my Saturday. Or, you know, do you want to go to the warehouse store? Yeah, you might pay a little bit more. There's a premium there. You have to have that warehouse club membership, but then you kind of go to one store and maybe get 80% of your shopping done there, and that's really good. And maybe get the 20% from a couple other stores down the street, but you're done in a matter of a few hours versus the whole day. And so I would implore you, in terms of trust, you need to think about what are the critical pieces of software that you have in your organization, right? What are the critical digital processes that your organization runs? Think about them, and also not just think about what the risks are around them, but also think about beyond them, what the risks are to the people you're trusting. So whether it's Red Hat, or whether it's a particular website you might be wanting to download that open source software from, you need to think about it as a whole chain of things. So you will need to know that, okay, I have access to these things. I have this information, and I have these risks. Now, if I extend that out one degree further, then what risks are those folks exposed to? What do they have knowledge of? And do that, and then think about it, and think about and evaluate who has the most information? Where are the risks?
And think about what makes sense for the organization in terms of mitigating those risks and giving you the best ability to respond when something does happen. I think you can reduce your risk exposure with an organization that curates open source, or even closed source, but also you can kind of reduce the blast radius, I think, because if they can get you those updates faster, respond faster than you could yourself, then that's hugely valuable too. >> Yeah. I mean, you know, to your point about it's very lucrative for the hackers. I mean, the criminal algorithm is actually pretty simple. It's all about ROI for them, which is how much value can they extract and what does it cost them to extract that, in a numerator and denominator? And so to the extent that you can increase the cost to the hacker, there's less value to them, and they will go look somewhere else. So the question is, what are the parameters of trust in software that can potentially help organizations increase that denominator? And how do you define trustworthy software? What are the attributes? >> Yeah. So there's a lot of attributes. Yeah. I come back to the warehouse club analogy. When you kind of go to the warehouse club, they've kind of already pre-picked for various use cases, kind of, you know. Here's the two brands of shavers and we have it in the disposable form and the replacement blade form. And you just have a few options there. And it's, you know, a nice, simple selection, and you look at it and, you know, you can see the price and you know the quantity and you have certain information. And if you did want to look up more information, it's either on the package or you pull out your phone and get more information. In the open source world, you know, some things you want to look at, you want to see its transparency. So everything in open source is very transparent. If you do want to go with a closed source provider, that's fine too.
But you know, you do want to have as much transparency as possible. So you want to build up a good relationship, whether it's Red Hat, open source or a closed source vendor, you want to have that relationship to get insight. And if it's closed source, it's more important because you need to go deeper into that relationship to understand what's happening behind that veiled curtain. Accountability. So, you know, whether it is software that you're getting through another organization, you want to make sure you know who in that organization is accountable. You want to know how they're going to be accountable, how they're going to respond. If it's upstream, right now, one thing that's coming through is, and they call it an SBOM, a software bill of materials, which has details about kind of an ingredient list, if you will, of that software. And that is something that will, in the future, make it a little bit easier for everybody, but also if you're going to get software yourself directly, give you an understanding of maybe who's accountable, who actually wrote the software or made the patch, or submitted the last update to a branch. That type of information is very useful because you need, at some point, you may need to know who did this to verify if something is trustworthy, if something was intentional or not, if you see something that might be curious or, I don't know, questionable in some nature. And traceability. You want to be able to have that ability to understand all the changes that have been done in that software, right? Software is, you know, it's highly versioned. So there's constantly new features or updates or patches. And you want to be able to go through and know what's happened there.
So not only for the benefit of understanding the things that have been added and the benefits that have been added to the software, but if something happened or you were trying to make sure nothing bad happened, you'd want to make sure maybe there has been no malicious submissions into that code stream as well. And so by tracing that, that's good. And then the whole auditability of it, to go back and look at the software, and having somebody understand what might have happened by kind of digging into all the records for that particular software. I'd also say risk management, because you, as an organization, you really need to know what your risks are, and you need to be able to not just do that at the macro level, but now with the software supply chain, you need to bring that down to kind of a software level and really understand, you know, if my business relies on a particular software component, like OpenSSL for VPN software and site-to-site networking and whatnot, I need to make sure that if anything happens to this piece of software, which is a critical component for me operating my business, what am I going to do about it? You know, do I just terminate all my VPN connections and leave my rural workers stranded and, you know, disable site-to-site networking so my different sites don't have direct networking connections? You have to kind of think about what are the risks and, you know, what's my plan B? How would I possibly manage things? And it feels very overwhelming when you think about the number of components. And so this is where understanding this and trying to find ways to mitigate risk and manage it and make things a little bit simpler so you can really focus on things that matter and think are important. And then incident response, which is, there's going to be something that happens sometimes to some piece of software that your organization has. So how are you going to respond? How are you going to even find out?
How are you going to know that something happened? How are you monitoring for vulnerabilities in the software? How are you connecting with the upstream communities and being aware that something is happening wrong, and there's a bunch of developers scrambling to try to fix something quick because maybe there's a known (indistinct) of some software out in the wild? So having that awareness and having that ability to respond really is probably one of the most critical things here. >> Ben, can you give us a sense of just kind of the scope of this problem? Are there metrics you can share to kind of frame the issue for the audience? >> Yeah. So in terms of open source supply chain attacks, Sonatype, a software vendor, actually has reports every year. And they've reported that there was a 650% increase in open source supply chain attacks in the past year. And this is on top of a 430% increase the prior year. So it's scary, but it's basically literally exploding in terms of the threats happening in the supply chain attacks. Supply chain attacks are not new, but they've become quite popular. And the power of the supply chain, as an amplifying factor, is starting to get exploited really well by the attackers these days. >> Mm-hmm. Okay. So let's kind of go to best practice. I mean, what are businesses doing about these today? These problems today? What should they be doing that maybe they're not doing? >> So with the explosion, you can understand that with the spike of these supply chain attacks, organizations are honestly, and understandably, pretty caught off guard. So while organizations have been working on their cybersecurity programs for some time now, they're mostly trying to react. And by react, they're reacting with maybe not the most efficient of incident response plans yet. And these attacks are spreading like wildfire, but as an industry, you know, it's not really helping us get ahead. So, you know, it's the unfortunate place where we're at.
You mentioned that there's, obviously there's some guidance from POTUS and other folks in the industry, and various efforts in the industry to work on improving the supply chain, work on improving different components that can help make things dramatically better for the industry, but they're still pretty early stage. There's still a lot of work to be done. So as far as kind of what we can be doing as an industry, obviously, you know, I'll say collaboration again, because, you know, by working together, whether it's with the government or in an upstream organization setting standards, these things are all really important. And especially within verticals, I think it's really important to kind of get together because even if you have a general standard, things can vary quite a bit within the verticals. But besides that outwardly looking action, looking inside and trying to understand, in a sense, it's kind of a simple thing. It's a business process engineering question of, okay, what are your critical business processes? You know, what do those business processes rely upon? You know, what software components are there? And then okay, for those pieces of software, they also have different components. So even if you go to, you know, whether you go to an open source provider or a closed source provider, there are open source components. So understanding the software that you use, understanding where you get that software from, and understanding the components in that software and how those are digested, whether it's from an organization like Red Hat that's open source, or maybe a closed source provider, is really important. Developing the relationships that you have, that bi-directional trust with those organizations that are running that critical software for your organization, is really important. So it's a lot more of a mapping and awareness type exercise, because from there, you can start asking a bunch of different questions.
And by engaging in conversations about those questions, you're going to learn more and more and more. And that will continue to lead forward. Eventually, you'll get an understanding of, "I have these risks," and you may not necessarily know everything, but along the way, you'll start developing awareness of risks, and then you can ask yourself along the way, "Okay. As an organization, let's come together and figure out how can we- Let's look at these risks and how can we think about mitigating these right within our budget? To meet our business needs," et cetera. But it's a hard question because there's so much software out there. Our businesses are so critical in so many ways. There's so much software, and each piece of software has so many different components. It's a pretty overbearing problem. I'm just not trying to scare anybody, but it's just important to just take some time and think about it and understand what you have, and be diligent about kind of walking through those business processes, and start with the most critical ones and kind of keep walking forward. And as you're mitigating them, think about, do you want to have an organization help you with these, or do you want to hire people and have them invest their time into doing the work that an outside organization might do for you? >> Right. Hey, Ben, I've taken a lot of your time. Really appreciate your insights, and really great to have you on. Thank you. >> Well, thank you for having me, Dave. Appreciate it. >> And thank you for watching theCUBE. This is Dave Vellante, and we are the leader in enterprise technology coverage. (upbeat music)
Constance Caramanolis, Splunk & Stephen Augustus, CISCO | KubeCon + CloudNativeCon NA 2021
(cheery synth music) >> Hello, this is theCUBE. I'm John Furrier, your host. We're here for a KubeCon CloudNativeCon preview for the North America show in Los Angeles, here in person and a virtual event. Two of the co-chairs are with me again this year, Constance Caramanolis, principal engineer at Splunk, and of course, Stephen Augustus, head of Open Source at Cisco. Great to see you guys. Hey, thanks for coming on, virtually, for the preview. >> Great to be had! >> Constance: Thank you for having us. >> Stephen: Great to see you again, John. (laughing) >> Constance: Yeah. >> So I love... well, KubeCon has gotten, it's my favorite event every year. This is where the DevOps actually, where the people are reading the tea leaves, connecting the dots, but also meeting up and doing what communities do best, which is set the agenda for the next, next generation that's happening in person. Last year, it was virtual. We had the European virtual KubeCon, CloudNativeCon. This year, a mix. Give us a taste of updates that you want to share. Let's get into it. >> Sure. So I think, seeing this event in particular, one, we've got this hopeful return to, you know, some semblance of normalcy. I know that over the last year and change, we've been kind of itching to see each other in person. And I think I say on a lot of interviews that one of my favorite parts of any conference is the hallway track, right? It's really hard to, and we've made strides to replicate it, but I don't think there's anything close to being in person, right? And getting to bounce ideas off of your co-conspirators, (laughs) co-conspirators or compatriots.
So I'm really excited for that. I love the mandates that we've put in place to make sure that people are a little bit more safe. And, you know, overall, I think one of the things that gets me most excited is the set of day zero events, right? I think the increase in the day zero events, we've got, Constance, what's the count at now? I'm looking over it and it's massive, right? You know, SupplyChainSecurityCon, the Cloud Native for Eclipse Foundation, it's beyond, >> Too many to count right off the bat when I'm looking at it. >> Too many, too many to count! >> And it's also like, this is a reduced number because some people decide, or some, not people, like projects, decide to do virtual days or a non-conference outside of the normal KubeCon cycle because of... >> Yeah, well, let's get, let's get- >> that thing that should not be named. >> Let's get into some of the data. >> I want to jump into the trends. But just for the folks watching, this is a hybrid event, and- >> Yeah. >> There's going to be this day zero, which is the pre-programming. Which by the way, I think has evolved into a format that's just tremendous. You got the pregame, pre-event action. Very dynamic, very ad hoc, ephemeral in the people getting together and making things happen. Then you got the structured event. It's the 11th to the 12th on the pre-programming, day zero stuff, which you talked about, and then the 13th to the 15th, the main conference. It's in-person and virtual, so it's going to be a hybrid event, which should be dynamic because you have an in-person dynamic where it's a scarce resource of the face-to-face, working and trying to create synchronicity with the asynchronous environment on virtuals. So it should be an action-packed and a must-watch event.
So I'm personally excited, we'll be there in person. But I got to ask you guys, the co-chairs, how are you guys handling this? How are the papers coming, what's the call for talks? How are you structuring things? Can you just give a quick overview of what's happening on the talks? >> Talks, I feel like it went really well this round. >> Really, like, wide variety. I know it's pretty vague, but there's a wide variety of topics, things that are getting, I feel like, more popularity, like security is getting more popular. Business value, one thing that I'm really passionate about, is getting a lot more traction. Student track 101 is also, as always, I guess, ever since inception, has been popular. It's definitely getting to the point where, well, not to the point, but maybe it's just being more highlighted that some of the great content from the day zeros is also showing up in KubeCon and then, vice versa, and they're kind of everywhere. Yeah, the talks I think were really- >> John: The sessions, the sessions are always driving it. Stephen, from a maturation standpoint, you have the people developing and then you got the things that are getting hardened. Can you talk about the trends around what's kind of hardening out from a project basis on these sessions and what's forming relative to the trend line this year? >> Yeah. So, to Constance's point, I think that we're starting to see some diversity in, or continued diversity in, kind of the personas that are coming into the conference, right? So whether you're talking about that continuing 101 track or the student track, which a lot of people have kind of jumped in and seen as an opportunity to not only start becoming part of the community, but also to immediately contribute to content.
And then you've got that, for me? It's security, all day, right? I think that there's not a week that passes that I don't have a chat with someone around what's happening in security lately. And I think you'll see that highlighted in all of the keynotes that we have planned. There are not one, not two, but three keynotes around software supply chain security, and some of the different things that you have to consider as we're kind of walking into the space of protecting your build pipeline, protecting your production artifacts. So that's something that really goes to my work in Kubernetes for SIG Release, release engineering. That's something where we know that there are countless downstream consumers, right? So some that we may not have even had contact with yet from the upstream perspective, right? So it's paramount for us to make sure that everything that we're pushing out to the community and to the wider world is safe to consume. So security is definitely top of mind for me. I would say, for lots of things around continuing to talk about GitOps, observability. And I think that what's fun about each of these topics, each of these areas, is that they're all interconnected, right? So more and more you're seeing, oh, well, the Tekton folks are talking to the Flux folks. And they're talking to the folks who are working on Sigstore and Rekor and all of these fun tools about how to integrate into those respective areas.
So it's really a time of collaboration underscored by protecting the community and the end users. >> John: Yeah. We're seeing a lot of the security discussions. I mean, how far can you shift left before it becomes like standard, right? So like we're seeing that being built in. I got to ask you guys also on the trend of DevOps, there's been a lot of conversations around Cloud Native, around obsolete management and in terms of ability, but data, the role of data has been different approaches on how people are leveraging machine learning and AI. Can you, did that come up a lot in some of the discussions and the analysis? Because everyone's slapping machine learning on things these days, and there's a little bit of that going on, but it seems to be data and machine learning and horizontal scale, classic DevOps, things are happening. What's your reaction to some of those things that are happening? Can you guys, is there anything happening there? >> I feel like this year wasn't that big of a machine learning year in terms of submissions. >> Yes. >> I'm certain you agree with that, but it wasn't, as I think, like, security took a lot, and this might also just be, like, thinking about it holistically now, like security had such amazing submissions that it probably took a little bit of the spotlight off of when we were looking at the machine learning ones. >> John: So security... >> Also I'm biased, so I think >> John: So security dominated more than everyone else did. >> Yeah. I think for this year, security is dominating.
I think we even talked about this in the last chat we had, kind of from the AI side, I think we're running, there have been discussions around the bias in AI models and how we work through that. I'm not sure that we have any content for that this time around, but I think, as we start to talk about how we collect data, are we collecting the right types of data, how we serve it, especially as those relate to collecting data at the edge, right? Like, how do we even deploy applications at the edge? We have a lot of potential solutions for that. But when you combine that with, well, how do we scrape information from the things that we're deploying at the edge, right? Or some of the things you'll see in the program. >> Constance and Stephen, talk about the community vibe right now, because that's the biggest part of this conference, is seeing how the people come together, but it's also the vibe sets the tone. What's the current vibe in the community that you're seeing and what do we expect this year at KubeCon, CloudNativeCon? >> Yeah, I'm going to say, I imagine the community's tired, and it's been a long few, two years. It feels like 10 years, it feels like forever. And a lot of the in-person aspect that used to be like social validation, we just, like, is lacking. But that being said, there's still been amazing collaboration from the Observability and OpenTelemetry part. Like, I am seeing so many projects within TAG Observability collaborate together and making that a focus. And so even though we are tired, we're still doing good work.
And we're still making a point of trying to keep that community tight even though it's much harder on Zoom and right, you know, it's going to try and do the awkward, like Zoom handshake. It just doesn't do the same thing there. But to Stephen's keynote, can't remember how long ago it is, about like resiliency. We are pretty resilient. And we're also, I think we're all learning to work at a slower pace because maybe we were working too fast beforehand. And I think that, I think that's a really good takeaway from all of this. So I think it's going to, for as safe as it can be to have some variation, it's probably going to just be like, it's going to be a big party because we're going to finally get to see each other after a long time then. >> John: Yeah. >> I hope we get to do that in a safe way. >> Stephen, you bring it in, Steve, you go. Oh, Steve, you always got the energy certainly on camera, but in person as well. >> (laughs) >> This in-person dynamic this year is huge. >> Yeah, we, >> What do you think is going to happen? What, give us your take. >> Yeah, so I mean, I, you know, I would echo Constance in saying that, you know, we're, we're, we're all tired, we're all very tired at this point. Um, but I, you know, but, they, they, the conference tagline for, for North America is, uh, is 'Resilience Realized', right? I think that, you know, throughout this, this year, um, the, the contributors, maintainers of, of all of these, you know, CNCF projects have made incredible strides uh, to empower the communities to, to, uh, to be together, to be family, to, to work better together, um, in spite of, you know, in spite of uh, location, location uh, boundaries, in spite of, you know, uh, uh, health concerns, like we've, we've really made the effort to um, to show up for each other.
Um, so I think that, you know, what we'll see in the conference and, and, you know, one of my favorite tracks personally um, is the, the community track, um, so lots of, lots of content around, you know, around community building, around uh, I think more of the, the meta of, of maintaining communities, right? So the, you know, the, the, the, the code of conduct committee, as well as uh, steering committee uh, for Kubernetes got together um, last conference to, to talk about the values and principles of the community, right? And, and I think that, you know, that, that needs to continue to be highlighted, um, you know, some of the conversations that we've had around um, how you maintain groups, you know, how do you maintain groups, especially as um, especially as a, the, the, the size of the group grows, right? Once you escape that kind of like Dunbar's number uh, area, like it gets harder and harder to have the same bandwidth conversations that you would in a smaller group, right? So making sure that we're continuing to, to have valuable conversations, but also be inclusive while we're doing that is, um, is something that will continue to be highlighted over the next year and change really. >> Well. I'm really impressed by what you guys do. And I know we're all tired getting, and we want to get back and, hats off to pulling it together and creating a great program because your, your group and your community is a social construct. It's, it's, we're all social animals. And this whole COVID virtual, now hybrid really is going to, going to show in real world as all playing out, and we're going to see how it evolves, and evolution is part of social communities. And I think that the progress has been made and, you know, and with the team and you guys putting together this great event. So my hat's off to you guys, thanks for, for doing that. Appreciate, great stuff. >> Thank you, thank you. >> Now, final question, um, what do you expect?
Given, I mean, this is a social organization, um, things evolve, we're social organisms. We're going to be face to face. We're going to have virtual. We're going to have great talks, security obviously is prime time, Mainstream Enterprise Adoption in Kubernetes and Cloud Native. This is crunch time, so what do you guys expect for this event? Share your thoughts. >> Yeah, I think there's going to be lots of um, lots of fun, uh, I think uh more social conversations, less structured. Um, you know, if you have, if you haven't had the opportunity to kind of hang out on CNCF Slack, while one of these events is happening, we, we've spun up something of like a hallway track. Um, so, so people are hanging out, they're giving their takes during the um, you know, you know, in between uh talks, there, there was also a, you know, kind of after conference uh, hangout for, for the hallway track that we did. Um, so we definitely want to continue some of that stuff. Um, as you know, between the last few conferences we've launched uh, Cloud Native TV um, and lots of great producers uh, and, and, and content over there. So you'll see, you'll see, kind of, us start to break the wall between um, that virtual content that we've created uh, across the last few months, as well as, you know, seeing that turn physical, right? Um, so how do we, you know, how, how do we, how do we manage that and how do we make that seamless for people who may be maybe participating virtually as opposed to physically, right. That there's going to be a bit of um, there, there's an aspect of like, you're, you're almost running two conferences, right. Simultaneously. So. >> It's a total experiment in the real world, but it's, it's all important. It's super important. Constance, your thoughts on, on the event, what people are expecting to see and surprises that might emerge, what do you, what's your thoughts?
>> Um, I, well actually, see while you were saying something, I had an idea that I think we can make it more connected, So I just wrote it down, um, uh, I, I have some silly ideas when it comes to the conference stuff, which is why Stephen's laughing, although you can't see it. >> (both men laughing) >> Um, my, I, like, I'm, I'm trying to go in with no expectations, mostly because I'm so excited. I don't want to be disappointed um, and I don't want to miss out. I think, I actually think that probably a lot of the discussions are just going to be like, hi, like, it's so nice to actually meet you and just talk about random things. Maybe not as much technology discussions as maybe there would be at a normal, I like, ah, I don't want to say normal, right? Because we are in a new normal, like what KubeCon was several years ago. Um, I think that I do. I think that it would be probably a little painful, this hybrid part, since we don't know what to expect. I think there's going to be so many things that we're going to look back and be like, face palm and be like, oh, we should've thought about these things. So for anyone who's attending virtually, apologies in advance, and please give us feedback. There's so many things I know we're going to have to improve, we just, we don't know them yet. So please be patient with us and know that we wish that you could be there in person with us too. >> Um, uh, I don't know. >> Well, that's the thing, that's the thing. >> I'm just going to go in there with an open mind. Well that's the thing, it's, it's new, it's all new, virtual. So it's, it's, we're learning together. That's, I think, people put too much pressure. I think people like expecting, you know, some magic to happen, but it's all evolving. And I think the magic is the event. And I think, I think it's going to work out great. And by the way, there's no downside it's, you know, learn. >> Exactly! >> So, yeah. 
So, you know, so one of the things that I um, I, I have this spiel that I give to um, the release team, the Kubernetes release team, every time we start a new cycle, right? Um, you've got a set of returning contributors. You've got a set of uh, net new contributors, right? And um, and, and moving into the release team, you're kind of like thrown right into the fire of Kubernetes, right? So it's, it's, it's one of those things. I, I, I come in and, and, and, essentially say, um, be curious, question everything. Um, this is like, it's a, it's, it's very much like a human experience, right? And I think that, you know uh, to, to Constance's point, we're all here to, to learn and grow, make this a better experience for everyone. Um, so bring yourself, like bring yourself to the conference, right? I think it's, you know, in, in terms of offering feedback, we have, you know, feedback forms for every one of the, you know, every one of the, the talks that you attend, um, you can feel free to reach out to Constance, and myself and, and Jasmine, um, if you have feedback that you want to give personally, you know, there, there are, there are ways to get in touch with us. There are ways to make the event better. And I think that every time we, we uh, we incorporate, like, we incorporate a lot of this feedback into the next conference. So every time um, you provide some piece of information for us, that gives us an opportunity to make it better, right? So this conference is built, uh, this conference is built by the community, right? The, you know, it's not just a, you know, it's not a, you know, it's not a body just uh making, making decisions kind of off the cuff, it's, we are taking your ideas and we're trying to turn them into a program, right? So it's, it's the maintainers, it's the end users. It's the students, it's people who have never used Kubernetes in their lives, or never used Cloud Native technology in their lives. 
It's folks who are coming from the, you know, the, the corporate IT kind of classic uh, background, and, and just trying to understand how to be effective in this, in this new world for them. Um, so it's like, it takes all kinds and we, we don't get it done without your feedback. So please, um, as you're coming to the conference, whether it's in-person or virtually, like, bring yourselves, be curious, ask questions, um, provide that feedback. And then um, and I think, you know, from the, you know, the kind of from the uh, the, yes, we need to be human, but we also need to um recognize some of the, the requirements, uh, that, that are, that we have going into this conference. So reminder that, you know, all of, all of the events are under, you know, under a code of conduct, please make sure to familiarize yourself with uh, code of conduct. I think that um, you know, I think that coming back into a physical space for a lot of people, the um, the, some of the social skills can, can erode over time. So please not just bring yourself, bring your best self. And, you know, be sure to review all of the policies around health and, and safety as we go into this. >> Constance, Stephen, that's great stuff. Love talking with you guys. Constance, you want to add something? Go ahead. >> I want to add one thing, also be gentle with yourself and like, be really kind to yourself and others, because this is going to be really overwhelming. I haven't been around more than 10 people at once in almost two years. And so, just remember to be kind as well, always be curious and question everything. >> Yeah. That's great stuff. Great reminder. This is what it's all about, face-to-face. Face-to-face, presence, being together, but also having the openness and the community around you. A lot of mentoring, you guys have a great community for people coming in that are new and there's great mentors, people are open and cool, great community.
Thanks for coming on for this special preview for KubeCon CloudNativeCon, thank you so much. >> Thanks for having us. >> Thank you. >> Okay, this is theCUBE's coverage of KubeCon CloudNativeCon, and we've been every year of KubeCon. It's been in fantastic growth. Going the next level again in person, a lot of security, real time adoption should be uh, should be great, virtual and in-person. I'm John Furrier, thanks for watching. (cheery synth music)