Matt Howard, Sonatype | Cisco DevNet Create 2017


 

>> Announcer: Live from San Francisco, it's theCUBE, covering DevNet Create 2017, brought to you by Cisco.
>> Welcome back everyone, we're here live in San Francisco for theCUBE's special exclusive coverage of Cisco's inaugural event, DevNet Create, a foray into the developer opensource world as they extend their classic DevNet core developer program, three years old now, going into the opensource world, this is theCUBE, I'm John Furrier with my cohost, Peter Burris, our next guest is Matt Howard, EVP and CMO of Sonatype, knows something about opensource, Matt, great to have you on theCUBE, thanks for joining us.
>> Thanks for having me.
>> So first, talk about Sonatype, what do you guys do? Give a quick minute to describe the company, then I got some pointed questions for you.
>> Well, we provide tools and intelligence to modern development organizations to basically reinvent how opensource components are flowing through the pipeline, through the value chain, through the development lifecycle.
>> You guys are a service, SaaS service, are you guys a subscription?
>> It's a subscription service, and we provide two products, there's a product which is a repository manager called Nexus where you store, organize, and distribute software binaries into the development lifecycle, and then there's a second server product called Nexus IQ, which provides intelligence on top of those binary, so think of it as like FDA food labeling database, so if you're looking at a bag of potato chips as a consumer, you can see that there's calories, sugar, salt, it's gluten-free. If you're looking at a software binary, you're able to see metadata that we provide, which allows you as a developer to make intelligent decisions with respect to, this component's good for my application 'cause it's properly licensed, or this component's good for my application because it doesn't have any--
>> So you're a verifying code, basically, in a way.
>> Yeah, absolutely.
Verifying and qualifying the opensource--
>> John: And the problem you solve for the customer as well.
>> The customer basically gets to build applications at scale, at speed, with quality opensource components.
>> So you take the worries off, like, with the licensing, does it work well, you're like Yelp for software? There're comments?
>> Sort of, more like Amazon reviews for opensource binaries.
>> Okay, great, cool, thanks for taking the time. So we was just talking in our intro, opensource, I'm old enough to know when we used to pirate software, and then opensource, woo, this is great, and then it became a tier two in the enterprise player, Red Hat brought it to tier one. It's booming. Communities are changing. You're in the middle of it, what's happening? Give us your take on how opensource is evolving, because it's the classic case of cliche, opensource, I'm standing on the shoulders of giants before me, and now the next generation is standing on the current generations of shoulders, a new generation's happening, what's going on?
>> So, just think of supply and demand, simple supply. We live in a world right now where development organizations are facing an infinite supply of opensource, there's a thousand new opensource projects a day, 10,000 new versions and 14 releases per year. The supply is massive. And in a world where supply is incredible, consumption is equally incredible, last year alone, there were 52 billion download requests from Maven Central for Java binaries, 50 billion-plus requests for NPM packages in the JavaScript ecosystem, so we are basically dealing with a world where software is no longer a marginal cost to doing business, it is the business. Developers are king, developers are the lifeblood that's flowing through every great enterprise today, because innovation is ultimately the thing that will allow companies to compete and win on a global playing field!
>> I mean, it's almost intoxicating for these guys who are just drinking from the trough of free software, because if you compound the new projects with the fact that Google and these guys are donating awesome libraries, Amazons, machine-learning stuff, it's not something to shake a stick at, it's great software!
>> Yeah!
>> TensorFlow, Spanner, I mean, all this stuff--
>> It's great software, and just think, in a world of infinite choice, which is the world we're living in, how do you make the best choice?
>> So where's the growth coming from? Peter and I were speculating that, in talking to Abby Kearns yesterday from Cloud Foundry, and then with the Cloud Native Foundation, a lot of money's coming in so the business model for players and vendors are coming in, and suppliers now helping out and donating software, but we're speculating that there's a whole growth area that's different than we've seen before. Are we on that? Your comment to that, your thoughts on where this evolution's coming from, the next wave, is it horizontal?
>> Our view is that the devops transformation from waterfall-native development to devops-native software development is happening and it's real, and it's arguably in the early days, but it's no stopping that train now. As organizations continue to reconcile demand from board members and shareholders and CEOs, how do you remain relevant, how do you be, put yourself into a position where you're innovating with software fast enough to remain competitive? And that's a tremendous pressure, and it's driving transformational change like devops, and so as that demand for speed continues to grow, we think it only increases the appetite for opensource, and it creates opportunities for organizations like ours to basically automate how that opensource innovation happens.
>> We do a lot of crowd chats, to surface the landscape and the common theme that comes up is, oh, your organizational mindset has to change, and we were commenting, Peter and I were talking yesterday about, if your org's not set up, you'll have, what's the law?
>> Conway's law.
>> Conway's law, where the output matches the organization, but the bigger question is, Ford CEO got fired, he's been in the job for less than four years, he didn't have time to transform, so the question is, how does opensource help people transform faster, do you have any observations around that? Because that's the number one question we get is, okay, I need to configure resources to do that, and then the other theme that we're hearing, I'd love to get your reaction on is, "Oh my God, I'm going to lose my job through automation." And certainly Cisco has networking guys who are looking down the barrel of potentially being irrelevant if they don't make the network programmable, so this is, we've lived through cycles, is it the mainframe guys who kind of lose their jobs, kind of thing going on? Or is it a transformative opportunity for the people as well?
>> Yeah, it's a great question, there's a lot there, but I think the notion that they say software eats the world, a different way of viewing is automation eats the world, and if you look at, we refer to the 100-10-1 rule, today, in every large IT organization, you got 100 developers for every 10 IT operations professionals for every one security professional. It's impossible for the application security professionals to maintain governance over 100 software developers.
If the old way of doing something like application security in this world where we're talking about infinite supply of opensource, needs to be automated with machine intelligence, it needs to be scalable early, everywhere, and throughout the entire development lifecycle, and unless it's not, you're going to basically get some of the benefit of opensource, but not all of the benefit of opensource.
>> I want to push you a little bit in this, Matt, because, one might argue, and I'm going to be a little bit apocryphal here for a second, but one might argue that we also have an infinite supply of different types of bubblegum. And at the end of the day, one can say, "Well, do we need another bubblegum?" And we may or may not, and yet we do. So the reason why I'm bringing that up is I want to square the infinite supply, which I don't disagree with, with the idea that, certainly our clients, especially the big data side, are still concerned about the fact that they can't find tooling, or combinations of opensource tooling, that can help them with their use case. And so as you think about, one of the things that intrigued me about what your company does is the idea of to what degree can you start with a business problem, use that business problem to do some design work, and then based on that, start finding the tooling that will be most appropriate for solving the problem.
>> Yeah, it's a great question, and I think it goes back to this idea of automation, let's just give a real world use case, this is one of many, but if the demand for speed and innovation is what shareholders, boards, and CEOs are looking for out of their IT organizations and their development teams, then the first thing you do, in the theory of constraints is you look for where is the friction, right? So theory of constraints basically points to something like the process inside of a large financial organization that involves a developer requesting approval for using an opensource component.
How long does that take? How many people are involved in that process? How many hours, how many dollars? Does it have to be that hard? Or can you basically create policy, and define policy, and build, effectively, a firewall that then automatically governs the flow of opensource, healthy opensource components, into the development lifecycle? With no human intervention at pace, right? And that's the idea of what we're doing when we talk about scaling opensource innovation early, everywhere, and across the entire development lifecycle, it starts at the perimeter, the moment the development requests the opensource component for use, it has to be automated, you can't afford to take three months to approve it, he needs it now!
>> So let me turn that around, and see if this is a service that you are providing, or actually could provide. Given that you probably have visibility into a lot of the problems that the developer's trying to solve, and therefore, their ability to check opensource in and out from a variety of different sources, are you also gaining visibility in the types of stuff that people can't find, and making that information available to the world about, here's some of the places where the opensource world could step up and do perhaps a better job of delivering that software? And I'm specifically thinking of the big data universe, because there's so many, for example, I got a client, big financial institution, who is tearing his hair out right now trying to come up with some standard components for complex machine-learning pipelines. Real, real hard job, a lot of different tools, they work together at some level, but they're not solving the problem, 'cause they're more focused on solving each other project's problem. Am I making this?
>> You are making a lot of sense, and you should introduce us to your friend, because we would love to have a conversation and talk exactly how it is that you can create prescriptive architectures with opensource components to remove friction back to the theory of constraints concept, I mean, this process of innovation has to flatten out, and we are very narrowly focused on one particular piece of that pipeline, and it is the making sure that the development organization is benefiting from all of the greatness that opensource has to offer, but none of the bad, and you have to do that with automation.
>> So just really quick, John, for those of you who don't know, the theory of constraints, to a computer science person, looks like Amdahl's law. Speed up that which you do most frequently, for those of you who've ever done computer design.
>> Herbie the Boy Scout.
>> Exactly, so it's speed up the thing that is causing the most pain.
>> Right, right, right.
>> So the question I have for you this, okay, given what you guys do, which is a great service, cutting edge, it's in the devops wheelhouse, so, what is, in your opinion, the most important metric for your customer's success, vis a vis devops, okay, I'm in, I've been hearing about this cloud native thing and devops, we've got to change to Agile, we wrote a manifesto, we changed the organization, what is the important metric that you think they should look for for success?
>> You know, there's a lot of metrics, there's no one answer, but I'll give you a really great one, since you mentioned Red Hat earlier. Red Hat is an amazing company that has probably done more for the evolution of opensource than anyone. They have a phenomenal track record of managing RHEL, the Red Hat Enterprise Linux stack, upstream and downstream, to the point where today, they publicly tell that the Red Hat Summit just recently in Boston, I think it's a day or two mean time to repair for a zero-day vulnerability.
They understand the supply chain for RHEL extremely well, and from our perspective, we are trying to create the same type of hygiene for custom software development that RHEL has long practiced in support of Red Hat, Red Hat has long practiced in support of RHEL, and so mean time to repair, for example. If a zero-day vulnerability hits, do you have a software bill of materials? Are you wondering where that particular component is? Do you even have the component? How many applications in production are affected? I mean, this is a real-world scenario, just two weeks ago, with Struts 2, how many organizations are still working today to figure out the answer to that question? You'd be surprised, it takes organizations months--
>> Peter: But this is more than a library.
>> This is more than a library.
>> So explain why it's more than a library.
>> Struts 2?
>> No, what you're doing.
>> What we're basically doing is imagining a software supply chain, so step back and imagine a world where you could build software applications the same way that Toyota builds cars. You have Deming's principles, which says you basically take and source the components or the parts from the fewer suppliers, and you source the absolute best parts, and you track and trace the location of those parts to every step of the supply chain all the way into production, so that Toyota recently had to conduct an orderly and effective recall for four million Takata airbags. Right? In software terms, the next time you're basically sitting on top of a zero day, you need the equivalent of that orderly effective recall so you can in a matter of minutes, not months, patch that vulnerability.
>> Hence why you use Goldratt's theory of constraints, so in many respects, this is a digital supply chain tool?
>> We believe it's software supply chain automation.
>> What about digital? Can I also think about how digital objects can be included in that? Again, going back--
>> Containers?
>> Going back to the big data notion?
>> Yeah, absolutely, this is, supply chain theory is well understood in a physical goods world, certainly, if you look at how physical goods move through a supply chain, and you come to grips with what's happening in digital transformation today and the evolution of devops and the proliferation of opensource, continuous integration, continuous delivery, speed is king, it's all going in the direction of a supply chain.
>> So, when you have so much bubblegum, as Peter said, after it loses its flavor, you get a new piece, right? So, same with software. Final question for you. You guys are doing well, I can imagine that operationally, as coming to operational as opensource, you're a key component there, and that seems like a good opportunity. How early are you on that operational progress? I mean, you just get started, you're making some money, which is good.
>> To be frank--
>> You're the customer on the journey, in other words, people realize, "I got a operation on," so they're just doing it, not having a checks and balance.
>> Our business is really interesting in the sense that product market fit for any young company can take quite a while, and we're fortunate enough to have a CEO who is remarkably patient and savvy and experienced, his name is Wayne Jackson, for anybody knows, here at the Cisco conference, he was previously the CEO of Sourcefire, so an interesting connection there, but patience is key, and we're being rewarded right now because all of the trends that you guys have already talked about here, and everything we've talked about at Cisco DevNet point to a simple fact, which is that software is key to how companies will compete and win in the future, and as long as that's true, they're going to be looking for ways to improve innovation.
Right now, our business is early, we're still creating budget in some situations, but that's increasingly changing, and I would say that you should expect our business to continue to grow--
>> So people are operationalizing opensource, and they're getting serious about some of these things--
>> We're seeing budget now that we didn't see last year, for operationalizing the flow of opensource into a devops--
>> Final, final question, since I want to get your take on the show, Cisco's moves here into this world, obviously, a good move in our opinion, I'm sure you agree, risky for them, a good move, progress, what should they do next? Your thoughts and reaction to DevNet Create, 'cause man, they got DevNet, a growing, robust community of Cisco developers. DevNet Create, a new opportunity, what's your thoughts?
>> I've learned a lot, I'm glad to be here, and just saw some things yesterday that make it very, very clear that DevNet Create and what Cisco's doing with it is a great move, I mean, my personal belief is that developers are king, and as you expose core services, network services to developers, an innovation happens, and value gets created, and so they've done so much at the network layer for so many years, and if they're now exposing that network sort of innovation to developers, it'll be exciting to see what kind of innovation happens.
>> Matt, thanks for coming on theCUBE, really appreciate it, I'm glad we got you in, great to meet you last night, and congratulations on your startup that you're working with, and growth, and been around the industry a long time, you've seen a lot of waves, and appreciate the insight here on theCUBE, appreciate it.
>> Appreciate you having me.
>> Alright, we are live in San Francisco for exclusive coverage of Cisco's inaugural event DevNet Create, I'm John Furrier, Peter Burris, stay with us for more day two coverage after this short break.
>> Hi, I'm April Mitchell, and I'm the Senior Director of Strategy and Planning for Cisco.

Published Date : May 24 2017
