
Owen Garrett, Deepfence | Kubecon + Cloudnativecon Europe 2022


(bouncy string music)
>> TheCUBE presents KubeCon and CloudNativeCon Europe 2022, brought to you by Red Hat, the Cloud Native Computing Foundation, and its ecosystem partners.
>> Welcome to Valencia, Spain, and KubeCon and CloudNativeCon Europe 2022. I'm your host, Keith Townsend. And we're getting to the end of the day, but the energy level has not subsided on the show floor. Still plenty of activity, plenty of folks talking. I have, as a second-time guest this KubeCon, which is unusual but not, I don't think, disappointing in any way; we're going to have plenty of content for you. Owen, you're the CPO, Owen Garrett, you're the CPO of...
>> Of Deepfence.
>> Of Deepfence.
>> Yeah.
>> We're going to shift the conversation a little bit. Let's talk about open source availability, open source security availability for everybody. I drive a pretty nice SUV back home and it has all these cool safety features: it warns me when I'm dozing off, it lets me know when I'm steering into another lane, and I'm thinking, why isn't that just a standard thing on every vehicle? Isn't safety important? Think about that for open source security. Why isn't open source security just this thing available to every project and product?
>> Keith, I love that analogy. And thanks for having me back! We had a lot of fun yesterday.
>> Yeah, we did.
>> Yeah. We, at Deepfence, we really believe security is something that everybody should benefit from. Because if applications aren't secure, if vulnerabilities find their way into production, then your mother, my aunt, uncle, using the internet, using an app, their identity is stolen, through no fault of their own, because the developer of that application didn't have access to the tools that he or she needed to secure the application. Security is built around public knowledge. When there are vulnerabilities, they're shared with the community. And we firmly believe that we should provide open source, accessible tools that take that public knowledge and make it easy for anybody to benefit from it. So at Deepfence, we've created a software platform, it's 100% open source, called ThreatMapper. And the job of this platform is to scan your applications as they're running and find, identify, are there security vulnerabilities that will find their way into production? So we'll look for these vulnerabilities, we'll use the wisdom of the community to inform that, and we'll help you find the vulnerabilities and identify which ones you've got to fix first.
>> So when you say use the wisdom of the community, usually one of the hard things to crack is the definitions, what we called virus definitions in the past.
>> Yes.
>> How do we identify the latest threats? And that's usually something that's locked behind value. How do you do that when it comes to open source?
>> You're right. And it's worrying, 'cause some organizations will take that and they'll hide that extra value and they'll only make it available to paying customers. Ethically, I think that's really wrong. That value is out there. It's just about getting it into the hands of users, of developers. And what we will do is we'll take public feeds, like the CVEs from the NVD, the National Vulnerability Database, we'll take feeds from operating system vendors, for language packs, and then we help organizations understand the context so they can unlock the value. The problem with security scanning is you find hundreds of thousands of false positives. Like in your SUV. As you drive down the street there are hundreds of things that you could hit.
>> You're right.
>> But you don't hit any of them. They're false positives, you don't need to worry about them. It's the one that walks across the road that you've got to avoid, you need to know about. We do the same with security vulnerabilities. We help you understand, of these thousands of issues that might be present in your applications, which are the ones that are really important? 'Cause developers, they're short of time. They can't fix everything. So we help them focus on the things that are going to give the biggest bang for their time. Not for the buck, because we're not charging them for it, but for their time. So when they invest time in improving the security of the applications, we, with our open source, accessible projects, will help guide them to invest that as best as possible.
>> So I'm a small developer. I lead a smaller project, just a couple of developers. I don't have a dedicated security person. What's my experience in adopting this open source solution? Am I biting off more than I can chew and creating too much overhead?
>> We try and make it as easy as possible to consume. So you're a developer, you're building applications, you're here at KubeCon, so you're probably deploying them onto Kubernetes, and you've probably used tools already to check them and make sure that there aren't vulnerabilities. But, nevertheless, you've got to let some of those vulnerable packages into production and there could be issues that were disclosed after you scanned. So with our tool, you place a little agent in your Kubernetes cluster, it's a DaemonSet, it's a one Helm command to push it out, and that talks back to the console that you own. So everything stays with you. Nothing comes to us, we respect your privacy. And you can use that to then scan and inventory your applications anytime you want and say, is this application still secure or are there new vulnerabilities disclosed recently that I didn't know about? And we make the user experience as easy as we can. We've had some fantastic chats on the demo booth here at KubeCon, and hey, if times were different, I'd love to have you across the booth, and we'll click and see. The user experience is as quick and as sweet and as enjoyable as we can make it.
>> All right. We've had a nice casual chat up to this point, but we're going to flip the switch a little bit. I'm going to change personalities.
>> All right.
>> It's almost like, if you're a comic book fan, the Incredible Hulk. Keith, the mild-mannered guy with a button-up shirt. Matter of fact, I'm going to unbutton my jacket.
>> Okay.
>> And we're going to get a little less formal. A little less formal, but a little bit more serious, and we're going to, in a second, start CUBE clock and you're going to give me the spiel. You're going to go from open source to commercial and you're going to try and convince me-
>> Okay.
>> In 60 seconds, or less, you can leave five seconds on the table and say you're done, why you should do-
>> Here's the challenge.
>> Why I should listen to you.
>> Owen: Why you should listen to Deepfence.
>> Why should you listen to Deepfence? So I'm going to put the shot clock in my ear. Again, people never start on time. You need to use your whole 60 seconds. Start, CUBE clock.
>> Keith, (dramatic horn music) you build and deploy applications, on Kubernetes or in the cloud. Your developers have ticked it off and signed off-
>> Zero from zero is still zero.
>> Saying they're secure, but do you know if they're still secure when they're running in production? With Deepfence ThreatMapper, it's an open source tool.
>> You've got to call-
>> You can scan them.
>> Before you ball.
>> You can find the issues
>> Like you just thought out.
>> In those applications running in your production environment and prioritize them so you know what to fix first. But, Keith, you can't always fix them straight away.
>> Brands need to (indistinct).
>> So deploy ThreatStryker, our enterprise platform, to then monitor those applications, see what's happening in real time. (dramatic horn music) Is someone attacking them? Are they gaining control? And if we see the exploits happening-
>> Success without, success without passion-
>> We will step in,
>> Is nothing.
>> Tell you what's going on.
>> You got to have passion!
>> And we can put the thumb on the attacker. We can stop them reaching the application by firewalling just them. We can freeze the application (dramatic horn music) so it restarts, so you can go and investigate later.
>> Keith: Five seconds.
>> Be safe, shift left, (dramatic string music) but also, secure on the right-hand side.
>> That's it. I think you hit it out of the park. Great job on-
>> Cheers, Keith.
>> Cheers. You did well under the pressure. TheCUBE, we bring the values. We're separating the signal from the noise. 60 seconds. That's a great explanation. From Valencia, Spain, I'm Keith Townsend, and you're watching theCUBE, the leader in high tech coverage. (bouncy percussive music)

Published Date: May 20 2022
