Okay, so next up we have Connor Rogers and Ryan Gibbons, and they're going to be talking about CNCF best practices for software supply chain.

Hello everybody. It's great to be here at the CNCF conference. My name is Connor Rogers. I'm a technology leader with saligent systems. We're a branch of emphasis. We're an AWS consultancy partner, and I'm lucky enough to have gotten the opportunity to work with Ryan. After 25 years in old-school configuration management, build management, release management, technical management, lean, agile, all this kind of stuff, I got the opportunity to work with a security team in 3M, of which Ryan is a senior leader.

Right. Ryan Gibbons. It's great to work with Connor. We have a lot of fun together. You'll see that while we talk today. I'm part of the 3M digital science community. So 3M is, yes, they make the Post-it notes and all the things you're used to, but we also have a technology kind of incubator here and in Dublin. Well, I'm in Spain now, but I started as a developer many years ago and then spent a lifetime in information security. So when they said, hey, security is starting to shift left back in development, I said, sign me up. So we have a lot of fun together, and we're going to tell a little bit of a story. It started a couple of years ago, on how our journey has progressed along this whole paradigm of shifting security left. And we'll get into that in a little bit. But first, can I find out just how the audience is distributed, technical or more like program? So how many folks primarily spend their time working on technical problems? Show of hands. Okay, and how many are more like on the projects and programs and the resources? Okay, so mostly technical, but a scattering of a few. Okay. Thank you.

Okay, so here's the situation, framing it not particularly for 3M but just in general. They're shifting left again, and I always like to say this, guys: this is shifting left. This is not dumping left. This is not a push. This should be a pull, right?
We will need to give developers the tools and the capabilities and the training and everything else they need, so we can move this responsibly and not just have audit and compliance go, hey developers, you do all the stuff now. There's a huge lack of awareness in the software supply chain. Right, we've been doing manifests and things for many, many years, but some people are still kind of new to some of these things. So that's okay. There's limited guidance. It's been getting better over the last couple of years, but when we started this journey a couple of years ago, it was kind of sparse. You could read some DoD documents, and this had some things, and they're really focused on kind of traditional SDLC type of things, but not necessarily the tool chain. So there were some problems. SolarWinds raised awareness quite a bit, as everybody here, I'm sure, is aware. SLSA from Google also up quite a bit. And to do this we start, as I mentioned before, big company, 3M, very diverse technical environment. So a little bit challenging, lots of different groups. Oh, and one other thing I want to mention here. And then, yeah, so on the security integration little circle we have there, we had a lot of coverage in the whole operate, right? So that's the traditional space where the stuff runs. And in the plans, they had all these risk things you had to go through, and architecture reviews and everything else, but as soon as it goes to build it was like, just scan your code. And that seemed really...

That's right. That's right. I come from a lean background: release management, DevOps, better, faster, cheaper, better, faster, cheaper. Let's go faster.
Let's get us out there, shorter increments. And oftentimes in my career DevOps was conflicted against legacy-style security organizations, the department of no. But no, Ryan's focus here is to improve the security posture of the application, application code delivery, and what that means is not being the department of no. It means being the department of collaboration. Okay, and first time ever I got to work in a DevOps, agile way with the security team that builds solutions. Okay, we like this.

Yeah. Yeah, that makes it so much more fun. We get to be the builders, not the no people. So, how this worked at 3M: we knew we were kind of introducing an entirely new category of considerations for senior executive leadership. So I had to be able to tell this as a story. I had to capture their imagination. I had to get them bought into that this is a thing, and we're going to need to spend time and prioritize resources away from just delivering stuff to making sure how we deliver it is secure. So 3M knows supply chains. They're very good at this stuff. I've seen some briefings from how they do it, and they're fantastic. So I just needed to leverage what I already had, and of course everything in here you have to adapt to your own organizations, but for us it was, okay, they understand supply chains. So I actually use this image when CNCF released it, but I had an earlier version of this which wasn't as good. You guys know supply chains. So you have materials and you build the thing, and then you have to deliver it to your store, and then it gets consumed. Software is the same way.
This was new for them because they didn't know software quite as well. Software, you have components and code, and you bring them in and you have to compile them together in a pipeline, and then, you know, you put it into an operating environment. It's kind of like sending it to a store. So I had to use what they understood and put it in terms that they get, and I knew I was being successful when I started hearing about this in other meetings. Oh, yeah, there's this team doing the secure software supply chain. So that's how I kind of captured this interest, that we need to secure our software supply chain just like you have physical security controls.

Yeah, I'm an SDLC guy. I've always been SDLC. And you've got to realize, everybody must realize at this stage, you know, it is a complete software supply chain, and a lot of the components are coming from the outside. And a picture tells a thousand words. What Ryan isn't telling you here is how diverse our organization is and how many different SDLCs we have, how many different approaches. And we've got some legacy, and we've got some very, very contemporary, innovative approaches as well. And the executives that Ryan has to deal with are many and diverse, and they don't often have a lot of time to read the big document or take it in. So a picture tells a thousand words, and that's part of, you know, our knowledge propagation upwards, but also downwards, and that's very important in the space that we play.

Yeah, we had to make sure that this story was going both up and down. And so we actually had different versions of how we would message it depending on who our audience was. Very important. And we enhanced that with the data that we had. So, I mean, what is the critical security control number one? What's number one, many others, one for 20 critical controls, used to be called? Yeah. Nope, not firewalls.
Good one. Set users, the user is very important too. I mean, these are kind of in all those things, but most of what they teach you in critical security controls is they start with an inventory, because you can't protect what you don't know. And then you have to know both hardware and software inventory, and then you kind of go along. So we're like, well, let's follow the same pattern. I mean, we're doing this as a security piece. Let's follow the best practices. So step number one: how much code do we have, and how many components do we have in our environment, and how many build pipelines, and how many code repositories, and how many... like, let's just identify all that. And to make it fun, we kind of went to a lot of the tech leaders and said, how much do you think you have? How much do you think you have? How many code repositories do you have? How many?

Yeah, so I really like this. Ryan leads with vision. Okay, but up above vision you need something, you need so many principles and standards, and that allows you to be tool agnostic. Okay, you bring it up to what does good look like. Let's not worry about what the brand name or the tool name or the software utility name is. We start up there at that higher level.

Yeah, then we can work down, and that was a lot of fun. And so then at the end we kind of showed how many different types of technology and how much code each group had against each other. It's nice to have kind of healthy visibility, I'll say, not necessarily competition. But just look: so you have this much, this person has this much. You thought you had a lot, look at this guy, right? And so having an organizational lever that makes them sit up and pay attention. Oh, how am I doing against the people I'm having to compete for resources with? So we kind of got into that conversation, and then they started using what us and what we found is as part of the conversation. So you can lead with your threats and say, this is the current news.
This is the current hack. What's our exposure? What's the probability of that happening?

So you have to have visibility and discovery of your inventory. Yeah, at your source code level, at your build level, at your orchestrator level, at your deployment level. God knows, the old CMDB. Yeah, you know, where is it gone to? Okay, where is it on our outside? And indeed all of our internal tools are critically important as well, because that's where the software supply chain attacks are coming. They're not coming on your perimeter. They're going inside, and they hit much more when they get out.

Yeah, that helped us to tie it to risk. And we built some reputation too. So where did we start? So on our team, just a little bit of context. So I set the kind of general scale, but just for us: we already had an application security program that had been running for a while. We kind of started a new one. We called it the code security team, because we don't deal so much with a runtime environment. We're all the way until you build it, and then once it's built, and we secure the tool chain and all the tests of, you know, than other teams are. So we kind of carved our little niche. We had some resources, some people. We'd already been looking at some of the best practice. So that's kind of where we were. We weren't just starting out when this document came. So just a little bit of context from where our journey goes in here. You'll see that, you know, we'd already kind of started, and we'll talk about...

Yeah, so we came here to tell you a little bit more about our story and how the CNCF helped us. That's really the message that we're here to give you, that there's a really good artifact that people should look at and read. That's it, and how it came to us and how we were able to leverage that.

Yep, how we were able to communicate that to our organization. And we always use... so while we're on this journey, we had started, SolarWinds came out and really advanced the conversation, and it went
from my boss and boss's boss saying, so what are you guys doing out there exactly? How does this relate to so-and-so? And then it was like, oh, SolarWinds. All right, so now I was on the table, which is nice. And then a year later we've got Log4j, and now everybody's like, hey, can you guys come help? So we've made a lot of progress in the last year.

So there's some cultural messages here as well. So Ryan is a great cultural leader. He's got a security vision. He also has a good security team, but underneath that, if you're building solutions, you've got to have some good technologists. Yeah, okay, so we want to build cloud native technology solutions that are enterprise available for a vast enterprise. So good vision, good strategy, good culture. We're lean. We're agile. And we've got some good technologists to put that kind of technology in underneath the security best practices. Not everybody is a security expert. We all can't be security experts. Not everybody can be a full-stack engineer. But we have to have some specialists to put some meat on the bone.

Yep. So we had good people on the team and good partnerships. And we actually started... this was our strategy before the CNCF best practices document came out. So this is what we're going to show you, before and after, because first, it was nice because it mapped pretty well, and second, we made some improvements. So we wanted to release these capabilities. So we talked about before, shifting security left is not dumping everything on developers. So we wanted to build capabilities that help developers to be able to handle these new demands that compliance and everybody else is putting on. So we approached it: hey, we're your partners.
We're going to help you protect the code in the code repositories. We're going to help you make sure you're getting the right licenses. We're going to make sure you've got clean components and have tools and keep and environments and repositories like we just heard from to do that. We're going to make sure that the scans are done and that they're easy. And then it gets a little fuzzy at the end. We're like, yeah, and build pipelines. We didn't have a lot of thoughts there yet, because we were kind of just starting that, but then we knew that that was going to be a big focus. We had some resources assigned to it. So this was our starting place.

It was great, and it was early 2021. I started working with Ryan. He started talking to me about a strategy, and this is so appealing to me. Okay, it's simple and it covers a lot of my career actually today, you know, but it's very much a capability view at this point. And then what are we going to do? Protect our source code, do some SCA scanning, do some credentials discovery, use good components, and then out here we've got this big piece of securing the pipelines.

Yeah, which we didn't have well defined. We were doing some basic things, and we'll talk about that a little bit. And we were just calling it securing our applications' source code.

That's right. That's right. Yeah. So a picture tells a thousand words. Okay, DevSecOps. What's DevSecOps? What does it mean across the SDLC? And for me, you know, it was always: can we get the code from here to the customer as quickly as possible? Was it a waterfall, and then we go agile, now we can do this faster. And then in the new world, okay, we're taking in these components. We were always taking customer off the shelf components, but now there's huge amounts of OSS, and the attacks are coming the whole way along here. I'm saying to Ryan, you know, Ryan, if we're going to protect the front door, we've got to stop the stuff coming in at the back door. Let's protect our ingestion boundary.
So I drew this picture, and I tried to make it principles and standards based and agnostic.

Yeah, agnostic. And we needed a map to have these conversations, because we'd jump in and go, okay, remember this part in the pipeline? We need to start talking about that. And the people in the room would just check out. Sorry. Okay. Let's build the map, we'll get input from other people. And we didn't get as much input as we thought. They were just like, yeah, okay. I mean, we can have conversations here. You've got some major processes. We didn't want to make it too detailed, and we didn't want to make it too high level. So we tried to find the right way that we knew how to talk about where to put the security pieces.

So we found we could talk to the waterfall guys. We could talk to the agile guys. You can actually fit a container pipeline in here, which we have.

Yeah, so this was our map, and we have our security services across the top. This is how we were trying to communicate to people how we fit in to the work that they're doing. So this was our starting point.

And then, well, you know, so we were discussing all this and we're just about to launch the process. Well, Joe Biden's executive cybersecurity order: we'd better go and have a good look at this. And I think everybody probably knows broadly what's in there. You know, protect the federal government, protect the infrastructure. There's a big section in it called secure software supply chains, and this is in response to SolarWinds. And of course then it's the SBOM. The SBOM: I've been doing bills of materials for a long time. Generally, they're in your makefile or your manifest. Do you check on the other end? Do you attest? Do you verify? So this is a standards-based SBOM, okay?
One that's transferable and interchangeable.

And this gave us some leverage, because 3M does a lot of business with the federal government and other defense departments and stuff, and we're saying, guys, they're taking this very seriously. We need to make sure we're staying ahead of the game, because you never want to be caught behind, where they're like, I need this by next month, and you're like, well, we don't do that yet. So we need to make sure we deliver whatever it is that they look like they're going to ask for. And I'm like, oh, hey, we've already got plans for these things.

Yeah. Absolutely. And I'm not a security guy at that stage. Well, I am, but I think everybody should be a security guy. I think everybody should be a DevOps guy. It's not that guy over there's fault. We're all in this game together, and it's resonating with me. And we're going, hang on, we've been trying to get ahead of this game, and they're talking about it. What happens next? Well, two days later, two days later, this wonderful document drops from the CNCF, and I'm doing my normal examination of what's new in the world of hacking and software supply chains. The document comes out. It is a wonderful document. I read it. I said to Ryan, I said, Ryan, you know, we're not that far off. You know, we've got to put some more meat on the bone, but look what we're just after getting here from the CNCF document. So, recommended reading for everybody in the room.

So, what is it about? And for me, it's about principles and standards at the high level. There's really good governance. There's really good principles about your risk environments, your risk appetite. But general principles: trust, trust at every stage and every job in the pipeline. So attestation and verification. It's high on that. It's also high on automation. Better, faster, cheaper, better, faster, cheaper. No, no. Better, faster, cheaper and more secure.
Okay, so that you have consistency. The investment in automation is paid back later, because you have consistency, less effort. It's automated. Clarity at every stage: know where it happens, control that environment. Build nodes, as we heard earlier on, hardening your pipelines. You must be able to reproduce the build at any time, and anybody else who needs to do it. People think often, you know, oh, we'll move the source code system from here to here. Yeah, we'll just lift and shift it. No, you've got to bring the pipelines, the processes and all the builds with them, which means, okay, bit for bit, byte for byte, your artifact at the end has to be the same before and after that migration. So clarity is really important. And then of course the MFA, mutual authentication, every step of the way. Everybody needs to be authorized and accessed and certified. So that's critical. Okay.

So what does the document actually have in it? And lo and behold, it breaks down the software supply chain. Securing your source code: protect your code at rest. Okay, so it's 22 good principles in there that everybody should be looking at. How to secure the integrity of your code, your access to your code, the integrity of your environments. And there's some pretty high bars that you would have to meet. Signing your source code with GPG and mind keys. It's difficult for some systems to achieve.

And also in these controls that each of the sections have, or each of the statements or requirements, there's different levels. What would you do if you're just trying to low? And this is coming like for public people, public repositories. For medium or moderate levels, which would be more like internal system, confidential types of things. And then high, which would be missile systems, air traffic control, banking, PHI data.

Okay, and some of these are a high bar to achieve. And when you assess that, you look at it, don't forget all the branch protections and all those configuration, source code management 101 stuff.
It's all there, but called out in clear principles to remind us. Next section is securing the materials. So you have your source code, and you have all your materials, where your materials come from. Okay, so a lot of OSS and probably some COTS, off-the-shelf tools as well. Okay, so attestation, SCA analysis, SBOMs from your vendors, and again verification, automation all the way through. Some really good practices there, I think 33. When you get down into securing your build pipelines, that's a great section of the document. Everybody should read it. And the presentation earlier on, securing your build pipelines with Kubernetes and Tekton, yeah, I think they're hitting a lot of the ballast there. But, you know, what we're talking about is immutable pipelines. Okay, so that nobody can get in, the administrators are not getting in there and changing it on the fly. We don't want any snowflakes. We want to have build workers that are reproducible continuously, typically now in a container, that you can spin it up and it is certified as well. So in-toto is big here, big recommendation. Very high bar to reach, but we're going, hang on, let's not let perfect get in the way of better. Okay, it's a journey. We're on this journey through Amazon. This journey, digital transformation, is a journey. We have to go there, but don't be put off by some of that really high-level stuff. Measure your risk appetite to where you are.

Well, that's part of how we'd recommend using this: find the ones that work for your organization. You don't want it to be too far of a reach. You also don't want to make it too easy. So we spent a lot of time, like, you're moderate, plus maybe this one and this one there, you know.

Securing artifacts at the end of the build.
Okay, so you've got your build, you've got your manufacturer, put it in a repo. Okay, put a checksum on it, put a hash on it, promote it to your QA environments. Make sure that it's the same one, with the same license and all the same code in it that your team actually released. Promote that to your environment. Do your unit test, system test, integration test, performance test, all of your tests. When you're ready to go, you might bring it closer to a target environment. That's where it should come from. Just your CD is taking it and putting it out there. And then the last piece, the CD. Okay, make sure, and we've spoken already today about the TUF framework. It's big on the TUF framework there. So attestation, verification, clarity, trust every step of the way, and then least privilege and separation of duties and reproducibility and automation. This is gold dust, this document.

Okay. Very good. So Connor, what did you do when the document came out?

Well, I had to read it a few times. And actually I read it a couple of times since I left Dublin. We're both in Dublin here at the moment. This is like, every time I read it, I was reading on, I get a new one. I'm just going, I have to think about that again. You know, what are we going to do? So what do we do?

Well, you broke it out.

I did. I parsed it out into clauses, and I put the clauses into categories.

He's like, Ryan, check this out. I've got this whole thing in a big spreadsheet for you. I'm like, whoa.

Yeah, absolutely. And then Ryan goes, well, that's amazing. That's good. But hang on. How are we going to make this work for 3M?

Yeah, 3M has its own culture and its own vernacular, right?

Okay, and we've got to translate that into the words people commonly use, but we had a framework. Okay, so it gave us a good reference.
It told us where we were weak, told us where we were strong. It told us some bits that we hadn't covered.

So then we took those phrases, those different pieces. We simplified the language a little bit to make it more consumable, and then we kind of put it into controls. Listen, I'm like, I've done this before. I've done these. This looks like a controls framework. So I put it on the bottom, you see, I put control objectives and numberings on there, and who's the owner, and evidence required, and everything else. We just start filling it out like this, and it was quite enlightening. As we went through, we started seeing a lot of patterns, and we had some great discussions when we came up with, well, what evidence, what would we expect someone to give us if they were going to meet this control? And this would be targeted more for the toolchain owners and less towards the application owners, right?

Absolutely. And then, you know, all this control policy, these are big hammers that you can bring into an organization, but we're a team that likes solutions. Yeah, okay. We do not want to leave how good are our current solutions. How do they measure up against this? Yeah, you know, which ones, how do these different tool sets measure up against each other? Because we would like to converge, but not necessarily be completely rigid.

And how not to make friends is to come in with this real hard requirement that there's no tool to be able to do yet and say, go figure it out, right? That's a terrible position.

Your baby is ugly.

Yeah, so we're like, let's find out what we can do. And then we're going to work with the tool owners, and we come to them and we're going to say, our job right now is to make you the gold standard for the company.
We're going to try to get you up to that level, so work with us for a few months. We're going to do an assessment of your tool, find out where we're deficient, see if we can get some items on the backlog, and see if we can get these things fixed for the different tools that are supporting this out there. And the natural way that conversation worked is, after they saw that initial pass, they're either: oh, yeah, okay, well, that's doable, we can fix those things and we'll secure this pipeline. Or: yeah, our technology, we just can't do that. We're going to decommission this and move to some of the more modern ones. Which is great. I didn't have to be the bad guy. We're just like, hey, yeah, they'll admit to, you know...

But respectful conversations, transparent conversations, collaboration, partnership, really important. But we do come in with the know-how and the show-how. The show-how is, how do you actually prove that you rotate your keys? Yeah, you know.

So here's a couple of examples of how we do this, and we can get into more detail if people want to get it, I have questions later, but here's two of them. I just pulled out... one's a little fudged, because first, I had to get this through the legal review, and second, I didn't have a lot of screen space. I wanted to just put this together. So the first one would be securing your source code. So are you doing secret scanning or preventing secrets from getting in? Well, secrets preventing, false positives cause problems, and we're still working on the prevention part. But we said, for right now:
Let's just make sure we've got scanning, make sure that it's magic stuff, that it's on, and that developers are getting these findings, and it's going to the vulnerability team too, so they can help track that. That's where we want to be for right now. The lucky person who's the owner would be the owner of the GitHub or TFS or whatever technology was doing this. And we want to make sure the secret scanner is working.

So, and I can report on their stewardship of that technology. Yeah, and we're not bringing somebody he liked to shine the lights into their eyes, you know. We're saying, tell us how we can help you improve this. Should you be doing it, or is this a service we should provide you so you can do this right? That's the approach.

So the second one: securing materials. Software composition analysis. Those are like your Black Ducks and Sonatypes and other things. You can either integrate Black Duck or whatever tool into your pipeline and make sure this scan's happening every time, or you can just have to get your stuff, like they just mentioned, from Artifactory or Nexus, that's already been wrapped and approved, and nothing gets in unless it's approved. And so as long as you're pulling your stuff from that, then you meet this control. So this is kind of the approach that we took on how we get the evidence. And it depends on, you know, obviously, this is subdivided, and there's multiple, a little bit more complicated. But the other groups don't need to see that. They just need to know we've got it organized. And it's by a person who can actually make it wrong.

You also interleaved some of that with some standard controls that we actually have for logging and monitoring everything. We also had to move some pieces around a little bit, because we had a two-year strategy and we didn't want to go... I know it's what we have. We wanted to pin our strategy at the top and then have those capabilities underneath. So, for example, DAST scanning: we can put DAST scanning into merge clean components.
Okay, or possibly in the QA. However, SCA, we put it there. And also, yeah, I think Ryan and... the building artifacts, the storing the artifacts, and clean deployments. That's a lot to take in for somebody. So we crushed that into your to build pipe.

We'll talk about that in just a sec. In fact, maybe I'll skip to it now. So I'll skip to the strategy, and we'll talk about how it helped. But we took the structure that they had and kind of used it to simplify. So, you know, secure build and deploy became... we kind of merged a couple of those in, and now we have definitions behind all of it. Like, I know how to assess people against those different things. That's your software bill of materials, certified build pipeline, certified delivery mechanisms, all those things. Then we just simplified the strategy in general, because, you know, license and components were kind of, you know, they merged it in the best practices document. We're like, oh, yeah, that makes a lot of sense. So it helped us to simplify our message. We aligned it with the best practices document, and this is really easy to communicate to executives. I can go in and say, here's what a secure software supply chain looks like. You have these pieces. By the way, here's our strategy. You implement this and you have a secure software supply chain. And they just go, great, what do you need? I mean, it's a much easier conversation.

It is.

They ask us to come there because something like Log4j happens. And it's so nice when you've got this plan, and I know how much time it's going to take. We didn't get into this, but we can talk about, you know, resources and ROI for this.

And yeah, yeah, Ryan deeply understands how to get that message up there. What does value mean? Security costs, okay, but it also reduces costs.
Okay, if you have automated security, you can prove reduced costs. Your CIO, your CFO may not understand SDLC and the secure software supply chain, but he can understand our supply chain, and he can understand cost reduction and effort.

Yeah, that's a big one. So with this, one thing I found really, really helpful is to actually get good estimates on how much time it would take to do this manually, or how much time it would be if you can automate this. And I actually put that into hours, and we deliver that monthly. And it was really painful at the beginning, but as with anything you iterate on, you get better at it and better at it. So now I can show every month, both legacy projects, we kind of get a residual because it still helps those, but any new project that comes in, I'm like, if you were to do this manually, it would have taken you this long. Our tools do it in this much time, right? It's automated. And the CFOs love that stuff, because they're like, well, I can spend money because I see my ROI here, and it's legitimate. They have to do it either way. You might as well do it the fast, easy, automated way, and we're helping you do that.

Absolutely. And remember I mentioned the old-style CMDB. That was fine when you had 20 servers, but now we've got containers with very short life cycles. So this dynamic inventory of where is it, where has it gone to, how did it get there? If you have your operations teams continually trying to figure out what's out there, and they don't know, because there's been no trail back, no audit trail, no release note with the SBOM, where did it go to? That's your cost saving right there.

So we've talked about... we only have a couple of minutes left. We've talked about how it really helped having this best practices document come and then reinforce our strategy. Now we could leverage an industry standard, and we're talking to all these tool owners, and I mean, it was just really nice in that perspective. But I want to end with this.
Yeah, so here's some advice, some lessons learned along the way. We did not do everything right. In fact, about some of the stuff we're doing now is wrong. See if they have ideas, we'd love to hear from them. We just, we learn and we fail and we do better next time. We're open and transparent, right? We're open and transparent. We like making new mistakes. That's right. Create these alliances, a partnership. Like, we're never trying to embarrass teams. We always want to give people plenty of time before the results are published, before anything comes to, you know. So we always work with the groups, trying to get things up before other people find out about it. Absolutely, we don't want to crush them into a corner, and we want people to be open with us. So we're very respectful. We understand their problems from a security perspective and from a development perspective. But we want them to acknowledge once is the first part to that journey. Yeah, and we've made lots of friends along the way. I mean, this is ultimately, I'm convinced, a culture change. It's a culture change for how developers do their work in a lot of cases, for how managers prioritize the work, and for how people pay for software.
I mean, there was a paradigm, especially in some of the acquisitions, where it's like, hey, we're just gonna do, you know, we're gonna do things really agile. We're gonna use all free software and it's gonna be super cheap, and we don't have to pay for licenses that way and we can just be fast. And we're like, okay, well, show me how you meet these requirements with this thing you've cobbled together over a weekend. And so if you're gonna meet all these security requirements, it's better to use one of the items on what we call the paved road. Right, if you use this technology and this component management and this pipeline and these things, we will do your compliance stuff for you, because it's all already automated. If you do it by yourself, I'm gonna need all these deliverables, all this evidence to show me that you're doing it. And so it kind of restricts people adding risk because they're doing it their own way a little bit, and also gets more engagement in the big processes, because if those aren't working for them, they need to give that feedback so we can add the features. And so we don't come in with the policy framework and say no, no, no, this is wrong. We'll come in with a paved road. Okay, we build solutions and we go, how about this way over here, look. Yeah, this way works. And guess what, leaders lead those who want to follow. We want everybody to be secure. They'll come with us. There will be an ugly tail perhaps, but guess what? You know, policy will harden as we improve behind us, and then, you know, we're making it easier for developers to do the right thing and not, as Ryan says, dumping to the left. Yeah, we're not dumping to the left. It's all about people. These are professionals. They want to do what's right. If you show them the right way to do it, we found that they just love it. They're very grateful for, hey, good, thank you for letting me know exactly what was needed, giving me the tools to do it, right?
I haven't found anyone in 3M that's like, nah, I want to do things insecure. Like, nobody says that. They say, well, I'd like to do that, but I'm getting all this business pressure. Right, so we can give them some air cover by talking to their executives and making sure that they've got the air cover. And also, well, what you're asking me to do is really, really hard. Can you help make it easy? Yeah, we can do that. And if you do that, we found that we have really great results, and it's been a great journey. Connor's legitimate, this guy. He's fantastic, and it's been a pleasure to work with him. And when he's done helping us, you should be lining up at the door to get all. I just want to say it's a pleasure to be on the stage here. I can talk techie and he can talk leadership. It's a pleasure to work with him. But most importantly, to say thank you to the CNCF. Yeah, great document. I don't know how much time we have. We have time for questions, or you can talk to us after. Probably get one. Okay, one question. I guess they're talking to you after. They're talking to us after, then. So, talk too fast, Connor, right? Ryan comes from Utah, but his inner Irishman is coming out. That's it. I'm not even allowed to kiss the Blarney stone. I can just go. I was gonna wear my hat up here. Thank you. Thank you.