John Furrier: Hello and welcome back to theCUBE's coverage of DockerCon 2021. I'm John Furrier, your host of theCUBE. A great guest here, CUBE alumni, Stephen Chin, Vice President of Developer Relations for JFrog. Stephen, great to see you. Again, just remote this time. The last time was in person, at our last physical event, when we had you on theCUBE. But great to see you. Thanks for coming in remotely.

Stephen Chin: No, no, very glad to be here. And also it was awesome to be in person at RSA Conference when we last talked. And the last year has been super exciting with a whole bunch of crazy things like the IPO and doing virtual events. So we're transitioning to the new normal. We're looking forward to things getting to be hybrid.

John Furrier: Great success with JFrog. We've been documenting the history of this company, very developer focused, the successful IPO and just the continuation, that you guys have transitioned beautifully to virtual because, you know, a developer company runs virtual. But also you guys have been all about simplicity for developers, and we've been talking for many, many years with you guys on this. This is the theme at DockerCon again. This is a developer conference, not so much an operator conference, but more developer focused. You guys have been there from the beginning, nationally reported on it, but talk about JFrog and the Docker partnership and why is this event so important for you?

Stephen Chin: Yeah, so I think, like you said, JFrog has been and always is a developer focused company. So we build tools and things which focus on developer use cases, how you get your code to production and streamlining the entire DevOps pipeline. And one of the things which we believe very strongly in, and I think we're very aligned with Docker on this, is having secure, clean upstream dependencies for your Docker images, for other package and language dependencies.
And you know, with the announcement of DockerCon and Docker Hub's model changing, we wanted to make sure that we had the best integration with Docker and also the best support for our customers with Docker Hub. So one of the things we did strategically is we combined our platforms. So you can get the best-in-class developer tools for managing images from Docker. Everyone uses their desktop tools for building and managing your containers. And then you can push them right to the best container registry for managing Docker images, which is the JFrog platform. And just like Docker has free tools available for developers to use, we have a free tier which integrates nicely with their offerings. And one of the things which we collaborate with them on is, for anybody using our free tier in the cloud, there's no limit on the Docker images you can pull, no rate limiting, no throttling. So it just makes a clean, seamless developer experience to manage your cloud native projects and applications.

John Furrier: What's the role of the container registry in cloud native? You brought that up, but can you just expand on that point?

Stephen Chin: Yeah, so I think when you're doing deployments to production, you wanna make sure both that you have the best security, so that you're making sure that you're scanning and checking for vulnerabilities in your application, and also that you have complete traceability. Basically, you need a database and a log of everything you're pushing out to production. So what container registries allow you to do is they keep all of the releases, all of the Docker images which you're pushing out. You can go back and roll back to a previous version. You can see exactly what's included in those Docker images. And at JFrog, we have a product called Xray, which does deep scanning of container images. So it'll go into the Docker image. It'll go into any packages installed. It'll go into application libraries.
And it does kind of this onion peel-apart of your entire Docker image to figure out exactly what you're using. Are there any vulnerabilities? The funny thing about Docker images is, because of the number of libraries and packages and installed things which you have in a given Docker image, if you just take your released Docker image and let it sit on the shelf for a month, you'll have thousands of vulnerabilities, just by accruing from different reported zero-day vulnerabilities over time. So it's extremely important that you know what those are, you can evaluate the risk to your organization, and then mitigate it as quickly as possible if there's anything which can impact your customers.

John Furrier: I mean, you bring up a great point right there, and that is ultimately a developer thing that's, that's generational. I mean, depending on what generation you come from, and that's always the problem: getting the patches in the old days, getting the new code updated. Now when you have cloud native, that's more important than ever. And I also want to get your thoughts on this because you guys have been early on shift left too. I mean, years ago, shift left was not a new thing for you guys, ever. So you got shift left, build in security at the point of coding, but you're bringing up a whole nother thing which is, okay, automation. How do you make it so that the developer doesn't have to stop what they're doing and then get back and say, okay, what's out there in my containers? So how do you simplify that role? Because that's where the partnership, I think, really people are looking to you guys and Docker on is, how do you make my life easier? Bottom line, what's it about?

Stephen Chin: Yeah, so I think when you're looking at trying to manage large applications which are deployed to big Kubernetes clusters, and you have kind of all this infrastructure behind it, one of the challenges is, how do you know what you have out in production?
So how do you know exactly what's released and what dependencies are out there, and how easily can you trace those back? And one of the things which we're gonna be talking about at SwampUp next week is managing the overall DevOps life cycle from code all the way through to production. And we have a great platform for doing package management, for doing vulnerability scanning, for doing CI/CD, but you need a bunch of other tools too. So you need integrations like Docker so you can get trusted packages into your system. You need integrations with observability tools like Datadog, Elastic, and you need ITSM tools for doing incident management like PagerDuty. And what we've built out is an ecosystem of partner integrations which, with the JFrog platform at the center, let you manage your entire end-to-end life cycle of DevOps infrastructure. And this addresses security, it addresses the need to do quick patches and fixes in production, and it kind of stitches together all the tools which all of the successful companies are using to manage their fast-moving continuous release cycle, and puts all that information together with seamless integration with even developer tools which folks are using on a day-to-day basis like Slack, Jira, and MS Teams.

John Furrier: So the bottom line then for the developer is you take the best-of-breed stuff and make it all work together easily, is that right?

Stephen Chin: Yeah, I mean, it's seamless: you get an incident, you click a button that sticks a Jira ticket in for you to resolve, you can tie that with the code commits which you're doing and then directly to the security vulnerability which is reported by Xray. So it stitches all these different tools and technologies together for a seamless developer experience. And I think the great relationship we have with Docker offers developers, again, this best-in-class container management and trusted images combined with the world's best container registry.
John Furrier: Awesome, well let's get into that container issue because I think that's a fascinating and super important thing that you guys solve a big problem for. So I got to ask you, what are the security risks of using unverified and outdated Docker containers? Could you share your thoughts on what people should pay attention to? Because if they've got unverified and outdated Docker containers, you mentioned vulnerabilities, what are those specific risks to them?

Stephen Chin: Yeah, so there's a lot of different instances where you can see in the news, or even some of the new government mandates coming out, that if you're not taking the right measures to secure your production applications and to patch critical vulnerabilities in libraries you're using, you end up with supply chain vulnerability risks like what happened to SolarWinds and what's been fueling the recent government mandates. So I think there's a whole class of different vulnerabilities which bad actors can exploit. It can actually go quite deep, with folks exploiting application software in either your company or in other people's systems. With the move to cloud native, we also have heavily interconnected systems with a lot of different attack points, from the container to the application level to the operating system level. So there's multiple different attack vectors for people to get into your software, and the best defense for an organization against security vulnerabilities is to know about them quickly and to mitigate them and fix them in production as quickly as possible.
And this requires having a fast, continuous deployment strategy for how you can update your code quickly, very quick identification of vulnerabilities with tools like Xray and other security scanning tools, and just good integration with tools developers are using, because at the end of the day it's the developers who both are picking the libraries and dependencies which are going to be pushed into production and also are the ones who have to react and fix it when there's a production incident.

John Furrier: You know, machine learning and automation is always, I love that tech because it's always kind of cool because it's DevOps in action. But you know, it's not like a silver bullet. Your machine learning is only as good as your data and the code it's written on; same with automation, if you're not automating the right things or wrong things, it's all subjective on what you're doing, and, you know, beauty's in the eye of the beholder when you do things like that. So I want to get your thoughts on automation because that's really been a big part of the story here, both on simplicity and making the load lighter for developers. So when you have to go out and look at modifying code updates and looking at, say, unverified containers, or one that gets a little bit of, you know, hair on it with more updates that are needed, as we say, what's the role of automation? How do you guys view that and how do you talk to the developers out there when posturing for a strategy and a playbook for automation?

Stephen Chin: Yeah, so I think you're touching on one of the most critical parts of any good DevOps platform, which is, from end to end, everything should be automated with the right quality gates inserted at different points, so that if there's a test failure, if you have a build failure, if you have a security vulnerability, the automatic points in there will be triggered so that your release process will be stopped.
That you have automated rollbacks in production, so that you can make sure that if there are issues which affect your customers, you can quickly roll back. And once you get into production, having the right tools for observability so that you can actually sift through what is essentially a big data problem. So with large systems, you get so much data coming back from your application, from the production systems, from all these different sources, that you need an easy way to sift through and identify what are the messages coming back telling you that there's a problem, that there's a real issue that you need to address, versus what's just background noise about different processes or different application alerts which really don't affect the security or the functionality of your application. So I think this end-to-end automation gives you the visibility and the single pane of glass to know how to manage and diagnose your DevOps infrastructure.

John Furrier: You know, Stephen, you bring up a great point. I love this conversation because it always highlights to me why I love KubeCon and CloudNativeCon, part of the CNCF, and DockerCon, because to me it's like a microcosm of two worlds that are living together, right? You got, I think KubeCon has proven it's more operator, but not like operator-operator, it's like developer-operators. And you got DockerCon, almost pure software development but now becoming operator. So you got that, almost those two worlds are fusing together where they are running together. You have operating concerns, like will the parachute open? Will it work? And how do I roll back? These rollbacks, these are like operating questions that now developers got to think about. So I think we're seeing this kind of confluence of true DevOps next level where you can't, you can be just a developer and have a little bit of ops in you and not be a problem, right? Or get down under the hood and be an operator whenever you want. So there's a sense of flex.
What's your thoughts on this? It's just more about my observation, kind of in real time here.

Stephen Chin: Yeah, I know. So I think it's an interesting observation on the industry, and I think, I've been doing DevOps for a long time now, and I started as a developer who needed to push to production, needed to have the ability to manage releases and packages and be able to automate everything. And this naturally leads you on a path of doing more operations, being able to manage your production, being able to have fewer incidents and issues. I think DevOps has evolved to become a very complicated set of tools and problems which it solves. And even Kubernetes, as an example, is not easy to set up. Like setting up a Kubernetes cluster and managing it is a full-time job. Now that said, I think what you're seeing now is more and more companies are shifting back to developers as a focus, because teams and developers are the kingmakers, and with the rise of cloud computing, you don't need a full operations team. You don't need a huge infrastructure stack. You can easily get set up in the cloud on Amazon, Google or Azure and start deploying today to production from a small team, straight from code to production. And I think as we evolve and as we get better tools, simpler ways of managing your deployments, of managing your packages, this makes it possible for development teams to do that entire life cycle from code through to production with good quality checks, with good security, and also with the ability to manage simple production incidents all by themselves. So I think that's coming, where DevOps is shifting back to development teams.

John Furrier: It's great to have your leadership and your experience right there. That's a great call out, great observation. Nice gem there. I think that's right on it.
I think I want to get your thoughts, if you don't mind, going to the next level because you're nailing what I see is the successful companies having these teams that could be end-to-end workflows and have a mix of a team. I was talking with Dana Lawson, who's the VP of engineering at GitHub, and she and I were riffing on this idea that you don't have to have a monolithic team because you no longer have a monolithic environment. So you have these microservices and now you can have these, I don't want to call them micro teams, but you're starting to see an SRE on the team. That's the developer, right? So this idea of having an SRE department, maybe for big companies that could be cool if you're a hyperscaler, but these development teams are having certain formations. What's your observation of your customer base in terms of how your customers are organizing? Because I think you nailed the success form of how teams are executing because it's so much more agile. You get the reliability, you need to have the security baked in, you want end-to-end visibility because you got services starting and stopping. How are teams, how are you seeing developers? What's the state of the art in your mind for formation?

Stephen Chin: Yeah, so I think we work with a lot of the biggest companies who are really at the bleeding edge of innovation in DevOps and continuous delivery. And when you look at those teams, they have very, very small teams supporting thousands of developer teams building and deploying applications. So when you think of SRE and DevOps folks, there is actually a very small number of those folks who typically support humongous organizations. And I think what we're hearing from them is they're increasingly getting requirements from the teams who want to be self-service, right? They want to be able to take their applications, have simple platforms to deploy it themselves, to manage things. They don't want to go through heavyweight processes. They want it to be automated and lightweight.
And I think this is putting pressure on DevOps teams to evolve and to adopt more platforms and services which allow developers to do things themselves. And I think over time, this doesn't get rid of the need for DevOps and for SRE roles in organizations, but it changes, because now they become the enablers of success in good development teams. It's kind of like how IT organizations support you with automated rollouts, with all these tools, rather than in person. As much as they can do with automation, that helps the entire organization. I think DevOps is becoming the same thing, where they're now simplifying and automating how developers can be self-service in organizations.

John Furrier: Yeah, and I think it's a great revolution too because that makes total sense, because it is kind of like what IT used to do in the old days, but the scale is different, the services are different, the DevOps tools are different. And so they really are enabling, not just a cost center, but they're really driving value. And this brings up the whole next thread. I'd love to get your thoughts because you guys have been doing this with developers for a while: tools versus platform, right? Because this whole platform, oh, we're a platform, we're a control plane. There's still a need for tooling for developers. How do we thread the needle between what's good for a tool, what's good for a platform?

Stephen Chin: Yeah, so I think that there's always a lot of focus, and it's easier, if you can take an end-to-end platform which solves a bunch of different use cases together. But I think a lot of folks, when you're looking at what you need and how you wanna apply DevOps practices to your organization, ideally you wanna be able to use best-of-breed tools to be able to solve exactly what your use case is. And this is one of the reasons why, as a company, with JFrog we try to be as open as possible to integrations with the entire vendor ecosystem.
So it doesn't matter what CI/CD tool you're using, you could be using Jenkins, CircleCI, Spinnaker, Tekton; it doesn't matter what observability platform you're using in production; it doesn't matter what tools you're using for collaboration. We support that whole ecosystem and we make it possible for you to select the best-of-breed tools and technologies that you need to be successful as an organization. And I think the risk is if you kind of accept vendor lock-in on a single platform, or a single cloud platform even, then you're not getting the best-of-breed tools and technologies which you need to stay ahead of the curve. And DevOps is a very, very fast-moving discipline, along with all the cloud-native technologies which you use for application development and for production. So if you're not staying at the bleeding edge and kind of pushing things forward, then you're behind. And if you're behind, you're not able to keep up with the releases, the deployments you need to be secure. So I think what you see is the leading organizations are pushing the envelope on security, on deployments, and they're using the best tools in the industry to make that happen.

John Furrier: Stephen, great to have you on theCUBE. I want to just get your thoughts on JFrog and the Docker partnership to wrap this up. Could you take a minute to explain what's the most important thing that developers should pay attention to when it comes to security for Docker images?

Stephen Chin: Yeah, so I think when you're a developer and you're looking at your security strategy, you want tools that help you, that come to you and that help you. So you want things which are gonna give you alerts in your IDE, things which are gonna trigger your CI/CD and your build process, and which make it easy for you to identify, mitigate, and release, things which will help you do that.
So we provide a lot of those tools with JFrog and our Docker partnership, and I think if you look at our push towards helping developers to become more productive, build better applications, and more secure applications, this is something the entire industry needs for us to address what's increasingly a risk to software development, which is higher profile vulnerabilities which are affecting our entire industry.

John Furrier: Great stuff, big fan of JFrog, watching you guys be so successful, making things easy for developers and simpler and reducing the steps it takes to do things, as I say, is the classic magic formula for any company. Make it easier, reduce the steps it takes to do something and make it simple. Good success formula. Great stuff, great to have you on. For a minute or two, take a minute to plug what's going on at JFrog and share what's the latest and greatest with the company, what you guys are doing, obviously a public company, great place to work, getting awards for that. Give the update on JFrog, put a plug in.

Stephen Chin: Yeah, I don't know, so JFrog, I've been having a lot of fun working at JFrog. It's very, very fast growing. We have a lot of awesome announcements at SwampUp, like the partnerships we're doing, secure release bundles for deployments, and just a range of advances. I think the number of new features and innovation we've put into the product in the past six months since IPO is astounding. So we're really trying to push the edge on DevOps. And we're also gonna be announcing and talking about stuff at DockerCon as well, and continue to invest in the cloud native and the DevOps ecosystem with our support of the Continuous Delivery Foundation and the CNCF, which I'm also heavily involved in. So it's an exciting time to be in the DevOps industry. And I think you can see that we're really helping software developers to improve their art, to become better at release, again, managing production applications.

John Furrier: Yeah, and the ecosystem is just flourishing.
It's only the beginning and, again, bringing the craft back in Agile, which is a super big theme this year. Stephen, great to see you. Thanks for dropping those gems and insights here on theCUBE at DockerCon 2021, virtual. Thanks for coming on.

Stephen Chin: Yeah, no, thank you, John.

John Furrier: Okay, DockerCon 2021 coverage, virtual. I'm John Furrier, host of theCUBE. Thanks for watching.