Hey everyone, we're so glad you're here with us. theCUBE is covering CloudNativeSecurityCon 23. Lisa Martin here with John Furrier. This is our second day of coverage of the event. We've had some great conversations with a lot of intellectual, exciting folks, as you know, because you've been watching. John and I are very pleased to welcome back one of our alumni to theCUBE: Taylor Dolezal joins us, the head of ecosystem at CNCF. Taylor, welcome back to theCUBE, great to see you.

Hey everybody, great to see you again.

So you are on the ground in Seattle. We're jealous. We've got FOMO, as John would say. Talk to us about, this is the inaugural event. We were watching Priyanka's keynote yesterday. It seemed like a lot of folks there, 72 sessions, a lot of content, a lot of discussions. What's the buzz? What's the reception of this inaugural event from your perspective?

So it's been really fantastic. I think the number one thing that has come out of this conference so far is that it's a wonderful chance to come together and for people to see one another. It's been a long time that we've kind of had that opportunity to be able to interact with folks. Or you know, it's just a couple of months since last KubeCon, but this is truly a different vibe. And it's nice to have that focus on security. We're seeing a lot of folks within different organizations work through different problems and then finally have a vendor-neutral space in which to talk about all of those contexts and really raise everybody up with all of this new knowledge and new talking points, topics and different facets of knowledge.

Taylor, we were joking on our yesterday's summary of the keynotes, Dave Vellante and I and the guests, Lisa and I, about the CNCF being, having an event operating system, you know, very decoupled, highly cohesive events strung together beautifully at the Linux Foundation.
You know, kind of tongue-in-cheek, but it was kind of fun to play on words because it was a very technical community, but the business model of hackers is booming. The reality of business is booming and cloud native is the preferred developer environment for the future applications. So the emphasis, it's very clear that this is a good move to do, and targeting the community around security's a solid move. Amazon's done it with re:Inforce and re:Invent, we see that. Nice segmentation. What's the goal? Because this is really where it connects to KubeCon and CloudNativeCon as well, because there's shift left there too. Here it's very much about hardcore cloud native security. What's your positioning on this? Am I getting it right or is that how you guys see it?

Yeah, so that's what we're talking about as well as we were thinking on breaking this event out. So originally this event was a co-located event during the KubeCon windows in both Europe and North America and then it just was so consistently popular, clearly a topic that people wanted to talk about. Which is good that people want to talk of security. And so when we saw this massive continued kind of engagement, we wanted to break this off into its own conference. When we were going through that process internally, like you had mentioned, the events team is just phenomenal to work with and I love how easy that they make it for us to be able to do these kinds of events too. So we wanted to talk through how we differentiate this event from others. And really what's changed for us and kind of how we see this space is that we didn't really see any developer-centric open source kinds of conferences. Ones that were really favoring of the developer and focused on APIs and ways in which to implement these things across all of your workloads within your organization. So that's truly what we're looking to go for here during all of these sessions, and that's how it's been playing out so far, which has been really great to see.
Taylor, I want to ask you on the ecosystem, obviously the built-in ecosystem at CNCF.io with KubeCon, CloudNativeCon's there. This is a new ecosystem opportunity to add more people that are security focused. Are there new entrants coming into the fold and what's been the reaction?

So short answer is yes. We've seen a huge uptick across our vendor members, and those are people that are creating cloud offerings and selling those and working with others to implement them, as well as our end users. So people consuming cloud-native projects and using them to power core parts of their business. We have gotten a lot of data from groups like IBM and security, IBM Security and Ponemon Institute. They gave us a cost of data breach report that Priyanka mentioned, and talked about 43% of those organizations haven't started or are in the early stages of updating security practices of their cloud environments. And then here on the ground, talking through some best practices and really sharing those out as well. So I've gotten to hear pieces and parts of different conversations and I'm certain we'll hear more about those soon, but it's just really been great to hear everybody with that main focus of, hey, there's more that we can do within the security space and let's help one another out on that front, just because it is such a vast landscape, especially in the security space.

It's a huge landscape and to your point earlier, Taylor, everyone has the feeling that it's just so great to be back together again, getting folks out of the silos that they've been operating in for such a long time. But I'd love to get some of your, whatever you can share in terms of some of the cloud-native security projects that you've heard about over the last day or so. Anything exciting that you think is really demonstrating the value already in this inaugural event?
Yes, so I've been really excited to hear a lot of, personally, I've really liked the talks around eBPF. There are a whole bunch of projects utilizing that as far as runtime security goes and actually getting visibility into your workloads and being able to see things that you do expect and things that you don't expect and how to remediate those. And then I keep hearing a lot of talks about Open Policy Agent and projects like Kyverno around how do we actually automate different policies or within regulated industries? How do we actually start to solve those problems? So I've heard even more around CNCF projects and other contexts that have come up, but truly most of them have been around the telemetry space, eBPF and quite a few others. So really great to see all those projects choosing something to bind to and making it that much more accessible for folks to implement or build on top of as well.

I love the reference you guys had, just the ChatGPT that was mentioned in the keynote yesterday, and also the reference to Dan Kaminsky, who was mentioned on the reference to DNS and BIND, a lot of root-level security going on. It seems like this is like a tiger team event where all the top alpha security gurus come together. Priyanka said experts, bottoms up, developer first, practitioners; that's the vibe. Is that kind of how you guys want it to be, more practitioners, hardcore?

Absolutely, absolutely. I think that when it comes to security we really want to help. It's definitely a grassroots movement. It's great to have the people that have such a deep understanding of certain security, just bits of knowledge really. When it comes to eBPF we have high surveillance here that we're talking things through. Falco is here with Sysdig, and so it's great to have all of these people here. Though I have seen a good spread of folks that are, most people have started their security journey but they're not where they want to be.
And so people that are starting at a 201, 301, 401 level of understanding, definitely seeing a good spread of knowledge on that front. But it's really, it's been great to have folks from all varying experiences but then to have the expertise of the folks that are writing these specifications and pushing the boundaries of what's possible with security to ensure that we're all safe and updated on that front too. That I think was most notable yesterday, like you had said.

Sorry Taylor, when we think of security, again this is an issue that organizations in every industry face; nobody is immune to this. We can talk about the value in it for the hackers in terms of ransomware alone, for example, but you mentioned a stat that there's a good amount of organizations that are really either early in their security journeys or haven't started yet, which kind of sounds a bit scary given the landscape and how much has changed in the last couple of years. But it sounds like on the good news front it isn't too late for organizations. Talk a little bit about some of the recommendations and best practices for those organizations who are behind the curve, knowing that the next attack is gonna happen.

Absolutely, so fantastic question. I think that when it comes to understanding the fact that people need to implement security and abide by best practices, it's like I'm sure that many of us can agree on that front. Hopefully all of us, but when it comes to actually implementing that, I agree with you completely. That's where it's really difficult to find where do I start, what do I actually look at? And there are a couple of answers on that front. So within the CNCF ecosystem we have a technical action group security. So TAG Security, and they have a whole bunch of working groups that cover different facets of the cloud native experience.
So if you, for example, are concerned about runtime security or application delivery concerns within there, those are some really good places to find people knowledgeable about that, even when the conference isn't going on, to get a sense of what's going on. And then TAG Security has also published recently version two of their security report, which is freely accessible online. You can actually look through that, see what some of the recent topics are and points of focus and of interest are within our community. There are also other organizations like OpenSSF, which is taking a deeper dive into security, initially kind of having a little bit more of an academic focus on that space and then now getting further into things around software bill of materials or SBOMs, supply chain security and other topics as well.

Well, we love you guys doing this. We think it's a very big deal and we think it's important. We're starting to see events post-COVID take a certain formation, joking aside about the event operating systems; smaller events are happening but they're tied together. And so this is key, and of course the critical need is our businesses are under siege with threats, ransomware, security challenges as IT moves to cloud native. Not everyone's moved over yet. So that's in progress. So there's a huge business imperative and the hackers have a business model. So this isn't like pie in the sky, this is urgent. And so that being said, how do you see this developing from who should attend the next one or who are you looking for to be involved to get input from? You guys are open arms and very diverse and great culture there, but who are you looking for? What's the makeup persona that you hope to attract and nurture and grow?

Absolutely. I think that when it comes to trying to, the folks that we're looking for, the correct answer is it varies from if you're asking Priyanka, our executive director, or Chris Aniszczyk, our CTO. I work mostly with the end users.
So for me personally, I really want to see folks that are operating within our ecosystem and actually pulling these projects down and using them and sharing those stories, because there are people creating these projects and contributing to them might not always have an idea of how they're used or how they can be exploited too. A lot of these groups that I work with, like Mercedes or Intuit for example, they're out there in the world using these projects and getting a sense for what can come up, and by sharing that knowledge I think that's what's most important across the board. So really looking for those stories to be told and novel ways in which people are trying to exploit security in attacking the supply chain or building applications or just things we haven't thought about. So truly that developer archetype is really helpful to have, the consumers, the end users, the folks that are actually using these, and then truly anyone knowledgeable about security or that wants to learn more.

Super important. We're here to help you scale those stories up, whatever you need. Send them our way. We're looking forward to getting those said. This is a super important movement. Getting the end users who are on the front lines bringing it back into the open, building more software, making it secure and verified. All super important. We really appreciate the mission you guys are on. And again, we're here to help. So send those stories our way.

Cool, cool. We couldn't do it without you. It's just everyone contributing, everyone sharing the news. This is, it's people. People is the true operating system of our ecosystem. So really great to share.

That's such a great point, Taylor. It is all about people. You talked about this event having a different vibe. I wanted to learn a little bit more about that as we wrap up, because there's so much cultural change that's required for organizations to evolve their security practices. And so people of course are at the center of culture.
Talk a little bit about why that vibe is different. And do you think that, yeah, it's finally time everyone's getting on the same page here? We're understanding, we're learning from each other.

Yes. So to kind of answer that, I think it's really a focus on, there's this term shift left and shift right, and talking about where do we actually put security in the mix as it comes to people adopting this and figuring out where things go. And if you keep shifting it left, that meaning that the developers should care more deeply about the deeper understanding of all of these, even if they don't understand how to put it together, maybe understand a little bit about it or how these topics and facets of knowledge work. But like with anything, if you shift everything off to one side or the other, that's also not going to be efficient. You want a steady stream of knowledge flowing throughout your whole organization. So I think that that's been something that has been a really interesting topic and hearing people kind of navigate and try to get through, especially groups that have deployed an app and it's going to be around for 40 years as well. So I think that those are some really interesting and unique areas of focus that have come up on the floor and then in a couple of the sessions here.

There's got to be that balance there. Last question as we wrap, the last 30 seconds or so: what are you excited about? Given the success and the momentum of day one, what excites you about what's ahead for us on day two?

So on day two, I'm really, there's just so many sessions. I think that it was very difficult for me to, which one I was actually going to go see. There are a lot of favorites that I had kind of doubled up at each of the times. So I'm honestly going to be in a lot of the sessions today. So really excited about that.
Supply chain security is definitely one that's close to my heart as well, but I'm really curious to see what new topics, concepts or novel ideas people have to kind of exploit things. Like one, for example, is a package that is out there. It's called browser test, but somebody came up with one called bowser test, just a very simple misname. And then when you go and run that, it does a fake kind of like, hey, you've been exploited, and just even these incorrect name attacks. That's something that is really close and dear to me as well. Kind of hearing about all these wild things people wouldn't think about in terms of exploitation. So really, really excited to hear more stories on that front and better protect myself both at home and within the cloud community as I stand with things up.

Absolutely. You need to clone yourself so that you can, there's so many different sessions. There needs to be multiple versions of Taylor that you can attend. And then you can all get together and talk about and learn, but that's actually a really good problem to have. As we mentioned when we started, 72 sessions yesterday and today, lots of great content. Taylor, we thank you for your participation. We thank you for bringing the vibe and the buzz of the event to us. And we look forward as well to hearing and seeing what day two brings us today. Thank you so much for your time, Taylor.

Thank you for having me.

For our guests and John Furrier, I'm Lisa Martin. You're watching theCUBE's day two coverage of CloudNativeSecurityCon 23.