Announcer: It's theCUBE. Here is your host, Jeff Frick.

Jeff Frick: Hi, Jeff Frick here with theCUBE. We're on the ground at Santa Clara Convention Center at the OpenDaylight Summit. It's the second year they've had the show, about 800 people talking, everything's software-defined, networking, and we're excited to have our next guest coming all the way across the Pacific to be on theCUBE, David Jorm, Senior Manager of Product Security from IIX. Welcome.

David Jorm: Yeah, it's great to be here.

Jeff Frick: So this must be a really big event for you to come all the way over here.

David Jorm: It is, it's huge. I mean, OpenDaylight Summit, like you said, it's only the second one. The number of attendees here is amazing. So to have the opportunity to come here and hear everything that's going on in the SDN space is a really good opportunity.

Jeff Frick: So IIX is an exciting new company. We covered the Peer 2.0 conference last year. So for the folks that aren't familiar with IIX, give them a little background.

David Jorm: Yeah, so IIX, we're calling it the Software-Defined Interconnect Company. So I guess people listening to this probably know about software-defined networking, probably know what that's about. The idea is applying the sort of concepts behind software-defined networking to establishing connections between different networks. So think about it: you've got a couple of big network operators, maybe you've got AT&T or Verizon, then you've got maybe Google or Facebook or LinkedIn that serves a lot of content to those networks, and they'd like to establish a direct connection from one network to the other so that an eyeball network could consume all the content from, say, a cloud service provider, and we're automating the process of provisioning those connections. So that's what we're calling Software-Defined Interconnect.

Jeff Frick: And I don't think a lot of people understand quite how much peer-to-peer stuff is going on in most of the content that they consume every day.

David Jorm: It's huge, and we're trying to actually shy away from the term peer-to-peer because it's overloaded. If you speak to people about peer-to-peer, they say, oh, so like sharing video media or so, and you say, no, no, no, that's one kind of peer-to-peer, but peering, and what we're calling direct interconnect, is huge. So it's where two networks connect to each other and exchange traffic without traversing the public internet. And that's actually how the core of the internet is formed. If you look at all the big network providers, the way that they actually interchange data with each other is by going into an internet exchange point and directly connecting. It's a kind of hidden ecosystem, but it's actually at the core of how the internet functions.

Jeff Frick: And your specialty is security. So you're here, you're giving a talk on security, world-class security. So tell us a little bit about what you're gonna be speaking about for the folks that aren't gonna make your session.

David Jorm: Certainly. So back in December 2014, I first started to get involved with the OpenDaylight Project, and back then it was kind of more in its infancy and there were some security issues. There were some vulnerabilities that had been published and there were no patches. Nobody was kind of cottoning on to the fact that these security issues existed.

Jeff Frick: This is in OpenDaylight?

David Jorm: This is in OpenDaylight. So I came in, you know, as a security guy saying, ah, okay, we need to fix this. So I established the OpenDaylight Security Response Team, documented a process, had that process ratified by the TSC, and now we're executing it. So we have a really solid security response process that's in place. If you report a vulnerability in OpenDaylight, we can keep it private. We can coordinate disclosure. We can ship a patch. That's all there. The next step, though, is actually getting ahead of the game and establishing some proactive efforts. How can we reduce the risk of there being security vulnerabilities in the future? And that's what my presentation this year is gonna be all about.

Jeff Frick: So it's interesting, you know, the power of a foundation like this where you, as an individual, I assume you're an individual, you know, you can spot something that's a significant problem and really kind of jump in with both feet and not only make a contribution, but really set a trend in an ongoing effort to plug that hole.

David Jorm: Yeah, and I was actually really amazed by how welcoming the community was. I've participated in open source communities before. I worked for Red Hat for five years, so I'm very familiar with how it works. And a lot of open source communities are actually a little bit confrontational, particularly if you say something that's potentially negative. Hey, you've got a problem with security here. A lot of people will become very defensive. They won't want to let you contribute. The OpenDaylight community was really welcoming, and they just said, great, yeah, can you help us? Tell us how to do it. And so it was a great opportunity, yeah.

Jeff Frick: So it's interesting, so then what lessons can you share with the OpenDaylight community based on your old Red Hat experience to make sure that this project stays on track, doesn't get forked? You know, they always hear about, you know, conflicts between kind of management and direction and forking and all kinds of things that can go sideways. What are some of the real keys for OpenDaylight to really stay on track and continue to deliver a lot of value to its members?

David Jorm: That's a great question. I'd say from my perspective, two things. The first is keeping it open, open to collaboration. So that speaks to the experience I had back in December. Everybody was really welcoming. They said, just tell us how you'd like to do this. We'll review your process and we'll implement it. There was no barrier, there were no egos, so we need to keep that. The other is keeping it vendor-neutral, because otherwise you'll have a situation where a vendor wants a particular feature for their business reasons. That won't be accepted upstream, so they'll fork. And if we can keep it vendor-neutral, we'll avoid that problem as well.

Jeff Frick: Okay, so what are you working on next? What's the next great hurdle to overcome?

David Jorm: Yeah, so like I said, the next step is to actually try and get ahead of the game and do some proactive security work. So I've actually got an intern that's working with me through the OpenDaylight Summer Internship Project, and he's nearly finished that. So what he's implemented is a bunch of automated checks and balances in the build system. So when you kick off a build, it will actually automatically inspect the code, it'll look for patterns of vulnerabilities, it'll look at the dependency tree and see whether any of the packages that you're bringing in have a known vulnerability. And if it sees them, it will fail the build. So this will allow us to automatically detect at least some of the security issues before they enter a stable build of OpenDaylight.

Jeff Frick: Okay, excellent. And I think we can save the date. There's a big save-the-date coming up for IIX later this fall. So can we see, can we see, we gotta see you there?

David Jorm: Yeah, I'll be there. September 9th at the San Francisco Masonic Center. Save the date, it's gonna be exciting.

Jeff Frick: One more time, what date, September 9th?

David Jorm: September 9th, yeah.

Jeff Frick: Save the date, theCUBE will be there, Dave will be there, a bunch of people will be there, Al will be there, Will will be there. Excellent, well, thanks for stopping by, and good luck on your talk tomorrow.

David Jorm: Fantastic, thank you.

Jeff Frick: And I'm Jeff Frick, this is David Jorm. You're watching theCUBE, we're at OpenDaylight Summit.
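The build-time dependency gate David Jorm describes near the end of the interview, sketched as an added example (this is not OpenDaylight's or IIX's code): it parses constructed Maven-style `group:artifact:type:version:scope` lines of the kind `mvn dependency:list` prints, compares each coordinate against a constructed advisory list, and reports the build as failed when any dependency version is below the advisory's fixed-in version. All advisory IDs, coordinates and versions are placeholders.

```python
# Added example: fail a build when a dependency matches a known advisory.
# Not OpenDaylight or IIX code; all coordinates and advisory IDs are constructed.
import re

# Constructed sample of `mvn dependency:list` style output (placeholder coordinates).
DEPENDENCY_LIST = """\
   org.example:netlib:jar:1.2.3:compile
   org.example:yangtools-util:jar:0.7.1:compile
   org.example:json-parser:jar:2.0.0:test
"""

# Constructed advisory feed: (advisory id, group:artifact, fixed-in version).
# Any version strictly below fixed_in is treated as affected.
ADVISORIES = [
    ("ADV-PLACEHOLDER-001", "org.example:netlib", "1.2.4"),
    ("ADV-PLACEHOLDER-002", "org.example:json-parser", "1.9.0"),
]

LINE_RE = re.compile(r"^\s*([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+):(\w+)\s*$")

def version_key(v):
    """Dotted version -> integer tuple so "1.2.10" sorts above "1.2.9"."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

def parse_dependencies(text):
    """Return [(group:artifact, version, scope)] for each dependency line."""
    deps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            deps.append((f"{m.group(1)}:{m.group(2)}", m.group(3), m.group(4)))
    return deps

def find_vulnerable(deps, advisories):
    """Return [(advisory id, coordinate:version)] for every affected dependency."""
    hits = []
    for coord, version, _scope in deps:
        for adv_id, adv_coord, fixed_in in advisories:
            if coord == adv_coord and version_key(version) < version_key(fixed_in):
                hits.append((adv_id, f"{coord}:{version}"))
    return hits

def build_passes(text=DEPENDENCY_LIST, advisories=ADVISORIES):
    """The gate: True only when no dependency matches an advisory."""
    return not find_vulnerable(parse_dependencies(text), advisories)
```

In a real pipeline the gate would consume the live dependency tree and an up-to-date advisory feed, and a non-empty result from `find_vulnerable` would turn into a non-zero exit code that fails the build.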