Good afternoon, brilliant humans, and welcome back to Fabulous Chicago. We're live streaming here from KubeCon, CloudNativeCon, CNCF's largest North American event. My name is Savannah Peterson, and I am joined by two really interesting people. First off, my co-host, Rob, you're doing an absolutely stellar job. I appreciate that. Yeah, you're going to be interesting in this. I'm going to try to step up my game and get up to the scene. I just introduced you to interesting, so let's hope we can get you out of it. We're going to try to step up my game today, so. I love that. We are also celebrating women in tech with ink on the show today. Just casually, please welcome Emily. Welcome to the show. Thank you so much for having me. You're like a star here today. This is your fourth appearance at various things. How are you feeling? What's it like to be on the KubeCon show floor? It's good. It's nice to actually be here after co-chairing KubeCon for a couple of times now. I get to enjoy the conference in between interviews. That is good. So you used to be a co-chair, Silar? No, no longer a co-chair. My last circuit was in Amsterdam, so I did my three tours and I'm done for a while. I sense that that's great. You've done your contribution and now you're ready to go. That's exactly right. Ready to ride. So tell us a little bit about what you're doing at Red Hat and what's going on for you now. So I'm new to Red Hat. I've only been here less than three months now, but I'm there. Congrats on the new game. Thank you. I lead our security team in emerging technologies, which is a group that is focused around understanding a little bit more about where technology is headed, what are some of the new innovations and how do we grow those communities and those ecosystems and turn them into more robust projects and eventually products for Red Hat. 
I'm also our security community architect working with our open source program office to identify security community ecosystems like the Open Source Security Foundation, Technical Advisory Group for Security and CNCF and understanding more about where they're headed, what is it that they're looking at and bringing that back into Red Hat. So you're very much kind of on the future forward front of the boat here. Yes, it's super fun. Yeah, that sounds super interesting. Ooh man, since you're in your first 90 days, what's gotten you the most excited since you joined? Continuation of software supply chain security because that's kind of like my forte and where I really came in, but some of the other things that I'm learning about now like edge computing, AI security, as well as remote attestation for nodes, post-quantum cryptography is another area that I'm looking into for how do we bring those from the open source upstream projects all the way into operating systems that consumers don't have to deal with how to update those libraries. So with seeing it's your bailiwick with supply chain, for me, how far do we need to go beyond SBOMs? A lot, SBOMs are not a silver bullet. I gave a talk about this a long time ago that they're not going to solve all of our software supply chain problems. They're just one important component, but there's so much more in software supply chain security that needs to happen. We've done a great job since Log4Shell happened and since SolarWinds and understanding more about like what is good security practices for software development and DevSecOps movements helped shift a lot of that focus and attention left. So we've got more capabilities like Sigstore and doing commit signing and signing artifacts, that's great, but we still have the user education side that goes with it. It's great if we're signing things, but you also have to be checking to make sure that they're signed by who you expect them to be and verifying that content. 
In addition to that, software bills of materials are great. A lot of organizations are starting to produce them, but they don't necessarily understand how they should be using them. So learning more about technologies like GUAC, which are actually creating mechanisms for consumers of software to understand what's in them and where they're being deployed and what that risk is is very important. Well, it was funny cause you bringing that up and it was, we had on some of your colleagues from Red Hat earlier today, and we were talking about one of my favorite things, which is Backstage and the Backstage plugins that are now going through secure, they're being secured. Yeah, I hadn't even thought about the fact that hey, these plugins, I have to go recode to plug them in, but I have no way of verifying. And now there's a marketplace for that and some verification. Are you seeing a lot more about how you're looking towards the future, how you bring that kind of attestation to all of the different pieces? Because to me, that's the biggest, always the biggest question mark with open source is, is it secure or not? Where did it come from? How do I know it's valid before I go plug it in in my environment and then, oh well. Introduce chaos. Yeah, introduce some malware that I didn't know how it got in there. It's funny that you mentioned that. So without the advancements that we've made post-Log4Shell, we wouldn't be able to have some of these conversations and software supply chain security is actually driving a lot of the zero trust conversations that are now coming to the forefront because it's not necessarily about just signing and verification. 
It's actually understanding what went into the build and whether or not you can make decisions about that information because what is an acceptable security posture for you is going to be very different from somebody that works in national security systems and they have higher considerations and assurance guarantees that need to occur. So yes, definitely. We're seeing a lot more of these principles and concepts being applied across different technology areas and now starting to have conversations about it for AI systems as well. I was going to say, because to me, that's one of the things is injecting in through prompt engineering, injecting in malicious, either code or actually data into it so that it is returning false negatives or injecting if you're using a code pilot or what have you. Is that, are you starting to see those attacks like starting to come up? Or I've heard about one, but. I'm not necessarily seeing them but a good security person doesn't necessarily need to know the exploit is out there running in the wild to be prepared for it. So having these conversations now before we have a SolarWinds-like event for AI is very important. Getting people to start understanding that with large language models, there's an integrity mechanism that needs to be verified so that you know that the data that went into the model to train it is producing kind of the expected results that you're looking for and having the ability to independently verify that. It's just like when you build a software artifact, you want all that metadata so you can say, all right, it's allowed to go in this environment but not this one because these certain things weren't performed. We want to be able to do the same thing with AI workloads is verifying where they came from, what went into their creation, are they subject to hallucination, for instance, and then what their confidence score is as well. 
What percentage of the conversations that you're having since you touch a lot of things in the future for Android and AI is such a hot topic as you said the show is AI, AI, AI, AI. What percentage of the conversations that you're having are focused on AI versus on other emerging tools and tech? A lot of them are around AI because a lot of people don't understand the space very well. I'm still learning, I'm still figuring that out. We are all still learning. There are very few true experts out there. Don't believe the armchair experts folks they're pulling your leg right now. But a lot of it has been around AI because people see it as a huge disrupter. I was in a conversation earlier today where somebody had made mention that it's going to have about the same impact as kind of the internet is. So a lot of the things that we're saying. A lot of the things that we're talking about today on AI possibilities and AI security may not be true in a year and two years and three years as we start learning more about them. But it's a balanced conversation. AI is really just another workload with special needs that we need to design cloud native technologies to accommodate but also how do we take large language models or predictive AI and use that to improve our infrastructure. How do we help balance the conversation around AI use and sustainable compute utilization as well. Another topic that we've been having. And right now they're butting heads. I keep hearing the conversation of this is a problem and yet here's the solution. But we kind of want to have our cake and eat it too, unfortunately. Well and that's in the cryptography space whether we're talking about blockchain or we're talking about AI or we're talking about any of this. It is the compute challenge and there is power. I mean you mentioned earlier Rob, I love this stat. Two glasses of water, 18 ounces of water, every five. 16 ounces of water for every ChatGPT. 
Five ChatGPT prompts that go through Microsoft's data center in Idaho. And I mean when you're talking about 16 ounce bottle of water evaporating. Yeah, two glasses of water, it's chaos. Yes, I guess it is two glasses. I was just a little step ahead on the math there. It's okay, we'll get you there. And math, it's running me right now, it's okay. But I think what's interesting around security in general and again being in the office of the CTO and really getting to look forward on that is the fact that there's also been a lot around social engineering that's come into this as well. I mean the MGM thing was totally socially engineered but there's things, two-factor authentication, that could have been used. There's different types of keys versus SMS. And I came out of that complaining about a bank I used that was still using SMS and it drives me nuts. What other things in Kubernetes are, as you look at the entire security plane there are big red flashing flags that really people are aiming at right now to go and address what we're not there yet. That need more help, need more resources put on it. Well, I'm just going to say flat out the entire ecosystem needs more contributors. Those are the resources that we actually need. And Kubernetes is a really good example of this because it's been so prolific within the cloud native ecosystem when we have so many users of that project we're not seeing the return come back in from a contributions perspective. So when you're an adopting organization and you have demands or wants and features of Kubernetes or any of the cloud native projects what the concern then comes in is we don't have enough people to do it. And we have to start being very selective of which features we're going to work on and how we're going to do it. Because if you're not there to speak up and champion it and put in the work, chop the wood and carry the water it's not really going to happen. 
That to me is the biggest risk in the ecosystem from a security perspective is we've got all these great projects. They've now become that little piece that everybody relies on as part of the internet working. What happens when everybody decides to retire and move to the mountains? We need to have that pipeline of contributors to fix those problems. I think that's such an astute and powerful observation. I think it's really important. I mean, since yet, this is all about the community. Exactly. You used to be one of the co-chairs without everyone here contributing. There literally isn't all of us sitting in this room. Correct. Let alone the tools that so many companies and people are relying on. Exactly. How, I actually really want to ask you this because I think this is interesting. How would you, or how are you actively recruiting to more community members or more interest in this space? If someone's watching this that say that maybe is not as deep down the Kubernetes hole as the rest of us at this table, what would you tell them about contributing to the ecosystem and collaborating and being involved? Start by showing up to a meeting. I'm actually glad that you asked this question because I was talking with somebody about it today is that the CNCF has technical advisory groups and they really serve an entire domain of technology area like security or like environmental sustainability and runtime. Those are all examples of them. The nice thing about getting involved there is you don't need to be an expert on any project or technology. You can come in with a learning mindset and just do the work, roll up your sleeves, figure out what needs to be done to advance that domain forward. And during that process, you get exposed to a lot of cloud native projects. 
It's a great way to familiarize yourself with projects like Falco or like SPIFFE and SPIRE or Keycloak which is kind of like where I got involved in those projects was through TAG Security and through the CNCF Technical Oversight Committee. So there's a lot of opportunities just by showing up, asking questions, driving the conversation and don't be afraid to try something new. I mean, even as we were talking and I was asking you about an acronym, you said there are no stupid questions and I think, I mean, just speaking frankly, I knew absolutely nothing about Kubernetes until about four years ago. I did not know what was going on in this ecosystem and it's been so fun to learn and I've really felt like a lot of people to your exact example have helped teach me. I mean, you included taught me something earlier today and will probably continue to teach me as time goes on. I think that's great, particularly because I'm sure you've noticed there's a line for the men's room and not for the ladies room. I don't normally like to play the gender game but we've got two strong inked lasses on this stage right now and so I am gonna call it out. What do you think other folks in our ecosystem could be doing to encourage more allyship across the board doesn't just have to be gender and then how do we recruit more awesome people like us to be talking and passionate about? I think there's still some not necessarily unconscious bias but I think there is this kind of broken rung I think is the correct term that allows non men to get into technical positions and to do contributions to the projects. 
A lot of women in tech that I have talked to have felt that as long as they do the work and they get recognized for it, they're great but a lot of the difference between men going into technical contribution roles and even technical leadership roles a lot of them see it as here's the potential that I can provide you whereas with women we're like look at what I already did but it's probably not that great and that's something that we also need to overcome. The tonal shift. So for us within the TOC being able to recognize contributors for the work that they've done and demonstrate the impact both to them like you did this thing and it had this impact on the ecosystem and then allowing them to take that content and give it back to their employer so that they understand the value of that because we don't do enough thank you's in technology. We don't do enough embrace. Amen. And we don't have enough empathy for each other and I feel like that is something that needs to become more paramount because the more empathetic conversations that you have the more like hey let's have a conversation. How can I help you? What challenges are you experiencing? I might not have the answers but I can certainly connect you with somebody that might. Having that kind of discussion that's how we bring more non males into the ecosystem and that's what makes Cloud Native Computing Foundation so attractive to a more diverse contributor base. Oh yeah. And we still have a long way to go but we've made a lot of strides. We have and every time I see Priyanka up there talking it makes me feel good. Yeah, think about all those little girls watching for the first time. We've got Cassandra from one of the daughters of the JFrog team who teaches teenagers by using Phippy and how to learn Kubernetes. 
I mean there's so many things in this space that really do give me hope but I think you hit on, you gave me chills when you said there's not enough thank you's in technology and I think you're absolutely right. We forget, we talk about how the machines might take our jobs. We forget that we treat each other like machines in our jobs already half the time and it's honestly quite heartbreaking. So I just want to say thank you for bringing that up. I'm glad you asked the question. It's not often talked about enough and the more that we can discuss it in an open and frank manner in the effort to improve things the better we're going to get. Absolutely and I love that you brought up that mirror showing people what they've really done because there is that bashfulness, that tall poppy, that modesty and it comes across the industry in a lot of different ways but saying hey no no you did this. Reinforcing that I think is really special and helping them amplify. It's the positive side of accountability that we don't ever exercise about. It is the positive side of accountability. We always think we're going to get in trouble. God forbid we celebrate the wins. Yeah. Yeah I think it's also and again not being female like you know I don't live in that world but from the folks. You're an ally though Rob. Absolutely and I think from the people that I've been on my teams as I've headed a product at multiple startups what I saw was it was exactly that, that mirror and how do you help them get past you know almost the imposter you know. That's what it is. 
You know scenario where they're thinking hey I can't do that versus giving them hey positive reinforcement about hey when I went and first did this I wasn't a hundred percent right on it and nobody's ever a hundred percent right on it the first time don't worry about it keep going and keep you know pushing forward on these activities and you will have success and I think that definitely you know I have a young daughter and that's you know she's going off into a STEM field and she's very happy about that. Good job dad. Yeah I try I mean again and I look at it with her and I think because she's been raised that way and I think that that is my little hope for you know more balance and more people in that is that again we do talk about it here openly and have that discussion so. It's funny that you mentioned that Fred Coutts talked about this earlier today during one of the keynotes he was recalling an inscription that Kris Nova had provided him in a book that she had written and it was thank you for believing in me and as parents we do that for our kids and as community members we should be doing that for each other letting somebody know that you believe that they're capable of doing something sometimes is the thing that they need to unlock that potential. I want us just to give a masterclass on empowerment up here I mean I love everything that we're talking about I love what we're talking about security talking about software supply chain which is also everything we've talked about in the last few minutes is not talked about enough so I'm so glad that we're having this conversation so definitely have to be another conversation that we continue I love the parent piece we had Michael from your team up here earlier and he was saying that his four year old daughter was reading him some of the cloud native books. That's awesome. 
Just last night he actually showed me a picture it melted my heart she was also a dinosaur for Halloween which is absolutely just precious but do you think that that's you've been a part of a lot of communities you're clearly passionate in the DevOps space do you think that that's one of the very unique things about the CNCF community or do you think that's open source community at large? I think it's something that's unique to CNCF and I think that's what makes us so successful is our community and the open embracing culture that we have when it works the way it should we're not perfect by all means and we can always iterate and improve upon like where we are today to where we need to be in the next two to five years but for us it's that sense of community and camaraderie like looking around at the in memoriam this morning and seeing like a lot of people that I know and people I don't know in tears and choked up at the losses that we've experienced this year it's because they're almost like family for us like I check in with community members I talk to hey are you doing okay I saw this was going on how can I help you let me know if you need any kind of support or if you want me to take the workload off of your plate because sometimes that's what we need we need to be able to step away and we don't encourage that as a safe thing to do and that's something that we can certainly improve on as well. Well and we for you know I think you're absolutely right I think it's one of the beautiful things I talk about community here all the time community is really special and that separates us from the machines but it is that how are you really doing not just what are you doing? Yep. How is your heart, how's your soul it's been a savage couple of years. It has been and a lot of people like since the pandemic it they would kind of withdrew a little bit from society so we're all relearning how to behave around each other. 
Yeah, as the last few KubeCons have shown this is a general social awkwardness level 10 for sure. Right, but it's through like getting together in these kinds of events either in person or even virtually online because there is a large virtual attendance for KubeCon we want to make sure that people have those opportunities to connect with folks either within their time zone or outside of it because cloud native is an international community which means we have all sorts of different cultures and perspectives and everybody has their own job that they do every single day and cloud native is just yet another hat that they wear. They're like wonderful hobby that helps make the world better. I mean, there's something really magical about people who go home and are like and I'm going to continue to build with my friends somewhere else that I may or may not ever meet. I think it's pretty spectacular. All right Emily, I've got a question I've never asked anyone this but I think since we talked about the journey a lot where'd you get your confidence from? It's inspiring. A lot of it is fake it till you make it. I kind of go in. That's adulting. Yeah, that's true. I go into a lot of stuff with like an open mind because I'm not an expert on everything and nor will I try to be but I look to learn as much as I can and part of that is being confident that I'm in a learning place and that I can always learn from others and I also firmly believe in like sharing the information that I've gained. So like I've talked about this in several of my keynotes about knowledge glaciers and sharing information and leading the way to bring others along and that's a skill that as technologists we don't do a good enough job at. How do we communicate effectively with our peers to get our point across? If you can't successfully sell your project through an elevator pitch we have a communication challenge. You should be able to do that. And if it's too complex- Oh gosh, yeah. 
Look how that's some of the boost out here in the back. Thanks, seriously. It needs to be simple and a lot of that is practice, be open to change understand that you're going to have limitations and it's okay to be vulnerable and humble about that. Oh, God, yes. Amen, everybody needs to drink a coffee of that confidence right there. And it's true, it's the curiosity, it's okay to be curious, ask questions. And this community in particular unlike some of the uptight tech bros that live with me in the Silicon Valley is extremely welcoming and embracing. All right, final question for you because I've got a unicorn on my body and I'm not sure which cam we're looking at but I'll look at all three. You self-identify as a security unicorn. Yes. What does that mean? So I feel like I'm in a very strange part of the security community. When I talk to other security professionals they're either hackers, they do penetration testing, maybe they do a little bit of design work. That's the first thing I think of, yeah. I kind of came at security from a very different perspective. Prior to joining technology, I was a creative director for an entertainment company so running events and doing kind of event management is my jam. But because I wasn't born into hacking all the time I'm not a coder. I don't program if you saw my code, it's atrocious. So I bring a very different perspective to it. So I ask very different questions than what most software engineers are used to. Exactly, that's right. And that's what I feel makes me a security unicorn or in some cases I say I'm a security T-Rex. I might be a little old school in tech but even still I'm new and I'm kind of novel. Do you have a favorite dinosaur? Stegosaurus. Beautiful. Dinosaurs have been a theme at the show somehow today and I'm loving it. I'm feeling the Dino vibes. My gosh, Emily Fox, thank you so much for being here. Seriously. It's been a pleasure. Absolutely wonderful to have you. 
I'm very confident you'll be chatting with us many more times. The Moxie Fox, if you want to find her on the internet folks, Emily Fox of Red Hat. Rob, thank you so much for the wonderful conversation as always and thank you all for tolerating, listening to me for a little bit longer than usual because that was far too entertaining to wrap in 15 minutes. Ladies and gentlemen, my name is Savannah Peterson, live here from Chicago at CNCF's KubeCon CloudNativeCon and you're watching theCUBE, the leading source for emerging tech news.