Welcome to theCUBE's coverage of KubeCon EU 2024, live from Paris, France. Join hosts Savannah Peterson, Dustin Kirkland, and Rob Strechay as they interview some of the brightest minds in cloud-native computing. Coverage of KubeCon + CloudNativeCon is brought to you by Red Hat, CNCF, and its ecosystem partners. TheCUBE's coverage of KubeCon EU 2024 begins right now.

Welcome back to KubeCon + CloudNativeCon EU, live from Paris, here on theCUBE. I'm Rob Strechay, and I'm so pleased to be joined by Melinda Marks and my compadre Dustin, who's back with me, and I think this one is fun. We used to work together, but I think you just bring such a great security and cloud-native perspective that I was thrilled when you said you'd come on, because I know you do a lot of research in this space and you're out talking, probably exhausted from walking around and doing all of these...

No, I love it.

Yeah, so let's kind of jump into it. What has kind of been what you've been hearing as you've gone around and done a lot of briefings and things this week? What are you coming away with from here?

Yeah, I always come to these conferences with a perspective of: what do I tell security teams, what do I tell security leaders that they need to know about to make sure that they can be enabled for success in their organizations? Our research shows that they're dealing with more and more workloads in the cloud, modern development processes, and this is hard for security teams. They're used to traditional security methods and approaches, they're used to using the tools that they know and love, and for me, I'm always telling them you've got to talk to your developers, see what they're doing, see what they're using.
At this conference, the big theme was GenAI, which means security teams are going to have to brace themselves and figure out what they're going to do, because all of these performance improvements, all of these aids to make it easy for developers to increase... it's all about productivity, right? The move to cloud native is always about efficiency and productivity; security needs to make sure that they have efficiency and can scale to keep up, and that's challenging.

Yeah, it definitely feels like we're in the "move fast, break things" section, and then after you've broken things, then we've got to fix things, secure things, and then hopefully redeploy them with a little more security in mind the second time around, right?

Yes, and I'm the person who, I hear about the trends and I always think of what does that mean for cybersecurity: uh-oh, we need to make sure that we can do this securely or things are going to break and then you have to go backwards. You can't continue to move forward, and you don't want the security teams or the leaders to be a part of the reason why you can't move forward. You want to make sure that they're armed for success.

Yeah, we were actually talking earlier with Notary Project, which is doing signing of Kubernetes containers and things of that nature, and they're looking at it, and we actually had this discussion because I go, well, what about the models? What about attestation? And they are thinking down that road, but I think it just, the tech is moving so fast, and I was saying when we first got here, the one thing, the theme I didn't hear on the first day was security.

Yeah, it suddenly.

And I was kind of disappointed.

Yeah, there hasn't been as much security content at this show as I was hoping for. There was good content on software supply chain security, which is a big topic for developers. Saw a really great session.
Joshua Locke from Verizon did a really great session on software supply chain security without using acronyms, which I love. I love that concept. So I highly recommend that. He spelled it out and said, I promise no acronyms, but this isn't an acronym that everyone talks about with software. It was a packed room of developers wanting to know what they should know about software supply chain security. And it wasn't in security terms, it was what developers need to know. So that was a great session. A lot of good content like that.

You said it was packed. There was standing room only.

Yeah, standing room only. And yeah.

That shows the interest at least in the topic from the crowd.

Exactly. And it was just, again, very well done. I highly encourage folks to check that out. I tweeted some of the slides if anyone wants to look at my Twitter, because I couldn't stay for the whole session, but it was great.

Tell them what your Twitter is, so that they...

Oh, Melinda Marks. It's just @MelindaMarks, on X.

Your X, yeah, I know, I know, we'll get...

Yeah.

That always catches me as well, but how are you seeing kind of evolution between IT and security? I mean, we talked about this. I feel like we've been talking about this for three years.

Yes.

With platform engineering kind of being that center of excellence and sort of marrying up with SecDevOps and things of that nature. What are you seeing out of that?

Yeah, and this has to do with my background. So I have a background working in infrastructure. I had worked at VMware in the early days, kind of not early, early in my career, but kind of mid-career. So when I moved into cybersecurity, that was always something I was thinking about. So when I got into cybersecurity, it was a vulnerability management company. I didn't know anything about it. And the whole time I'm thinking, well, what's going to happen when everybody moves to the cloud? How is that going to be secured? What is the cloud?
What is the CSP going to do? What's going to happen at the infrastructure level? What are developers going to do? But I saw it as an opportunity, because when you think of traditional vulnerability management or risk management, it's about things like software patches, finding what's out of date. So with the move to cloud native, everything is about efficiency and productivity. Everything is scaling really fast. And these old concepts of "I'm an AppSec team, I need to secure all the things, I need to use the tools that I know and love from all the vendors that I know and love," that all gets disrupted with cloud native, because you can't just add more testing and get more alerts. Like, that just doesn't scale with cloud native. So I've seen this evolution happen where it was, oh shoot, security can't be a bottleneck. So we need to talk about shifting left. So developers have responsibility, but then security trying to force developer tools onto, or security vendors trying to force security tools onto developers isn't going to work, because they don't want to context switch and look at some-

Or friction.

Yeah, exactly. It ended up as shelfware. Whatever the security vendors were trying to put out for developers, and then you had security not seeing what developers were doing. They were using a lot of open source, and then on the monitoring side, they were doing some monitoring, but by the time things are happening, it's too late to fix it. So you had a very antagonistic relationship, and then you've seen the evolution of, oh, security is starting to understand that they need better developer-focused tools. So I did some research on that when I came to ESG: can you shift left? How successful have you been? And there's more of an understanding. Talked a lot. I know it's a little controversial how much I hate the term shift left, but it is shifting to developers, but it's not shifting. It's collaborating with them.
It's throughout the software development life cycle, and it's using the advantages of cloud native and the technology and the life cycle to try to better incorporate security in a way that it fixes these problems that we had, and to think of remediation in different ways. Think of, there's always this debate in security of do I invest more in preventative, proactive tools instead of reactive tools. Well, with cloud native, there's no clear line drawn. It's push things out, update, update. So you need to be able to get to that complete model where you can continuously improve your security program if you're taking the insights from runtime and plugging that back into tying the right policies, working with developers to improve, versus all these siloed tools or thinking of what am I doing at which part of the life cycle. You have to bring all of that together, and it's not easy. It's all complex, and we see this evolution.

Yeah, it's not one or the other, proactive or reactive. You've got to have both. Fundamentally, the part about shift left that is interesting is about not putting your organization into a situation where you have to have an incident response. Tom Carr gave us a preview of some of the work OpenSSF is doing around teaching organizations how to have a tabletop or an incident response session, but I think what you're saying is let's get out of the situation where we're dealing with as many incident responses.

Exactly, and we did a cloud detection and response study.
So Jon Oltsik and I, my colleague at ESG, we did this study because he covered security operations and SIEMs, and I was always telling him with cloud native, SecOps isn't going to work the same way, and some cloud native companies don't have those security teams or SecOps or SOCs, and so we wanted to do this study. And there was an interesting finding where there was an understanding that if you have security better integrated into developer processes, then it helps SecOps and you could be more successful. So those are the types of things that we can see with the research that are good evolutions to see.

And I think that the positive thing, and we were on yesterday and we heard that there was a security breakout session and the line was down the hall to get into it, like to the point where everybody's wondering why didn't they redo it if they had that many people. Are you seeing that, where developers are leaning in and wanting to get more knowledge on this now?

Yeah, and I think this is a good thing to see, but I also see our research shows that more developers want security teams involved as long as they're educated and understand them better. So we ask a lot of questions on what are the challenges with faster release cycles, what are the challenges for security teams, what are challenges for developers, and we are seeing the research showing that they want to work together, they want to collaborate. Another interesting finding in a couple of my studies is we ask what are the AppSec goals, and they're security focused, but they're the same as the app development goals, which are things like uptime, protecting data. And that's what I was going to say too about the GenAI stuff that was kind of lacking here: with GenAI, what the security teams really need to brace for is there's a lot of stuff that's already really challenging, and it's going to be even harder with GenAI and AI.
There's a lot of challenges with API security, understanding the different attack exposures and attack surfaces. There's a lot of challenges with identities, so not only human identities but machine identities. All of these things are going to increase. Data security, knowing where the data is. Where, how are you going to protect it? How are you going to keep it where it needs to be? Those are things that the security teams are going to need to address, and I hope that's addressed more in the future.

Yeah, and scalability I think is an important point that sort of ties all this together, right? As development scales, teams scale, the complexity of the interoperability of getting those teams to work well together such that things don't fall through the cracks and create security problems.

Yes, and ideally the tools, it's nice to see when the tools are making it easier for teams to collaborate. So when we do these research studies, we also ask things like which different roles and titles are setting policy for different aspects, and you see these duplications, and it's like, that's not efficient. These are areas that really show a need for improvement, because if you want security to keep up with cloud native development and all of this speed and efficiency and productivity, slowing them down with multiple people trying to set policies, multiple people trying to look at different tools and analyzing, it's not going to work. And this is another thing that comes out in the research: how many things are manual processes? Like tracking data, tracking identities, like that just is not going to work, these need attention.

Yeah, I think it's one of these things that as fast as everything moves, security is always playing catch up to a certain extent with some of these technologies.
I think to your earlier point, and we had several conversations with several different projects around this, is how do you think about working together so you're not reinventing the wheel over and over again? The one that I bring up all the time is on the observability side. Many of those projects kind of overlap with certain ones, and trying to figure out which one to go and use. And I think security is another place where there are a lot of different ways to secure things. There's not one happy path to security. And I think that's where, again, there has to be collaboration. And I think also, we've had some discussions about things like Backstage and making guardrails around development portals, so that security has a place where they can go put their things in there so that things can get checked out without having to involve somebody from security on every level, but they're using the right tooling and they feel like they're collaborative, so they know where to go and do that. Are you seeing that kind of collaboration and automation really starting to hit?

I do, yeah. And it's also, and we talked about this before at ESG when we were talking about the relationship between developers. When they realize that security can help them, save them time, they hate remediation work, they hate having to go back and fix something, or if they get a message that they have to fix something and they want the context, they just want to understand. And if security teams can work with them and they build that respect, it makes it a lot better. And it's the same with the CISOs. You see a lot of, like I talked to a lot of companies about what they're doing for security, and I'm always interested in, well, who's driving it? Is it IT? Sometimes it's, a lot of times it's ops, especially for cloud native. And then it's always, well, how involved is your CISO?
And it's either, oh, we're partners, we've worked together since the beginning, okay, great. Because ideally, the CISO isn't reactive to all the technologies. They have a seat at the table to pick their CSP or whatever technology it is. But sometimes it's, oh no, I don't even want to work with the CISO because they're going to put all these gates and tell me all these... And I talked to CISOs who say, I just think of cloud native, I'm going to hire pentesting and I'm going to set a bunch of policies, and then you sit there going, oh, that's not really going to work, you need to align on your goals, because you have common goals to help the business, enable growth, enable productivity, and then figure out how you can make it work and not be the team of no, be the, okay, how can we make this work?

Yeah, leading engineering teams, software engineering teams, I've certainly seen the pattern where a little bit of investment early in security is way better than a lot of investment late, or after it's too late, in security.

I think there is that awareness too of just wanting to avoid technical debt. There's that like, oh, we'll move too fast and then we'll add stuff and we'll have to rip it out. Like there's efforts to be more thoughtful about what their strategy is going to be, what solutions they're going to use.

So last question to you, it's been fantastic. What are you looking forward to when you get to June and you get to SecurityCon? What are you expecting to see there, or what do you hope to see there at that show?

Definitely addressing the GenAI, addressing things like data security. So some new areas that we're seeing a lot of interest in is things like data security. Data security posture management is a new category that has come up, and we're doing a new research study on that. Also again, the identity and access management, like how identity and access plays, because we see that as a top issue.
Also, another upcoming research topic: we have a new analyst whose area is risk management and vulnerability management. And again, it's bread and butter, what you need to do for security. But as there's higher percentages of workloads that are in the cloud, how is your typical vulnerability or risk management program affected by that move, and what do you need to think of? So I think those kinds of topics. There's a lot of talk about posture management, but it's how do you think of vulnerabilities differently for cloud native? How do you think of how you manage risk? Because most of your application, you're trying to get an advantage by building really complex applications, probably on Kubernetes, and with all of these APIs and all of these complex architectures, what are you going to do to manage risk and protect your data, protect your customer data, meet your business goals?

Well, I appreciate you coming on board, because I think again, as we were both surprised about how little security noise there was out there, we've definitely tried to solve that today with the entire afternoon of security, capped off with you. So I really appreciate you coming on board and helping us kind of put a bow on that. And Melinda, I forgot to say congratulations on becoming the practice director. I hadn't seen you since then. So I think again, looking forward to maybe when you have those studies done, having you on again. So thank you for coming on.

Thanks. Thank you, Dustin.

And thank you all for watching KubeCon + CloudNativeCon EU here on theCUBE, the leader in high tech news and analysis. See you soon.