Hi, this is your host Swapnil Bhartiya, and welcome to a special edition of TFiR: Let's Talk. We are here at KubeCon EU in Amsterdam, and today we have with us once again Ian Riopel, Chief Customer Officer at Slim.AI. Ian, it's great to have you on the show.

Thanks. I mean, yeah.

So tell us a bit about, you know, what has been your experience at the show from the perspective of what you folks announced here: what kind of crowd you saw, what questions you heard from them. Just give us a kind of, you know, what you heard and saw here.

Yeah, so there's been a lot of interest in what we're doing. The show has been incredibly well attended, and what's interesting is everyone's trying to find a solution to this container security hardening challenge. And so with our announcement around having an automatic way to actually integrate into your CI and ship more secure, slimmer containers, we've had a lot of interest, a lot of people coming by to learn more about it, and happy to work with them.

And that's what I think you folks also announced, automated container hardening. Talk a bit about what it is. And of course, you talked about it: there is a kind of, you know, desire for container hardening, but I think container security has been, you know, ever since Docker and containers came into existence. So talk a bit about why it's still a problem, which led to the launch of this product or service, and how does it work?

Yeah, so today, from an industry perspective, our best practice is to start with a pre-hardened container, something like an Alpine or something like that, and then you iterate on that and you develop on top of it and, you know, do your best practices from a vulnerability scan perspective, and ship at the end of the day a container that has as few vulnerabilities as possible at that moment of time. What we're seeing, though, is over time there's a dramatic uptick in the number of vulnerabilities, as you're even continuing to patch the containers and future versions. So very, very rarely do the, when the fixes come out for maybe a vulnerability, if there is one, then when you apply that fix and you re-release the container, that may fix the problem in the short term, but now your container size has maybe increased by 10, 20%. And so there's this constant growth that's taking place in our pursuit to trying to chase down vulnerabilities, even though we're starting with this minimized base image. Our approach is the opposite. We say, let your developers develop on whatever they want. You can start with a minimized image, or you can start with basic Debian latest, whatever you'd like, and go through that process, and at the very end, just before you're going to do your EDE, before you're going to put it into staging, that's when you should really be focusing on coming up with a minimized, hardened container. And what we find is when you take someone that goes kind of through that traditional best practice flow versus our flow, we will almost always have a smaller container, a more secure container with less vulnerabilities, not just today but also tomorrow and next month and the month after, because there's less attack surface there to be used.

Is it a product, a project, a service? What is it?

Yeah, so it's a SaaS-based solution that will actually integrate with your pipeline, and our platform will work with your registry and with your CI/CD to automatically reduce the number of vulnerabilities and reduce the container sizes.

And if you look at the whole container world, you know, there are a lot of projects, there are a lot of solutions there that do work towards hardening. So talk about what is the benefit that this, you know, automated container hardening is bringing to the whole ecosystem. How's it different, or what value does it add on top of?

Yeah, so, you know, when we think about, the space is evolving so quickly. So when we think about vulnerability detection within containers, that was an area that got really noisy really quick. So now everyone's starting to talk about, okay, well, you have all these vulnerabilities, now let's determine which ones are real, which ones are exploitable. We're saying, why go through all that process when you don't actually need 50, 60, 70, 80 percent of the code that's actually in that container? You still are gonna have to go through cycles of justifying or having mitigations in place for the vulnerabilities that are surfacing. Let's just take it all out and never have to talk about them at all. And so it's a much more simple approach, not just from a developer standpoint, but also from a security and management perspective.

Security often, you know, kind of slows developers down. So talk about, you know, with this automated container hardening service, how it helps developers maintain their velocity. And, you know, last time we also talked about developer experience.

Yeah, so this is one of the things that makes me really excited about the solution. Because we're born out of kind of a developer-centric project addressing a need that's impacting everyone on the cyber side, we're able to make lives a lot easier and allow them to be a lot more creative. And by shifting, I don't want to say we're still left, but we're shifting more to the right within the left. So instead of making all these problems from the base image on a developer problem, from us to make sure that they're doing best practices around security, we're saying let them develop and be creative and produce the best features and functions and code that they can and want to, and then let's do security as the final step, because at the end of the day the deliverable is better than tying their hands earlier in the process.

When you are here at KubeCon, of course everybody likes to talk about security, but, you know, what you're doing about it is more important than, you know, "Yes, we want security." So what are you seeing there, you know, where is security when you look at all these players, developers?

Sorry, yes. Yeah, so it's interesting because we see a couple of different camps. We have the folks that are very aware of security, their security posture, what they need to deliver, especially if they're delivering to regulated industries, to government, critical infrastructure, and they tend to be very aware and are trying to do the right thing and have made huge investments in this kind of start with a base golden image and kind of build from there. Or we have the other side, which is, I like to just say, the YOLO: they create their containers and they ship it out, and if they get feedback that there's a concern or security issue, then they'll kind of go patch it or try to fix it after the fact. What we're saying is more people are going to be put into the camp where they're going to have to be more proactive about this, and we're already seeing some large organizations and government entities. Actually, in the US, there's a mandate, an executive order that goes into effect, that any container producer that ships code that is utilized by the US federal government, or a company that supports the US federal government, so there's a flowdown effect, will have to ship an SBOM with their code and actually burn down their vulnerabilities over time. So like it or not, there is some more regulation that's gonna be coming into this space here in the very near future.

It's gonna be very relevant. And thank you so much for taking time out today and not only giving us an update on, you know, what Slim.AI is doing, sharing about the automated container hardening, and also the wider picture in how the security landscape is evolving and changing. Thanks for all those insights, and as usual, I'd love to have you back on the show.

Thank you.

Thank you.