Live from San Francisco, it's theCUBE, covering DevNet Create 2017, brought to you by Cisco. Welcome back everyone, we're here live in San Francisco for theCUBE's special exclusive coverage of Cisco's inaugural event DevNet Create, a foray into the developer open source world as they extend their classic DevNet core developer program three years old now going into the open source world. This is theCUBE, I'm John Furrier, my co-host is Peter Burris, the next guest is Matt Howard, EVP and CMO of Sonatype, know something about open source, Matt, great to have you on theCUBE, thanks for joining us. Thanks for having me. So first, talk about Sonatype, what do you guys do? Give a quick minute to describe the company, then I got some pointed questions for you. Well, we provide tools and intelligence to modern development organizations to basically reinvent how open source components are flowing through the pipeline, through the value chain, through the development life cycle. You guys are a service, SaaS service, are you guys a subscription? It's a subscription service and we provide two products. There's a product, which is a repository manager called Nexus where you store, organize and distribute software binaries into the development life cycle. And then there's a second server product called Nexus IQ, which provides intelligence on top of those binaries. So think of it as like FDA food labeling database. So if you're looking at a bag of potato chips as a consumer, you can see that there's calories, sugar, salt, it's gluten free. If you're looking at a software binary, you're able to see metadata that we provide which allows you as a developer to make intelligent decisions with respect to this component's good for my application because it's properly licensed or this component's good for my application because it doesn't have any security. You're verifying the code basically, in a way. Yeah, absolutely. Verifying and qualifying the open source. 
And the problem you solve for the customer is what? The customer basically gets to build applications at scale, at speed with quality open source components. So you take the worries off, like whether the licensing is a work well. Licensing security support. Is it like the Yelp for software? No, more like Amazon reviews for open source binaries. Okay, great, cool. Thanks for taking the time. So we was just talking on our intro, open source, I'm old enough to know one. We used to pirate software and then open source. Woo, this is great. Now, and then it became a tier two in the enterprise player. Red Hat brought it to tier one. It's booming. Communities are changing. You're in the middle of it. What's happening? Give us your take on how open source is evolving because it's the classic case of cliche open source. I'm standing on the shoulders of giants before me. And when you now the next generation is standing on the current generations of shoulders, a new generation is happening. What's going on? So just think of supply and demand, simple supply. We live in a world right now where development organizations are facing an infinite supply of open source. I mean, there's a thousand new open source projects a day, 10,000 new versions and 14 releases per year. The supply is massive. And in a world where supply is incredible, consumption is equally incredible. Last year alone, there were 52 billion download requests from Maven Central for Java binaries, 50 billion plus requests for NPM packages in the JavaScript ecosystem. So we are basically dealing with a world where software is no longer a marginal cost to doing business, it is the business. I mean, developers are king, developers are the lifeblood that's flowing through every great enterprise today because innovation is ultimately the thing that will allow companies to compete and win on a global plane. 
I mean, it's almost intoxicating for these guys who are just drinking from the trough of free software because if you compound the new projects with the fact that Google and these guys are donating like awesome libraries, Amazon's machine learning stuff is not something to shake a stick at. It's great software. TensorFlow, Spanner, I mean, all this stuff. It's great software and just think it. In a world of infinite choice, which is what the world we're living in, how do you make the best choice? So where's the growth coming from? Peter and I were speculating that in talking to Abby Kerns yesterday from Cloud Foundry and then with the Cloud Native Foundation. A lot of money's coming in so the business model for players and vendors are coming in and suppliers now helping out and donating software. But we're speculating that there's a whole growth area that's different than we've seen before. Are we on that? Your comment to that and your thoughts on where this evolution's coming from the next wave. Is it horizontal? You know, our view is that the DevOps transformation from waterfall native development to DevOps native software development is happening and it's real and it's arguably in the early days but it's no stopping that train now. As organizations continue to sort of reconcile demand from board members and shareholders and CEOs, I mean, how do you remain relevant? How do you put yourself into a position where you're innovating with software fast enough to remain competitive? And that's a tremendous pressure and it's driving transformational change like DevOps and so is that demand for speed continues to grow? We think it only increases the appetite for open source and it creates opportunities for organizations like ours to basically automate how that open source innovation happens. 
We do a lot of crowd chats and we surface the landscape and the common theme that comes up is oh, your organizational mindset has to change and we were commenting, Peter and I were talking yesterday about if your org's not set up, you'll have, what's the law? Conway's law where the output matches the organization. But the bigger question is, you know, Ford CEO got fired. He's been in the job for less than four years. He didn't have time to transform. So the question is, how does open source help people transform faster? Do you have any observations around that? Because that's the number one question we get is, okay, I need to configure resources to do that. And then the other theme that we hear and I'd love to get your reaction on is, oh my God, I'm going to lose my job through automation. And certainly Cisco has networking guys who are looking down the barrel of potentially being irrelevant if they don't make the network programmable. So this is, we've lived through the cycles. Is it the mainframe guys who kind of lose their jobs, kind of thing going on? Or is it a transformative opportunity for the people as well? Yeah, that's a great question. I mean, there's a lot there, but I think the notion that, they say software eats the world. I mean, a different way of viewing is automation eats the world. And if you look at, we refer to the 100:10:1 rule. Today in every large IT organization, you got 100 developers for every 10 IT operations professionals for every one security professional. It's impossible for the application security professionals to maintain governance over 100 software developers. I mean, it's just the old way of doing something like application security in this world where we're talking about infinite supply of open source needs to be automated with machine intelligence. It needs to be scalable early, everywhere and throughout the entire development lifecycle. 
And unless it's not, you're going to basically get some of the benefit of open source, but not all of the benefit of open source. Well, I want to push you a little bit on this, Matt, because we, one might argue, and I'm going to be a little bit apocryphal here for a second, but one might argue that we also have an infinite supply of different types of bubblegum. And at the end of the day, one can say, well, do we need another bubblegum? We may or may not, and yet we do. So the reason why I'm bringing that up is I want to square the infinite supply, which I don't disagree with, with the idea that certainly our clients, especially in the big data side, are still concerned about the fact that they can't find tooling or combinations of open source tooling that can help them with their use case. And so as you think about, one of the things that intrigued me about what your company does is the idea of to what degree can you start with a business problem, use that business problem to do some design work, and then based on that, start finding the tooling that will be most appropriate for solving the problem. Yeah, it's a great question, and I think it goes back to this idea of automation. Let's just give a real world use case. This is one of many, but if the demand for speed and innovation is what shareholders, boards, and CEOs are looking for out of their IT organizations and their development teams, then the first thing you do, in the theory of constraints, as you look for, where is the friction? Right? And so theory of constraints basically points to something like the process inside of a large financial organization that involves a developer requesting approval for using an open source component. How long does that take? How many people are involved in that process? How many hours? How many dollars? Does it have to be that hard? 
Or can you basically create policy and define policy and build effectively a firewall that then automatically governs the flow of open source, healthy open source components into the development lifecycle with no human intervention at pace, right? And that's the idea of what we're doing. When we talk about scaling open source and innovation early, everywhere, and across the entire development lifecycle, it starts at the perimeter. The moment the developer requests the open source component for use, it has to be automated. You can't afford to take three months to approve it. He needs it now. So let me turn it around and see if this is a service that you are providing or actually could provide. Given that you probably have visibility into a lot of the problems that the developer's trying to solve, and therefore their ability to check open source in and out from the variety of different sources, are you also gaining visibility in the types of stuff that people can't find and making that information available to the world about, here's some of the places where the open source world could step up and do perhaps a better job of delivering that software. And I'm specifically thinking of the big data universe because there are so many, for example, I got a client, big financial institution, who is tearing his hair out right now, trying to come up with some standard componentry for complex machine learning pipelines. Real, real hard job, a lot of different tools. They work together at some level, but they're not solving the problem because they're more focused on serving, of solving each other's, each other projects problem. Am I making sense? You are making a lot of sense and you should introduce us to your friend because we would love to have a conversation and talk exactly how it is that you can create prescriptive architectures with open source components to remove friction back to the theory of constraints concept. 
I mean, this process of innovation has to flatten out and we are very narrowly focused on one particular piece of that pipeline and it is making sure that the development organization is benefiting from all of the greatness that open source has to offer, but none of the bad. And you have to do that with automation. So just really quick, John, for those of you who don't know, the theory of constraints to a computer science person looks like Amdahl's law. Speed up that which you do most frequently for those of you who've ever done a computer design. Herbie the Boy Scout. Exactly, so it's speed up the thing that is causing the most pain. Right, right, right. So the question I have for you is, okay, given what you guys do, which is great service, cutting edge, it's in the DevOps wheelhouse, so what is in your opinion the most important metric for your customer's success? These are V DevOps, okay? I'm in, I've been hearing about this cloud native thing in DevOps, we got a change to Agile, we wrote a manifesto, we changed our organization. What is the important metric that you think they should look for for success? You know, there's a lot of metrics. There's no one answer, but I'll give you a really great one. Since you mentioned Red Hat earlier, Red Hat is an amazing company that has probably done more for the evolution of open source than anyone. They have a phenomenal track record of managing, you know, RHEL, the Red Hat Enterprise Linux stack, upstream and downstream, to the point where today, they publicly touted at the Red Hat Summit just recently in Boston, you know, I think it's a day or two, mean time to repair for a zero-day vulnerability. They understand the supply chain for RHEL extremely well, and you know, from our perspective, we are trying to create the same type of hygiene for custom software development that RHEL has long practiced in support of Red Hat. 
Red Hat has long practiced in support of RHEL, and so mean time to repair, for example, if a zero-day vulnerability hits, do you have a software bill of materials? Are you wondering where that particular component is? Do you even have the component? How many applications in production are affected? I mean, this is a real-world scenario just two weeks ago with Struts 2. How many, you know, how many organizations are still working today to figure out the answer to that question? You'd be surprised. It takes organizations months. But this is more than a library. This is more than a library. So explain why it's more than a library. Struts 2? No, what you're doing. What we're basically doing is imagining a software supply chain. So step back and sort of imagine a world where you could build software applications the same way that Toyota builds cars, right? You have Deming's Principles, which says you basically take and source the components or the parts from the fewer suppliers and you source the absolute best parts and you track and trace the location of those parts through every step of the supply chain all the way into production. So that Toyota recently had to conduct an orderly and effective recall for four million Takata airbags, right? In software terms, the next time you're basically sitting on top of a zero day, you need the equivalent of that orderly, effective recall so you can, in a matter of minutes, not months, you know, patch that vulnerability. Hence why I use Goldratt's theory of constraints. So in many respects, this is a digital supply chain tool. We believe it's software supply chain automation. What about digital? Can I also think about how digital objects can be included in that? Again, going back to the big data notion. Yeah, absolutely. I mean, this is supply chain theory as well understood in a physical goods world. 
Certainly, if you look at how physical goods move through a supply chain and you come to grips with what's happening in sort of digital transformation today and the evolution of DevOps and the proliferation of open source, you know, continuous integration, continuous delivery, speed is king, you know, it's all going in the direction of a supply chain. So when you have so much bubble gum, as Peter said, after it loses its flavor, you get a new piece, right? So same with software. Final question for you. You guys are doing well. I can imagine that operationally as companies operationalize open source, your key component there. And that seems like a good opportunity. How early are you on that operational progress? I mean, I guess you're just going to start and you're making some money, which is good. Yeah, well, you know, to be frank. We're a customer on the journey. In other words, people realize that I got to operationalize, are they just doing it and not kind of having a checks and balance? Our business is really interesting in the sense that, you know, product market fit for any young company can take quite a while. And, you know, we're fortunate enough to have a CEO who is remarkably patient and savvy and experienced. And his name is Wayne Jackson. For anybody knows here at the Cisco conference, he was previously the CEO of Sourcefire. So an interesting connection there. But patience is key. And we're being rewarded right now because all of the trends that you guys have already talked about here and everything we've talked about at Cisco DevNet, point to a simple fact, which is that software is key to how companies will compete and win in the future. And as long as that's true, they're going to be looking for ways to improve innovation. Right now, our business is early. We're still creating budget in some situations, but that's increasingly changing. And I would say that you should expect our business to continue to grow. 
People are operationalizing with the source line and getting serious about some of these things. We're seeing budget now that we didn't see last year. For operationalizing the flow of open source into a DevOps pipeline. Final, final question, since I want to get your take on the show. Cisco's moves here into this world, obviously a good move in our opinion, I'm sure you agree. Risky for them, a good move, progress. What should they do next? Your thoughts and reaction to DevNet Create? Because, man, they've got DevNet, a growing, robust community of Cisco developers. DevNet Create a new opportunity. What's your thoughts? You know, I've learned a lot. I mean, I'm glad to be here and just saw some things yesterday that make it very, very clear that DevNet Create and what Cisco is doing with it is a great move. I mean, my personal belief is that developers are king and as you expose core services, network services to developers and innovation happens and value gets created. And so they've done so much at the network layer for so many years and if they're now exposing that network sort of innovation to developers, it'll be exciting to see what kind of innovation happens. Matt, thanks for coming on theCUBE. Really appreciate it. I'm glad we got you in. Great to meet you last night and congratulations on your startup that you're working with and growth and been around the industry a long time. You've seen a lot of waves and appreciate the insight here on theCUBE. Appreciate it. Appreciate you having me. All right, we are live in San Francisco for exclusive coverage of Cisco's inaugural event, DevNet Create. I'm John Furrier, Peter Burris. Stay with us for more day two coverage after this short break. Hi, I'm April Mitchell and I'm the Senior Director of Strategy and Planning for Cisco.