From around the globe, it's theCUBE with digital coverage of DockerCon Live 2020. Brought to you by Docker and its ecosystem partners.

Hello, welcome back to our DockerCon 2020, DockerCon 20 coverage. This is theCUBE virtual here in the Palo Alto Studios with our quarantine crew. I'm John Furrier, your host. We've got two great guests here. Scott Johnston is the CEO of Docker and Peter McKay, CEO of Snyk. Hot security startup with some big news. You guys have rolled out, but really it's got an impact to developers. Scott, Peter, great to see you guys again.

Great to see you, John.

Good to see you, John.

I'm glad we can at least talk remotely. I wish we were face-to-face, but obviously we're living in a time of crisis where you're starting to see a Cambrian explosion starting to emerge where all people are recognizing that a lot's going to come out of this. You guys have announced a strategic alliance. Can you guys take a minute to explain what is this alliance and what does it mean? Scott, we'll start with you.

Absolutely. And thank you, Peter. Thank you, John, for this chance to share with you all that's going on. It's very exciting. Look, what we saw together as teams, both Peter's and ours, was the developer experience is getting better and better in terms of faster and faster iterations, but we weren't in the world of the Docker Desktop and Docker Hub experience, having kind of security as a first-class citizen that was really right in front and center with developer workflow. And so in working with Peter's team, we realized that the two companies had the same vision of like, let's bring that developer first security just front and center in the user experience, in the command line, in the tooling, and just make it natural so that developers could continue to iterate rapidly, continue to ship values, ship features fast, but in addition to doing that, do so in a secure fashion, in a secure manner.
And really that's what this partnership is about, is making security just kind of built-in, natural developer-friendly developer first. We're very, very excited to partner with Snyk and bring this to the development community.

Peter, you guys have a unique business model, your developer first security. What does this mean to you? Docker's got millions of developers out there who know containers, they're certainly developer first. What does this alliance mean to you guys at Snyk?

Yeah, when you think of the developer community, you think of Docker, right? I mean, when we looked at the front end of our funnel, the people who we go after and our users, it's developers. And when you think developers, you think Docker. And so Scott and I got together very, I'd say four or five months ago when we started talking about building a tighter relationship together, the synergies between what he was doing and the team was doing at Docker. And what we were trying to do is kind of embed developer experience and develop and integrate security into that really made a very compelling value proposition together for developers and embedding that security into that application development, into your containers and your image in your application development lifecycle, just made a better developer experience overall.

We've been talking to a lot of developers, certainly for DockerCon and just outside in the industry anecdotally, is that Docker really revolutionized. Container ideas has been such a great win for developers, containerizing applications really has changed the game. It has spawned the generation of Kubernetes and cloud native microservices. What specifically is going on with you guys in this partnership? Where does the security fit in? Because can I just do a scan and scan the vulnerabilities? I mean, what's unique here? What does this mean for developers? What is this, what's going on with the alliance?

Yeah, I'll take it first Peter, but then jump in.
So John, in the history of application development so often security is not addressed until the end. And so developers, they're shipping rapidly, they're iterating quickly, but then it gets right before production and the alarm goes off and security team swoops in and security is often seen as a point of friction or a way to delay applications from getting the market and delivering value quickly. And this partnership completely reverses that where instead of having security be further down the stream of the tool chain or of the application development lifecycle, we're pulling it right up in front and having it be right alongside all the other activities that a developer is doing around building their code, around testing their code, around running their code locally. And it's the whole shift left meme that I'm sure you've seen out there and we are shifting this as far left as it can be where it's right there on the local Docker Desktop in the command line as primary a motion and as primary a tool to building a great secure application as any other aspect of the tool chain. And that was really the focus of the partnership which is like make this just native and as far left as possible and not make security an afterthought or something that gets taken place by other ops people downstream.

Peter. Can you think about that?

That's the whole concept of how Snyk was founded. We all came from an application security background where it was security tools for security people and that really the whole industry needed this fundamental shift in the approach. And as Scott said, that whole shifting left concept to really scale security in the right way and is to embed it into that application development lifecycle and to embed it into the tools that developers use each and every day. So they wanted to be a security expert. A developer doesn't need to be someone who knows all the vulnerabilities.
They just need to know how to develop the most creative and be the most agile organization to develop much better applications. And if they can do it in a more secure way they would obviously do it but don't make them do something dramatically different and don't ask them to be security experts. And that's what we've tried to do in the partnership with Docker allows us to embed that continuous security insights into that whole development loop. So when they develop these applications they're secure when they're done. And all the way through that development lifecycle you're testing for vulnerabilities in auto remediating along the way. So it allows them to develop very creative at the pace in which they want to develop and it makes them more secure by doing it.

Yeah, let me pick up on Peter's point there which is so often security has been something that's discovered late in the process, right? Either just before production or sometimes even in production. And they just think about that feedback loop. It's got to go all the way back upstream all the way to the development team developers got to go find what they're working on maybe not hours ago could have been days ago could even be weeks ago and then go figure out how to remediate get it all the way through the inner loop and the outer loop. We're completely blowing that up and disrupting that by bringing it all the way forward such the feedback is right then and there with the developer in the moment on the laptop in their inner loop and giving them the immediate response that they need and the signal they need to take action remediate and then move on to the next creative thing they can do. And so just thinking about shortening that whole feedback loop and really as Peter said that building security in from the get go because the signal is there to give them an indication of what they need to do right then and there.

Great, I want to get into the I mean I can see the workflow advantage so I totally get that.
I've heard on theCUBE many times that security's got to be built in from the beginning. I've heard that before many times. I don't think I've heard security discussed this way combined with the trends around automation. So can you guys talk about how that fits in? Because okay I get shifting left all that workflow, all goodness but now I'm assuming there's a whole ops side of security and then if I'm trying to automate things and that's the real trend we're seeing here how does that all work? Does that all come together? And is this kind of unique that you guys are doing? Can you unpack that a little bit and clarify?

Yeah, I mean this has been something that we've been focused on quite a bit. I mean the first it's used to be that you used to find a lot of vulnerabilities and yes we find a lot of vulnerabilities and what we tried to do is focus on the prioritization and really hear the critical ones that developers need to fix first, second, third and fourth based on severity. And we build that all in and that's something that you that we learn that we built into the process. And then the last phase is this auto remediation. To the extent we can auto correct and auto fix which is becoming increasingly a bigger part because the more you learn about the vulnerabilities and some of the fixes, the more you can automate and remediate that just makes the whole development process that much more productive and efficient. And that's really what we're trying to do. It's not only just find vulnerabilities, prioritize them. What are the ones that are what the team feels as severity one, twos and threes embed that into the process so you fix these, these are the ones you're fixing first, second and third and to the extent they could be auto remediated then fix them automatically. So we're trying to build that increasingly into the application.

So is this the first secure containerization deployment model? I mean, have other people been doing this?
What's, I mean, is this new to Docker and new to the industry and what's what's going on there?

Well, so we're here to talk about the partnership and of course there's a wealth of, a very active ecosystem in and around security and other spaces, but we think this is the first that brings it this close to the developer in the moment in the command line on the desktop. And thus we think it has a lot of value to offer development team.

Okay, I put my developer hat on. Okay, I'm one of the millions of developers. I containers are part of my daily design coding. What's in it for me? Why does it matter to me as a developer? What does it do for me? Save time, what's the impact of the developer?

Well, you think about what, I mean, just look at the old model, right? The old model is you develop an application, you send it to the security team and they'll audit it. They'll tell you all the vulnerabilities and then they'll ship it back to you. You fix it, then they'll check it again and you'll wait in the queue and then they'll fix it and tell you what's right and they'll send it back and think of that long. It's just like John, you remember in the early day, you know, when they, when a quality issue, you know, fix it earlier in the life cycle of an application, don't wait until the end where the quality embedded into the process. And so what you find is, you know, the developers are embracing this and we have a, you know, like Docker, you have a freemium where developers can try it and realize that, look, and I'm going to have to do security anyway. I mean, I have to develop secure application. If I can use a tool that's built for me and embedded into my development life cycle so I don't have to be a security expert and I don't have to wait for the security teams to tell me what's wrong and I can embed this all the way through and then not have to go through that painful step at the very end to go that, go through that security audit. I would do that any day of the week.
And naturally-

I mean they kick it back, the old day was they kick it back to do the scans, hey, you got to fix this and the developer just got to your points, moves on, right there. They're coding. I mean, that's the problem. Developers want to ship.

Developers want to ship, right? I mean, going back to your point, John, like one of the revolutions of Docker is that it is given the expectation that developers can ship faster, right? And right now, in much of the state of the state because security is important, like it can serve as a gate and as Peter just walked you through, like it can slow down developers shipping and having impact. And so for you, the developer, John, like this gives you freedom to ship early, often, high frequency, everything, the promise of the container development model, this really unleashes that.

Yeah, gives guardrails around the security policies too, allows them to be projected in as syntax, if you will, or as part of the coding environment. So I don't have to worry about it. I mean, at the end of the day, it's peace of mind more than anything. Time is certainly in the butt, but as a developer, the creativity is just we need it more than ever. Okay, so with the COVID crisis.

One last point, one last point I want to make on this, sorry. It's also the security teams want it too because they don't want to be the bottleneck. They don't want to be doing this at the last minute and having all the pressure on them. I mean, they know that a big chunk of their business is going through these applications. So a lot of the budget dollars that come from people buying Snyk and embedding it into the process is from security because they can't keep up. You know, this digital transformation and what companies are going through, they don't want to be, there's one of two things. Either they're going to be the bottleneck or the developers are going to go around them and just put an application in the cloud.
And ship the container, put it anywhere and going around security. So they don't want that either. So there's just a very tight alignment between developers want to ship fast but also secure and security teams want to do the same.

I hate to say it, but the whole agility is now not only just normal for us insiders in the industry. It's proven now with this COVID crisis that you have to be fast and you have to be at scale. And I think this speaks to some of the experience you guys had in the industry you were talking earlier. If you're not moving at the pace that you need to move at the scale, you need the automation is proven cloud native is going, is completely ratified in my mind. There's no doubt. That means microservices is front and center and this change that's happening right now. And when we come out of this pandemic there's going to be growth winners and not growth winners. We flat line to decline or winners. And it's all going to be based on microservices. So for the developers out there are going to be called into the office some day or in a Zoom. Let's get these apps doubled down on this, kill that project. There's going to be those conversations.

It's happening right now, John, right? So look what's happening as a result of COVID and entire bodies of human activity are shifting from offline to online, right? Like social, consumer, B2B, healthcare go on down the list. Finance, commerce, retail, like the massive tectonic shift going from offline to online. That means massive demand for new applications, new application development and quickly, right? Some of this shift is happening and there's a bunch of businesses that didn't have exposure to digital are like, oh my goodness, I need a digital strategy. I need a digital channel. I need a digital revenue stream. And so the demand for new applications quickly is exploding through the roof.
And we see this across the board in our industry right now, which is very, very fortunate given other circumstances in other industries. But you're absolutely right. Like this lets them ship faster and now is the time when they need to ship and ship faster.

And the budgets are going to be allocated on these new projects. So it's just a nuance on your point. It's net new projects. And then this fix and modernize the old stuff because look at Walmart. Walmart got hamstrung on the e-commerce side. They just killed their Jet acquisition. They spent $3 billion on, this is the reality. This is not like just a strategy to do innovation, innovation strategy or some walk down, you know, digital transformation lane. This is happening. It has to be done. What do they do? What do they do?

And it starts, you know, we always say we start with the new and replace the old. You know, we start with a new application. It usually is always the case where we usually start with a lot of the companies is a new modern application. And then it expands from there. And so you look at what used to be, you know, the best practices were tech companies. And then it moved to financial services industries and insurance and then retail. Now you work at manufacturing. You look across the board. As Scott said, this offline to online is driving so much of, you know, the empowering developers, you know, to take on more responsibility and to own more of it but to be faster and to be more agile. And that's really what's driving this big shift in the market. And like you said earlier, if they're not there they're in trouble because this market is driving that direction.

I want to get both your comments on this final question because you look at the progression of the developers from the Steve Ballmer developer, developer, developer speech on YouTube to developers on the front lines, cloud native. And now today it's been a progression.
And I think it's always been the developers on the front lines or getting closer to the front lines. I think now it's even more compelling because there's a scale and agility speed game going on. So I think it's just another step function developer relevance. It's not so much, they've never been close to it. They have been getting closer. They're in the business conversation and the ones that could move fast are the ones going to deliver the value. So if automation is in the playbook, if cloud native is not in the playbook, this is going to be the new developer equation. The ones that meet that will be successful. Can you guys react to that in your thoughts?

Yeah, I mean, I think what we're trying to do is make that developer experience just one from just the partnership with Docker and is a key. Just making it really easy. Do the integration, do a lot of the work. Make the developer experience as seamless as possible. Make it very efficient for them. Make it easy for them to try and buy. Just a great experience and allow them or empower them to take on more of the responsibility of getting that app published in the containers out the door. And that's what we're, I think, excited about with the partnership with Docker is that with the number of developers that they have, the work that we do together and the roadmap that we have is really making that experience just an incredible journey for our developer. And that's what we want to continue to make sure we foster.

Scott, the new relevance of developers, your thoughts.

Yeah, I would only, building on Peter's point, observe that a lot of the developer expectations are informed by the stack, right? And what's possible. And to your points earlier about the previous waves, John, like, yep, developer's important, but their full potential, if you will, was perhaps muted or gated because there was not a clean abstraction between the application and the underlying infrastructure.
And now, as we know with dockerization and the surrounding ecosystem of Kubernetes and other tools, we have a much cleaner separation between the application and the infrastructure. And that allows and set expectations for a much higher cadence of release, much faster time to value, much more agile operations in terms of responding to competitors and the market and your customers. And so with that expectation, how do you unleash that? And this partnership is really key to that, right? By taking the friction out, as we talked about kind of historical security models and bringing a new model that brings security way left right into the developer's command line experience, and then in some sense really fulfills that ability to move quickly, react in an agile fashion and have an impact as quickly as possible.

That's awesome. Security built into the workflow, automated, industry first. Guys, thanks so much for a great partnership. Put the final word, get the plug in for the relationship going forward. How does that work? Is it going to be available? Is integration, code, is it developed? Give a quick plug for what's happening, the relationship and what's happening going forward.

Look, Docker only succeeds if the ecosystem, and we're very, very proud and humbled to join arms with Peter and the Snyk team as a partner in the security ecosystem. And so you'll see us not only in this integrated developer experience on the command line, which is going to be very, very valuable to developers that we've been talking about, but you'll see us out there promoting the solution in different forms and community groups. And so it doesn't stop and end or start and end with the DockerCon experience. Look for us in the year ahead to do more and more together.

Awesome.

I agree.
I think that just culturally and the way the organizations work really well together, I think this is the beginning of a longer journey and a longer partnership we're going to have together with Scott and the team. So we're excited. I think, you know, the validation, the early validation we've got from the development teams we've been talking to around the world. You know, I think there's tremendous, you know, desire for this to happen. And we're excited to launch the journey together with Scott and team.

It's been a lot of fun watching this progression. Like you said, you create that headroom, the developers will take it right up and there'll be another step function and more progression. Great job guys. Congratulations on a great partnership. We need the security built in, need more creativity. We need this new modern era to be flourishing. Thanks for your time. Appreciate it.

Thanks John.

Thank you.

Thanks John.

Virtual Cube coverage of DockerCon 20. I'm John Furrier, your host along with Docker for DockerCon 20, hashtag Docker20. Thanks for watching and stay tuned for our next segment of DockerCon 20 virtual.