Hello, and welcome to theCUBE's coverage of Open Source Summit North America 2023. I'm John Furrier. We have exclusive news coverage here with Amazon Web Services, AWS. David Nalley, director of open source marketing with AWS, is here. Got some breaking news we're releasing today. David, thanks for coming on. I appreciate your busy schedule, and thanks for coming on.

Thanks for making time for me. I appreciate that.

You know, open source has been a great driver of innovation. We've seen it time and time again. Just every year it gets better and better. Now you're seeing cloud scale going next generation. You've got generative AI, foundation models, creating more and more innovation. Open source is going to continue to grow. You guys got some news. Let's just jump into it. You've got the Cedar announcement, and you've got SnapChange. Two big news items here in open source. Let's get into it. What is the release? What is the Cedar product that you guys are launching?

So Cedar is essentially a modeling tool. And so we're releasing both an SDK and a language for modeling permissions. And so you can do very fine-grained permissions. You can do role-based access control. You can do attribute-based access control. And this allows you to separate your authorization layer from the actual application code. This is something that we're already making use of in Amazon Verified Access and Amazon Verified Permissions. We're open sourcing the same tool that we're using internally for that. We're doing that for a couple of reasons. We're really excited for folks to make use of it. We think that this idea of having a platform to actually manage access and authorization is very powerful. But we also want to make sure that people can go look at how we're doing things for both Amazon Verified Access and Amazon Verified Permissions. And that they can inspect that for themselves so they'll have confidence that it actually is working and is working well.
So, authorization policy language. Love the word policy; it makes sure everyone knows what that means. You're taking an open source project, open sourcing the project. And you said it's used by AWS and your customers for the, what, AWS Verified Permissions and Access to manage services, is that what it is?

Yes, the two services that are already making use of this are Amazon Verified Access and Amazon Verified Permissions. And we're open sourcing it because we think that a lot of folks will be interested in that as well.

So on GitHub, SDK, what's the transparency? Can you give them more detail around what's being released? How do people get involved? What's next?

Sure, so it is on GitHub, both the SDK and the policy language itself. And yes, we welcome pull requests. We welcome folks playing with it. We've got some demos scripted in the blog post that's going live, I guess at the same time we're talking now. And so that blog post has some sample code that you can actually run. We've done it in Python and Rust. So you can even start to try it out right from that blog post. We think that folks will start to place that, use that as a policy for controlling authorization. And specifically we think that because this gives you that separation from application code, it allows you a much more rigorous and easily verifiable way to control authorization, to be able to do specific things or to access specific things. Part of this comes out of our automated reasoning group. And we think a lot about automated reasoning, because it's fine to put things down in code. And we think that you can look at code and you can audit code and verify what's happening. But in addition to that, being able to use logic, use formal methods to verify what is actually going to happen is very powerful in getting assurances about how your code will actually operate in the real world. And especially on some of those fringes.
David, this brings up a conversation we've been having on theCUBE at great length, from the supercompute layer to the cloud layer to the app layer, around this next generation architecture. You said a couple of things: fine-grained permissions, access and control. You've got the decoupling from the application code. And yet it's going to actually provide more value on the independence and auditing and analyzing things. I get that. What does that mean when you say it frees up the fine-grained permissions? What kind of permissions are different with this? What are some of the benefits? Can you explain some of these fine-grained permissions and what's different than what's out there now?

So specifically, people tend to hard code into their application. The access control and all of the permissioning logic tends to go into the application. And that may be an ideal place for it to be in some cases, but we think that a more rigorous way of thinking about that is to have a dedicated policy that you can apply across a number of resources, that you can then go use some automated tooling to verify, rather than trying to rebuild that every single time. And so this allows you to model what you think your permissions and your authorization layers should look like and then actually go verify it against your application so that you can have some type of assurance. You can essentially test lots of scenarios against this modeling and policy language to see if the policy actually holds true.

So decoupling from the application is also probably what frees up the application too, because it doesn't take the overhead involved. Is that a benefit too? Or is it just a benefit of the decoupling?

It's a benefit of the decoupling, but the primary benefit is really the fact that this is something that is easily auditable. You can prove out that a regular user does not have a way to get to administrative access via some logic flaw in your application.
And being able to audit that over time and verify, especially as applications change and as new features are developed, that that remains the case is very powerful.

We just came back from RSA, big conversation around security, supply chain security. Developers are making the choices at the point of coding in the CI/CD pipeline, whether it's auditing for cost management, we're hearing a lot of FinOps conversations, or also auditing from a security standpoint. All good, we love it. So that's the cloud, that's what cloud does. The fact that it's open source is even better. So cool, check. The question that developers might have is: what assurances can you give the developers that the authorization decisions will be correct? What are some of the things you mentioned, automated reasoning, what's going on behind the covers? What have you guys learned at AWS that you're open sourcing, and that gives the developers the confidence that the decisions are going to be good?

So I think one of the challenges that we have at any scale, and I mean that even at today's laptop scale, is that the potential combinations of any set of logic that appears in code can really be hard to exhaust, all of the possible combinations. And so the idea behind automated reasoning is to use formal methods, to use logic, much like you would in a mathematical proof, to essentially prove out that things will operate as intended, and to do so with a degree of mathematical certainty, or tell us that we can't be mathematically certain about it and highlight areas of risk that way. And so being able to use a lot of these formal methods to actually verify that applications are going to work the right way, the way that you intended when you wrote them, we think is very powerful. We use that a lot internally. You'll see that operating at the scale that AWS does brings lots of interesting edge cases. And so we use that to create greater assurance that our services are going to work in the right way.
And that's not just security. That's also that when you write a file, the file's going to be there. It's going to be the way that you intended it. And automated reasoning essentially gives you a shortcut: instead of testing every single permutation, which could take hundreds of years, you can look in a mathematical sense and prove via logic, prove via formal methods, that the behavior of the program is going to be as expected.

I love the term automated reasoning, but the first thing that jumps into my head is AI, right? 'Cause I think reasoning, I think of all the buzz around large language models, foundation models, multimodal, a lot of AI and machine learning being used in configurations, automation, which, like you said, takes years to do things with a lot of them. And then you've got logic, I think metadata. So is there any AI in that? Or is the term automated reasoning more of an internal process in the Cedar engine?

So automated reasoning is actually a term of art around the specific type of logic proofs that's going to happen. So certainly not artificial intelligence in the way that you would typically think about it. This is all about mathematical proofs and using logic to verify that code behaves in an expected way.

On the AWS side, what did you guys learn? Obviously open sourcing something that has significance here, big news. What are the learnings inside AWS that you're bringing to open source? And how do people get involved? You guys are looking for contributors, I'm assuming AWS will have some people working on the project. Can you take us through some of the mechanics of what will happen post launch? What are the tactics, what's the plan, what's the goal?

Sure. So obviously we are happy to have folks contribute, play, file bug reports, help us even improve documentation if they want. In many ways, we continue to develop this and plan to continue to develop this going forward because it's a crucial part of our infrastructure.
But this is really just a part of our supply chain security perspective. We're making some tools that are available inside AWS, and we're making those available outside to the public as open source. We certainly care about continuing their development. We would welcome other people to join us. We think that this is a really interesting and compelling space to work in right now. And we're focused on delivering this value to our customers, but we'd certainly welcome folks participating from the community to help drive what's important to them. We actually think that that will, seeing what is important to other folks, listening to our customers is kind of core to how AWS operates, and getting involved in the open source project itself is one of the fastest ways that we can collect feedback from our users and our customers.

So you're investing in the software supply chain and other areas. Can you share some points of investment that AWS is doing in open source foundations and projects?

We're here today and it's OpenSSF day at Open Source Summit. And so we're certainly a large investor in OpenSSF. We contributed $2.5 million to the Alpha-Omega project. We're spending money focused on improving some of the package managers. So we've specifically recently engaged with the Rust Foundation on improving the security of crates.io, as well as the Python Software Foundation for their security efforts around the Python Package Index. So we're working on a couple of different angles. Some of them are improving the existing ecosystem. Some of it is releasing tools that we're using internally so that the rest of the world gets access to that tooling. And we are all, just like everyone else in the tech industry, we are all greatly indebted to open source, and we have a vested interest in making the open source landscape far more secure.

And then, talking to the people out there that say that Amazon is not investing in open source. I mean, that's kind of ridiculous.
You guys are doing a lot of work. What do you say to those people out there who say, hey, Amazon just takes, they don't give? What would you say to those folks?

You know, the reality is that everyone benefits far more from open source than they could possibly ever give back. The world, the technology landscape that we have today, simply would not exist without open source. And that's true certainly for AWS.

Well, I will tell you personally, you know, our generation, my generation, I remember when there was no open source. You had to steal software and deal software. You got that copy of Unix. I mean, there was a doubt, and there was a time when software wasn't free. And so-

There was, you know, but the reality is that we are all today standing on the shoulders of giants. And that's certainly true. AWS certainly benefits from that. We're contributing in a lot of places where it's important to our customers. We're doing a lot of work in containerd in the Cloud Native Computing Foundation, spending time there. We recently contributed Finch as an open source project and spent some time building up some of that ecosystem that we depend upon, like Lima and nerdctl, where we're investing developer time there. We're spending a lot of time in databases. So we've got a number of folks who are working in and around the Postgres community. And you'll see things like the trusted language extensions for PostgreSQL, which we recently open sourced. So I think there's a lot coming out of that. You know, there are entire dedicated teams who are focused on specific upstream projects. We have folks who are working on Java and OpenJDK, where there's an entire two-pizza team that's doing nothing but working on upstream. And we've got a number of those sized teams doing upstream work. We don't spend a lot of time promoting every single commit that we ship. And so it may seem like we're a little quiet, but...

It's hard when you're running the biggest cloud out there.
With all that work you guys do, and Amazon Web Services' cloud is massive, its services are growing every day. The fact that you're open sourcing all your jewels, it's phenomenal. And by the way, the shoulders of giants is now the industry. And I think now more than ever open source is the industry. You've got business models, you've got great licensing, it's permissive, you've got more transparency than ever before. This is the industry. It's almost, you don't want to bet against open. That is now a fact. Startups are coming out of it. So, you know, a testament to everyone involved. And again, I'm always sharing that news. It's only getting better. We need it more than ever. With AI now coming in, it's going to be interesting to see. So we'll get to that in another segment. I want to get to the second part of the news, if you don't mind. SnapChange is the first open source project to come out of an internal team at AWS called Find and Fix, full-time security researchers. Take us through this announcement. What is SnapChange, and take us through the story.

Sure. So first, this came out of an internal team that we call Find and Fix, or F2 if we're trying to abbreviate them. And the Find and Fix team is essentially proactive security, where we're going and looking at open source projects that are important to AWS or its customers. We're doing security audits. We're trying to find problems in that. And one of the things that really sets these folks apart is they're not just trying to find problems, but they're also trying to submit patches back upstream when they find the problem. Because they know that maintainers have a lot on their plate, and the last thing they need is someone dropping a list of security vulnerabilities that have been found, and then they need to go scramble to figure out how to patch them. And so they're doing both sides of this. They're doing some initial remediation work to hopefully speed the security response from the open source project along.
They've been doing that for a while; the team's existed for a while. A lot of the things that they're uncovering have taken a while to get fixed. But in the course of this, as part of their security research, they've had to build a lot of tools. And the first one that they're releasing is SnapChange, which is a snapshot-based fuzzing machine. And fuzzing is essentially really rapid testing of lots of inputs into software to see where you can break things. And that's been responsible for the finding of a lot of security vulnerabilities over the past couple of years.

It's basically a zero-day tool, isn't it? Almost, you know?

Any security tool can certainly be used offensively as well.

Explain fuzzing, I think that's out of my pay grade. So I have to ask, what is fuzzing? And take us through that, because that sounds like it's a really cool tool.

Sure, so fuzzing essentially submits lots of different things, inputs, into a program. And so if you've seen the meme about SQL injection around dropping tables, where someone names their child "drop tables, semicolon, Bobby" and they call him Little Bobby Tables, this is doing something similar except at the application layer. It is submitting untested strings. It's submitting interesting data, trying to change the way that the program operates. And it has been responsible for finding a lot of security vulnerabilities of late. And because you can automate it to a degree, you can specify inputs, you can specify coverage. Fuzzing is a way to really scale what used to be a very manual process in terms of testing applications. And this has been used internally at AWS for the Find and Fix program.

And you guys are open sourcing this as well.

We are open sourcing this tool. A couple of the interesting things: there are a number of fuzzing tools out there today. Some of them require that you run an application inside KVM and you have to use a modified or patched KVM, or you have to be running special kernel modules.
This works with a vanilla KVM and with a vanilla kernel. So you can basically spin up an Ubuntu image, run this, and no modifications required. And so we hope that that makes it easier and more approachable, certainly faster. We've also focused on trying to help parallelize this. So a number of the tools that are available today, they're really focused on running on a single core or a single set of cores. And this is designed to be able to scale out a little more broadly. And we're hoping that that starts to speed some things up or makes testing a little easier and less time intensive.

That's great. I really appreciate you taking the time to come in and talk about the news exclusive here on theCUBE. Final question to wrap us home, bring us home and wrap it up. What do you hope the outcome is from the open sourcing of these projects, Cedar and SnapChange? What do you hope that has, what's the outcome you're looking for, David, in the community?

You know, specifically, I hope that as we release open source tools, people take advantage of them. I believe that a rising tide raises all boats. And so, you know, this is additional tooling that people can make use of, in this specific arena, to make them more secure. We hope that this helps the open source supply chain landscape be more secure.

I really appreciate it. Great stuff. Bringing in the Amazon, AWS, Amazonian way, the internal team, Find and Fix, love that story. Open sourcing verification and fine-grained access and control. Certainly there's no more perimeter. The cloud model's here and is only growing. So having those access, authorization and verification controls is key. David, thank you so much for sharing the news here on theCUBE.

Thank you so much for having me. I was really excited to tell you about these things, and I appreciate the time.

Yeah, we'll see you around. Thanks for coming. Check it out, Open Source Summit 2023 coverage.
I'm John Furrier, the host of theCUBE on the show floor in Vancouver for three days of wall-to-wall coverage. Thanks for watching.