Hi, this is your host, Swapnil Bhartiya, and welcome to our brand new episode of T3M, or the Topic of This Month. And the topic of this month is security and compliance. And today we have with us Ian UFL, chief customer officer at Slim.ai. Ian, it's great to have you on the show.

Great to be here. Thanks for having me.

Before we talk about this topic, I mean, your own background is in this, so I would love to talk just a bit about yourself. Talk a bit about yourself and what led you to join Slim.ai.

I've been in the cybersecurity field for over 15 years. Prior to that, I worked in military intelligence. So this is an area that I'm very passionate about. And I've worked at big and small companies, a number of different startups, including CloudLock, and after the acquisition I actually worked with John and Kyle at Cisco as well. And when I heard about this new project that they were working on and the potential impact it could have and the number of users that they were already working with around the open source project, I was really excited to work with them and help figure out how to take this.

Let's just talk about how you have seen the evolution of security. Of course, I'm not going to get into the traditional IT world, though we still have data centers, we still have mainframes, but how have you seen things evolve in this new cloud native, container-centric world?

Yeah, it's been interesting. So I think that the role of a CISO is getting very complicated. And I think everyone's trying to tackle what it means to have a robust security strategy. And traditionally, everyone really focused on this crunchy outer shell, if you will, of firewalls and all this network-based security. But the reality is now everything lives outside of that world; there are significant portions of your system, and you're serving and delivering containers and code to customers. And they're now becoming smarter, wanting to understand what type of risk might be introduced to their organization by consuming those deliverables. And so there's this whole concept, there's now a whole industry around understanding risk. I actually was talking to someone recently. I went to Black Hat with Slim this last year, and I've gone every year for probably the last decade except for, obviously, COVID. For those that may not be familiar with Black Hat, Black Hat's a large cybersecurity conference in Las Vegas. And every year the floor is covered with your traditional security vendors, the Palo Altos of the world and Fortinets and Zscaler now, so on and so forth. What I found particularly interesting is the biggest booths were now vulnerability scanners. Snyk had one of the biggest, Aqua had a huge booth, and even at the Palo Alto booth there was more there talking about some of their scanning and code security capabilities rather than their firewalls. So this is becoming very front and center. And most CISOs and cybersecurity teams are now actively working with their developers and actively working with their IT departments to understand how to get ahead of the risk around the containers that they're creating and shipping and consuming.

Let's also talk about what this means for cultural or social or organizational structures. Because as you talked about CISOs, we talk about DevSecOps, we talk about shift left, we talk about the zero trust approach. But what is happening is that the reality is a bit different. We have broken the old hard silos of security and networking, but there are still soft silos, because there will be folks like you who specialize in or are interested in security. But when you talk about things like DevSecOps or shift left, we are talking about enabling developers to also own security, but developers also don't like to talk to security people, because that means slowing things down. So talk a bit about what this means, this shift, as you talk about evolution, and what it means for developer experience and also what it means for overall security.

You beat me to the next punch, which was: while I was at Black Hat, and this was early on as I was just coming on board at Slim, just about every CISO was actively trying to hire or had just recently hired a new head of product security or a head of DevSecOps, or was at least now tied in with their head of DevOps or engineering. So this is becoming a very cross-functional challenge, and strategy to solve that challenge. And so one of the things that we did once I came on board was we redesigned our design partnership program. And the way I think about myself at Slim is I'm the voice of the customer, trying to understand what our customer base is saying. And as I'm sure you're aware, we're huge advocates of developers and we spend a lot of time with them. And as we started being able to bring a little bit more of the security type of relevance and conversation, what we saw was something I've never seen before in my career, which is DevOps and security people coming to the same table, getting excited about working on a project together and trying to solve and tackle this challenge. There have been a lot of promises of that in the past. It's the first time in my career I'm actually seeing it happen, because this is a challenge that's impacting everyone and we need to tackle it. It can only be achieved and solved cross-functionally.

Earlier you were talking about when we go to these events, even the traditional, not actually traditional vendors, a lot of focus is on scanning, vulnerability, risk, things like that. And if you look at cloud and containers in general, I still remember a few years back when you would go to a booth and talk to somebody: yeah, we have control of everything, but if you asked what is in their container, they had no idea, because you are linking to a lot of repositories, and there were also a lot of cases where the hard thing was changed and it was going to totally different projects. You don't even know. It's not just a security risk if you don't know what is in your container. It could also be compliance. Your code may not be compatible with the license that is being used there. So there can be a lot of things there. So when we look at container images, golden images and things like that, talk a bit about containers; from the Docker days we've been talking about container security, and we are still talking about that. So talk a bit about container security, what the right approach is, and whether the current approach is actually offering any security at all or not.

The last few years, the security industry has done a really good job at telling everyone how bad they're doing, but hasn't really offered a meaningful way to solve the challenge. And it's put developers in an impossible situation. It's a never-ending, unwinnable battle. And candidly, in these conversations, as you talk through what they're having to do to overcome it, it's a massive tax on new innovation and new features that they're trying to deliver. And so I think NIST issued some guidance around this a few years ago, where it was, we gotta do something. And so let's do scanning, and then this whole concept of maybe having a golden image was what was communicated, and what I've been seeing is a lot of companies try to start with some sort of minimized image if they can. And then they do their best practices and scanning and then get it out the door. The larger, more sophisticated companies have entire teams that do nothing but specialize in creating these golden images and then ensuring that there are no new vulnerabilities added as it goes through the developer pipeline. But there's a problem with this fundamentally. The state of vulnerabilities is not a static state. It changes every second. And also, as you're developing and iterating, you're playing whack-a-mole: you try to solve a vulnerability, so you pull down a new version of a library or something along those lines, and you've now increased the size of the container, but there are fewer vulnerabilities now, so we're gonna ship it. What ends up happening is that the attackable surface of that container is just ever-growing. Very rarely do we see containers reduce in size. They continue to just expand. And what we're seeing is that there's basically a cumulative effect here, where the more mature and the longer the container is out there, if you're doing your best practice of starting with a pernist, right, where you're starting with a pre-hardened or base image like Alpine, by the time you're shipping it out the door, the attackable surface could be 50 times larger than what you started with in the base OS. And while it may be relatively clean today, there is a high likelihood tomorrow that's not gonna be the case. And it's, again, a never-ending battle, and the only way to solve this, in our opinion, is to flip the whole thing on its head and focus on vulnerability reduction and reducing the size of containers at the final point, rather than focusing all the way as far as you can go to the left.

But if you just look at that, the ideal solution is to make containers smaller, as you said. I mean, we would love to live in a perfect, ideal world, but that is not the reality. So talk a bit about what is happening right now in the industry. We talk about continuous integration, continuous delivery. The whole CI/CD pipeline is there. As you also said earlier, you know, developers don't want to be slowed down. They do want to continue to move fast, and it's not just that new technologies keep coming in. So what is the right approach that organizations should take so that, once again, security is not compromised, without slowing them down, with this whole CI/CD pipeline maintained?

Yeah, so we believe at Slim that this should be as transparent as possible to the developers, and they should have the freedom to iterate and to develop as they'd like, using the containers and the libraries that they'd like, so they can really maximize their creativity and bring the best possible feature functionality as fast as possible to their users. We think there is value in starting with a minimized image, for sure, but we think that those can sometimes put artificial limitations in place that don't need to be there, when you can take more of an approach of hardening at the very last step. And that's something that we do that's unique: being able to make determinations around whether or not containers have extra components that don't need to be there, understanding contextually the type of risk that's associated with the components that are there, and then removing all the components that don't need to be there and shipping out a hardened container, while giving you a before-and-after diff and also an SBOM, which is now an industry standard and is going to see broader adoption here in the next year or so. And yeah, making this whole process work and integrating it directly into your CI/CD is critical to success, as the industry and organizations continue to get further and further mature and the expectation bar continues to get higher and higher that people are gonna have to jump over.

What role can governments play to help organizations improve their security posture? Because this is going to be an even more critical issue as we are looking at some potential wars going on in Europe.

The US federal government is actually pretty active in this space, and they've released a couple of different things. So they've released an executive order that effectively requires SBOMs to be delivered as part of any container that the government purchases and consumes. So, contractually, here within the next year or so, anyone that's trying to do business with the federal government is going to have to be able to produce an SBOM. And the federal government also has a cloud-specific program called FedRAMP. And one of the things that's great about that program specifically is the concept of continuous monitoring, this ConMon process. What I expect will eventually happen here is the government's probably gonna require this from a contractual perspective, and being the number one, the largest procurer of IT in the world, I suspect they will have a pretty big impact on the broader industry when it comes to understanding the risk associated with the containers that are being delivered to them, which will also impact the broader consumer base. The other thing I would mention is that the White House recently released a cybersecurity strategy for 2023. In that cybersecurity strategy, they outlined several pillars, effectively saying we need industry to step it up. And as part of that, there are gonna be various resources made available to the public; specifically, organizations that are delivering solutions to critical infrastructure are going to be under significant scrutiny. And DHS CISA plans to be very active in this space. And I expect we'll see a lot more guidance and programs launched in the next year or so, resources made available to the commercial sector.

You talked about continuous monitoring, or ConMon. Can you just go a bit deeper? What does it mean, so that folks who are not aware of that do know, and we can also go to the point you were talking about earlier, the importance and what role it can play in helping organizations, once again, scan all their container images and other code base.

So the concept of ConMon is you don't want your customers to find out about potential vulnerabilities before you do. So we now work with some of our customers and continuously scan and monitor the vulnerabilities in the containers that they're shipping to production and to their customers every day. And through that, they're now able to understand when a new vulnerability arises before a customer calls them and says, hey, I scanned your container, I found these issues, or they have an auditor come in and say, I found these issues, and now they're having to scramble and it comes across as though they're unaware or not a mature organization. Because of that, there's a framework that's available, and I suspect, specifically around containers, we're gonna also see a more mature framework come out that specifically says you have to scan your containers every so often and the type of report you're gonna need to provide. I don't know if it'll be a new SBOM or just new vulnerability scan results or just alerting them every time there's a new vulnerability and what your action plan is to solve that vulnerability. That is what is delivered for other types of services like cloud services under FedRAMP. I suspect we'll see something very similar with container delivery.

Looking at your own career graph and looking at what Slim.ai does, if I ask you, of course, this is not a simple question and there is no simple answer: organizations that actually know much more than we do, we still see things like the Booking.com hack. What would be your advice, at least from the culture point of view, so that there should be some practices in place where companies can at least say, hey, we have these things in place to improve our security posture?

Yeah, have a plan and train your users on basic cybersecurity hygiene. There are all types of resources that are available out there. I believe there are even some free ones from the government. It's not a big investment of time and money. The other component is scan your containers, understand your risk. If you don't understand where you stand today, then ignorance is not your friend when it comes to mitigating and getting ahead of threats. You want to know where you are so you can get to somewhere better. And then there are solutions and services available and strategies that are available for users out there; obviously Slim.ai would love to work with anyone and everyone. Our service today is still in the design partner stage, so users are able to use it in its beta state and provide feedback, and we can deliver that meaningful impact for your production in this current state. But yeah, basic training, understanding where you sit via various scans, and then having an action plan to actually mitigate and do something with those results. Those are all key.

Ian, thank you so much for taking time out today and sharing these insights. I would love to chat with you again because there's so much to talk about. As you also said, security is not a product, it's a process. So there are so many things to talk about, and I look forward to our next discussion. Thank you.

Thank you. I look forward to it.