John Furrier: Well, welcome back to theCUBE's coverage of DockerCon 2021 virtual. I'm John Furrier, host of theCUBE. We've got a great CUBE segment here. Simon Maple, Field CTO at Snyk. Great company, security, shifting left. Great to have you on, Simon. Thanks for stopping by.

Simon Maple: Absolutely, pleasure. Thank you very much for having me.

John Furrier: So you guys were on last year, the big partnership with DockerCon. I remember that interview vividly because it was really the beginning, not the beginning, but really kind of, to me, the mainstream of shifting left as DevOps. It's not been, it's been around for a while, but as a matter of practice, as containers have been going super mainstream, super ballistic in the developer community, and you're seeing what's happening. It's basically containers everywhere. Security, now DevSecOps is the standard. So DevOps, great, infrastructure as code, we all know that, but now it's DevSecOps as standard. This is the real deal. Give us the update on what's going on with Snyk.

Simon Maple: Absolutely, yeah. And you know, we're still tireless in our approach, we're trying to get to make sure developers don't just have the visibility of security, but are very much empowered in terms of actually fixing issues, and secure development is what we're really striving for. So yeah, the update: we're still very, very deep into a partnership with Docker. We have updates on Docker Desktop, which allows developers to scan their containers on the command line, providing developers that really fast feedback as early as possible. We also have new updates and support for running Docker scan on Linux. And yeah, you know, we're still there on Docker Hub, providing that security insight to users who are going to Docker Hub to grab their images.

John Furrier: Well, for the folks watching, maybe for the first time, the Snyk Docker partnership, we went in great detail last year, was the big reveal. Why Docker and Snyk partnership? What is the evolution of that partnership over the year? They speak highly of you guys as a developer partner. Why Docker? What's the evolution look like?

Simon Maple: It's a really great question. And I think, you know, when you look at the combination of Docker and Snyk, well, actually, let's take each as an individual. Both companies are very, very developer focused, so our goals and what we strive for, what we tirelessly spend our time doing, is creating features and creating an environment in which a developer can do what they need to do as easily as possible. And that, you know, everyone says they want to be developer friendly, they want to be developer focused, but very few companies can achieve it. And you look at a company like Docker, you look at a company like Snyk, it really, really provides that developer with the developer experience they need to actually get things done. And it's not just about being in a place that a developer exists, it's not enough to do that. You need to provide a developer with that experience. So what we wanted to do was, when we saw Docker, an extremely developer friendly environment and a developer friendly company, when we saw the opportunity there to partner with Docker, we wanted to provide our security developer friendliness and developer experience into an already developer friendly tool. So what the partnership provides is the ease of, you know, deploying code in a container combined with the ease of testing your code for security issues and fixing security issues in your code and your container, and pulling it together in one place. Now, one of the things which we as a security company pride ourselves on is actually not necessarily saying we provide security tools. One of the, our favorite way of saying it is we are a developer tooling company. So we provide tools that are for developers. Now, in doing that, it's important you go to where the developers are, and developers on Docker are obviously in places like Docker Hub or the Docker CLI. And so it's important for us to embed that behavior and that ease of use inside Docker for us to have that flow. So a developer doesn't need to leave the Docker CLI, the developer doesn't need to leave Docker Hub in order to see that data. If you want to go deeper, then there are probably easier ways to find that data, perhaps with Snyk or on the Snyk site or something like that. But the core is to get that insight, to get that visibility and to get that remediation. You can see that directly in the Docker environment. And so that's what makes the relationship so, so powerful, the fact that you combine everything together and you do it at source.

John Furrier: And doing it at the point of code, writing code, is one of the big things I've always liked about the value proposition, is, say, shift left. So let's just step back for a second. I got to ask you this question because I want to just make sure we get this on the table. What are the main challenges and needs that developers have with container security? What are you seeing as the main top few things that they need to have right now for the challenges with container security?

Simon Maple: Yeah, it's a very good question. And I think to answer that, I think we need to think of it in a couple of ways. First of all, you've just got developer security in general across containers. And in that itself, there are different levels at which developers engage with containers. In some organizations, you have security teams that are very stringent in terms of what developers can and can't do. In other organizations, it's very much the developer that chooses their environment, chooses their parent image, et cetera. And so when a developer has many, many choices in which they need to decide on, some of those choices will lead to more issues, more risk. And when we look at a cloud-native environment, let's take a Node image as an example. The number of different images, tags, you can choose from as a developer. There are hundreds, probably thousands that you can actually choose from. What is a developer going to do? Well, are they going to just copy-paste from another Dockerfile, for example? Most likely. What if there are issues in that Dockerfile? They're just going to copy-paste that across. Misconfigurations that exist not because a developer is making the wrong decision, but because a developer very often doesn't necessarily know that they need to add a specific directive in. So it's not necessarily what you add in a config file, but very often what you omit. So there are a couple of things I would say from a developer point of view that are important when we think about cloud security. The first one is just that knowledge, that understanding what they need to do, why they need to do it, secure development. Doesn't mean they need to be deep in security. It means they need to understand how they can develop securely and what are the best decisions, that could come from guardrails from the security team that they provide the development team to offer. But that's an important area of secure development. The second thing, and I think one of the most important things, is understanding, or not understanding necessarily, but having the information to go and act on those things early. So we know the length of time that developers are working on a branch or working on some code changes, that is reducing more and more and more so that we can push to production very, very quickly. What we need to do is make sure that as a developer is making their changes, they can make the right decision at the right time and they have the right information at that time. And a lot of this could be getting information from tools, could be getting information from your team, or it could be getting information from your production environments. And having that information early is extremely important to make that decision, maybe in isolation with your team in an autonomous way or with advice from the security team. But I would say those are the two things: having that information that will allow you to make that action, that positive change, and yeah, understanding and having that knowledge about how you can develop securely.

John Furrier: All right, so I have a security thing. So I'm a development team, and by the way, this whole teams thing is a huge deal, I think. We'll get to that. I want to come back to that in a second, but we'll just throw this out there. Got containers, got some security, it's out there and you got Kubernetes clusters where containers are coming in, going. Sometimes containers could have malware in them. And I've heard this out and about. How do, if that happens off-container or off-process, how do you know about it? Is that infected by someone else? I mean, is it going to be protected? How does the development team, once it's released into the wild, so to speak, I mean, you have to be like that. But I mean, you get the idea. It's like, okay, I'm concerned. Off-process, this container's flying around. What is it, how do you track all that?

Simon Maple: And there's a few things here that are kind of like even potential areas that we can trip up. When we think about malware that's running, there are certain things that we need to consider, and what we're really looking at here are kind of, what do we have in place in the runtime that can kind of detect these issues are happening? How do we block that? And how do you provide that information back to the developer? The area that I think is, and that is very, very important in order to be able to identify, monitor those environments, and then feed that back so that that's the kind of thing that can be fixed. Another aspect is the static issues. And the static issues, whether that's in your OS, in your OS packages, for example, that could be key binaries that exist in your Docker container out of the box as well, or of course in your application. These are, again, areas that are extremely important to detect, and they can be detected very, very early. So some things, if it's malware in a package that has been identified as malware, then absolutely that can be tracked very, very early. Sometimes these things need to be detected a little bit later as well. But yeah, different tools for different environments, and where Snyk is really focused is this static analysis as early as possible.

John Furrier: Great, great insight there. Thanks for sharing that. It's certainly important. And some Kubernetes clusters are locked down and all of a sudden in comes some malware from a container. People are worried about that. So I want to bring that up. The other thing I want to ask you is this idea of end-to-end security. And this is a team formation thing we're seeing where modern teams have essentially visibility of their workload end-to-end. So this is a huge topic. And then by the way, their app might integrate with other processes too. That's great for containers as well, and observability and microservices. So this is the trend. What's in it for the developer? If I work with Snyk and Docker, what benefits do I get if I want to go down that road of having these teams be end-to-end but I want the security built in?

Simon Maple: Yeah, really, really important. And I think what's most important there is, if we don't look end-to-end, you know, there are component views and there are application views. If we don't look end-to-end, we could have our development team fixing things that realistically aren't in production anyway, or aren't the key risks that are potentially hurting us in our production environment. So it's important to have that end-to-end view so that we have the right insights and can prioritize what we need to identify and look at early. So I think that visibility end-to-end is extremely important. If we think about who is fixing certain issues, again, this is going to depend from org to org, but what we're seeing more and more is this becoming a developer-led initiative to not just find or be given that information but to ultimately fix. They're getting more and more responsible for Dockerfiles, for IaC, for their application code as well. So one of the areas which we've looked into as well is identifying and actually running in Kubernetes workloads to identify where are the most important areas that a developer needs to look at. And this is all about prioritization. So, you know, if a developer has just a component view and they have a hundred different images, a hundred different Kubernetes configs, et cetera, where do they prioritize? Where do they spend their time? They shouldn't consider everything equal. So this identification of where the workloads are running and what is causing you the most risk as a business and as an organization, that is the data that can be directly fed back into your vulnerability data. And then you can prioritize based on the Kubernetes workloads that are in your production, and that can be fed directly into the results and the dashboards that Snyk can provide you as well. So that end-to-end story really provides the context you need in order to not just develop securely but act and action issues in a proper way.

John Furrier: Simon, that's a great point. Context matters here because, you know, making it easy to do the right thing as early as possible at the right time is totally an efficiency, productivity gain. You're seeing that, that's clearly what people want. I mean, it's a great formula of success. Reduce the time it takes to do something, reduce the steps and make it easy, right? Come on, that's a formula. Okay, so I got to bring that to the next level. I want to ask you specifically around automation. This is one, the hot topic in DevSecOps, automation is part of it. You got scale, you got speed, you got AI and machine learning, you got all these new things, microservices. How do you guys fit into the automation story?

Simon Maple: It's a great question. And you know, one of the recent reports that we did based on survey data this year, called the State of Cloud Native Application Security, we asked the question, how automated are people in their deployment pipelines? And we found some really strong correlations between value from a security point of view in terms of having that automation in. And if I can take you through a couple of them and then I'll address that question about how we can be automated in that. So what we found is a really strong correlation, as you would expect, with security testing in CI, in your source code repositories and all the way through to deployment. CI and source code were the two of the most well-tested areas across the pipeline. However, the most automated teams were twice as likely to test in IDEs and testing your CLIs in local development. And now those are areas that are really hard to automate, if at all, because it's developers running their CLI, developers running and testing in their IDE. So having a full automation and full proper testing throughout the SDLC actually encourages and makes developers test more in their development environments. I'm not saying there's a causation there, but there's definite correlation. A couple of other things that this pushes is much, much more likely to test daily or continuously being automated, as you would expect, because it's part of the builds, it's part of your monitoring. But crucially, 73% of our respondents were able to fix a critical issue in less than a week as opposed to just over 30% of people that were not automated. So almost double, people are more likely to fix within a week. 36% of people who are automated can fix a critical security issue in less than a day as opposed to 8% of people who aren't automated. So really strong data that correlates being automated with being able to react. Now, if you look at something like Snyk, what are our goals? Obviously being developer friendly, developer first, and being able to integrate where developers are and throughout the pipeline, we want to test everywhere and often. So we start as far left as we can, integrating into CLIs, integrating into Docker Hub, integrating into Docker scan. So at the command line, you type in docker scan, you get Snyk embedded in Docker Desktop to provide you those results. So as early as possible, you get that data. Then all the way through to git repos, providing that testing and automatically testing and importing results from there, as well as other repositories, container repositories, being able to pull from there and test. Then going into CI, being able to run container tests in CI to make sure we're not regressing and to choose what we want to do there, whether we break, whether we continue with raising an issue or something like that. And then continuing beyond that into production so we can monitor tests and automatically send pull requests, et cetera, as and when new issues or new fixes occur. So it's about integrating at every single stage but providing some kind of action. So for example, in our UI, we provide the ability to say, this is the base level you should be at or could be at, it will reduce your number of vulnerabilities by X. And as a result, you're going to be that much more secure, that actionability across the pipeline.

John Furrier: That's a great data dump. That's a masterclass right there on automation. Thanks for sharing that, Simon, appreciate it. I got to ask you the next question that comes to my mind because I think this is kind of where the dots connect for the customer is, okay, I love this kind of hyper focus on containers and security. You guys are all over it, shift left as far as possible, be there all the time, test, test, test all through the life cycle of the code. Well, the one thing that's popping up as a huge growth area is obviously hybrid cloud, DevOps across both environments and the edge, whether it's 5G, industrial or intelligent edge, you're going to have Kubernetes clusters at the edge now. So you got containers, the relationship to Kubernetes and then ultimately cloud native workloads at, say, the edge, which has data, has containers. So there's a lot of stuff going on all over the place. What's your, what's your comment there for customers that say, hey, you know, I got this as my architecture. That's happening to me now. I'm building it out. We're comfortable with Kubernetes. We're putting containers everywhere, even on the edge. How does Snyk fit into that story?

Simon Maple: Yeah, really, really great question. And I think, you know, a lot of what we're doing right now is looking at a developer platform. So we care about, we care about everything that a developer can check in. Okay, so we care about git, we care about the repositories, we care about the artifacts. So if you look at the expansion of our platform today, we've gone from code that people, third-party libraries that people test, we added containers. We've also added infrastructure as code. So Kubernetes configs, Terraform scripts and things like that. We're able to look at everything that the developer touches, from their code with Snyk Code all the way through to your container and IaC. So I think, you know, as we see more and more of this pushing out into the edge, Kubernetes config that, you know, controls a lot of that, so much of this is now going to be, or not now going to be, but so much of the environment that we need to look at is in the configurations or the misconfigurations in that, in those deployment scripts. These are some of the areas which we care a lot about in terms of trying to identify those vulnerabilities, those misconfigurations that exist within those scripts. So I can see, yeah, more and more of this, and there's a potential shift like that across to the edge. I think it's actually really exciting to be able to see those pushing across. I don't necessarily see any other, any, you know, different security threats or the threat landscape changing as a result of that. There could be differences in terms of configurations, in terms of misconfigurations that could increase as a result, but, you know, a lot of this just needs to be dealt with in the appropriate way through tooling, through education of how that's done.

John Furrier: Well, obviously threat vectors are all going to look DevOps-like, there's no perimeter, so they're everywhere. Or I think you have to think like a hacker to be in there. Great stuff. Quick question on the future relationship with Docker. Obviously you're betting a lot here on that container relationship. Good place to start, a lot of benefits there. They have dependencies, they're going to have implications. People love them, they love to use them, helps old run with the new, and helps the new run better. Certainly with Kubernetes, everything gets better together. What's the future with the Docker relationship? Take us through how you see it.

Simon Maple: So, yeah, I mean, it's been an absolute blast with Docker and, you know, even from looking at some of the internal chats, it's been truly wonderful to see the way in which both Docker and Snyk, from everything from an engineering point of view, from a marketing, from a product team. It's been a pleasure to see that relationship grow and flourish, and I think there's two things. First of all, I think it's great that as companies, we both work very, very well together. I think as users, seeing Docker and Snyk work so seamlessly and integrated. Couple of things I would love to see. I think what we're going to see more and more, and this is one of the areas that I think, you know, looking at the way Snyk is going to be viewing security in general, we see a lot of component scanning. A lot of people looking at a component scan and seeing vulnerabilities in your component scan. I think what we need to look more upon is consolidating a lot of the data which we have in and around different scans. What I would love to see is perhaps, you know, if you're running something through Docker scan, how can you view that data through Snyk, perhaps? How can we get that closer integration through the data that we see? So I would love to see a lot more of that occur, you know, within that relationship. And these are kind of like, you know, we're getting to that stage where we see integration at just various levels. So we have the integration where we have, we're embedded, but how can we make that better for, say, a Snyk user who also comes to the Snyk pages and wants to see that data through Snyk. So I would love to see at that level more there. We're, as I mentioned, we have some additional Linux support as well. So you can run Docker scan from Linux as well. So I can see more and more of that support rolling out. But yeah, in terms of the future, that's where I would love to see us grow more.

John Furrier: And I'll see on the landscape side, on the industry side, security is going beyond the multiple control planes out there, Kubernetes, serverless, service meshes, et cetera. It continues to be the horizontally scalable cloud world. I mean, and you got, you mentioned the edge. So a lot more complexity to rein in and make easier.

Simon Maple: Yeah, I mean, there's a lot more complexity. You know, from a security point of view, the technologies, the ability to move quickly and react fast in production actually helps security a lot because, you know, being able to spin a container and make changes and bring a container down. These things just weren't possible, you know, 10 years ago, 20 years ago, pre that. It's like, it was, it's insanely hard compared, trying to do that compared to just re-spinning a container up. However, the issue I see from a security point of view, the concerns I see, is more around a culture and an education point of view of, we've got all this great tech and it's awesome, but we need to do it correctly. So it's making sure that, as you mentioned, with, you know, making the right decision, what we want to make sure is that right decision is also the easy decision and the clear decision. So we just need to make sure that as we go down this journey, and we're going down it fast and it's not going to, I don't see it slowing down. We're going fast down that journey. How do we make, how do we prepare ourselves for that? We're already seeing, you know, misconfigurations left, right and center in the news, IAM roles, S3 buckets, et cetera. Now these are, they're simpler fixes than we believe, right? We just need to identify them and make those changes as needed. So we just need to make sure that that is in place as we go forward, but it's exciting times for sure.

John Furrier: It's really exciting. And then you've got the scanning right at the point of coding, automation helps take that basic misconfiguration, take that off the table, not a lot of manual work, but ultimately get to that cloud scale, cool stuff. Simon, thank you for coming on theCUBE for DockerCon coverage, really appreciate your time. Dropped some nice commentary there, really appreciate it.

Simon Maple: Thank you. My pleasure, thank you very much.

John Furrier: Simon Maple, Field CTO at Snyk, hot startup, big partner with Docker, security honestly built in, DevOps is now DevSecOps. This is theCUBE's DockerCon 2021 virtual coverage. I'm John Furrier, your host. Thanks for watching.