Live from the Computer History Museum in Mountain View, California. It's theCUBE, covering DevNet Create 2018. Brought to you by Cisco.

Hi, my name is Lauren Cooney and welcome back to theCUBE. Today we're actually at, down in Mountain View at DevNet Connect where we're talking to folks about cloud, DevOps, things along those lines and really what developers are looking for in today's environment. Today I'm here with Kurt and we're gonna talk a little bit about what Kurt is doing and why he's here and what's going on in your world.

Thanks, Lauren. I'm excited to be here. This is, you know, being at a DevNet Create where IoT is sort of a major backdrop as a change of pace for us and something that we're very excited about to get involved in.

Great. So what, you're here for IoT. What are you really looking at within IoT? What is interesting to you?

Well, so I work with Sonatype and our sort of passion and what we bring to the world of, you know, IT in general is software supply chains. We saw a gap in a virtually unlimited supply of open source components that are being used to develop modern solutions and we've been helping our enterprise customers solve this problem for a while and it now occurs to us that it's just gonna explode and get much bigger with IoT. And all the types of devices. And it's all the same problems and it's the same sorts of things that we need to think about as traditional IT, if you will, traditional applications.

So what's an example of a customer that you would help with regards to your solution and with IoT?

So it would be generally a large enterprise that's looking to put some governance around what's flowing into the organization in terms of these free components, libraries, utilities that are being packaged together and delivered.
In the world of IoT what's interesting is we also need to be very careful about what we put in there for possible exploits and we need to be thinking about how are we going to keep them patched and updated, right? We have a saying at Sonatype that software ages like milk and not like wine. So it's generally just a matter of time before components start to show their age and suffer from known exploit patterns. And so we're going to need to get in front of that problem, make sure we're thinking about it as we start to develop the millions and billions of devices that are going to start to proliferate throughout our lives.

Exactly. And so how do you decide what open source you support or what devices you support inside of that supply chain?

Yeah, so we're focused on it. So we're looking at just the open source, right? So it's not the proprietary stuff, it's not the commercial stuff. So we're watching the 60 million GitHub repositories and we're watching a million events a day trigger. And we're just looking through the forums and through the commit logs and a variety of others, like a thousand plus other sources and correlating all that data into something that's very specific and actionable so that our customers can ultimately make an informed decision about what they're using, right? So half of the battle of managing risk is simply being aware of what you've got. The goal is not necessarily to be perfectly clean, but to have really good awareness of where your weaknesses are so that you can sort of prepare or brace yourself against it or put up other mitigating controls.

Great, and so do you guys provide a dashboard, for example, for a compliance team inside of a company?

Well, what we provide is a fully automated solution that embeds throughout your software delivery lifecycle. It's designed for the modern world. It's designed to be very precise so you can automate against it. And that's where traditional tools fall down.
They were sort of built for a waterfall era where people could take days to go through an approval process. We feel it needs to be done in a matter of minutes so it fits in a modern pipeline. So yeah, we provide that intelligence feed and then we're tied into your build and delivery process and then it does surface, it can break the pipeline and surfaces as a dashboard report where you can drill into the details and then figure out what you've got to do to move forward.

Great, and that tracks licenses and things along those lines as well.

Yeah, licenses is sort of the original concern of open source. It is. It's being overshadowed by more recent security concerns, but licensing is a very important part too if you want to protect your IP. You need to be careful about what you're putting in these devices.

Oh, by far. Now, I was looking at your LinkedIn a little bit earlier and you have a lot of experience with DevOps and actually driving DevOps environments, tooling, things along those lines. What, tell us about that.

Yeah, so I started getting involved in DevOps sort of when it was very first a word, if you will. I literally rebranded my team, the DevOps team and it was meant to provoke conversations. It was fairly effective at that, but I did develop a high trust team. I actually was able to implement the cultural part of that within my team. I couldn't change the whole Fortune 100 insurance company, but we could demonstrate the art of the possible. It was an awesome ride. I was also inviting security to the table long before DevSecOps came on the scene because I intuitively understand it was holistic and we needed to get everybody involved. So yeah, so I'd like to think I was a little bit ahead of the curve there and had an opportunity to do some great work with some great people that continues to serve me well to this day as we as an industry mature into it.

Yeah, I think it's really interesting.
I remember going into a large customer and we were talking about kind of a solution for this customer and at one end of the table was the infrastructure developers. The other end of the table was the app developers and in the middle sat the tooling guys. And so it was always interesting to see how they kind of flock to their different sides and when they started working together how a couple of people would sit together and they morphed a bit. And I think that's really interesting in terms of the culture element.

Yeah, I mean, that's essentially what my team was. We were that tooling team, but we acted as the team that was bridging those relationships and bringing those teams together. The middleware team in particular along with our development team. Apps was a little bit further down the line, but also getting security and audit involved, stuff like that. So yeah, it was an interesting role and it's just neat to see that we're maturing as an industry and this is starting to become very real and the tooling now exists to make this stuff very doable unlike five years ago. There just wasn't quite the tooling there. Conceptually we knew what we wanted to do, but until the tooling shows up it's hard to really automate it and do it the way you want.

So what kind of tooling is exciting you right now? What are you seeing out there?

So what excites me is in addition to our own product, which is in a family of products that I would say is automated inspection, right? And so gone are the days of late lifecycle, heavy lift, manual inspections and here today now we have an ability to inspect continuously early in the process in that CI pipeline where things are happening 10 times a day. We can get that feedback to those delivery teams when it's most timely. And then so you combine that with containerization at least in the regular application space which gives us a converged supply chain.
So now my OS, my middleware, everything is flowing through that pipeline as opposed to when I was doing it I was taking the application and ultimately deploying it to a statically provisioned environment. No two of which of those environments ever look quite the same. Now with containers that problem sort of goes away and we have all this inspection tooling that helps us build quality in and not try to inspect it in later.

Exactly. And just one of the things I'm looking at when I look at supply chain, the question comes to mind around blockchain. And are you looking at blockchain as something you might integrate into your solutions at some point in time?

I'm personally not looking at it yet but it's hard to imagine that I won't be looking at it soon because I can't read three articles and one of them not be about blockchain these days. It seems to hold a lot of promise in terms of provenance and basically chain of custody type things which are also important to this whole supply chain issue. So yeah, I think it has a future. I think I've got a few things on my plate I need to get off first and then I'll have to start looking at blockchain.

That's great. Now is there anything that was really wowing you from the show? We've got, there's Meraki here, they're giving away something like $1.2 million of equipment. Were you surprised to see anything more really outside of just IoT, what are you really seeing pop?

Like I said, this is a bit of a new venue for me. I've been attending DevOps days and DevOps Enterprise Summit and local meetups and I've been really narrowly focused in that space and this last year, so now I'm getting more into the cloud and this is my first IoT based event. It's great to see Cisco in their second year having such a successful event. It's really grown a lot. It's in a terrific venue.
But in terms of wowing me, I think it's just access for me personally to the folks in the IoT community so that I can start to wrap my head around it and share our story with them, which I think has raised some eyebrows and got some interest to think about supply chain issues in that context.

Well I think it's absolutely necessary that you actually enable this software across the enterprise. I know that my experience in many enterprise organizations would have been a lot easier if I had your software and the ability to do that.

Yeah.

You know, I think that's great. So, you know, one of my other questions is, are you guys, are you partnering with DevNet? Is there a relationship there? Is this just educational for you?

No, we definitely, we have a relationship with Cisco and we like to support events like this. It helps us get out. It helps us build these types of relationships. Yeah, I mean, I think this is an emerging relationship between Cisco and Sonatype and obviously IoT has such a big future. There's a lot of potential there for both parties, I think.

That's awesome. Well, thank you so much for being here. Thank you so much for sharing everything that you did and we will be right back from Cisco DevNet.