 we are rolling. Going to share my screen. My name is Mike. Where is the gosh darn share screen? There we go. I'm going to share my screen. And you know what? I'm going to present. My name is Mike Waite. This is the OpenShift Commons Briefing Operator Hours. And we are super excited here today to have our very, very highly energetic rock star best buddy, Scott Johnson, who's the Senior Director of Product Management over at Synopsys. Scott, how are you? Hey, I'm doing great. Thanks for that warm and welcome introduction. Much appreciated. Well, you know, I couldn't help but squeeze that in because you know, as we got on the call at the bridge here a little early, I was like, geez, that's a pretty nice white background you got there. And then Ferris, who I'm also going to introduce in a second, has a similar type of background. Then, you know, you took yours off and there's like this giant Iron Maiden poster flag on the wall. And I was like, wow, where's the, you know, you've got a ponytail going on there. You know, how many guitar picks, how many guitar picks have you collected from Iron Maiden concerts in the day, Scott? I've always wanted to get one, but I've never been in a position to catch one. I was really close when the bass player's side project played in Atlanta to like 100 people. And I was literally up in front and had an opportunity to get a picture with him. But I was not able to get a guitar pick, I think, or in this case, one of the guitar players, one of some little 10-year-old kids snatched it away from me. Oh, no way. Anybody like kick you with the shins? This is mine, grandpa. You remember when we were kids, just do a little sidebar because I find this pretty interesting. Remember going to concerts as a kid, we didn't have any money. And it was like, trying to figure out how to get seats and like, can you even get somewhere near on the floor so you could potentially get a drumstick or something. 
And lately, over the last three or four years, whenever I've gone to a concert, I basically just go all in and I buy like front row center. I'm like, just give me six of those. I wish we could have done that when you were 17. Yeah, the tickets, the prices have changed a bit since then too, right? That was when tickets were maybe 10 or 20 bucks. Now those are like the $400 ticket or maybe more. Six hundred. Yeah, don't want to change those. So depending on the venue and whatnot. So well, with some of the bands or some of the entertainers, right, they put on a heck of a show. So it's well worth it. If you're going to go, you might as well enjoy it because especially with COVID, right, everything's been shut down. So it's going to be nice when some of those things open up. And we'll probably see, I would expect there's going to be a lot of new music and books and stuff coming out really soon as folks that have been holed up for a while have been sitting around, hopefully being creative. It's only been about what, 18 months and since this whole thing started. And I got to tell you, I'm looking forward to eventually going back to the office. I just, I miss the cafeteria, you know, like getting up and keeping you in a routine. I find that by working from home all the time now, you know, we kind of like get up and you kind of forget about your own personal time and then you're drinking coffee and actually, you know, you're turning on your laptop. And then it's like, you know, 130 and you haven't had lunch yet. And it's just, I like that routine of being in the office building, going down to the, you know, having the chef whip up, you know, whatever they do for breakfast and then, you know, the fantastic lunches that they made. And I just, I don't know, I'm really looking forward to getting back to business as usual. So concerts, you know, There's something to say for that for sure. Right. 
I mean, I remember one of the cafeterias where I worked, I could just go in and I just kind of do like one of those. And he knew exactly, he was like, ah, he wants a double chicken, chicken wrap with lettuce and broccoli. Yeah. Yeah. Which is an odd combination. But not the, but not the iceberg lettuce. It's going to be romaine. There's no, Yeah, it's romaine. Chopped romaine. Yeah, no iceberg. So, so, but no, you're not a cafeteria worker. You're a senior director of product management at Synopsys. So what does that mean? So it means I take all the arrows and all of the, all the blame. Now, what it means is we really focus on how do we drive the, how do we understand and drive the requirements, the, the needs of the customers and the users in the space in which we're in, which is application security, how do we drive that into our vision and strategy so we can meet the needs of the enterprises and other, other organizations as, as they really try to figure out, how do we secure this world? Right? It's been, it's been pretty crazy what's been going on, not just with COVID, like we talked about, but the impact of cybersecurity. So from a, from a product management perspective, it really does go down to the fundamentals of understanding the market. Where's the market going? The old adage that Wayne Gretzky used to use about, you know, he follows where the puck is going, not where it is. We have to do that in product management and try to make some bets, right? What's evolving with API scanning and what are the new languages and frameworks that you need to support? And then driving that into the product requirements and executing, right? 
Being able to come back to customers with, you know, the features and functionality that enables them to do their jobs effectively and efficiently and meet their needs for their organizations, which I mean, they're feeling, you know, I have a lot of friends that work at the, some of the various large enterprises and in the space and they're, I mean, they're feeling the pressure, right? You know, every day when you hear about, you know, SolarWinds and Colonial Pipeline and meatpacking plant, right? What the heck? Meatpacking plant, JBS got hacked. It's like, what in the world, right? I want to ask you about that because I, honest to gosh, I have some opinions, but I want to hold that thought for now. Yeah, we have Ferris Yassen on the phone and Ferris is a good buddy of mine. He's been here at Red Hat for many years and Ferris is the, you know, global alliance manager for software vendors here at Red Hat. Ferris, how are you today? Oh, very good. Thank you, Mike. I was listening to the conversation and I even forgot that we are just talking about business stuff. It was so fun and exciting things. Well, I haven't, you know, when we did the dry run with Scott the other day, you know, you guys know I was on PTO and I was in my pickup truck driving around Northern New Hampshire searching for fireworks for an event. I could tell that we have some pretty good chemistry and synergy here. I don't think we're going to have a hard time running out of things to talk about today, but I did want to get to you. So what do you do here for the company and tell us a little something about yourself first? Yeah, yeah, sure. So I'm a Maiden fan. I've always been since I was way back when. And in fact, I was surprised to know that they still have the concerts. I'm not as strong a fan as I used to be, but I would love to go with Scott and you might maybe we can go out with some conference. I cannot wait. Maybe around, you know, KubeCon's coming up in October, right? 
Maybe there'll be a concert in LA and maybe we can like get together like early or stay after it. We can go. I don't know. I haven't even looked for concerts in 18 months, but that would be cool. If we could see that. I heard like Mötley Crüe and Styx are going on tour. Styx and the Crüe. Yeah. Nice. So wow. All right. So as you can see, we can go all day talking about all these things. So let me get to you. Your question, Mike. So what do I do for Red Hat? So I manage the alliances that we have with our top tier security partners, which is in the status Synopsys. So I work very, very closely with the Synopsys team in providing ways that we can help our customers be more successful in the implementation of DevOps and the pipeline in the DevOps. And that's why we keep referring to it and Red Hat terms and DevSecOps, which is an industry standard now. And we try to bring security into the mix of DevOps. Now, a lot of the times we hear from our customers that, you know, developers and operations work in this area, then they come in and after the code is done, they go into security. Security is going to yay or nay the code, and this is going to bring the cycle way back in and make it that much longer for them to deploy the code. And today in the agile world of things, we really can't wait that long for code to be coming into market. So we want to do the shift in security, left so to speak, and basically taking it from after DevOps and put it in the middle or even before. So we have worked with our partners in the security world to go in and secure the code and secure the containers after they've deployed in OpenShift. Now, OpenShift, obviously, it's a very strong system built on Red Hat Linux. It takes care of the security in the infrastructure, it takes care of the security of the environment. But once you build those containers, we wanted to work with our partners to secure them. 
Now, we have built a lot of blueprints that will talk about the DevOps world and how it progresses. And we kind of defined how our security partners work in nine areas that are important to security. We defined them into nine specific regions so to speak. And that basically would be application analysis, identity and access management, compliance, network controls, data controls, runtime analysis, audit and monitoring and remediation. And when we defined those areas, what we set out to do between me and Dave Muir and Levi, if you guys are familiar with our team, we set out in the beginning of the year and we decided that it would be a great idea to have a security series. And we started back in March where we started going through the Red Hat security ecosystem. And we provided introduction, we started by providing introduction to the DevOps security topics. And then we went on for each month, we dedicated a topic so to speak. And this topic, last month, May, the topic was the internet management. So if you were following the show, you would have seen Sabah was on there. This month, we have the app analysis where Synopsys is our top ISV that do a lot of work with us in the app analysis. So here we are today, and we've been doing those series every third week of the month. And I know that because a lot of your audience, a lot of our audience and our customers have been gone to Summit last week, that's why we kind of shifted it this week. I know that all of our listeners have been there, if you haven't. We were told, sorry, Mike, shut it down. Corporate was like giant foot coming down. Well, for good cause, we're going into the live events, but they still can catch him. But we're glad to be here. And next month, I think we can be talking about the data analysis, right? So we look forward to seeing you next month in July. But for now, that's where we have with the topic. We're going to be talking to our friend Scott about a lot of things. 
So I'm very excited to be here today. Cool. Thanks. Glad to have you Ferris as well. And so if anyone wants to stay on top of the security themes that Ferris and his team are putting on with their partners, you can go to the OpenShift site, openshift.tv, find the calendar of events, and you can actually sign up and see, you know, which events are being put on by whom when and ours are generally Wednesdays at noon Eastern. So looking forward to having having you folks on again here Ferris. Scott and Ferris, I need to talk about the elephant in the room. Okay. Well, there's probably lots, but I'm going to bring one up. So I've been here at Red Hat, as some people know, who follow our show forever. I'm as old as dirt. I've been here for 21 years. And we were, yeah, it was 2002 when my office was started. And there were 12 of us in the office. And you know, back then, there were all these companies that were making, you know, all we made was Linux, right? It was like, you know, Linux was our product. We were one trick pony. And, you know, there were these Silicon companies out there Intel and AMD and others. And they all used software from Synopsys for doing electronic design automation. They call it EDAC, right? And so when when I hear Synopsys, I think chip design software. And I think Synopsys is like, you know, buying up everybody else. And I think I think they really bought Mentor Graphics. They bet all these, but then they went and they bought Black Duck. And, and I was like sitting there talking to myself at the time it was Joe Gomes, who was the, who was your, you know, my main point of contact there. Great guy. I got it. I got to text him and see where he ended up. But I don't get like Black Duck software was based out of Massachusetts and, and, and you guys will know better than me. But like vulnerability scanning, right? For open source projects. I mean, imagine how important that is. 
You're like one of these big commercial banks and, you know, you're building all your own apps inside your commercial bank. And you're taking all this open source code. And how do you know that there's not like vulnerabilities in it? And I'm going to, I'm going to do a really poor job here. But, you know, Black Duck was like, no problem. You know, our vulnerability scanning stuff will make sure that all your open source components will be good. So you can roll out secure, supportable software for your commercial bank. How is it that, that is that what makes Synopsys a security vendor? Is it the Black Duck acquisition or is Synopsys changing their focus? Are they, are they no longer, you know, designing software for Intel to do, to design cores and sockets? How does it, like, tell me about that? Yeah, so look, I think that's a, that's a great, that's a great point. And when you look at kind of the, I guess, the evolution of Synopsys and that history that you mentioned, the rich history and silicon and silicon and focus there and the success, right? The success of the company. I think what they really identified was the importance of software and securing software and how we, how it's so important to enable trust in software over time. And so the, the company, the, the executive team has made a strategic and very focused investment and commitment, right? It's really about commitment. It's beyond investment. It's about commitment to how you secure code. Going back to, maybe they listened to what I think it was Marc Andreessen that said back a decade ago that software is eating the world. And it is, right? Software is basically part of everything we do in addition to the chipsets. And so that commitment, in addition to Black Duck, so they, they have built around and before that you had Cigital, you had Coverity. 
So if you look at the pillars of application security, static analysis, open source, dynamic, IAST, Synopsys and the SIG, we're called SIG, but within Synopsys, our security group, we're very focused on how do we provide the application security holistically in the pipelines and how it ties in with, with what we're doing together with OpenShift to really accelerate protecting the code as it's being developed a lot more rapidly and frequently. So it really is beyond, beyond Black Duck. And yeah. What's SIG is like, let me, Synopsys Integrity Group. That's correct. Yes. Is it really? Yeah, so I'm a winner. Okay. You are a winner. And, you know, and it's, it's, it's interesting because when you look at what we do, that doesn't really define what we do, because we, we cover so many areas across really the application life cycle. And you'd asked about, you know, what, what is Synopsys continuing to do? We just announced about two weeks ago the acquisition of a company called Code Dx. And we can, we can talk a little bit more about that in a few minutes, but the continued investment to provide the capabilities for, for our customers, right? When you think about the direction of application security and the companies, you know, it's, it used to be that it was primarily something that, if you go back to Geoffrey Moore and the Crossing the Chasm, right, it was kind of the early adopter thing. Yeah. For those that are aggressively writing apps, you probably should do application security. And then what do you do? Do you do static analysis, dynamic analysis, open source? The answer is all the above, by the way. But that, that evolution, right, in terms of how that's really evolving, every single customer or every single company today is a software company in one form or another. Banks, from banks to Dollar General. So the, you know, if you're driving through and I think we were talking about me being from Nebraska, you know, during our initial session. 
And so if you're driving through the panhandle of Nebraska, you find three things, right? There's a gas station, there's a McDonald's, and now there's a Dollar General. Well, guess what? Dollar General builds a lot of applications, both internal and external. There's a mobile app, right? I guess you could order your Dollar General dollar stuff and go pick it up, right during COVID. But the point is, every company really no matter if they're high tech, financial, retail, there, there is a security aspect of it because you have applications, because you're interfacing with customers that are using credit cards. Real world, real world example. Now my wife recently bought a new dishwasher and she bought it from a small company. I don't even know where they're located. They got hacked. Her credit card was stolen and it was breached. So we had to go through all the process and figure out what to do and all that. But it just illustrates that no one is really immune today. And at the core of it, it really is around the applications and the data. That's why I wash my own dishes. Stay away from them. You don't need an IP-enabled coffee maker. I have a dishwasher. I got a ski condo. I got a dishwasher there. I got my summer house in New Hampshire. I got a dishwasher there. I got this house here. I got a dishwasher. They really don't ever get used. Maybe it's because I don't have a whole hockey team of children like Dave Muir does. But anyways, that's what's that? That's another thing we can do with you, Mike, is go to your Colorado condo and then go ski and over there in the winter. Yeah, absolutely. We'll go to the Iron Maiden concert in Denver and then go ski. One other thing that I did want to bring into the discussion that also with Synopsys is very big in creating the chips and create the software that would create the chips. 
I was reading an article the other day about auto manufacturing and we have, you know, Synopsys has a big auto vertical that they work with where they have the chips and they create them for the AI, for the automotive industry. We have had to work very closely. We have our own center of excellence in automotive. And one of the things that the article was talking about with the intelligent cars coming in and how it's going to lower the insurance rates and lower the accidents. But there is one problem that is really making people stay up at night and that's the security of the auto driving vehicle. The entertainment systems, yeah. Exactly because then if somebody hacks into that, then it takes over the cars, then imagine the type of damage that they could bring in and the havoc they could bring into smaller cities, wherever the infrastructure is and so on. So this is, I think, a very important piece where Black Duck and Synopsys can come in and secure that code before it even gets into the chip. And that's a very big area that we've been working on together between Red Hat and Synopsys currently partnership wise, we have a really strong relationship there to help secure to secure the code that goes in cars. If you look at, I mean, it's again, it's the evolution of the space, right? Where is a car rubber and aluminum? Yeah, but it's also code. I think in the latest Tesla, there's like 100 million lines of code and a good friend of mine who does a lot of talks, TED talks and things like that. He was jokingly talking one time. He said, I don't want my automated driving car to run over grandma when I'm backing out of the garage with no when it's backing out of the garage so I can get in the car right because it's self-driving. So it's a really important, I mean, it ties in with everything we do, especially if you look at that part of the automation. If we really do have self-driving cars and we do, I've been in one, it's pretty impressive. 
But if every car is a self-driving car and you have a network that is dependent on no latency, right? And if one small vulnerability gets into that software supply chain that it could impact that infrastructure for all the cars that have to connect, it's kind of funny. So here's a non security example, but living in Atlanta, we have what's called the perimeter. And it's basically a circle that goes it's Interstate 285 goes around, I'm drawing a circle here. That's what that means. It goes around basically Atlanta. And there were some kids or some college kids, I think a few years ago, during rush hour, they DoSed the traffic by all going the same speed on the interstate which backed up everything. And so imagine now, in the future, all the software in the cars, automated driving where maybe probably won't be maybe our grandkids no longer drive. And someone just puts in a stop signal in the middle of rush hour across the entire US or heck the world, right? And all of a sudden one car stops on the interstate and it's total chaos. I mean, we've seen it with the pipeline, the recent pipeline hack with the Colonial Pipeline in Atlanta hit the region where I live. And my daughter who goes to UGA, she was driving back and she called me. She said, dad, there's no gas. So we'll just wait, wait in line or come back home. I guarantee you a couple of days, right? There's no gas shortage is just the pipeline. I mean, the gas is available. We just can't get it to the gas stations right now because of the hack. So you started talking about that. There were a couple things that you threw out there in your preamble. One was about Wayne Gretzky talking about, you know, go where the puck's going, not where it is. And in computer terminology, they call that speculative execution. And thinking back to like security breaches, you know, you brought up the meat packing plant and the, you know, the gas line and SolarWinds and everything else. 
Do you remember the Shellshock and Heartbleed bug that was actually in every computer in the world? Yep. Because of the anaconda coronavirus. How about that one? It was amazing. I just like, apparently like it started way back in the mainframe where in order to speed up transactions, they were like, well, if I'm a line order cook and I know that someone comes in every day and they're like, hey, I need my double bacon egg and cheese, right? And so they actually handle instructions in advance before the request comes in. Well, if for some reason that request doesn't come in, it gets dumped on the floor. And back then, you know, Heartbleed Shellshock was basically just dumping information on the floor because it was locked in a mainframe. Then when x86 came out, it's like this was anyways, it was an amazing security problem that was that was addressed. But you know, that's not your space. But let's talk about the meat. But it's all related. I mean, it's all related though, right? I mean, if you look at it, a lot of that generates or it goes back to the software, right? So you know, when you look at lateral movement and the breaches, right? A lot of it is kind of social engineering where, you know, I send you some hacker might, you know, socially engineer your password or, you know, just the old phishing attack. Hey, Mike, can you check out this file? You go, you, you want to, you accidentally click on it. Now you've downloaded something into the system. You don't even know it. And then they laterally move, right? And they find the vulnerabilities in the software. If you go back to like Stuxnet and do, we don't talk about it here per se, but Stuxnet is a freaking amazing, there's a great documentary on it and some good write-ups. 
But it's amazing how the lateral movement going from kind of a vulnerability on the Microsoft server side, I think it was all the way down to the Siemens HMI that enabled them to then get into the system with a USB stick into the nuclear plant. It was, it was just, it was amazing, right? But it went down, but it boiled down to, there was a vulnerability in the software. So it's kind of like the nucleus of where, you know, maybe not where the initial hack comes in, but, you know, water flows to the weakest point. And as we know, right? And it, it opens that up. Yeah. So meat packing plant pipelines, like, you know, like I said, I've been here forever. I have a feeling that Linux is a pretty secure operating system. It, like, how, how can these companies, I don't mean to like point my fingers at them, but come on. Like, like, what are they running? Are they, are they running their, their data centers, like on laptops and their houses and letting kids, like, play games on them and download? How does that happen? Yeah, I mean, are they not secure? Yeah, I mean, well, one, you know, one is, look, there are, you know, some challenges, I think it ties in with some of the challenges, right? The, look, the reality is there, there aren't enough people in security. I mean, there's, you know, there's, there's a need for education and more, more expertise at all, you know, at all levels, right? The pipeline, I mean, a decade ago, I'd say, I'd say more recently, they, they realized, I think they were actually advertising for a chief security architect or something like that. But, you know, there was a time where you would have never even thought, I don't, why would I need any security people? We're a, we're a paper recycling plant. We don't need that stuff. We're a pipeline, right? 
No, what, so, but when you look at it, so what it, what it really boils down to is if you are using software, even take it up a level, chips and technology, if you have computers, you're using software and you need to secure it. And regardless of your industry, you know, we were talking about coffee, joking about coffee as code, you know, a little, you know, in our, in our preamble the other day. And, you know, you think about just walking into Starbucks or whatever and order a cup of coffee and that's that. But everything they do is software-based. They've got over a thousand developers. They're hiring, if you go out to their job board, because I did just out of curiosity and like the first jobs that popped up were like security testing engineer. It's like, wait, what about coffee growing? What about the beans? Well, that's all automated. So if you hacked into their jump cloud process, you could actually possibly laterally move over and maybe you end up, my wife had, we were in Costa Rica before, like literally when things were shutting down, we almost got stuck in Costa Rica, which wouldn't have been so bad probably, right? But my wife actually toured the Starbucks plant or field where they're growing, you know, growing coffee beans and it's all automated and run by software. So what companies have to realize is if you are, if you are a business, security has to be one of the pillars of your spectrum of control and how you expect to really operate your, your, your company, right? Because it just, it's, it's foundational. It's bumper. It's more than bumpers on cars. It's brakes on cars. Yeah, especially now, nowadays that every time that the security roundabout is identified, especially in the code where Synopsys really works really hard is as soon as it's identified, you find YouTube videos showing you how you can, you can expose that vulnerability. 
And then if you're not fast enough on the speed is part of the, how are we going to be able to come ahead of those vulnerabilities? Like, I remember, like the WannaCry vulnerability or the ransomware that came out and there's a long story that's, that's a very sad story. It came in from the NSA and then somebody saw the tools and exposed it, but Microsoft knew about it. And then they put the patch, but the people who are using the Microsoft servers when really either went to where the patch or they thought they could delay it, that's the ones that were exposed the most, right? Because even though that they posted it and then you have people that had Twitter accounts and YouTube that showed you exactly how to hack it and hack into some of the companies and a lot of companies fall victim to it. So speed is important. And the knowledge of the black hat exposures, I guess, becomes in very, very easily nowadays versus how it used to be in the past. Well, I mean, it's, it's a, it's a really good point. I mean, speed, I mean, we think about the, and the challenge, I mean, just go back to, like, when did the first iPhone actually come out, like 2007 or eight? Seems like it was a lot longer than that, actually. Right. Didn't I always, didn't I, wasn't I in college or in high school with an iPhone? The answer is no. But so if you look at just over the last decade, right, the think about how many companies now have mobile apps that had none just a few years ago. Now they've got hundreds and the, the number of applications that a customer that I worked with quite a bit and became friends with their app sec team. I remember when he emailed me and he said, Hey, you won't believe this. We just crossed over scanning our 3000 application. And I was like, wait, what? You guys have 3000 separate or distinct applications or different code bases. And he's like, yeah, isn't that amazing? And I'm like, God, how do you, how do you, how, like, how do you even keep track of that? 
And then, and then if you look at the, the evolution that's happening there too is what's an application today? So look at the foundation and some of the things with OpenShift when you're looking at, you know, microservices components and the pipeline process for application security, the, the, the speed that, that you just talked about where there was a day and this kind of goes back when you had just a handful of apps, like, you know, I'm going to scan the app and you'd have like, you know, one guy or one lady and they would run a, run a scan say Coverity back in, you know, Coverity back in say 2010 or something. And maybe it takes two days to scan the million lines of code. And that was okay, right? And here's a bunch of stuff. And I remember distinctly, I was with a customer on location. It was actually with, well, I'll mention the names, but we were, we were on location or on their site. And we were talking to their app sec team member and he said, well, our, our development team needs this to be very fast. And I said, I kind of nonchalantly said, yeah, well, we can do that now in two hours. And he looked at me. He laughed. He said, he said, Hey, man, they need two seconds. And then we all laughed. And I was like, yeah, but it's not, it's, that's exactly right. So when you look at, and again, tying this back with, with what we're, you know, what we're doing together from a partnership perspective is as those pipelines as the CI/CD pipeline process has sped up and is how, and as more developers are engaging, right, in application security, because they have to, it has to be much quicker. And that's a big trend with all the tooling that's out there, not just from a static analysis perspective, but across the board, right, where developers need that insight back right then and there, because the old way, right, if you give me a report that says, Hey, here's 100 critical issues to go fix. The developer has already moved on. Right. So he or she has already moved on. 
That was like two days ago, I've written like another X thousand lines of code. I don't even know where I got to go, but now I have to go back and look for that. So you really got to that speed that you were talking about is so important that balance and then the quality too, right, reducing false positives. And do you think, do you think that I mean, there's no one vendor that's responsible for this speed, right? I mean, like, you know, micro, you know, containers and microservices and, you know, apps are getting, you know, yeah, they may have had 3000 apps, but they probably were pretty small. Some of them, they weren't like 3000 databases. That's right. You know, 3000 different vendors. You know, you got all these other vendors out there as part of this whole ecosystem, like you take someone like a Joget, for example, like all their low code, no code, you know, development tools and environment that they provide. It's almost like this whole thing is just like this one big ecosystem is just like continuing to accelerate based on the acceleration of the acceleration. It's really, it's really going fast. So and it makes sense that like, you know, if you can't fix the vulnerability instantly, that application might not even be being used by the time you might get around to fix it. Or it's had so many changes to it that doing a defect repair and something that's three major versions, it's, you know, so yeah, it's amazing how fast things are going. And yeah, it's like, it's like we're accelerating like the universe. They say the universe is actually the big bang, if you believe in that or whatnot, but the explosion, right? We're accelerating faster and software is like that. And technology, like a friend of mine had another quote, he said that technology and software in particular is expanding at a rate that is unfortunately faster than our ability to secure it. 
Like, dang, that's really, that's like, you know, Nostradamus thinking, right, or like big brain, you know, kind of things. But but but we can't let that happen, right? We can't give up on that because we see the disruption, right? I mean, the mechanics of how we live today, you know, going to things being all driven by software in so many ways, like I don't I don't use an alarm clock anymore. My iPhone is my alarm clock. So somehow the software on my phone doesn't work. Right. I mean, I'll wake up at some weird time. So we're so we've become so dependent on it. And by the way, Scott, it sounds like you're a big believer in the big bang theory. I just want you to know I'm not but I but I am. I don't know if I believe it. What happened before what happened before the big bang, right? Right. I am 100% convinced on the flat earth theory, though. I mean, all those people that think that the earth is actually round, they are just they're out of their mind. I and I and I can prove it. Donald Trump and I will be able to. Here's a really here's a very interesting perspective, though. So if you if you look at molecular biology and how the molecules are typically round, so my table right now, right, it looks flat. But depending on your on how you look at it, it becomes round. So if you if we go out a billion miles from our solar system and we look back, does does our does the Milky Way look flat? Does the earth look flat? Maybe it is flat from that context. But on the planet, like we know it's a sphere because we're standing on well, we think it's a sphere. But if you go out for it, so it goes back to the context, right? And in some ways, that's like software, right? How critical is the software? But it really depends on the context and how you're looking at it and how you're using it. If it's it's your alarm clock, maybe not that big a deal. If it's your pacemaker, probably a pretty big deal. So your your perspective on it changes. 
Yeah, I want to talk and just like bring the discussion a little bit closer to home with Synopsys because this is a very interesting story that I read on your site. Actually, that is very applicable and applicable to the Red Hat relationship is one and I'm not sure. I guess I could mention the name of the customer, but it's on your website and five people that get different. I mentioned it in my conference talks, but they there's it's like the financial industry regulating body and started to embark on using open open source code. And it's a very good story because when they came in to start using open source code, they what they wanted to do is they have a person a fact was a lady there that would just go in, look at the code and OK it. And then soon they start figuring out that as they get more open source code, the open source code dependency start to grow larger because if you get some open source code, it'll be dependent on 20 other source code, then she'd have to go in and figure this out and try to figure out and approve it. And that became just a humongous task that they couldn't really keep up with. And that's when they start bringing exactly. And then they start bringing Black Duck to monitor the or Synopsys to monitor the code and then OK it. And then if there's a human intervention that's needed, then it will direct it back to her. But with that, they kind of start like growing exponentially because they're no longer relying on one person or bottlenecks because it's automated through Synopsys and now the code can be scanned and verified and making sure that it's OK and it'd be secure code. Now, this is we're talking about financial indices, so this is very, very, very, very important topic for them, but they were dependent on Synopsys to do this for them. Well, it's such an important aspect of things that we do, right? 
So if you look at the portfolio and maybe, you know, we talked about some of the challenges around speed, tooling, the lack of security expertise where, you know, it's good for people in security, right? Because it drives the salaries up, but there's a need, right, with for, you know, again, going back to the Dollar Generals and companies like that that all have a need for, you know, for cybersecurity expertise. And so when you look at some of the things that we're doing, right, you know, from you mentioned Black Duck or the challenges around open source and the our ability to do dependency analysis, binary analysis, snippet matching and automating that, right? So that manual step, right, can become less needed or at least less critical or maybe only at very critical points where there just is no other option, right? So you want to automate those things. And like our open source risk analysis report by our Cyber Security Center Research Center came out fairly recently. And we encourage the audience obviously to take a look at that. I think we have a link on it at the end of the session, but you know, we studied or we audited I think something like, I don't know, thousands of code bases, 20 industries. And look, everyone's using open source. So your point there is it's exactly right. And here's the here's the kicker on that is everyone's using it and everyone has vulnerabilities, right? There are high level vulnerabilities in the vast majority. It's like 80, you know, I think ours that we said 84%, someone else said 85%. It's a high percentage, right? And year over year, that's only been increasing. I think the increase in critical or high vulnerabilities found in the open source things that we looked at packages we looked at was like an increase of 10%. I mean, that's, that's double digit growth. So is it any wonder with more companies using open source, more vulnerabilities, more code, right? 
So, JavaScript, Go, Kotlin, now you've got all the things happening with infrastructure as code with, I mean, so imagine a world now where because this wasn't this wasn't the case 10 years ago, where your Helm chart has a parameter setting on the memory aspect in the from a memory parameter perspective, that if that field is left null, somebody can do a denial of service on your app. And it's like, wait, what? That wasn't even that wasn't even a thing just a few years ago. Now you have to look for that, whether it's open source, or, you know, custom code, you've got to look at that from a container perspective. And I think that's with our partnership, right? I think that's one of the one of the great things about what we've really done together. And I know the team has really been working, I think, since geez, I think it goes back to 2016 or 17 when, when before I was here and probably before, well, Mike was long here, as he told us earlier, right? He was here 20 years ago, but I got to tell you so we've been working with we've been working with Synopsys since 2020 years. Yeah, when I started here, I was a solutions architect, and I took over the responsibility of doing, you know, partner marketing for software partners. Synopsys was probably the most innovative and aware company. And I remember in 2003, I wore, I think I told you this on the dry run, I worked with Karen Bartelsen, you can look her up on LinkedIn, I'm sure she's still around somewhere. She organized led by Synopsys, the EDA Consortium, which was to rally all the different chip vendor software companies together and standardize the release cycles. So product managing, poor product management people like the people who are on your team aren't ripping their hair out of the head, right? Like, geez, I got to support, you know, this version of the software on SUSE this and this on Red Hat. So they standardized the EDA Consortium and that was led by Synopsys. 
So, you know, they have a long track record of working with us way, way more longer than since you guys worked with Black Duck. Yeah, way, way longer than since we were really in the security space. So, but I mean, some of the, some of the things that we're doing partner wise, and I mean, that, you know, so if you go back and look at, you know, what are, what are, you know, with those trends and those challenges, what are some of the things we're doing, and it does center around, I talked, I mentioned Code Dx a little bit. So we acquired them to provide us with really normalization of vulnerabilities across multiple tools, whether they're, they're our own app sec tools or third party, because there's so many tools out there to be able to aggregate and correlate those results. So that's, that's a really great, you know, investment into, into our portfolio, but then driving innovations, right? When you think about the shift left and, and you know, what, what we've been talking about from a DevSecOps perspective, enabling the ability to do static analysis earlier on commit, right? Looking at infrastructure as code, building that in. So we've got a, a Sigma scanner that's, that's a component kind of of our Coverity offering that provides that second, you know, second scan, if you're doing a, you know, doing a pull request. So we're doing, we're doing things like that. A number of other things, fuzzing with Defensics. We talked about the automotive industry and a lot of the, you know, the different areas there in terms of the protocols that, that are becoming even increasingly important as we noted. But then when you look at our, you know, the partnership we have with, you know, building on, I think the first integration was back in 2017 with Black Duck and then really building on that, right? 
So as OpenShift has continued to do, you know, just evolve and is an offer with, you know, the, the, the Kubernetes distribution and really focusing the, the, the product on the developer experience. I mean, that, that really attracts me to what, what we're doing together in terms of application development, containerized pipelines and enabling the developers like with Jenkins and the various tools. But then how we built in, right, using the OpenShift APIs and are in the integration with Black Duck so you can, you can automatically scan and monitor the open source that's in all the container images that are deployed and then monitor that. You can do some additional things like, you know, annotating and labeling the images and the pods if there are bombs or violations that occur. So I mean customers, here's the thing that it's exactly what we should be doing. Customers shouldn't have to worry about that. We have to be building that in, right? When they go to use a solution like OpenShift and the fact that all the things OpenShift has done to build security in from a Red Hat perspective, but then partnerships like with us to then bring in kind of the layers of security with Black Duck to really help provide that secure, right, part of the process as you go through the development cycle is just really powerful, right? You're baking it into the pipeline. And, you know, that's a really key component of how we can, how we can do our part, right, to help the world in terms of making trusted software. Hey, I got a couple little bit of housekeeping here. We are live, although it doesn't feel like we're live. He's just having a laptop camera. I guess it doesn't give anyone anyone a shell shot. But maybe when we can finally get back into the studio in person and do this thing, we can actually see the beads of sweat rolling down people's foreheads. But your wallpaper will be a topic for discussion. Is that fish? I can't tell. No, it's the global view of the world. 
It's the flat earth. The flat earth. That's what the real world looks like. I got you. We're live on YouTube, we're live on Twitch, we're live on Facebook. And, you know, if anyone has questions for either Ferris or Scott, please drop them into chat down there. And then the robots will automatically bring those over here and drop them into chat here. We have seven minutes left. And I know that every time we go over my producer, Chris Shaw, gets angry and he starts texting me and blah, blah, blah, blah, blah. So like, we'll keep it tight. We have seven minutes left. What, you know, what are you going to, what, what do you want to make sure you cover here today? So when we get off, when we're done, and the phone rings, and it's your CMO, and they're like, Scott, you were live on the Internet for an hour. Why didn't you talk about, why didn't you talk about, I don't know, the future of AppSec or whatever? Yeah. Well, and I think the good, the great thing is, despite all of our fun conversation about, you know, the, the Big Bang Theory and Coffee is Code, we've hit on a lot of those topics. We've talked about, you know, I've actually been going, I've actually been going through the notes and like, man, we're doing a pretty good job. Right. This is a, we are actually, I think, I think maybe another thing is when you look at the holistic nature of application, but you know, again, if our CMO came in and he said, well, make sure we talk about intelligent orchestration and how we are looking at or leveraging policy as code across a pipeline and enabling security. So the right, to ensure that the right tool runs at the right time and in the right context. So I use a lot of analogies as you probably heard from our discussion. It's like, we know, one of them is, you know, you don't, you don't put up, you don't put up pictures with sledgehammers. Right. I mean, if you can, but good, you know, we'll probably have some walls or some holes in your wall. 
So the point is using solutions like our intelligent orchestration to enable the right tool to run at the right time and to provide the contextual results back. Right. It might go back to Jira. It might flow back into some other ticketing system and it's contextual. Right. And so I think that would be one thing they would, they would want to make sure I noted. I think another thing would be just going back to the, the, the partnership that we have. And when you look at not only the Black Duck side, but from a, from the standpoint of, of, you know, looking at Red Hat runtime environments with Spring, JavaScript, Java SE and all that, and how we've worked together to add interactive application security testing, our Seeker solution, with that to provide real time vulnerability discovery where the beauty of it is it provides line code, line code level validation of the issue. So instead of looking around and trying to figure out where is that, it gives you that precision and you can do that. Right. And the, the, within the workflow, right, you can do that runtime testing. You can do it ad hoc, it can be manual or functional testing. You can fully automate it, build it into the CI/CD. And then we can, you know, it runs obviously running on RHEL and can be fully automated. And it supports, you know, the changes in applications that we talked about, right? You're exactly right. Where those 3000 apps, they weren't all million line Python apps. It was a mix of microservices, cloud-based apps. And that's where the, the IAST capabilities within, you know, that we offer together provide additional value. And really another, another layer of security from an OpenShift pipeline perspective, right? Visibility and the details around things like, you know, is that web services call really an issue or not, right? And we can flag that and provide that right back to the developers. 
So there'd be a couple of things I would make sure, and we just did, right, tie those in that they go back to the strength of our partnership and why companies really need to look at the combination that we're offering and the value of, you know, orchestration and security as part of it. And you guys, you guys also are very important that you are operator certified in OpenShift so people can go in from the operator and then they find you right in and there. And we recently have integrated Black Duck into RHACM, the Red Hat Advanced Cluster Manager, which is something that we have released last year. Synopsys has come right in and integrated right into it so somebody could just click basically and immediately you're in the Advanced Cluster Manager schema. So we have a lot of integration points that we're doing together and we're very set for our customers. So Scott, I feel like we need to do part two. I've got lots of things that I wanted to talk about, you know, like your Gartner Magic Quadrant Survey. I've got a call to action slide here that I'm going to put up at the end. I'm going to throw this out there though that like we have a really successful podcast series. It's called Behind the App. We just renamed it. It used to be the Red Hat X podcast series. Now it's the Behind the App. If you want to come on and join us sometime and do a podcast with us, I think we'd love to have you. Yeah, do a hangout, talk more about AppSec and where it's going and debate the Big Bang Theory and how this all got started in the first place. I'm going to share my screen and hopefully I wasn't updating my Facebook profile while you were talking. This is our call to action slide. You want to speak to this and we've got, you know, you got plenty of time here to go into as much detail as you want in one minute. Well, so just a couple of things to take a look at. 
If you're interested in learning more about what we're doing to holistically drive application security, our Code Dx acquisition really brings it all together, right? Whether it's our tools or third-party tools. So definitely go check that out. We didn't get a chance to talk too much about the Gartner Magic Quadrant, but for the fifth consecutive year or time, they skipped a year and they're somewhere, but we were an unquestioned leader in the space as well as the critical capability scoring or critical capability scores. We could talk about that maybe more in the future. And then I talked a little bit about our OSSRA report. Definitely take a look at that. It's got some really good insight around the trends, the types of CVEs that are impactful for probably many of your organizations. And of course, if you do have questions and want to reach out to me, send me a note, reach out, or you can find me in LinkedIn. I'm one of the 1000 Scott Johnsons, although it's with a K and I'm in Atlanta. So you could probably find me pretty easily, but don't feel, feel free to reach out and say, Hey, so yeah, but anyway, so back over to you. I really, really appreciate the time. Great fun discussion. It was an hour that went in like 10 minutes. I know, right? That's what I'm saying. I really want to have you on our Behind the App podcast series. We're doing something there. So thanks for coming. Scott with a K, as you said. What's that? Got K Johnson. Yes. Oh, Scott K Johnson. I was like, well, that's not I do have Swedish blood, but we did not spell Scott, although I can get creative and it's SKT about that. Anyway, so thanks for joining. This is another awesome episode of the OpenShift Commons Briefing Operator Hours. My name is Mike Waite. We'll see you again next Wednesday at noon Eastern. Thanks, everyone. Hey, thanks. Appreciate you guys. Take care. Have a good day. Bye bye. Right on. Bye.