Swapnil Bhartiya: This is your Swapnil Bhartiya, and welcome to another episode of T3M, or Topic of the Month. The topic of this month is security and compliance, and to talk about this topic today we have with us Forest Eckhardt, software engineer from VMware. Forest, great to have you on the show.

Forest Eckhardt: Yeah.

Swapnil Bhartiya: Let's talk a bit about the evolution of security that you have seen, if you look at the traditional IT world to this modern, cloud-centric, cloud native world.

Forest Eckhardt: I think that the biggest evolution that I've seen so far in the past couple of years has been a much bigger focus on sort of software supply chain security. So it's now much more about understanding all of the dependencies that are inside of your apps, and understanding the vulnerabilities that those could potentially have. I think that's probably the biggest shift that I've seen.

Swapnil Bhartiya: And when we talk about this shift, can you also talk a bit about, of course, when you look at security there are tools, but at the same time there's culture. You know, a lot of cultural shifts are happening. We talk about shift left, we talk about embracing zero trust architecture, we talk about the whole DevSecOps movement. How much cultural evolution are you seeing that is happening in reality, not what we love to talk about?

Forest Eckhardt: I think that it's actually been a surprising shift in culture. I think previously, when I would see people talk about sort of deep security concerns, it was a very small subset of people that would be actually very deeply concerned about it. But I think that there's a lot more movement and discussion internally that people are having, and they're actually trying to move the levers a little bit quicker. I think it's still hard, because I think there's a lot of best practice out there, and best practice hasn't really been caught up to from even, you know, five years ago. So, you know, it's gonna be a slow process and there's gonna be some catch-up.

Swapnil Bhartiya: But are you happy with the state of this culture, where you're like, hey, organizations understand security, they're embracing these practices? Or do you always bump into some cases where you're like, everybody wants security, but they are not doing the right thing, they are still looking at security as an afterthought? Or do you feel that, no, everybody got it right, everybody's working on it, yes, it will take time?

Forest Eckhardt: I think it would be kind of crazy to say that everyone's got it right, because I don't know that anyone's really nailed security. But I think that there is a much harder case to be made to ignore security concerns than there was previously, maybe. And I think that that just comes down to just the amount of SOC 2 integration that I see sort of in companies universally, even places where you wouldn't think about it. So I think that's more of the approach that I'm seeing now: not necessarily that we've completely nailed it, but taking the conversation pretty seriously.

Swapnil Bhartiya: When it comes to availability of tools, how satisfied are you with the ecosystem? Where you're like, no, the tools that we need are available? Or do you see there are still a lot of gaps, where there are still a lot of security challenges you see, and you're like, hey, that keeps me a bit awake at night, because these are the holes that we still need to fix?

Forest Eckhardt: I think that, particularly in the area I was talking about, secure software supply chains, the tooling is evolving rapidly and the standards are evolving rapidly. I think that something interesting that cloud native development has allowed is sort of these atomized and individualized applications, which allow you to individually track things down to the application level, like the container level. And I think that, you know, that's very exciting new technology. So because it's so new, the tooling is not necessarily 100% there yet, but there are lots of people working on trying to get that space to, you know, a really strong place.

Swapnil Bhartiya: I think in the last couple of years we have also seen a lot of initiatives from the public sector. In the US, the Biden administration came up with, you know, an executive order about SBOMs. In Europe also, a lot of things are going on. The whole issue is that, you know, their policies are not very well aligned with open source. But if I ask you, what kind of initiative are you seeing from governments or the public sector that are also pushing vendors to embrace security?

Forest Eckhardt: I think that what you brought up in terms of having a mandate or an executive order has really pushed the want and need for these public sector initiatives to completely comply with rules. Especially seeing sort of a big boom in the adoption of open source projects into every technology and software sector, they're looking to try and, sort of as quickly as possible, find ways to meet security compliance.

Swapnil Bhartiya: Now, just also to quickly talk a bit from Cloud Foundry's perspective, especially in the, once again, modern world where you are also kind of, you know, building a bridge between the Cloud Foundry and Kubernetes worlds: talk about the initiatives that are out there from this project to ensure, once again, security of workloads, you know, and the other elements.

Forest Eckhardt: Yeah, so Cloud Foundry and the CFF are sponsoring a project that I'm working on called Paketo. That's a set of buildpacks that are implementations of Cloud Native Buildpacks; Cloud Native Buildpacks is a project in the CNCF. And as part of our implementation, we've really taken the initiative to make security kind of our number one priority. We wanted to be as turnkey as possible, so we've gone to great lengths to ensure that we are allowing users to keep the most updated operating systems, as well as we support some very sophisticated software bills of materials, both of the actual sort of final image that's produced but also of the image that's used during the build process. We separate the two to sort of reduce the number of dependencies that end up in the final image.

Swapnil Bhartiya: Before we wrap this up, I would like to hear from you. Of course, there are companies who want a different state, you know, so there are a lot of companies who got security right, but we still hear of all the cases from them. So, as you also said, not everybody has got it right. What advice do you have for organizations, so teams, so that they can improve their security posture?

Forest Eckhardt: I think that security is obviously something that needs to be handled at a company-wide level, but it only is as strong as sort of individual base units. And so understanding some of the options that you have, I think, would be a strong idea. And, you know, trying to keep compliance and security over convenience, I think, is something that I would suggest as well. I sometimes see people fall into the trap of not being as secure as they could be because it's a harder solution over time, and I, you know, I can sympathize with that for sure. But I think that would be what I would encourage.

Swapnil Bhartiya: Thank you so much for taking time out today to talk about this topic, and I would love to talk about security with you again in the future. Thank you.