And welcome back to theCUBE's coverage of CloudNative SecurityCon 2023 North America, the inaugural event. I'm John Furrier, host of theCUBE, along with Dave Vellante and Lisa Martin covering from the studio. But we have on location Emmy Eide, who is with Red Hat, Director of Supply Chain Security. Emmy, great to have you on from location. Thanks for joining us.

Yeah, thank you.

So everyone wants to know, this event is new, the inaugural event. CloudNativeCon, KubeCon, very successful. Was this event successful? They all want to know, what's going on there? What's the vibe? What are the tracks like? Is it different? Why was this event successful? What's different?

Yeah, I really enjoyed being here. The food is wonderful. There's also quite a few vendors here with some really cool emerging technologies coming out, and a lot from open source, which is really cool to see as well. The talks are very interesting. They're very diverse in subject, but still all security related, which is really cool to see. And there's also a lot of different perspectives on how to approach security problems and the people behind them, which I love to see. And it's very nice to hear the different innovative ideas about how we can go about doing security. We heard from some startups as well that they're very happy with the decision to have a dedicated event.

Red Hat is no stranger to open source. Obviously KubeCon, you guys are very successful there in CloudNativeCon. Now the security, why do you think they did this? What's the vibe? What's the rationale? What's your take on this? And what's different from a topic standpoint?

From non-security-specific events, is that what you mean?

What's different from KubeCon, CloudNativeCon, and here at CloudNativeSecurityCon, obviously security's the focus. Is it just deeper dives? Is it more under the hood? Is it root problems? Is this beyond Kubernetes? What's the focus? I guess that's it, people want to know why the new event.
I mean, there's a lot of focus on supply chain security, right? Like that's the hot topic in security right now. So that's been a huge focus. I can't speak to the differences at those other conferences. I haven't been able to attend them, but I will say that having a security-specific conference that really focuses on the open community and how technology is evolving and how you apply security, it's not just talking about tools, which I think other conferences tend to focus on, just the tools. And I think what's lost in that is someone trying to learn about security or trying to even implement security. But here they talk about what it takes to implement those tools, the people behind implementing those tools.

Let's get into some of the key topics that we've identified and get your reaction. One, supply chain security, which I know you'll give a lot of commentary on because that's your focus. Also, we heard Liz Rice talking about the extended Berkeley Packet Filter. Okay, that's big, root kernel management. That's big. Developer productivity was kind of implied around removing the blockers of security, making it more aligned with a developer-first mentality. So that seems to be our takeaway. What's your reaction to those things? You see the same thing?

I don't have a specific reaction to those things.

Do you see the same thing happening on the ground there? Are they covering those three things? Are they the big focus?

Yeah, I think it's all of those things kind of wrapped into one, right? But yeah, I'm not sure how to answer your question.

Well, let's jump into supply chain, for instance. That has come up a lot. What's the focus there on supply chain security? Is it SBOMs? Is it container security? What are the key conversations and topics being discussed around supply chain security?
Well, I think there's a lot of laughter around SBOM right now because no one can really define it specifically and everyone's talking about it. So there's a lot more than just the SBOM conversation. We're talking about the full end-to-end development process and that whole software supply chain that goes with it. So there's everything from infrastructure security all the way through to signing, transparency logs, really the full gamut of supply chain, which is really neat to see because it is such a broad topic. I think a lot of folks now are involved in supply chain security in some way. And so just kind of bringing that to the surface, the different people that are involved in this space, thinking about what's on the top of their mind when it comes to supply chain security.

How would you scope the order of magnitude of the uptick in supply chain attacks? Is it pretty heavy right now? Or is it hair on fire? Give us a taste of the temperature in the room on supply chain attacks.

I think most of the folks who are involved in the space understand that it's increasing. I mean, what is it, a 742% average annual increase, year over year, in supply chain attacks. So the amount of attacks increasing is a little daunting for most of us, but it is what it is. So I think most of us right now are just trying to come together to say, what are you doing that works? This is what I'm doing that works, in all the different facets of that. 'Cause I think we try to throw tools at a lot of problems, and this problem is so big and broad-reaching that we really need to share best practices as a community and as a security community. So this conference has been really great for that.

Yeah, I've heard that a lot. Too many tools, not enough platform thinking, not enough architecture meets some structure. Are you seeing any best practices around frameworks and structure, around how to start getting in and building out more of a better approach or posture?
I mean, what's the state of the union for supply chain, how to handle it?

Well, I talked about that a little bit in my keynote that I gave, actually, and I've heard other leaders talk about it too. And obviously it keyed my ear just because I'm so passionate about it, but it's about partnership. So empathetic security, where the security team that's enforcing the policies, creating the policies and guidelines, is working hand in hand with the teams that are actually doing the production and the development, right? Like I can sit there and tell you, hey, you have all these problems and here's your security checklist or framework you need to follow, but that's not gonna do them any good. It's gonna create a ton of holes, right? So actually partnering with them, helping them to understand the risks that are associated with their very specific need and use case, because every product has a different kind of quirk to it, right? Like how it's being developed. It might use a different tool. And if I sit there and say, hey, you need to log on to this, you need to make your tool work with this platform over here, and it's like, hey, it's not compatible, I'm gonna have to completely reframe how I'm doing productization. I need to know that as a security practitioner, because me disrupting productization is not something that I should be doing. And I've heard a couple of folks kind of talking about that, the people aspect behind how we implement these tools, the frameworks and the platforms, and how do we draw out risk, right? Like how do we talk about risk with these teams and really make them understand that it's part of their core culture and their understanding. So when they go back and have to make decisions without me in the room, they know they can make those business decisions with the risk as part of that decision.

I love that empathetic angle because that's really kind of what needs to happen.
It's not just, hey, that's your department, see you later, not even having any knowledge of the information. This idea of team construction, team management, is a huge cultural shift. I'm sure the reaction was very positive. How do you explain that to an organization that's out there? What are the first three steps you've got to take? Is there anything that you can share for advice, for people watching you saying, yeah, we need to change how our teams operate and interact with each other?

Yeah, I think the first step is to take a good hard look at yourself. And if you are standing there, and if I retower with a clipboard, you're probably doing it wrong. Check-the-box security is never going to be any way that works long-term. It's going to take you a long time to implement any changes. At Red Hat, we did that look ourselves. We've been doing a lot of great things in supply chain security for a while, but really taking that look and saying, how can we be more empathetic leaders in the security space? So we looked at that, then you say, okay, what is my rate of change going to be? So I need to make so many security changes. Explaining to these organizations, you're actually going to go faster. We improved our efficiency by 2,000% just by doing that, just by creating this more empathetic approach. So while it seems like it's more hands-on, so it's going to be harder, it's easy to send out an email and say, hey, meet the security standard, right? That might seem like the easy way because you don't have time to engage. It's so much faster if you actually engage and share that message and have a common understanding between the teams that I'm here to deliver a product. So is the security team. The security team's here to deliver that same product, and I want to help you do it in a trusted way, right?
Yeah, Dave Vellante, my co-host, was just on a session, and we were talking together about security teams jumping on every team and putting a C on their jersey to be like the captain of the intramural team and being involved. And it goes beyond just the checklist, like you said, oh, I got the SBOM list of materials and I got the code scanning thing. That's not enough, is what we're hearing. Is there a framework or a methodology to go beyond that? You got the empathetic, that's really kind of a team issue. You got to go beyond some of the tactical things. What's next beyond? You got the empathy, and what's that framework structure? So what do you do after you have the empathy, right?

Yeah. Yeah, I would say SLSA is a good place to start, the Supply-chain Levels for Software Artifacts. Not full. That's a really good maturity framework to start with no matter what size organization you have. They're just gonna be coming out here soon with version one. So they released 0.1 a few months back. That's a really good place to do yourself a gut check of where you're at in maturity and where you can go, what the best practices are. And then there's the SSDF, which is the Secure Software Development Framework. I think NIST wrote that one. But that is also a really good framework, and they map really well to each other, actually. When you work through it yourself, you're actually working through the SSDF requirements.

Awesome, well, great to have you on and great to get that knowledge. I have to ask you, like KubeCon, I remember when it started in Seattle, the first KubeCon event, it was very kind of small, similar to this one, but there was a lot of end user activity. Certainly the CNCF kind of was coming together right after that. What's the end user activity like there this week? That seems to have always been the driver of these events. It gets a little bit organic. You got some of the key experts coming together, focused.
Have you observed any end user activity in terms of contributions, participation? What's the story on the end user piece there? Is it heavy? Is it light? What is it?

Yeah, it seems moderate, I guess, somewhere in the middle. I would say largely heavy, but there's definitely participation. There is a lot of community and networking happening between different organizations to partner together, which is important. But I haven't really paid attention much to the Twitter side.

Yeah, you've been busy doing the keynotes. How's Red Hat doing in all this? You guys have been well positioned with the cloud native movement. I've been following Red Hat's moves since the OpenStack days, and really a good line of products, good open source mojo, of course. Good product mix, right and relevant. What's the security focus here? Obviously you guys are clearly focused on security. How's the Red Hat story going on over there?

There was a really good talk yesterday that explains that super well, given by a Red Hatter, connecting all of the open source projects we've been a part of and kind of explaining them. And obviously, again, I'm keying in because it's a supply chain kind of conversation, but I'd recommend that anyone who's gonna go back and watch these on YouTube check that one out, just to see kind of how we're approaching the security space, as well as how we can contribute back to the community in that way.

Awesome, great to have you on. Final word, I'll give you the final word. What's the big buzz on supply chain? How would you peg the progress there, feeling good about where things are? What's the current progress on supply chain security?

I think that it has opened up a lot of doors for communication between security organizations that have tended to be closed. I'm in product security, and product security and information security tend to not speak externally about what we're doing. You don't want to look bad, or you don't want to expose any risk that we have, right?
But it is, I think, necessary to open those lines of communication to be able to start tackling this. It's a big problem throughout all of our industries, and if one supply chain is attacked and those products are used in someone else's supply chain, that goal can continue, right? So I think it's good. We have a lot of work to do as an industry, and the advancements in technology are gonna make that a little bit more complicated, but I'm excited for it.

I think you just throw AI at it, that's the big thing, everyone's doing AI, just throw AI at it, it'll solve it.

Yeah.

Isn't that just the new thing? I need security AI though. Super important, I love what you're doing there. Supply chain, open source needs supply chain security, open source needs this big time, it has to be there. Thank you for the work that you do, really appreciate you coming on.

Thank you. Yeah, thanks for having me.

Yeah, good stuff. Supply chain, critical to open source growth. Open source is gonna be the key to success in the future with automation and AI right around the corner, it's getting nailed and that's important. This is theCUBE coverage from CloudNativeCon, SecurityCon in North America 2020. I'm John Furrier, thanks for watching.