Hey, it's Alex Williams here for our Pancake Breakfast, the virtual Europe edition, and I have some guests here I want to introduce right away. Om Moolchandani, co-founder and CISO and CTO at Accurics. Hey, how are you doing? Good, Alex. Great. Wonderful. Cindy Blake, senior security evangelist at GitLab. Frank Kim, fellow at the SANS Institute. Hello. Sanjeev Sharma, head of platform engineering at Truist Financial. Hey, how are you doing? And it's Truist Financial. Truist Financial. Sanjeev Sharma, head of platform engineering at Truist Financial. And Katie Gamanji, ecosystem advocate at CNCF. Hey, Katie. Hello.

So I got my pancakes. You guys all have your breakfast treats here? Oh, yeah. This is one of the best I've had. Oh, look at that. We got pancakes. We got the Starburst minis. So you just pour those over your pancakes? Just like that, that's what I intend to do. Good, good, good. Hey Frank, could you pass me the syrup? Do you have any syrup over there? Oh, yeah, sure thing. Here you go. Oh, there we go. Oh nice. Nice. Yeah, that was flawless, right? I was reading pancake jokes beforehand. There's one about a dad who was telling his kid, yeah, I had a friend, his last name was Up, and he got knighted in England because he was such a hero, and when the queen gave him his sword or whatever they do, she said, I now bequeath thee Sir Up. Oh, that is bad.

Okay, well, let's just get started right into our discussion. It's on secure GitOps, and I want to go right to Om, and one of the first questions I have, and before I get started though, everyone can ask questions at the end.
This is recorded, and so we're going to have the opportunity for people to ask questions live. So if you're here and you're watching this, ask a question, please. Om, there are so many open source projects that are related to GitOps now. Can you please give us a rundown of those projects, and let's just get right into it from there?

Sure. And before I give you the list of those famous ones, maybe I can also quickly, for the benefit of level setting and everyone who's listening, say what precisely GitOps is, just a couple of lines of definition. So GitOps is basically your code-based infrastructure and operational deployment practice that specifically relies upon Git, and it uses infrastructure as code as well as DevOps methods to deliver high-velocity CI/CD, specifically for the Kubernetes control plane. Of course, it can be applied elsewhere too, but GitOps predominantly dominates the Kubernetes world. With that definition, some of the well-known tools that are currently under usage and practice within the community are Argo CD, Flux, then Jenkins X (not sure what the shelf life of Jenkins X is, but it is still being used), and then Skaffold, Kaniko, as well as Tekton. These are some of the really well-known ones. And of course there is another open source project which is delivering GitOps and similar capabilities for control planes which are lower than Kubernetes in the tech stack, which is called Atlantis. So Atlantis also allows you to do automation using pull-request-based mechanisms. And just one point: everybody will hear a lot about pull requests today in the conversation, but pull requests are the central technology of GitOps methodologies and offerings.

And that desired state is really what the goal is here, to really reach that desired state?
And so that becomes a real reason why it's integrated deeply into the CI/CD workflow. And Katie, how does GitOps rank in the overall ecosystem as something of interest to people? And what are the questions that you're hearing about GitOps, and just the general discussion about it?

I think GitOps has really taken over the ecosystem discussion, especially in the past months. Within the community, I think there has been a lot of adoption as well, and this is always a good sign, especially from the end user community. And when we kick-started the technology radars from CNCF, which pretty much try to showcase what the end users are usually using in their production systems at this time, there were already some usages of tools such as Argo CD and Flux, which is a very good indicator, especially because at the time when we did the continuous delivery technology radar, this was around August last year, so at that time we had Argo CD and Flux being either a sandbox or an incubation project. So still early projects, but they had this adoption within the end user community, which is always a good plus. So I definitely think this is something which will be more present within the infrastructure nowadays, so it's always good to explore it from different angles, especially security, which I'm looking forward to discussing more today.

Frank, you had some thoughts on this.

Om and Katie, what you were just mentioning, the tools you were just describing, made me think back to early in my career, and you guys might find this hard to believe, but when I first started my career we were deploying to production once every 18 months.
It was ridiculous. And we didn't have any of those tools or processes or methodologies that you guys were just describing. If only we had... we didn't even have Git, of course, back then. And this is why I'm so excited about a tool like Flux, for example, ensuring the state of your Kubernetes clusters matches your configuration. Wow. If we only had that 20-plus years ago, our minds would have been blown. So it's really exciting where GitOps is going now.

And I think from a large enterprise perspective, so I'm working for a pretty large financial institution right now, we cover both banking and insurance, one of the things we look for when we are looking at some of these open source projects is other vendors supporting it, because it's very difficult for a large enterprise to adopt open source without that. They tend to go towards open source projects which have been commercialized, so there's commercial support available. The issue there is: is a vendor supporting it, who's going to support it tomorrow, and can I rely on community support or can I get commercial support for it? So I think from a GitOps perspective, what is very encouraging when I look at it is seeing some of the larger vendors now talking about GitOps and including it in their commercially supported tools, because that's what will drive large-scale, enterprise-grade adoption. We love to tinker with open source projects in large enterprises, but the moment you talk about controlling your company's crown jewels with an open source project, you get all kinds of pushback saying, okay, who's going to support this? Do we have the structures in house, or are we going to rely on a commercial vendor to either provide support or provide a commercial variant of it? So to me, the direction tells me that, okay,
this is really mainstream, because we can eventually now start implementing it in a large enterprise.

So Cindy, what's the security posture that you're seeing customers taking, and how does GitOps fit into that? This is related to Kubernetes development and deployment and management, really.

Right, absolutely. And I want to follow on the point that was made earlier too, that GitLab has really proven the open source approach. We've got a vast community of contributors, and customers can add things that they need, and GitLab will GA it and continue on. So in addition to that we have the open DevOps platform. From a security standpoint, GitOps is really important, and it's an emerging area where people are concerned because there hasn't been a history of traditional tools to draw on. We've solved it first for scanning, embedding the scanning within your DevOps lifecycle. It may not sound like GitOps, but that's what I would consider an essential foundation piece that you need to have: a secure software base to start with, and then your infrastructure is equally important. And so we are working, in fact Accurics has done some work with GitLab to integrate their capability and bring those results even into the developer's pipeline for really early visibility and transparency.

Man, that's a really good point, Cindy. There's a lot of these foundational best practices that we can now automate. And Sanjeev just mentioned earlier the crown jewels, and why are we doing all of this? It's not just to deploy faster. From a security perspective, we've got the mean time to remediate, which people say is anywhere from two to three months on average in terms of fixing your serious security vulnerabilities. And this is really what GitOps and these modern practices and tools allow us to do: shrink that window of exposure so we can better protect our organizations.
I think that's where we all want to get to.

I think you're spot on there. I mean, at the end of the day, the whole ability to secure... and the recent, I don't want to name any companies here just to put them in a bad light, but recent issues with delivery pipelines, the recent issue with supply chains, have only exposed the flaws we have and the vulnerabilities we have in our entire supply chain. And having security at every point along the way, to validate and do the detective, corrective and preventive controls all through the supply chain, is essential. And it is becoming, with the complexity we have of Kubernetes and the integrations we have to do with third-party systems and services coming from multiple cloud vendors and SaaS providers, it's becoming humanly impossible to track all that. We have to have these detective, preventive, corrective controls as code, and they need to be a part of the code, and they need to be enacted the moment the code changes. And to me, what's encouraging is that GitOps is helping take us down that path where everything becomes code, including these controls we need to put in for security and compliance. They are also code, which means I as a human, we don't have to throw more bodies at it, we don't have to worry about cognitive overload, we don't have to worry about toil.
It can be truly managed as code.

And if I can jump in there, because it's code, you really want to treat the infrastructure as code the same as you would application code in terms of inspecting it, managing it, version control, access control, all of those things as well.

Yes. Yeah, good. To Cindy's point and also Sanjeev's, the challenges that you are raising, the good thing about GitOps is that GitOps is built for technologies, especially Kubernetes, which are declarative in nature by default. And so all the GitOps technologies are also following the same design language, which is that they remain almost close to 100 percent declarative in nature. Now that solves a very fundamental problem that we face in security, which is that the security teams cannot keep up with the DevOps teams or GitOps teams, operations teams basically. And the new paradigm of GitOps is actually pushing us towards a NoOps situation, because everything is code. Nobody needs to kick in a pipeline separately in the GitOps world. You just make changes in your code and the cluster gets synced with the state of the code. So the security also should get synced up at the same speed. And that's where the declarative nature of these technologies, especially Argo, Flux and many others, comes in very handy.
So now you can declaratively feed in or plug in security within the GitOps toolchain as well. For example, you can do policy as code within GitOps now, because the fundamental technologies that GitOps uses are anyway your Helm charts, your Terraform, your Kustomize templates, and these technologies go very well with the CNCF ecosystem, especially around OPA-based projects, Open Policy Agent. So this allows you to bake in your security also declaratively, which has been, in my opinion, a fundamental transformation in how security is going to be done in the near future. It is not going to be done in a reactive manner. Security now will become... it will become possible for security to be able to plug into a declarative toolchain like GitOps, so it will be proactive and it'll be before the fact. So that's a big change that I'm seeing coming for us in the GitOps world, and the security combined with it.

I honestly couldn't agree more. I actually got to think about how we reach a state where GitOps is something where it's actually the next step for many organizations. And the more I think about this, currently technology became the delta or the differentiator for any business. So if you're thinking about any company out there, it's going to have a part of it being tech, and the most important feature about this is to deliver your features fast. And that's why we moved from a pull-based system when it comes to CI/CD to a push-based system. Actually, is that the vice versa? With GitOps we are actually pulling the changes from the Git repositories. Now with this particular model we have better transparency and a better DX as well for our developers, because when interacting with infrastructure it's not just about having a pipeline. It's thinking about the other side. So how do the developers actually interact with this pipeline? Do they have enough abstraction on top of all the configuration?
Do they have enough flexibility to deliver how they want, in the manner they want? So I think with GitOps there is a matter of transparency, and at the same time it's a system which allows our developers to deploy faster as well. And one of the things that I want to mention that I've been encountering in past teams as well: when we used a pull-based system, we always had different environments, but the staging and the production environment would always be different. There'd be the case when the changes would be deployed in staging and they would be working fine, and then towards production we always would have a change window, which means you would do it on a particular day or a particular hour, and usually that happened to result in multiple commits being pushed at the same time, which increased our disaster rate if anything would go wrong. Now with the GitOps model we'll always be aware of what the actual delta is and always be enabled to synchronize and reconcile the state of our applications.

Yeah, Katie and Om, you guys are really talking about what's next, and it makes me think about the evolution of where security is going.
And if we think back to some of the basic security vulnerabilities like cross-site scripting, and asking developers to do output encoding: now commonly used tools, commonly used frameworks like Angular, like React and so on, do that output encoding automatically for the development team. And I really see GitOps as kind of the next evolution of this. As you are all saying, everything as code. Now we're building it in; we're not just using it in a framework that is used within the application itself, but these platforms, various Git platforms and so on, have these different checks and allow us to do this incrementally. We no longer have to use that one big scanning factory, the big bang scan, if you will. And so now we can incrementally do this, treat everything as code, and really, I think this is where the future of security is going. We in security need to take more of this engineering mindset and adopt all of these best practices to, again, reduce that window of exposure.

Is Kubernetes becoming the de facto now? So whether you're using the Kubernetes environment or not, it's relevant now, and GitOps, because there are some limitations when you're using non-Kubernetes environments. But are we getting closer to the point where really the de facto is looking like it will be Kubernetes? Maybe not anytime soon. And how does security play into that as a consideration?

I think for the container world... and I know Om wanted to speak up. Sorry.
I cut you off. I think for the container world, definitely Kubernetes is becoming the de facto standard. From my perspective personally, I'm keeping a very close watch on some emerging projects like KubeVirt, because if I can use Kubernetes to now manage my VMs, good lord, then that is the de facto standard. So I don't know if Katie or anybody else has any opinions on KubeVirt, but I would be very interested if I can use the Kubernetes control plane to manage both my containers and my VMs. I mean, that would be the true nirvana, right? But I'll let you both give your thoughts on that.

Cindy, go ahead.

Yeah, one great point there: if you can manage your VMs, that would be awesome. As we look for tools to identify security flaws in the infrastructure, one thing to think about might be behavioral fuzzing. I know that's been kind of in the realm of maybe the gearheads, really out there in terms of application. But GitLab acquired some fuzz testing companies last year and has embedded it with the goal of making it much more mainstream and more usable, because what fuzz testing can do is find things that you didn't know to look for, and I think those are the kinds of problems that we'll get into on the infrastructure side of things. Application security has been around for a long time. You've got a checklist of things to check the code for. It's not quite that easy from an infrastructure standpoint, and so that's where I think fuzzing could have a much bigger role going forward.

This also gets into questions of policy, and there's almost like these different phases of, or these different personas that we see in the Kubernetes environments.
You have the developers, you have the people who do the configurations, who are often the developers, and then you have to think about the policy. So we have seen Open Policy Agent emerge, OPA. And how does that fit in, and how do you think about policy? I think that's what Cindy is alluding to a little bit when we hear her talk about those checkboxes and then the kind of new scanning capabilities that we're starting to see that are just becoming practice, emerging from practices that were established long ago.

Right. And Alex, just a quick but important point I'd like to add to your previous question as well, which is about: is Kubernetes slowly, slowly becoming the default or de facto platform for deploying applications of all scale and size? I think, without going too deep into the Kubernetes discussion, one of the pieces of empirical evidence that I'm getting as a vendor is looking at the fact that we have companies like D2iQ now, we have offerings from companies like Cisco, like Cisco ACI, which is your multi-control-plane monitoring and provisioning layer, which allows you to provision Kubernetes at every scale, anywhere you want to. And companies like VMware have Tanzu, OpenShift has got large offerings around Kubernetes cluster management, and so does Rancher. These products are giving a lot of indication that there's a lot of demand for Kubernetes, not just container orchestration but cluster management as well, and cluster management means large-scale businesses are adopting it. So that's one kind of empirical evidence to your previous question.

As far as policy enforcement goes, as I said, GitOps technologies, thankfully, are built on a very solid foundation of being declarative in nature.
So what that means is that we have infrastructure as code technologies like Helm charts, Kustomize and many others being the foundation of delivering GitOps. With that, today we are at a maturity level where we have projects like, as I said, Open Policy Agent available, which solve the problem of polyglot infrastructure as code. All infrastructure as code technologies have some differences between them, but as soon as you start using frameworks like OPA to solve your policy enforcement, you get a lot of advantages. Thankfully, as I said, almost all GitOps technologies can very easily support frameworks like OPA. Some other frameworks can also be supported, but OPA is the de facto standard in policy as code today. With so many different stars that we see them earning on a daily basis, that tells me that OPA is winning the race. It allows us to do policy enforcement and governance within the GitOps toolchain as well as the process. So imagine if a developer accidentally wrote a Helm chart or a Kustomize template which allowed a container to spin up with privilege escalation equal to true, or a privilege which it should not have had. The GitOps toolchain is automatically going to be able to detect that, and not only detect that: with the help of OPA, you can remediate it as well on the fly. So you can enforce certain selected policies within your GitOps toolchain in such a way that it becomes a self-healing platform, and all this is possible using open source technologies, just plugging a few things together and then running it very smartly. So that's where the security world is going, and that's where the self-healing world is going, with the help of policy as code. So to me the perfect formula today is OPA plus Rego plus GitOps equals secure and self-healing pipelines.

So how would you wrap all this up?
We're about at our time where we need to get questions from the audience. So how would you wrap this up?

So I think from my perspective, this is an exciting time to be in technology, because we have seen the evolution of containers come from where nobody knew what would happen with containers. Is it going to be the standard? And we saw Kubernetes come to the scene and in just a couple of years become the mechanism, the technology everybody uses. And this entire ecosystem... I was showing the CNCF chart to somebody the other day, and said, okay, get your powerful microscope; a magnifying glass won't do anymore. Just look at the technologies there. And they show the funding on top on that chart. That's a brilliant scare-the-children chart. But what it tells you is that there is a healthy ecosystem behind everything we are doing. This is not running solo. This is not some open source project which people might lose interest in tomorrow. And how do you make it secure, and how do you ensure the security and compliance overhead, which we in large enterprises have to maintain (I'm just speaking from my perspective), is not going to be what keeps us from adopting these technologies? I think that's what's exciting to me: that technologies like OPA, the ability to do policy as code, security as code, do all the preventive, corrective, detective measures as code, will allow us to not be held back by our security and risk and governance folks, who are usually very averse to bringing in new technologies. There's a lot of education to be done. Sorry.

No, no, it's great. Katie, why don't you just take it out on a KubeCon note,
and what we'll see from GitOps, just quickly, at this event where we're enjoying right now.

Yeah, so KubeCon is [inaudible] and it's going to be virtual as well. I think there is going to be a lot of good stories from, again, I'm going back to the end users. So the end users are pretty much the practitioners of cloud native. There's going to be a good amount of talks around GitOps, and I think, especially talking about the co-located events, there's going to be the security day as well. The actual schedule is out and there's a lot of good pointers, talks that I would recommend for everyone to watch as well. So in terms of the CI/CD part, GitOps, security, there is going to be an amalgamation of good pointers and information points for our daily event. So I hope everyone will attend them and watch them.

Great. Well, thank you everyone for joining us. Now it's time for some questions. Please ask those questions, and I want to just quickly go through who we've had join us. Om Moolchandani is co-founder and CISO and CTO at Accurics. Thank you. Cindy Blake, senior security evangelist at GitLab. Frank Kim, fellow at the SANS Institute. Sanjeev Sharma, head of platform engineering at Truist Financial, and Katie Gamanji, ecosystem advocate at CNCF. Thanks everyone.