From YouTube: Nick Reva at Snap: Addressing Evolving Threat Models in Cloud Security with Open Source Software
Description
A WEBINAR SERIES ON HOW TOP SECURITY TEAMS LEVERAGE OPEN-SOURCE SOFTWARE:
The cloud threat horizon is rapidly shifting with the emergence of cutting-edge platforms and services, fueling the rise of specialized cloud attack vectors. Large and small companies can benefit from open-source software models that allow for customization and adaptation to their specific security needs. Listen to Nick Reva, Security Engineering Leader at Snap, answer critical questions covering how top technology teams use open source as the ultimate shield against the ever-evolving cloud threat landscape. Learn more and get started with your open-source security journey at https://deepfence.io/get-deepfence/
A: Perfect, all right. Thank you, everyone, for joining this morning. I have with me today my dear friend and our security leader, a thought leader, Nick from Snap. He heads detection engineering at Snap. Nick, thank you so much for joining me this morning.

So everyone, you know, this is, unlike a bunch of previous webinars we have done. We will not be talking specifically about any particular product or any particular feature. Rather, the goal of this session essentially is to talk to thought leaders like Nick and see how cutting-edge security teams, like the one in Snap or the ones in Google or Amazon, essentially use open source software at scale to keep their security program, keep their security apparatus, consistently cutting edge. So that would be the topic today.

The way we're going to go about this, essentially, of course, I have almost a dozen questions for you, starting with talking about the evolution of cloud security, talking about how open source fits the bill, and, you know, what sort of initiatives you might have at Snap that we could take as a use case and talk about, and, of course, a bunch of inputs along the way for vendors who have open source.

First, you know, go-to-market strategy as well as, you know, any of the compliances that they need. That would be the format. We'll keep it partly structured, partly flowing, so please feel free to ask any questions anytime you want. We'll take the questions towards the end, so that would be the format, and with that I think we'll just go ahead and get started on this one. So by default, all the attendees are muted. This webinar, of course, is being recorded and you'll have the slides as well.

As you know, the video will be shared with you as we go forward. Keep asking the questions anytime you want to. You know, ask those questions, absolutely fine. I will try to keep looking at the questions, and if I find any question that is super relevant at that point in time, I'll bring it up right then. Otherwise, we'll take a couple of questions towards the end of the webinar.

So with that, to introduce myself, of course, I'm Sandeep, co-founder of Deepfence. I have Nick with me, security engineering leader at Snap. Nick, once again, welcome to the session.

And, of course, Nick, you and me go back a long way, you know, meeting first on the sidelines of one of the, I think, conferences, and we share this common passion for open source. But for the audience that has tuned in today, do you want to go ahead and sort of talk about your journey, how you, yeah, you know, what is your primary role and responsibility at Snap, what you've been doing prior to that? Would love to hear your story. Start with that, please.
B: Yeah, absolutely, Sandeep. Thank you again for having me. Such a pleasure to be here and share some thoughts with the audience. I recognize some of my friends and future employees have actually joined this call. So we have an individual joining us soon at Snap that's actually on this webinar to listen, which is really great to see. Thank you for joining, Karen, and also thank you for joining, Jeff. Look.

It's been a wild journey. I'm an immigrant kid who came here five years old with two bags and a dream. My family landed in JFK some 20 years ago, more than that actually, like 30 years ago, and we've just been trying to build our life here, and I found security at a pretty young age. At about age 16, I started hacking web proxies at school because I wanted to get access to the open internet to download music.

By the way, don't do this, but at the time the internet was really slow at home. We only had America Online dial-up. We would get the CDs, and because we were poor, we could only get like 30 hours a month from the CD. You know, we had to get to the next CD, but the school had proper internet. It was T1, it was 1.54 Mbps, which is a lot faster, but there was a problem.

I couldn't get past the web proxy to use Kazaa apps to download music, but I found a way, right. I figured out, like, hey, there's this little hosts file you can edit, and if you edit the hosts file, it changes the route that that machine takes to bypass the web proxy, and then I can get to the open internet, and I did. But that was my realization, at about age 16. I realized that the security industry is my calling, and since then I've been at it for 20 years. In the past five years or so, something changed in my career. I realized I've learned a lot, I've harvested a lot of knowledge, and now it's time to give back that knowledge, and part of giving back that knowledge is sharing some of the cool stuff.

I've learned along the way with others, and that inspired me to not only do more things at Snap and be more influential, but also have a more influential effect on the community, just paying it forward. During COVID, during lockdowns, we had more time on our hands. I decided to create a class on cloud-native cloud security technologies, fully focused on open source.

That class has now been consumed by over 2,000 students. 2,000 people I have never met have taken a class that I created. I hope I've created some value for them. Some of them have reached out to me and thanked me. Many haven't, but that's okay. And as I was writing this class I realized that there's not a lot of good books on cloud-native, open source security. I bought up every book that was even close to that topic.

I had a stack of seven or eight books and then I realized none of these books are really great and I could probably write a better book. So after the class shipped in May of '21, myself and a couple of folks at Snap proposed a book to a publisher we had a relationship with through Michal Zalewski, who used to be our VP of security. He's kind of an influential guy in the industry. He helped us with some introductions and we got a book deal with No Starch, which bills themselves as entertainment for geeks. So we're working on the book. We're about halfway done. It'll ship in September of this year, and hopefully maybe we could do a book signing with Deepfence, maybe at one of the conferences this summer. But yeah, that's a little bit of background, and beyond that, I look after corporate security at Snap. I also have interest in a lot of other areas that I've talked about, with, you know, teaching and my personal research. So, yeah, that's a little bit of background.
A: Absolutely, I love that, Nick. And you know what, I'd love to host you at our group at RSA and maybe even at Black Hat, you know, when the book comes out, by then. And you know what I think one of the common themes that both of us have sort of interacted on is, you know, security is a digital public good. Everybody has, it's a basic right, everybody needs it. It's like GPS, it's like road infrastructure, and security is essentially that, it's a public good.

Everybody has to have access to it, and I think that's where we connected on the open source, essentially the passion for open source, and really giving it back to the community. So thank you so much for that. So what I'll do now is, let's just try and look at open source in security and how leaders such as yourself, companies such as Snap, essentially look at this from a strategy point of view, really, right? At what level are open source security solutions considered by your teams? Is it one of the options that comes to the team's mind, or do you essentially always start with an open source solution? How do you really think about it?
B: We almost always start with open source and reason from there. Now there are some things we wouldn't build. Like, we wouldn't build an antivirus thing; that's really involved and other people have done it really well. We probably wouldn't build some other commodity tools, but would we build the service around device trust to assure that every single corporate device on the network actually belongs to the company?

And when you authenticate to a company endpoint, we can add in a payload in the authentication header to assure that that endpoint is actually the company's endpoint and it's not a rogue endpoint. That's something we built. We call it device trust. So it's foundational, right. We could have gone and bought something similar; sure, there's BeyondCorp-style zero trust products in the industry, but that's not how we approached it. Let me tell you a little bit more about why.

Back out to the kind of cloud angle here. To me, it's really ironic that the cloud and the internet are built on open source technologies broadly. However, most security tools are closed-source commercial products. This has a bunch of downsides that I want to talk about. I think it holds back security engineering from really being seen as a true engineering discipline in a lot of companies. At high-technical-bar companies, this isn't the case, but in lower-technical-bar companies, security is seen as a compliance function, as the policy people, people who say no. But why? Why is that the case? At the foundation, security is an engineering problem, right, and so, you know, at internet scale, the way that we operate, we need to build to support the ecosystem that we're part of. If I can't convince an engineering team that a security control needs to be implemented and built in a certain way, and we can't have low-level observability of how we do that, especially in the cloud context, we're not going to be able to get it across the line. And with closed-source commercial products, you're basically living with the vendor documentation and mental models.

Let me give you an example. Snap runs a service mesh with over a thousand Kubernetes clusters. In order to add runtime monitoring like Falco, we had to convince the mesh platform engineering team, that's kind of the central team that builds the service mesh, that we intimately understand the failure modes for Falco, and we have a way to kill the sidecar that Falco runs in if something goes wrong. I remember this meeting vividly. It was a meeting with the engineering director for that team. He's like, Nick.

So we have to convince them that this is the right thing to do. So how do we do it? Well, we did threat modeling and we sat down and said: okay, what are the fault modes that can happen? The cluster loses connectivity to the network and fully saturates the network adapter. What do we do next? Falco sidecar services down and inaccessible. How do we kill it? Do we push a bad rule to Falco? Now the rule updater is stuck in a loop, right.

What do we do next? Or we have an unexpected CPU load on the kernel, and that's maybe the fault of Falco. How do we have observability? So we spent like a year studying how to do this correctly. I'm not kidding, like a year, and then implementing all these control mechanisms, these big red buttons, as I call them, right, to roll out Falco. That's just one major product. Yeah, we chose open source software instead of Sysdig, like enterprise Falco. Why?

Because we thought we could do it ourselves and we wanted to take the time to really do it correctly, and not put ourselves into a position where, when I get challenged by an engineering director, where's the big red button? I know where the button is, I know how it operates, and I'm confident that when we need to press it, we will press it if we need to. So that's part of our ethos, and I think when you build security services in-house, completely or with open source, you know exactly what's going on. You can debug traces, you have low-level observability. You are empowered to scale the services to your company's needs. You're not locked into a vendor ecosystem. And ultimately this is a lot more fun. Like, I think I can hire better people who are more into building and then keep them happy, because they're building really cool stuff in the industry that's novel, you know, versus like ticking boxes on a UI. You don't really even know what the box does. You have to dig into vendor documentation.

Now, I do want to caveat this. It isn't for everybody. A lot of companies may not want to treat their security engineering program this way, where they have a heavy build or a heavy open source culture. Some companies want to treat it more as like a dial, or manage a role that's a Rolodex of vendors, yeah, run some tools, you know, look at some logs, have some alerts, you know, do some follow-up. At the end of the day, this is risk management. Like, they can choose to manage the risk that way.

We've chosen to manage the risk a very different way, a very intentional way, a very deep way, a very methodical way, and to do that we have to really understand what's going on, and to do that we need to have a low-level understanding of the code, of the provenance of it if it comes from open source, which of course we can always look at because open source is open, or build it in-house. So that's a little bit of our ethos. Indeed.
A: Outlining that particular example, I totally concur that operationalizing a security program at scale is an engineering problem. It is not a vendor problem, it's not any of those other things, really, and especially at your scale or any, you know, internet-scale companies, the tool, the product that you're using has to be out there in the public. You should be able to look at the source code, fiddle around with the product, you know, maybe even sort of evaluate it internally to see. Of the closed-source products, and I totally agree with them, they probably wouldn't scale to where Snap is at or where Google is at, for sure, really, right. So you can take the code through open source, customize it, you know, operationalize it truly the way engineering happens in, you know, top-tier tech companies, really. So I couldn't agree with you more, really, and you know, I think the right way for it is basically that operationalizing security is an engineering problem.
B: Absolutely. It is risk management again at the end of the day, but to operationalize and scale it, you need to create these happy paths for engineering teams, right. You can make it easy for them to do the right thing and hard for them to do the wrong thing, yeah, in a way that's as frictionless and seamless as possible.
A: Absolutely, and you know what I love about open source, like you mentioned, is the quality of folks that you can hire just to work on cool stuff which is out there in the open. And trust me, since we went open source I have made most of my key hires on GitHub. It changes the game. You're no longer, right, in traditional recruitment; you're really, really good at hiring top talent. For example, eBPF, we did the same thing.

Most of my top eBPF hires are from GitHub projects. Either they reach out or we reach out, and that's it, no recruiters. Everything is open source, essentially, yeah. The quality, the DNA essentially has to be there, the needed DNA to operationalize any kind of security at scale. So yeah, absolutely. Now we spoke about, you know, I want to go deeper on one or two use cases that you might be dealing with or the team might be dealing with at Snap, like, but you know you have had quite a journey. I know you were personally hired at SpaceX by Elon, and you know you worked with a bunch of tech companies before that. What is your mental model, having been through the journey really? It has evolved, I'm sure, really, right, based on starting as a 16-year-old hacker to where you are now. What is your definition: what is good and what is great, what is just a compliance-driven purchase and what is a security-engineering-driven security program, essentially?
B: Yeah, you know, having a chance to work with Elon and doing some consulting work, 2011 to 2013 time frame, it opened my eyes to what I call good-to-great security. I think the major difference between good and great is the engineering bar and the adoption of either an in-house build culture or an open source build culture, like we already mentioned. See, at its core security is an engineering problem. So let's talk about an example.

Let's say you have 2,500 engineers that need to correctly manage IAM permissions for AWS, right, and we need to do this consistently. So how do you make this easier for 2,500 engineers? Do you let them pick whichever permission they want? Do you have some set of permissions? Do you have some birthright access? Do you have some kind of system you build? How do you do that? How do you abstract away the complexity for 2,500 engineers, right?

You know, it's every couple of days or maybe a little bit longer, but that's the kind of thing that you need to do. Like, we've solved for this at massive scale, not even one cloud, two clouds, and that internal system that we built handles both of them, and we could probably scale into a third one if we needed to. So I think when you consume vendored services, it's kind of like being a hoarder. That's my mental model.

You know these shows about people who have hoarding problems, and they hoard all this stuff. They rent storage units to store stuff, and then something happens in their life and they need to start over a little bit. To me, buying a bunch of vendor tools is like being a hoarder. At one point you're gonna be like, what am I even doing? Like, I'm lost, and these tools that I have, I don't even know what they're for. Like, a lot of tools are never even used. There's about.

So you got to be a lot more intentional about this stuff, right, because if you're being intentional building, you know why you're building, you know why you're there, you know why the code is being written, you know why the open source is being used, versus when you're consuming tools left and right. And unfortunately the industry wants us to do that. I get solicited probably 50 times a week. You know, it's everything from like, you know.

I can't accept any of these things. It's against company policy. Please don't offer me. So anyway, I think the time for open source really is now. The security landscape is shifting to open source first, and in these recessionary times when companies are being challenged and CFOs are being more scrutinizing with that Rolodex of vendors that I talked about, the time for open source is now.
A: Absolutely, you know, absolutely. In fact, I had a couple of questions that came up from this discussion that we're having. The first question, Nick, is: if you run security engineering, security as an engineering function, in a way really, or what we call engineering, which is basically operationalizing the security apparatus at scale, roughly what sort of commitment do companies like Snap look at, essentially? Are we looking at 10 security engineers for every 100? You know, yeah.
B: That's a really good question! Yeah, that's right. So we've historically taken 10% of engineering as kind of a baseline proxy metric. So if engineering is 2,500 or so, about 10% of that is security engineering across all different disciplines, right. We have seven teams across those disciplines, but yeah, that's the magic. That's a big investment.

A lot of companies cannot make that kind of investment, and if you're a small company and you're listening to this, you're like, man, this guy's crazy, how can you have that many people? Well, because we're intentional, we care a lot, and we build. If you're smaller, you can scale that down to the smaller size that you are, right. Maybe it's not 10% for you. Maybe it's five percent, right, but it needs to be a kind of engineering-minded metric. Otherwise, it's unclear what the purpose of this role is. Yeah.
A: And that is so true for so many products. It's unclear why they were purchased. Why? What are the metrics? What are the key goals and objectives you had? They never get deployed; forget getting deployed at scale, they just never even get deployed, really. Point solutions, really.

Completely agree with you that open source gets you, forget the vendor side of it, purely from a customer's point of view, from a user's point of view, you have some of the greatest pieces of technology out there. You can modify it, you can look at it, you can smell it. You see if it fits the bill or not and then go from there. Then, of course, oftentimes you see that there are companies, startups, who are essentially offering support or some additional features.
B: No, no. We collaborate. Like, I'll give you an example. We needed to build arm64 support for Falco. What did we do? We went on the Falco Slack forums and started talking to other people who are BPF developers. We're not eBPF developers. The person who worked on this is a part of our sister team, like he had never even looked at that before, but, you know, again, we have a higher technical bar. We give people space, and it took some time, but he figured it out.

Oh, and now we have arm64 support. What would we have done if it was a vendor? All right, hello, Mr. Account Manager, hi, I'm Nick. I have a problem. This thing doesn't have arm64 support. Can you get it into the roadmap? Oh, okay, Nick, let me go talk to the product manager. Okay. Some time passes, they come back. Oh, let me talk to the product manager's manager.

That's exactly right, like with Deepfence and Falco. These are enterprise-grade security tools, much like what HashiCorp brought to the market when they built Vault some 10 years ago, right. Like, it's enterprise grade, it's high quality for the enterprise and happens to be open source. This is like the best of both worlds, right. Why aren't more people doing this? I don't get it.
A: Why isn't everyone doing it? Absolutely. I think everybody is going to do it soon enough. Totally agree with you. So, moving on, I'm already getting a couple of questions, more than a couple of questions, from the audience.

The last point was super important for them, and I totally see how and why, essentially: hey, do I have to put in 10% of my engineering strength to operationalize this particular tool now, or will two percent do, or will one person do? Or, hey, you know what, I am an up-and-coming SMB, we just hired our first security hire and that's my whole team.

What do I do with open source? I'm sure these are all valid questions and I would have sort of dug deeper into all of these. But moving on, tell us, what are some of the challenges organizations may face when trying to adopt OSS for security? And what I mean by this is: do you, for example, in particular in your case, do you have a checklist that, hey, this project has to be Apache v2, hey, this has to be part of CNCF or OpenSSF, or, you know what, the pen test report has to be out there on GitHub, otherwise I'm not going to touch it. Is there a mental model? Is there a checklist that you or the team had essentially while evaluating such projects for your internal research? Yeah.
B: That's a really good question. Well, look, I think just to get started, the technical bar is definitely a bit higher and you need to hire people who are technically capable, hands-on engineers. Not all security engineers can code. For open source, I think you need people who can code, or it could be DevOps engineers or other engineers, but they need to be engineers.

Engineers can be somewhere close to the title. That's one of the challenges: you need to have that type of talent. Now, I think, secondly, you need to ensure the project you're considering is legitimate and it's serious, and you should also consider supply chain tampering. Like, maybe projects coming out of certain parts of the world, maybe they have back doors, maybe they have some nefarious things going on.

Maybe they're sort of, you know, Trojan horse kind of projects to get into your environment and then observe your environment, so you got to be cautious with open source as well. So the way we look at it is like: is it legitimate? How much adoption has it had in the industry? Are people in our tighter circles of security engineers talking about it? How many stars does it have on GitHub? How many times has the repo been forked, right? Like, how good of quality is the code?

We could obviously audit the code because it's open source, right, and then how much more do we need to do to make it operationalized at our company, because that's the part that takes the time, right. Like, you can't always drop it in and get immediate results.

It depends on your requirements. Like, our requirements are very sophisticated; if you're a smaller company, that may not be as sophisticated. So pen test reports also matter, but I think reputation matters more, and really shaking it down and getting a couple of people to look at it closely. That can probably give you enough comfort, and then really the rest is implementation and operationalization.
A: Yeah, no, totally agree, and in fact, you know, the bit that you said about, are there any back doors, is there anything potentially nefarious with this? I think open source sort of puts it out there in the open for so many eyeballs. So many people are looking at it at the same time, and if you look at the stories, every quarter somebody's firewall gets hacked. You know, the genesis of the security industry was around hacking closed-source products, really, right. So open source, in a way, I think, I'm sure it's a fresh breath of air, because it's out there to see. You can have your engineers look at it, pen test it, file tickets, treat this as an engineering problem, just like you would do for your services, your critical.

Totally, yeah, I totally see that. But you know what, I wanted to keep this question for the end, Nick, but I think it's so relevant to this particular point, I must bring it up now. This is a question for you, Nick. He's basically asking: I can't do 10% on security engineering from the get-go for open source. If newer adopters are scaling an OSS program, what are the core competencies needed in security engineers?
Yeah
that
makes
a
lot
of
sense
thanks
for
joining
me,
such
as
a
friend
of
mine
for
many
years.
Actually
so
great
question,
look
you
don't
need
10
to
get
started.
10
is
where
you,
where
you
may
end
up
well
over
time.
I
I
think
you
need
a
couple
of
good
people
who
have
done
similar
work
in
in
and
around
open
source
projects,
either
developers
of
them
contributors
to
them
or
at
other
companies
that
have
similar
cultures
like
take
any
tier
one
tier
two
tech
company.
B
Most
of
those
companies
have
done
open
source
projects
in
in
this
kind
of
way,
and
then
you
decide.
Okay,
where
do
I
put
their
focus
and
what
are
some
okrs
for
that
Focus
right?
You
know
for
us
with
the
Falco
story,
it
was
getting
runtime
observability
over
our
over
kubernetes
Fleet.
That
was
a
big
big
project
where
I
took
it
took
a
while
to
do
that.
That
was
our
challenge,
but
our
Fleet
is
like
very
large
and
complex.
B
Maybe
in
your
area,
it's
not
as
complex
and
and
large,
and
so
pick
like
one
or
two
areas
where
you
feel
like.
There's
good
partners
on
the
market
like
a
defense,
for
example,
that
built
legitimately
high
quality
Enterprise
grade
products
find
one
or
two
people,
probably
at
like
a
l405
level,
which
is
like
senior
senior
or
staff
and
and
put
their
focus
on
this.
And
if
they're
good
and
the
product
that
you're
using
is
good.
I.
A: Absolutely, Nick, absolutely agree, and then, you know, like you said, it has a lot to do with whether the project that you're picking up comes backed, is included, you know, is there a company behind it? Is there, you know, essentially someone who's sort of pulling to work as an extension of your team, even if you don't have a team, meaning, for example, you're just building, so.
B: I mean, is there a community? Like, if it's two guys in a van kind of open source project, like, yeah, maybe it's kind of risky to put your big bet behind that. But if it's a legitimate company that has large adoption, like the examples that we've talked about, they have a product community, they have good quality documentation, like, that's okay. Like, you could start there and then iterate and see how your adoption goes.

B: Yeah, that's a great question, Christian. So, yes, you need a way to observe this. There are mechanisms and tools that can ensure you're within license compliance. Basically, there's tools that scan repos to look for whether the license allows commercial usage, or for commercial usage rather. This is another angle of it. Yes, you do need to manage this.

It's not something you can exclude, but you can also very clearly, when you go to a project like Deepfence, you can see what the license is, and before you adopt it, you can say: okay, can I use this license? Is this license gonna allow this kind of use case? Open source cannot be the lawless. You can't be like, okay team, open source, slam my hand on the table, scatter. No, like anything in life, you need to have a strategy, you need to be intentional, and so when you pick like one or two or, you know, five of these, you can vet them, obviously, and you should vet them before you use them, and then I think you'll have a much better understanding of what you're doing, and these types of risks are really, really mitigated.
A: Absolutely, yeah, absolutely, Christian, I hope that answers your question. Thanks, Nick, and moving on now to, you know, essentially a more specific use case, really, right. I want to ensure, Nick, that we're giving our listeners right now something super concrete that they can relate to. For example, you know: hey, I'm just building out my security program and I've been told by my CSO, it's a board-level, you know, sort of a directive which has come in which says, hey, you have to be at least 50% compliant as per MITRE ATT&CK, and that means doing one, two, three and four, right. That could be basically vulnerability management; there has to be, you know, cloud-specific attack vectors, you know, as per the cloud MITRE ATT&CK framework, really, right. MITRE ATT&CK, of course, has so many flavors now for cloud, Kubernetes and so much more.

How would you go about it, essentially? And it's a very sort of high-level question. Essentially, we can just pick up one single modality, saying, hey, look, we are working on AWS, forget Kubernetes for a moment.

Really, just think of it as a cloud environment, and I am supposed to be meeting at least 50% of the MITRE guidelines, and in doing so, you know, it does two or three things for me: makes me compliant, gives me peace of mind because I have covered almost 50 percent of, you know, the needed, most essential picks, really. Essentially, can we map some of the open source tools that we have, that you might have seen, to one of the existing, one of the ongoing or one of the evolving programs within Snap?
B
Yeah,
no,
that's
a
really
that's
a
really
good
question.
The
way
the
way
I
would
think
about
this
is
as
follows:
miter
is
now
pivoted
and
provided
very
actionable,
very
measurable
from
initial
infection
to
Pivot
to
lateral
movements
coverage
with
their
ATT
and
CK
framework
right.
So
you
can
sit
down
and
map
this
to
what
this
means
to
your
DNR
program,
for
example,
and
say:
okay,
how
do
we
get
signal
coverage
for
50
of
the
miter,
ATT
and
nck
framework?
Well,
what
are
they?
Let's
look
at
them
in
detail.
B
Now
we
say:
okay,
how
do
we
get
a
signal
for
that
attack
Vector
from
an
from
the
AWS
infrastructure?
Well,
we
need
some
kind
of
product
to
do
that
right.
We
need
some
kind
of
observability
product
to
do
that.
It
turns
out
that
deep
phones
offers
miter
mappings
out
of
the
box.
So
if
you
turn
on
defense
for
that
cloud,
infrastructure
to
start
observing
it
you'll
quickly
see
which
one,
what
which
signals
you're
generating
for
the
for
the
cloud
infrastructure
and
those
AWS
accounts,
it
could
be
at
a
VM
level.
B
It
could
be
at
a
at
a
kubernetes
eks
level,
regardless
right,
you'll
get
that
like
out
of
the
box
immediately,
and
then
that
saves
you
a
lot
of
time
like
this
stuff
is
hard
like
sitting
down
like
parsing
spreadsheets,
to
figure
out
like
well
I.
Have
this
thing
here
and
that's
the
miter
here.
This
is
really
labor
intensive
and
not
fun.
B
But
if
you
have
this
mapping
in
a
product
like
it'll
quickly
show
you
like
here's
the
coverage
here,
here's
the
gaps
here
and
then
you
can
start
to
operationalize
those
signals
to
your
detection
and
response
team
to
act
on
it.
The
triage
right
to
enhance
the
alert
and
then
we
get
into
playbooks
and
response
and
containment
kind
of
exercises
that
you'll
ask
for
classic
detection
response
goes.
A
And
this
is
this
is
pre-deployment
as
well
as
post-technology
right
some
of
these
controls,
some
of
the
checks
and
balances
some
of
these
tools
that
you
need
to
officialize,
to,
let's
say
Meet
50
of
miter
coverage.
Really
they
have
to
be
deployed
throughout
your
cicd
pipeline
right.
They
are
they're
not
necessarily
only
as
part
of
cicd
in
the
sense
of
you
know,
pre-deployment
or
not
necessarily
only
at
one
time
right.
They
have
to
be
scattered
throughout.
So
first,
you
will
have
to
probably
figure
out
all
the
integration
points
where
you
really
need
to
do.
A
B
That
that's
that's
exactly
right
like
and
there
there's
no
like
secret
like
weapon
here
to
how
to
do
this.
You
have
to
sit
down
and
think
about
it,
but
but
coming
back
to
my
point
around
if
the
coverage
comes
with
the
product
out
of
the
box,
which
it
does
with
defense,
like
that's
so
powerful
that
this
could
take
many
many
days
and
weeks
to
to
parse
through
and
I,
think
that's
in
a
sense.
It's
like
a
quick
start
guide
already
so
yeah.
A
All
right,
moving
on
I
I'm,
getting
a
couple
more
questions,
but
I
think
we
can
save
those
for
later
they're,
not
about
the
the
point
that
we
were
discussing.
So
let's
move
on-
and
you
know
talk
about
this
particular
question
that
is
in
front
of
us-
essentially
is
so
when
you
think
about
building
secure
Cloud
native
services
and
we're
getting
more
specific
about
Cloud
native
now.
Are
there
any
fundamental
controls
or
partner
technologies
that
are
table
Stakes
for
organization
to
consider?
B
Yeah,
this
is
a
really
good
question.
The
way
the
way
we
think
about
it
is
this,
like
the
foundations
that
we
need
to
build
to
be
secure,
whether
it's
in
a
Corp
context
in
a
cloud
context
and
other
contexts.
Those
foundations
really
haven't
changed
in
the
last
20
years,
the
Technologies
and
the.
How
has
changed,
but
the
foundations
really
haven't
changed.
So
what
I
the
way
I
think
about
this
is
okay.
B
B
Do
you
have
observability
on
on
hardening
scanning
pre-deployment?
Do
you
have
runtime
observability
in
context?
Are
you
collecting
logs?
Are
you
sending
them
to
a
system
or
a
human
who
can
act
on
them?
Do
you
have
audit
mechanisms
to
look
for
changes
to
that
infrastructure
that
are
unexpected
if
a
pod
is
immutable
which
it
is
in
the
cloud
Con
in
the
cloud
kubernetes
context,
if
there's
changes
on
a
pod
like
what's
going
on
like?
B
Why
is
somebody
shelling
into
a
pod
that
that's
probably
a
bad
actor
Behavior
now
continuing
my
discussion
here
now
you
take
that
signal
and
you
send
it
to
to
an
individual
and
then
individual
x
on
it
or
a
system
x
on
it.
What
store
type
Frameworks?
We
can
add
systems
acting
on
signals
now,
so
what
I?
Just
what
I
just
described
like
that?
It
really
hasn't
changed
in
the
last
20
years,
when
we
had
bare
metal,
VMS
and
data
centers.
When
I
got
started
with
this
industry,
it
was
basically
the
same.
A
Yeah,
you
know
I
told
you
again,
it's
like
you
know
what
one
of
the
one
of
the
things
that
I
used
to
want
to
make
and
I'm
sure
you've
thought
about.
This,
too,
is
given
the
fact
that
observability
basically
means
being
able
to
infer
internal
state
of
any
system
by
looking
at
the
outboarding
signals
right,
which
is
why
you
have
any
LT
in
you
know
observable
The,
Matrix
events,
errors
logs
and
traces,
essentially
really
in
in
cyber
we
have
the
miter
attack
and
defend.
A
We
have
really
granular
flavors
of
miter
for
for
various
modalities,
but
there
isn't
anything
like
melt,
which
basically
tells
me
hey.
If
you
just
make
this
four
you've
taken
care
essentially,
but
what
I?
What
I?
What
I
learned
from
what
you're
saying,
which
I
I
think
I
mean
it's
sort
of
you
know.
Resonance
variable
with
me
is
look
they're
at
four
pillars.
Here
too,
the
first
pillar
essentially
is
measure
your
attack
surface.
You
know
that
is
your
pre-deployment
checks,
post
deployment
check
scanning
cspm.
What
have
you
really
essentially?
What
could
go
wrong?
A
Pillar
number
one,
and
this
is
commodity.
Everybody
needs
it.
The
modality
change.
It
was
VMS
earlier
now
it's
kubernetes
on
top
of
VMS,
probably
tomorrow
something
else,
but
essentially
the
the
core
principles
remain
same.
The
modality
might
change
so
much
sure
what
could
go
wrong
number
one
and
then
deploy
our
develop
a
way
essentially
to
measure
what
comes
in
what
goes
out
and
what
changes?
It's.
B
A
Good
okay,
now
this
is
this-
is
purely
this
question
comes
purely
from
a
status
point
of
view.
Maybe
right,
like
I'm,
a
startup,
let's
say
we're
running
a
startup
which
is
you
know
having
this
open
source
project,
seeing
great
traction,
and
we
want
to
know
how
a
top
Tech
you
know.
Top-Tier
engineering
team
would
evaluate
such
a
such
a
such
a
project
really
right.
The
first
part
is,
of
course,
reputation
and
even
the
fitment-
and
you
know
all
of
that
sure,
but
is
there
anything
more
there.
B
Absolutely
so,
first
of
all,
first
of
all,
the
first
question
is:
what
what
problem
are
we
looking
to
solve
internally
yeah,
and
sometimes
we
do
a
build
versus,
buy
bake
off.
If
there's
a
compelling
product
in
the
industry
that
we're
we
can
get
behind,
sometimes
we
don't.
Sometimes
we
we
skip
immediately
to
open
source
or
or
build
and
I
kind
of
look
at
those
in
the
same
modality,
because
the
open
source
almost
always
involves
like
some
some
building
to
operationalize
into
your
environment.
B
So
and
then
we
ask
ourselves
like
hey
what
is
like
the
ideal
State-
and
this
is
where,
like
my
product
management,
turns
out
a
little
bit
there's
this
idea
of
like
working
backwards
like
okay.
Now
that
the
thing
has
been
completed
and
launched,
and
it
has
this
capability
you,
you
will
have
like
an
announcement
of
that
a
capability
I'll
give
an
example.
Now
we
can
observe
all
runtime
for
kubernetes-based
clusters
at
this
company
with
Falco
perfect.
How
do
we
work
backwards
from
that
end
state
to
actually
establish
that?
B
And
then
how
do
we
evaluate
the
potential
partners
with
how
close
they
will
get
us
to
the?
What,
and
why
that
we're
looking
to
accomplish
with
objective
criteria
like
how
legitimate
are
they
in
the
market?
How
much
existing
adoption
do
they
have?
How
how
many
feature
requests
or
pull
requests
are
being
submitted
into
their
open
source
project?
How
engaging
is
there?
Is
there
a
support,
Community
like
we?
We
don't
want
to
be
on
an
island.
B
Ultimately,
if
we
have
to
support
something
we'll
we'll
usually
figure
it
out,
but
those
are
the
kind
of
questions
that
we
ask
right
now
beyond.
Beyond
that,
we
we
also
ask
ourselves
how
how
long
will
this
probably
exist
and
like
what's
the
next
iteration
of
it
and
with
open
source?
The
next
iteration
can
be
our
own
iteration.
We
can
Fork
the
project
and
make
it
to
whatever
we
want
versus
with
closed
Source
partner
technologies
that
are
completely
commercialized,
we're
at
the
mercy
of
the
product
team.
B
A
Absolutely
and
I
think
in
after
that,
of
course,
the
open
source
product
or
the
project
that
you're
choosing
has
to
be
at
least
as
good
as
the
closed
Source
options
that
might
be
there
on
the
table
essentially
or
at
least
has
to
be
open
enough
so
that
you
can
customize
it
quickly
right
and
that's
when
the
quality
differences
will
probably
start
coming
in
hey
what
is
the
quality
of
alerts
or
how
many
Integrations
it
has
and
stuff
like
that?
Really
right.
So
right.
A
All
right,
Nick,
moving
on
to
the
next
question
and
I
I
told
you
already.
We
have
at
least
a
dozen
questions
for
you
and
I
see
more
and
more
questions
coming
in
from
folks
as
well,
so
I
hope
you
have,
but
I
will
move
on
and
talk
about
of
course.
Of
course
absolutely
so.
A
The
question
is:
you've
worked
with
household
internet
scale,
companies
I
mean
snap
is
an
household
name,
and
that
of
course
makes
you
a
desirable
Target
for
Bad
actors
really
right
and
is
there
or
use
case,
or
example,
of
how
your
OS
strategy
helps
your
company
manage
Cloud
native
security
and
intimacy,
essentially
so.
B
A
Think
this
is
probably
the
same
use
case
that
you're
speaking
about
whether
you're
observable
technique,
but
but
over
to
you.
If
there
is
anything
more
that
comes
yeah.
B
Scale,
as
we
discussed
they're
all
they're
often
are,
are
not
Alternatives
that
are
palatable
that
are
not
open,
source
or
built-in-house.
Now,
to
make
this
to
make
the
answer
here,
a
little
bit
more
useful
to
a
broader
audience:
they're,
not
always
internet
scale
companies.
Let's
talk
a
little
bit
about
like
the
tenets
of
why
open
source
is
useful,
so
I
lead
my
teams
to
have
extreme
ownership
and
focus
on
craftsmanship
right.
B
You,
you,
you,
you
you,
you
eat
your
own
food,
so
to
speak,
meaning
the
code
that
you
build.
It
should
be
of
high
quality.
We
should
have
unit
tests,
we
should
have
coverage,
it
should
be
understood
by
others.
It
should
not
be
a
black
box.
We
should
avoid
single
points
of
failure.
Right,
which
means
a
single,
a
single
engineer
on
a
team
should
should
not
be
the
only
person
who
understands
that
multiple
Engineers
on
the
team
need
to
understand
it
with
open
source.
This
is
a
very
achievable
because
everybody
can
see
what's
happening.
B
They
can
look
at
the
repo
we
can.
We
can
collaborate
on
on
feature
requests
and
PRS.
We
can
do
code
reviews
together
right
and
we
we
know
like
we
know,
what's
happening
and
that
that
helps
us
really
for
that.
Helps
us
inform
our
strategy,
just
like
iterate
and
like
build
feature,
a
build
feature,
B
and
so
forth.
B
In
another
sense,
I
think
open
source
helps
us
with
hiring
like
I
already
talked
about
some
of
this,
but
like
the
best
people
in
the
industry
that
we
hire,
they
want
to
build
the
cool
stuff
like
they
want
to
do
stuff.
That's
like
really
notable
we've
open
sourced
some
projects
that
snap
has
built
like
back
to
the
community
right
and
we'll
both
and
we'll
do
more.
Why?
Why
like?
Why
not
it's
we
built
it?
We
built
it
for
the
world,
we'll
we'll
build
we'll.
B
Allow
the
world
to
use
it
I
think
also
having
an
open
source,
heavy
culture.
It
allows
you
to
hire
software
Engineers
into
security,
engineer
roles
because
at
the
core
like
what?
What
is
a
security
engineer,
security
engineer
is
somebody
who
has
context
and
knowledge
of
threat,
modeling
and
attack
surface
and
the
risk
like
kind
of
risk-based
mentality,
but
they're
also
somebody
who
can
code
and
who's
an
engineer
at
the
core.
B
So
in
some
cases
we've
taken
software
Engineers
by
title
and
really
by
background
and
we've
hired
them
into
teams
that
build
that
build
services
or
or
build
on
top
of
Open
Source
services
and
we've
talked
the
throw
modeling,
the
the
kind
of
attacker-based
mentalities
and
so
forth.
Now
we
opened
up
our
talent
pool
like
dramatically
if
we
can
hire
everyone
say
back
in
software
Engineers
versus
security
Engineers,
which
are
a
lot
harder
to
find
and-
and
they
typically
come
with
a
premium
here.
No.
A
Agree
completely
yep
yeah
moving
on
next
to
the
next
question,
and
this
is
a
little
bit
about
you
know
the
discussions
that
you've
been
having
essentially
is,
when
you
think
about
defense
or
a
project
like
defensory,
essentially
a
threat
mapper
our
open
source.
You
know,
cnap,
essentially,
which
helps
you
scan
as
part
of
cicd
at
runtime
across
all
of
the
cloud-ready
modalities,
essentially
too,
and
ensures
that
all
the
all
the
day,
Zero
essential
features
like
vulnerability
management.
You
know
cspn
malware
standing.
A
Second
standing
is
essentially
out
there
for
everyone
to
use,
but
also
comes
with
batteries
included
right,
like
you
have
Integrations
you
can.
You
know,
integrate
this
tool
in
your
Ops
tool.
Lane
file,
a
jira
ticket
in
all
of
that
stuff.
Really
so-
and
this
probably
goes
back
to
one
of
the
earlier
questions-
essentially
is
when
you're
taking
something
like
this.
Like
you
know,
defense
may
have
had
a
different
Journey.
They
did
not
start
as
an
open
source
company.
A
A
What
would
be
your
input
to
to
startups
or
vendors
like
defense,
essentially
that
hey
it's
it's
essential
to
have
those
Enterprise
features
make
in
as
part
of
your
platform
that
you're
putting
out
so
that
anybody
could
just
download
and
start
using
it?
You
know
without
any
customization
without
putting
any
you
know
a
dish
it
shows
on
it.
How
would
you
look
at
it
essentially,
and
what
would
your
advice
to
you
know
the
listeners.
B
Well,
look
if,
if
you're
a
a
builder
like
like
yourself,
send
deep
and
you
you
would
like
to
take
a
product
to
Market
and
your
commercial,
only
you're
going
to
be
met
with
a
lot
of
resistance
from
people
like
me,
I
get
peppered
for
requests
to
look
at
stuff
all
the
time
and
a
lot
of
it.
I've.
Never
even
look
at
it
because
to
me
what's
more
novel
is
what
you're
doing
what's
more
novel
is
taking
an
open
source
approach,
so
in
the
competitive
landscape
that
that
exists
in
this
industry
would
would
just
end.
B
You
know
products
and
so
many
options
so
much
optionality.
There
are
very
few
high
quality,
Open
Source
Products
and
those
stand
out
to
be
the
ones
that
do
stand
out
to
me
and
this.
This
is
why
I'm
an
advocate
for
this
the
space,
so
my
advice
would
be
like
hey
build
this
in
to
your
product
or,
like
maybe
have
like
some
part
of
the
product
open
source
people
can
start.
Maybe
there's
like
a
freemium
kind
of
layer
of
hey.
B
You
start
here
and
then
you
grab
when
you
graduate
we're
here
we're
here
with
you,
we're
not
going
to
leave
you
you'll,
leave
you
hanging
right
and
so
like.
In
that
sense,
you
you,
you
can
get
the
best
of
both
worlds.
You
get
your
product
to
to
market,
for
people
like
myself
who
are
skeptical
of
closed
source,
and
then
you,
you
have
a
you,
have
kind
of
like
a
revenue
pipeline
to
enhance
and
and
and
build
the
the
Enterprise
version
into
that
customer
install
over
time.
A
Absolutely-
and
you
know
all
it
faces
the
bar
for
everyone
really
right
by
permanently
shifting
these.
You
know
demand
and
Supply
Curves
in
our
case,
in
Cloud
security,
essentially
everything
that
you
need,
whether
you're
building
out
a
security
program
or
whether
you
have
already
a
mature
program
or
you're
willing
to
you
know
or
looking
at
replacing
a
bunch
of
clothes.
Source
vendors
with
open
source
becomes
a
standard
essentially
right
in
terms
of
usage
adoption,
and
you
know
that
way.
You're
you
know
slowly
but
steadily
changing
the
demand
and
Supply
curves
of
cloud
cycle.
A
You
couldn't
agree
more
yeah
moving
on
so
we
spoke
about
observability.
We
spoke
about
falgo,
Falco's
use
case.
We
spoke
about
in
the
four
pillars
that
need
to
be
defined,
which
is
basically
what
comes
in
what
goes
out
what
changes
and
how
all
of
this
interacts
with
your
existing
attack
surface.
Very
specifically,
you
know,
post
deployment,
I
know
you're
a
large
sort
of
here,
I
think
one
of
the
largest
kubernetes
deployments
I've
heard
of
honestly.
A
You
know
I
didn't
you
know,
we've
been
speaking
to
so
many
large
companies,
but
your
scale
is
very,
very
different,
especially
in
terms
of
kubernetes.
Really
so
tell
me
more
about
this
post
deployment.
How
important
is
runtime
security
observability.
You
know
and
we're
talking
about
the
molecules,
we're
talking
about
pod
level,
competition
process,
level,
context.
B
B
Yeah,
let's,
let's
go
deep
on
this,
so
think
about
this
way.
You
you've
now
you've
deployed
now.
You've
done
all
the
work
that
you've
done,
pre-deployment
that
we
talked
about
previously
hardened
the
images
you
have
ensure,
there's
no
malware
you've
bootstrapped
your
your
pause
now
you're
deploying
now
you're
running
okay.
How
do
you
observe
for
bad
in
this
running
State
and
in
a
immutable
service
context
where
a
change
should
never
actually
happen
to
a
pod,
because
it's
meant
to
not
be
changed,
so
you
need
to
Observer.
B
You
need
an
observability
layer
like
Falco
or
like
defense
that
can
basically
run
a
kernel
level.
Ebpf
probe
to
look
look
for
assist,
calls
to
the
kernel,
introspect
them
and
tell
you
hey:
is
this
normal
or
is
this
not
normal?
And
if
it's
not
normal
fire
off
an
alert?
Here's
some
like
really
good
examples.
A
lot
of
kubernetes
clusters
are
targeted
for
crypto
mining
takeovers.
This
happened
in
Tesla
I've
talked
about
in
the
class
that
I
built
with
Udacity
as
one
of
the
case
studies
that
we
go
deep
on.
B
They
have
their
API
server
layer
exposed
that
actor
took
over
their.
What
one
or
one
or
many
of
their
kubernetes
clusters
and
started,
spinning
up
Monero
crypto
mining
pods
to
do
crypto
mining?
Why
it's
free
compute,
awesome
right!
How
do
you
catch
that
as
a
big
company
with
like
with
a
lot
with
a
lot
of
infrastructure
going
on
I,
unless
you
have
logs
that
specifically
look
for
like
callbacks
to
their
C2
control
or
other
other
log
level
observability
on
like
the
network
layer?
B
Let's
say
you
won't
catch
it
at
the
Pod
level.
Unless
you
have
pod
level
observability
with
something
like
defense
or
or
Falco,
you
just
want.
There's
no
I,
don't
think
there's
a
way
you
can
technically
do
it.
So
to
me
this
is
so
definitely
more
advanced.
But
to
me,
if
you,
if
you
care
about
runtime
and
you
actually
care
what's
happening,
while
the
infrastructure
is
running
before
it
gets,
you
know,
killed,
destroyed
and
reintroduced,
because
in
this
context
we
mostly
treat
this
infrastructure
like
like
cattle
right
versus
like
pets.
B
We
need
to
runtime
observability,
just
like
in
the
Corp
context.
If
we
have
a
laptop
on
a
network,
I
need
a
observability
on
a
laptop,
because
without
observability
I
can't
react
to
a
a
malware
download
on
a
laptop
on
on
the
corporate
Network.
Just
the
same
way,
I
can't
respond
to
an
event
on
a
pod
in
the
cloud
context.
Unless
I
have
that
low-level
observability.
A
Yeah
well
absolutely
yeah,
absolutely
so,
while
it
is
essential
to
do
scan
as
part
of
pre-employment,
of
course,
Daniel
Cloud
infrastructure,
you
know
using
agent-based
or
agentless
solution
to
cover
the
basics.
Essentially,
it's
ESPN
vulnerably
management.
All
of
that
it
is
equally
important
to
have
runtime
defenses,
essentially,
which
which
use
evpr.
For
one
of
you
know
something
similar
essentially
to
get
you
this
low-level
Telemetry
and
really
build
detection.
A
On
top
of
that
really
right,
that's
that's
the
high
order
of
it
I'm
taking
out
of
your
name,
you
need
both
scanning
comes
first
sure
it's
it's
it's
that's
a
day,
Zero
need,
but
once
you
have
that
you
need
something:
something
which
goes
deeper
right,
and
you
know,
sort
of
you
know
is
looking
at
all
of
these.
All
of
these
runtime
signals
to
to
say
whether
you
are
under
attack
or
not.
B
That's
spot
on
like
this
is
not
a
a
a
start
with
this
kind
of
thing.
This
is
a
graduate
from
pre-deployment
to
post-deployment
observability,
but
once
you've
graduated
to
the
next
step,.
A
Moving
on
Nick
and
I
have
at
least
four
more
questions,
I'm,
not
sure
whether
we
have
time
to
take
all
of
those,
but
at
least
with
two
of
those
questions
will
take,
and
this
is
probably
the
last
question
from
my
side
and
you
know
a
high
level.
One
now
you've
been
you've
been
at
multiple
organizations,
including
SpaceX,
and
you
know
now
at
snap,
meaning,
you've,
you've
you've
been
a
hacker
since
your
childhood,
almost
from
16
years
of
age.
What
would
be
one
piece
of
advice?
B
I
I
think
what's
made
the
difference.
Sandeep
is
this
philosophy
of
being
a
lifelong
student
being
intellectually
curious
and
really
never
stop
learning.
So
if
you
stop
learning,
you
will
probably
stop
earning
and
or
you
may
stop
earning
as
much
right.
This
industry
is
extremely
Dynamic
and
fast-paced
and
yeah
you
should
never.
You
should
never
stop
learning.
So
for
me,
the
day
I
stopped
learning
is
probably
the
day
the
day
I
like
fully
retire
and
like
just
rest
somewhere,
not
not
focusing
on
this,
and
just
you
as
much
until
then
I
will
always
continue
learning.
B
But
learning
is
not
enough
to
me
to
me.
You
need
to
teach
others
once
you've
gotten
to
a
certain
place
in
life
to
help
evangelize
and
build
up
the
Next
Generation
right.
The
people
we're
hiring
now
are
going
to
be
me
in
some
in
some
in
some
time
frame,
right
right,
there's
also
this
philosophy
that
I
take
of
always
be
firing
yourself,
like
not
actually
firing
myself,
but
removing
yourself
from
the
critical
path
to
allow
people
who
you've
hired
to
become
better
than
you
right.
A
B
Me
to
me
this
is
this.
This
is
this:
is
the
style
of
serving
leadership
that
I
that
I
that
I
like
to
practice
and
really
support
my
team
with
so
and
solve
for
the
boring
things.
First,
the
things
that
we
talked
about,
the
the
hardening,
the
observability,
the
monitoring,
the
learning
those
are
kind
of
boring.
This
isn't
the
ml,
this
AI
that
right
and
then
the
stuff
that
vendors
want
to
sell.
You
like
the
boring
stuff
matters,
a
lot
right.
B
If
you
solve
for
the
boring
stuff,
then
you
then
you'll
be
in
a
really
really
good
place
right.
A
lot
of
people
don't
solve
for
the
boring
stuff.
They
they
jump
into
the
sexy,
shiny
object
stuff
and
they
actually
missed
the
point
of
of
sort
of
of
how
to
approach
this
kind
of
in
a
strategic
way
in
terms
of
security
program
leadership,
so
I
think
the
other
thing
is
like
have
advocacy,
have
people
that
are
supporters
of
your
of
you
and
have
people
that
you
support
in
the
industry
like
this
kind
of
relationship.
B
I
think
has
really
helped
me
like
have
a
broader
perspective
on
how
the
industry
operates
and
pay
it
forward
like
give
back
speak
to
others,
whether
it's
at
a
Meetup
in
your
local,
you
know
Community
a
Blog
that
you
write.
If
you
want
to
get,
you
know
very
ambitious,
to
seek
into
a
book
or
or
teach
it's
out
there
like.
The
industry
will
allow
you
to
do
it.
You
just
you,
need
to
step
up
and
and
and
and
and
be
a
participant.
A
Absolutely
love
that
paid
forward
absolutely
exactly
what
we
believe
in
defense.
I.
Think
with
that
you
know
what
we'll
do
is
we'll
just
open
up
for
some
more
questions.
I
have
a
bunch
of
them
in
front
of
me,
but
we'll
probably
just
take
two
more
given
the
the
time
limit.
So
let
me
go
ahead.
This
is
a
question
for
you
Nick
from
Dave.
A
B
Yeah,
that's
a
great
question.
Dave
thank
you
for
asking
it
I
think
you
need
to
start
with
your
strategy,
so
we're
we're
a
doc
based
culture.
We
write
down
okay
problem
statements,
Fubar
Fubar
at
plus,
n
right.
We
write
it
down.
We
ask
ourselves:
okay,
what
are
we
trying
to
solve
for
specifically
like
very
specifically
not
high
level
specifically,
and
then
we
say:
okay?
How
can
we
accomplish
this?
Okay?
Are
we
looking
to
scan
images?
Well,
we
can
do
that
with
gripe.
Okay,
are
we
looking
to
look
at
a
a
bill
of
materials?
B
There's
products
for
that
Open,
Source,
Products
free,
come
take
it
or
are
we
looking
for
a
solution
that
wraps
them
together,
like
like
defense,
does
again
open
source
or
maybe
are
we
looking
for
a
commercial
offering?
Because
we
really
want
that?
We
really
think
like
this
is
the
one
there
are
those
as
well
that
we
we've
purchased
like
there
are.
This
is
the
one
kind
of
commercial
solutions
that
are
fully
closed
source
that
we've
also
bought.
You
got
to
start
with
the
strategy.
A
Absolutely,
in
fact
that
was
my
next
question
that
was
in
front
of
you
Nick.
That
is
what
are
the
set
of
criteria
that
you
look
for
when
you
want
to
upgrade
from
open
source
to
Enterprise
version
of
the
product
like,
but
maybe
that
could
be
the
sort
of
you
know,
you're
concluding
the
mark
on
that
that
helps
the
founders.
Like
me,
yeah
and
companies,
who
are
you
know,
trying
to
monetize
open
source.
B
Right
I
know
that's
a
really
good
question:
you
have
to
figure
out
what
the
Market's
going
to
pay
for
it
and
what
is
what
is
desirable
enough
for
a
person
like
me
or
another
security
leader
to
pay
for
the
Enterprise?
What
does
the
Enterprise
need?
Look.
The
Enterprise
needs
usually
like
lower
level
authorization
and
account
management,
because
I
have
a
lot
of
users
using
this
system.
B
We
probably
need
additional
log
because
we
may
need
support
because
we
get
stuck-
and
we
may
not
have
you
know
all
the
resources
to
go
iterate
and
think
spinner
Wheels
trying
to
figure
it
out
through
the
forums
we
may
need
more
advanced
features.
You
have
to
figure
out
what
that
is
depending
on
whatever
product
area
you're
in
like
in
this
product
area,
you
know,
threat
mapper
gives
you
observability.
Threadmapper
gives
you
context
right.
B
Mapper
can
have
you
Harden
and
ensure
what
you're
deploying
into
production
is,
is
safe,
now
threat
Striker,
which
is
the
the
the
the
Enterprise
product
version
here.
In
this
context,
it'll.
A
B
You
a
threat
graph,
it
allows
you
to
seal
off
and
stop
attacks
at
runtime
by
by
basically
killing
the
network
connection
Sandeep,
you've
studied
this
and
you've
decided
okay.
This
is
the
thing
people
are
going
to
pay,
for.
This
is
the
thing
that
we're
going
to
basically
allow
for
free.
You
got
to
do
that
for
every
product.
That's
built
yeah,.
A
Absolutely
yeah
the
the
what
is
Dave
zero
use
cases.
What
are
the
day?
One
use
cases.
Where
is
your
IP
as
a
company?
You
know
which?
What
is
what
is
something
that
you
can
you
know
give
away
build
a
community
around
and
stuff
like
that,
I
think
these
decisions
have
to
be
made
by
you
know
on
Case
by
case
basis
by
the
companies
that
are
trying
to
monetize
whether
you
want
to
go
open
code.
You
want
to
really
completely
open
source
or
you
want
to.
You
know,
have
a
combination.
There
are
totally
unique.