From YouTube: TFiR — Ali Golshan, Co-founder & CTO — StackRox
Description
In this interview, Ali Golshan - Co-founder & CTO of StackRox, talks about complete container security.
B
Yeah, so StackRox has been around for three years now. The company's about 50 people, and what we build is a full product-lifecycle security solution for containerized, microservices environments. So we have a single platform that covers various aspects of the build and deploy phase, as well as a module that covers runtime security for containers and microservices. So we try to create kind of a holistic overview of the entire process.
B
Yeah, I think the main two challenges we see up front are really the fundamental problems you see with any emerging market, especially when it comes to a virtualized sector. One of them being: you need to understand and manage kind of hygiene and assets as you're going through your entire build and deployment process.
B
So that's really the area of focus that a lot of the customers have, just the nature of the market being early. And the other part of it is really everybody wants visibility into their entities, whether it be at the build and deploy or whether it be at the runtime phase. So I think the market is maturing very quickly. As you mentioned, we're seeing an adoption and uptake of containerization.
B
You know, more push around consolidation around orchestration, which is allowing customers to do more sophisticated things. As a result of that expertise and sophistication we're going to see, and we are starting to see, a higher trend towards more and more sophisticated security at runtime. But right now the focus tends to be around that good hygiene around build and deploy, and good visibility at runtime.
B
...collects data, applies them into a central analytics environment, machine learning, and then correlation to give you actions and automated responses. So our view is that you really need to cover it for the full lifecycle. So while we do focus on the hygiene at the build and deploy process with our Prevent module, we have our Detection and Response module, which is really covering applications at runtime that are containerized.
B
If you run as a company in a private data center, hybrid, public cloud, we don't necessarily sit like a traditional AV in every container and then run the same rules and heuristics, just kind of replicate the container. Our model is to continuously collect data from every node and application and then centralize it and make a much larger correlated decision. So, rather than raising single alerts every time something pops up, we put them together, stitch them for you, and then automate the response.
A
Right, and do you only... when you say containers today, every container or microservice, I don't know how you want to call it. So, do you only target Docker customers, or do you also go beyond that?
B
Our view of it is that this whole new stack needs an entirely new approach, and you need to understand the relationships between these pieces. You know, how is Kubernetes impacting the container, how is the container changing the behavior of the application. So our product is really agnostic, and the reason we talk about it being kind of a sensor model versus an agent that kind of conducts actions is we need to capture all this information and see how it correlates across your entire infrastructure.
B
Exactly, it's cloud native. Cloud native, yeah, so the way I think about cloud native is more around some core principles. That's how I think about it from a differentiation standpoint, and I think there's a huge debate, but the way I think about it is: one cloud native profile, or particular principle, is try to reduce the host as much as possible, reduce permissions and packages and credentials and privileges, but rely on your orchestrator, like the orchestrator in a cloud native world.
B
I see as the API-driven operating system, building everything down to its atomic units of compute, so swapping and continuous build becomes an easier process. And the overarching umbrella that I see, that is kind of a driving principle around cloud native, is really automation. You're trying to do more with less people, and I think those are the core principles we see, right, whether you do it in a VM or in a public cloud or a private cloud.
A
So it's always interesting to see other different people's perspective, you know, what they think, and it makes perfect sense. Differently, though, when we do talk about microservices and cloud native these days, it's hard to keep up with the buzzwords, yeah, serverless revenue. So what kind of security implications are there in the serverless landscape?
B
Serverless presents its own unique set of challenges, because naturally there isn't a lot you can do with it on the host side of that, because it's a function that's basically running. So this is where I think, if you think about what our product is trying to do, which is the full product lifecycle, not just focusing on runtime, because more and more constructs in it are becoming either ephemeral or as-services needed on kind of a use case basis.
B
You have to be able to provide as much of that security, hygiene and visibility up front in the build and deploy process. So that's where we focus on and say, well, if you're building, for example, a Lambda function, you still have to be able to write some code. You still have to be able to write an image that eventually gets translated into a serverless model.
B
There's a lot of things you can do that lead up to the point before you operationalize that function. Now, the truth of the matter is that you can't do a lot with serverless at runtime phases from a host standpoint. So this is why you have to upload as much of your work process as possible into the build and deploy process.
B
Rox, StackRox, yeah, so there's two components to it. One, when we were building the product, and it actually comes back to one of your questions, which was, you know, is it about a container. We wanted to build a full stack solution. So how do you secure this full cloud native stack? So we wanted to make use of the word "stack" in the name, and then we wanted to convey, you know, solid, kind of solidification, stability, things like that, and so we decided to go with "rock".
B
You know, StackRock, but we decided that Rox was a little bit more, you know, catchy. We can do a little bit more with it, and it just kind of rolled off the tongue.
B
No, I think the biggest part of it for us right now is really the market is now going from its very kind of infancy state into a high maturity stage, so we're just trying to engage with customers as much as possible. So the biggest part of it for us is really the exciting part of the roadmaps that we have coming up in the product, and I would say it kind of further validates the full lifecycle product and really a distributed architecture being necessary. Those are really the main parts, right.
B
So we built the company intentionally to deal with, you know, Global 2000 companies, regulated industries, companies who strive to build cloud native, but they may not have the same luxuries. So we actually don't have an open source component of our product. We tend to be a more kind of security-focused, security-centric product. We've done talks, for example, you know, at BSides and different environments where we, you know, develop and release tools to help configure.
A
I have talked to... whenever I talk to security, I get the same answer, because it's a different market also. Let's start talking about technology, and let's start on Docker. Let's talk about you for a while, okay? Okay, so when you're not securing all these things, what do you do in your free time?
B
Securing different things. So, you know, my background is, I've always been kind of heavily involved in security. I got kicked out of school for hacking my university departments, and...
A
That's fun, yeah! So when you do talk about security, what do you think about Mr. Robot?
B
I also felt like it wasn't really kind of like the practical stuff I had to deal with day-to-day. That is like the very pretty, very exciting picture that everybody draws in security, but I think when you come down to the reality of day-to-day, it's really the frustrating, mundane things that everybody has to do, right, and I think just living that day-to-day made it a little bit more difficult to watch Mr. Robot.
A
The reason I'm asking is that, because I'm a science fiction writer as well, and machine learning... you mentioned machine learning, artificial intelligence. So the world we are moving towards, it is, and you guys are actually building that same world, yeah. So do you think that is a bleak possibility, or is it just perfect fiction, and she's thinking that, what is going on here?
B
You know, I think it's kind of an interesting conversation. So I think the conversation of AI is actually a very valid one. I personally don't believe we have even functional AI, right, let alone like general holistic AI; like generalistic AI doesn't exist. So I think, you know, my rule of thumb has always been that if you want to figure out if somebody's really talking about machine learning and AI, just substitute the word for "computer"; if the word still makes sense in that...
B
I think the trajectory towards AI is a very realistic one. I think naturally the uptake in GPU kind of optimization and a lot of the things that's happening around neural nets and deep learning is going to contribute to that. Some of the areas that I'm a big fan of is like sub- and supermodular optimization for feature engineering on like edge points, but I think there is...
B
Think about where AI feeds; it's about data and knowledge and curation of that, like junk in and junk out. So if the security industry comes together as a whole, like parses data, filters it, creates good indicators, good data, clean data, and then collaboratively puts this together, then there's a huge amount of kind of value you can add. But this is where I think other environments, like, you know, image recognition or self-driving cars, actually have a huge advantage, because there are mass public volumes of data available to be able to train models on top of.
A
Have some models also there, because model is what you know? Yes, so this is one effort that I'm aware of. Are you aware of any efforts by the industry where, you know, players are working together? I'm aware...
B
But I'm not aware of any large-scale collaborative initiative that is meant to create open data for the purposes of training, because I think most companies, especially in security, realize that the data becomes the proprietary piece for them. That's actually the part that creates a differentiator for them. Like, if you think about our machine learning, the reason we made the architectural decision we did was we wanted to collect a hundred times more data and analyze it than our competitors. That's why we built our architecture the way we did. So we want to feed a lot more data to our ML model, to train it in a lot more substantial fashion and with a higher efficacy. So data's valuable, but it's very expensive; doing it in our company's environment is very difficult, and you have to balance that with a lot of other things. So when somebody like us goes through that process, I think it kind of naturally creates this like protective sense of the data, because you went through such trouble to get it, but...
A
How is that the mindset? Because, I mean, I have been covering open source from day one, and now, when I see everybody is doing open source, that mindset has changed. So do you see any patterns or any signals where, you know, the mindset of the security companies will also change?
B
Definitely, and I think actually, to your point, the emergence of the kind of the cloud native initiative that has pulled a lot more of the open source initiatives into the kind of the mission-critical infrastructure of a company has forced security teams, and just generally security organizations, to change a lot of their models of how they used to do things. They have to be a little bit more open, more collaborative decision making at a faster pace, more comfortable with new tools, so naturally they can't make those decisions in their own bubbles anymore.
B
They have to collaborate, they have to get additional information. So I think that general movement is very much in its infancy. It's definitely happening, but this is, to your point, where I think there's more need for industry framework and constructs and some scaffolding that helps accelerate that.
A
Right, and but while we're talking about Black Mirror, I see all those things as IoT, you know, because they have implants, and IoT is also becoming very, very, very... and with that, although security is bigger, because a lot of processing is moving to the edge. Edge, yeah. So from your perspective, what is going on in there in terms of security? Yeah.
B
So my view of it is there's two components to that. IoT by the nature of it is a massive data production unit. I mean, it's exponentially higher volumes of data you have to produce, so you can... the same way you couldn't take traditional security solutions and apply them to containerization and microservices.
B
You still can't take that information and that construct from microservices and containers and purely apply it to IoT. And what I mean by that is that there's certain classes of attacks that we've seen on IoT, whether it be DDoS or particular hijacking or exploits that are taken advantage of, that still do require some preventative or some potential detection mechanisms. But the larger problem I think that needs to be solved in IoT is how do you control the production of the data itself? Like...
B
Can you actually measure the value of what this device is supposed to add to a particular user, and is a hundred percent of the data that is being generated about that user relevant, or is there a particular way that you should create a control for a user to actually reduce and diminish that? Now, that's not something that's in the purview of StackRox. That's not what we're doing right now.
B
As well, yeah. No, I think that's it. The biggest things I would say that have been the takeaways for us is that customers are finally investing heavily into this ecosystem. I think Docker did a tremendous thing pioneering this. I think there's a lot of other companies doing really great stuff, like Red Hat, like Google; they're really pushing the initiatives forward. We're seeing kind of the adoption of Kubernetes in the ecosystem.
B
I think, if you asked a lot of us a year ago what concerns you, it's like, you know, there was half a dozen different orchestrators and schedulers, and that consolidation is creating a much more stable roadmap for companies like us. So I think more and more, every year we come here, it's just a more encouraging story we hear, and we're really optimistic about the size of this market and what it's building. Awesome.