Running vulnerability scanners during development and in your build pipeline is great, but not enough. Newly emerging CVEs and other application behavior anomalies need to be caught in production. Oshrat Nir, from ARMO, talks about the importance of runtime vulnerability scanning.
If you have questions for Oshrat, you can reach her here:
- LinkedIn: https://www.linkedin.com/in/oshratn
- X/Twitter: https://twitter.com/oshratn
- GitHub: https://github.com/Oshratn
- Medium: https://medium.com/@oshratn_61520
If you want to give ARMO or Kubescape a try:
- ARMO Website: https://www.armosec.io/
- Kubescape Website: https://kubescape.io/
Additional show notes:
The Cloud Commute Podcast is presented by simplyblock (https://www.simplyblock.io)
01:00:00
Again, we're very cognizant of
01:00:01
alert fatigue because what happens
01:00:04
is people are overwhelmed.
01:00:06
So they'll either work themselves
01:00:07
to burnout or
01:00:08
start ignoring things.
01:00:10
Neither is a good option.
01:00:16
You're listening to simplyblock's Cloud Commute Podcast,
01:00:19
your weekly 20 minute
01:00:20
podcast about cloud technologies,
01:00:22
Kubernetes, security,
01:00:23
sustainability, and more.
01:00:26
Welcome back to the next episode
01:00:27
of simplyblock's
01:00:28
Cloud Commute podcast.
01:00:29
This week, I have another person
01:00:32
or another guest
01:00:33
from the security space,
01:00:35
something that really
01:00:36
is close to my heart.
01:00:38
So thank you for
01:00:40
being here, Oshrat.
01:00:41
Is that actually correct?
01:00:43
I forgot to ask up front.
01:00:45
It's hard to say my name correctly
01:00:47
if you're not a
01:00:48
native Hebrew speaker,
01:00:50
but Oshrat is close enough.
01:00:52
Okay.
01:00:52
It's close enough.
01:00:53
All right.
01:00:53
I forgot to ask that.
01:00:56
So maybe you do a
01:00:58
quick introduction.
01:00:59
Who are you?
01:01:00
Where are you from?
01:01:02
What do you do?
01:01:03
And we'll take it from there.
01:01:07
So thanks Chris for having me.
01:01:09
This is a great opportunity.
01:01:11
My name is Oshrat Nir.
01:01:12
I am currently the developer
01:01:14
advocate for ARMO and
01:01:17
Kubescape, which is our
01:01:19
CNCF sandbox project.
01:01:21
So we have an enterprise and an
01:01:24
open source product
01:01:27
or platform that I look
01:01:29
after. I've been at ARMO for a
01:01:32
year and a half.
01:01:33
I've been in cloud native for
01:01:36
about five and a half.
01:01:38
And before that, I
01:01:40
worked in telco, I guess.
01:01:44
And fun fact about me is that I
01:01:46
lived on three
01:01:47
continents before I was nine years old.
01:01:50
All right.
01:01:51
All right.
01:01:51
We'll come back to that.
01:01:53
Or maybe just now.
01:01:55
What do you mean you lived on
01:01:56
three continents?
01:01:58
I was born in
01:01:59
Germany which is Europe.
01:02:02
And then I left Germany when I was
01:02:03
two years old,
01:02:05
nearly three, and moved to
01:02:07
the States and I lived in
01:02:09
Philadelphia for six years.
01:02:11
And when I was eight and a half
01:02:14
years old, I moved to
01:02:16
Israel and that's where
01:02:18
I've been living since.
01:02:19
All right.
01:02:19
All right.
01:02:20
Okay, two years.
01:02:21
So you're not...
01:02:23
I don't speak German.
01:02:25
All right.
01:02:28
Fair enough.
01:02:29
Fair enough.
01:02:29
I tried to learn from German when
01:02:31
I was working for
01:02:32
a German company.
01:02:34
My friend at Giant,
01:02:35
shout out to Giant Swarm.
01:02:39
But no, they did a lot of good
01:02:41
things for me, which was
01:02:42
introduced me to cloud
01:02:43
native, but German
01:02:44
was not one of them.
01:02:45
I agree.
01:02:47
And I feel sad for everyone.
01:02:48
We're sorry for everyone who has
01:02:49
to learn German.
01:02:50
The grammar is such a pain.
01:02:54
Anyway, you said
01:02:55
you work for ARMO.
01:02:56
So tell us a little bit about ARMO.
01:02:58
A little bit more than it's open
01:03:00
source or enterprise.
01:03:02
Okay.
01:03:03
So ARMO is a
01:03:05
cybersecurity company.
01:03:07
It was founded.
01:03:09
The co-founders are Shauli Rosen,
01:03:11
who is now our CEO, and Ben
01:03:13
Hirschberg, who is
01:03:14
our CTO, and another co-founder
01:03:17
who's now on the board
01:03:18
called Leonid Sandler.
01:03:25
Now, Leonid and Ben
01:03:28
come from cybersecurity.
01:03:29
They've been doing
01:03:30
it since the 90s.
01:03:33
And originally they built out a
01:03:36
really, really,
01:03:37
really good product that
01:03:40
required installing
01:03:41
an agent in a cluster.
01:03:43
It was highly intrusive.
01:03:46
It was very resource intensive.
01:03:48
It might've been a good idea, but
01:03:49
it was like maybe, I
01:03:52
don't know, five years
01:03:52
ahead of its time because that was
01:03:55
in the days where
01:03:56
agent-less was the thing.
01:03:59
And it kind of, it became a thing.
01:04:04
And then what happened was that
01:04:06
NSA and CISA came out with
01:04:08
the guidelines for
01:04:10
hardening Kubernetes.
01:04:12
Yeah.
01:04:12
That was in 2021, August of 2021.
01:04:18
And they grabbed that idea and
01:04:21
they built an open source
01:04:22
misconfiguration scanner based on
01:04:24
that framework and
01:04:26
that's Kubescape.
01:04:27
And they built out that and it
01:04:30
came out and it
01:04:31
went crazy within days.
01:04:33
It was like the star chart was
01:04:35
nearly perpendicular.
01:04:38
It was, it was crazy.
01:04:39
It got to thousands of stars
01:04:41
within really days.
01:04:43
By the way, we are waiting to get
01:04:46
to 10K stars.
01:04:48
So if anybody uses and likes us,
01:04:50
please, we want,
01:04:52
we really, really,
01:04:53
really want to
01:04:53
celebrate that 10K milestone.
01:04:58
But we really reached, I don't
01:05:00
know, 1000, 3000, 5000 stars
01:05:03
very, very quickly.
01:05:05
And then we added more
01:05:09
frameworks to the
01:05:12
misconfiguration
01:05:12
scanner, which include my first
01:05:15
class, which
01:05:16
include the CIS benchmark.
01:05:18
I mean, everybody
01:05:19
uses the benchmark.
01:05:22
And these were all things that
01:05:23
allowed people to
01:05:25
easily adhere to these
01:05:27
frameworks and help with the
01:05:30
continuous compliance.
01:05:34
But you can't, I don't
01:05:35
know, Alice in Wonderland.
01:05:37
I worked with Lewis Carroll.
01:05:39
You need to run in order to stay
01:05:41
in place, said the
01:05:42
Red Queen to Alice.
01:05:44
So we had to continue to develop
01:05:46
the product into
01:05:46
a platform because
01:05:47
the misconfiguration
01:05:48
scanner is not enough.
01:05:50
And then we went
01:05:50
into CI/CD scanning.
01:05:54
Image scanning.
01:05:55
So there's image scanning,
01:05:56
repository scanning, scan the cluster.
01:05:59
And we also have an agent-less
01:06:02
flavor, which was the
01:06:04
original way we worked.
01:06:05
And then we decided, despite
01:06:07
past experience, because
01:06:08
we saw that the market was ready
01:06:09
for it, to add an agent
01:06:11
as well, an operator
01:06:13
that you put on your
01:06:14
cluster, because things that you
01:06:16
can see from inside the cluster
01:06:17
are not the same
01:06:18
as things that you can see from
01:06:19
outside the cluster.
01:06:20
And that's really important in
01:06:21
terms of security, because you
01:06:23
don't want blind spots.
01:06:24
You want to have all
01:06:25
your bases covered.
01:06:26
If I were to use an American
01:06:27
sports analogy.
01:06:29
So you want to have
01:06:30
everything covered.
01:06:32
So that's how
01:06:33
Kubescape continued to develop.
01:06:36
At the end of 2023, or yeah, it
01:06:38
was December of 2023, no, sorry,
01:06:40
December of 2022.
01:06:43
We were accepted, Kubescape was
01:06:44
accepted by the CNCF as a
01:06:46
sandbox project.
01:06:48
The first
01:06:48
misconfiguration scanner in the CNCF.
01:06:53
And we're still there and we're
01:06:56
happy and we're growing and we're
01:06:58
in a bid for incubation.
01:06:59
So if I do another plug here now,
01:07:01
if you're using Kubescape and you
01:07:02
love it, please add
01:07:03
yourself to the adopters list
01:07:04
because we want to get to
01:07:05
incubation in 2024.
01:07:08
So we're kind of, we only have
01:07:10
seven months to go.
01:07:11
So yeah, please help us with that.
01:07:13
And what happened when we went
01:07:19
into, when Kubescape was accepted
01:07:21
into the CNCF, we had to
01:07:23
break it out of our enterprise
01:07:25
offerings, out of
01:07:26
our commercial offering.
01:07:28
So we broke it out and
01:07:29
now we have two offerings.
01:07:30
We have ARMO platform, which is the
01:07:32
enterprise offering.
01:07:33
It's either SaaS or as a private
01:07:36
installation, whatever works.
01:07:38
And of course, Kubescape, which is
01:07:39
open source, free for
01:07:40
all anybody can use or
01:07:42
contribute and seems that people
01:07:45
really know and love Kubescape.
01:07:47
But this is the impression that I
01:07:48
got from when I came
01:07:50
back from Paris, at the
01:07:52
KubeCon, I mean, people stopped at
01:07:53
the ARMO booth and they go, oh,
01:07:54
you're Kubescape.
01:07:56
So yeah, Kubescape is
01:07:57
very, is very known.
01:07:59
It's a known brand and people seem
01:08:00
to like it, which is great.
01:08:02
Right, right.
01:08:03
So as I said, we just had a guest,
01:08:06
like, I think two weeks
01:08:08
ago, Brian Vermeer from
01:08:11
Snyk, I just learned it's
01:08:13
actually pronounced Snyk.
01:08:16
All right.
01:08:18
And they're also in
01:08:20
the security space.
01:08:21
But from my understanding, ARMO is
01:08:23
slightly different.
01:08:24
So Snyk mostly looks at like the
01:08:26
developer and the build pipeline,
01:08:30
trying to make sure
01:08:32
that all possible vulnerabilities
01:08:34
are found before you
01:08:38
actually deploy, so that
01:08:40
common coding mistakes, like the
01:08:44
typical SQL injection, all that
01:08:46
kind of stuff is
01:08:47
caught before it actually can get
01:08:49
into production.
01:08:50
But with the onsite or continuous
01:08:54
online scanning, whatever you want
01:08:56
to call it, ARMO
01:08:57
is on the other side
01:08:59
of these things, right?
01:09:00
So why would you need that?
01:09:03
Why would you want that, like,
01:09:05
this continuous scanning?
01:09:07
I mean, if there was no security
01:09:09
issue, why would there be one in
01:09:11
production at some point?
01:09:13
Okay, so first, let's kind of dial
01:09:16
this a little back.
01:09:18
Snyk looks at things from...
01:09:19
Snyk talks about themselves as an AppSec
01:09:21
company, and they
01:09:22
look at things from the workload
01:09:24
or application point of view, and
01:09:27
then they work their way
01:09:28
down. And they get informed by
01:09:34
information from
01:09:35
cloud providers, etc.
01:09:40
Armo is the other way around. We
01:09:43
start from the infrastructure.
01:09:46
Kubernetes infrastructure is like
01:09:48
something that has
01:09:49
never been before.
01:09:51
I mean, Kubernetes is different.
01:09:53
You can't use legacy processes and
01:09:58
tools in order to scan your Kubernetes
01:10:00
because you just don't get
01:10:02
everything that you need.
01:10:03
Kubernetes is ephemeral, it scales
01:10:05
up, it scales down.
01:10:06
Containers don't last as long, so
01:10:08
you don't have a
01:10:08
time to test them.
01:10:10
There's a lot of things that you
01:10:11
could do in the past and you can't
01:10:13
do with Kubernetes.
01:10:14
So the way we look at securing
01:10:16
Kubernetes and by extension the
01:10:20
applications or the workloads
01:10:21
running on it is the fact that we
01:10:23
start from the from
01:10:27
the infrastructure.
01:10:29
We work off of those frameworks,
01:10:32
best practices that we talked
01:10:33
about, and we use
01:10:35
runtime to inform
01:10:38
our security because one of the
01:10:41
main problems that people securing
01:10:46
Kubernetes have is the fact that
01:10:48
if they work according to best
01:10:50
practices, their applications
01:10:51
break or may break or break at
01:10:54
some point. And what you need to do is
01:10:57
understand application behavior
01:10:59
and then secure the
01:11:02
infrastructure informed by that.
01:11:06
So it's sort of a
01:11:07
different perspective.
01:11:08
We kind of do bottom up and they
01:11:10
and Snyk the top down and we kind
01:11:13
of meet at the application, I
01:11:14
would say, I guess, because I
01:11:16
don't think Snyk goes all the way
01:11:18
down to Kubernetes and we don't go
01:11:21
all the way up to SAST
01:11:23
or all of those four-letter
01:11:26
acronyms that
01:11:27
aren't exactly in the
01:11:31
Kubernetes world,
01:11:32
but over Kubernetes.
01:11:33
So as a company, I actually want
01:11:37
both tools, right?
01:11:38
I want the development side, the
01:11:40
bottom up to make sure that I
01:11:42
don't have well,
01:11:45
that I catch as much
01:11:47
as possible before even
01:11:48
going into production.
01:11:49
And I want the top down approach
01:11:51
in production to make sure that
01:11:53
nothing happens
01:11:54
at runtime, because
01:11:56
I think ARMO also does compliance
01:11:58
testing in terms of that my
01:12:00
policies are correct.
01:12:02
It does...
01:12:05
It looks for misconfiguration.
01:12:06
So it looks much more on the
01:12:08
operational side, stuff that a lot
01:12:10
of the other
01:12:11
tools, I think, will not
01:12:12
necessarily catch easily.
01:12:15
Correct.
01:12:16
ARMO looks again, we are there
01:12:18
throughout the software
01:12:19
development lifecycle from the
01:12:20
beginning, even to
01:12:22
the point where you can do
01:12:23
registry scanning and repo
01:12:25
scanning and
01:12:26
image scanning before.
01:12:28
And then as you write things and
01:12:29
as you build out your pipelines,
01:12:31
you put security gateways in the
01:12:33
pipelines using ARMO.
01:12:36
And an interesting thing, we have
01:12:39
started to leverage eBPF a lot
01:12:41
from many of the
01:12:42
things that we do.
01:12:44
In order to reduce the
01:12:47
signal-to-noise ratio, one of the
01:12:49
problems that there is
01:12:50
in the world of DevOps
01:12:51
and in the operations is alert
01:12:54
fatigue, a lot of false positives.
01:12:58
And people,
01:12:59
they're so overwhelmed.
01:13:02
And there's also a missing piece,
01:13:05
because again, even in the world
01:13:07
of CVEs, when
01:13:09
you're judging things
01:13:11
only by their CVSS, only by the
01:13:13
severity and the score of the CVE,
01:13:17
then you might not
01:13:18
be as efficient as
01:13:19
you need to be.
01:13:20
Because sometimes you have a high
01:13:22
severity vulnerability, somewhere,
01:13:25
that doesn't even get loaded
01:13:27
into memory.
01:13:28
So it's not a problem that you
01:13:29
have to deal with now.
01:13:31
You can deal with it somewhere in
01:13:33
the future when you have time,
01:13:35
which is never,
01:13:36
because nobody ever
01:13:37
has time.
01:13:39
But the idea is, again, having
01:13:42
production informing what happens
01:13:45
in operation by
01:13:46
saying, "Okay, this
01:13:48
way the application or the
01:13:49
workload needs to work, and this
01:13:53
is why I care about this
01:13:55
vulnerability and not
01:13:56
that vulnerability."
01:13:57
Right, right.
01:13:58
Now, speaking of that, ARMO is
01:14:01
working on introducing, we already
01:14:03
have this in beta
01:14:04
in Kubescape, but it's
01:14:05
coming out at ARMO as well, on
01:14:08
cloud native detection and
01:14:10
response, like
01:14:11
runtime, or for runtime.
01:14:13
So we have built out, since we've
01:14:16
been working with the workload,
01:14:18
since we've been
01:14:18
using eBPF to see how
01:14:20
applications are supposed to act
01:14:22
so that we can secure the
01:14:23
infrastructure
01:14:24
without breaking the
01:14:24
application, what we're doing now
01:14:27
is saying, "Okay, so now we know
01:14:29
how the application
01:14:29
needs to act", so I can
01:14:32
actually alert you on when it's
01:14:34
acting abnormally, and then we
01:14:36
have anomaly detection.
01:14:37
I can actually detect the
01:14:40
fingerprints of malware, and then
01:14:43
I can flag that and
01:14:45
say, "Look, this might be
01:14:47
problematic."
01:14:47
You might be needing to look at
01:14:49
this because you might have a
01:14:50
virus, because people
01:14:51
might be scanning CVEs.
01:14:53
And sorry for the 90s reference,
01:14:55
but I'm a Gen X-er, people might
01:14:58
be scanning for CVEs,
01:14:59
but they're not looking for
01:14:59
viruses on images.
01:15:01
And that's just the problem
01:15:02
waiting to happen.
01:15:04
Especially with something like the
01:15:06
XZ issue just recently.
01:15:08
There you go.
01:15:10
Yeah.
01:15:10
Yeah.
01:15:11
And I think that probably opened
01:15:13
the eyes of a lot of people, that
01:15:16
to what extent or to what length
01:15:18
people go to inject
01:15:20
stuff into your application and
01:15:22
take over either your build
01:15:24
pipeline or your eventual
01:15:25
production, I think in the
01:15:27
XZ situation, it was like a
01:15:29
backdoor that would eventually
01:15:31
make it into
01:15:32
production, so you have access to
01:15:34
production systems.
01:15:36
Yeah, I agree.
01:15:37
And you said another important
01:15:38
thing, and I'm coming from a
01:15:39
strong Java background.
01:15:41
It's about dynamically loading
01:15:45
libraries or dependencies.
01:15:47
And Java was like the prime
01:15:48
example in the past.
01:15:49
Not everything you had in your
01:15:50
class path was necessarily loaded
01:15:52
into RAM or into memory.
01:15:55
But you have the same thing for
01:15:56
JavaScript, for PHP, for Python,
01:16:00
and especially JavaScript,
01:16:01
TypeScript, Python.
01:16:02
Those are like the big comers, not
01:16:05
newcomers, but the big comers or
01:16:07
upcomers in terms
01:16:09
of dynamic languages.
01:16:11
So yeah, I get that.
01:16:12
That is really interesting in the
01:16:15
sense of you look at runtime and
01:16:18
just because something is in your
01:16:19
image doesn't necessarily
01:16:20
mean it's bad.
01:16:21
It's going to be bad the second
01:16:23
it's loaded into memory and is
01:16:25
available to the application.
01:16:26
That makes a lot of sense.
01:16:29
So you said ARMO runs inside the
01:16:34
Kubernetes cluster, right?
01:16:35
There's an operator, I guess.
01:16:38
Yeah.
01:16:39
So do I need to be
01:16:42
prepared of anything?
01:16:43
Is there anything special I need
01:16:44
to think about or is it literally
01:16:46
you drop it in, and because
01:16:48
it's eBPF and agent-less
01:16:50
it does all the magic for me and I
01:16:51
don't have to
01:16:52
think about it at all.
01:16:53
Like magic.
01:16:54
Yeah, the idea is for
01:16:55
you not to think about it.
01:16:57
However, we do give users tools.
01:17:00
Again, we're very cognizant of
01:17:02
alert fatigue because what happens
01:17:04
is people are overwhelmed.
01:17:06
So they'll either work themselves
01:17:08
to burnout or
01:17:09
start ignoring things.
01:17:11
Neither is a good option.
01:17:13
Okay, so what we want to do is
01:17:16
thinking about the usability of
01:17:20
the processes, not just the UX,
01:17:22
but about the
01:17:22
processes that are involved.
01:17:25
So we have
01:17:26
configurable security controls.
01:17:28
You can quiet alerts for specific
01:17:32
things, either forever, because
01:17:34
that's just the way this is a risk
01:17:36
you're willing to take.
01:17:38
Or that's just the way the app
01:17:40
works and you can't change it or
01:17:42
you're not changing for now.
01:17:45
So you can configure the controls,
01:17:46
you can set down alerts for a
01:17:49
configurable period
01:17:50
of time or forever.
01:17:52
And all of these things are in
01:17:54
order to bring you to the point
01:17:56
where you really, really, really
01:17:59
focus on the things that you need.
01:18:02
And you increase the efficiency of
01:18:04
your security work.
01:18:05
You only fix what
01:18:06
needs fixing.
01:18:08
A good example
01:18:08
here is an attack path.
01:18:11
People, I mean, it's called an attack
01:18:13
chain, an attack vector, kill
01:18:15
chain, there's lots of
01:18:16
terminology around the same thing.
01:18:18
But basically what it says is that
01:18:19
there's a step by step by step
01:18:21
task or thing that an attacker
01:18:24
would use in order to
01:18:25
compromise your entity.
01:18:29
There are different entry points
01:18:30
that are caused by either
01:18:32
misconfigurations or viruses or
01:18:35
sorry, or vulnerabilities, etc.
01:18:37
So what we do is we provide a
01:18:41
visualization of a possible attack
01:18:45
path and say, ok, it's sort of a
01:18:48
I'm hesitant to use the word node
01:18:51
because Kubernetes,
01:18:52
but it's kind of a node of the
01:18:56
subway map sort of thing where you
01:19:00
can basically, you can check for
01:19:03
each node what you need to fix.
01:19:05
Sometimes there's one node where
01:19:08
you need to fix one
01:19:09
misconfiguration and you're done
01:19:12
and you immediately harden your
01:19:14
infrastructure to the point where
01:19:16
the attack path is blocked.
01:19:19
You of course, you need to fix
01:19:21
everything around that.
01:19:23
But the first thing you need to do
01:19:24
is to make sure
01:19:25
that you're secure now.
01:19:28
And that really helps and it
01:19:29
increases the efficiency.
01:19:31
Right. So you're basically cutting
01:19:32
off the chain of
01:19:34
possibilities so that even if a
01:19:37
person gets to that point, they're
01:19:39
now stopped in their tracks, basically.
01:19:43
All right. That's interesting.
01:19:45
That
01:19:46
sounds very useful.
01:19:49
Yeah, I think that's an important
01:19:52
thing because that's
01:19:53
basically our North Star where
01:19:55
we're saying we know
01:19:56
that security work is hard.
01:19:58
We know that it's been delegated
01:20:00
to DevOps people that don't
01:20:02
necessarily like it or want to do
01:20:04
it and are overwhelmed with other
01:20:06
things and want to do things that
01:20:07
they find more
01:20:07
interesting, which is great.
01:20:09
Although, you know, security
01:20:10
people don't take me personally, I
01:20:12
work for a security company.
01:20:13
I think it's interesting. But my
01:20:16
point is, and I'm
01:16:19
sorry, this is a Snyk tagline,
01:20:20
sorry, Brian, that you want
01:20:24
security tools that
01:20:26
DevOps people will use.
01:20:29
And that's basically
01:20:30
what we're doing at ARMO.
01:20:31
We want to create a security tool that
01:20:33
DevOps people will use
01:20:34
and security people will love.
01:20:36
And again, sorry, Snyk.
01:20:39
That's basically the same thing, but
01:20:40
we're coming from the bottom, you're from the top.
01:20:41
To be honest, I think that
01:20:43
is perfectly fine.
01:20:45
They probably appreciate the call
01:20:47
out, to be honest.
01:20:50
Right. So because we're almost
01:20:54
running out of time, we're pretty
01:20:55
much running out
01:20:55
of time right now.
01:20:57
Do you think that there is or what
01:20:59
is your feeling about security as
01:21:01
a thought at companies?
01:21:03
Do they like
01:21:04
neglect it a little bit?
01:21:06
Do they see it as
01:21:09
important as it should be?
01:21:10
What is your
01:21:11
feeling? Is there headroom?
01:21:14
Well, I spend a lot of time on
01:21:17
subreddits of security people.
01:21:20
These people are very unhappy.
01:21:23
I mean, some of them are
01:21:24
really great professionals that
01:21:28
want to do a good job and they
01:21:29
feel they're being discounted.
01:21:32
Again, there's this problem where
01:21:35
there are tools that they want to
01:21:37
use, but the DevOps people that
01:21:38
they serve them to
01:21:41
don't want to use.
01:21:42
So there needs to
01:21:43
be a conversation.
01:21:45
Security is important.
01:21:47
OK, F-16s run on Kubernetes.
01:21:50
Water plants, sewage plants, a lot
01:21:55
of important
01:21:55
infrastructure runs on Kubernetes.
01:21:58
So securing
01:21:59
Kubernetes is very important.
01:22:02
Now, in order for that to happen,
01:22:04
everybody needs to
01:22:05
get on board with that.
01:22:06
And the only way to get on board
01:22:08
with that is to have that
01:22:09
conversation and to say, ok, this
01:22:11
is what needs to be done.
01:22:13
This is what we
01:22:14
think you need to do it.
01:22:16
Are you on board? And if
01:22:18
not, how do we get you on board?
01:22:20
And one of the ways to get you on
01:22:22
board is OK, look, you can put
01:22:25
this in the CI/CD pipeline, forget
01:22:27
about it until it reminds you.
01:22:29
You can scan a repository every
01:22:32
time you pull for it or an image
01:22:33
every time you pull it.
01:22:35
You have a VS Code plugin
01:22:37
or a GitHub action.
01:22:40
And all of these things are in
01:22:42
order to have that conversation
01:22:44
and say, look,
01:22:45
security is important,
01:22:46
but we don't want to distract you
01:22:47
from things that
01:22:48
you find important.
01:22:49
And that's a conversation that has
01:22:51
to happen, has to
01:22:52
happen all the time.
01:22:53
Security doesn't end.
01:22:55
Right, right. Ok, last question.
01:22:58
Any predictions or any thoughts on
01:23:01
the future of security?
01:23:03
Anything you see on the horizon
01:23:05
that is upcoming or that needs to
01:23:08
happen from your perspective?
01:23:11
Runtime is upcoming.
01:23:14
It's like, even two
01:23:16
years ago, what was the thing?
01:23:18
Nobody was talking about anything
01:23:20
else except shift left security.
01:23:22
You shift left. DevOps should do it.
01:23:25
We're done, we said.
01:23:28
And we found that even if one
01:23:30
thing gets through our shift left,
01:23:32
our production
01:23:33
workloads are in danger.
01:23:35
So next thing on the menu is
01:23:38
runtime security.
01:23:40
It's a beautiful last sentence.
01:23:44
Very, very nice.
01:23:45
Thank you for being here.
01:23:46
It was a pleasure having you.
01:23:50
And I hope we're going to see each other.
01:23:53
I think we never met in person,
01:23:54
which is really weird.
01:23:57
But since we're both in the
01:23:58
Kubernetes space, there
01:24:00
is a good chance we do.
01:24:01
And I hope we really do.
01:24:04
So thank you very
01:24:05
much for being here.
01:24:07
Thanks so much for
01:24:07
having me, Chris. Great.
01:24:09
For the audience
01:24:10
next week, next episode.
01:24:12
I hope you're listening again.
01:24:14
And thank you very much
01:24:15
for being here as well.
01:24:16
Thank you very much. See ya.
01:24:19
The Cloud Commute Podcast is sponsored by
01:24:21
simplyblock, your own elastic
01:24:22
block storage engine for the cloud.
01:24:24
Get higher IOPS and low predictable
01:24:26
latency while bringing down your
01:24:28
total cost of ownership.
01:24:29
www.simplyblock.io