Josh Larsen, co-founder and CTO of Ghost Security, joins Seth Law and Ken Johnson on January 28th at 12 noon Eastern time. Before Ghost Security, Josh was a co-founder and CEO of Darkbit and, before that, of the Blackfin Security Group. Larsen led the GTM strategy for both startups; Darkbit and Blackfin Security Group were acquired by Aqua Security and Symantec Corporation, respectively. Ghost Security (https://ghostsecurity.com/) was founded so that development shops and AppSec teams would have a tool for autonomous application security using agentic AI, with the goal of helping teams discover, test, and mitigate risks in real time. Josh (joshlarsen on LinkedIn, @josh_larsen on X/Twitter) has been in the industry for 25 years, working as a security program manager and consultant as well as building products that improve the security landscape. Be sure to tune in as Seth and Ken talk through his experiences in the field and glean his insights about the future of AppSec.
In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel. Silent Push's recent analysis reveals new tactics by the FIN7 cybercriminal group, which is leveraging AI-based “DeepNude Generators” as part of a phishing campaign to spread malware. Microsoft's Digital Crimes Unit (DCU), in partnership with the U.S. Department of Justice, has taken steps to dismantle cyber operations by Star Blizzard, a Russian state-affiliated actor also known as COLDRIVER. Aqua Security's detailed research on perfctl describes it as a highly stealthy malware that targets Linux servers using a range of sophisticated methods. Comcast recently disclosed that over 237,000 customers had their personal data compromised due to a ransomware attack targeting a former debt collection agency, Financial Business and Consumer Solutions (FBCS). TrustedSec's research on EKUwu sheds light on a significant Active Directory Certificate Services (AD CS) vulnerability that allows attackers to misuse version 1 certificate templates. Stats on business outcomes after breaches referenced by Matt.
In today's episode, we delve into the recent vulnerabilities disclosed by Progress Software affecting the MOVEit file-transfer service, explore how Apple patched a Bluetooth vulnerability in AirPods that could allow eavesdropping, and discuss Aqua Security's findings on the long-term exposure of sensitive data in Git repositories. For detailed information, visit the articles at https://www.cybersecuritydive.com/news/moveit-file-transfer-cves/719933/, https://thehackernews.com/2024/06/apple-patches-airpods-bluetooth.html, and https://www.helpnetsecurity.com/2024/06/26/git-exposed-secrets/. Join us to understand the implications and recommended actions to protect your data.
Sign up for digestible cyber news delivered to your inbox: news.thedailydecrypt.com
Video Episode: https://youtu.be/CEvyUdyil_A
Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/
Evolution Equity Partners today announced the final closing of Evolution Technology Fund III, LP and total capital commitments of $1.1 billion to back visionary entrepreneurs building next-generation cybersecurity companies that safeguard the digital world. The fundraise was oversubscribed by existing and new limited partners representing a diversified mix of leading institutions, sovereign investors, insurance companies, endowments, foundations, funds of funds, family offices, and high-net-worth individuals. The capital committed gives Evolution Equity Partners a dedicated pool of capital to pursue investment opportunities ranging from $20 million to $150 million in cybersecurity and in companies utilizing machine learning and AI to build market-leading platforms. Significant investments made to date by Evolution include SecurityScorecard, Arctic Wolf, Protect AI, Talon Cyber, Torq, Snyk, Sweet Security, Aqua Security, Oleria, Halcyon, Cybsafe, Phosphorus, DefinedAI, Carbon Black, Panaseer, AVG Technologies, OpenDNS, Pentera, and Quantexa, amongst the 60 portfolio companies the firm has backed.
Read the Press Release: https://www.prnewswire.com/news-releases/evolution-equity-partners-closes-on-1-1-billion-for-cybersecurity-investment-in-oversubscribed-fund-raise-302117459.html
This time, Volkmar Kellermann and Moritz Meid, together with the experts Tobias Gerhardt from Aqua Security and Jan Walther from the "Focus On Linux" podcast, tackle the complex topic of cloud and container security, live from KubeCon in Paris. The focus is on current developments and challenges in securing public clouds and on-premise systems. They also discuss new ways of securing Z mainframes with Aqua, as well as scanning container images in secure sandbox environments. Finally, they take a look at how modern AI technologies can help in a security context. Dive with us into the world of cloud and container security and learn more about the latest trends and solution approaches!
How widespread is Infrastructure-as-Code adoption? What tools are dominating the IaC space? Could AI play a disruptive role? Join us as we dig into Firefly's comprehensive State of IaC Report and explore the latest trends with co-founder Eran Bibi. Tune in for a must-listen episode on where organizations currently stand in codifying cloud resources, and key insights into the future of managing Infrastructure-as-Code.
Download The State of IaC Report
Eran Bibi is Co-Founder & Chief Product Officer at Firefly. With years of experience in all things DevOps/SRE and security, he has earned a reputation as a CI/CD and SRE expert and an avid admin of cloud platforms and containerized environments. Prior to Firefly, Eran was Head of DevOps & Cloud Platform at Aqua Security and DevOps Group Lead at Finastra. Eran is a frequent speaker at Cloud Native meetups, AWS community meetups, and other cloud workshops and conferences.
Sponsored by: https://www.env0.com/
- First off, tell us a bit about yourself, what you're up to and how you have gotten where you are career-wise
- What are some of the key differences with cloud-native security?
- There are a lot of acronyms in the cloud-sec space, such as CWPP, CSPM, KSPM and so on. Can you unpack a few of these for the audience and what they mean?
- This also implies there are a lot of different tools and capabilities to manage. Why do you think it is important to have a comprehensive platform to bring it all together, to avoid tool sprawl and cognitive and alert fatigue?
- There's a lot of focus of course on shifting security left, and CI/CD pipelines and so on, but I know you also focus on runtime security. What makes runtime security so crucial in the cloud context?
- Can you tell us a bit about Aqua Security, what you all do and what makes you unique from some of the other platform providers and security companies out there?
- What does the term "cyber resilience" mean to you?
Today on Christopher Lochhead: Follow Your Different, we have a special episode featuring a good friend of mine, Dr. Giora Yaron. We talk about what's happening in Israel now, the realities of the situation Israel faces and what's likely to happen next. Dr. Giora Yaron is considered a legend in the startup tech world. He's known as one of the key players in creating the tech startup VC ecosystem. He started his career as a Senior Executive at National Semiconductor in the United States. Subsequent to that, he has founded, co-founded, and/or been the chairman of more than 25 deep-tech startups. He's also the former chairman of Tel Aviv University. Dr. Yaron is also a decorated Israel Defense Forces combat officer. And today, he serves as a strategic adviser to the Israeli Ministry of Defense. No matter what you think about this war, no matter how much you think you might know, there's a lot to learn in this riveting, captivating, in-depth, no-BS conversation with a living Israeli legend. Also, it's important to note this episode was recorded on October 26, 2023. You're listening to Christopher Lochhead: Follow Your Different. We are the real dialogue podcast for people with a different mind. So get your mind in a different place, and hey ho, let's go.
Dr. Giora Yaron on the current situation in Israel
Christopher Lochhead and Dr. Giora Yaron discuss the situation in Israel. Dr. Yaron shares how his family was safe living far from conflict zones, although they hosted affected families initially. He mentions the challenges faced by the IDF, with a significant number drafted, and the delicate balance between completing the mission and saving hostages. Dr. Yaron also highlights past incidents, comparing the current situation to previous attacks in 1973 and 2002. He expresses concerns about dealing with barbarian savages and the challenge of maintaining Israeli values while addressing the crisis.
Dr. Giora Yaron on the conflict's impact on civilians
The conversation then shifts to the topic of the recent conflict in Israel and its impact on civilians. Dr. Yaron discusses the strategic and moral dilemmas faced by Israel in dealing with groups like Hamas and the challenges in differentiating between combatants and civilians. He emphasizes the need to combat extremist groups aiming to establish an Islamic state and the importance of military action to achieve this. Christopher notes that many veterans, like Colin Powell, become peacemakers later in life and discusses the heroic efforts of civilians in the conflict. But Dr. Yaron responds that the situation isn't about pursuing peace but dealing with an ongoing conflict.
Dr. Giora Yaron on cultural differences and how they affect perception in the West
Dr. Yaron shares his concerns about the disconnect between Western sympathies for Palestinians and the harsh realities faced by Israelis due to terrorist attacks. He emphasizes the need for a practical approach and shares personal experiences, such as Mellanox's tragic incident, to illustrate the challenges faced in pursuing peace in the region. He further underscores the complexities of the situation and the clash between idealistic hopes for peace and the harsh realities on the ground. To hear more from Dr. Giora Yaron and the clash of ideals in Israel, download and listen to this episode.
Bio
Dr. Giora Yaron is the former Chairman of Tel Aviv University (Executive Council), and on the board of Amdocs (DOX). Dr. Yaron serves on the advisory board of the Israeli Ministry of Defense. He is also an active Founding Investor and Founder of a group of high-tech and med-tech companies: P-cube (acquired by Cisco), PentaCom (acquired by Cisco), Qumranet (acquired by Redhat), Comsys (acquired by Conexant, Texas Instruments), Exanet (acquired by Dell), Hyperwise Security (acquired by Checkpoint), Qwilt, Itamar Medical, Excelero, Equalum and Aqua Security. Dr. Yaron has been serving as board member and/or Chairman of the Boards of these com...
Sargun Kaur, co-founder of Byteboard, aims to revolutionize the tech interview process, which she believes is flawed and ineffective. In an interview with The New Stack for our Tech Founder Odyssey podcast series, Kaur compared assessing technical skills during interviews to evaluating the abilities of basketball star Steph Curry by asking him to draw plays on a whiteboard instead of watching him perform on the court. Kaur, a former employee of Symantec and Google, became motivated to change the interview process after a talented engineer she had coached failed a Google interview due to its impractical format.
Kaur believes that traditional tech interviews overly emphasize theoretical questions that do not reflect real-world software engineering tasks. This not only limits the talent pool but also leads to mis-hires, where approximately one in four new employees is unsuitable for their roles or teams. To address these issues, Kaur co-founded Byteboard in 2018 with Nicole Hardson-Hurley, another former Google employee. Byteboard offers project-based technical interviews, adopted by companies like Dropbox, Lyft, and Robinhood, to enhance the efficiency and fairness of their hiring processes. In recognition of their work, Kaur and Hardson-Hurley received Forbes magazine's "30 Under 30" award for enterprise technology.
Kaur's journey into the tech industry was unexpected, considering her initial disinterest in her father's software engineering career. However, exposure to programming and shadowing a female engineer at Microsoft sparked her curiosity, leading her to study computer science at the University of California, Berkeley. Overcoming initial challenges as a minority in the field, Kaur eventually joined Google as an engineer, content with the work environment and mentorship she received. However, her dissatisfaction with the interview process prompted her to apply to Google's Area 120 project incubator, leading to the creation of Byteboard.
Kaur's experience with Byteboard's development and growth taught her valuable lessons about entrepreneurship, the power of founders in fundraising meetings, and the potential impact of AI on tech hiring processes.
Check out more episodes in The Tech Founder Odyssey series:
A Lifelong ‘Maker' Tackles a Developer Onboarding Problem
How Teleport's Leader Transitioned from Engineer to CEO
How 2 Founders Sold Their Startup to Aqua Security in a Year
Shanea Leven, co-founder and CEO of CodeSee, shared her journey as a tech founder in an episode of the Tech Founder Odyssey podcast series. Despite coming to programming later than many of her peers, Leven always had a creative spark and a passion for making things. She initially pursued fashion design but taught herself programming in college and co-founded a company building custom websites for book authors. This experience eventually led her to a job at Google, where she worked in product development.
While at Google, Leven realized the challenge of deciphering legacy code and onboarding developers to it. Inspired by a presentation by Bret Victor, she came up with the idea for CodeSee—a developer platform that helps teams understand and review code bases more effectively. She started working on CodeSee in 2019 as a side project, but it soon received venture capital funding, allowing her to quit her job and focus on the startup full-time.
Leven candidly discussed the challenges of juggling a day job and a startup, particularly after receiving funding. She also shared advice on raising money from venture capitalists and building a company culture.
Listen to the full episode and check out more installments from The Tech Founder Odyssey:
How Teleport's Leader Transitioned from Engineer to CEO
How 2 Founders Sold Their Startup to Aqua Security in a Year
How Solvo's Co-Founder Got the ‘Guts' to Be an Entrepreneur
"Good software is built by happy, well-supported people", Rust Foundations, an independent non-profit organization dedicated to stewarding the Rust programming language. Most open-source software developers are paid professionals, usually working in corporations or enterprises, but they may be working anywhere. And it may or may not be the hobby project that they're working on. It's often their main line. What is the Rust Foundation in terms of also supporting open source? We've invited Rebecca Rumbul, Rust Foundation's CEO, to learn more. -Open source today, with Anais Urlichs, Developer Advocate at Aqua Security and CNCF Ambassador of the year from 2021: https://hubs.li/Q01WCyss0 -How companies can approach open source contributions, a podcast episode with GitHub: https://hubs.li/Q01TNn3g0 -Open source projects at Eficode: https://hubs.li/Q01WCzCn0
How do you know that what you're using in the open source field is legitimate? More and more people are moving to open source tools, and they don't question whether Grafana or any other open source monitoring solution is legitimate, because they're so widely used by so many companies. The collective knowledge and collective input that open source now provides generates trust from the community. We invited Anaïs Urlichs, Developer Advocate at Aqua Security and CNCF Ambassador of the Year 2021, to discuss open source today.
How companies can approach open source contributions, a podcast episode with GitHub: https://hubs.li/Q01TNn3g0
Join this episode of In the Nic of Time with Amir Jerbi, Co-Founder of Aqua Security as they discuss the evolution of cloud-native security in the last 7 years, the concept of dev to cloud and how it differs from GitOps, the value of being cloud agnostic, an introduction to Trivy and Tracee, the concepts of pre-breach and post-breach security, the importance of Software Bill of Materials, the top challenges faced by customers today, the evolution of malicious actors and their tactics, and the role of technologies like GPT in augmenting security capabilities.
Chris Smith is the Chief Revenue Officer of Aqua Security, the largest pure-play cloud-native security company. In this episode we discuss Aqua Security's role in the cloud security market, their strategy for becoming the category leader, and the importance of having a strong playbook for sales and marketing. Chris emphasizes the importance of understanding customers' needs and conducting user interviews to inform marketing, messaging, the sales playbook, the competitive landscape, and product direction. He also shares his approach to conducting interviews and managing employees. Click here to learn more about Customer Conversation and how Revenue Leaders buy technology to enable their teams' success.
For our latest episode, we sit down with Amir Jerbi, who is currently the Co-Founder and CTO of Aqua Security, a platform that provides scalable security for the complete development-to-deployment lifecycle of containerized applications. Amir brings decades of expertise on containers, Kubernetes, cloud security, enterprise software, software development and DevOps to the conversation. Amir formerly worked at CA Technologies in the security group, helping Fortune 100 customers secure their Linux and Windows hosts as they moved to virtualization technologies.
During the episode, we dive into providing security for cloud native and containers, and how tools like Trivy can help teams quickly find and correct vulnerabilities before moving to production. We also discuss how tools like tfsec, which checks the configuration of the cloud resources that Terraform and CloudFormation generate, can further close security gaps for teams. Listeners will also learn how to integrate the two tools to implement security best practices for their organizations. Tune in now!
Speed is a recurring theme in this episode of The Tech Founder Odyssey. Also, timing.
Eilon Elhadad and Eylam Milner, who met while serving in the Israeli military, discovered that source code leak was a hazardous side effect of businesses' need to move fast and break things in order to stay competitive.
“Every new business challenge leads to a new technological solution,” said Elhadad in this episode of The New Stack's podcast series. “The business challenge was to deliver product faster to the business; the solution was to build off the supply chain. And then it leads to a new security attack surface.”
Discovering this problem, and finding a solution to it, put Milner and Elhadad in the right place at the right time — just as the tech industry was beginning to rally itself to deal with this issue and give it a name: software supply chain security.
It led them to co-found Argon Security, which was acquired by Aqua Security in late 2021, Elhadad told The New Stack, a year after Argon started.
A dashboard whose red-coloured alerts motivate you to ignore it? Security as a universal insurance policy against unlikely eventualities? What has changed in security in recent years, and what possibilities do cloud native technologies offer here? Thanks to automation and more mature technologies, so much more is possible today. Alongside these possibilities, our awareness has also evolved toward using such technologies in a more targeted way. We met the security experts Tobias Gerhardt from Aqua and Stefan Trimborn from SysDig at Container Security Day and asked them what really matters.
Bret is joined by Anaïs Urlichs of Aqua Security to talk container and Kubernetes security tools like trivy, kube-bench, tracee, and kube-hunter. I've been using trivy for over four years to scan for known vulnerabilities in my own container images and my clients'. We also look at tracee, a new tool that is part of a new generation of tools that use the Linux kernel eBPF feature to investigate what's happening in real time on your servers. Anaïs is great as an explainer of Kubernetes and all cloud native things, and she's the creator of the 100 Days of Kubernetes tutorials on her YouTube channel, where she breaks down various cloud native topics for beginners. Based on what I've learned in this show from Anaïs, I plan to change how I use trivy so that it's scanning more things and more often in my CI automation pipelines.
Streamed live on YouTube on November 3, 2022.
Unedited live recording of this show on YouTube (Ep #190)
★Topics★
Aqua Security Tools
Aqua Security on YouTube
Trivy
Trivy-Operator
kube-bench
tracee
kube-hunter
★Anaïs Urlichs★
Anaïs on Twitter
Anaïs' Newsletter
Anaïs on YouTube
100 Days of Kubernetes
★Join my Community★
New live course on CI automation and gitops deployments
Best coupons for my Docker and Kubernetes courses
Chat with us and fellow students on our Discord Server DevOps Fans
Homepage bretfisher.com
★ Support this podcast on Patreon ★
Matt Richards is an international business and product marketing leader with more than 25 years in B2B technology, working with companies of all sizes. He is the Chief Marketing Officer for Aqua Security, the largest pure-play cloud native security company worldwide. Before Aqua, Matt was the CMO for Datto and the VP of Products and Markets at ownCloud, among other leading positions. He brings his mindset from mechanical engineering to marketing in order to find clever solutions to drive growth.
In this episode…
Marketing is often treated as driven exclusively by data and numbers, but there is a lot more to consider if your brand is going to keep growing. Behind the analytics are real people. The best forms of marketing require trust, understanding people, and content that naturally captures customers. Matt Richards of Aqua Security has spent nearly 25 years learning how to market products effectively. His approach is focused less on feeding funnels and more on the customer's perspective. So what does this mindset look like when applied to marketing campaigns? In this episode of the Revenue Engine Podcast, Alex Gluz sits down with Matt Richards, the CMO of Aqua Security, to discuss organic marketing in the security industry. They talk about Aqua Security's business model, what a successful dimension strategy looks like, and how they overcome the challenges of the industry. Lastly, they discuss Matt's background and the best advice he's received.
With some of his Getup colleagues, João Brito comments on the most relevant changes in Kubernetes version 1.25. Among them are the final removal of PSP (PodSecurityPolicy), the deprecation of GlusterFS support, and the death of Autoscaling v2 beta 1. There is also the arrival, still in alpha, of the Linux namespace feature (not the Kubernetes one, huh!?) and the graduation to stable of the Pod Security Admission and Local Ephemeral Storage Capacity Isolation features.
Another novelty is that PDB (Pod Disruption Budget) moves to the default version, which is why we recommend keeping production deployments at a minimum of two replicas to avoid headaches during an update, for example.
Amid the observations on the new version, the crew talked about the pros and cons of working with a managed cluster vs an on-premise cluster, and whether there is any feature gate that is missing in a production cluster.
LINKS to what was discussed on the show:
Article by Karol Valencia of Aqua Security: https://blog.aquasec.com/kubernetes-version-1.25
KubiLab - video tutorial by Adonai Costa on KEDA: https://gtup.me/KubilabKeda
Participants' RECOMMENDATIONS:
One Punch Man (manga book)
Attack on Titan (manga series)
The Sandman (film)
Narradores de Javé (film)
Five Days at Memorial (series on Apple TV+)
INVITATION! We are close to Kubicast #100 and we are going to celebrate this milestone in a very special way! In an “ASK ME ANYTHING” format, the audience will be able to ask all their questions about Kubernetes and related topics! Sign up to participate: https://getup.io/participe-do-kubicast-100. The event takes place on 15/9 at 7 pm on Zoom.
ABOUT KUBICAST
Kubicast is a production of Getup, a Kubernetes specialist. All episodes of the podcast are on the Getup website and on the main digital audio platforms. Some of them are recorded on YouTube. #DevOps #Kubernetes #Containers #Kubicast
About Anaïs
Anaïs is a Developer Advocate at Aqua Security, where she contributes to Aqua's cloud native open source projects. When she is not advocating DevOps best practices, she runs her own YouTube channel centered around cloud native technologies. Before joining Aqua, Anaïs worked as an SRE at Civo, a cloud native service provider, where she helped enhance the infrastructure for hundreds of tenant clusters. As CNCF Ambassador of the Year 2021, her passion lies in making tools and platforms more accessible to developers and community members.
Links Referenced:
Aqua Security: https://www.aquasec.com/
Aqua Open Source YouTube channel: https://www.youtube.com/c/AquaSecurityOpenSource
Personal blog: https://anaisurl.com
Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.
Corey: This episode is sponsored in part by our friends at AWS AppConfig. Engineers love to solve, and occasionally create, problems. But not when it's an on-call fire-drill at 4 in the morning. Software problems should drive innovation and collaboration, NOT stress, and sleeplessness, and threats of violence. That's why so many developers are realizing the value of AWS AppConfig Feature Flags. Feature Flags let developers push code to production, but hide that feature from customers so that the developers can release their feature when it's ready. This practice allows for safe, fast, and convenient software development. You can seamlessly incorporate AppConfig Feature Flags into your AWS or cloud environment and ship your Features with excitement, not trepidation and fear. To get started, go to snark.cloud/appconfig. That's snark.cloud/appconfig.
Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.
Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Every once in a while, when I start trying to find guests to chat with me and basically suffer my various slings and arrows on this show, I encounter something that I've never really had the opportunity to explore further. And today's guest leads me in just such a direction. Anaïs is an open-source developer advocate at Aqua Security, and when I was asking her whether or not she wanted to talk about various topics, one of the first things she said was, “Don't ask me much about AWS because I've never used it,” which, oh my God. Anaïs, thank you for joining me. You must be so very happy never to have dealt with the morass of AWS.
Anaïs: [laugh]. Yes, I'm trying my best to stay away from it. [laugh].
Corey: Back when I got into the cloud space, for lack of a better term, AWS was sort of really the only game in town unless you wanted to start really squinting hard at what you define cloud as. I mean yes, I could have gone into Salesforce or something, but I was already sad and angry all the time. These days, you can very much go all-in on cloud. In fact, you were a CNCF ambassador, if I'm not mistaken. So, you absolutely are in the infrastructure cloud space, but you haven't dealt with AWS. That is just an interesting path. Have you found others who have gone down that same road, or are you sort of the first of a new breed?
Anaïs: I think to find others who are in a similar position or have a similar experience, as you do, you first have to talk about your experience, and this is the first time, or maybe the second, that I'm openly [laugh] saying it on something that will be posted live, like, to the internet. Before I, like, I tried to stay away from mentioning it at all, do the best that I can because I'm at this point where I'm so far into my cloud-native Kubernetes journey that I feel like I should have had to deal with AWS by now, and I just didn't. And I'm doing my best and I'm very successful in avoiding it. [laugh]. So, that's where I am. Yeah.
Corey: We're sort of on opposite sides of a particular fence because I spend entirely too much time being angry at AWS, but I've never really touched Kubernetes in anger. I mean, I see it in a lot of my customer accounts and I get annoyed at its data transfer bills and other things that it causes in an economic sense, but as far as the care and feeding of a production cluster, back in my SRE days, I had very old-school architectures. It's, “Oh, this is an ancient system, just like grandma used to make,” where we had the entire web tier, then a job applic—or application server tier, and then a database at the end, and everyone knew where everything was. And then containers came out of nowhere, and it seemed like okay, this solves a bunch of problems and introduces a whole bunch more. How do I orchestrate them? How do I ensure that they're healthy?
And then ah, Kubernetes was the answer. And for a while, it seemed like no matter what the problem was, Kubernetes was going to be the answer because people were evangelizing it pretty hard. And now I see it almost everywhere that I turn. What's your journey been like? How did you get into the weeds of, “You know what I want to do when I grow up? That's right. I want to work on container orchestration systems.” I have a five-year-old. She has never once said that because I don't abuse my children by making them learn how clouds work. How did you wind up doing what you do?
Anaïs: It's funny that you mention that. So, I'm actually of the generation of engineers who doesn't know anything else but Kubernetes. So, when you mentioned that you used to use something before, I don't really know what that looks like. I know that you can still deploy systems without Kubernetes, but I have no idea how. My journey into the cloud-native space started out of frustration from the previous industry that I was working at.
So, I was working for several years as developer advocate in the open-source blockchain cryptocurrency space and it's highly similar to all of the cliches that you hear online and across the news. And out of this frustration, [laugh] I was looking at alternatives. One of them was either going into game development, into the gaming industry, or the cloud-native space and infrastructure development and deployment. And yeah, that's where I ended up. So, at the end of 2020, I joined a startup in the cloud-native space and started my social media journey.
Corey: One of the things that I found that Kubernetes solved for—and to be clear, Kubernetes really came into its own after I was doing a lot more advisory work and a lot more consulting style activity rather than running my own environments, but there's an entire universe of problems that the modern day engineer never has to think about due to, partially cloud and also Kubernetes as well, which is the idea of hardware or node failure. I've had middle of the night driving across Los Angeles in a panic getting to the data center because the disk array on the primary database had degraded because the drive failed. That doesn't happen anymore. And clouds have mostly solved that. It's okay, drives fail, but yeah, that's the problem for some people who live in Virginia or Oregon. I don't have to think about it myself.
But you do have to worry about instances failing; what if the primary database instance dies? Well, when everything lives in a container then that container gets moved around in the stateless way between things, well great, you really only have to care instead about okay, what if all of my instances die? Or, what if my code is really crappy? To which my question is generally, what do you mean, ‘if?' All of us write crappy code.
That's the nature of the universe. We open-source only the small subset that we are not actively humiliated by, which is, in a lot of ways, what you're focusing on now, over at Aqua Sec, you are an advocate for open-source. One of the most notable projects that come out of that is Trivy, if I'm pronouncing that correctly.
Anaïs: Yeah, that's correct. Yeah. So, Trivy is our main open-source project. It's an all-in-one cloud-native security scanner. And it's actually—it's focused on misconfiguration issues, so it can help you to build more robust infrastructure definitions and configurations.
So ideally, a lot of the things that you just mentioned won't happen, but it obviously, highly depends on so many different factors in the cloud-native space. But definitely misconfigurations are one of those areas that can easily go wrong. And also, not just that the data you have might cease to exist, but the worst thing or, like, as bad might be that it's completely exposed online. And there are databases of different exposures where you can see all kinds of data and information, from just health data to dating apps, just being online, available because the IP address is not protected, right? Things like that. [laugh].
Corey: We all get those emails that start with, “Your security is very important to us,” and I know just based on that opening to an email, that the rest of that email is going to explain how security was not very important to you folks. And it's the apology, “Oops, we have messed up,” email. Now, the whole world of automated security scanners is… well, it's crowded. There are a number of different services out there that the cloud providers themselves offer a bunch of these, a whole bunch of scareware vendors at the security conferences do as well. Taking a quick glance at Trivy, one of the problems I see with it, from a cloud provider perspective, is that I see nothing that it does that winds up costing extra money on your cloud bill that you then have to pay to the cloud provider, so maybe they'll put a pull request in for that one of these days. But my sarcasm aside, what is it that differentiates Trivy from a bunch of other offerings in various spaces?
Anaïs: So, there are multiple factors. If we're looking from an enterprise perspective, you could be using one of the in-house scanners from any of the cloud providers available, depending which you're using. The thing is, they are not generally going to be the ones who have a dedicated research team that provides the updates based on the vulnerabilities they find across the space. So, with an open-source security scanner or from a dedicated company, you will likely have more up-to-date information in your scans. Also, lots of different companies, they're using Trivy under the hood ultimately, or for their own scans.
I can link a few where you can also find them in a Trivy repository.
But ultimately, a lot of companies rely on Trivy and other open-source security scanners under the hood because they are from dedicated companies. Now, the other part to Trivy and why you might want to consider using Trivy is that in larger teams, you will have different people dealing with different components of your infrastructure, of your deployments, and you could end up having to use multiple different security scanners for all your different components from your container images that you're using, whether or not they are secure, whether or not they're following best practices that you defined to your infrastructure-as-code configurations, to you're running deployments inside of your cluster, for instance. So, each of those different stages across your lifecycle, from development to runtime, will maybe either need different security scanners, or you could use one security scanner that does it all. So, you could have in a team more knowledge sharing, you could have dedicated people who know how to use the tool and who can help out across a team across the lifecycle, and similar. So, that's one of the components that you might want to consider.Another thing is how mature is a tool, right? A lot of cloud providers, what they end up doing is they provide you with a solution, but it's nice to decoupled from anything else that you're using. And especially in the cloud-native space, you're heavily reliant on open-source tools, such as for your observability stack, right? Coming from Site Reliability Engineering also myself, I love using metrics and Grafana. And for me, if anything open-source from Loki to accessing my logs, to Grafana to dashboards, and all their integrations.I love that and I want to use the same tools that I'm using for everything else, also for my security tools. I don't want to have the metrics for my security tools visualized in a different solution to my reliability metrics for my application, right? 
Because that ultimately makes it more difficult to correlate metrics. So, those are, like, some of the factors that you might want to consider when you're choosing a security scanner.Corey: When you talk about thinking about this, from the perspective of an SRE is—I mean, this is definitely an artifact of where you come from and how you approach this space. Because in my world, when you have ten web servers, five application servers, and two database servers and you wind up with a problem in production, how do you fix this? Oh, it's easy. You log into one of those nodes and poke around and start doing diagnostics in production. In a containerized world, you generally can't do that, or there's a problem on a container, and by the time you're aware of that, that container hasn't existed for 20 minutes.So, how do you wind up figuring out what happens? And instrumenting for telemetry and metrics and observability, particularly at scale becomes way more important than it ever was, for me. I mean, my version of monitoring was always Nagios, which was the original Call of Duty that wakes you up at two in the morning when the hard drive fails. The world has thankfully moved beyond that and a bunch of ways. But it's not first nature for me. It's always, “Oh, yeah, that's right. We have a whole telemetry solution where I can go digging into.” My first attempt is always, oh, how do I get into this thing and poke it with a stick? Sometimes that's helpful, but for modern applications, it really feels like it's not.Anaïs: Totally. When we're moving to an infrastructure to an environment where we can deploy multiple times a day, right, and update our application multiple times a day, multiple times a day, we can introduce new security issues or other things can go wrong, right? 
So, I want to see—as much as I want to see all of the other failures, I want to see any security-related issues that might be deployed alongside those updates at the same frequency, right?Corey: The problem that I see across all this stuff, though, is there are a bunch of tools out there that people install, but then don't configure because, “Oh, well, I bought the tool. The end.” I mean, I think it was reported almost ten years ago or so on the big Target breach that they wound up installing some tool—I want to say FireEye, but please don't quote me on that—and it wound up firing off a whole bunch of alerts, and they figured was just noise, so they turned it all off. And it turned out no, no, this was an actual breach in progress. But people are so used to all the alarms screaming at them, that they don't dig into this.I mean, one of the original security scanners was Nessus. And I seen a lot of Nessus reports because for a long time, what a lot of crappy consultancies would do is they would white-label the output of whatever it was that Nessus said and deliver that in as the report. So, you'd wind up with 700 pages of quote-unquote, “Security issues.” And you'd have to flip through to figure out that, ah, this supports a somewhat old SSL negotiation protocol, and you're focusing on that instead of the oh, and by the way, the primary database doesn't have a password set. Like, it winds up just obscuring it because there is so much. How does Trivy approach avoiding the information overload problem?Anaïs: That's a great question because everybody's complaining about vulnerability fatigue, of them, for the first time, scanning their container images and workloads and seeing maybe even hundreds of vulnerabilities. And one of the things that can be done to counteract that right from the beginning is investing your time into looking at the different flags and configurations that you can do before actually deploying Trivy to, for example, your cluster. 
That's one part of it. The other part is I mentioned earlier, you would use a security scan at different parts of your deployment. So, it's really about integrating scanning not just once you—like, in your production environment, once you've deployed everything, but using it already before and empowering engineers to actually use it on their machines.Now, they can either decide to do it or not; it's not part of most people's job to do security scanning, but as you move along, the more you do, the more you can reduce the noise and then ultimately, when you deploy Trivy, for example, inside of your cluster, you can do a lot of configuration such as scanning just for critical vulnerabilities, only scanning for vulnerabilities that already have a fix available, and everything else should be ignored. Those are all factors and flags that you can place into Trivy, for instance, and make it easier. Now, with Trivy, you won't have automated PRs and everything out of the box; you would have to set up the actions or, like, the ways to mitigate those vulnerabilities manually by yourself with tools, as well as integrating Trivy with your existing stack, and similar. 
But then obviously, if you want to have something more automated, if you want to have something that does more for you in the background, that's when you want to use to an enterprise solution and shift to something like Aqua Security Enterprise Platform that actually provides you with the automated way of mitigating vulnerabilities where you don't have to know much about it and it just gives you the solution and provides you with a PR with the updates that you need in your infrastructure-as-code configurations to mitigate the vulnerability [unintelligible 00:15:52]?Corey: I think that's probably a very fair answer because let's be serious when you're running a bank or someone for whom security matters—and yes, yes, I know, security should matter for everyone, but let's be serious, I care a little bit less about the security impact of, for example, I don't know, my Twitter for Pets nonsense, than I do a dating site where people are not out about their orientation or whatnot. Like, there is a world of difference between the security concerns there. “Oh, no, you might be able to shitpost as me if you compromise my lasttweetinaws.com Twitter client that I put out there for folks to use.” Okay, great. That is not the end of the world compared to other stuff.By the time you're talking about things that are critically important, yeah, you want to spend money on this, and you want to have an actual full-on security team. But open-source tools like this are terrific for folks who are just getting started or they're building something for fun themselves and as it turns out, don't have a full security budget for their weird late-night project. I think that there's a beautiful, I guess, spectrum, as far as what level of investment you can make into security. 
And it's nice to see the innovation continued happening in the space.Anaïs: And you just mentioned that dedicated security companies, they likely have a research team that's deploying honeypots and seeing what happens to them, right? Like, how are attackers using different vulnerabilities and misconfigurations and what can be done to mitigate them. And that ultimately translates into the configurations of the open-source tool as well. So, if you're using, for instance, a security scanner that doesn't have an enterprise company with a research team behind it, then you might have different input into the data of that security scanner than if you do, right? So, these are, like, additional considerations that you might want to take when choosing a scanner. And also that obviously depends on what scanning you want to do, on the size of your company, and similar, right?Corey: This episode is sponsored in part by our friend EnterpriseDB. EnterpriseDB has been powering enterprise applications with PostgreSQL for 15 years. And now EnterpriseDB has you covered wherever you deploy PostgreSQL on-premises, private cloud, and they just announced a fully-managed service on AWS and Azure called BigAnimal, all one word. Don't leave managing your database to your cloud vendor because they're too busy launching another half-dozen managed databases to focus on any one of them that they didn't build themselves. Instead, work with the experts over at EnterpriseDB. They can save you time and money, they can even help you migrate legacy applications—including Oracle—to the cloud. To learn more, try BigAnimal for free. Go to biganimal.com/snark, and tell them Corey sent you.Corey: Something that I do find fairly interesting is that you started off, as you say, doing DevRel in the open-source blockchain world, then you went to work as an SRE, and then went back to doing DevRel-style work. 
What got you into SRE and what got you out of SRE, other than the obvious having worked in SRE myself and being unhappy all the time? I kid, but what was it that got you into that space and then out of it?Anaïs: Yeah. Yeah, but no, it's a great question. And it's, I guess, also was shaped my perspective on different tools and, like, the user experience of different tools. But ultimately, I first worked in the cloud-native space for an enterprise tool as developer advocate. And I did not like the experience of working for a paid solution. Doing developer advocacy for it, it felt wrong in a lot of ways. A lot of times you were required to do marketing work in those situations.And that kind of got me out of developer advocacy into SRE work. And now I was working partially or mainly as SRE, and then on the side, I was doing some presentations in developer advocacy. However, that split didn't quite work, either. And I realized that the value that I add to a project is really the way I convey information, which I can't do if I'm busy fixing the infrastructure, right? I can't convey the information of as much of how the infrastructure has been fixed as I can if I'm working with an engineering team and then doing developer advocacy, solely developer advocacy within the engineering team.So, how I ultimately got back into developer advocacy was just simply by being reached out to by my manager at Aqua Security, and Itay telling me, him telling me that he has a role available and if I want to join his team. And it was open-source-focused. Given that I started my career for several years working in the open-source space and working with engineers, contributing to open-source tools, it was kind of what I wanted to go back to, what I really enjoy doing. And yeah, that's how that came about [laugh].Corey: For me, I found that I enjoy aspects of the technology part, but I find I enjoy talking to people way more. 
And for me, the gratifying moment that keeps me going, believe it or not, is not necessarily helping giant companies spend slightly less money on another giant company. It's watching people suddenly understand something they didn't before, it's watching the light go on in their eyes. And that's been addictive to me for a long time. I've also found that the best way for me to learn something is to teach someone else.I mean, the way I learned Git was that I foolishly wound up proposing a talk, “Terrible Ideas in Git”—we'll teach it by counterexample—four months before the talk. And they accepted it, and crap, I'd better learn enough get to give this talk effectively. I don't recommend this because if you miss the deadline, I checked, they will not move the conference for you. But there really is something to be said for watching someone learn something by way of teaching it to them.Anaïs: It's actually a common strategy for a lot of developer advocates of making up a talk and then waiting whether or not it will get accepted. [laugh] and once it gets accepted, that's when you start learning the tool and trying to figure it out. Now, it's not a good strategy, obviously, to do that because people can easily tell that you just did that for a conference. And—Corey: Sounds to me, like, you need to get better at bluffing. I kid.Anaïs: [laugh].Corey: I kid. Don't bluff your way through conference talks as a general rule. It tends not to go well. [laugh].Anaïs: No. It's a bad idea. It's a really bad idea. And so, I ultimately started learning the technologies or, like, the different tools and projects in the cloud-native space. And there are lots, if you look at the CNCF landscape, right? But just trying to talk myself through them on my YouTube channel. So, my early videos on my channel, it's just very much on the go of me looking for the first time at somebody's documentation and not making any sense out of them.Corey: It's surprising to me how far that gets you. 
I mean, I guess I'm always reminded of that Tom Hanks movie from my childhood Big where he wakes up—the kid wakes up as an adult one day, goes to work, and bluffs his way into working at a toy company. He's in a management meeting and just they're showing their new toy they're going to put out there and he's, “I don't get it.” Everyone looks at him like how dare you say it? And, “I don't get it. What's fun about this?” Because he's a kid.And he wants to getting promoted to vice president because wow, someone pointed out the obvious thing. And so often, it feels like using a tool or a product, be it open-source or enterprise, it is clearly something different in my experience of it when I try to use this thing than the person who developed it. And very often it's that I don't see the same things or think of the problem space the same way that the developers did, but also very often—and I don't mean to call anyone in particular out here—it's a symptom of a terrible user interface or user experience.Anaïs: What you've just said, a lot of times, it's just about saying the thing that nobody that dares to say or nobody has thought of before, and that gets you obviously, easier, further [laugh] then repeating what other people have already mentioned, right? And a lot of what you see a lot of times in these—also an open-source projects, but I think more even in closed-source enterprise organizations is that people just repeat whatever everybody else is saying in the room, right? You don't have that as much in the open-source world because you have more input or easier input in public than you do otherwise, but it still happens that I mean, people are highly similar to each other. If you're contributing to the same project, you probably have a similar background, similar expertise, similar interests, and that will get you to think in a similar way. 
So, if there's somebody like, like a high school student maybe, somebody just graduated, somebody from a completely different industry who's looking at those tools for the first time, it's like, “Okay, I know what I'm supposed to do, but I don't understand why I should use this tool for that.” And just pointing that out, gets you a response, most of the time. [laugh].Corey: I use Twitter and use YouTube. And obviously, I bias more for short, pithy comments that are dripping in sarcasm, whereas in a long-form video, you can talk a lot more about what you're seeing. But the problem I have with bad user experience, particularly bad developer experience, is that when it happens to me—and I know at a baseline level, that I am reasonably competent in technical spaces, but when I encounter a bad interface, my immediate instinctive reaction is, “Oh, I'm dumb. And this thing is for smart people.” And that is never, ever true, except maybe with quantum computing. Great, awesome. The Hello World tutorial for that stuff is a PhD from Berkeley. Good luck if you can get into that. But here in the real world where the rest of us play, it's just a bad developer experience, but my instinctive reaction is that there's stuff I don't know, and I'm not good enough to use this thing. And I get very upset about that.Anaïs: That's one of the things that you want to do with any technical documentation is that the first experience that anybody has, no matter the background, with your tool should be a success experience, right? Like people should look at it, use maybe one command, do one thing, one simple thing, and be like, “Yeah, this makes sense,” or, like, this was fun to do, right? Like, this first positive interaction. And it doesn't have to be complex. And that's what many people I think get wrong, that they try to show off how powerful a tool is, of like, oh, “My God, you can do all those things. 
It's so exciting, right?” But [laugh] ultimately, if nobody can use it or if most of the people, 99% of the people who try it for the first time have a bad experience, it makes them feel uncomfortable or any negative emotion, then it's really you're approaching it from the wrong perspective, right?Corey: That's very apt. I think it's so much of whether people stick with something long enough to learn it and find the sharp edges has to do with what their experience looks like. I mean, back when I was more or less useless when it comes to anything that looked like programming—because I was a sysadmin type—I started contributing to SaltStack. And what was amazing about that was Tom Hatch, the creator of the project had this pattern that he kept up for way too long, where whenever anyone submitted an issue, he said, “Great, well, how about you fix it?” And because we had a patch, like, “Well, I'm not good at programming.” He's like, “That's okay. No one is. Try it and we'll see.”And he accepted every patch and then immediately, you'd see another patch come in ten minutes later that fixed the problems in your patch. But it was the most welcoming and encouraging experience, and I'm not saying that's a good workflow for an open-source maintainer, but he still remains one of the best humans I know, just from that perspective alone.Anaïs: That's amazing. I think it's really about pointing out that there are different ways of doing open-source [laugh] and there is no one way to go about it. So, it's really about—I mean, it's about the community, ultimately. That's what it boils down to, of you are dependent, as an open-source project, on the community, so what is the best experience that you can give them? If that's something that you want to and can invest in, then yeah [laugh] that's probably the best outcome for everybody.Corey: I do have one more question, specifically around things that are more timely. 
Now, taking a quick look at Trivy and recent features, it seems like you've just now—now-ish—started supporting cloud scanning as well. Previously, it was effectively, “Oh, this scans configuration and containers. Okay, great.” Now, you're targeting actually scanning cloud providers themselves. What does this change and what brought you to this place, as someone who very happily does not deal with AWS?Anaïs: Yeah, totally. So, I just started using AWS, specifically to showcase this feature. So, if you look at the Aqua Open Source YouTube channel, you will find several tutorials that show you how to use that feature, among others.Now, what I mentioned earlier in the podcast already is that Trivy is really versatile, it allows you to scan different aspects of your stack at different stages of your development lifecycle. And that's made possible because Trivy is ultimately using different open-source projects under the hood. For example, if you want to scan your infrastructure-as-code misconfigurations, it's using a tool called tfsec, specifically for Terraform. And then other tools for other scanning, for other security scanning. Now, we have—or had; it's going to be probably deprecated—a tool called CloudSploit in the Aqua open-source project suite.Now, that's going to, kind of like, the functionality that CloudSploit was providing is going to get converted to become part of Trivy, so everything scanning-related is going to become part of Trivy that really, like, once you understand how Trivy works and all of the CLI commands in Trivy have exactly the same structure, it's really easy to scan from container images to infrastructure-as-code, to generating s-bombs to scanning also now, your cloud infrastructure and Trivy can scan any of your AWS services for misconfigurations, and it's using basically the AWS client under the hood to connect with the services of everything you have set up there, and then give you the list of misconfigurations. 
And once it has done the scan, you can then drill down further into the different aspects of your misconfigurations without performing the entire scan again, since you likely have lots and lots of resources, so you wouldn't want to scan them every time again, right, when you perform the scan. So, once something has been scanned, Trivy will know whether the resource changed or not, it won't scan it again. That's the same way that in-classes scanning works right now. Once a container image has been scanned for vulnerabilities, it won't scan the same container image again because that would just waste time. [laugh]. So yeah, do check it out. It's our most recent feature, and it's going to come out also to the other cloud providers out there. But we're starting with AWS and this kind of forced me to finally [laugh] look at it for the sake of it. But I'm not going to be happy. [laugh].Corey: No, I don't think anyone is. It's every time I see on a resume that someone says, “Oh, I'm an expert in AWS,” it's, “No you're not.” They have 400-some-odd services now. We have crossed the point long ago, where I can very convincingly talk about AWS services that do not exist to Amazonians and not get called out for it because who in the world knows what they run? And half of their services sound like something I made up to be funny, but they're very real. It's wild to me that it is a sprawling as it is and apparently continues to work as a viable business.But no one knows all of it and everyone feels confused, lost, and overwhelmed every time they look at the AWS console. This has been my entire career in life for the last six years, and I still feel that way. So, I'm sure everyone else does, too.Anaïs: And this is how misconfigurations happen, right? You're confused about what you're actually supposed to do and how you're supposed to do it. 
And that's, for example, with all the access rights in Google Cloud, something that I'm very familiar with, that completely overwhelms you and you get super frustrated by, and you don't even know what you give access to. It's like, if you've ever had to configure Discord user roles, it's a similar disaster. You will not know which user has access to which. They kind of changed it and try to improve it over the past year, but it's a similar issue that you face in cloud providers, just on a much larger-scale, not just on one chat channel. [laugh]. So.Corey: I think that is probably a fair place to leave it. I really want to thank you for spending as much time with me as you have talking about the trials and travails of, well, this industry, for lack of a better term. If people want to learn more, where's the best place to find you?Anaïs: So, I have a weekly DevOps newsletter on my blog, which is anaisurl—like, how you spell U-R-L—and then dot com. anaisurl.com. That's where I have all the links to my different channels, to all of the resources that are published where you can find out more as well. So, that's probably the best place. Yeah.Corey: And we will, of course, put a link to that in the show notes. I really want to thank you for being as generous with your time as you have been. Thank you.Anaïs: Thank you for having me. It was great.Corey: Anaïs, open-source developer advocate at Aqua Security. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry, insulting comment that I will never see because it's buried under a whole bunch of minor or false-positive vulnerability reports.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. 
We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.
In this episode, Marc and Dror Davidoff, Aqua Security Co-founder and CEO, discuss his passion for his home country of Israel's prominence as a global technology hub and how it led to his founding of one of the most successful security startups of recent years. You'll also learn about:
- How Israel's dominance in the technology sector and development of some of the best tech talent in the world has helped shape the country's culture
- The current state of the cloud native threat landscape
- Why responsible management and responsible hiring are critical for business leaders
- Why social impact is core to Aqua's values and why giving back is a responsibility of the tech community
Security is everyone's business. And as everyone seems to be moving to Cloud Native, it's important to understand what the security landscape in k8s, containerized apps, serverless, … looks like. To learn more about this we invited Anais Urlichs (@urlichsanais), Developer Advocate at Aqua Security and CNCF Ambassador of the year 2021. Over the past years Anais has educated thousands of people on cloud native, DevOps and security on her YouTube channel. Tune in and learn more about the different approaches to security in cloud native, which open source projects are out there, and her advice on embedding security in your day-to-day work.
Some additional links we discussed can be found here:
Anais on LinkedIn: https://www.linkedin.com/in/urlichsanais/
Anais on Twitter: https://twitter.com/urlichsanais
Trivy: https://github.com/aquasecurity/trivy
Weekly DevOps Newsletter: https://anaisurl.com/
WTFisSRE Talk: https://www.youtube.com/watch?v=0zL61AiOaK0
Anais's YouTube channel: https://www.youtube.com/c/AnaisUrlichs
Aqua Open Source YouTube Channel: https://www.youtube.com/channel/UCb4mfRT5UWpjoUQRcIE2qOQ
In this episode we speak to Liz Rice, Chief Open Source Officer at Isovalent, the company behind the open source eBPF product Cilium. We discuss why it's such a revolutionary approach to developing low-level kernel applications, how BPF can be used for observability, networking and security, how developers should think about application security, and why all of these technologies are open source.
About Liz Rice
Liz Rice is Chief Open Source Officer at eBPF pioneers Isovalent, creators of the Cilium project, which provides cloud native networking, observability and security. Prior to Isovalent she was VP Open Source Engineering with security specialists Aqua Security. She is also Chair of the CNCF's Technical Oversight Committee, has co-chaired KubeCon / CloudNativeCon and is an Ambassador for Open UK.
Other things mentioned:
- Isovalent
- Berkeley lab
- Dave Thaler
- Kubernetes
- Firecracker
- Lambda
- M1 Macbook
- VS Code
Let us know what you think on Twitter:
https://twitter.com/consoledotdev
https://twitter.com/davidmytton
https://twitter.com/lizrice
Or by email: hello@console.dev
About Console
Console is the place developers go to find the best tools. Our weekly newsletter picks out the most interesting tools and new releases. We keep track of everything - dev tools, devops, cloud, and APIs - so you don't have to. Sign up for free at: https://console.dev
Recorded: 2022-05-05.
Follina's Tuesday Patch, Hertzbleed Attack, Mighty Bot, and more. A daily look at the relevant information security news from overnight - 15 June, 2022
Episode 245 - 15 June 2022
Follina's Tuesday Patch - https://www.zdnet.com/article/microsoft-june-2022-patch-tuesday-55-fixes-remote-code-execution-in-abundance/
Hertzbleed Attack - https://www.securityweek.com/new-hertzbleed-remote-side-channel-attack-affects-intel-amd-processors
Travis Exposed Tokens - https://www.bleepingcomputer.com/news/security/thousands-of-github-aws-docker-tokens-exposed-in-travis-ci-logs/
Citrix ADM Error - https://www.securityweek.com/attackers-can-exploit-critical-citrix-adm-vulnerability-reset-admin-passwords
Linux Panchan Bot - https://www.bleepingcomputer.com/news/security/new-go-botnet-panchan-spreading-rapidly-in-education-networks/
Mighty Bot - https://www.zdnet.com/article/a-tiny-botnet-launched-the-largest-ddos-attack-on-record/
Hi, I'm Paul Torgersen. It's Wednesday June 15th, 2022, and this is a look at the information security news from overnight.
From ZDNet.com: June Patch Tuesday is a popular one, with everyone from Siemens to Schneider to Adobe to SAP rolling out updates. In fact, 141 updates just from those four. The one I am going to call out is Microsoft. Redmond rolled out 55 fixes. That's down from 74 last month, and only three of which are critical, but one of those is a fix for the Follina zero-day. At long last. Get your patch on, kids.
From SecurityWeek.com: Researchers have identified a new side-channel attack that can allow hackers to remotely extract sensitive information from a targeted system through a CPU timing attack they are calling Hertzbleed. This impacts devices powered by Intel and AMD and possibly others. Details on the article.
From BleepingComputer.com: The Travis CI platform, which is used for software development and testing, has exposed user data containing tens of thousands of authentication tokens for GitHub, AWS, and Docker Hub. Aqua Security, who discovered the flaw, shared their findings with Travis hoping for a fix, but they were told that the issue was “by design” and left the data exposed.
From SecurityWeek.com: Citrix has warned of a critical vulnerability in their Citrix Application Delivery Management that could essentially allow an attacker to trigger an administrator password reset at the next reboot. The vulnerabilities impact all supported versions of Citrix ADM server and Citrix ADM agent. Customers will need to update the server as well as all associated agents. The company says it has already taken care of the ADM cloud service and no additional action is required there.
From BleepingComputer.com: A new peer-to-peer botnet named Panchan has popped up targeting Linux servers in the education sector to mine crypto. It is empowered with SSH worm functions to move laterally within the compromised network, and has powerful detection avoidance capabilities, such as using memory-mapped miners and dynamically detecting process monitoring to pause the mining module.
And last today, from ZDNet.com: Speaking of botnets, Cloudflare says it mitigated a DDoS attack that peaked at 26 million requests per second, and was caused by a botnet of only just over 5,000 devices. Rather than being based in IoT devices, this botnet was hiding in cloud service providers. For this particular attack, each device was averaging 5,200 requests per second, which is about 4,000 times more than a typical IoT botnet can generate. Details on the article.
That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
Netflix launches more games, crypto falls along with the paper economy, and artificial intelligence has not become conscious… yet.
You can support the production of this program with a subscription. More information here.
News:
- Netflix announced several new video game titles tied to its streaming franchises.
- Cryptocurrencies are not immune to the effects of the regular economy, and Ethereum has reached its lowest value in the last 15 months.
- Security researchers at Aqua Security report that the credentials of third-party open source developers are being leaked by the hosted continuous integration service Travis CI.
- Spotify is looking to acquire the AI voice generation company Sonantic.
- Blake Lemoine is placed on administrative leave after violating confidentiality policies at Google.
Discussion: No artificial intelligence has reached a degree of consciousness.
See acast.com/privacy for privacy and opt-out information. Become a member at https://plus.acast.com/s/noticias-de-tecnologia-express.
Brand is what people say when you walk out of a room. So how do you control the conversation when you're not there to hear it? Today's guests, Chris Smith, Chief Revenue Officer (CRO), and Matt Richards, Chief Marketing Officer (CMO) at Aqua Security, talked about the strategic ecosystem of sales and marketing and how they have to work together to win.
Join us as we discuss:
- Why working together for a shared goal is important
- What should and shouldn't be measured for ROI
- Why empathy over ego is the key to success
Now that you know how to conduct killer marketing tests, are you ready to learn how to hone your business's competitive edge or use data to prevent revenue leaks in your business? Check out the full list of episodes: The B2B Revenue Executive Experience. Listening on a desktop & can't see the links? Just search for B2B Revenue Executive Experience in your favorite podcast player.
Aqua Security's cybersecurity team recently published its 2022 Cloud Native Threat Report. The company found that cybercriminals are using new tactics, techniques and procedures to specifically target cloud native environments.
Kubicast makes its 2022 debut by bringing back the illustrious Guilherme Valle and Marcos Antônio Moraes from Americanas s.a to tell how last year's Black Friday operation went. With more than 100 clusters to manage, the guys plan the event 11 months in advance. Upgrading Kubernetes and adding new features to the platform are things that are not left to the last minute. All of this so that, in the days before, only a few tests are needed, such as load increase testing, for example. In addition to the questions about this monster operation, Kubicast also wanted to know how they have been dealing with AWS since the end of 2021, how they keep different cloud environments (AWS and GCP) aligned, and how they have visibility over all of it while respecting the LGPD. Check out the full program on PLAY. And to hear how they planned for Black Friday 2021, listen to this episode of the podcast.
The program's LINKS:
KCD Brasil - Talks to study and get certified in Kubernetes here
Mais Talk, Menos Show - podcast that interviews João Brito about his career and much more here
And the participants' RECOMMENDATIONS:
Guilherme: H30 - História em meia hora (podcast)
Marcos: Grandes Momentos da Segunda Guerra em Cores (documentary series on Netflix)
João: O Último Duelo (film on Star+)
FINAL NOTICE! Access here the live session on Observability and Security that Getup ran with LinuxTips, AquaSecurity and Datadog. An unmissable opportunity to learn more.
Kubicast is a production of Getup, a Kubernetes specialist and supporter of the UnDistro project, a distribution for managing multiple Kubernetes clusters. #DevOps #Kubernetes #Containers #BlackFriday
In this episode you will hear Rory's insights about cloud native security trends, threats and how to stay protected against potential attacks on organisations' supply chains and systems. Rory McCune is a Cloud Native Security Advocate at Aqua Security. His role involves helping to educate and inform around open source cloud native security and protect against potential vulnerabilities. If you want to be our guest, or you know someone who would be a great guest on our show, just send your email to info@globalriskconsult.com with the subject line “Global Risk Community Show” and give a brief explanation of what topic you would like to talk about, and we will be in touch with you asap.
Chris Smith, CRO at Aqua, joins me today to talk about creating a great sales team as a company that's growing rapidly by being intentional about bringing in the right people.
Chris has been in sales for 30 years and has mostly stayed within the cyber security industry for multiple reasons, one of them being that within this career you're doing something meaningful. Now, as he's building out his team at Aqua, a cloud native application protection platform, he shares the approach he's taking to ensure he's making great hires:
- Know the profile of who you are going after
- Focus on the importance of the alignment to culture
- PR the opportunity
- Augment company searches with agencies
- Prepare questions
- Go the extra mile
- Be thorough - reference LinkedIn, check references, etc.
Tune into today's episode where we expand more on Chris's journey and his tactics for creating a great sales team by being intentional about bringing in the right people!
If you are a sales leader at a startup, or you're in the sales team, and you're searching for your repeatable scalable sales process to grow sales faster, then please get in touch with me at andrew@unstoppable.do or you can also go to my site at www.unstoppable.do.
Sign up for our newsletter (https://www.salesbluebird.com)
We want your questions and topic suggestions for future episodes. Send them to andrew@unstoppable.do or send us a voice/video message at https://zipmessage.com/unstoppable
Get in touch with Chris (chris.smith@aquasec.com)
Support the show (http://www.unstoppable.do)
High-profile hacks and ransomware breaches continue to plague headlines, making cyber risk more tangible for individuals. So it's no surprise that a Bloomberg analysis found cyber expenses rising faster than overall IT spending. In addition, as remote/hybrid work shifts more workflow to the cloud, spending is expected to increase. Insight Partners is a NY-based VC/PE firm with over $30 billion under management. It is also a top enterprise software investor specializing in cybersecurity and data privacy. Notable investments in this space include DarkTrace, Tenable, Armis, Veeam, OneTrust, Cylance, Recorded Future, and Aqua Security. Our guest is Steve Ward, Managing Director at Insight, formerly the CISO of Home Depot and a member of the Secret Service. Steve has over 20 years of experience in cybersecurity, physical security, fraud, and technology risk. We discuss where companies allocate cybersecurity spending and the innovations disrupting the market. We also talk about how the shift to remote/hybrid work has affected cyber investment, the most critical threats, and how cyber innovation responds.
Welcome back to another Lisa at the Edge episode. I am joined by the awesome Anaïs Urlichs. Anaïs begins a new role this week as Developer Advocate at Aqua Security; she is a CNCF Ambassador and a GitHub Star! Anaïs has had an interesting career journey so far, so of course I asked her to share that with us. We hear how technology was not the first profession Anaïs dreamed about. Can you guess what she wanted to be when she was young? Listen to find out!
Carol is a software developer interested in good Secure Development practices, cloud native applications and security. An open source community enthusiast, she is a co-organizer of the Docker and HashiCorp communities. In her free time, she likes to run.
This week in the Enterprise News: Aqua Security Introduces new Aqua Platform, Decryption Tools, Security Summit 2021: Google expands Trusted Cloud, Clearview AI raises $30M to accelerate growth in image-search technology, & more! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw236
Assaf Morag and Ehud Amiri from Aqua Security join me on the Tech Talks Daily Podcast to discuss findings from Aqua's 2021 Security Report, which assesses cloud infrastructure risks. Over 12 months, Aqua Security conducted an in-depth analysis of Aqua Cloud Security Posture Management (CSPM) usage data and found that 40% of users had at least one misconfigured Docker API. But, overall, 84% of users were able to detect and remediate misconfiguration issues using CSPM, which would otherwise have gone unnoticed without manual involvement. Although cloud-native applications have many benefits, such as allowing more agility by giving more people access to define the environment, this means that many organizations are moving away from a centralized approach to security. Where once there was only a small, highly skilled team of security practitioners making all configuration changes, we now have a modern, decentralized approach. Indeed, a recent IDC survey showed that almost 80% of respondents had at least one cloud security breach over the preceding 18 months. We talk about Aqua's 2021 Security Report findings, explore the complexity of cloud environments, and discuss some solutions to help mitigate these risks.
Guest: Brian Haugli - Managing Partner, SideChannel | CEO, RealCISO.io | Host of #CISOlife
Viewed as a "full stack CISO", Brian is an executive security leader and mentor focused on building high performance security teams, deploying effective operating models, and delivering risk management capabilities for global, domestic, and local enterprises. He has held senior advisory & practitioner roles within DoD, the Intelligence Community and Fortune 1000 companies. Brian is a NIST expert, specifically with the Cyber Security Framework (CSF) and 800-53, and for industrial control systems & operational technologies.
In the episode Steve speaks to Brian about implementing security strategy, specifically around the struggles with culture change, misalignment of risk appetite at the highest level and the behavioural effects this can have throughout an organisation.
More about Brian:
LinkedIn: https://www.linkedin.com/in/brianhaugli
Virtual CISO: https://sidechannel.com/
Security Assessment: https://www.realciso.io/
YouTube: https://www.youtube.com/channel/UCtDlpJo3O8Z08mF_KoIkxWQ
Twitter: https://twitter.com/BrianHaugli
Your host: Steve Giguere
Steve is a Developer Advocate for Bridgecrew by Palo Alto Networks. He is a serial podcaster, having hosted his solo editorial podcast called Codifyre, as well as podcasts for Synopsys and Aqua Security called Hacking Security and BeerSecOps. He's a fun and entertaining public speaker on application, cloud native and Kubernetes security, and when he's not doing that he loves music. He's composed and played the theme music for this and each of his other podcasts.
Learn more...
https://stevegiguere.com/
https://bridgecrew.io/
https://twitter.com/_SteveGiguere_
We've seen this story play out in grand fashion over the last year: attackers are using the software supply chain to inject malicious artifacts into CI/CD pipelines and execute elaborate kill chains in production. Traditional software testing techniques are ill-equipped to detect these advanced threats that only initiate during runtime, and cloud native ecosystems add multiple layers of complexity. Now, today's best practices for DevSecOps all but oblige security teams to implement complete pre-production analysis of runtime behavior, to provide detailed documentation of the attack kill chain, and to facilitate proper remediation at the risk's source.
At the Inspired Virtual Summit, Aqua Security discussed supply chain security for today's cloud native software ecosystems, exploring:
- Advanced threats in the software supply chain.
- Security implications of cloud native and DevOps methodologies.
- Best practices for detecting malware and mitigating risks before production deployment.
Speaker: Steven Zimmerman, Senior Product Marketing Manager, Aqua Security
One of the more popular compliance frameworks is the Center for Internet Security (CIS) Benchmarks for Kubernetes. In this podcast, Rory McCune, Cloud Native Security Advocate at Aqua Security, will discuss the CIS Benchmarks in depth: specifically how they are created and how people can contribute to them, how companies can implement the CIS Benchmarks to get the best out of them, and the limitations on the scope of the benchmarks and what can be done with them.
Aqua Security helps enterprises secure their cloud-native, container-based, and serverless applications from development to production.
This interview was recorded for the GOTO Book Club. http://gotopia.tech/bookclub
Liz Rice - Author of "Container Security"
Eoin Woods - CTO of Endava
DESCRIPTION
What should you do to secure your containers? Liz Rice, author of the book Container Security: Fundamental Technology Concepts that Protect Containerized Applications & VP of open source engineering at Aqua Security, and Eoin Woods, CTO at Endava, explore what containers are, what the implications of a shared kernel are, and how to assess potential security risks that could affect your deployments. Learn best practices and understand how containers work in this Book Club interview.
The interview is based on Liz's book "Container Security": https://amzn.to/3oU4iJe
Read the full transcription of the interview here: https://gotopia.tech/bookclub/episodes/secure-your-containers-liz-rice
RECOMMENDED BOOKS
Liz Rice • Container Security • https://amzn.to/3oU4iJe
Liz Rice • Kubernetes Security • https://www.oreilly.com/library/view/kubernetes-security/9781492039075
https://twitter.com/GOTOcon
https://www.linkedin.com/company/goto-
https://www.facebook.com/GOTOConferences
Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket at https://gotopia.tech
SUBSCRIBE TO OUR YOUTUBE CHANNEL - new videos posted almost daily. https://www.youtube.com/GotoConferences
Episode 45 of Mamramik, the podcast of the Mamram Alumni Association, hosts Amir Jerbi, Mamram graduate, founder and CTO of Aqua Security, together with Shahar Man, Mamram graduate and VP Product, in their first interview after raising 135 million dollars, which brought the company into the prestigious unicorn club. From memories of their service in Mamram and why they both found themselves on the floor of the Mamram commander's office, through working at the market's leading companies, to the decision to leave it all and found a company that secures containers when nobody even knew what a container was. Hosts - Yossi Melamed & Roy Eisenman
This week, in the first segment, Chris Cleveland from PIXM joins us to discuss using computer vision to combat phishing! Next up, Jeff Foley joins for an interview on the OWASP Amass Project! In the Enterprise Security News: Okta acquires Auth0, KnowBe4 acquires MediaPRO, PayPal to acquire Curv, and Dropbox to acquire DocSend, Aqua Security raises $135M, Privacera secures a Series B, YL Ventures sells its stake in Axonius, Snyk secures a Series E, and McAfee sells its Enterprise business, AWS announces new lower cost storage, Radware's new integrated application delivery & protection, Bitdefender launches new cloud-based EDR solution, Awake's NDR platform, CrowdStrike Falcon enhancements improve SOC efficiency, Tufin releases Vulnerability-Based Change Automation App, Gigamon launches Hawk, Sonatype releases new Nexus Firewall policy to secure software supply chains, & more! Show Notes: https://securityweekly.com/esw219 Visit https://securityweekly.com/Pixm to learn more about them! Threat Report: https://pixm.net/wp-content/uploads/2021/03/Pixm-Q4-2020-Threat-Report.pdf https://github.com/OWASP/Amass https://owasp.org/www-project-amass/ Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
Attendees
Guest: Benjy Portnoy
Guest Title: Sr. Director, Solution Architects
Company: Aqua Security
Abstract
A cloud-native security strategy entails protecting the infrastructure, the build, and running workloads. In this episode, we spoke with Benjy Portnoy, Sr Director of Solution Architects at Aqua Security, regarding cloud-native security fundamentals. We also delve into various attacks identified in the recently published Cloud Native Threat Report by Aqua's security research team, Nautilus.
Timing
0:00 Introducing our guest
2:50 What is cloud native security
5:11 Sorting out between CWPP, CSPM & DevSecOps
8:01 Protecting the build, the platform and workload
10:30 Understanding what is CASB
12:45 Diving into the Kinsing attack
29:11 Summary and last words
Anyone who looks at the growth of KubeCon CloudNativeCon attendance over the past four years can recognize that Kubernetes is more than a passing fad. Instead, Kubernetes represents the way forward for companies to scale, go faster and be more competitive. Many question whether we've achieved 'peak KubeCon'.
Listen in as Cornelia Davis and Liz Rice discuss the current state of cloud native, its ecosystem of projects and how the CNCF can help you navigate the complexity of piecing together a Kubernetes solution that's right for your team.
Most organizations find open source software appealing because of the choice it offers. However, there are tradeoffs; an abundance of choice can also increase complexity. An ideal situation would consist of an integrated plug and play solution with open source standards and solutions. One of the most pressing questions is whether we'll see a more integrated solution for delivering Kubernetes in the enterprise versus a straight do-it-yourself approach.
The Byte - A Byte-sized podcast about Containers, Cloud, and Tech
Website - https://github.com/coreos/clair
SaaS vendors mentioned in this episode: Aqua Security, NeuVector, Twistlock
Episode Transcription
Welcome back to The Byte. In this episode, we're going to talk about Clair, a vulnerability static analysis tool for containers. Before we get started I want to see a raise of hands: who runs containers in production? Now, keep your hand up if you scan your images that are running in production. Now, this is a question I ask in workshops to various banks, and big customers that you would think would be doing this, and it's shocking. If we were all sitting in one room, I would imagine only 20% of us would still have our hands up saying we run production containers, and we scan these containers... scan the container images.
Now, Clair is actually a brilliant tool. It was developed by CoreOS, which was acquired by Red Hat, which Red Hat was acquired by IBM, but it's still going. I mean, it's still active, which is brilliant, because it's an awesome tool. Now, typically in the enterprise world, and the small-medium enterprise, I mean, different segments, you have different options, right? I mean, typically, if you are going to do container security, you're going to go with some sort of SaaS solution, one of the big vendors, and we're talking about Aqua Security, NeuVector, Twistlock. I mean, just to name a couple of them.
But Clair is actually the open-source version, and obviously, it is open source. I mean, you're not getting any SLAs, or anything like that, but it does a great job, and what it does, I mean, it actually does static analysis and vulnerability scanning of your container images. How that works: it regularly downloads the metadata from various sources, stores them in a database, and then compares the metadata versus your images that are running. This then provides you a notification, or lets you know, "Hey, this particular image has vulnerabilities, and I'll notify you, and I'll keep notifying you until you..." Like a siren's notification.
Additionally, we can also integrate Clair into your CI/CD pipeline, which allows us to, as we build container images, we can actually, as it's pushed to a registry, Clair then fires up, scans the image, and then provides you a report about them, if there are any vulnerabilities inside this image. It integrates into your CI/CD pipeline, it integrates into various container registries, it has configurable notifications, so we can then push notifications to Slack, or email, or whatever notification system you want to use, Permit To Use, for example. You can go to the Alert Manager. It has a lot of different possibilities there. It does integrate quite well to a bunch of different types of platforms, so if you go into the documentation on Clair OS, GitHub page, you go to Integrations you can see it obviously integrates into the CoreOS Registry. It integrates into all sorts of different projects. You can look through it.
As I said, it's an open-source project. If you're not doing container scanning now, I would highly, highly recommend you use Clair, so that at least you have something, right? Because, many times people are not doing any scanning, and it's better to do something, so at least you know, hey, do I have a Heartbleed running around in my production systems? Do I have any vulnerabilities that are like super, like red alert? It's good to know at least baseline where I'm sitting. I would recommend Clair if you're not running any security system. If you have the budget I would definitely go for an enterprise solution, Aqua, NeuVector, Twistlock, just to name a couple of them, but there's a lot of options out there.
Security starts sooner than later. I mean, the sooner you can integrate this into your CI/CD pipeline the better off you are. Give it a try, github.com/coreos/clair. It's a great tool. We've used it for a couple of projects. We're quite happy with it. I mean, obviously, for what you pay for, right? But, at least you're getting some sort of security put in place. This is step one. Obviously, there are a lot more best practices you can incorporate into your building of images, as well as the security in your container environment, but at least with Clair, we have some sort of reporting and availability... ability to actually scan your images.
Give it a try. Clair has great documentation. It's being used quite regularly. It's also being updated quite frequently as well. That's all I have for this episode. Have a great day. We'll see you next time.
Security tools are essential in helping tackle vulnerabilities in the cloud. Liz Rice, Technology Evangelist at Aqua Security, explained the capabilities of security tools, vulnerability reports, and the process of deploying security patches.