KubeCon 2023: Securing Software Delivery and Deployment – Source: securityboulevard.com

Speaker 1: This is Techstrong TV.

Mitch Ashley: Hi everybody. We are back here in Chicago at the great conference KubeCon. It’s a lot of great fun, great people we’re talking to. The showroom is buzzing. I mean, it’s kind of days of old here, so it’s great to see things are back and big and a lot of fun. So a great conversation we’re having here with some friends from OpsMx. We talked a little bit about what OpsMx does and dig into some new announcements. David Greene, CRO and Gopal. What is your last name, Gopal?

Gopal Dommety: Dommety, Gopal Dommety.

Mitch Ashley: Dommety, and great. Well, why don’t you start out by talking about what OpsMx is?

Gopal Dommety: So Mitch, we started OpsMX with the vision to fully automate and secure software delivery. That’s our vision. There are developers, there is sort of production, and so as people are going into Kubernetes and microservices, we realize that automating the delivery and the deployments is a lot of manual task and we said, “We should bring intelligence to secure that delivery and deployment aspect.” Now with the executive mandate software supply chain, that’s become very, very important.

Mitch Ashley: A lot of focus on that, yeah.

Gopal Dommety: And so we provide a deployment firewall. That’s what we provide. Most of our customers are large enterprises. Obviously we have some that are small and medium. They tend to have large deployments, Fortune 10 kind of customers, that’s what OpsMx…

Mitch Ashley: And mostly deployment into the cloud or can be private data center too, or?

Gopal Dommety: Deployment into, yeah, both cloud and private data centers. We have in large Kubernetes environments, we deploy into OpenShift, that sort of thing.

Mitch Ashley: And you mentioned of course supply chain security. I mean, there are security requirements, standards, et cetera, but every organization kind has their own thing, right? It’s got to adapt.

David Greene: It’s a huge focus right now, right? I mean, if you look at the work around the supply chain, there’s generally been two areas of focus. There’s been a lot of focus on the production environment when stuff’s already running in the real world or in the developers, but there hasn’t been any work to connect those two. And that’s really what we’re focused on showing here today at KubeCon is this idea of how do we start to get really an end-to-end view of that application lifecycle from when the developer starts the code, when that code lines into production.

We’re showing at our booth, Gopal mentioned the deployment firewall. That’s a new capability we just announced a couple of weeks ago that’s designed to do automated compliance and policy enforcement as part of a software delivery process. So as the release is running through its various approvals and stages and reviews to be able to do that check before it goes into the environment, to make sure that you’ve got your security checks, you understand your security posture, you’ve got the approvals you need, the environment’s ready for it, all those other things you want to make sure are done before you actually put that code out in the wild.

Mitch Ashley: Yeah, usually it’s that last gate, right? You’ve got to go through.

Gopal Dommety: The last gate, last gate, yeah.

Mitch Ashley: You’ve done everything you’re supposed to do, got the results we needed to see, right? Somebody pushes the button or whatever they do.

David Greene: Now it’s live, right?

Mitch Ashley: Push out it out on time.

Gopal Dommety: Exactly. It’s a last comprehensive gate that makes sure the code, the process, the people, the delivery and the deployment, all five of them have happened and we have tested.

Mitch Ashley: And you mentioned working with enterprises. Some of those deployments I can imagine are pretty complex, right?

Gopal Dommety: Yes.

Mitch Ashley: You’re with this cloud, that cloud, Kubernetes here and something else.

David Greene: Little bit of everything, yes. Little bit of everything.

Mitch Ashley: I can only imagine some of the issues you might deal with. As you work with customers to kind of figure out how to adapt to that, what are some things you’ve learned about what they need that you’ve put into the product?

Gopal Dommety: Yes, so you’re right, there are lots of deployment targets. Like some of our customers have 20, 30 and hundreds of Kubernetes clusters. Scale, some of our customers have 24 to, one of our customers has 90,000 pipelines-

Mitch Ashley: Wow, okay.

Gopal Dommety: … And a million deployments, and we have people who have nine pipelines too. I think when you have that scale and speed, any security check, any approval that you need to do from a security point of view just becomes hugely onerous from a time sort of people point of view. So we are built in ability to fully automate gates based on that application security graph that we have, the end-to-end security graph, which if you think about it at scale and speed, that scale and speed is super hard to keep it fresh. So we build the ability to gate. Also, audit is a big issue, especially when you need to audit at that scale. We build that in. Policy enforcement, like you said, that last gate needs a lot of checks and sometimes you will be surprised. Even large enterprises have very not so security enriched processes, like just changing a certain artifact can push you to production. We built in sort of the deployment firewall actually has come into being actually working with our customer that scale.

Mitch Ashley: And of course those nine pipelines or whatever number, they all do things the same way and follow all the rules.

David Greene: They’re exactly the same. Yeah, for sure.

Mitch Ashley: That’s what I remember working in an enterprise.

Gopal Dommety: 9 is one, but 90,000 is another.

Mitch Ashley: Yeah, I was going to say, more or less getting 90,000.

David Greene: I think that’s the key about the scale, the whole shift left movements that let everybody do things their way, which was great from a productivity standpoint, they don’t have waste time there, right? But at the end of the day, you’ve got to have some way of making sure that some minimum set of standards was enforced, right? And so that’s where the automation comes in. And I think the other thing which we’re showing here at the booth is how we can start to add intelligence to that automation. So let us actually do our evaluation of a new release, compare it to an existing release, and give you a score that says, “From a quality or a performance or security standpoint, this release looks like it’s ready to go, this one doesn’t.” Right? Then we can automate policies on that, start to be able to generate your own rule set that you might need to enforce with that. So the automation plus the intelligence allows you to scale from the 9 to the 90,000 in an environment that’s very unique.

Mitch Ashley: So I would imagine, I used to describe when I was running development teams, it’s like when we get ready for a release it’s like going on a trip. We don’t want to get in the RV and find out we left stuff. We got to go turn around and go back. And that takes preparation, not just if we think we’re ready to release let’s do the final check. It’s all those stages before. What kind of things do you do to help customers so when they get to that point, it’s ready, it’s ready to go, not we have 25, 2500, whatever the number is, things we’ve got to go back and do.

David Greene: Well, one of the things we built into the deployment firewall is the ability to do a preview, do a simulation check so that a developer who’s working on a release can say, “Great, my release is going to go to this target environment. Let me run a check today and see how it lines up against the rules for that environment.” And so we’re not deploying anything, we’ll just say, “If you were to deploy, this is where you’d be in good shape and this is where you’d be out of compliance, all right?” So we don’t want the call at 1:00 AM when you’re in the deployment cycle to say you forgot something, right?

Mitch Ashley: Yeah, turn around on that vacation.

David Greene: Exactly. So we’re trying to give that visibility early in the process and with that comes reporting because if you make it easier to make it visible, people can make decisions. One of the problems is for a developer, you got 20 different tools that each have a different data silo and you’re supposed to check all of them, right? We’re aggregating all that data into one view as part of getting this end-to-end perspective. So you could just go one place. If I tell you there’s an issue, then you go one place to see what that issue is, then make a decision how to act.

Mitch Ashley: Yeah. It seems like too, we often talk about security and automation and processes, which, all fantastic. We might think of it as a byproduct, but I actually think some of the essential things is all the data we create in that process is what we can use for our audits and for compliance, whether it be security or our own internal processes so you’re not writing documentation at the end, I’ve got the data I can present. So I would imagine that is one of the things you’ve got to do is not just a screen that says, “We’re ready to go,” but, “Here you go, here’s all the information that we need to provide to whoever for our policies and procedures and compliance.”

Gopal Dommety: Absolutely. The visibility and the checks is one thing, but the auditability from a compliance point of view is another. Incident response, when you have an incident to be able to trace back to exactly, for example, you can go into a pod and say, “If this failed, which exact PR went into this pod and how did it get here?” And we are also looking at enriching the security. Like you have all the security vendors with CSPNs and Synapse, so enrich their security graph with this data so that they can do better security response. You’re absolutely right, I think.

Mitch Ashley: Good. And you learned from those things too, right?

David Greene: Yes, yes. Yeah.

Mitch Ashley: That can make improvements in the front of flow.

David Greene: Yeah, yeah, yeah.

Gopal Dommety: AI ML has been a big part of our original thesis of starting the company, and-

Mitch Ashley: I do want to ask you about that too, because it’s one of the topics for all of this.

David Greene: It’s mandatory for every interview, right?

Mitch Ashley: It is. I’m required to bring it up at least 42 seconds into the conversation. It is putting AI and ML into our applications and systems and the things that we do, the things we produce, but there’s also AI and ML and generative AI that we use on the process of how we create and deliver software. I think one of the particular tricky things about AI ML, especially generative AI, is you have to feed data into this. This is not just deploying software and data’s generated by someone interacting with it. There’re constant data streams that are going into it from multiple sources to feed into these. And so delivering a release isn’t just… Yes, it’s code, but it’s also-

David Greene: The dataset, yeah.

Mitch Ashley: … The data streams that are going into it. How do you account for those kinds of-

David Greene: You’ve been doing some research on that.

Mitch Ashley: … Odd things that are a little different?

David Greene: Yeah.

Gopal Dommety: Yeah, so I think that AI ML is in the delivery process used in many different flavors, right? One flavor which we do is when you do deployment. During the deployment we use AI ML to understand the behavioral characteristics of an application and understand if there are any security risks that are being sort of generated during the deployment. That’s one area.

The other area is we have this data and we want to be able to predict the policies that you need to have and also generate the rego or the specification for the policy, and a human can literally say the intent and that generates the policy, because these policies are very application specific. And the third area we see a lot of emphasis is that especially now that you have these vulnerabilities or policy violations or alerts, the root causing of them is being done with a lot of AI now, especially with the generative AI, with OpenAI APIs. So I see it kind of turning our world into a much more efficient world and much more personalized world. I mean, that’s how I see it. I don’t know if I answered your question, but-

David Greene: Well, there’s also the piece, I think you’re talking a little bit Gopal about the deployment process itself, the process of deploying machine learning models, it’s fundamentally a deployment process. Even though there’s now data with the code, it’s still fundamentally a delivery and deployment process production.

Mitch Ashley: Putting something into production.

David Greene: It just is a bigger object, and so that’s one of the new areas we’re working on right now in the process, how do we put that together?

Gopal Dommety: So Mitch, maybe I’ve missed the question, but I think yes, absolutely.

Mitch Ashley: I liked your answer anyway. That’s not the question I… But that’s okay.

Gopal Dommety: Yeah, yeah, so I gave you the example of this customer who has this 24,000 pipelines, right? 12,000 of their pipelines are actually AI ML models.

Mitch Ashley: That’s interesting.

Gopal Dommety: Yeah, and so when you do AI ML models, AI ML models follow the same delivery process, but they have model, they have model training, and also the model deviation in production, and so-

Mitch Ashley: They aren’t static things, right?

David Greene: Right, they’re dynamic.

Gopal Dommety: They’re not static. I think the sole security layer that we have is now we are optimizing it for the ML ops or ML model delivery, and so very interesting challenges that come. Even in security, because once you’re in production, the behavior of the model could potentially give you a secure data, which was never the case truly in an application. So that’s an area that we are being sort of forced I guess by customers. We didn’t realize half the pipelines were machine learning models, and so we apply the security layer to that deployment.

Mitch Ashley: Well, that’s kind of our industry. We don’t necessarily know what we’re going to be doing.

David Greene: Exactly, exactly.

Mitch Ashley: We have to figure out ways how to-

David Greene: Get ready for it.

Gopal Dommety: Yeah.

Mitch Ashley: Yeah. It’s very interesting. It’s a good point about we don’t typically deliver a lot of data in our deployment pipelines. There’s databases in production that we’ve passed against, and otherwise in these cases they are, they’re vector databases and learning models that we’ve adjusted.

Gopal Dommety: The complexity of these graphs are very interesting because all these models are cascaded. If this model works, this data comes in, the next model works. I mean, it’s actually very fascinating for us to be able to apply.

Mitch Ashley: It’s almost too complex to do it manually.

David Greene: Yeah, you can’t do it manually.

Gopal Dommety: You can’t do it manually. You just can’t do it.

David Greene: I mean, I think across the board here the challenge is the reflex often is if we’re not sure we’ll have a person do it, but the challenge is the people are so overwhelmed they lack context. And so that’s where you’ve got to rely on some kind of automation intelligent in a system to offload the people, and then you bring the people in on an exception basis when you’re really stuck and they had take the time to really dig in and understand what’s happening, right? That’s the complementary model.

Gopal Dommety: You’re absolutely right. That’s a new dimension of delivery that has in the last two years has really taken off. And you said securing, automating software delivery, that’s the new dimension, the models and the data associated with the models.

Mitch Ashley: We didn’t have that in mind when we started doing CI/CD.

David Greene: Exactly, exactly, exactly.

Gopal Dommety: Absolutely.

Mitch Ashley: That’s okay. It’s adaptable. So deployment, anything as you kind of look forward, you’re thinking about where you might go or where the industry might go in your domain in the next 6 or 12 months, or what’s kind at top of mind of here’s the next set of challenges we might look at?

Gopal Dommety: I think the first challenge is driven by, as an industry, a lot of scale of Kubernetes. The scale of Kubernetes is kind of taking off, right? And so as the scale of Kubernetes takes off, people underestimate the complexity of deployments and securing deployments. And so today, in fact, somebody came to a booth and he asked the exact question and I asked him, “How do you know?” He said, “Well, the rest of the guys are going to see it six to nine months from now.”

So I think scale will drive the need for automating security, I think that’s one. I think the second is that a lot of, in the software delivery, a lot of these tools, security tools that need to be inserted like this scan, this scan, so on and so forth. I think that we are also seeing a little bit of a consolidation to say, “Hey, I want the delivery bill of materials for the entire delivery to be understood.” I think that’s another sort of trend that is just starting, and I think that’s the tip of the iceberg. Once we have that delivery bill of materials in this application graph, you can do lots of interesting things, including some generative AI way to understand how things happen. I mean, it’s I think a new frontier that we can hit, but both these we are hoping will make the need for what OpsMx provides, deployment firewall and the delivery bill of materials, et cetera, ubiquitous, right? I mean, hoping that’s how we think of from first principles as to how the industry and us can probably help.

Mitch Ashley: Interesting. Well, where can folks find out more, go kick the tires or whatever they do?

David Greene: We got couple. Obviously, if you’re here at KubeCon, we’re in Booth P14. We’ve got demos and giveaways happening here. Our website, OpsMx, O P S M X .com has got more information. For people who want to try out this solution, we’ve got demo environments, trial environments they can do to kind of see for themselves how this sort of compliance and sandbox might work for themselves at deployment firewall.

Mitch Ashley: That’s one of those things you kind of have to see it work, right?

David Greene: You want to see it work, got to test drive it, right?

Mitch Ashley: Yeah. That’s the way I am. That kinetic learning, I want to see it.

David Greene: We’ll sign you up, Mitch.

Gopal Dommety: Absolutely, and feedback for us is most important. We need customers to kind of kick the tires and make us work hard.

Mitch Ashley: Great. Well, David, Gopal, thank you so much.

David Greene: Great.

Mitch Ashley: Be sure to check out the OpsMx website and all the great content. If you’re here, check out their booth as well. Thank you for joining us for this discussion. We’ll be back in a few minutes with another great interview, so hang tight.