PurePerformance - The future of security is open source and Falco leads the way with Dan Pop
Episode Date: June 7, 2021
While some think about the late Austrian musician, Dan POP and the CNCF community think about modern security when it comes to Falco. Listen in and hear directly from Dan (@danpopnyc) who, besides doing many things in the CNCF community, also hosts POPCAST where he started connecting technology leaders during the last year. In the podcast you learn a lot about security, the power of eBPF and how Falco aims to contribute to runtime security like k8s contributed to distributed computing.
Here are the additional links we brought up during the conversation:
Dan on LinkedIn: https://www.linkedin.com/in/danpapandrea/
Dan on Twitter: https://twitter.com/danpopnyc
Popcast Podcast: https://github.com/danpopSD/popcast
Cyber Defenders Career Guide by Alyssa Miller: https://www.manning.com/books/cyber-defenders-career-guide
Cloud Native TV: https://www.twitch.tv/cloudnativefdn
CNCF TAG Security: https://github.com/cncf/tag-security
Falco Tools, Frameworks & Articles: https://github.com/developer-guy/awesome-falco
Falco Blog: https://www.cncf.io/blog/2020/12/14/join-pop-falco-org/
Falco Der Kommissar: https://www.youtube.com/watch?v=8-bgiiTxhzM
Transcript
It's time for Pure Performance!
Get your stopwatches ready, it's time for Pure Performance with Andy Grabner and Brian Wilson.
Hello everybody and welcome to another episode of Pure Performance.
My name is Brian Wilson and sometimes my co-host goes by Andreas Grabner,
but you and I know him as Andy Grabner.
Andy, I wanted to change it up there.
I know, it's amazing. Yeah, completely different.
Completely different. Now for something completely different. Yeah, absolutely.
Yeah. Well, I wonder, I'm good,
but I just wonder because I know our guest is already listening in and he was
hoping this to be a fun conversation and you told him that we are really
always very funny, but I'm really not sure if we are currently cutting it.
I think I was being sarcastic about my, my dumb jokes, my, my dad jokes.
I saw a great, a great meme yesterday.
It was someone posted in Slack.
It was like, I keep all my dad jokes in the database.
It was not too bad.
That was amazing.
Anyway, let's see.
I want to do one more.
I had a feeling today.
I got a feeling that you and our guests will have a lot to talk about
because I think you are not only kind of,
you lived in the same area in the United States for a while.
So you share a lot of like the same places you went,
but obviously music is connecting you too.
I feel there's going to be a lot to talk about music and kind of one of the
musicians that you always, you know, admire me for, I think, because I live in the country where he came from, Falco, our big Falco.
We finally have, we can finally talk about Falco without being awkward.
Exactly. True. And with this strange segue, I'm not sure if this makes any sense to anybody listening now, but I want to hand over to our guest and let him introduce himself. Dan, how are you?
Hello, everyone. First off, Brian, I'm a big fan of all your music with the Beach Boys. Fantastic.
Thank you.
Good work. Andy, pleasure. Thanks for having me on. My name is Dan Papandrea. People call me Pop. I am the director of open source community and ecosystem for a company called Sysdig. And I work on the open source
project, a CNCF incubator project called Falco, which also
is the name of an amazing German Austrian.
Austrian. Okay, settled.
Settled. Austrian musician. I can go into a whole bunch of German.
There's only one Austrian, no, two Austrian musicians that I know of that are very well known.
Falco and Mozart, right?
Mozart.
They're both on the same scale in terms of how awesome.
Is Beethoven Austrian or has he just spent a lot of time there?
He's not known.
And also Mozart, we all Austrians, we, we know that he's Austrian, but I think
there's also a debate back in the days when he lived in Salzburg, whether it was truly
Austria or it was part of a, I don't know, whatever political situation they had back
there.
Let's just claim him as yours.
It's like the debate where it's the Statue of Liberty.
The Statue of Liberty is in New Jersey, but New York claims it, but just claim it.
I mean, the Italians, we grabbed pasta. Pasta, you know, that was noodles from the Chinese. I mean, we took it. So you have
to do it. That's it. And by the way, you should definitely talk about those amazing, like,
chocolates you all have in Austria. Oh my God, like, I talk to Alice about that all
the time. I'm like, dude, can you ship me some, because they're called Mozarts. Can you explain to the listeners about these things? They're mostly crazy things. They are Mozartkugel.
So Mozartkugel, literally translated, means Mozart balls, but not motor balls, because they
would probably be really not that delicious. But it's basically round balls, and I think
there's filled with nougat and it's just fantastic. Different layers and there's also
a debate on who invented them and what is the
original factory and the original
store but you get them in the city of Salzburg
and you get them pretty much
everywhere now but they are delicious.
As you said, if you go to
Vienna, the Sachertorte
which is very famous from the Sacher Hotel
chocolate cake.
Yeah, but all guests of the Pure Performance podcast will get some of these Mozart balls.
Tune in, everyone. Tune in.
Exactly.
Okay, so, you know, how did we end up here? I don't remember, but what I want to talk about is now.
So, Dan, you talk about Falco or Falco.
I think the way, I guess, how do you pronounce it?
Falco, Falco.
Falco.
Yeah.
I mean, it's, it's so the name derivation, right?
It means hawk in Italian.
And, you know, it's basically, if you look at it, it's a runtime security project where
kind of the de facto Kubernetes threat engine detection tool.
And what it does is there's three elements to it.
There's you tap into the kernel, right?
So, two functions: through eBPF or, you know, a kernel modprobe.
And you look at all these system calls.
And these system calls then have a second component, which you can basically define as a rule set through YAML to be able to say, oh, OK.
Somebody terminaled the container. That's a system call. Somebody touched a file.
Files are system calls. Networks are system calls. All of those things. And you have this DSL,
this language for you to, again, create these rules. And then they can output that and alert to things like standard out, JSON, HTTP. And then you can even add what we call something like a
contributor, which I love, it's awesome, in our community contributed something called Falco
Sidekick, and then you can extend it to downstream projects like Knative, CI/CD projects, Keptn as
an example as well. I know that I've talked to the team about that. So, like, there's some really cool
things you can do with it.
And we love the growth that's happened.
I mean, when we were incubating,
I think we were at like 8.1 or 8.5 million Docker pulls.
As of this morning, I think we're at 26 or something billion Docker pulls.
And the reason is, is again,
it's this great engine from a runtime security perspective
that works in a cloud native context.
And I'm so happy about this amazing community
we've built.
I got to point out, Andy,
he mentioned Keptn before you did.
Andy always mentions
Keptn at some point in the show.
Big fan.
The only other
thing I want to touch upon is the
appropriateness of the name Falco.
The Falcon idea with security makes perfect sense, but just rounding them out and we'll drop the other Falco right
after this, but Falco had the big hit there, Der Kommissar, which I believe that's like the police
or the secret police or something, Andy, right? And that's all tied to security. So I think you
have a double well-named product. And congratulations on the downloads.
That's amazing.
And just even the contribution has been fantastic.
In terms about the origins of the project,
it was basically where I worked for a company called Sysdig.
And Sysdig, again, is kind of a secure DevOps platform.
There's monitoring capabilities, troubleshooting,
and runtime capability because of tapping into that kernel module
or kernel capability I talked about earlier. And so Loris, our founder, was one of
the guys that if you're all familiar with like Wireshark or TCP dump, he's one of the co-creators
of it, right? And so like taking that pedigree of being able to take, digest all of that data,
like network-level data and whatever, and doing it in this thing from the Sysdig perspective,
customers were like, you could probably do a ton with security here.
So I remember the summer before he did, he took a summer off
and he started, you know, he basically created this thing called Falco
and we've had like a ton of amazing maintainers that have grew the thing out.
You know, Kris Nova was a contributor to the project as well.
Leo and Lorenzo Fontana, Leonardo Di Donato, great, great maintainers of the group. And basically they've written books on eBPF. So, like, and now I love seeing, you see all these projects are now
using eBPF and we were like contributors to eBPF, you know, early because we knew the promise that
it has, because it's, you know, so for the listeners, eBPF is enhanced Berkeley Packet Filtering,
and it allows you to kind of tap into,
instead of having to like do an upstream update
to the kernel to add like these,
you know, these kind of helper applications
so you can create these applications on the fly.
It's such a great technology,
not only for security perspective,
but like monitoring and networking.
You see like projects like Cilium, you see projects like, you know,
I, you know, there's a ton of projects using eBPF.
It's the kind of the long or the short of that.
Hey, and just out of curiosity, because I haven't looked into Falco yet.
That means in a nutshell, if I understand it,
you are observing events and you have a pattern definition and you basically are
watching for patterns, and then if certain patterns come up, like, hey, nobody should touch this file
from this particular container, then you are generating an alert or another event, I guess,
that is then... Well, one step you missed was the rules part of it, right?
Because of all those system calls, right, you have this language that you can, like, you know, basically, you know, check for things like privilege escalation,
namespaces. We seeded from the community, like, a hundred rules out of the box. And they'd be
specific to syscall level, also kube audit. So if somebody created a namespace they shouldn't have,
you'll get notified. There'll be like a notification. And that's where then you can
output that to, like, that's why I mentioned Falco Sidekick, because now you have like a
pretty little snazzy UI, and you have to, one Helm chart, like literally one Helm deployment,
and you have all those three components: Falco, Falco Sidekick, Falco Sidekick UI. And you can
create your rules, test your rules, deploy it in your cluster, those types of things.
And then again, I'm curious, because that means
if I'm a developer and I want to test this out, whoever,
who is the target persona in your case? The security dev, DevOps engineer,
security engineer, was it the architect, the developer? Who is the target audience?
It's all of them. And the rationale is, it's not so much for security
reasons, it's also for somebody to kind of, you know, test out their code.
If we look at this, misconfiguration in security has cost the industry almost $5 trillion.
And that could be, you know, things like cloud, like, you know, S3 buckets being open.
It could be things like in this container, I use this NGINX container that I've grabbed from the cloud.
You know, I'm grabbed from a registry and I brought into my, you know, I brought this thing into the pod.
Look, there's, you know, you can use things like, you know, OPA and have those pods for you to say, okay, I don't, I want this to be, I don't want this to run as root.
Well, what happens when something at runtime is there and it's running and it's post kind of, you know, software supply chain, when it's in a runtime perspective,
somebody gets in there
and they drop their payload
and then they can do whatever they want.
That's the problem.
There's no real notification function
beyond Falco out there.
Shouldn't you then also talk
with the registry providers of the world,
whether it's a Docker hub
or whoever public registries
before things get uploaded? Did you already do the check as part of
that process? I've done a lot of cloud security
podcasts recently, and I can tell you one tool is not going to fix everything. You need a
kind of amalgamation of many tools. So you need something that's doing vulnerability management. You need
something that's doing benchmarking on the underlying rules. Because guess what? Kubernetes and cloud native
is not just one thing.
It's, you know, it's basically, look about it.
It's the underlying, you know,
let's say I'm using a cloud provider,
I'm pulling an AWS, right?
I have this EC2 instance or I'm using EKS.
Great, I'm already kind of have those checks
and balances in place.
I might be having ECR scan some things,
but maybe there's some things I want to have
from a policy perspective where maybe my application
needs to have this level of access.
But then when it runs and if it goes outside it from a deviation perspective, I need something from a runtime security perspective.
So there's tools out there.
There's commercial tools, right?
Sysdig is one of them that allows you to kind of have this full platform that then uses things like runtime security elements for in Falco or,
you know, Prometheus or some of the underlying, you know, open source technology that are out
there. And, and coming back to my, I'm a developer and I, I can basically in my development
environment, I deploy, you said you have a Helm chart where, on the one side, you deploy,
you deploy what? You deploy a sidecar?
Or how does this work?
How do I get the data from?
So the underlying thing is that kernel level tap that's there,
that's on a per node basis.
So what happens is it taps into user space.
So you can tap into eBPF to do that.
And then that presents itself to this pod,
a Falco pod that's running on per host basis.
But I'm not having to introspect anything in the direct pods, right?
I'm not having to do any of that because it's doing it at the host level.
Yeah, makes sense.
And then from at the host level, those are system calls that are happening because that container and pod is making those system calls.
And then the host is running those container calls.
And there's network calls in the, excuse me, the host level call. So you have that amalgamation. So I don't have to
introspect anything directly into the pod or inject anything in my code. So I get this, like, visibility
there. Yeah, and then the policies, where are they enforced? Is there a central component where all
these events are streamed to? Yeah, that, so that's the Falco. So basically the Falco pod has those in there.
So like, again, if you look at it from that perspective,
Falco pod has, you know, taps into the user space,
then those rules get injected as part of that
from an architecture perspective,
and then those outputs are done.
So it's basically saying, okay,
this syscall that tells me somebody has an exec shell,
okay, I want to get notified of it if it's not part of
a macro we have for known things. But the beauty
of this, it's YAML. So I don't have to learn,
there's certain conventions, but it's YAML. I can say, okay,
the file descriptor here is /usr/share/nginx. I want to know
everything that's in /usr/share/nginx.
If there's any deviation from it, go ahead and send me an alert, and I want it to go to this
thing, and I want it to just be this description, and I want it to have the metadata. So it's going
to tell you, oh, it's this pod and this cluster and this place. Like you said, from a developer's
perspective, I got to find that needle in the haystack. How can I do that?
Well, the surest place to me is the kernel.
Interesting.
You know, we're all learning a lot more about security these days, especially over here at Dynatrace.
And as I try to wrap my head around more of it, I know there are certain overarching segments of security, you have like risk, SIEM, and I forget the other two major ones.
Where does this fall in that scheme? Or is this a whole new sort of way of looking at things, if we
were to categorize it? Falco specific? Falco specific to runtime, right? And so Falco basically runs at
runtime. But also, when you talk about SIEMs, right, those are just, it's signals that you're providing to your SIEM, right? So I talked earlier about CIS benchmarking, vulnerability management, all those. That SIEM
has to concat all those signals. The signals that Falco provides is very specific to
just runtime stuff, right? So, you know, one of the things we have is, we also actually had somebody,
like the community has contributed a couple of blogs.
If you go to, by the way, everybody, if you're listening to this, I'm sure there'll be liner notes to this, but falco.org, we have a blog.
And somebody's created this thing where it's called a response engine.
And there's five different things where they're tapping into things like Argo CD or like Knative or OpenFaaS or those types of things.
And basically, so I told you about that scenario
where somebody terminals into a container, right?
Well, I want to respond to that.
I don't want to get notified.
I don't want to send to my SIEM to respond to it.
Maybe I want to be able to create something
where the response is from a function.
So I have a function that deletes the pod if it happens.
Because what happens?
Somebody comes into that pod.
The beauty of Kubernetes is it respawns the pod
after it's killed, right?
So like you're knocking
that person out.
You get that thing.
So it's basically
an auto-remediation.
You're basically triggering
a remediation function
and whether this is
calling a Lambda function
or whether it's calling
an Argo workflow
or a Keptn, anything.
Yeah, but the beauty of this
is it's any function you can imagine.
That's the beauty of this, right?
So you can create a function for just about anything.
Like you said, Lambda, it could be anything.
I've seen somebody do this, and I thought it was amazing.
I did a talk with somebody, and by the way, all my talks this year have been about cookies and runtime.
It's like you need the right ingredients for runtime security, right?
That was my gist, but I use different technologies each time I do it. And so we did
one where it was basically like, you know, Falco tapping into just GKE, right? Underlying like
things and like some of the functions there. We had to run a function that actually did a
Kubernetes network policy change. So basically, when it saw that somebody terminaled in, it took away any of the ability for them to go egress out. So it's like, okay, cool, you can do whatever
you want. If you think about some of these scenarios, right, SolarWinds last year, right,
somebody dropped their payload and then they sent them to external network connections, and they,
you know, put the, they dropped in a file.
Those two things I talked about earlier, system calls.
When you touch something in a file system, that is a system call.
When you do a network connection, that's a system call.
And so that's the beauty of this thing.
So you can now have that level of introspection.
So, I mean, I guess I'm not familiar with BPF enough, but I assume there's a ton of
events getting generated, especially in large environments with heavy load.
So what volume of events are we talking about that Falco needs to process?
Well, again, because the rule sets are here, it's only digesting the things that matter
that are specific to rules.
But, like, that's the thing we've built into this, to be able to have this, you know, syscall, you know, being able to, like, have that threshold for that. It's built
into the process. It's very, I always get that question: well, with all of that, like, there must be
a lot of, you know, um, you're running a lot, it's resource intensive. We, I mean, we're, they're running
in huge environments. I mean, even from the largest, like, Sysdig perspective as well.
I mean, it's enterprise scale. But in terms of Falco itself,
it's pretty amazing, the amount of, like, very low overhead
that you wouldn't get from other conventions,
like having to tap into, like, LD_PRELOAD or any of those functions.
So what I was saying is, if I understand this correctly
from an overhead perspective, you said somebody that defines the rules defines them in the YAML file.
The YAML file is actually then being passed on to eBPF or to Linux into the kernel.
No, that's a Falco.
It's part of the Falco process, right? It's just taking those, digesting those things that are happening from the kernel, right?
And we're just tapping into user space to be able to then use the Falco rules to be able to digest, okay, this thing happened, right?
So the rules are just kind of a disseminator of the data.
So that means you still observe all the events that are coming in and then you run it through your rules engine.
That's great.
Right, right.
And then obviously the rules engine,
you said they are on a host basis.
And do you manage those rules centrally and then push them out again in case they're updates?
So how does that work?
It's a daemon set, right?
So you update the helm chart, it's a YAML file.
Like you can have custom rules.
And we have, again,
we have the out of the box rules that are there. But again, if you all want to take a look at more of the, you know, the details
there, it's right on, you know, falco.org. Yeah, there you go. I really like one thing you said
before we started the podcast. You said, and hopefully I wrote this down correctly, but
you said, what Kubernetes has contributed to, we want Falco to contribute to security.
Let me clarify that.
We believe that what Kubernetes
is to distributed computing, Falco should
be to runtime security.
And one of the things, I will tell you this, we did a
donation recently, and
Sysdig did to
the Falco libs. There's two libs
that we use, something called libscap and
libsinsp, C++ libraries.
Anybody now can use those libraries to have that dissemination to create even better security
projects that are out there. This took X amount of people hours, X amount of programming time
to create this. Somebody coming out of the box right now that wants to have a start can use the
Falco libs right now. And we have examples of
that being able to do this. And again, the term that we use is the future of security is open.
And I totally agree with that. And the rationale between that is, look, if there's external actors,
if we have a common set of rule sets to be able to share, you know, capabilities, so then, you know,
somebody can build like a, you know, a machine learning capability to squash all of this,
then guess what? We're all the better for it. All of our security projects would be even better
in any project that are out there. So if companies like Dynatrace, Sumo, whomever they might be,
can take these libs right now, they're open source, it's a CNCF project, take them and
already have the basis to enhance all that security capability that's there.
That to me is the beauty of open source.
And let me ask you, you didn't start in security, right?
So I was a director of IT for an investment software company.
So I did a lot of, you know, compliance for data centers, you know, network level, like,
you know, in dissemination, sysadmin, that type of thing.
So I have, you know, that basis for it.
So, but yeah, I'm going to ask you, if somebody is interested in it, like
myself, personally, I'm someone interested in security. I think, um, this is something that is
way overlooked, as we've seen even just recently with the pipeline issue. I remember going back,
we'll take a trip down memory lane again, you and I, back to the New York City blackout back in the early 2000s.
I remember back then thinking, people don't need to terrorize by knocking down buildings or planes anymore.
You could just take down a power grid or a pipeline or something else, right?
So security is huge, huge, huge.
It's way overdue.
But if somebody is interested in, you know, I know there's a lot of different
aspects in security, but like, if someone is interested, curious, like, do you have any
recommendations on like where to start looking, maybe things to start thinking about things to
start reading or blah, any, any kind of, cause there's a lot of, a lot of concepts in security,
but what, and that's the thing I talked to Alyssa Miller. Um, who's,
who's a amazing expert out there, um, on my podcast yesterday, actually. And so that's,
what's fresh in my mind right now. There were over, like, 50,000 jobs created for security only
in the U.S. 50,000. Right. And so if you look at that, it's not just one specific space. There
could be, you know, different places.
There's incident response, right?
There's, you know, cloud native security.
There's cloud security.
There's CSPM and all of that.
So the question then becomes is, where do you start?
And again, I'm going to mention, big shout out to Alyssa. She wrote this book and it's a security guidelines book that she wrote.
And it's, I'll get the link for you all. Yeah. Yeah.
Because I thought it just provides not only where you start,
but also like how to, you know,
brand yourself in a specific way for, for a specific segment. But I mean,
there's a ton of cloud security podcasts out there,
but like I would say is get involved, understand red team, blue team
stuff, understand like attacks, understand the mind of external actors that are trying to, you
know, go up against things. Be part of, like, we have a project in the CNCF, which I'm an ambassador
for, it's called TAG Security. We welcome people coming in and understanding this, but having this
basis of understanding the attack
surfaces that are out there. Like, hey, if I'm a developer, I know how to compile and drop things
in there. That to me is an attack vector. So understanding that, I think the bridge between
developers and security is getting less and less because you have to create secure code from the
jump, right? And if you've seen, you heard these terms like software supply chain and you know,
those types of things, right?
Like you have to think in terms of, is my code vulnerable?
And then if I'm running it at a runtime perspective,
what do I have to protect myself?
And to me, I believe yet again,
for finding us out Falco is the de facto tool for that.
Have you, are you working
with the chaos engineering community at all?
Because this sounds to me like perfect.
This is a developer.
I want to get my
new service properly
tested and then also put on the chaos
and chaos infliction could also mean
let's do
some security, I don't know, whatever, try
to expose some vulnerabilities and then making
sure that my security scanning tool can detect these problems, these things that shouldn't happen, and then
kicking the auto remediation, kind of the system healing itself. There's these signals already out
of the box. I think, you know, like, you know, there's, you know, I don't know, Gremlin, there's some
other, like, open source tools that are out there. LitmusChaos, you know, another good choice. But again, all this is
is another capability for you to run chaos against, right?
Like, meaning, you know,
and we have something like an event generator
that's generating all the things
that the rules would have been attacked for.
But then also you can set it,
create a custom rule set there as well.
So it's, you know, again, it's really, you know, based on, like, you know,
the end results. Now, if anybody from LitmusChaos was listening to this, wants to, you know, take a
look at Falco, you know, please be our guest. Join our Kubernetes channel. So we have a channel on
Kubernetes Slack, it's called falco. Love to have you in. Yeah, because that will be good, because we
from the captain side we've just integrated with them and there's a lot
of great response
in terms of
deploying a container, running load against
it, and at the same time enforcing chaos
and chaos in this case means, I don't know,
killing one of the pods,
doing, I don't know, something
that causes high CPU memory and we'll see how
the system reacts and kind of heals itself.
And it seems like that the chaos community should then work with the security
community to see how they can inflict security chaos, quote unquote, right?
Attacks.
And this is what I love about open source.
Vendor to vendor. It's super hard.
Yeah. Open source.
LitmusChaos.
Yeah.
Falco. Keptn. Yeah. I've relished the fact that I can go talk to, like, you know, the folks, like, again, doing things like, I like what
Keptn's doing. I was on, um, I think it was a panel or a meetup, uh, with one
of the Keptn folks, and I was like, this is a thing. I'd love to see Falco integrated here.
In terms of response and stuff like that.
So that's where, again, having these
talks like you just had now,
let LitmusChaos reach out to us.
But the thing is,
it's got to be a
reciprocal thing. It's like if you're going to
contribute something, it can't just be where you take,
take, take. That's the beauty of open source as well,
is contribute, adopt, help others where you take, take, take. That's the beauty of open source as well is contribute, adopt,
help others adopt
versus take, take, take, you know?
And by the way, I put the link to
Yeah, I saw that.
So it's called
the Cyber Defender's Career Guide.
Look, I get nothing from this.
I just love how it's like,
it just, it's very well,
well laid out.
And Alyssa is a fantastic resource
in the world.
So it's like Ian Coldwater.
There's many really amazing people,
folks out there.
We'll make sure to put these links later on in the,
in the summary.
So people can click on it once they are on our podcast page.
You bring up a good point because this is one of the other things you have
obviously been hugely successful with the open source project.
You have a great blog where you explain how the project grew over the last two years,
whether in terms of stars, contributions of a lot of external contributors.
But you just mentioned something, right?
The way open source works really well is if everyone is kind of figuring out how to contribute to the other projects by
bringing them closer together and building something bigger than the individual pieces
But let me ask you a question. Um, obviously there is not one, not two, not ten, maybe there are 50
different projects where you would like to see an integration built. The question is still how,
because you have limited resources,
how do you still then prioritize? And this comes back to any, this is the same dilemma that any software organization has in any other organization, right? If you have 50 options
and I would love to contribute and build integrations with all of them,
how do I best prioritize? Do you have any tips here? Because we run into the same dilemma right
now with Keptn. We would love to integrate with all of these tools. We encourage people to build
contributions or integrations for us, but it's still not easy. I would say the end users to
drive that. And what I mean by that is like community contribution has been A plus. Like,
yeah, we got six blogs written by community, not Falco maintainers. Six in a matter
of three to four weeks. You know how that happened? And another example, Falco Sidekick.
There was only standard out JSON HTTP. Now there's over 32 outputs. You know why? One contributor
was like, I like this project so much. And he told other folks and they started contributing.
Look, I built this integration that makes it easier because any project out there that
you're working on, it needs to be easy for somebody to jump on and go and then interact.
So like, think about it, not only from the user's perspective, it's also going to be
easier for another community to go and come in and go, okay, I can see the value of this.
I see how this works.
Let me tap in my thing here.
And the other thing I think that projects don't do
and they need to is gratitude.
Gratitude.
Like literally just say, thank you.
You did this.
This is incredible.
The way I constituted something called
the contributor of the month
and it's voted on in the channel.
It's like, and I know of other projects
are picking this up as well.
I love this fact because we have the groups kind of say, wow, this person took every single blog
that's ever been written about Falco and wrote a Git repo for it and shared it.
Completely unasked for, completely unsolicited. We made that person maintainer of the month.
Somebody came in and literally gave us this idea
for overall response engine
and also showed us this amazing UI he had built
just for another project.
And he basically inspired
one of the other contributors
to create this new UI that we have in Falco Sidekick now.
And this is the beauty of it.
Again, it's gratitude.
It's showing the community the respect they deserve
because they're taking their own personal time
to work on your project.
So show them gratitude.
Yeah, I think maybe Jürgen,
I think you were on the meetup with Jürgen
who showed Keptn to you.
He's actually...
Jürgen's fantastic.
He's been taking the Contributor of the Month idea
and maybe he got it from you or from somebody else,
but we try to do something similar.
We do a Keptn User of the Month.
You know, we promote them
during our monthly user group meetings
because obviously these people are,
yes, they're dedicated and hopefully Keptn helps them, but still they're taking extra time out of their regular life
and building something for that out of where other people can benefit from as well. And I think that's
great. And the main maintainers are basically almost just shepherds, right? They're basically
just helping to shepherd through here. Here's how you, you know, you can do this contribution. But you
think about it like, and I'm seeing a lot of student contribution now. Like after KubeCon, a lot of folks have been involved.
They really want to get involved and understand this.
So it's a little bit more,
but then just that little level of encouragement
and that person just is doing all the things
that they can possibly do.
And I got to give props to Kubernetes
because I'm a contributor to Kubernetes, right?
In terms of this, you see the badge here.
And I learned that from Kubernetes.
I asked when we, you know,
we have a great community
from the Falco perspective,
but, you know, to grow it out,
I kind of asked this question.
I was like, well, how about myself
and I had some friends
I have in Kubernetes.
I'm like, how is it you have
this amazing ecosystem
that people like want to contribute
and people like love doing this
and stuff like that.
And they said, the main thing
is what I said to you before,
show the people contributors gratitude,
show them that they're respected for the time that they've taken away from
their kids. And, you know, maybe, you know,
from going out and grabbing a, even though during COVID,
it's really hard to grab a beer or a non-alcoholic beverage,
if they're so inclined, you know what I mean? That that's,
that's the thing we do. And if we can inspire other projects,
that's all the better for us, right?
We're doing the right things.
Yeah.
I think that comes down to the concepts of leadership, right?
And I think that's a lot of people
don't have those thoughts in mind
to just even say thank you for contributing.
So that definitely goes a long way
And what is it? It's like swag. I mean, sorry, sorry to cut you off, Brian, but like, you know, it's like,
it's like swag and stuff like that. It's cool. You send somebody a t-shirt that says
"project contributor." Yeah, it's, it's, they can brag about it. It's like, you know, they've spent time.
It's like they should feel like they deserve that. So, yeah. Yeah.
Dan, what else?
If people are, let's say, new to security and obviously there's a lot of information about Falco,
we can put all the links out there.
But are there any one or two tips that you have for somebody
that really wants to make sure to get security right,
building something for the cloud native space, besides looking into Falco, any other tips you
can give people? Yeah. Again, I'm going to go back to the tag security thing I mentioned earlier,
because there's a best practices guide that was done because I told you about that whole
overall workflow, right? From your pipeline perspective, your build, your run, your
post-mortem, your, you know, cloud posture, those type of things. There's best practices for all of those
things, right? And there's projects out there in the ecosystem, there's commercial projects out there. So
it's, and what I like about this is it lays it out. It tells, these were the things that are best
practice. This is kind of a simple one sheet that explains this stuff. And that's, if you go to, it's,
uh, TAG Security,
it used to be SIG Security, but it's TAG Security at CNCF projects and all of that. So that's, that's basically the, the, the group that talks about overall project security. So,
you know, think about, you know, Keptn or Falco, all those vulnerability assessments
that are done, they're done by the TAG Security team, but also that team is,
you know, a fantastic group that helps the people to understand what it means to be compliant from a CNCF perspective.
Outside of that, from a security perspective, like I said, there's so many avenues right now for them to look at from that perspective.
Like I said, I mentioned Alyssa's book is great.
A lot of folks on Twitter to follow.
There's a podcast to do as well.
But I would say, again, is be curious, right? Take a look at these capabilities out there from
a security perspective and see how they impact you. Not even if you're inclined to be a security
person. I'm a developer. I just want to write better code. And to me, better code can also
include being more secure. That leads to a question I was,
obviously if you have a developer listening
to something like this or listening to your own podcast,
which make sure we talk about at the end there,
how, as organizationally and culturally,
how do we start getting developers or even everybody,
but focusing on developers, right? Because a lot of code vulnerabilities, how do we really start getting them to think about, um, security? How do we start
getting them to take the time to give a crap about making sure I get security in my code from day
one? Because there's always the pressure. You got to get your code out, you got to get stuff out there.
So how, how do you, how do you get a company or an organization to add this to their culture, to adopt this?
So there's traditionally been a security team, networking, knock, whatever.
There's developers and there's operators.
Right, exactly.
You got the cops and then you got everyone trying to have a good time.
But the organizations that work, the ones that I've seen that make this work, is the security team basically just highlights the overarching
things that need to be secure and do it in a way that's not, you know, it's not so much
enforcing. So, no, you can't, you can't check in your code. Now they basically say, here's the guidelines
when you do check in your code. And there's tools out there, again, you know, that allow you to say,
okay, if you do this thing in, in, from a vulnerability
manager perspective, you shouldn't have root in your containers. Well, guess what? That's just
best fricking practice anyway. And if you're getting away with that, then you, you know, you,
you, you, you squeak by. But it's basically, if you do it in a way that's more educational versus
slap the wrist all the time, I think that's better. I've seen organizations do that. And also
I've seen organizations integrate secure DevOps, DevSecOps, right?
That coined that beautiful term.
But it's like, you know,
if you have the team that understands
that if I do check in my code,
it needs to be compliant,
it needs to be secure, awesome.
When I run this at runtime,
maybe I have some rule sets
using something like Falco,
using CIS benchmarks,
using things like OPA,
Kyverno out there to be able to have this secure
posture. If everybody's reading from the same script,
that to me is the thing that
is the most resonating for it there. But again, like you said, it's
cultural. It's a cultural issue. You have to decide, and there's leaders
out there, leaders of developers and engineering that are listening to this, you have to
decide that, yes, we're going to put our line in the sand because guess what? It costs
us money if we do have a misconfiguration, if we
have a security issue. These things get
addressed as a culture. Look, any product
out there is going to come tell
you it's, we're going to secure all of it. But if you don't have a culture that wants to adhere to
that, it's going to mean it's going to, it's complete waste of your money. Yeah. I almost
wonder, and this is a topic we don't have to debate, but I almost wonder if there needs to
be more of a drive from a regulatory point of view of, of stricter punishments for companies
that have breaches for when their databases get hacked and everyone's data gets taken away when these things happen, right?
Because obviously there's always going to be from a company point of view, well, how much does it
cost to deal with it versus how much does it cost to prevent it? So I think part of it, obviously,
if you're going to have your leaders out there who are going to say, we don't want to be in this
position. We want to have a good reputation.
There's always going to be those who need to be shepherded in.
But I think for better or worse, all of the security breaches we've been seeing lately, it's completely unfortunate that they're happening.
But as Andy and I experienced in the performance side, when you start seeing these things hit the news, that definitely helps bring up awareness and get people to think about that.
I remember,
you know, on the performance side,
when both Apple and AT&T crashed on the release of the first iPhone,
I finally was able to explain to people what I do.
Like I,
I test to make sure that doesn't happen.
Right.
And now with security,
we're starting to see more and more of these public things.
You know,
it's,
again, it's really unfortunate. I don't wish it upon anybody, but hopefully this is going to start
raising awareness, because, you know, the writing's on the wall with security. There was a presidential
mandate recently about, you know, software supply chain, you know, and looking at this from, logistically,
as, as a mandate there, we need to do, we need to think about this from a cyber perspective, cybersecurity perspective, but also
from, if you think about ransomware attacks and all that, it's definitely costly
money. And the problem, not so much the problem, the thing that we solve,
you think about the pieces that we interact with from a distributed computing
perspective. There's so many attack vectors.
There's network, there's host, there's,
there's control plane, right? There's apps. You have to have a full posture. And if somebody tells you
that, like, the posture is like, you know, it's, one of this is going to get you all of it, no, you'll
be fine. But it's not only that. It's not just the tools, everyone. It's the
culture. The culture needs to say, that's it. From this perspective, this is how we are going to stay
compliant, period. Yeah. And beyond those aspects, there's also just the aspects of a lot of people
might think, well, my system doesn't matter. It's got nothing. I'm not running a pipeline. I'm not
running this. But I was just thinking, you know,
not, not necessarily the greatest example, but recently I got a card in the mail from Amazon
saying, hey, put your prescriptions to us, right? Not that I would do that, but if you think about what
if someone hacks and takes down Amazon, right? Not Amazon cloud, but Amazon the consumer product thing.
well if they hit the prescription piece,
now suddenly you have people not getting the prescriptions,
which could be a little deadly, you know?
So I think another thing companies have to do
is change their mindset or really think about
where they fit in the world.
Going back to you, Andy, with chaos engineering,
do that mental exercise as if we're out, what happens?
You know, if people don't get what we offer, what's the impact of that? And we really need to consider security because of that. I mean,
if you're, I don't know, there's probably some people who can be like, yeah, it doesn't matter
if I'm up or down, you know, but you know, I think it is a lot more far reaching than people
would think. Supply chain even, right? What we saw with COVID, I'm sorry, I'm going on a soapbox
here, but you might think, oh, I just, I just, I'm just a part supplier. Well, you figure it down and that
breaks down the supply chain later on. Look what we saw with all these supply chain interruptions.
These things have ripples, and it's, it's such a huge thing. I just really hope people get into
it more. And I really look at the pipeline thing recently, I can, you know, like that. I mean, that,
that's raising awareness. But again, it's all, you can't think security is one thing.
Security is many, many things.
We had people putting gasoline in buckets.
But yeah, no, it's very important.
And I really appreciate everything you, Dan, and Falco is doing with this, because I think it's just on my mind a lot, you know?
Because I'm a worrier.
And you should worry to a certain degree.
But like, I will tell you this, there's amazing minds working together right now.
And not just Falco, which, you know, obviously plug for Falco, but there's so many great projects.
I mean, I know of one called Sigstore.
Really cool. Dan Lorenc is working on that. It's basically like a methodology for like, you know, key,
you know, basically like
having your containers
be completely secure
through like, you know,
private keys and all of that
in a pipeline perspective.
Really cool, cool project.
And, you know, all these things will,
I think will help with the agita
that is security.
You just need to know
or be aware of what these things are.
Yeah.
Hey, Dan,
before we close up here,
I know you mentioned this.
Why do you get to plug
my podcast for God's sake?
That's what we're doing here.
You guys are all business
on the Pure Performance
for your podcast.
Yeah.
So we're so serious
because this is my German in me.
Yes.
There you go.
So, Dan,
you mentioned it earlier
and sorry that it took so long, but you happen to have a podcast yourself. Now, what is this all about?
Yeah, I do.
Are you all sitting down? By the way, follow at Popcast Pop on Twitter. You'll see the details. So it's an audio and video podcast. I started it
a year ago, a year and a month. And basically it's
not like full tech. It's really about the people behind the code.
And so it's been phenomenal. I love it. The success of it
has been great, because I started it because I wasn't out going to see end users and customers
and all my friends in the community, right? It was like, now it was like, you know, your room, like how
can I go talk to some folks and, and whatever. So I started it, and, um, like I said, it's been, it's been
great. We had, you know, had, I think I'm at 70 episodes by, uh, 70 by the time this airs. Yeah,
thank you. And, um, I talked to, like, the mainstays of Kubernetes and the CNCF projects, um, and all that. And I'm
really excited about, um, you know, the, doing it. I'm probably next year going to take it on the road.
I'm excited for that as well. So we're going to try to do some remote stuff. Then the other thing
I'm working on as well, I'm an executive producer. CNCF is doing it, like, has a Twitch channel,
and the Twitch channel is, we're going to do some really cool shows that aren't just technical. They're also, at, technical entertainment. So, like,
things like, we're gonna have, like, a Family Feud level show. And it's basically to see, like, people
in CNCF projects will reach out to you, from Keptn, maybe Keptn wants to be part of this,
uh, basically like, kiss all the guests. I'm not the host, I'm
not the host, Matty Stratton is that. And so, uh, basically, like, going up against each other for
trivia dominance and, like, basically, like, you know, having these teams go against each other, and then
at the end of the season they get the CNCF Cup, right? So really cool stuff. And then there's also,
like, you know, what's the main thing you see from anybody? It's like, oh, I want to contribute to a project.
Well, how do I do that live?
Like, you have somebody from a project come in and show me how do I contribute to a project?
And that show's called Looks Good, Looks Good To Me.
So there's a ton of really cool, cool shows.
It's really awesome.
Yeah, we'll make sure to put all the links out there as well.
I think we're going to have a lot of links on this one.
I think so, too.
We may need to buy some extra web space for putting all the things on.
We'll buy some more pixels.
Dan, we'll follow up with you
for an email and all those things
just so we don't lose it
from the Zoom.
I copied it all out.
That's good.
Awesome.
Dan, thank you so much
for enlightening us
on the topics
that are important for you.
Besides security, I think what I learned from you is that you're a really great guy.
And we want to make sure to encourage people to contribute and also encourage everyone that wants people to contribute to show gratitude.
And with that, you know, in the end, we'll make the world a better place, a safer place and a more secure place.
Thanks for having me on.
And I have to say, Dan, talking to you made me homesick for good food.
It's out in Denver.
You know, it's pretty mediocre, but...
Come back to New York.
I'll feed you.
It's all good.
I was back there.
It was amazing.
We were back there for my friend's wedding about a year and a half ago or so, and we just, we,
we took the, um, the train down to the old World Trade Center, um, station, got to see the new one,
and we walked our way up to 33rd over the course of the day and just stopped and ate at a bunch of
places and saw the old place. You know, so much has changed, but it's just, um, yeah, it's great to have,
have good food, and, uh, you probably don't know what you got there until you leave.
But it was great catching up with you earlier, too.
Any last things you wanted to get in before we wrap up?
Nope.
Thanks so much.
This has been fantastic.
I really appreciate the opportunity of talking with you all.
And let's do this again sometime.
Well, thank you for educating us.
And thanks for helping educate our listeners. I know Andy and I always love that we get to learn
about new topics on the show, so it's always a pleasure for us. And, uh, thank you to all of our
listeners out there. If anybody has any questions, comments, or ideas for a show, or if you happen to
want to be on a show, uh, you can tweet us at Pure underscore DT or send us an old-fashioned email at Pure underscore Performance at Dynatrace.com.
Thanks again, Dan.
And as always, Andy, thank you very much.
Bye-bye, everybody.