Episode 45 of the Open Source Underdogs Podcast: An interview with Tracy Ragan, CEO and Co-Founder of Deployhub.
Episode 44: Devops, Security, & Cloud Automation Puppet with Yvonne Wassenaar, Chief Executive Officer
Mike: Hello, and welcome to Open Source Underdogs. I’m your host, Mike Schwartz, and this is episode 44 with Yvonne Wassenaar, CEO of Puppet. Yvonne is the third CEO of Puppet. Luke Kanies was the founder; we interviewed him in episode 22.
Sanjay Mirchandani succeeded him, and Yvonne took over from Sanjay in January of 2019, about a year before we recorded this episode. A CEO who takes over a company like Puppet needs a different skill set than your typical founder. Whereas the founder needs deep domain knowledge and usually a hands-on approach to business development, CEOs of companies in later stages of growth need this intangible corporate leadership ability. It’s hard to say what it is, but you know what it is when you see it. Yvonne has it, and she also has the values and an understanding of the culture that complement where Puppet is in its corporate life cycle. I don’t want to spoil any of the content, so I hope you enjoy this interview. Here we go.
Why Take On The CEO Role At Puppet?
Mike: Yvonne, thank you so much for joining us today.
Yvonne: Absolutely. It’s great to be here, Mike.
Mike: When you joined Puppet early last year, as CEO, why did you want to take on this enormous responsibility, steering the ship with hundreds of employees and thousands of customers?
Yvonne: You frame Puppet so well in terms of, it is a large employee base. We do have a lot of customers, and I’d extend it even further into we’ve got a massive community around the globe. And I did think really long and hard about whether I was the right person to take on the responsibility to bring Puppet and the impact of Puppet, the company, in the community to the next level.
And the reason I said yes to that question, to myself and to the board, is, as I thought about the opportunity, Puppet to me represented a perfect place for my next step in my journey, for the following reasons.
One, the values that are represented by Puppet, and the Puppet community aligned really well with my own, in the sense that we are really focused around – you know, being open-source core kind of the democratization of technology diversity and inclusion, having impact at the practitioner level, and really making a difference in the world around us.
And to me, I feel life’s very short, and having strong value alignment is really important. And what Puppet represented resonated very much with me.
The second thing is really around the technology and the problem that we solve. I deeply believe that Puppet and the technology that we build and work, standing upon with the community and with our own team, makes a difference in the world around us, makes a difference not only in eliminating soul-crushing work, which is what Luke started with, but makes a difference in terms of enabling companies to achieve the agility that they want, in a secure and scalable way.
And as an ex-CIO, the risk of cyber security I think sometimes is underestimated, and it’s really incumbent upon all of us to think about not only how do we leverage technology to make the world a great place, but how do we do it in a safe way.
So, to me, if I think about the values, and I think about the actual product and offerings that we’re bringing to market through the community and with our commercial offerings, that resonated really well. So, the third component was, “Can I personally make a difference?”
Given my experience across companies like New Relic, VMware, and my time in Accenture, I felt I had a good breadth of experience that I could, not necessarily bring the answer, but ask the right questions and bring the right team on board to really deliver our true potential as a company.
So, those three things combined, all aligned up, and having been here a year, it was definitely the right decision. It’s been a great ride, I think we’re doing amazing stuff, and I can’t wait for what’s yet to come.
Why Expand Product Surface Area from Configuration Management?
Mike: In the past, I might have described Puppet as being a Configuration Management Platform, but today, Puppet’s moving into areas like continuous compliance, incident remediation, and continuous delivery – why expand the product surface area? And I’m also wondering, how do you evaluate the risks that come along with that expansion?
Yvonne: Puppet as a Configuration Management Platform, I’d even say tool, has been the market perception of who we are. And that very much is grounded on where we started.
To me, the fascinating part of your question really comes down to the fact that the big shift that Puppet made in this last year was going from talking about what I would call “feature functionality”, which what Puppet does, is, really, we automate infrastructure in really, really powerful ways, to talking about the use cases and the business problems that we solve.
So, what’s interesting is, from a technology standpoint, what Puppet has built out over the years is going from a declarative approach to infrastructure automation, which is where we started, which is, we’re turning an environment to a known good state, to extending that into both declarative and task-based automation, which we leverage our open-source project, Bolt, to support and drive. And Bolt integrates with Puppet Enterprise. So, it’s both declarative and task-based, both agent-based and agentless. Now, we are extending even further into workflow, event-based automation.
The tool has gotten more robust in terms of the types of things that people can do with it, but the real shift, I think, from an impact standpoint, is, we’ve started to really be able to harvest from our customers, what do they use that tool in capability for. So, you know, certainly some people are using Puppet truly to manage the configurations in their environments, and that’s the main driver. They’re looking for that efficiency and scalability of what they’re doing.
We also found, however, that some people are deeply dependent on Puppet for compliance. And that understanding that that’s the business use for the tool, or one of the business uses for it, allows us to better serve up and meet those needs.
And interestingly, from an incident remediation standpoint, again, there’s a lot Puppet does from a declarative model standpoint that was always kind of remediating your environments in some way, shape or form, if you think about it. But it’s a very simple extension into integration with security scanners like Tenable, Qualys and Rapid7, to really start to go from having a scan, and then a manual process of sorting through PDFs and Excel files to get to business impact, to saying, “Hey, I can ingest that information, make it contextually aware in the environment, and allow people to act on it in a much more automated way.” Which not only reduces the work effort, but very importantly, to my earlier comment on cybersecurity, reduces the time to remediation of a known vulnerability, which improves your security profile.
So, the big shift, I think Puppet for a while has been making the tool or the platform more robust, but the shift that I think you’ve seen in the marketplace perspective is more around how we characterize what our technology can do in the context of business problems and business outcomes.
Priorities After Joining as CEO
Mike: In your first few months as CEO, what were your priorities, and did you feel like you needed to pivot the business after coming in after the founder? And I’m wondering, was there really a pivot needed? Or did you see that it was more of a requirement to incrementally improve what Puppet was doing?
Yvonne: Yes, it’s always challenging when you take a company over as CEO, in part because there’s a huge piece of the culture and the connection with the people that comes with that top job that you have to be sensitive to.
When I look at the journey of Puppet – Luke actually ran the company for the first many, many years very successfully, and the creation of this new market, and the proliferation of the technology at that practitioner level, there was actually another gentleman, Sanjay Mirchandani, who took over from Luke and ran Puppet for three years. And what Sanjay focused on was really selling higher up into the enterprise, and kind of, to your previous question, looking at going beyond configuration management, what was important in the marketplace.
As I took Puppet over a year ago, the key things that I noticed, one was that we were very much on the right trajectory, and it was more some fine tuning and focus that we had to drive to the business. And my real time and attention in the first year, first and foremost, was on appreciating that a CEO change, no matter how great I may or I may not be, is an experience that you need to work through with your employees and with your community.
So, my first focus was on the team and the community and really aligning around purpose. And kind of your first question, why was I even there, did I care about the same things they did, were my values aligned, how are we going to come together as a team and really drive the next level of the journey – I think that’s important advice for anybody taking on a senior level role.
Start with the people, and then, really, from a business perspective, looking at how could we get the biggest impact with these things that we have, how can we simplify and focus what we are doing to those that would make the biggest difference.
So, we did trim the product portfolio a little bit, we doubled down on areas where we felt we had differentiated capability, we started to focus a lot more on the engagement with the community; we had drifted a little bit away from that, which happens sometimes.
So, really looking at, we did our first ever in person contributor summit, looking at how could we really nurture both, the community who has gotten us to really where we are, as well as being in meaningful service to our enterprise customers, who, at the end of the day, are a critical part of the business model as well, and scaling what is now a relatively large company that has a strong open-source base, and also has a sustainable, monetary business model to care as well for.
Puppet Value Proposition
Mike: What would you say the value proposition is for Puppet today?
Yvonne: I believe that Puppet has gone from being a kind of a practitioner tool that eliminates soul-crushing work, which is a really, really important thing, and we have extended that value proposition to being a platform that enables business agility in a safe and secure way. And the way that I see us really bringing this to market is, if you think about the modern enterprise and open-source projects, they are here to serve everybody. We really focus our commercial efforts on what I would call the Global 1000. And in that segment, those companies are going to be in a hybrid, or multi-cloud world for many years, if not decades, to come.
And Puppet is uniquely positioned to, in some regards, be their automation everywhere platform, be it in the data center or into the cloud, and increasingly across the Internet of Things. And we’re able to do that because we have a portfolio of automation capabilities, so different types of automation are actually required for different types of use cases and needs.
And so, whereas before, the world was a little black and white, you know, it’s either declarative or it’s imperative, and there were religious battles, it’s like now we realize that many different types of automation are needed when you operate at that scale. And we offer all of them in a coherent way. And we’re starting to build out the intelligence from that practitioner level up through the executive level, and helping people do things, all the way from, get the work done, to create the reports and the insights that the auditors need to get you through that compliance check.
So, for me, the real value proposition for Puppet in the commercial space is being that automation everywhere platform that gives you the action that makes things like your ServiceNow and Splunk implementations complete, because they might be able to tell you what to do or where the problems are.
But it’s really when they integrate with Puppet, that you get that completion of that loop, that everybody needs to truly get the business impact.
Mike: So, Global 1000 is still a very horizontal market with all sorts of different vertical segments. I’m wondering, from tactical sales and marketing perspective, when you’re trying to convey business value to these different segments, do you have to change the marketing a little bit? Or is there any vertical marketing or segmentation going on, and how you look at the customers, and how to sell to them?
Yvonne: Yeah, absolutely. I love the question that you asked because there are so many horizontal technologies in the world, and I work with many companies, back in the day, BEA, and VMware, all very horizontal in terms of a capability. What’s interesting, however, is the importance that you highlight, which is differentiating how a product is built versus how a product is bought and consumed.
And that’s when you do benefit I think from taking a more vertical or use case approach to a technology. And, for us, for example, we do a lot in highly-regulated industries, and financial services is a great callout.
So, even though the Puppet product offerings are the same, whether in service to retail, or financial services, or tech, or government, how we speak about the technology can start to vary in terms of those segments.
And at the enterprise level, referential buying is a real thing. You know, if I’m a large bank, I’m greatly comforted if I know five other large banks also use that same technology. And you can start to help them understand the financial services banking problems that you can solve, and as I mentioned, compliance or certain compliance requirements in those industries.
So, you can start to make it much easier for your customers to get value out of your technology and to trust your technology, when you can speak in their language, and when you can connect them with their peers, who are in a similar way using your technology to solve problems.
So, what we have done – to answer your question from a segmentation standpoint – one is, recognized where are our open-source solutions most relevant and valued, and continuing to feed and nurture those. And then, being really thoughtful on where our commercial offerings are most valuable, and drive the greatest impact.
And on the commercial side then, further sub-segmenting into vertical industry, and then, as we talked about use case, are you looking to solve problems around incident remediation and reduce time to vulnerability remediation, are you more interested in compliance reporting.
At the end of the day, I like to kind of joke, Puppet is a Swiss army knife, it can do a lot of things. That’s a blessing and a curse. And when you work with large enterprise, the more specific you can be on the problem you solve – I kind of use the analogy of IKEA furniture – at the enterprise level, they really don’t want the big box of IKEA furniture showing up in a bunch of little pieces, without an instruction manual, that they have to solve themselves.
Some people like that and get a lot of joy. It’s usually not my customers, they want to have a simple easy way to get to business outcome. So, we’ve really done a lot to make that clear and easier for them.
How To Balance Open Source Investment
Mike: I thought it was interesting how you mentioned that you were, let’s say, investing a little bit in the open-source community, for example, an event for contributors. I’m wondering if you could talk about how do you prioritize investments in the commercial product versus the open-source product?
Yvonne: I think about open source a lot. For me, personally, I think we are where we are in terms of the rapid technological advancement because of open source, and how that’s really proliferated around the globe in so many ways. And I do believe that it is a great way to democratize access and contribution to technological development, particularly with underrepresented groups in countries and locations, where they may not have otherwise been able to participate at that highest level.
So, I’m a big believer in the whole concept, and I’m really proud to work at a company that appreciates and celebrates that, and invests in it. What I think is really important in the seat that I sit in is appreciating the fact that open source has in our case almost moral and principle value, but it’s also a critical component of our strategy. It is not the business model itself, but it’s a key part of our strategy.
And I think of open source in a couple different components. We have open-source tools, Puppet open source, Bolt, those are tools that our community members can contribute to and benefit from. We have open-source content, which, in our case, lives on the Forge, which makes the tools even richer. And we have some people who only contribute to content, and some who only contribute to the tool, and some who contribute to both. And then we have the users of that open-source content.
And to me, it’s important when I think about the open-source community, I think about all those constituencies because they’re all critical players even though they’re playing in different roles. And I’m very proud to say we have over 75% of our commits still coming from the community. We have a very active community.
For me, what’s important is that we are continuing to nurture the creativity, the innovation, the access, in what I would call that “ground level of capability”, and that we’re allowing people, who have interest in ownership and institutions that we’ve built, to be able to contribute and get the benefits over time.
So, we do a lot of things, from – we did a contributor summit in Budapest last year, we are doing Puppet camps again, so we’ve reinvested in that, more currently, in the process, we’re making them virtual just because of the environmental challenges, this coronavirus. But we are looking for ways that we can help people who are part of the Puppet community be able to have a platform to speak about, what they’re doing with the technology, the impact it’s having, and help others.
We have obviously community managers, we’ve got Slack channels, we’ve got some interesting ways that we’re looking at engaging with the community from the support perspective. So, there are many different aspects to it.
And to me, one of the beautiful things is I think open source has evolved a lot in the last decade. And I like to think of Puppet as one of the folks who are leading through that evolution, and how you continue to give back, and you know, garner benefit in a very, very productive way. So, super-excited about what we’ve done. I’m sure we’re looking to evolve, but I do think it’s part of what makes Puppet special.
Evolution of Sales Motion
Mike: So, originally, I’m sure open source was one of the primary let’s say distribution channels for finding customers who are going to engage with you commercially. But I’m sure that the sales, you know, processes, and motion has gotten very mature as a company has grown. How does it work today? Would you say that the open source still really is a driver for business? And, if it’s changed, like, how have you adapted to that change?
Yvonne: The go-to-market side of Puppet has evolved a lot. And open source has, as you suggested, played a critical role, and I believe it still does, but it’s shifted.
In the beginning, a lot of people who bought the Puppet commercial products came from the community, and they were the practitioners who were bringing that technology into that environment.
Many of the open-source users never felt the need to actually go and buy commercial products, they scaled up, and they built their own UIs and their own ways of advancing the open-source project in their company.
And so, we did go through a phase, where, in the early days, there was a lot of inbound. And what I would say is, now, the two things that have shifted, one is, as our ability to drive impact across an enterprise has increased, as the maturity of our solutions have increased, we’re actually selling to higher-level individuals in a company.
So, what I’d like to say is, we’re not just selling to the hands-on keyboard people, we’re selling to people who may never actually touch Puppet, the technology, themselves. And yet, the fact that there are Puppet practitioners in their company is super important. So, I think one way open source serves us today is that it keeps a rich set of talent in the marketplace that can work on, and scale and execute the technologies that we’re bringing to the enterprise customers.
The other thing that we found is, many of our enterprise customers have in some way, shape, or form, or division, used, or are using, open source. And they have just reached a point where it’s no longer differentiating for them to do all the work around upgrading the open source and everything else, to do it that way. And they’d rather move to the commercial version, take advantage of the incremental feature functionality, have a simpler upgrade process, have 24/7 support.
So, for us, I would say, in some regard, open source is still the land, people are using it, and then they’re starting to realize open source isn’t free. You’re just making different choices, do you want to have the engineering talent work on, keeping your open-source implementation healthy and current, and to build around it.
That’s the right choice for some. For others they are saying, “Hey, open source was a great way to get something started. Now it’s starting to run a critical component of my business. Maybe I’m better off, from an opportunity cost perspective, to engage with Puppet, to have Puppet provide me those services of incremental feature functionality, and reporting and support. And I can spend my valuable engineering talents time on other things that might differentiate me as a retailer, or manufacturer, or a bank.”
Is Puppet Open Core?
Mike: Would you say that Puppet is open core?
Yvonne: What I would say is, Puppet has – and I think this has been the big shift in terms of how we think as a company – certainly Puppet open source is a very mature, very impactful project that many people can build on top of, frankly, around the globe, which is wonderful to see.
What I would say is, as we think about the broader Puppet, what we are looking at is, how do we create open-source capabilities that people can stitch together in different ways to solve problems. And we don’t just look anymore at, we have to be the sponsor of those open-source projects; we absolutely contribute upstream to other projects, we leverage other open-source solutions in some of what we do. For example, Terraform and Puppet work great together; there’s actually some great webinars on how you leverage Bolt and Terraform to drive provisioning, and configuration and actioning on that.
So, we’ve really taken a much more open-minded approach, and thought about open source almost from a component or an ingredient standpoint, that can be stitched together into whatever solution that you need. And some of those solutions we stitch together in a commercial way for our large complex enterprise customers. And for others we’re providing the componentry that companies can stitch together in the way that they need, if they want to do something all open source, or put their own secret sauce magic to it.
Mike: Pricing is, I think, really hard for every company, surprisingly difficult. And it seems like the impact and the value of Puppet is so enormous to organizations – how do you find the right way to figure out, or to find, the right strategy for pricing? And you’ve only been there for a year, but have you seen that change? Do you think that the pricing model that you’ve figured out is going to be stable?
Yvonne: Pricing is an incredibly challenging topic I think to your point for pretty much everybody, and to me, what I learned early on, back in my consulting days, is one of the best ways to think about what the right pricing model is, for your company is, to start with the value chain of what you’re bringing to your customers.
If I take an early-day example of, like, an eBay, you know, marketplace, you are bringing value creating community. You’re making value by letting people sell through that community, you’re making value by letting people buy through that community. You are making value by providing different ways to attract attention.
You can kind of map out all the different value points, and then, you can make decisions on where do you want to price to be able to get a return on the value you’re creating. So, eBay for example, could have chosen to say, “Hey, you’ve got to pay to get in, and then everything else is free.” Or, you can get in for free, “There’s value in there, but let me give you that for free, and you’re going to pay these other steps.”
So, I think every company needs to go through that process and figure out where the value is that they’re driving for their audience that’s worth having an exchange. The interesting thing is, it can easily become way too complex. So, simplicity is an important rule of pricing in my experience, and then longevity.
Particularly if you’re in the enterprise space, you don’t want to be changing pricing all the time, and it runs through your systems. So, I feel Puppet, in terms of where we’ve come from, that we have a pricing model that has worked well for us and for our customer base, on where we’re at. Are there opportunities to fine tune it and evolve over time? I’m confident there are. I’ve never seen a company that hasn’t at some point in time started to shift and think differently about their pricing.
But, to me, whatever you do with pricing, it has to center around what is the value that you’re bringing your customers, and can you come up with something that’s simple and easier for them to understand that will scale out for a meaningful period of time. Because a hard thing to do is change your pricing all the time. That’s an easy way to upset your customers, and make a lot of enemies in procurement. And nobody wants to do that.
How to Encourage More Women in Open Source Business?
Mike: Yvonne, you might have noticed that the male to female ratio in Open Source Underdogs is currently 41:2. And we’re trying to improve that ratio this year, but it does reflect the reality of the tech market, which is that men are overrepresented, especially at the C-level. What can we do as an industry, or even more tactically, what can I do, as a founder of a software company, to improve that ratio?
Yvonne: I love that you’re asking the question, what can you do to improve the ratio, because I believe at the end of the day, it has to start with individual ownership and action. And we can talk about really lofty things we could do, but at the end of the day, we need to create the future reality that we want. And we all have a role in it, whether we’re male or female, different types of ethnicities and so forth; if we want a diverse world, we have to create the opportunities for that, or diverse roles in leadership I should say.
And what I believe you could do, first and foremost, I appreciate this opportunity, just showcasing Puppet and myself, and having different types of role models in your podcast. I’ve had numerous women come up to me and tell me that they aspire to be a CEO, and in part, they aspire to be a CEO because they see me doing it. That’s incredibly humbling, but it’s also a great reminder that, for many people, if you can’t see it, you can’t believe it.
So, I think, first and foremost, showcasing different types of role models, that it’s not just one type that a successful leader looks like, but there’s many. The second thing is sponsoring and encouraging people to step up to that next level.
What I have found working with underrepresented folks is that – myself included – we can often tend to be much more risk-averse. So, encouraging people to try, to build that confidence that they can go to that next level. Sometimes to give them that nice gentle push, maybe not so gentle sometimes, as I had in my career. Sometimes, you just need that.
So, I think creating the models, I think giving the pushes. And then giving the opportunities, take a risk on somebody. You’ll be amazed at what they’ll do with the right sponsorship and support. So, I think there’s a lot we can do across the board, but those are three tactical things that, at an individual level we can engage in, things that I try to do all the time.
Advice for Founders
Mike: Last question, any advice for entrepreneurs who are looking to use open source as part of their business?
Yvonne: Absolutely. I live in Silicon Valley, and I run into a lot of people who get really confused on open source, and – when I say “get confused on open source”, they confuse perhaps a desire and a belief around the power of open source as a way to democratize technology and bring important solutions into the hands of everybody, with the fact that somehow you’re going to have to figure out how you’re going to make money.
And so, to me, it’s really important to understand you can get both, I think Puppet does both, but you have to be really thoughtful what is the role that open source is going to play in your business model, because it is not a business model into itself. That’s kind of a rule number one.
The second thing that I would say is, community, community, community. I don’t think that you’re going to get a lot of benefit out of just open-sourcing the technology you build if you’re the only one building it. Certainly people might use it, they’re not going to pay you for it, they might benefit from it, they might like that it’s open source, but I think part of what’s made Puppet powerful from an open-source perspective is the community engagement, and the fact that we’re collaboratively building these different open-source projects, and that we are collaboratively building content – that is what I think truly makes open source most powerful.
So, I really think if you’re going to do an open-source solution or have that be part of your solution model, how are you going to invest in, and engage, and nurture, and grow, and sponsor, and give a voice to your community, so that you keep them engaged, so that it truly is really executing open source at what I think is the most powerful level and form.
Mike: Yvonne, thank you so much for your time and sharing your great insights today.
Yvonne: Great. Mike, thank you, it’s been wonderful. And, again, I really appreciate the opportunity.
Mike: Special thanks to the Puppet team for helping to coordinate this episode. Audio editing by Ines Cetenji. Transcription by Marina Andjelkovic. Music from Broke for Free, Chris Zabriskie and Lee Rosevere. The podcast Twitter handle is @fosspodcast.
Please, tweet at us if you have any comments on this episode. Next time, we talk to Tracy Ragan from DeployHub, a great technologist and founder/CEO.
Stay safe everyone. Until next time, thanks for listening.
Episode 43: Native-Cloud Visibility and Security With Kris Nova, Chief Open Source Advocate at Sysdig
Mike: Hello, and welcome to Open Source Underdogs, the first podcast recorded in 2020. I’m your host Mike Schwartz, and this is episode 43 with Kris Nova, Chief Open Source Advocate at Sysdig.
Kris, who also goes by Nova, has contributed to Kubernetes and several other successful open-source software projects and startups. She’s currently a leader in the Falco project, a next-gen intrusion detection tool that is an “incubating” project at the Cloud Native Computing Foundation, also known as CNCF.
My mission this year is to interview more women who are open-source business leaders, so when the opportunity presented itself to interview Nova, I couldn’t resist. But this podcast was a bit of a challenge for me. I interviewed Loris Degioanni, the CEO of Sysdig, a few episodes back, so I wanted to stray a little from my normal business model format.
It was also really tough not going down the Cloud Native rabbit hole, although I think ultimately I couldn’t resist. So, it’s slightly more techie than normal, but I hope you enjoy it. Personally, I found Nova’s perspective really thought-provoking, but you didn’t tune in to hear me, so without further ado, here we go. Nova, thank you so much for joining us today.
Nova: Yeah, thanks for having me.
Mike: So, how did you end up at Sysdig?
Nova: Well, I had come out of my third startup that had gone through an acquisition, and, you know, I took some time off from work, I did some traveling, and just kind of — it was the first time in my life and in my career, where I was able to take several months off of work and just kind of mentally reset. And I started to evaluate the industry I was working in, and I wanted to stay working closely with Cloud, and Cloud Native infrastructure, and Kubernetes, but I wanted to pivot a little bit.
And I started looking at the available spaces or sub-departments of the industry. And one of the things that really stood out to me was security. I felt like security was one of those things that you kind of look at always as an afterthought.
You don’t really ever wake up and design new software on day one to be the most secure implementation. So, I felt like we were finally there with Cloud Native, and started having more involved security conversations. I felt like there was just a lot of room for innovation in a field that I already knew a lot about starting off, with a new spin on it, which was getting involved with security. And then, Sysdig reached out, and here I am.
What Is Falco?
Mike: Sysdig makes a ton of data available from the kernel, as I understand it. And Falco, the project that you’re working on, tries to filter that data to make some actionable security information, maybe about intrusion detection.
Nova: The definition that kind of really made it sing in my mind and resonated with me was, when Loris, our founder, I think you might have already spoken with him, the way he explained it to me was, basically we take the kernel as the new source of truth. Traditionally, if you look at how you would be auditing or attempting to observe a system, the network was usually kind of the most fundamental element you could get down to and, the thesis behind that was, if it’s happening at the network layer, we know it’s true, and we can trust it.
And as we moved into Cloud Native, we realized that TCP packets were not the smallest element anymore. So, we took it even further down than the network, which is where the kernel comes into play.
I think you said it best yourself, we take a lot of information coming out of the kernel, and then we try to turn that into something meaningful for a human or a team. And that’s really what Falco does. It tries to be that connection point, that adapter between what would otherwise be an unreasonable amount of information coming out of the kernel, and then actually, trying to give you something that can help you tell a story.
Has Falco Been Good For Business?
Mike: Falco looks like a pretty impressive tool, and I’m wondering, has it been able to drive business opportunities for Sysdig, the company?
Nova: I think if you look at open source, and what that means to anybody doing open source in any industry, it’s got a new way of thinking about how you engage with other people in the industry, other organizations in the industry, other folks in the enterprise.
And I think the easiest way that I can describe, the success I’ve seen with open source is, just looking at it as there’s fundamentally a difference between building a solution for someone and building a solution with someone. And I think open source is the latter of the two, is it gives you, and it gives your organization an opportunity to collaborate with other folks in the industry. And that’s where we’re seeing a lot of these hybrid solutions.
You know, we could have open-source software called Kubernetes running in a public cloud provider, using a CNI implementation from a startup in San Francisco, all of which being secured with Sysdig. So, we’re seeing these multi-level, multi-cardinal solutions because people are building in open source, and realizing that it’s actually more effective to build a small tool that is easily consumable than it is to try to build this monolithic solution to every problem under the sun.
Has CNCF Been The Right Home For Falco?
Mike: Falco has been incubated at the CNCF. And I’m wondering if you have some thoughts about whether CNCF was the right home for the project?
Nova: I’ve been involved with the CNCF for years now. Like I mentioned earlier, I’ve worked at a few startups, we’ve donated, and built, and contributed to a handful of projects that ultimately ended up in the CNCF. And I think if you look at open source in the enterprise, and having a neutral third-party organization such as the CNCF, that can just help with things like governance, and infrastructure, and supporting the projects. And doing it in such a way that it’s neutral and unbiased for the project itself, ultimately just makes for a healthier project and a more wholesome experience for the maintainers and the end-users.
I think the CNCF does a really great job at embracing this idea that ultimately in open source the end-user is the new customer. They’re the new consumers of the open-source project, and giving them that customer-like experience is something that you really see with the CNCF, and I think really drives healthy communities.
Introducing Governance For Falco
Mike: So, one of your goals I guess, when you joined Sysdig, was to help build the governance infrastructure for the Falco project. Have there been any challenges along the way for making that happen?
Nova: I feel like when I joined, Falco was already on a trajectory to being a first-class security solution in Cloud Native that is open source. And I think I was able to come in with, you know, like I said, I’ve done this a few times, I’ve been involved with the CNCF for years, I’ve been working on other more household projects such as Kubernetes, or Helm, or Envoy. And I think I was able to come in and bring everybody together and kind of double down on our approach to open source.
I think there’s a lot of work that we had to do, that we have yet to do, but ultimately, it all comes down to this idea that, at the end of the day, Falco belongs to everyone. It’s not Sysdig’s tool, it’s a tool that was originally started by Sysdig and has already started to grow and be used in new and exciting ways.
We have end-users who are using Falco for things that we never even dreamed of originally. I think having that open-source governance, that open-source model of “We’re going to make our decisions in the public, and we’re going to give the broader community an opportunity to get involved with these decisions as we’re making them.”, has been a really big part of the direction that we needed to take the project over the past maybe six months or so.
Mike: In addition to end-users, have there been any other vendors who joined the Falco ecosystem? Maybe who are looking to commercialize Falco as part of their product or make an offering?
Nova: I mean, that’s something that we’ve tossed around with at Sysdig. And I think any time you have successful open source, somebody’s going to automatically go to, “Okay, how do we wrap this up and stick an SLA on it, and then start offering some sort of first-class support for a project?”
And in my mind, once an open-source project reaches that stage, like that’s a sign of success. That’s ultimately where you want to end up. I think Falco is right on the cusp of us getting to more of an enterprise open-source solution.
I’m excited to see both, how my company Sysdig is able to take these new ideas and run with them, and potentially see other organizations and other companies in the industry do the same thing as well. So, I feel like we’re on that horizon of this finally happening for the project, which is pretty rad.
Trade-off Of Moving To A Foundation
Mike: I guess moving your project to a foundation, it’s a lot of bull thing to do for the governance of the project, but not all open-source companies do that. What are some of the trade-offs that you have to make when you decide to move your project to a foundation, and to move the governance to sort of a more open process?
Nova: In Falco, we always talk about exchanging velocity for altitude. And I feel like in open source, we have that same paradigm of, as you go either more on the foundation side of things or more on the agile side of things, you’re going to be exchanging enterprise opportunity with the ability to be agile.
In other words, if we, as a company, had an open-source project, and we didn’t have open-source governance and an open community around it, we would ultimately be able to iterate much quicker, and it would be a much simpler and less complicated process for us to drive features, and to deal with debt, and to build new functionality. But we would be sacrificing this ability to build with other folks in the ecosystem.
If you look at Kubernetes, if you look at a lot of the sub-projects of Kubernetes, they do operate at a less agile speed or less agile velocity, but ultimately, that has empowered many different companies in the enterprise to come together and start working on building holistic solutions for everyone.
I think a great example here is, there’s an infrastructure project called Cluster API, I had helped start this project, I think two years ago now, when I was at Microsoft, and the whole point of the project was, for us to come together and start to standardize how folks install and manage Kubernetes. And it’s taken two years for us to get where we are today, so it’s happened a little bit slower than most people might be used to.
But, we now have a standardized holistic API that anyone in the ecosystem can use. And we’ve actually seen large Cloud providers, VMware, Microsoft, Google, they’ve all come together, and they’ve actually started building to this new interface. So, again we’re exchanging that velocity for that ability to be collaborative.
Mike: I remember, when I interviewed Matt Mullenweg from WordPress, he mentioned something very similar, how we could build it faster if we just build it ourselves, but the community slowed us down, but we ended up with better software.
And one of the other things I remember from that podcast was, well, just thinking about it, WordPress is really such a central part of so many ecosystems. Automattic, the company behind WordPress, isn’t monetizing every user of WordPress. There are companies that do WordPress hosting and WordPress development, so there’s this big ecosystem around WordPress, which is really impressive.
And I’m wondering, do you see the Falco project as coalescing that kind of ecosystem? And how do you get there? Or, is that even desirable?
Nova: I think the CNCF enables this type of collaboration. If you look at the projects, this is something that is baked into the governance model. When we were proposing Falco to move from the Sandbox, which is the most introductory level a project can be at, to incubation, which is where we are now, there is an entire section and an entire conversation around this concept of vendor independence, which is effectively this idea that if one vendor, who is working on a project, decided to take a step back, or take a break, or pull resources back, would the project still be able to grow, and prosper, and be healthy in the same way it is now?
And that’s a fundamental philosophy in the CNCF. So, I think you’re going to see that with every project. I think us doubling down on this for Falco was really critical to us getting where we are with Falco.
Surprising Falco Use Cases?
Mike: So, you alluded to some of the interesting business use cases that maybe you didn’t anticipate when you designed the product. I’m wondering if you could share with us what some of those are? Because I was also wondering, it seems super interesting, but how do people actually use it?
Nova: I did a presentation at KubeCon in San Diego, with a gentleman named Abhinav from a company called Frame.io, and he went into a lot of detail about how they’re using Falco in a very limited way, which is funny, because I spent the first half of the presentation talking about how Falco can audit the entire kernel, and how we can start to process and assert various signals in the kernel that go for every system call that would potentially be running in Linux. And then Abhinav walks on the stage and says, “Oh, we only use it for three.”
And it was just kind of this funny moment, where it’s like, if that’s what they needed in their pipeline, which if you go, and you watch the video, you can see the use case, and why they were only interested in a subset of these metrics here.
You can actually see that Falco is dynamic and configurable enough for them to use it very concretely in a very small, but very precise way for exactly what they needed. So, I think you see that in a lot of different open source, but especially in Falco.
Can Falco Consume Non-Kernel Data?
Mike: Can Falco consume information from other sources, other than the kernel, and make sense of it in sort of the same way?
Nova: Yeah, absolutely. One of the things that we’ve been circulating in the Falco community, and I think this is a great example of us not being able to move as quickly as we wanted, but in exchange, we’re getting feedback and insight from the community is, we’re working on a long-term supported release called Falco 1.0.
And one of the things that we learned pre-1.0 was that there was actually a lot of value in taking other input sources other than just the kernel and enriching the kernel information with these other input streams.
So, a big feature of 1.0 is going to be making secondary input streams much more dynamic and much more configurable, so that folks can start to plug other information into Falco when it comes time to building that story or that alerting system that they’re looking for, when it comes to detection, and anomaly detection, and in security.
Is There A Marketing Strategy At Sysdig For Falco?
Mike: Is there a marketing strategy at Sysdig for Falco?
Nova: Yes and no. So, we obviously have our corporate marketing strategy, we have an entire department here. And we have a lot of similar goals, but I feel like they’re implemented in different ways. I think the easiest example here is Sysdig targets customers and users of our platform, whereas Falco targets end-users, which effectively are customers, but the relationship is a little more like, “We’ll give you a foundation and the scaffolding to come and build with us.” And you’ll be able to do that effectively for free, but you’re not going to be getting a lot of the first-class features that you would be as like a commercial partner, or a commercial consumer of what Sysdig has to offer.
So, again, depending on your use case and what you’re looking for, it kind of gives us an opportunity for folks to get involved with — it’s going to cost more, but it’s going to be easier and more resilient, more reliable and more powerful. Or you can take the free open-source approach, which is going to require rolling up your sleeves and getting involved in the community.
And I think what’s really interesting from a business perspective is watching as different implementations change from one side to the other over time. And seeing how 2019, it was a commercial user, and then moving forward, they moved over to open source. Or flipping that around and going from open source to commercial.
So, it’s exciting to have that flexibility, as departments grow, or their organizations, as their needs change, as their systems change, what they might be looking for from us – it could potentially change. And having sort of an array of opportunity and avenues for them to get involved has been really powerful for us.
Difference Between End-User / Customer
Mike: What is the difference between an end-user and a customer?
Nova: I think the easiest way to say “This is an end-user.” is someone who takes advantage of open-source software in its most raw form, whereas a customer is an exchange for goods and services, where we’re willing to provide some sort of monetary compensation.
So, again, we’ll use Kubernetes here. Kubernetes is open source. If you or I wanted to go to github.com/kubernetes, we could potentially download Kubernetes and install it on some servers, and then try to go sell those servers that have a working version of Kubernetes running on it, with some sort of service agreement. There’s nothing that’s really preventing us from doing this.
And in the same way, other folks who have been contributing to Kubernetes for years and maybe even were, like Google, the original creators of Kubernetes, they have both the open-source avenue as well as the more commercial avenue. And I think you see that with tools like how GKE is Google’s Enterprise version of the open-source software that you could go download for free.
Who Ideally Would Join the Falco Community?
Mike: So, if you could see more partners join the ecosystem, what kind of partners would you like to see join the Falco community?
Nova: Honestly, I would like to see the security industry come together and start working together as a community more and more. Like I mentioned earlier in the interview, moving to security, I had to relearn a lot of things. One of the things that hadn’t really been in my career up until recently, after joining a security company, was this concept of very strict competition, and this concept of, if I have some piece of intellectual information, I’m going to kind of withhold that. And that becomes part of our IP and what we have to offer. And I think we saw the same paradigm in Cloud infrastructure.
And, ultimately, if you look at the security industry, following applications, following infrastructure, following DevOps, it’s ultimately in my mind going to end up in the same way, which is the industry coming together and realizing that it actually makes more sense for us to work together on something than it is for us to fight each other.
I would love for more folks, whether they’re security vendors, or security consumers, or even just users of security tooling, at the end of the day, to come together and start exploring different ways of securing systems, and open-sourcing, and collaborate on that.
Is Open Source Security a Trend?
Mike: I think that’s actually true. I remember speaking with Michael Howard from MariaDB, and he mentioned to me that – I don’t know if it was on the interview or after – security software is not inherently open source, that normally it would be commercial, proprietary, licensed, all the above, to keep it closed. And so, I do think it’s the idea of, there aren’t tons of open-source security tools, so, are there other open-source security tools that maybe you can identify that you can think of this as a trend, or is Falco really at the forefront of this?
Nova: I think – and if I get too often with ranting about security, please, please feel free to stop me – but I think if you look at security, having a holistic approach to two main categories is really what you want to see, when it comes time to taking security seriously and fully locking down a system.
So, I think to give a really simple example of this. If we look at solutions like Kubernetes RBAC, which is role-based access control, just describing who can do what, and when, and how they can do whatever it is they’re trying to do. And potentially rejecting requests if they do not meet whatever criteria you set forth.
But we also see this in Linux with things like Seccomp and SELinux. And it’s this idea of, we’re going to try to prevent somebody from doing something if they’re violating some sort of policy we have in place. So, there’s other CNCF tools like Open Policy Agent as a great example here. There’s an open-source tool from Microsoft called Gatekeeper. That is an implementation, a concrete implementation of Open Policy Agent. That attempts to effectively do the same thing pod security policies do in Kubernetes, but from a concrete implementation of OPA or Open Policy Agent.
But, again, we’re in the situation where these solutions, everything I just mentioned, all attempt to prevent somebody from doing something that they shouldn’t be able to do. Or to prevent some application from doing something that it shouldn’t be able to do. But if you look at the history of security, that’s only part of the story. One of the things I’ve been saying that I really feel like it’s a powerful statement is, at the end of the day, there’s no such thing as perfect software.
Even Linux, the most well-known open-source operating system in the world, the largest open-source project in the world, we still get CVEs, there are still exploits. There was Heartbleed, there was a handful of critical CVEs that have happened in my lifetime. And those are fundamentally never going to stop. And anomalies and things that you aren’t expecting are fundamentally never going to stop.
So, I think having this preventative side of things that you see with tools like access control and policy enforcement, running those in concert with tools like Falco that are more of a detective side of things really gives you like your kind of coming at the problem from two different fundamental perspectives, which kind of I wish you to double down on your security approach.
So, short answer, yes, we see a lot of other tools, but we don’t really see anything that’s as focused on runtime detection, has to do with something say like Falco, or maybe even Wireshark, which was Loris’s original project.
How Can Companies Adopt Cloud Native?
Mike: So, you’re the author of an O’Reilly book on Cloud Native infrastructure, which I just ordered.
Nova: Thank you. You should buy several copies of it, for all of your friends and all of your family.
Mike: Makes a good Christmas present. But this is a very new knowledge domain for enterprise IT staff, and reading your book is a good place to start. But I’m wondering if you have any more thoughts on how companies can get up to speed on Cloud Native infrastructure?
Nova: I think the book is a good starting point, but more importantly one of the things that I really want to stress with folks, to really have an understanding of what this phrase “Cloud Native” even means. And you can go to cncf.io, and they actually have like an entire essay that was put together that attempts to define what Cloud Native means to them.
But I feel like it’s kind of like a personal choice or a personal journey you have to go on. It’s like buying a car. Ultimately, at the end of the day, you’re going to buy the car with the features that you need, that you like, but that whole process starts with, doing test driving things, and doing research, talking to people, and going to look at cars, and spending time understanding why this car may be better in this situation or might be better in this situation.
And I think Cloud Native infrastructure follows the same paradigm of, you have to look at the ecosystem as a group of resources. And you can take these raw resources that are available in the ecosystem, my book included, and those raw resources become part of what you would use to potentially build out your finalized system.
What To Look For If You Want To Join an Open Source Project?
Mike: A couple last questions about your experiences as a veteran of being a part of open-source startups. If you’re looking to join an open-source startup, what would be some of the things you would look for that would be good signs that this company knows how to use open-source as part of their business model?
Nova: I guess there’s two answers here, coming at this from somebody who’s — I’m in a very senior, very high visibility role, here at Sysdig, so I almost wanted to join a company that needed some guidance and needed some help. If I was to join a company that was perfect and open-source was already solved. You know, they were already doing everything “by the book”, it wouldn’t be very interesting or exciting for me, and I would hope that they would not be as interested in having somebody like me come in. And for lack of a better term, do what I do best, which is helping to drive open-source adoption and collaboration.
For me, I wanted to find something that had opportunity to grow, and had opportunity and potential for us to move into really, really great things. And I felt like Sysdig was that perfect intersection of high potential with the right place at the right time with security.
Now, if somebody isn’t as insane as I am, looking to get involved with something that’s going to be a lot of work and a lot of effort, I would say the first thing I always look for is, how are decisions made, both at the company, both on your team and both with open-source projects. And another thing that I always kind of view as a red flag is this concept of open-source announcements.
If you think about it, an open-source project by design should be open to the community, you should be able to go, and read, or watch, or listen to the decisions that are made, the features that are driven, the choices that the community is deciding on. And you should be able to at the very least observe these, and if not, potentially shape and govern these things.
So, anytime I see somebody doing some sort of open-source announcement, to me, that’s just evidence that it wasn’t an open-source project to begin with. That it was built behind closed doors, and then ultimately, handed over for the sake of publicity, and not originally built in open source, as you would see with a lot of the other CNCF projects, like Kubernetes, like Helm, like OPA, like Falco.
Advice For Open Source Entrepreneurs?
Mike: Last question about open-source entrepreneurship. So, if you were in the shoes of an entrepreneur who wanted to use open source as part of their business model, do you have any advice for that entrepreneur?
Nova: Get in there and roll your sleeves up. At the end of the day, open source is, you’re not going to have that first-class experience of, “Click here, put in your credit card number, and then poof, everything works.” It’s going to take understanding what’s going on, it’s going to take contributing to the code, contributing to the project. And you’re really going to have to accept the fact that you are just as responsible for the open-source project as everyone else working on it.
Mike: Nova, thank you so much for joining us today – first guest of 2020, yay! Thank you so much.
Nova: Thank you. It’s been really nice talking with you.
Mike: Special thanks to the Sysdig team and Amanda McKinney, 280blue, for helping to coordinate the episode.
The link to the presentation that Nova mentioned can be found on the episode webpage on opensourceunderdogs.com. Transcription by Marina Andjelkovic.
Music from Broke for Free, Chris Zabriskie and Lee Rosevere. The podcast Twitter handle is @fosspodcast.
I have a big announcement: I just found out that my talk about the podcast was accepted to OSCON in July. If that happens, I’m really looking forward to sharing some of my thoughts on what all these episodes mean.
The next episode features the current CEO of Puppet, Yvonne Wassenaar, who brings us up to date on Puppet’s success in business models. Don’t miss it.
Until next time, thanks for listening.
Episode 42: EnterpriseDB, Collaborating with the community to make Postgres enterprise ready, with Ed Boyajian, CEO
Ed Boyajian, CEO, joined EnterpriseDB and helped it pivot from a small organization to one of the leading Postgres database companies. The company has figured out how to run a profitable business, while embracing and respecting the community and open development process that has formed around Postgres for more than two decades.