How Open Source and AI impact software development in the Cloud


- Hello, and welcome to our third Azure Open Source Day. I'm your host, Sarah Novotny, Director of Open Source Strategy here at Microsoft. This year, our focus is on how to combine open source and AI to build intelligent apps. We have lots of exciting stuff for you today, including a panel discussion on how open source and AI are changing software development, a grand, unified demo showing how to build an intelligent app using open source on Azure. And then we also have "AI Fireside Chats" with NVIDIA, and Web 3.0. With that, let's get into our panel discussion.

To make this really fun, some of these questions have been generated by ChatGPT. At the end, we'll ask our panelists to identify which questions they think came from the AI, and then we'll reveal it to you at the end of the show. So now, we get an opportunity to hear from our panelists, so let's go ahead and do introductions.

Cassie, I think you're up first. - Yes, thank you, Sarah. Hi everyone, my name is Cassie Zimmerman, I'm the Senior Director of Cloud Alliances at Redis Inc. - Thank you, and Joylynn? - Hi, good morning, good afternoon, good evening, wherever you are. My name is Joylynn Kirui, I'm a Senior Cloud Security Advocate at Microsoft. - And thank you, Joylynn for joining us at an odd hour in your time zone. (laughs)

And, who's up next? - Hi everybody. I'm Jake Lundberg, Field CTO at HashiCorp. We create ever popular products such as Terraform, Packer, and Vagrant. Thanks for having me. - Fantastic.

And lastly, or not lastly, we have someone else in the office, Stormy, on our panel display. Stormy, could you introduce yourself? - Hi Sarah, my name is Stormy Peters, and I'm VP of Communities at GitHub, and I'm super excited to be here talking with you all today. - And Brendan. - Hi Sarah, I'm Brendan Burns, Corporate Vice President for Cloud Native open source on Azure.

- So, we're gonna start with some of these questions for you all. Remember, some have been generated by ChatGPT, so keep this in mind as you're doing this. We can even kibitz, and guess, as we go if you like. But my first question, you've all been doing this a while, first question is, how has the open source landscape changed in recent years, and what impact have these changes in open source had on your businesses? And I think, Stormy, you were gonna lead this one off, right? - Yeah, so we have been doing this for a while. I've been in open source software for 25 years, I think you've also been working in it for a while. I think it's more exciting than ever now.

So at GitHub, we just celebrated a hundred million developers on our platform. I mean, like, who even, just imagine, I can't even imagine a number that big, a hundred million developers working on open source software. And then, I think there's two things right now that are really making an impact; I think the first is like, who's contributing to open source is changing. Like it's always been global, the open source software community's always been really good at working globally, but based on the Octoverse Report that we did recently, we've seen like lots of growth across India and China, and Brazil, like India has almost 10 million people on GitHub, with two and a half million of them in the last year alone. Africa's been really crazy, like overall, Africa has gone up 40%, but like in Nigeria, we saw a 69% jump in the developer population.

Yeah, so I think this is like, we're evolving who can contribute and we're getting more diverse, and more insights, and more people's opinions in it. And I think tools like Codespaces, I know Codespaces is from GitHub, but I'm kind of in love with it, your development environment is all just there in the cloud (coughs) when you log in. And so, that means like in education, especially during COVID-19, we saw educators be able to bring students online right away. We see people without access to like high-end computers are able to do all their development in the cloud.

And people who might not have steady internet can be part of this world, so we're really seeing a lot of changes. And we're also seeing the framework for how we work between open source software developers, and companies, that's evolving. Like a lot of people have always wanted a full-time job working at open source, but now we're actually seeing a lot of those companies realize that they depend on that open source, and trying to give back, and trying to figure out how to amp up security, and how to fund the developers that they depend on. So, like with GitHub sponsors, we've seen millions of dollars come from companies like Microsoft, American Express, Mercedes-Benz, and go to the developers that are working on the software that they depend on. So, I think we're seeing the ecosystem change in like really exciting ways that will make it more accessible and sustainable for all of us. - Yeah, and I see Cassie nodding, so I'm wondering, you may very well have a very different perspective of how your business has changed, but you can certainly see some of Stormy's points.

So, what are you seeing, Cassie? - Yeah, absolutely. I definitely agree with the points that Stormy made. I'd love to shed a little bit of light on the perspective from how we're seeing customers use open source in addition to that. I saw a report from 2022 that said something like 76% of companies reported that they increased their usage of open source software in the past year. And under 2% actually said that they decreased their usage of open source software.

And it hasn't always been that way, I've been with Redis for six and a half years, and in the early days, open source software was looked at with wary eyes, people were a bit concerned about, "Are they reliable enough, are they secure enough? What are these projects out there?" And we've really seen that change, some of the largest enterprise customers in the world, and you know, small startups, digital natives, are really building their businesses on open source community software, thanks to these vibrant communities out there that have continued to invest. So to us, you know, I think we love it. There's so much power now in the hands of the developers to choose what types of technologies they want to use to create great software. And I think open source has such a huge part to play in that change. - That's some very clear, interesting ways that this is changing, and changing our businesses.

So, Jake or Joylynn, or Brendan, one of you have a thought on this? Why don't we go with Jake, because he's grinning. - Yeah, sure, thanks. As an open source core company, and given that we build our products off of the projects that are available, there's a couple different factors that are open here.

The fact that, you know, Red Hat is such a successful model that allowed folks to bring those types of products into their enterprises has really opened the door for that next generation of open source vendors to also do similar types of models. And so, there's lots of other factors here; you have investment, people are willing to invest in companies like ours, like folks took a chance on us and that actually paid off for them. And not only that, but you know, like Stormy was saying, we've opened up this ability to spread our developers out worldwide. And as a remote-first company, we now have the sort of luxury of being able to pick from a much larger pool of candidates to be able to work for us, both on the projects, you know, not inside the company, but also as talent within the company, as well. So, it's two different avenues in which we can get folks to contribute to the software that are here, and then the related industries, right? So Terraform, for instance, has lots of different providers that control lots of different infrastructure, and it's actually very refreshing that the vast majority of them aren't created by us at HashiCorp, they're actually created by the community, and so it allows people to integrate lots of other software, lots of other hardware into their environments by doing so, thanks. - Yeah, you're speaking broadly to the shift where companies who are consuming open source software are recognizing that it's not free like sunshine, it's free like a puppy.

And so people are contributing upstream, and participating, and scratching their own itch. Joylynn, you said developer advocacy. Tell me how your role, or how you see open source has changed for you here at Microsoft? (soft synth music) - I think I'll get to our security because I'm a security specialist here. And one thing that I've seen, and I appreciate, is more adoption of open source security tools, as well.

We've seen the likes of OWASP tools, as well, and there are very many other tools that are there for adoption by developers in terms of shifting left. So that's what I've come to really embrace and appreciate, as well, because we also, Microsoft loves open source, we use a lot of these open source tools to integrate into our software, and it's amazing. It's amazing what we're doing out there in terms of securing the supply chain. - There's a large amount of effort going into this from Microsoft, broadly speaking. We have the Open Source Security Foundation where Google and Microsoft, and a number of other companies are coming together to help invest in open source projects, as well, upstream. Brendan, you've got a business based on open source.

Tell me what has changed in the last few years other than everything. - Well, I mean, I think absolutely, there's just an incredible focus on open source for every company, right? I think, I sort of joke that the minute somebody asked us to add role-based access control to a project was kind of when we knew that we were enterprise, (Sarah chuckling) and like more and more open source is enterprise, I think at this point, instead of sort of people who are either excited about a product, or who have a need that they need to fill, I think we're seeing people just sort of embrace it as the de facto, right? Especially I think it sort of coincided with cloud, I feel like it's sort of coincided with cloud that people sort of said, "My gosh, these problems are so hard, we can't do it alone," right? If I have to build everything myself or I have to pay someone else to build it, like it's just not gonna work. We have to come together as a community to build this software that's complicated to build.

And I think as a cloud provider, we love to do it, too, because we can help build stuff, and share, and make it easier for other people to come and build on us, right? Which is, at the end of the day what they're trying to do. - And to your point, the building with the community- - Yeah. - And leveraging the long arm of other people joining and participating is really how we have all of these successes. HashiCorp and Redis, of course, have external contributors to both of their projects, but there still is a nice anchor from those companies. Same as our services are.

- And, I think a lot of companies are starting to see that when we open source, and just as a concrete example, the team that open sourced our Bicep tooling- - [Sarah] Yep. - Had no previous open source experience and they almost were scared to do it, right? They didn't know like, "I open these doors and what happens?" Right? And suddenly they saw closer connectivity to their users and customers, and they actually picked up people who almost are full-time employees contributing code out of interest, right? And so, it was a real great story of the win of being a little bit more open, and a little bit more connected to the community. - Yeah. And we get more effective development quick.

- Yeah. - More quickly. - Yeah. And people can prioritize their own features, too, right? Like we might not wanna do it, but they wanna do it, they vote with their feet and- - Yep. - And it appears. - That's the joy of open source, vote with your feet.

All right, so we have more questions coming to us, some of them from ChatGPT, don't forget. So question two, many of our panelists, including Microsoft, have a mix of open source, fully open source projects, products that are based on open source projects with proprietary extensions, and fully proprietary software. So, we have this mix; how do you see customers and users navigating these different options? So Cassie, I think you have an answer in this space that will be useful? - Yeah, absolutely. Thank you, Sarah.

So, you know, I think when we look at Redis as a whole, as Redis Inc, the company behind Redis Open Source, our roots are in open source. But over the years we've definitely seen the pain points that can occur from really scaling and managing that Redis open source, especially if you're using it to power a business or a mission critical workload. And so, at Redis Inc. we've solved that with our enterprise product, Redis Enterprise, which is commercially available as a software, as a fully managed cloud service, and have over 9,000 customers who are deploying Redis Enterprise as that fully managed service wherever they choose to run.

You know, our job as a company is we really work with our customers to understand what they're trying to do with Redis, and make sure that it's delivering to their business and to their customers, and really never goes down. But at our core, the North Star for Redis is really in the development community. So what we've tried to do is make all of the capabilities free for developers when it comes to Redis.

And that's either through, you know, our core open source software, or you know, new source available add-ons like Redis Modules, Redis JSON, Redis Search. So really, what we want to be able to do is foster the developers to go and solve problems by using the technology that they know and love, in this case, it's Redis. And when we're looking at when do you use the commercial, you know, paid version of Redis, it's really when it comes down to the operations of it, running Redis at scale and needing to, you know, support high availability scenarios like Active-Active geo-replication, maybe a hybrid workload from on-prem to the cloud. So, you know, at the end of the day we believe, let's make it as easy as possible for developers, and also support those operators to understand, and choose what they need, and when.

- And you're a wonderful partner in that operations with Azure. Because we have the Azure Redis service that is available today, and lots of people make use of it, so we have lots of joint customers, so thank you. - That's right. - We have another partner here in Jake and HashiCorp, who also runs a joint service with us. So tell me a little bit about how you see the customers in navigating this complexity. - Yeah, it's very similar to what Cassie talked about.

I would add in that there's a little bit of risk management, as well. So the vast majority of folks who get started with our software, it's a low barrier to entry with the open source software, you can download it, start experimenting with it right away. But as folks start to work in larger organizations, there's a tremendous amount of risk of having teams do things in disparate ways.

And so the vast aim for what it is that we do on the enterprise side of things is really to make that experience seamless, allow for some consistency within these environments. So, you know, financial institutions have very stringent regulatory compliance that they have to work with. So, how do I stay compliant and make sure that our RBAC systems, (chuckles) Brendan brought that up.

I laughed because I was like, "It's exactly the same kind of issues that we have constantly." How do we get very laser-like focus on who has access to what, where, how do we audit that type of information? But also like what we find is that folks tend to build a lot of scaffolding around our software. And much like Cassie said, if we look at the type of behaviors that our customers go after and the typical patterns that they do over and over, that's really where their products come in. We have products that answer those typical problems that they have so they don't have to build it on their own, they don't have to maintain it on their own. And just as importantly, they're able to get support from us, which, you know, takes all those commonalities of problems that we have across our customer base, and allow us to really accelerate their go-to-market for their products.

I mean, nobody necessarily wants to be experts on the software that we have, and so helping them get really towards their business problems, much like you have within Azure, you have an abstract environment in which they're solving business problems with. Let's reduce the sort of pain of getting to those business problems, accelerate their usage of those, and then allow us to have some kind of supportability when they run into issues with them, as well. - That gives us a nice framing for how your customers engage with the different options. Microsoft people, would you like to, Brendan, answer this? - So, I think in contrast to companies like Redis and HashiCorp, I think the interesting thing about being in Azure is that, you know, we don't have a single open source project that we're doing, but instead we're really focused on taking open source projects and operationalizing them for the customer, so that they don't have to necessarily worry about the details of, "How do I upgrade it successfully, how do I run it reliably, what should I monitor and get paged on?" But in order to do that, and in order to really prove to our customers that we can do that, there's also a component of being involved in these upstream communities.

And so, we really have to demonstrate not just, "Hey, we've got great uptime," but actually we're in the communities, we're helping with releases, we're helping with community, we're helping with all of the sort of nuts and bolts that keep the project moving. And also that we have the sort of the technical knowledge to contribute bug fixes, or even features that our customers might need. And numerous times for various customers, we've come in and made fixes, or actually added whole new parts of the functionality, accelerated parts of a project in response to specific customers' needs, and that ability to operationalize, but also contribute is a huge part of what it means, I think, to be a cloud provider of open source and what our customers are looking for from us. - Such an interesting space.

This really goes to the fact that open source needs to be a cost of goods in the services that you're delivering with it. Like the investment you make in an open source project that your service depends on, or that your products depend on, is just simply a cost of goods in those products. - Yeah. - Stormy or Joylynn, do you have thoughts on this? - Yes, your question was, how do companies decide to use open source or proprietary software, and when and where? So, I think the really short answer is everybody is using open source software. I think I saw a stat that like 80% of all new software that's developed is open source.

It all depends on open source, all has open source in it. So what we're finding at GitHub is that our customers really want to know, "What am I using that's open source? What does it depend on?" Because it's sometimes not obvious, like I'm using this piece of open source software and it has a lot of open source software dependencies and I wanna know about those, as well. And then they wanna know what software they're contributing to, what are their employees working on? What is doing well, what could they contribute more to, what needs some attention? So we've been working on just trying to give that information back to them to help them make wise decisions in open source. - You brought up a great point about dependencies, and the security issues, and security risks that come out of this.

Maybe Joylynn, do you have thoughts about open source and security, and how they connect into a product decision like this for an end customer? Like how do you help them frame that thought process? - Yes, sure. So in terms of open source and third party dependencies, we have something called Software Composition Analysis whereby we incorporate and automate security into your software development lifecycle to identify security vulnerabilities in your dependencies. And we also have a framework by Microsoft, it's called the S2C2F, so that's the Secure Supply Chain Consumption Framework, which was released a couple of months ago, should be like three months ago. So this helps companies to make sure that you are securely consuming your open source software dependencies into your developers' workflow.

So you need to make sure that you know each component that you're absorbing, or you're incorporating within your company. So you also need to have like a software bill of materials, which is what we call the SBOM. So at least you know what component is actually vulnerable because for sure we are incorporating so many components; like a typical company would have maybe in the likes of maybe even thousands of software packages within a particular software company. So, how do you keep track of that? How do you make sure that all those dependencies are secure? - Within Microsoft, it's more than 60,000 dependencies on open source software, in more than nine and a half million places in our core code base, which is just crazy.

Yeah, there's so much, even just as a large consumer of software and a large producer of software, there's so much to consider in these different choices that we make. So, question three, how do you think open source can be used to drive technological progress? And how do you see your companies playing into this regard? Do you think open source can be used to foster collaboration and cooperation? Is this something you're seeing in the industry? Discuss amongst yourselves. - Yeah, absolutely.

Well, first of all, that's kind of a lot to unpack. I'm gonna guess that one was written by a human, (laughs) and maybe, you know, sort of unpopular opinions. I don't actually think that open source drives the progress, I think that the demand sort of drives the progress, but open source enables the capability of filling in that need. And also, very quickly, because as the markets start to need these different products that are out there, lots of different people with creative solutions to those things can jump in right away. I mean, anybody can create an open source project on GitHub, share it with their friends, push it out through the community, go to events, and you know, user groups and conferences, and really sort of, you know, allow their projects to be understood that are out there.

And then assuming that the market feels that those solutions are very good, then it's just sort of like a snowball that just kind of rolls, and other people start contributing to it because they see the merits that are therein. And then, if folks are, you know, aligning a company behind that, then they can really build that vision, start to get funding for those companies, and really kind of explode what's out there. There's more to that question, and again, it's kind of long, but we foster a lot of collaboration in the interfaces, and so our software's a little bit different in that like larger projects like Kubernetes, or some of the other CNCF projects maybe have lots of different committers, and the folks that can actually merge the code within their projects. We actually have all the folks who merge the code, we have lots of different committers from lots of different areas that are out there, so we're benevolent dictators, if you will, with what goes in the software, but we accept lots of streams of software that come from there.

So, the vast majority of our collaborations, again, typically are outward bound to folks like Microsoft, like we run our HashiCorp Cloud Platform on the Azure platform. We actually started it with Consul as our first managed platform that we did with Azure, and that's really where those collaborations come in. Also within the rest of the vendors that, you know, folks may be using to consume their software; so something like Redis, we have Terraform providers, we can work very closely with the folks at Redis, we can work with folks at GitHub in terms of how our providers have people to contribute to their software, as well. So, that's the larger part of that. We do participate in some of the committees that are out there, but we're not the drivers of those particular committees.

I think (laughs) I covered all the different various aspects of that. One thing I say is that, you know, this rising tide raises all ships, and so we all really benefit from the ability to collaborate with each other in these ways of, you know, saying, "Hey, you know, these software collaborations are helping us all out." And it's very refreshing, it's very different than maybe say 20, 25 years ago. - I think I'll take the contrasting view, I guess, and say that I really do think it does drive innovation in the sense that, in sort of two senses: One, is that at an industry level, a lot of the vendor neutral open source allows for competitors to come together, right? So in a way, whether it's in the telco industry or in the cloud industry, where, you know, two competitors might not be able to collaborate directly, but they trust if they can contribute to a vendor neutral forum where the intellectual property of the trademark and all of the sort of intellectual assets are stored, they can then collaborate in that context, right? And so we've collaborated with any number of our competitors in that context. And then, I think the other part of it is the definition of open interfaces, whether it's the open container image format, or, you know, going back in history to HTML and HTTP, but these open interfaces form a basis for kind of saying, "Not my problem," right? Like below this, I'm a server and I know how to serve HTML, above this, I'm a thing that knows how to take HTML and turn it into a picture.

That enables parallel development, and parallel innovation, and those interfaces can't exist without open source, right? Because otherwise you get companies that tightly bind the server side and the client side together, and you don't have that parallel innovation. So, I actually really strongly feel, and maybe it's the difference of like a broad industry participant as opposed to a more focused company, but I think there's a lot that happens because the collaboration unlocks the ability to move quickly. - Yeah, I would say those are great insights.

And to go off of that, I think Microsoft in specific has collaborated well, at least with open source providers like Redis. And there is that fine line, I think, of co-opetition with some of the open source providers, but what Microsoft was able to do, at least in the case of Redis, is really identify that there was a need, there was a gap for their customer base when it came to the operability of Redis. And Brendan, I think you mentioned it earlier, that's something that Microsoft does well, is they notice, you know, "What investments do we need to make in order for our customers to really operate their open source technologies in the way that they need to?" And in the case of Redis, rather than, you know, Microsoft building their own, you know, for example, Active-Active geo-replication for Redis, what they chose to do was deliver that product through partnership with Redis Inc., and really natively integrate Redis Enterprise onto the Azure platform, and give developers, you know, the best version of open source software that they can, but also the operators the same thing. And so, I think Microsoft is really unique in that type of a scenario where you really are able to identify what those gaps are, and be smart about what investments to make through partners, in order to deliver the best experience to your customer base. And that isn't always the case, and so, I think that's a unique thing, at least that Microsoft and Redis have done together.

- It is definitely something that Microsoft focuses on, is making sure that our partners have a strong ecosystem around them, and have the ability to make money within the platform ecosystem that we build here. Like this is just such a core company value at this point, I think. - I mean, I would even put it a little bit stronger, I've said it more strongly in other contexts, which is I think we have an obligation, right? As a cloud provider, we make a ton of money off of people running open source on our platform. And that only happens if they're successful, open source communities, and it turns out open source developers still need to eat food, still need to pay for shelter, so they need to have successful businesses, too, right? And so, if we wanna have a successful cloud, we have to have a successful open source community and that means figuring out how to partner.

- Stormy or Joylynn, anything to add, or do we go on to question four? - So your question was, does open source drive technological progress and does it help people collaborate? And my short answer is, I absolutely think open source software helps people collaborate; it provides a framework, it provides a place for them to go to look for people to work with for code, you know, to join a project, to participate in it. And even from the very beginning with the Linux kernel, you know, you got companies that hadn't traditionally ever written software together, together to write software. We still see it now with like the Academy Software Foundation, with the next generation of movies from Marvel and Pixar being developed in open source together by competing companies. And so, I think just having it as a place, and a framework, helps everyone collaborate together. - Yeah, this speaks again to the co-opetition that happens because the technology has advanced sufficiently far that there is a lot that's been commoditized. And so, we can compete, we don't need to compete where it's commodity, and instead we want to compete on different and innovative things.

All right, okay. - Sarah, can I add one last thing on that topic? - Yeah. - Because I think, you know, the long-term partnership between these companies like Redis and Microsoft, is important. It's not a one and done thing. And as an example, today we've actually announced Redis JSON with Active-Active geo replication natively on the Azure platform; that is only possible, you know, through partnership, and through the type of stance like Brendan outlined very well, that Microsoft takes with open source technology companies.

So, really giving developers the ability to do more with the technologies that they love. In this case today, it happens to be JSON on Redis. - Well, thank you for being a wonderful partner, and thank you HashiCorp for being a wonderful partner, as well. And GitHub, too, but GitHub sort of, captured partner. - So, I think coming from a security perspective, what I've seen is standards being met, because we have several industry requirements also, which have to be met with open source.

So what I've seen, like in terms of Azure, and all the open source tools that are being collaborated or integrated to, they all have to meet industry standards. So, I'll give an example, like PCI DSS, or even CIS standards, as well. So what you're trying to do is to drive more progress within the industry by adopting like more security, more data privacy, and also having a lot of accessibility within these open source tools, within the cloud platform, as well. - Yeah, lots and lots of good stuff. To your point, the compliance is necessary in the engagement to make sure that we are giving our customers what we need, and what they're asking for, in a secure and reliable manner. Question four, speaking of progress, how do you think the rise of artificial intelligence is going to impact open source, and what role do you think these technologies are going to have in the upcoming future of open source and AI, as they intersect? - Can I take the dystopian view? - [Sarah] You can take the dystopian view.

- So I thought it was fascinating to see that Stack Overflow went and tried to ban ChatGPT from responding to questions. And I've thought about like, you know, the kind of spam PRs that we get- - Yep. - Every once in a while, I mean, it's a bit of an issue sometimes. And I'm definitely a little worried that people are gonna somehow take this and use it to like do typo fixes, and other sorts of kind of spammy PRs.

We're already in a place where it's hard to review everything and give everything its due, and make sure that new contributors feel welcome at the same time as people who are trying to just gamify open source are not necessarily getting rewarded. So I think we have to be a little careful as we look at these generative technologies. It's great that it's gonna empower people for sure, but also hopefully it'll only empower people who are gonna do good things and not bad things. - Exactly. All right, what about- - I have a really good example of the good things. - [Sarah] Okay, good things, let's go.

- Yeah, because I think AI and ML are to software development like calculators and computers were to math. But last November, I got to meet a man named Ben who works for the Norwegian Refugee Council. And when the Ukrainian crisis happened and all the refugees were leaving, they were doing like a new way of responding, and actually letting people transfer money directly to people on the ground that needed it. And so, he had to write all this new software to help get applications and transfer money, and he used Copilot, and one person tried to solve this whole problem, and he said Copilot was like having an engineer sitting next to him, helping him the whole time. So it really enabled him to respond to this crisis much faster.

And he said when he got on the airplane, it was actually like the person disappeared for a while and he said he kind of didn't know what to do, and he missed his buddy. (chuckles) - I've heard it described as pair-programming, as well. Same idea, I think. - Yeah, I mean, I'm sort of mixed, I grew up with, you know, the typical sci-fi classics, "2001", "Terminator", you know, the first thing I tend to err towards is like the human beings have a way of being very bad to each other, and using technology sort of misapplied towards, you know, sort of harming each other.

But I think one of the things that's very interesting, and especially in say the last 20, 30 years, is that we've seen a fundamental shift where it used to be like the military and governments had a usage of these particular kinds of technology. We think about DARPANET and ARPANET, who were the creators of the internet that we have. But as the software revolutions really happen in the sort of commodification and the federation of our capabilities, open source software especially, is that now we are seeing that a lot of these corporations are actually ahead of the governments, and ahead of the militaries in terms of what it is that they develop from a tools perspective. And so, we may be at that inflection point just in human history, where the actual usefulness of the software outside of harming each other could actually far outweigh, you know, (laughs) the tools that we're building to actually enable us and accelerate us further. And there's lots of like, interesting things within the science communities about just like overall consciousness, and how we get towards that next stage of human evolution.

And so, we see that, especially in things like Copilot, enabling people to accelerate specific types of workflows in very good ways. But I've also, I'm not gonna quote the title of this, the author is Daragh O'Brien, it's called "ChatGPT, it's a bleeping of Knowledge". If you go out and search for it, D-A-R-A-G-H is the first name, and it really just kind of gives a lens as to the kind of mistakes that AI and ML can make, currently. And it's really still in its infancy in my opinion. And so I, you know, while there's a lot of bad stuff that we can do with these technologies, I think that as we start to mature and really figure out how to accelerate some of our other processes, this becomes very, very important. There is one risk though; and this is just coming from us, and people who develop open source software, is that as we begin to spread out the type of technologies that folks can focus on, we may actually have fewer contributors to some of the other projects that are out there because it's the wild west. You know, there's a lot of opportunity that's out there that folks can go out and create the new next generation open source communities that create these products, that can hopefully help them sort of raise themselves up on the economic ladder.

And so, we may actually see the case that like some of this dilutes the development that we may get towards other projects. And I'm not saying that's good or bad, but it may actually impact, you know, companies like HashiCorp, and some of the rest of us that are here, in that that talent is going towards other projects or products that we may not be developing. So, that's my main concern on the downside, and of course, you know, all the sci-fi stuff that goes with it. - All right, Cassie or Joylynn, anything on this? - You know, I mean, I would just add, I think everyone is just amazed by ChatGPT and the advancements that we've seen, even in just the past couple of weeks around the world. I can't go on LinkedIn without there being a post right away about ChatGPT, and AI taking over the world. But I think, it'll be interesting to see how it influences open source software development.

You know, I think we'll all be, you know, contributing and also bystanders, to watching this next kind of generation of software development. But I think the really big opportunity here will be in machine learning, I think there's a ton of great examples of ways that it can improve businesses, give us better insights, and improve everybody's day-to-day lives. But we've all read the scary stories about AI, and the dangers around it, as well, so hopefully, we manage those appropriately. - It's a really good pattern matching system, but those aren't always really good patterns to match.

- Yeah, exactly. - Joylynn, I think question five is very much focused toward you. How do you ensure the security and integrity of your open source software supply chain? And what steps do you take to mitigate the risk of malicious actors compromising your projects' dependencies? And then, basically, how should developers think about managing that risk on the side while working on their own applications? How do they think about this? - Interesting. So, one thing, having worked with developers: they don't think that security is actually their responsibility. So one key thing that we all need to know is that security is everyone's responsibility.

And how we come in here is making sure that we are ensuring security and integrity in your open source software supply chain. As I said earlier, you need to know all the components, all the open source software that you are actually incorporating within your software, and you need to know which ones are actually vulnerable. So you'll find that some packages or some open source libraries, which are out of date, are vulnerable. So we have zero day vulnerabilities; so we have to make sure that you are also monitoring if there are any zero day vulnerabilities on components that you're actually using. So, to make this feasible, to make sure that you are actually meeting or identifying them on a day-to-day basis, you actually have to automate and make sure that you have it monitored every single time. So, as I said before, you have to know your SBOM, your software bill of materials, and what open source software you are actually using, and if they're actually vulnerable.

And you have to make sure that you also train new developers to identify them on the go, as well. So we have several tools as well, that you can be able to incorporate even from the developer side that can be able to identify vulnerabilities in your open source software. So I don't know, maybe Stormy will mention a bit around this, but one key component that we use is Dependabot. So Dependabot will identify very many vulnerabilities in your third-party and open source software, as well.

And this is something that all developers should be able to use on a day-to-day basis to identify security vulnerabilities whenever they're developing. We also have very many other open source tools that are available that you can be able to integrate into your IDE as a developer, and identify security vulnerabilities in your third-party components. And, as I mentioned earlier, it's also important to use a framework like the S2C2F by Microsoft; so this one is within the open system of supply chain integrity working group. So, this one is a secure supply chain consumption framework. So just make sure that whatever you're consuming is secure.

I can't reiterate this enough, you have to know what components you're absorbing, and if they're actually vulnerable. So identify the various tools, we have open source tools as well, that are available, we have tools like Dependabot, within GitHub Advanced Security, which you can be able to use to identify the security vulnerabilities. - Thank you.

You made an incredible point with the security as everyone's responsibility, from the developer consuming the dependency that sits there unknown, and unmanaged, and unmitigated, or even unrealized as a risk. That is the problem, this makes it everyone's responsibility, from the developer all the way up to our ISVs, and our vendors with products that are also projects. So tell me, anyone else wanna jump in on this? Like how do you secure your supply chain? How do you secure your supply chain? (Jake laughing) - Easy for you to say, right? So yeah, and you said something there I actually have issues with- - [Sarah] Oh, good! - Not necessarily what you said, but it's the concept of shift left. I think you agree with me in this, and that security should be just shifted in all directions, right? But to get to the question, we actually have a fairly rigorous process in which we catalog any of the dependencies that we have.

It's sort of funny, Joylynn, when you said SBOM the first time, I thought you said F-bomb, and I thought I missed something. I was like, "Whoa, what happened there, she's getting a little risqué!" (chuckles) So back to the SBOMs, yes, we have a very rigorous process by which we do scanning on any of the dependencies that we have. Also just in the building of the packages that we have, as much as possible, we'll try to build them from the ground up if we can, build them from source, so we can review those things, do the security scanning on them, and then we have full sort of control of the end-to-end process. Normal things like signing of any of the software that we're responsible for when we cut those things. And then just watching the overall wires like CVEs if they come out for particular projects, and then flagging those things if they need to be updated, rebuild those packages, and get that.

Not only that, we also have bug bounty programs, so if folks actually figure out that they have some kind of an issue with our software, they can report those things to us, and we'll go get those fixed, as well. So, just a little bit from the HashiCorp side. - I'd say it's really been good to see open source projects get a little more mature about bug bounty-ing too, right? Because it's easy for Hashi at some level with a company to create a bug bounty, it's harder for an open source project that isn't so tightly associated with a company. But we're starting to see foundations recognize like, we need to actually do this if this piece of software, whether it's the kernel, or Kubernetes, or anything else, is an important piece of software, we're gonna have to pay people who find vulnerabilities in it, or else they will sell them somewhere else. - Well, this is the problem: the incentives are misaligned for a zero day.

- But I would say the other thing, you mentioned a lot of people who you thought should be responsible, but I would say actually I think there's a lot of responsibility to be borne by the tools and package communities, that frankly I don't think they've quite absorbed, right? It's great to say, you know, a developer should pay attention to the dependencies and everything else like that. But the truth is that if you rev a dependency, you're not looking, like nobody's looking, right? And I think we need to do better at assessing risk, and building a sort of web of trust. - Yep. - Right?

Wherein we can say, you know, this person suddenly, a contributor popped up who'd never contributed to this open source project before, landed 10 new contributions, and now they're in this release you're about to pull in, right? That's a riskier thing to do than if you've been pulling commits from people who've been contributing for years, and years, and years, right? - We've been talking a lot recently about trusting the processes that are created around open source, as opposed to trusting a person in open source. - Right, right. - So making sure that there are multiple reviewers, et cetera. - Yeah, how do I know that, for example, I mean we force everybody to turn on 2FA- - Right. - In GitHub, right? How do I know that this dependency I'm pulling from NPM- - [Sarah] Yeah. - Forced everybody on their GitHub project to turn on 2FA, I can't.

- [Sarah] Yeah. - Right. So I think we need to do a lot more at kind of helping the communities figure out, "Well, what are the places where we trust people? What are the places where we don't trust people? And how do I tell the difference?" Because right now when I run, you know, NuGet install, or I run npm install, or whatever, like trust just doesn't enter into that equation, right? - [Sarah] Yeah. - We see our customers struggling with that, as well- - Or you're YOLO-ing your way through it. - Right. - I agree it's all about tooling.

Like, we want open source software developers to know about security, and you know, we have open office hours and tools to help them, but in the end we need tools that help them all with security so they don't all have to go get a PhD in security. So helping them understand their dependencies, alerting them when there's vulnerabilities, and all the things that Brendan talked about, like the more that we can help them through tooling, the better that we'll all be. Because we can't expect them to all be security experts. - And I think it's interesting. I've been participating in some Rust projects lately, and there's a tool for Rust where you have to go in and label things like, "This is safe to deploy," or "this is safe to run."

Right, and it pushes security very much to the front of the dependency in a way that I hadn't seen before. So, it's interesting. - All right, last question. We're running short on time, so let's figure this out.

Question six, again, maybe from ChatGPT, maybe not, tying software security back to AI. With the rise of GPU-based crypto mining, there's been an increase in attacks on AI workloads. How do you think companies and open source communities can address the problem of CPU-based crypto mining, malware exploitation in AI workloads? Maybe we can skip this. And what steps are your companies taking to protect against these types of attacks? It's very specific. - So, this question was definitely written by ChatGPT- - ChatGPT. - No human talks like that, or can pronounce that correctly.

- Okay, cool. Anyone trying to prevent crypto mining in their infrastructures? - Well, I think, I mean, I will say that we definitely, and I think whether it's GitHub Actions, or Cloud Shell, or any number of these kind of like Codespaces, general purpose compute platforms that are intended to be really easy to use can also be used- - Are really easy to use. - For this sort of stuff. And what we've seen is people are extremely creative, right? And for a long time it was people putting stuff alongside really useful Docker images, right? So it does a really great job at being a Node.js server, and also crypto mines, right? And you know, you don't necessarily notice, right? I always said that one of the problems with cloud compute is when somebody pegs your CPU at a hundred percent, you don't hear the fan spin up, right? Like it's happening somewhere else. - [Sarah] Yeah.

- So I think that one of the things that we've done a lot of is looking for... The truth is that developers are actually not that good at utilizing computers- - Mm hmm. - And crypto mining often is, and it's actually something that's very easy to tell. Like nobody uses that much of a CPU, so, you know, fortunately tools like the monitoring and Kubernetes, and things like that can tell you, say that container is suddenly using a lot more resources, maybe you should go take a look.

And that's enabled us to go and do some of that stuff. But also I think talking about responsibility, talking to other companies about what might happen, and helping their developers, you know, we've seen problems with people accidentally putting stuff just on the public internet because it was the easiest way to access it, right? Like, they're just trying to get their job done. And so, building tooling that helps them get their job done, but in a secure way, is also a critical way of preventing crypto from even getting into the software in the first place. - We've also seen protestware in open source, occasionally, which is another interesting one; someone takes their project, and goes ahead and either hands it off, sorry, protestware would be specifically they change it in a way that changes its effect. But there are also some where people are brought in as new maintainers because they say they want to manage something, and then it becomes not what we initially intended.

- Or even geo-targeted, right? - [Sarah] Yeah. - There have been people who put in stuff wherein for specific IP ranges they do different things. - [Sarah] Yep. - It's a- - [Sarah] It's an interesting- - It's a very interesting problem, and yeah, it shows the fascinating aspects of the community. - And part of the dependency analysis.

All right- - It's really- - Oh, go ahead Jake. - Well, it's really fascinating, because it may not be specific to AI workloads, but because we provision cloud infrastructure across lots of different areas, the one attack we see a lot is people checking their credentials into their version control. You'd think folks wouldn't do that anymore, and it happens a lot. And so, you know, when you talked about GitHub Actions and some of the work that we do around how do we get workload-based identity and RBAC systems again, and another enterprise problem is like, how do we build the safety network around the deployment of that infrastructure such that there's not a lot of hands-on processing, or the need to carry cloud credentials, or other application credentials across. And so, I mean, we have those type of things built into our product, but interestingly enough, we still have to do like workshops with our employees and basically tell them not to do that kind of behavior, right? The scanning helps and whatnot, but sometimes you just gotta hack the humans (chuckles) and tell them not to open themselves up to those vulnerabilities. - Yep, which is an excellent point.

Go on, Joylynn. - Yeah, no, I totally agree. Hacking people, that's the vulnerable part, humans are the vulnerable component within the organization. So, security awareness is something that should be done every so often, even whenever you're onboarding new developers, or new company employees, and even afterwards, you need to make sure that they're trained. And also, like a majority of the attacks that we're seeing nowadays in the cyber threat landscape are from bots.

And so, you need to have like security defense in depth, yeah? So at least you're putting layers and layers of security to prevent most of these threats from actually being successful. As well as, yes, awareness, awareness, awareness, because it's from the human component that you actually get most of these, even ransomware infecting your whole infrastructure. So, yeah.

- Lots of work, lots of accountability, lots of awareness. All right, anyone else, last thoughts? Well, then let me say thank you to each of you for joining us, and for engaging with these questions. Stick with us till the end of the show, and then we can tell what the answers are, which of these questions were made by ChatGPT. So, stay tuned.

So finally, we do get to have a little fun with the show. We've been asking you if these are ChatGPT generated questions, or not. I have the big, secret information, right here. Please hold. (upbeat synth music) - A drum roll. (mimics drumroll) - All of them, except number two.

So, we got some of them right? (everyone chuckling) We were convinced number two was, but- - It's true. - All of the rest of them were, in fact, created by ChatGPT. Thank you, all. (Jake laughing)

- Thanks, everybody. - Thanks. - Thanks, everyone. (upbeat synth music) (music fades)

2023-04-01