Hi, folks, I am sitting here with my good friend John Viega, the chief executive officer of Capsule8. How you doing, John?
>> Good, Ed, thanks for having me.
>> Hey, listen, tell us about yourself. And kind of how you got into being CEO of a cool internet startup company.
>> Absolutely, I stumbled into security by accident, wrote the first book for developers on how to build secure software with our good friend Gary McGraw. Did the GCM encryption algorithm that's used everywhere. And then took a turn onto the business track with McAfee, where I was a tech exec for a long time. And then landed at Capsule8 just because I'd done a good job marrying deep technical background in security with the business side of things.
>> How does somebody with a super geek background as a developer hacker get into starting a company? Is that a big transition to go from, I'm assuming you still do tech work. But is it hard to be the CEO of a cyber security company?
>> Yeah, I spend a lot of time sitting on my hands.
>> [LAUGH]
>> Meaning I want to roll up my sleeves and do something that keeps me from atrophying, but I try to stay disciplined about prioritization.
>> [LAUGH] Tell us about the company. You guys work, Linux security is your area, so what do you guys do?
>> So Capsule8 is doing security for production environments. So those pretty universally run Linux, more and more so; 93% of instances in Amazon are running Linux. And even a third in Microsoft's cloud are running Linux as well. And so, what we're doing is providing visibility into what's going on on your production systems without impacting production. Then doing security on top of that, particularly threat protection, looking for instances of attacks and preventing those. Being able to respond seamlessly to that, and then if there is an incident, give you the ability to go back and do forensic investigations.
>> This may sound like a dumb question, you can fix it if you say it wrong. But in terms of the Linux software, do you guys have to add a bunch of stuff to it? Or is most of it there and you're just making use of what's there? Are you adding, or are you just sort of, or is it all of the above?
>> Now, so in terms of adding, that's something that big enterprises are really sensitive to. They don't want a Linux kernel module, it risks stability of the system. It means if they do have a problem, their Linux vendor's not going to support them. So in a sense you can't build something that adds to Linux, and expect that people are going to use it. So we have to make do with the technologies it provides for getting data out and doing whatever we need to do. So thankfully, Linux over the past few years made great progress. So that's actually something where what we're doing today to provide real protection to a Linux system, we couldn't have done five years ago, not even three years ago.
>> What's kind of the business model, are you selling to data managers, to software companies, to enterprise security teams, like who would be buying your product?
>> Right now we're focused on large enterprises, and many of them are making this transition right now. Where they're designing platform as a service for internal use, and that might be based on a hybrid of going into a public cloud and still some on their private cloud. And they're stitching together open source and sometimes commercial components. And they want to have their own kind of internal platform that they give to developers. And so that's really where we're starting, is becoming the security fabric for companies that are making that transition. And so that is typically the Fortune 500 enterprise today. And as we figure out what their needs are, we'll have a good sense of how that's going to transition to other markets and move on from there.
>> Those numbers you said earlier are staggering, you've told me that before. The percentage of coverage that Linux has in a data center. I bet a lot of people watching don't realize how pervasive that is.
>> Yeah, I was kind of surprised that Microsoft bragged about it.
>> [LAUGH]
>> A third of our servers running Linux.
>> [CROSSTALK] [LAUGH]
>> Probably at some point be dealing with Microsoft folks. Hey, let me take you back to your earlier work. You did a book with Gary McGraw.
>> Yeah.
>> And it's about secure coding. I want to ask, maybe this is a rhetorical question. But is it possible to write secure code? I bet you get asked that a billion times.
>> You know what, probably not actually. I think everyone just assumes that it isn't. And I'd say that's pretty much universally true. There are, even in the early days, I can remember finding a security vulnerability in some code that one of the L0pht guys wrote. Who knew everything that could go wrong that people had found out about, and still it was tough for him to kind of keep it out of his code.
>> L0pht being one of the more prominent hacking groups kind of over the last 10 or 15 years.
>> Right, right.
>> Little less active now, it seems like.
>> Yeah, they got acquired by @stake what, 15 years ago, and they kind of disappeared as a thing, but they were really the smartest of the smart. They were still messing things up, and I'd say that we've got a lot of abstraction too that helps in some instances. But it's really, I think there is, as long as there are stupid people, there will be ways to game a system, and everybody is at some point. So I think that the software security problem might get better but it's not ever going to go away. Coding is just too complicated in itself to never have any security problems.
>> Are you more optimistic or pessimistic about cyber security in general?
>> Some days it feels easy to be like we're hamsters on a treadmill, and the faster we run, the more we realize we're not making any real progress. I think there's still plenty of room to innovate our way out of it. I think that some people would say, well, it's a lost cause because the bad guys can always reverse engineer and figure out any problem that's there. But you always can set the bar higher, so it's a question of how much work they have to do. And then in our modern world too, when a lot of your code runs in the cloud and there's no access to the source code. Then security through obscurity can actually help provide more robust systems. I feel like there are a lot of modern companies that do a good job of locking down their production environment, reducing their attack surface. And have relatively few incidents compared to the titans of yesterday, the Yahoos of the world who can lose billions of records and not notice it for a couple of years. So I feel like there are always new problems, and it is an arms race. But we're trying to find the force multipliers that will kind of help us stay abreast of it, but I'm not sure that ever changes. That's always, if we do nothing, then we're even more hosed.
>> Yeah, so I'm glad you're doing the work you're doing.
>> Thanks.
>> On behalf of our whole learning community, I want to thank you for taking some time in sharing.
>> Thanks Ed, thanks for having me.
>> And we'll see you all in the next time.