AWS SECURITY USING OPEN SOURCE


Episode Description

What We Discuss with Matthew Fuller:

  • What are your thoughts for organisations navigating the dilemma of buy first vs build first?
  • What is Open Source, what is the community driven model here?
  • What are the absolute foundational challenges with Open Source?
  • Is experience with Linux beneficial if you are going Open Source?
  • Do the challenges change with hybrid cloud, multi-cloud, poly cloud, etc.?
  • What are some of the considerations when choosing between open source and a vendor product?
  • What are the challenges or the bad with Open Source?
  • What's the advice to people who want to dabble in Open Source?
  • And much more…

THANKS, Matthew Fuller

If you enjoyed this session with Matthew Fuller, let him know by clicking on the link below and sending him a quick shout out on Twitter:

Click here to thank Matthew Fuller on LinkedIn!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

Ashish Rajan: [00:00:00] Hello, and welcome to another episode of Virtual Coffee with Ashish for Cloud Security Podcast. As always we’re here talking about another topic in cloud security and today’s topic is open source. And how do you use open source in AWS? I’ve got a really awesome guest over here; we go live every week. We’re coming up to our 50th episode as well soon. So do check out the YouTube channel as well as other social media that we have around to learn more about cloud security, and a special shout out to the Cloud Security Academy folks. Sweet. Now,

I’ve got my guest. Yeah. Hey Matthew. How are you?

Matthew Fuller: Hey Ashish, doing well. How are you?

Ashish Rajan: Good. So I want to start with the obvious for people who may not know you. I’ve been kind of, quote unquote, stalking you for some time and I find the content quite interesting.

I’m a massive fan of open source and I love the fact that CloudSploit was doing such an interesting job and got picked up. So for people who may not know CloudSploit or Matthew Fuller, how’d you get to where you [00:01:00] are and, what was the inspiration behind CloudSploit?

Matthew Fuller: Yes. So my career kind of started in a very traditional computer science kind of background.

I went to school for computer science technology focused on networking. And, during my time at college, one of my first internships was working for Mozilla and I was working on their Firefox security team. And that was really the part of my career where I got the first taste of open source and security and kind of a mix of things.

I was working on the, the web application security team. And I worked really, really closely with a bunch of researchers in the open source community who were reporting bugs and security incidents to Mozilla as part of that bug bounty program, and working with the researchers to implement fixes and to really improve the overall security of the product.

And, it was kind of that time when I was working so closely with that community, that I saw that ability for [00:02:00] both the security communities and the open source communities to kind of come together and improve the security of the web as a whole. And, after graduation, I worked at a startup that startup was acquired by a larger company, and I held a series of different roles during that time, though, it was kind of a cross between dev ops and infrastructure and dabbled into cloud quite a bit, moving between AWS and Azure.

And I got exposed to a lot of different cloud services. I worked a lot with serverless technologies, especially more recently, and the entire time that I went through that transition and all of those different roles that I had, I kind of continued to keep that lens of security in the back of my mind.

And as I was looking at these environments that we were building different teams, different size companies, and I noticed that it was really difficult for organizations at scale to keep the cloud secure. And so I started working on a, an open source project called CloudSploit, which was really originally just a way to educate myself.

[00:03:00] And, teach myself about all of these different cloud services. Cause I would go to things like re:Invent and the conferences like that. And AWS would announce 10, 15, 20 new services. And it was just really exciting to see all of those things available. But in my mind, again, I was coming at it from a security lens, and so I immediately wanted to see, okay, what can we do to secure these services?

What do you have to do to stay up to date with best practices? And so that open source project eventually kind of transitioned into a bigger product. people started reaching out and got a lot of attention from developers in the open source and the security communities. And, I met my co-founder Josh Rosenthal and we kind of started to turn this open source project into our product.

And, that was the birth of CloudSploit and how it became what it is today. And then last year, late last year, CloudSploit was acquired by Aqua Security. So I’m now working there as a, on the cloud security team. We’re building out products for cloud security and SaaS.

Ashish Rajan: That’s pretty awesome, man.

And it’s a really interesting transition as well. I find that really [00:04:00] interesting. It’s almost like you’re at a problem trying to solve your problem, and your frustration kind of led you down the path of doing CloudSploit.

so I gonna talk for the next one, cause it’s considering it slots you can do podcasts. What is cloud security for you?

Matthew Fuller: I think that interestingly, the cloud security is really not all that different from traditional security, right? It’s really the same concepts behind the scenes: access rights, least privilege policies, endpoint security, but it’s just taking all of that and it’s applying it to a new domain.

Behind the scenes, the cloud is really just hardware. It’s someone else’s computer, but it’s still all of those same policies and controls that you have to implement from a security perspective, but there are a number of new considerations I think, to kind of come about because of these cloud environments, specifically how services interact with each other.

The fact that everything is software now, everything can be API driven. It can be kind of infrastructure as [00:05:00] code driven, there’s this concept of the shared security responsibility model everybody’s familiar with. So you kind of have to be aware of what you’re responsible for securing versus what the provider is responsible for securing.

And it’s a very different world in that sense, but behind the scenes at the end of the day, it’s really all of this, the same concepts.

Ashish Rajan: Oh, yes, it is just a different lens. But at the same security challenges in a different landscape, I guess that’d be a fair presumption at that point.

Matthew Fuller: Yeah, that’s exactly right. I think that a, it’s just a different lens, you know, as I was talking about earlier, that kind of lens of looking through at open source through the security lens or looking at it from an infrastructure lens, it’s really just taking those same policies, the same problems that have plagued software for ages and just applying them in a different domain.

Ashish Rajan: Open source is an interesting one for me, because I also feel that cloud has kind of divided a lot of companies. Earlier, I used to feel that a lot of organizations are just, we’re just going to buy a product and solve our problem. Then this open-source community kind of [00:06:00] started really growing and like all the experts in the world, like kind of like yourself, they started going, Oh, this should be made available for the masses.

Everyone should have access to this. And for people who are in the middle of a build first versus buy first, what are the kind of challenges they should be looking at? If they’re thinking between buy first or build first? what are your thoughts for organizations who may be in that dilemma?

Matthew Fuller: Right. I think it’s an interesting problem at any, for anything, not just security, but for any kind of third-party tool or a vendor tool or anything like that.

But ultimately the cloud there’s really no cookie cutter environment. So there’s no one size fits all kind of answer. I think every organization is different, but it comes down to really just the willingness to invest. And I think that. Some of the biggest issues that I’ve seen when organizations medium-sized, maybe they’re smaller tech, try to implement the cloud security program, is that, and build it themselves and not buy it from somewhere else is that they think it’s just [00:07:00] a one-time project.

Right? You can just put some developers on it for a few months. You can build some tooling, maybe automate some things, add some stuff to your pipelines, your CI/CD tooling, and then you can pick that team and developers and move them over somewhere else and kind of forget about it and let it run in the background.

But the biggest challenge with that is that the cloud is so dynamic, right? You have so many different services, so many different new technologies, even if you take an existing service. Three weeks from now, it could be entirely different or an entirely new set of features that it supports. So that concept of building tooling around infrastructure and building tooling around your cloud infrastructure, it’s just a, it’s something that needs to be done in perpetuity.

So when you’re going into that as an organization, you have to consider all of the future impacts as well. And you have to consider the fact that this is not just going to be the team that I spin up, do some stuff, and then move on. It’s going to be something that’s just continually evolving. And so that affects, you know, the budget and affects the resourcing and affects the planning.

And all of that [00:08:00] goes into the decisions to either buy the product to kind of do all of that for you and get it out of the box, or to build it yourself. And there’s advantages obviously to both sides. But to me, that’s the biggest advantage of buying a product, if you’re not big enough to support that kind of, of a security program.

Ashish Rajan: that’s a good answer because a lot of people might feel or think that, Oh, you save on money by going open source, but then you actually spend a lot more money.

When you’re trying to either ongoingly manage new rules that keep coming out, or you’re relying on something, and I’m going to use CloudSploit’s example. It’s kind of like saying that, Oh, I’m hoping CloudSploit would have all the services of AWS covered pretty much the day after they’re released, which is A) impractical B)

it’s an open source project, what’s your expectation there? Maybe it’s worthwhile calling out our focus. I’ve got a few students over here as well, and they might be new to the world. What is this open sourcing? How do you describe open source?

Matthew Fuller: So open source. I mean, when you’re talking there about a security, it’s not always a cost thing, right? Like some people say open [00:09:00] source, it’s free, but that’s really not the main goal. I think the more important point is that you’re developing in the open, you’re establishing trust. You’re establishing, you know, relationships with the community.

When I was working with CloudSploit for example, one of the main drivers of, of continuing to support the open source model was one of trust. And, I speak to my business partner about this a lot, and you know, when you’re a smaller company, big organizations don’t really trust you as much. And so having that open source, or at least an open core part of your product and being able to point to that and say, you know, these are the actual things that we’re doing inside of your environment.

These are the controls that we’re running. This is the exact set of API calls that we’re making. It’s a tremendous benefit, especially to smaller companies, but I think anybody could benefit from it. but then also it’s, it’s one of, of commitment and collaboration. One of the really nice things that I love to see.

With CloudSploit is when some new feature or a new service or something comes out in the cloud. And [00:10:00] within sometimes hours of that new service being released, we’ll have an open source PR ready for us, if somebody in the community was just saying, Hey, I saw that, you know, AWS announced this new feature and I wanted to add it to the product.

So here it is, I made my own thing and it’s just such a rewarding, kind of experienced it to build something, build a platform, and then. Seeing that being taken in and taken, kind of under consideration by other people in the community and wanting to contribute back to that.

Ashish Rajan: I love that because the whole, the community spirit behind it.

Right. I think because I feel we’re all chasing our tails by trying to keep up with AWS or any of the other cloud service providers and the services that they release as well. So it’s only fair that you have almost like a collaboration happening. So today you may not have the time to add the rule, but if someone comes forward, Hey, I’ve already done this.

Add it to the repository. Everyone benefits from it, which I believe is the true power of open source. There’s different variations of open-source as well, for [00:11:00] obvious reasons, where you can use the code inside your organization, but you need to refer to it.

Sometimes you just copy paste it and exactly not. You don’t have to tell anyone. So, is there a space in open-source where you reckon it’s more community driven, what’s the more community driven model? Is there like an Apache license or something similar that they can straight go for, if they’re trying to think of a couple new projects?

Matthew Fuller: Yeah. I’m not an expert in, in the licensing or kind of reference, but I think that the Apache, MIT licenses are much friendlier to the kinds of open source that you would want to pull in at your, an organization.

I think if you’re an individual contributor, if you’re just looking for a project to kind of get up and running, then there’s. It’s probably not as big of an impact because chances are, you’re not going to take that code and try to build it into and sell a product yourself using it. I know there’s also a lot of other considerations with, companies that kind of start out in the open source space and then they’d have to be a wary [00:12:00] of some of the bigger players using their code or using it internally within.

their products and they’re obviously sensitive to that. And so they have to work carefully with their lawyers and figuring out what licensing they should apply to their code to prevent that. But I think at the start, it’s probably not, you know, like I said, if you’re just an individual contributor, you’re just looking to get started looking for something to put on your resume, or maybe get some experience with the cloud.

It’s probably not the biggest concern out of the gate.

Ashish Rajan: I’ve got a question here from Abdul here about what are the roles and responsibilities of a cloud security engineer? probably a very broad question. do you have any thoughts on this?

Matthew Fuller: Yeah, I think there’s different categories. Even within cloud security engineer. I mean, security as a domain itself is already becoming so. large, just in terms of the number of different roles and responsibilities that are part of it.

But even within the cloud security domain, there’s different people that are constantly focusing on compliance. There’s ones that are focusing on tooling, ones that are being part of, kind of the business conversations within an organization and trying to establish policy and really come up with [00:13:00] best practices for the organization.

So it really depends. I think that different companies do it differently. I would say starting on the side of startups, typically the, the profile of a cloud security engineer is one who’s going to build tooling, work with teams to do reviews and audits, work probably pretty closely hand in hand with other software development teams to make sure that the code that they’re pushing to the cloud is secure.

Maybe you work on some pipeline kinds of projects, but then as you move a little bit higher up in the maybe medium sized companies, larger companies, you start to split things out a little bit and maybe you see a separate, a whole separate security organization or a whole separate security team, specifically within maybe a cloud space.

And those kinds of engineers are ones where you’re probably building tooling that the entire organization depends on. Maybe you’re, you’re coming up with a series of infrastructure as code templates that the rest of the company’s going to use, or maybe you’re coming up with tooling to help audit all of the different accounts in your organization and make sure that [00:14:00] those are secure.

And the team is probably much larger. And then in the enterprise space, it spans the gamut again from people that are working on the policy side. So if you’re more, maybe into the management space, you can work with the leadership of the company to make sure that when decisions are made, when new services are brought on board, that they are truly compliant with your best practices, all the way through to people who are coding and then actually developing tools that are going to run inside of the cloud in a secure way. So it’s, like I said, it’s such a massive domain right now. It’s really interesting to see how it’s spreading out and becoming adopted across all the organizations.

Ashish Rajan: I must say like, dude, that’s a pretty good explanation. I think it explains kind of like the evolution as well, where it’s not just about the title or the word certification, but also about like, what stage that particular organization may also be in.

So I think that’s a great answer, man. I’m gonna switch topic to something else, which is what are the absolute foundational challenges that are obvious, if I’m going in now, I’ve heard about [00:15:00] open source.

I think I want to try open source and try and dabble in and learn this. I’m going into an organization, which to your point, may be in any phase of that transition to cloud, where there might be hybrid or quite deep in the cloud already. What are foundational challenges that they might face when they’re going through this program, or of just adopting cloud security in their organization?

Matthew Fuller: Yeah. So you and I have actually talked quite a bit about this before the show, but I think that kind of to go back to one of the foundational pieces, like when you want to implement a, a really secure ground up strategy in this cloud security space, you really have to start from scratch. Right? You have to start with all the way from the beginning of the policies that you want to establish, even the cloud provider that you want to use, come up with a list of best practices, whether you want to go multicloud, stick to one cloud provider, which services inside of there you have to, you know, take on and evaluate.

But unfortunately the, the way that I’ve seen most organizations adopt the cloud is that, typically, you know, maybe let’s start all the way on the [00:16:00] on-premise side, you’re in the data center and then maybe a small research team, or even an individual engineer starts using the cloud for some really small projects.

And then another team kind of gets wind of it and then maybe they spin some stuff up, and then you’ve got maybe some tooling that starts to get deployed into the cloud. And then another team maybe runs a production service in the cloud. And before you know it, the security team kind of comes by and they’re like, Why do we have all of these cloud services running and where did they come from?

Or probably more realistically, the finance team figures out the credit card charges and, and sees AWS everywhere. But after that happens, you have to take a step back and to the point you and I were discussing at that point, it’s almost too late to start from nothing and implement things in a perfect world scenario.

And so you’re starting from kind of an in-production, in-flight sort of environment, and you have to go back and take stock of everything that you’ve already departed, your company has already deployed, figure out what best practices would we need to implement. And then try to do that while the organization [00:17:00] is in production or certain parts of the organization are in production.

So it’s a real challenge. In fact, not to kind of advocate my own porch here, but I did write a post about this concept of jumping into an AWS environment that’s already been running for some period of time. And, it was this concept that most of the time, when you join a new job, when you move from one job to another, when teams kind of get shaken up within an organization, you’re not starting from scratch.

You’re starting from this very messy sometimes environment. And you have to go back and kind of reevaluate everything that’s in place and start from the position of, of a very different position.

Ashish Rajan: I’ll definitely recommend people check that article out. It’s pinned on Matthew’s Twitter page as well.

We’ve been talking about the fact that, especially for people who may be new to the cloud security field, you kind of go and learn the CIS benchmark and okay, that’s great. You can go and implement it, but sometimes you land in an environment which may not be perfect. You may not have the luxury to just go and just go through the CIS benchmark.

And to your point, there’s a [00:18:00] production go-live tomorrow. Would you focus on the CIS benchmark or would you go production? I find it really interesting.

Matthew Fuller: That’s right. The product side of the company. Of course, it’s going to tell you, you know, we have deliverables, we have things we want to get out.

We have to go live. And so, or maybe even a single security engineer within the organization, you’ve got that challenge of trying to take best practices and policies, even white papers that the cloud providers themselves have written. They’re always from the perspective of you’re starting from nothing.

It’s never, Hey, you know, 20 engineers on your team have been running services in production with no security team for the last three years. And your job is to go untangle the web and the mess and that’s practices. That’s a realistic scenario. Yep.

Ashish Rajan: Yep. A hundred percent, I think, Vineet just asked something interesting.

And I think this is in context with the open source: is experience with Linux beneficial if you’re going open source, or does it not matter? I guess

Matthew Fuller: It’s definitely beneficial. I mean, it can’t hurt at all. I don’t want to kind of say that the cloud is [00:19:00] any one provider because there’s multiple cloud providers, different companies that operate those cloud providers.

And then within the cloud providers, you can obviously operate any kind of open source project or any kind of tooling on both Linux or Windows. I think that also Microsoft has made a ton of strides recently to really improve the open source landscape and some of their tooling. And, and I know, you know, really popular development environments and IDEs now are, are all owned by Microsoft.

So, there’s really no, I, I guess the flame wars of the past have kind of died down a little bit, but experience with Linux is absolutely a beneficial thing. I think that a lot of times people that have worked with Linux, from what I’ve seen in doing hiring and talking to people that are going to join the team, is that

The kind of tinkering that you can do with Linux is just so, interesting for people that are really self-starters and want to break things and fix them and then figuring out how they work. So, absolutely. If I see Linux on a, you know, a resume, it’s a, it’s a huge plus for sure.

Ashish Rajan: I feel like Linux was the thing that started the whole thing, I guess, [00:20:00] because every time I’ve spoken about the open source community, it always somehow comes down to like, Oh, somewhere, it just links to Linux somewhere, but I’m glad you brought that up as well, because there, there are variations of Windows folks as well.

They’re not alone. If, if anyone’s like a PowerShell expert over here, there’s GitHub repositories for that as well. So don’t feel that you have to be Linux. Now probably adding another layer, right? We kind of spoke about the fact that, the great article that you mentioned as well, right? And I’m going to add one more layer. Does it really change when you kind of start thinking about like a hybrid world or multicloud, poly cloud, whatever, whatever cloud, while the hardest, the challenges change?

Matthew Fuller: I think it’s really similar. They change a little bit because you have to think of things a little bit more holistically, but the end result is the same, implementing a security program. One that, you know, the organization’s going to be able to adapt to and to follow. And when organizations are saying they’re going multi-cloud, the first thing is obviously considering if multi-cloud is [00:21:00] really a requirement. Big companies do it all the time. They say they do it. I think it’s really when you actually get down to the nuts and bolts that it’s really a difficult prospect, especially if you’re a smaller, medium sized company, to truly go multicloud.

I’m talking, you know, every layer of the stack is, is split between multiple clouds and you really have failover between one cloud and the other. But just trying to avoid vendor lock-in and things like that, they’re all valid reasons to want to go multi cloud, but from a security perspective, the real, the key is coming up with the end objectives.

First, coming up with, again, to go back to kind of the business case, what are your goals? And you may be able to define them as something like, you know, all applications, all web applications must be defined in a three tier architecture with load balancers and instances and databases. And then from there you can kind of go into each of the individual clouds and figure out what are the actual specific technologies that I need to use, or the services I need to use to implement that, and then come up with a list of best practices that your engineers and developers can follow in that cloud. But all the [00:22:00] way at the top, that end goal is still the same. Or maybe you have one requirement, maybe all logging or all API activity needs to be logged to a central repository.

So then you can go into each of the individual cloud services and see, maybe I turn on CloudTrail in AWS and, you know, excuse me, something else in GCP. But really the, the idea is coming up with that, that list first, that business use case first, and then moving from there into the specifics.

Ashish Rajan: That’s a great way to put it, man.

And, three-tier architecture, if someone’s looking for a, another layer, just try and Google for 12 factor applications and you’re like this anyway, I’ll let people Google that. I’ve got an interesting question here. I don’t know if you want to take that.

One is: how were you able to stay away from VCs and basically bootstrap? So I’m assuming main effort has an open source repo, which is quite popular. What was your aim for holding on, for people who may not know this? I guess you already mentioned the fact that it has, obviously, collaboration with Aquasec now.

So, would you like to answer this question? I wasn’t sure. I also bring it up.

Matthew Fuller: Yeah, [00:23:00] definitely. it’s an interesting point. And especially when you’re talking about the landscape today with startups, where, you know, you get to VC funding and you, you have to scale as quickly as humanly possible and really just ramp up and 10 X every year.

for me, it was actually the opposite of that in a way that I stayed away from the VCs was being more, I guess, deliberate in the sense of wanting to see it in the long run. CloudSploit started out as a side project. It wasn’t something that I was doing a hundred percent of the time. So I was focusing my spare time.

If you remember back to the, at the beginning of our conversation, I was talking about how originally it was really just a need for me to scratch my own itch and to learn more from a career perspective. and it wasn’t until later that I really started to show promise from a product perspective, but then there was a slow and steady growth there.

So I think having the initial investment. In the open source and the community that comes along with that. And I think the intention behind it, when I started CloudSploit , was to solve a problem. And it was to solve a problem that a lot of other people had it wasn’t to immediately [00:24:00] turn it into a company and try to profit off of it.

So I think that was really the key part of getting things started. And then eventually when people were starting, I simply waited and people were coming to me and saying, Hey, I’m willing to pay you if you run this thing for me, because it’s too difficult to run in multiple different cloud environments.

Then from there, I kind of started to scale it and slowly took customer feedback into account. and then eventually, you know, moved on last year to the, the acquisition, which went through with, with Aqua. But at the end of the day, I think patience is key. there are two sides to every point there’s downsides to what I just described.

It was by no means, you know, a stratospheric kind of a, of a rise. It was just a slow, steady listening to customers, building something that people really want and being willing to put in the kind of the effort in the long run, rather than trying to take it and, you know, scale overnight in the way that a lot of VCs would expect.

Ashish Rajan: I definitely feel it’s fascinating, right? We did an episode ages ago where it was all about 75% of everyone’s code, in most [00:25:00] organizations, is open source.

And, not all of them obviously want to go down the path of VC or bootstrap because at the very, I guess, foundation layer of open-source, you’re just creating it because you want to share, or you want to learn, or you want to do projects that you find are interesting, but your company may not be interested in. If you kind of want to put different spectrums of what really is open source, it could be any of this and more.

We spoke about the foundational changes and we kinda touched on the skills as well, depending on the kind of stage an organization is in, and they’re looking at, say, Oh, should we do open source, or should we go buy a vendor? Do you feel, is that like a stage where you can experiment with open source versus, like, obviously imagine a world with unlimited budget.

Would you ask them to kind of explore the open source angle? Or would you say, go for the pre-prepared and why? I guess if you want to add that.

Matthew Fuller: Yeah, I think [00:26:00] my kind of gut reaction to this, and then first response to that, it may not be what you might expect: that the larger companies, in my mind, from what I’ve seen, tend to be the ones that can benefit more from using open source and investing in open source.

There’s tremendous value for all size companies, but the ones that actually have the time and the teams and the tooling to invest in open source, they’re the ones who can leverage a product at scale and then start to contribute back to the community. You look at companies like Netflix, Salesforce.

They have really interesting projects that they’ve pushed back in the cloud security space, into the open source world. And I think when you’re a small company, maybe you’re a startup in, let’s say, the advertising space. It’s not your domain. It’s not somewhere where, you know, you want to make a ton of investment.

Your objectives are, let’s make sure that the stuff that we’re deploying is secure and let’s make sure that our developers are enabled to deploy things in a secure way. You probably have less time to invest in coming up with huge open source projects and really [00:27:00] taking 10 or 12 engineers and building some tooling.

But I think, like I said, all size companies can be both contributors to and beneficiaries of open source. But from what I’ve seen, honestly, the biggest companies are the ones that really come up with some really interesting projects in this space.

Ashish Rajan: We kind of spoke about different fields and how easy it can be to make that decision. There’s a flip side to it. You kind of touched on the fact that there’s a good and the bad.

I guess some bad could also be the fact that you have an open source repository that gets really popular. Suddenly your full-time job is obviously quite intense, quite demanding, but at the same time you have all these pull requests coming in that you want to look at from the open source repository, because obviously you want to maintain a standard on your open source because it’s popular.

But obviously there’s another side where if you’re looking at a security product which is open source, and if you do miss out on something, what’s the bad side to it? I think we kind of touched upon this yesterday. So, like, what else is the bad side for this?

[00:28:00] Matthew Fuller: Yeah, I think that the biggest challenge when you’re a small company, and maybe a single person running an open source project like that, is just staying up to date with all of the things that need to happen in order to maintain that open source project.

Maybe it doesn’t apply as much in a more static domain where things are not changing as often, but in cloud environments, you know, like I said before, you’ve got new services and new features. And if you miss something, if you are creating a tooling that, let’s say, scans policies for permission management or something like that, and new policies are being added every day, and you don’t stay up to date with it, eventually your code is going to drift out of date. And if you don’t get those contributions back from the community, it just kind of becomes stale. Now, it’s still tremendously valuable for you because you created something.

You put it out there. It’s a good resume builder. But I think from the usability standpoint, maintaining the open source project is probably 10 times harder than starting the open source [00:29:00] project in the first place. So it’s really just a challenge to make sure you stay up to date with all of those things.

And then again, in a dynamic environment, you’ve got all sorts of research you have to do yourself to stay on top of things: white papers you need to read, best practices. With CloudSploit I was going into all of these new AWS services when they were announced and basically spinning up new, whatever it was.

So if it was Lambda at the time, I was trying out Lambda for the first time. And then when it was, you know, any kind of new database technology, AWS Neptune, like all of these new services, the days they were coming out, I was trying them out and just doing, you know, what can you do with it? What are the best practices around them?

And then trying to take that and bring that back into the tool. So, it’s a demanding kind of approach. And if you go back to something we talked about earlier, when companies are deciding, do you want to build or buy this? That’s something they have to evaluate too, even if it’s not open source, even if you’re just building it in-house.

And so you have to constantly stay up to date with those sorts of things.

Ashish Rajan: Oh yeah. And it goes back [00:30:00] to the challenges as well. And I’m going to add another layer to this, even from a risk management perspective as well. Right. If something goes wrong and you’re using an open source versus, I guess, a paid product, that is a bad side as well, where, I’ll let you go and talk about it, but I feel like, what are your thoughts on that?

Where you’re using open source and there’s an incident.

Matthew Fuller: Yeah. I mean, so aside from the vendors where you pay them for a support contract in order to maintain an open source project that may be part of their domain, when things go wrong in the open source world, there is no on-call typically. There is no person you can, you know, reach out to for a support ticket, other than public GitHub issues.

There’s no company that you can go and try to get your money back from, or, you know, invoke licensing terms or anything like that. And so when you bring on open source, again, you kind of bring it back to that same investment conversation that we had. When you bring in open source, you’re getting an as-is license.

It’s yours to do what you [00:31:00] want with, we’re not using, not charging you for it, but it’s your responsibility to build it up and use it in house the way that you sort of expect to use it and then support it in house. But that goes for any technology. It’s not just security technology. There’s, you know, open source projects in probably more impactful spaces in terms of, like, runtime technology that would have a bigger impact on production workloads if it were to break. But if something goes wrong in the security space and you’ve got an open source tool, it’s really just as good as the team who has implemented it. And so it all comes back to that willingness to invest.

Yep.

Ashish Rajan: And obviously consider all the other things that come with challenges of just using an open source as well. And I think I do want to make it clear, right. I don’t think either one of us is against open source. It’s just making people aware that it’s not an easy journey. There’s definitely challenges.

And you just need to be aware that it’s great to kind of go down the open source path, but just be wary, there’s a lot of work involved in that as well. And I’m sure there’s work involved in the vendor side as well. There’s no doubt. I’m sure [00:32:00] there’s work on that side because they have, but they have a lot of people just focused on doing that.

Whereas you, as an organization, you may have other priorities for the day as well. Like you may have an upcoming audit or something or the other, where the person has to just split their attention, and then AWS would release another service and you’re like, Oh, I’m not protecting, yeah, it probably could save yourself some stress as well sometimes.

So just obviously I think we just wanted to give like a balanced view for things to consider when you go open source versus buy something. And just on that now, imagine a world where we’ve done either open source or a vendor-based product. Keen to know, how do you usually assess the maturity of security of an environment?

What’s your criteria?

Matthew Fuller: I think the first thing is really just the, kind of, the maintenance and the appearance of the account.

At first, you go into an AWS account or an Azure subscription and you’ve got things running everywhere. Unnamed, no [00:33:00] tags. Logging’s not turned on. So that’s an immediate sign of security immaturity. The more secure and, I guess, more mature environments, they don’t necessarily have a one-to-one relationship, but there tends to be a relationship, because the ones that are more mature, they put time and effort into thinking about how these resources are going to be deployed.

What’s the interaction between them? How do I keep inventory? And so those are the ones that tend to have a better posture when it comes to the security policies. But yeah, that’s honestly, that’s the biggest thing, is just going in first, taking a look and seeing, is it messy or is it not messy? And it’s kind of such a non-technical answer for what ultimately becomes a very technical question, but that’s kind of the, if I had 30 seconds to evaluate it, that’s what I would do.

Now, there are so many things that, you know, you can build on top of that. Have you defined clear policies? How does your leadership speak to cloud security? Look at your roadmap. Look at new tools that you’re trying to build, or maybe new product features you’re trying to add to your service, and look [00:34:00] into the actual JIRA backlog.

Right? And see, are there tests associated with doing security audits, doing security reviews, talking to the cloud security team? If there’s not, it’s typically a sign that, you know, maybe you’re a much faster pace to company, but you’re probably not putting that thought into cloud security at the onset. And it may be more of an afterthought where, after you’ve gone to production, then you’re bringing in a team to just kind of do some evaluations or some audits.

And so it’s really, again, a technical conversation and a business one as well. And I think there’s just so many different facets to both of those.

Ashish Rajan: Yeah, I love the idea because sometimes some of us get too technical very quickly and like, they just let us use this amazing tool that we have kind of come up with without realizing the business may not even need it.

which kind of leads me to another question. Are there any myths around cloud security that you feel should be debunked and you’re still here?

Matthew Fuller: I think the biggest ones, honestly, I’ve already been debunked a million times that the [00:35:00] cloud is not secure areas, more secure.

Those come up all the time. Typically financial institutions tend to be the ones that are a little bit more risk averse there. But it all comes down to implementation. I think people, especially thought providers themselves, have debunked that myth. I think the other thing is that, you know, another myth that I can think of is that when it comes to thinking of cloud security within an organization, that only a certain team, or maybe the security org, needs to be thinking of cloud security or trained in cloud security. And the reality is that it’s actually like any security policy. It’s everybody’s responsibility. It’s everyone’s concern, because as an engineer, maybe you’re a software developer, you don’t really have this cloud security background, but you’re building services that run in the cloud.

The second, you start deploying things into the cloud or using cloud services. You have to take security into account, and maybe there’s a security team there that can help you out with that. But [00:36:00] at the end of the day, just at least thinking about it or having some very basic training on it, it goes a long way to improving the overall security of the entire organization.

Ashish Rajan: We have a varied audience and I’m sure after listening to talk about this, a lot of people may be excited about the idea that, Oh, we could probably do open source.

It’s just start something. And if someone who’s listening to this, what’s your advice to people who may be thinking of dabbling into the open source realm?

Matthew Fuller: I’ll kind of back up. The one thing you said about being technical or not, I don’t think it’s actually a requirement at all. In fact, the open source nature, especially within the security community, you know, you can pick up things. Maybe it’s not a coding project that you’re interested in, but you can still open source other things as well.

For example, things we did early on within CloudSploit: we open sourced a set of documentation that we had put together for best practices in AWS. So whereas on the technical side we [00:37:00] actually had controls that would check things like, are your S3 buckets public, we also came up with a set of documentation that would help developers go through and audit those things themselves, including screenshots and, you know, how you want to make changes in your environment in order to fix those problems.

And we open sourced that; it was a set of documentation, right, writing words, things that, you know, nobody had to code or to build in that regard. So, not a requirement at all, and I think that, you know, in order to help be more open and welcoming to the entire community, making it clear that people can get started in that way is really, really important.

But to go back to the question that you asked about starting your own repo and the things that, you know, you would be involved in, or skillsets: I think that the key, and this was really for me, so it’s really kind of specific to what I think, but I liked working on things that I’m passionate about.

I like working on things that I’m interested in. And when I started with CloudSploit, for example, if there’s a way for me to learn about something, it’s a way for me to do something new, get some experience [00:38:00] in things. And it eventually turned into something else, but I would not have had that desire to continue working on those things for so long.

If it wasn’t interesting to me, if I was just starting it because I said, I want something to put on my resume, or I want something to, you know, do in my spare time, it wouldn’t have been something that I think I would have stuck with, and stuck through the challenges, dealt with, you know, all of the rewrites that I had to do.

And so to me, the biggest thing to help you kind of work through those things, it’s just: pick something you’re interested in. And if it’s not, you know, maybe a specific service inside of the clouds, picking a different technology, maybe you’re interested in web development, and then find out, how can I take web development and approach it from a security angle, or approach it from a different angle?

If you’re trying to get into security specifically, make that an open source project, right? Like maybe you want to come up with a framework that you can write for AWS Lambda that helps add security as part of a web [00:39:00] framework. Right? So you take what you know, you take what you’re interested in, and then you take what you want to do and put it all into a pot.

And then that’s, in my mind, the best kind of open source project.

Ashish Rajan: I’ll probably add another layer to this. And thanks for clarifying. I did not think about the non-technical part. I think this is a great point. I was going to add, for people who may be looking for a job in cloud security, that this is like an awesome thing to have on your resume, that you go, Oh my God, this person is doing so much more outside of their thing.

And to your point, it doesn’t have to be technical. It could just be a blog, or it could be documentation of, this is how you secure S3 buckets, as simple as that as well. But definitely a good, great point, man. Do you feel there is something that people are not talking enough about in the cloud security space? Because, considering you’ve been here for some time, is there something that you find is probably not spoken about enough in the cloud security space?

Matthew Fuller: I think that, to me, kind of being involved in the vendor space, looking at all of the different products and services that have kind of [00:40:00] cropped up in the last few months to years, the idea that any service or technology is kind of completely comprehensive is such a misnomer. And I think that people are not talking enough about how expansive cloud security truly is, right? How wide the umbrella is that covers so many different things. I think the field itself is still in its infancy. I think that it’s, which is great news, by the way, for anybody who’s trying to get into writing their own product or writing their own open source tool. But I think that a lot of existing companies, large companies especially, they’re thinking in silos. They’re thinking, you know, we’ve got our web application security and we’ve got our framework security and our endpoint security and our cloud security tools.

And we just put them off as one product, and that’s kind of, you know, now we’re a comprehensive cloud security company. I think that I would be willing to bet that very few companies, if any, actually cover everything. And so there’s always an open door. There’s always [00:41:00] somewhere that needs improvement.

It’s always evolving. And I think that sometimes that can be, it sounds discouraging from the outside, if somebody is looking in and they’re seeing, no, you know, there’s a hundred companies and they’re already doing all these things, or there’s a hundred open source tools and it’s already got everything covered.

But I would argue there’s always something that’s missing. There’s, you know, a new technology that comes out, something brand new. And I kind of go back to the time when, like, AWS Lambda was first announced. I think it was like 2016 or 2015, but when that was first announced, no one was really thinking about the security impacts of that initially.

But then within three to four months, you started to get some open source tooling, some products that started to spring up around it. And so every time there’s a new innovation, you’ve got a whole long tail of cloud security, or just security in general, products and tooling that’s going to follow it.

Ashish Rajan: Yeah. And I think it’s a great point as well. Hey Michael, Michael was an ex-guest as well: as the cloud becomes more featured, the amount of complexity in securing the cloud grows, even tools that help you with security. [00:42:00] Yep. They definitely take a lot more learning. Any comments on this statement?

Matthew Fuller: Yes. I think actually, if you’re not willing or not able or unable to start your own project for any reason, picking up an existing tool and making it better, even if it’s just improving the documentation, is a huge, huge benefit to the security community. I remember, like a year or two ago with CloudSploit, we had somebody commit this like massive change to our documentation that just went through and just made it so much simpler.

They wrapped it in a Docker container and they were like, this is how you run it. It’s, you know, it’s easier this way. Here’s all the flags you want to pass in, laid them out in the readme. And to our earlier point, it wasn’t a hugely technical change. They weren’t really changing any of the functionality or adding new features, but it was such a foundational change to the product to actually enhance how people can pick it up and use it and benefit the community as a whole.

So I think, to Michael’s point, just pick something, and if you [00:43:00] don’t understand it, make it, you know, a better product in some way, whether it’s documentation or a feature, anything.

Ashish Rajan: Yeah, awesome. Kind of towards the tail end of our show as well. Thank you so much for coming in. This has been really valuable for me, and I’m pretty sure, based on the questions that came through, for everyone else as well.

I can’t wait to have you back again, man. Like where can people find you online if they want to have followup conversations about this?

Matthew Fuller: Yeah, follow me on Twitter. I’m on LinkedIn. You can add me as a connection. Feel free to message me. Like I said, I’m very open and responsive, you know, especially if you’re trying to get started in this space.

And I’ve talked to a lot of people that are in school, sometimes they’re switching careers. I really enjoy those kinds of conversations as much as the ones with people that have been in the field for, you know, 10 or 15 years. So always something to learn.

Ashish Rajan: Yep. Awesome, dude, thanks so much again. And I can’t wait to come back and bring you back again, man.

Matthew Fuller: Absolutely. Thanks for having me. I appreciate it.
