
Episode Description

What We Discuss with John Kinsella:

  • 00:00 Intro
  • 05:35 What is Cloud Native?
  • 07:15 What is Monolith?
  • 10:22 Moving from Monolith to Cloud
  • 12:56 Security Challenges of moving from Monolith to Microservices
  • 20:23 Security Challenges of moving from Monolith to Cloud Native
  • 25:45 Third Party Apps vs Cloud Native
  • 33:37 On-Premise vs Cloud Native
  • 40:21 Patching + AWS SSM
  • 48:42 DevSecOps for Monolith Applications
  • 53:40 Successful Migration from Monolith
  • 58:10 Where to learn more about this?
  • 59:24 The Fun Section
  • And much more…

THANKS, John Kinsella!


And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

Ashish Rajan: [00:00:00] Hey John, welcome man, how are you going?

John Kinsella: Good to see ya. Great to be here.

Ashish Rajan: Good. Good to see you as well. And I hope you have your drink as well, man.

Cheers.

John Kinsella: Cheers. Happy Saturday. I hope everyone’s doing well and staying safe.

Ashish Rajan: Yeah, I hope so. Especially considering you’re close to the fires as well. So especially the folks who are around the fire, I hope you guys are alright. I don’t want to screw up your introduction, so I would love to know and introduce you to my audience as well. So who is John Kinsella?

John Kinsella: Who is John? My name is John. My favorite color is blue. No. So I’ll try to keep this short. What’s the short version? I’ve been in AppSec, cloud and operations for the last 20 years.

Done a few startups. I was in Silicon Valley. I’m a San Francisco native. I was in Silicon Valley till about a year, year and a half ago. Moved up to Seattle. My specialty the last five, 10 years is really around cloud security, container security, as co-founder of a company called Layered Insight, where we were doing runtime security, acquired by Qualys.

I sort of live, breathe, eat in this space. I’m part of Cloud Security Alliance. I’ve done security work with Apache Software Foundation. I’m now more active with the technical advisory group for both Kubernetes and for Cloud Native Computing Foundation. I can talk so lots [00:01:00] of, lots of open source stuff, lots of security stuff, and yeah, I’m able to do applications and startups as well.

So sort of a, a pretty big thing to cover, but I’m still a simple guy and I’m happy to talk about all that.

Ashish Rajan: And I think that that’s why I was looking forward to having you here to talk about something which is probably not spoken about enough online, which is the conversation about monolith, which we are all talking about, Kubernetes, we are all talking about what the future is going to be, where people have forgotten about I don’t know, 30, 40 years of programming that you’ve been doing.

And suddenly people are like, Hey, do we want to leave them behind or bring them with us? So maybe to start off with, what do you define as cloud native?

John Kinsella: Yeah. It’s funny, when we were talking in the pre-show, I actually had to go and Google. Okay. What do other people think it is?

But I sort of let that sit in my head now, and really, to me, what cloud native is, is building something that’s scalable and modern. I’m just going to box it really tight and say that I think anyone who’s getting into software development nowadays, whether professional or sort of hacking around,

they’re going to be playing with more modern languages like JavaScript and TypeScript and Go, and, oh, I’m going to leave it out, like someone will feel bad, but more modern languages. [00:02:00] They’re going to be using more modern tools with those, CI/CD, continuous integration, being able to deploy as outlets out there, go deploy to that, await for it, it’s coming to the cloud.

And that’s sort of the very high level. But I think if we actually think about it in a little more detail, what that means, I’ll bring in saying things, it’s something which is nimble, scalable, I’d say distributed. So those are sort of some of the characteristics.

I’ll try not to use too many cloud jokes, but sort of a nebulous thing. But that’s sort of the structure around how I think of it.

Ashish Rajan: I’m so glad you’ve kind of touched on distributed and nebulous as well. I’m like, wait, are these things that are in monolith? I don’t think we see things similar. So how do you define monolith, I guess, will be people maybe even to, what is monolith? Why do I even care? ’Cause clearly Kubernetes is the future.

John Kinsella: It is right, but you have to remember, like I said, I was doing containers at Layered Insight before. When I lived in San Francisco I was six blocks away from Docker’s headquarters. I used to go over there all the time, and I really lived in a bubble in Silicon Valley of, like, all these buzzwords and crazy things.

But if you go a hundred, 150 miles outside, people still have applications that were written over the last 10, 20 years, which they’re trying to support. So if I had to put into a single word [00:03:00] what I think of as monolithic, it sort of actually, as I think of it, is sort of an Eddy season, that’s how we started. So, whereas I’d say cloud native is modern, really a monolith is more legacy.

I’m sure people could still write, well, they definitely could still write this stuff today, but so what does monolithic mean in my mind? Usually a bigger code base. And you can have a bunch of microservices in one git repo. So that’s not a clear definition by itself, but I see where it really comes down.

If you’ve got an application that is doing a bunch of different things. So think about, like, a shopping cart. If it’s not doing something modern and neat and clean where you’re, a modern shopping cart, these are products I want to buy, here’s my shipping address and here’s my credit card number, go right to the catalog.

And the web display is separate. And what’s interesting is, as I was scribbling some notes and thinking about this chat today, the UI might not be any different between those two things we just talked about. Right. You still might have a shopping cart. You might have whatever it is, but how those pieces move behind the scenes is a) the exciting point,

but also I think what differentiates those two things.

Ashish Rajan: Oh, actually that’s true because it’s not that, I mean, I guess you can put lipstick on the new [00:04:00] website and go whatever you want to do. I guess it looks very fancy, but at the backend it’s still maybe running on a mainframe or I don’t know, something, it’s something even more, I dunno, what’s mentioned in mainframes are still running, but probably that’s one of the one thing that I think of.

John Kinsella: I’ve actually, in this room, I’ve got my first computer ever, a VIC-20. So even that’s still not as old as the mainframes, right. Those, the iSeries and zSeries, go back into the seventies. I got to work on them; they’re pretty cool. But to finish, I interrupted myself there on the shopping cart example.

So if we go legacy. I don’t know, let’s pick, how about an auto supply store? So within that shopping cart they’d have all their inventory system. There are ERP systems, like what’s on all our shelves. What have we ordered, what’s coming in? I have to be able to do credit card processing. I have to be able to do shipping.

I have to be able to do any of the display of the product in the web interface or whatever it is, and be able to see what’s out of stock, but that’s all one code base. So if we want to talk about that versus how you go to microservices, a lot of this starts becoming outsourced, right?

So you could be using Shopify for the actual cart and checkout. ERP probably would be a completely different system, right? [00:05:00] Especially if you’re bigger, it’s going to be an Oracle or something. What else? Your web interface is going to be light and nimble and something written in JavaScript, not PHP or an ultra language.

But all these are little separate pieces and you can adjust each one individually without having to recompile and redeploy the whole thing. Oh, actually

Ashish Rajan: That’s great because that was the next question I was going to ask, like when people do move monolith to cloud, I guess in my mind, monolith is probably millions of lines of code

people have been writing for years. Maybe in a language that’s not even supported anymore. And it’s a version, probably it is 10, 15 versions behind the actual version. I’m like, I don’t know. It’s funny, every time someone talks about they’re working on PHP now and I’m going, wow, PHP, or is it almost Go, like, wow, this has gotta be, I don’t know how you, but apparently there’s still applications out there.

Even Facebook started on PHP and they still use PHP.

John Kinsella: Yeah. Well, the PHP which Facebook has is a pretty special beast nowadays, right? I think that’s a pretty strong force. It’s actually compiled. It’s not an interpreted language anymore. There’s at least one large security company out there

that still has a lot of their web interfaces in PHP. I won’t name names to shame people, but it’s hard, right? It’s ’cause, I didn’t talk. [00:06:00] One of the hats I wear is I’m on Application Security Weekly, so a slightly different market set than what you are. And hopefully we can share some guests back and forth, or listeners, but thinking about, if I put my manager hat on, like nowadays I’m a co-founder, CTO of a startup.

My focus is to, , keep both my CEO happy. So he has something he can show to VCs and to customers and keep my customers happy. Right. So that’s really sort of the focus around what I’m trying to do, but what you didn’t hear me say there is, I’ve got a ton of time to go back and rewrite something which works in a new language.

We start doing a balancing thing here. Right. And that’s always the problem in that we start talking through, is we want to be able to have something secure. We want to have something scalable, but at the same time ain’t nobody got to rewrite the whole thing. So how do we find those balances, sorta?

Yeah. Yeah.

Ashish Rajan: Someone has to spend money on it. So I want us to spend a dime on it. So the balance between, Hey, should we release new features or should we go back and change this monolith into like a microservices disco? I mean, I guess decoupled world of microservices, it’s just, yeah. I’ve got a comment here from David as well.

All of that, all of that, about cloud data, plus like a way to build that out of microservices. It just, yeah, there is so much around the cloud [00:07:00] native architecture thing that we can kind of deep dive into, but I kind of wanted to have you share some challenges that you think people would face when they’re moving a monolith to microservices from a security perspective.

And we’re not even talking about cloud at the moment. It’s like moving from monolith to microservice. What kind of challenges do you reckon people can expect, top three that came to your mind?

John Kinsella: The big one is, which I think is really interesting, especially probably to part of your audience, is we’re going from, if you think about how you secure a monolith, right? You’ve got usually a large number of developers and security is probably on another floor, somewhere, completely different building.

And they’re usually thinking about firewalls and intrusion detection and WAFs and antivirus, and really sort of more IT security or enterprise security. As you start breaking these things down from that monolith into microservices, and we can talk about how people go through that, this becomes an application security game, right?

So if you think about cloud security, a lot of cloud security is application security. Right? Before I got into cloud security, I was doing a lot of penetration testing and code review and stuff like that. So AppSec, and then this cloud thing came along. I’m like, Hey, I, this is sort of cool. I want to go do [00:08:00] that.

But besides just a pure AppSec thing, thinking about multitenancy, what used to be a single, if we think about a monolith deployed into cloud, maybe it’s on EC2 instances or GCP, oh, I’m going to get in trouble, whatever they call their virtual servers or their equivalent.

Or the smaller guys, I try to give everyone a fair chance. But as those go into a more microservice type environment, you start getting the chance of multitenancy. So maybe someone thinks, Hey, we’re going to go to Kubernetes and put everything in that. And then everything’s going to be great, but now you might have containers from the marketing department mixed with containers from billing and finance.

And I’ll let you guess which one of those two is probably going to be more secure. So do you want those in the same tenant? You have to start dealing with things like that and thinking about things. There’s a lot of moving parts, a lot, a lot. I mean, even just talking through what we’ve talked so far, right.

I’ve said things around CI/CD and some of these other sort of concepts, but like, as you actually start to move and deploy some of these things, the amount of stuff you’ve got going on is just, it’s impossible to really keep track, it’s sort of crazy. So I think [00:09:00] that’s probably one of the bigger things is just for the security people to, we’ll probably talk a few times about visibility and communication as we go through this, but really just keeping track of what the devs are doing.

What tools are they using? What languages are they using? ’Cause as we go towards a microservice, one guy at my startup right now, I’ve got one founder that’s writing in Python. I’m writing in Go, but since we’re both writing to serverless Lambdas, it doesn’t matter. As long as we’ve got an API going back and forth.

So, but that’s now two languages which security has to think about. Yep. This is a lot of moving.

Ashish Rajan: Oh, wow. So you’ve raised a few good things here then. So obviously the mix of languages and the mixing of architecture as well. Now, suddenly you have everyone, I guess, coming from a monolith world.

Oh, actually it’s worthwhile calling out. A lot of people are probably showing people our age. I guess people would be working in waterfall to agile. And now in microservices, I don’t know if you can do waterfall in microservices. I don’t think you can do, but I’m sure people would have figured it out, that I’m going to do a wagile, as people call it.

It’s a waterfall and agile combined. So maybe that is what people are doing, where we [00:10:00] still want to report at the end on what we’re going to achieve, but I want it to be sprints and a, whatever you wanna call it, but you almost go. So the three things I kind of took away from that was one, obviously the mix of architecture where suddenly you don’t have a dedicated server for database or one server for database, application, web application, or you could really have three different servers.

Each one gets a container, marketing gets a container, engineering gets a container, but they could be combined or maybe in a cloud native kind of state, as well as you were saying earlier. And then the other challenge you mentioned, about the challenge of languages, how many languages? Because I mean, freedom is not a bad thing.

Like allowing people to work in like, Hey, if you go faster in Go, you should code in Go. It shouldn’t really matter to the interface, which is kind of what the promise of APIs was as well. Like with microservices, it shouldn’t really matter. Like you, I could be writing in, I dunno, I’m just gonna make up, like maybe .NET. I’m writing in .NET and you’re writing Go.

We should still be able to communicate without you trying to understand the complexity behind .NET. But that means from a security perspective, I need [00:11:00] to be, I guess, an API expert, a multiple language expert, if I bring back to your AppSec list, the conversation as well. And I guess the other, the third thing you mentioned is depending on the architecture, how it’s moved across.

Like, if you will, like for, like, I imagine that would come in a bit more, it would make it more complicated. You kind of have to have microservices which have the decoupled model as well, because I met, I can’t imagine it working well, if it is not decoupled,

John Kinsella: everything should be fairly loosely coupled.

Yeah. And that makes some aspects of this more difficult, even, not just for security people, but for developers. It’s one thing if that set of components, I like to use the phrase puzzle pieces, but if what they are and they’re pretty tightly coupled, testing with them, doing unit tests or integration tests, isn’t, that is pretty simple.

But as you start making them a little more loosely coupled, you’re depending more upon your interfaces, so you have to have more structure in some of those interfaces and APIs and things you’re putting together. So the result’s great. Right. ’Cause think about, let’s think about for a second.

Scalability. So say the monolithic app you’ve got, for some reason, a bunch of people are, [00:12:00] it’s before Christmas and a bunch of people want to check out, right? So they’re going to be hitting that part, that cart, a ton. But the last thing you’re going to be doing at the same time probably is bringing new inventory in, right?

If you don’t have that inventory for a retail company, if you don’t have inventory by what, September, October, you’re not getting it for Christmas. Right. So there will be a slowing down on inventory tracking and stuff like that. But that code’s still there. If you’re more microservice-like, you could just scale up the cart containers and let them do their thing and still have two or three ERPs, to use that example.

So it allows you to be more flexible in that type of way as a result. And that’s sort of the benefit of it.

Ashish Rajan: Oh, actually, that’s true because not all the components of your code would need to always be updating or just refreshing, I guess. ’Cause I mean, I guess that’s fair to model it, because you can see like 25-year-old code which doesn’t need to move, what updated it just gets left behind and you just keep adding on top of it.

Like, I guess almost like different layers of a cake, I guess, but just all of it focusing on the top layer. So that makes me go then, okay. So we spoke about monolith to microservices, but monolith to cloud native, breaking it down. So I imagine there’s similar challenges at that [00:13:00] point then I guess, would you say things like having

multiple languages being used slowly became a challenge. And I guess then for security, even if it’s in cloud native space, are all the challenges different, if you’ve moved from monolith to, we are going to break this application into a Kubernetes or a serverless application, I can’t even imagine like what would happen in that day.

So application security, definitely a big challenge, but I’m keen to know from your side, what would you think are the key things at that point from a security perspective? Yeah.

John Kinsella: We’ll keep repeating ourselves here: the benefits, this is huge. Getting there can be, this isn’t simple, we’re spending an hour sort of ripping through all these sort of topics.

One thing that I want to throw into your show notes, and we’ll probably talk about it towards the end, Adrian Cockcroft, man, has been through so much stuff. He was at Sun, I think he was one of the core people behind Java. He went over to Netflix. He was, I think if not CTO, chief architect, cloud architect.

So he started, brought Netflix to the cloud. About 10 years ago, he did a talk. It’s like an hour 15, hour 20, depending on which version of this you get, just about how you take a microservice and sort of peel off pieces slowly by slowly and turn those [00:14:00] pieces into microservices. And that’s how you get from this monolith to microservice architecture.

So he talked about an hour just for that by itself, and we’re sort of going right through here, so let’s see what we can do. But if we talk about three things in a public cloud, I mean, obviously I don’t wanna expose Kubernetes or whatever you’re having out to the public interface.

I think one of the big things to me is to not reinvent wheels. What do I mean by that? I don’t want people to go through and start creating their own load balancers. I mean, if we think about this back in enterprise days, people probably are going to be creating their own firewalls or IDS.

They’re going to be buying the boxes, right, sort of Silicon Valley style. But you have to have the box. And once we go to the cloud, the box goes away. But what I’ve seen is people start creating that thing themselves. So either building their own Kubernetes clusters or building nginx for a load balancer, or one of the open starts wipes out.

There’s a bunch of different ones. Really, my point here is unless you’ve got a lot of time or a very specific reason to do that, use what the cloud providers have. ’Cause they’re just building it with some of the brightest people in the world, it’s being used by some of the largest companies. So it’s probably going to handle what you’re doing.

And, [00:15:00] a lot of the stuff we’re talking about, especially as you start changing languages and like, we’re just talking purely from a point of view of how would you go about rewriting the PHP into Go or something. One of the things we completely glossed over is you’re introducing,

there’s pretty much no way you’re going to rewrite that app without bringing bugs. And one of the things I’ve got for the news next week, there’s a new vulnerability. Patched, now I know that we’re still working on, was patched, but they’re working on releasing the patch in glibc. But the fun part about this is where it came from.

Someone else found another bug. I think it was in March, they patched and released that version of glibc, but it turns out the patch has a vulnerability in it. They do a null pointer dereference, so it’s like, this is one of those things, right? Every time you breathe or touch somebody’s things, even if you’re really good people, I think this guy was at, I’ll say, I think he was at Red Hat.

So, again, great companies. But it’s, you gotta be on your toes. So let’s see. So I talked about don’t reinvent the wheel. Don’t expose yourself on the public internet, like, exposing, what are the common issues that people were seeing with Docker and Kubernetes and security was they were leaving that port open on the internet without being firewalled, and the crypto miners really [00:16:00] appreciate that because they are more than well, more than willing to come in and use your resources to run their own mining.

So you don’t want to do that. And then let’s see if I want to throw another one out there as best specifically for public is you got to start thinking about isolation more. So we talked about multitenancy a little bit, but even just, how do you isolate say their network or compute between two containers?

And then the second half of that is not just isolation, but also, when I was interviewing at a company 10, 15 years ago, and it was right before, red is clubs getting big, and they’re like, what would you do if you came in here? And the first thing I said is, I want VPNs between all your, at that point

it was EC2 instances, and I was basically laughed out of the room. But nowadays, right, if you’re in a public cloud, we have seen a few times that every now and then either a malicious user or possibly a government will get involved internally and be somewhere they shouldn’t be and are able to sniff traffic.

It has to be encrypted. It makes the developer’s life, well, it makes the operator’s life a little more difficult for troubleshooting things, if there’s actually an issue going on, but we’re at a point where you got to, that trust boundary has to be very, very.

Ashish Rajan: Wow. That’s interesting because I think as you were talking about this, I also realized we kind of brushed upon something else as well, where the [00:17:00] traditional world has always known vulnerability management,

IPSs, and moving this to cloud for a monolith. A lot of people were, and I’ve been asked this question, I’m curious to know your response. Like, Hey, when do I do a third-party app vs using something from the cloud provider? If I’m moving across, say I’ve already got a bunch of security products in my on-premise.

I got the, just like, Trend Micro antivirus. And let me just think of a security product as well, in a traditional world for a long time. And now I’m ready to go to the cloud and I’m going, actually, obviously the obvious question a lot of people are asking themselves is like, Hey, should I continue

with my third-party app, or should I buy a new third-party app? Or should I just go to cloud native? Like, as in something provided by the cloud provider for security?

John Kinsella: I would strongly lean towards changing. So it’s funny, we talked about the box vendors and all those box vendors. If you go out to like the Amazon, go and talk about Amazon, just keep it simple.

But if you go talk about, if you look at the Amazon Marketplace, all those box vendors, they’ve got the software version of that box that they’re happy to sell you. But in some cases that’s fine. Right. And antivirus is probably a good example out of ours is [00:18:00] anti-virus, you’re still looking for a pattern.

You’re looking for some sort of pattern against your signatures, usually. And then that’s how you do that. Keep in mind if you’re doing that, you’re now paying a cloud service to run your antivirus software. So you gotta be a little careful about when you want to actually use it, right. That’s what the trick is there.

Do you want AV on your server? It’s a bit of a religious question. I come from the vendor side, not even currently, but in previous lives where I’ve built cloud native security tools. Right. So I don’t want to make it look like I’m biased here, but really at the end of the day, a tool which has been designed from the get-go for either cloud or cloud native, it does things in different ways.

It thinks about scalability differently. It thinks about usability, authentication, logging, debugging, all the sorta usability concepts, APIs. You’re not going to see as much of those in the, well, Hey, here we can go, we can call the legacy security products almost monolithic security products. Ha. So I would at least, I think it’s worth a review, right?

It’s worth looking to see what’s getting high ratings out there. What are people using? Do you have to buy a box vendor? Can you use something open source? Do you really need to be using that in public cloud? So there’s a few different things around there. You can think about another example to throw at [00:19:00] you.

If you’re in a high security environment on prem, you’ve probably got a few HSMs around, right? Hardware security modules to put all your keys and key management stuff in. You can now get those in the cloud, but boy, they’re not cheap. And folks who have used HSMs know, usually you have failover in case one fails, so you have to have two of those bad boys.

So you’re really paying a lot of money. Last I checked, it’s into thousands of dollars per month US. So if you need it, you need it. There’s cheaper ways to do it. Then the question is, do you need the full HSM or can you just use Amazon’s security management and just put a token in there, which costs like 40 cents a month?

So pretty big difference, but that’s some of the things that people have to start with.

Ashish Rajan: You raise an interesting point over there because the whole benefit that was, I guess, a dream that was sold by cloud was that, Hey, things are going to be cheaper, more agile and more flexible. And that’s kind of, I feel like in a way, and I feel comfortable sitting here telling you this because I feel I won’t be aged out, I guess, in a way.

But the interesting thing for me was when people moved into cloud, that’s when microservices kind of happened, agile methodology happened around the same time and people [00:20:00] still kind of forgot. Hey, that’s all great, but I still want to do what I was doing before, because that’s what I know and I feel comfortable with.

So I thought, are we agreeing with the fact that that’s probably not the right approach in cloud, to continue trying to recreate what we had on-premise?

John Kinsella: So I think one of the earlier cloud talks I did was how do you migrate to cloud? And I wasn’t thinking about the monolith at the time, but now I think about it, probably the same idea was, do you want to forklift that application over and put it into and continue doing your things, and there’s value there, right?

I mean, Amazon’s got a whole division that will happily take your money to run VMware on Amazon. Man, people on Twitter, they really get angry about this. There’s a phrase they use. VMware cloud is allowing the ongoing support of legacy end-of-life software, which is, that’s a fighting phrase right there.

I’m not going to take a position on it, but so yeah, you can do that. You can just pick up and go over and drop down and go, that’ll get you out of the data center. People have this conversation about it, cloud’s more expensive. I’ve run a cloud. One of my startups actually built a cloud.

I know the costs. Good luck. But so do you want, you can pick up and move over and [00:21:00] then maybe start peeling off the edges, but it definitely, for two reasons you want to look at this from new technology, right? For your own career, for the folks out there who are like my age or older, younger, dad, look, it matters.

If you want to keep going for a few more years, what tech are people using? This is something I do every few months. I just go and look, am I using the tech that I want to be using? Should I be dropping something and picking up something new? This laptop we’re on today is Apple Silicon; up until a few months ago, I was on a standard MacBook Pro Intel.

So, looking to change, I didn’t get it when it first came out and wanted to see what other people think, but I do the same thing with cloud. Do I want to go to Ali Cloud? Do I want to go, maybe start, then one of the new concepts we have going around is people putting compute probably in Amazon and they’ve got fast storage, but then if you want a really great network, you go and you put that in Google.

So different clouds have different sort of versions. If you want to do like fast databases or cheap databases, maybe put that on Oracle. Yeah. But since we’re now microservice in cloud-based and API based and the networks are pretty damn reliable, not perfectly, pretty good. Right. And pretty high speed.

You can leave your API server in Amazon doing your crunchy crunchy, [00:22:00] then maybe have the database server in Oracle. Yep. In some cases that will totally make sense. So there’s things you can look at, not just on the security side, but it’s worth sort of taking a step back every now and then.

And am I doing things the best way?

Ashish Rajan: Actually thats a really interesting point because I wonder how often people go back and look at, oh shit, this is not really, no, you’re not going back, but looking forward for, Hey, what else is going on? In a way, glad you mentioned that for people who are trying to have like a I guess a career for another 10, 15 years, maybe even longer to keeping an eye, especially in nutrient technology, it makes sense to keeping an eye on what what’s out in the horizon.

It’s just kind of like the top topic of the month, talking about cloud native, because how many people that I’ve spoken to are still are probably don’t have the opportunity to work with Kubernetes or any of the newer tech or maybe even servers and you’ve, but I, you and I can talk about this, but Kubernetes has been there for some time already.

It’s not that it was released this year. It’s been there for some time. It caught mass adoption this year. There’s another massive wave coming next year as well. I imagine. And sort of some of the other cloud native projects. So in a way, I’m glad you went that you mentioned, and I guess grateful to people who are listening and going, Hey, what [00:23:00] else is out there?

So I just makes me think of another set of people who probably are getting inspired by going out and dating, I guess, architecture and looking. What else, what kind of softwares we have or what kind of applications are you running? And they realize, Hey, we already have cloud native. So and it’s like, it’s just one of those classic examples where maybe security was not called in.

Someone started a credit card, moved to cloud or maybe cloud native. And I think isn’t easier. Place to start tackling this problem. Like, I mean, I guess to your point, I’m assuming this person, maybe from a monolith world, it has been on-premise for 25 plus years until he finds out, Hey, there’s AWS.

Okay. I’ll just ask her questions like, oh yeah. We’re using EKS like Kubernetes . So it’s not whatever, I mean, you remember? I know it was like, so know, not specific talking about the service, but the whole concept that honestly I discovered today that I’m in cloud native. What are some of the starting things that I should be looking at, which would be stocked different between like a on-premise world vs cloud native kind of world.

John Kinsella: , I’ve been saying this a lot recently. I think I’d go be saying it for a few years. I like to tease some of my friends over at Amazon. [00:24:00] Guys, how do you keep up with them out of products, which Amazon is releasing are, are, do? Cause like I can’t , there was a, a post which came out last week, just a single post is supposed to be one in a chain of 18 new controls, which they’re providing security controls over cloud, over Amazon products and their intention to keep releasing these blog posts until they’ve got security controls across the whole fleet.

And that’s just security controls and we’re not talking about, I think it’s what 180 products or some crazy number now.

So almost, yeah.

I feel lucky in a way that I got it into this beast early. Cause yeah, I started just with Docker. Right. And I did Docker and Docker swarm for a few years. And then at some point I dipped my toe into the Kubernetes thing and that’s a whole separate world.

Right. For people, for people out there who’ve done. What do we talk about cloud stack? They’ve probably seen the sort of pattern before and we’ll probably see it again, but. I think if I was going to answer that question start with Docker on the desktop, just keep it really simple. I think that’s the container is enough, like a VM or an operating system that for folks who have been routed it’s pretty approachable and pretty understandable to understand what’s going on in there.

And the previous CEO over at Docker had a phrase, Steve Singh a great [00:25:00] phrase, which I’ve used so many times again. But additive collaboration, the idea, and I’ve done some classes, right? Where like, , you, you have helped someone write a Docker Compose file where you say, okay, download this MySQL container image from Docker Hub.

Download. I don’t know. Let’s see, let’s talk about Node.js and not pick on Java. So a database plus Node, and let’s write a little bit of JavaScript and put that in a file and have that mounted in and have those three things run and expose that on port 80 and then type docker compose space up.

And. That’s simply, you’ve got a working web app, right? It’s you didn’t have to build or install or do anything at MySQL. Same with Node. You probably got to download some Node modules. Right. But still it’s compared to a full actually, if we had to do this five, 10 years ago on an EC2 instance, it’s very quick to get going.

And what’s nice about that. It’s not just that it’s quick, but I know at least for me, if I’m able to quickly see changes or see results from what I’m doing, it, it excites me. It makes me want to do more of that. So I think that’s a great starting point. And then at some point you’re going to run into either networking issues or scaling issues.

So then maybe start looking at Kubernetes, right. And that’s really how you go up that path. But now let’s talk [00:26:00] about security side of that thing. When you go out to Docker Hub or when you go out and you’re doing, you’re getting it, that MySQL container, let’s talk about just going ahead and doing a a container scan of it.

So either I believe now for free on the popular images, Docker will. And display that vulnerability data. So you can see that, see what that looks like. We can go ahead and figure out, okay. Is that something I need to patch how to go about patching it and get a sense in there. Okay. You’re back. So you disappear for a second.

I want to start talking from not just how do you get going and containers or Kubernetes, but let’s come back and talk about the security side. So vulnerability scanning, right?

That’s our basis. what’s going on, what’s in there, what’s installed, what’s vulnerable. Download that container, figure out how to get a shell into it. Look at what packages are installed, right. Pure testing. And then next you start thinking about, okay, well, how do I want that thing running?

Maybe go and think about, okay, how can I control it? Is it gonna run as root? What happens if someone can break out of that container? How would they okay. Now they have control over my host. Can they see other stuff? So there’s that aspect. And then you can think about firewalling that thing again.

So it’s, again, some of those sort of basic concepts and that’s probably to learn ProjectWise personally. [00:27:00] So either find a project, find something you’re interested in. Usually when I’m at home, I have like some sort of IoT thing around like, , get an IoT thing or a robot or something and create a weekend project and sort of play and see how this stuff works.

But from someone doing it as part of their day job sitting in a desk, think about , we talked about those boxes think about how would you apply that to , , MySQL Node combination. Okay. If I want to put an IDS in this thing, how do I do it? If I want to do that in Kubernetes, how do I do it if I want to do it in public cloud?

Right. So you’ve got, there’s a concept, ? So now the thing is how do you take that concept and apply it to a new technology? So that’s sort of the way out approach and that’s really what I do when I’m learning new languages myself. Right now we’re using in the past I’ve done, let’s see for IaC, infrastructure as code.

I’ve used Puppet. I’ve used Chef. I’ve used Ansible. I’ve used Terraform. CloudFormation. So all these sort of BS out there at the current company size sense, we’re looking at using Amazon CDK. Oh yeah. Cloud Development Kit. And it’s a pretty neat thing. Right. But so, as I said, I’ve done these things in other languages before I’ve used the cloud.

And usually what I’ll do is I’ll go through and sort of pointy, clicky, figure out what my role should be between, say the [00:28:00] Lambda and a database to get that stuff to work. Okay. How do I turn that into. Right. Okay. I know the concepts. I know it’s IAM , or I know it’s a security group, or I know what to open a port or something like that.

And it’s pieces, which I knew about, but now how do I uptake that sort of part of my brain and apply against new language? So I think it’s sort of the same for security people.

Ashish Rajan: I love how you explain this, because I’m thinking about from, I guess, going back to that individual’s example, the persona that I just created out of thin air coming from an on-premise world you will already know some concepts.

You already know networking. You already know how servers communicate. , it’s just about using that foundational piece to understand, Hey, how does this work over in this context, whether it’s Docker, Kubernetes or , whatever, there’s still an identity. There is still a network. To the point that you just have one to one relationship between what we have spoken about before. Oh, I think I’ve got a question from quickly addressing that. Know so speaking of patches do you know why the AWS SSM manager service doesn’t vet patches and if you know of situations in your career where it has caused issues such as denial of service

John Kinsella: hmm. So I haven’t used the patch management side of SSM. I’m familiar with it. [00:29:00] No, to did. My previous company was called as who, , they’re probably one of the first cloud-based, vulnerability management companies.

So I’m sort of familiar with the patch management space. And let’s let’s, I don’t have a direct answer. I’m going to bring an answer and stop, but let’s go back and talk about what is saying about vulnerability scanning of these containers. So I was talking about, , going to Docker hub, take a look at it.

If you want a little more experience, maybe go out and get a copy of Clair or Trivy, which are both open source vulnerability scanners, or go and put your container on Quay at Red Hat, or, , Amazon in their ECRs. You can look at it’s all sorts of ways to do this stuff. But what sort of fun to bring up and talk about is if you scan, oh, I don’t know.

Let’s say a Debian container. If you can find like a Debian version or a Bluetooth version of MySQL or what else. A few sort of more common, maybe like a httpd not like an Alpine version, but like a version that has a full heavyweight container behind it. Right. So what you’re seeing with containers, right?

Container image, usually a version of Debian in a container is about 70 or 80 megabytes. But if you look at the slim, sorry, who am I kidding? Probably about 120, 150 megabytes. If you look at the slim version of it, it’s probably about 30 to 50 megabytes. If you look at the Alpine Linux version, it’s about 12.

So [00:30:00] there’s reasons to use different versions of the same things. But if we look at that, the Debian , the Bluetooth version is probably going to say there’s a vulnerability in PCRE. The Perl regular expression library that CVE I want to say is from 2017. And we’re now in 2021 still it’s hard to keep track with this COVID and stuff, but, so, okay.

You’re telling me about a vulnerability from five years ago, you’re really going to tell me that hasn’t been patched. So there’s there’s issues with some of these scanners is what I’m saying. And that takes a little bit of common sense to go through and talk that story. And I’ve seen at a previous company , a junior engineer did the scan, it wasn’t cleaning.

There was security mandates that you have to be able to , be a certain level of security. So obviously that vulnerability has to be patched. The dude went and manually downloaded a version of PCRE and was compiling and putting into a container. I’m like, no, it’s a false positive don’t no, no, no, no.

Right. But that takes some level experiences of space to be able to, to recognize that and do it. And when I was at Qualys, man, I probably had that conversation with about 10 or 20 customers not with our product, but like with like I said, the open-source scanners, they see this it’s, it’s hard to fix some of these signature.

So there’s, there’s issues around [00:31:00] patch management, all sorts of different ways. I think it, so the question comes down to having some local experience about what’s going on. What’s doing , what guardrails can you put in there? If anyone can put a patch into that system? What you’ll the pattern I’ll frequently talk about to people using Amazon is okay.

Maybe you don’t expose SSM directly for people to be uploading patches into, but you put some sort of a software package in front where they suggest a patch and then you go and you vet it and sign it and then put it into the SSM system. Right. So you have some level of control about what’s going in there.

So that’s sort of , the trick around how to do some of that type of stuff. The DoS part I haven’t specifically seen , in these use cases, but I mean, like, , the one that’s coming to mind right now wasn’t McAfee AV. About two, three years ago, they released an update to their AV software on, I think it was for Dell systems and it bricked the machines.

So how’s that for a DoS, right? These things are out there. Just need to have to be cloud-based. And it’s how do you, right. It really comes down to testing is the other side of that. So I talked to Amy about vetting and control and not just exposing that API out to anybody. But then on the second side , what things I [00:32:00] really like about either containers are I’m using now with Amazon SAM for Lambda is being able to do sort of red, green deployments.

So with that container thing, these things are so light and nimble and quick. When we go to release new version of the product, maybe it has those patches in a new version. We updated the base container image cause we wanted to get some vulnerabilities fixed. Okay. So instead of just rolling that out to say a hundred hosts with a thousand containers on it, let’s roll it out to about 5% and both Docker now in Kubernetes will let you do what is called a health check or define a health check.

Basically as part of that container coming up, wait until an HTTP GET to some URL returns a thumbs up or some sort of positive value. If you see that, okay. , the application’s up and running, then you can go ahead and roll it out to the rest of your containers. If you didn’t see that, Hey, maybe we want to roll back and double check and see what’s going on.

So there’s ways to do some of these, tests around this type of stuff. Actually,

Ashish Rajan: you’ve kind of touched upon really interesting things from an architecture perspective as well. And by the way, that’s a great question as , as well, because I think as I’m going to listen to John, your so I’m going, oh, wow.

Okay. You’re right. Cause we used to do this in on-premise where we would have a strategy for patch management. You don’t directly get it right. That is a [00:33:00] testing phase. And then it gets restarted. Everyone is like the push button thing, and we can still have the same model in cloud and cloud native kind of applications as well.

And to your point about the other one that you mentioned from patching perspective was the whole blue, green thing that was, I mean, you can have a small set of servers, but use cloud native services. I think what we’re trying to get to as well, you can still have them automate that right through thousands of servers, but almost still have that testing foundation done, especially if you’re doing a meeting in a model that, because I think that the model that AWS kind of talks about, Hey, you don’t have to worry about patches.

We take care of everything. But even in that scenario, RDS is I’m using as an example, the databases they’ve asked us to have a maintenance window, which we should be completely okay with too. I have them patch our servers and hopefully bring that back on. Yeah. And this is a database. I imagine how important that would be for any company out there.

So even I haven’t actually heard of a denial of service in that case, but I think to your point, , it’s always, I guess, moving to cloud the model should [00:34:00] always be the, Hey, I should be able to test this. And I like a blue-green if you want to use that as an example, I should be able to blue-green this and the whole con immutable architecture that we were talking about, where it’s decoupled your going back to the shopping cart example, just because your inventory is failing, doesn’t really mean your shopping cart should fail because you still want the customer to be able to go and fully complete the transaction of the cost of the inventory that they have already added to their card.

John Kinsella: That blue-green thing. I’m not just dreaming that up. That’s literally built into Kubernetes. That’s the way we do modern deployments. You can say, Hey, once X percentage is reporting positive health, go ahead and roll it out to the right.

That’s an automation that might take us a little bit to, excuse me, let’s say something sort of new and something we had figured out the first time that, , we’ve never done that in the past, right? On desktops. Well, maybe you might what, I guess the way I would have done it was a patch my system, but I definitely wasn’t patching my boss’s system, so right.

You’d do that type of thing and make sure things are fine. And then once you sort of lose it for a few days, things good, then you’ll go and roll out. But now it’s actually, it’s part of the concept, which is really great.

Ashish Rajan: It’s [00:35:00] really good as well that by the way, I’m just kudos to, as you and then others as well, who are thinking of using services, which are cloud service.

I mean, I guess because it kind of forces you to kind of go into a, into a direction. Yeah. You have to decide on, Hey, how do I automate this? So I don’t have to look off the patching for thousands of service. So it’s, I think kudos to you for doing that as well as the unit while we’ve been talking about the patching as well.

And we were talking about the model of the application that made me think about from a perspective that the whole DevSecOps thing that people talk about. Right? Cause I feel like now the industry is kind of like three big buckets. I mean, I’m sure that SOC and everything else in there, but people are primarily talking about cloud security, application security.

And as people talk about application security with the, because everyone’s going serverless. So application security is a lot more bigger bubble than where they used to be. And now going, Hey, how do I do DevSecOps and all this? Right. Cause I think I’m sure there’s a devsecops fan out there listening.

Yes, we should do DevSecOps. Is that even a thing for a monolith application? Where, or is it only after it moves into it?

John Kinsella: Let’s drag the nails on the chalkboard a little bit for a second and try it sec, dev ops and see who sort of [00:36:00] erupts at us. And by the way, folks we’ve got about what 10, 10, 12 minutes left in here.

We love questions. We keep them coming. I love the, , it’s, we’ve got stuff we can talk about. We can talk all day, but give us questions, watch in your mind that that’s what makes us fun. Interesting. Yep. So dev sec ops just think about the dev ops part of it for a second. When we’re talking about those monoliths , , if we’re looking at hundreds of thousands of lines of code, those things frequently, the build cycle, you’re looking at hours from the time used to tape type, make in, go up to grab your coffee or lunch before that thing’s actually done.

And the reason I mentioned this is if you’re in a modern CI process where, , let’s talk about modern CI, I throw these buzzwords around. I use GitHub as an example. So every time when I check in code or do a code push I’m going to push into a branch because I’m not allowed to push to the main code tree.

And then in that I’ve have actions or GitHub rule set up. So when it sees that new code come in, it’s going to try and compile it. Let’s make sure to Dan think about we’re going to lint it to make sure that, , we’re following best practices, both codewise , as well as , no outstanding like hard-coded passwords and stuff like that.

If we’re a little more advanced as we go through this maturity process, we might have like, , let’s [00:37:00] do some static analysis see if there’s any obvious SQL injections or things like that. Maybe go a little bit forward further and do like an actual integration test. Can we actually run some unit tests against it?

Makes sure that a standard suite of, of code tests work and we maintain say 75, 80% test code coverage. So these are the types of things I talk about when I say this, and then once that’s done, it goes green. We can click a button haven’t merged into our main branch and then I can click another button and have that bad boy automatically shot over to Amazon Lambda or ECS, or let’s see EKS, or, , you got the idea.

There are two containers and serverless, but that’s just. Clicks right. And if I have , full trust once that code is merged, I can have it run it automatically. So this is what gets us these very updated, very quick things. Right. If I see a bug , in a bit of code could be either a typo on a site, or I want to change some color or something.

And I can do that little process I talked about from check out the code, open a bug modify a few lines of code go ahead and commit and push it with that. Bug ID goes in. It goes through a CI process. Maybe that takes four or five minutes. I merge it and it goes out, , we’ve done probably multiple code [00:38:00] releases during us talking over the last 45 minutes.

So that’s what I’m talking about when I talk about modern CI. So back to that monolith battle . Let’s see. So the compile would probably take, like I said, in some cases, at least half an hour, if not an hour, that might time out in good health, but you can probably pay for more resources or you can have your tests run on, on Amazon.

But that’s just the compile. Now, if I want to go through do the static analysis, that’s basically another compile. So in that previous life, when I was doing pen testing and code review, I used to use a lot of Fortify SCA and for him to test the large code basic was another go and grab a coffee or lunch.

So I’ve grabbed, let’s see breakfast for just doing the compile. I had to grab lunch to do the Fortify scan. And then like, there’s probably some other processes and there’s probably going to be at least dinner. Right. So you can do DevSecOps but, and that might be a good way to start, right?

It’s just let’s have the code be built every time or scanned. Every time we go through this process. You’re going to have a lot of pain, right. And maybe , it’ll give you the chance to see how the stuff works and get some of these pieces in place. And then give you , a really great use case of, Hey man, I’ve got to spin up an instance that runs for three hours to compile my code.

That’s an EC2 M4 [00:39:00] extra large would probably cost about four or five bucks an hour. I’m making this up, but run with me. So that means every time I go to compile my code, it’s costing about five to 10 bucks. Yep. You go back and tell your boss that you certainly have a pretty good use case to go and actually start peeling off some of these microservices.

Right. So that, that’s how you go about some of these things, depending on where you are in the organization.

Ashish Rajan: Yeah. I think that’s it. I love the example as well. And kind of the way you mapped out the amount of time it will take to deploy it. Yeah. Probably one of the reasons why a lot of people want to move across as well.

I think I feel like we may have gotten people a lot of excited excitement, like, Hey, this is like a lot of stuff. Used to or learn from, is there, I actually don’t know if there’s anything that you can learn about monolith. No one really talks about monolith , as a thing . So are there, like, maybe let’s start with, what’s a mature migration or like a successful migration.

If you want to call it in your mind, what’s a mature, migrated model in a cloud or cloud native world look like. And we’ll probably take it from there. So what does that look like when people are successfully move it across?

John Kinsella: I’m a pragmatist, so I’m not going to say [00:40:00] that let’s call it a hundred.

Let’s call it a million lines of code. I mean, you could say. The end story is no applicant, no functions with more than 1500 lines of code. I don’t want to go that way. Let’s look at this pragmatically, which parts of your application are you the way you go about peeling, those onion layers office?

Which part am I changing a lot? Which part do we need to modify or bringing some new code? Maybe you need to start talking to a third party API, or maybe you need to expose an API. You don’t wanna expose an API for whole app. Excuse me. There’s reasons you could do this, but let let’s, let’s go from that point of view.

This is what Adrian talks through in that video. So the next one would be okay. We’ve got that most important one. We’ve got that to a microservice so we can update it quickly without waiting at the dates time and then find the next one. The next one, the next one. At some point, you’re going to , realize that whatever’s left in that monolith we haven’t had to touch that.

Two or three weeks, and maybe it’s still at this point 500,000 lines of code or 700,000 lines of code, but whatever that guy’s doing, he’s just doing it. And that’s like a little more legacy. We don’t have to update it. We can update the stuff around the edge. So that to me is how I would look at something like this.

Right. Have the big piece of code run on an EC2 instance, like I said, and put you more modern stuff [00:41:00] into serverless. So one of the things we’ve been thinking about talking through. At my current place is how do we go about where do we want to use serverless versus a container? Right. I don’t want to run Kubernetes lists.

I have to, I love it. I know it, but if I’d have to spend that thing up, let’s, let’s keep it away. So in a Lambda instance for us, you can have Lambda , it’ll run up to 15 minutes on default. The timeout is five minutes, but it’s probably going to be a function, right? So it could be doing a specific thing for me.

Would be an example. If someone posts something on an S3 bucket, it’ll grab a copy of it. And do crunchy, crunchy, and then stored on a database. So, right. That’s a very specific task. But then maybe the next thing, maybe if I’m going to run a scan against a large cloud instance, I know it’s gonna take more than 15 minutes, so let’s put that into a container, right?

So the container sitting there, he’s listening to a message queue. The Lambda instance sees the incoming request for the scan. He put something onto the message queue. The container sees it grabs, it spends the next 30, 40 minutes doing the scan, puts something into S3 bucket, another Lambda grabs it does the crunchy crunchy back into a database.

We’re starting to build up a picture here, right? So this is sort of the way I think about it. And at some point maybe, what our mainframe is [00:42:00] good at. They’re really great at crunching really huge amounts of data. So maybe we do our quarterly reports are still done on the mainframe and he just sits there.

And once a month we go and we download all the data from the RDS database at Amazon, into our local DB2 I I’m sure I’m giving someone out there. Some sort of like, , post-traumatic stress. Really sorry about that. But , some of these things still need to be done. And I think that’s sort of how I think about it, right.

Is don’t move, don’t be looking to move everything look, to keep your eyes at like, , what’s my prize, what am I trying to do? I’m not just using technology for the sake of it. There’s a reason we’re doing this. So what is that? Let’s make sure we set the bounce around what that is. So that’s how I think of it.

Ashish Rajan: Oh, I love the answer. And I think I’ve spoken to someone about this recently as well, and he introduced me to this concept of cost of delay. I don’t know if you’ve heard of it, , it’s a whole idea. Oh,

John Kinsella: I haven’t, but keep going. Oh yeah.

Ashish Rajan: Yeah. So the, the, the, the cost of delay, I was really interested in what, what they spoke about was that the time you would spend as an organization do say uplift something, which to your point later, just use a mainframe example, which I’ve been crunching numbers for so many years in the time spent to replace mainframe with CSL is something else.

If [00:43:00] that really time, what giving an advantage to a competitor, just because you wanted to uplift the code . Yes. You feel really happy that you’ve uplifted your monolith code to say something really modern. You can do blue-green and everything, but what’s the point when you’ve lost the customer or you’ve lost to the competition.

So it’s about finding that balance, but I think there’s probably a great way to kind of come to a close as well. But that’s probably one of my. It’s going to be a highlight for me for, for this one. People are, is there like an education thing that you can talk about as well?

Where like, if people are listening to this and going, Hey, where do I learn about this stuff? Is there something that of which you can probably direct people to as well?

John Kinsella: So there’s a few different ones. , I’ll give you a link for the, one of Adrian’s talks about this, , how you peel the onion layers off.

I think that’s I mean, it’s what, 10 years later, I’m still talking about that talk. So it’s gotta be a good talk. That’s a great place as you’re getting interested in cloud security I’d say two things, Cloud Security Alliance , I’m, I’ve helped write some of the earlier versions of their, how to use cloud securely.

I’m still active in some of their work groups over there at, they’ve got a ton of different work groups and research areas, and also people not just for [00:44:00] learning. If you want to get involved and help with these things, people of all levels, please we’ll take, and then the third one I’d say would be.

CNCF we’ve got like I said, this group called TAG Security, a technical advisory group for security. Come in, ask questions. We’re on Slack. We’ve got weekly meetings. If you’re trying to figure out how to secure something or you think, is he a bug or do you want help with documentation? Again, , any open source project will take help of any levels.

So I think that’s how I’d suggest that.

Ashish Rajan: Awesome. That’s a great. . I think if people have questions and then I’ll come back as well later, cause it’s going to be on live on YouTube after this. So it’s gonna drop questions as well as comment.

That’ll be awesome as well. I do have one last section that I go through with people. It’s a fun section and just three questions to be super quick, hopefully. And this is just to get John A. Little bit outside of technology, I guess. The first question is what do you spend most time on when you’re not working on cloud and cloud native and technology in general,

John Kinsella: give you two things cooking.

I love to cook. First came down. So when I first came down to Silicon Valley, I was actually going to make my millions and then go open a restaurant. I read Anthony Bourdain’s Kitchen Confidential and decided that was a horrible idea. If I’m not doing that, I like to do things with my hands. So I’m also a lot of woodworking.

But if not those two, I’m adding a bike, so awesome.

Ashish Rajan: [00:45:00] And you do get some, , cooking lessons for you, especially helpful with lock downs. I guess the second question, what is something that you’re proud of, but is not on your social media?

John Kinsella: Proud of, but none of my social media on woodworking here, I’ve, like I said, I I’ve like worked in my hands.

I’ve just finished a what’s called a Nakashima style live edge walnut table. That’s about let’s see if I talk metric it’s about two and a half meters long by about a meter and a half wide. So it’s just very big, probably about 500 pound table dining room table. Wow. So yeah, I’m pretty proud of that.

That’ll probably go out onto Reddit in the next month or two once I get it set up. And so that’s sort of what you own. Yeah. So I bought two. I bought the one that came as two slabs, in half. So basically, how do you glue those things together? How do you flatten them? How do you fill in all the gaps and make sure it’s not going to crack or things like that in the future?

Yeah.

Ashish Rajan: Very interesting. I’m finding a lot of technology people are going towards more creative things, or sort of more handy-work kind of things, as well. People kind of feel there’s enough of technology, just writing software, but doing something with your hands has a, I guess, charm to it, for lack of a better word.

John Kinsella: It’s gratifying, right.

To actually see something. So in woodworking for me, one of the most amazing moments is when [00:46:00] you have something finished and sanded and you put that first coat of finish on it, whether it’s an oil or a stain, and the wood just pops and comes alive, and you’re like, wow, this is this thing that I’ve been looking at under sawdust and scraps of wood for months.

It’s like, that’s actually something beautiful. So yeah, it’s a really cool thing to do. Awesome.

Ashish Rajan: And one last question, because it’s probably the best of all, because you’re into cooking. What’s your favorite cuisine or restaurant that you can share with us?

John Kinsella: Favorite restaurant would be Alinea in Chicago.

I got to go there many years ago. It’s a really great place. Probably one of the best in the US. If I had to pick a style of food, I could eat sushi for weeks.

Ashish Rajan: Okay. Okay. I think I’ll do the same as well. I think it’s funny, to the comment about, we’re talking about technology and people looking for creative stuff: I just wanna give a shout out to Zenith, because she’s written a children’s book as well. People should just check her out.

So it was top 10 in Amazon as well, and coming from a cyber security background, writing a children’s book. So a shout out to you as well. But that’s pretty much what we had time for. And where can people find you on social media?

John Kinsella: Easiest is Twitter. I’m on LinkedIn out there as well, but Twitter is sort of the more fun stuff.

Hopefully. John L [00:47:00] Kinsella, johnlkinsella. You’ve probably seen it in the notes. Yeah. Feel free to say hi. I’m on Instagram as well, but that’s more sort of less techie type, with more woodwork,

Ashish Rajan: I imagine. Yeah.

John Kinsella: Cooking.

Ashish Rajan: Awesome. I really enjoyed the session, because I’m so glad we touched on the monolith topic as well.

And thank you to everyone who watched and basically came over with the questions as well, because I think it’s always interesting to hear what other people have to say. If you did not get to see this live and you’re watching this later on, feel free to drop a comment. I’m sure I can get that to John. But this has been really fun for me and I’m looking forward to having you again, John.

Thanks for coming in.

John Kinsella: I’d love to thank you. Take care and stay safe. Thanks everyone.

Ashish Rajan: Bye.