VMblog: Can you give VMblog readers a quick overview of your company?
Pieter van Noordennen: Slim.AI helps developers secure their cloud-native applications more efficiently. Our approach gives developers the tools they need to automatically harden their containerized applications for production, reducing their attack surface and making the supply chain security posture less complex. With our system, teams can move the focus on container optimization upstream in the DevOps lifecycle, increasing developer velocity while improving security.
VMblog: How can attendees of the event find you? What do you have planned at your booth this year? What type of things will attendees be able to do at your booth?
Pieter van Noordennen: Attendees can find Slim.AI at Booth SU64. Come by for demos and more information about working with us as a design partner.
VMblog: What do you attribute to the success and growth of this industry?
Pieter van Noordennen: The success of cloud native application architectures came along at precisely the right time for an industry that needed a new model to support the need for rapid software iteration, agile software development, and DevOps. What got lost in that shuffle was the dramatic rise in supply chain complexity and exploitable vulnerabilities, and it threatens to hold back progress. What we're building at Slim.AI is a platform to help address this problem.
VMblog: Do you have any speaking sessions during the event? If so, can you give us the details?
Pieter van Noordennen: Our own Ayse Kaya, Slim.AI's senior director of strategy and insights, will be giving a keynote at KubeCon this year! Titled "What We Learned Dissecting the World's Most Popular Containers," her talk will hit several key findings of the research Ayse and her team conducted, which will ultimately appear in the second annual Slim.AI Public Container Report. Anyone can download a copy of the report.
The research she'll be talking about in her keynote demonstrates the current paradox in software supply chain practices, especially the trade-offs teams make between "developer experience" and "production readiness." Ayse's insights are based on a Dimensional Research survey of 300 software developers and DevOps engineers globally as well as an analysis of the most popular public container images used by developers today. This work forms the basis of the second annual Slim.AI Public Container Report. Findings she'll dig into include:
- Of the top public containers Slim.AI observed over the past year, 60% actually contain more vulnerabilities today than they did one year ago. Most notably, high-severity vulnerabilities increased by 50%, followed by a 10% increase in critical vulnerabilities. The average public container has 287 vulnerabilities, 30% of which belong to a high/critical category (up from 20% last year).
- A discrepancy between executives and developers on both the capabilities required for supply chain security and the organization's preparedness. According to the survey, executives believe that more container security practices are happening in their organizations (49%) than frontline developers (34%).
- Developers are getting squeezed from both sides - shifts to the left mean removing vulnerabilities from containers is a developer problem, with more and more customers demanding often unrealistic "zero vulnerabilities" in delivered software. Among developers, 88% said it is challenging to ensure containerized apps are free from vulnerabilities, complexity being the #1 contributing factor. Seventy percent stated their customers demand that their containers have zero vulnerabilities.
VMblog: What kind of message will an attendee hear from you this year? What will they take back to help sell their management team and decision makers?
Pieter van Noordennen: In software supply chain security, knowing your software means knowing what's in it, for better or worse. At KubeCon, we'll be talking about Container Intelligence, a new, free, and open service that anyone can use to quickly gain valuable insights into what's in the most popular container images that they're baking into their software every day.
We'll also be talking about how Teams and Organizations are beginning to use our software to automate container hardening in their CI/CD pipelines. We'll be joined by several members of our design partner program - top security teams at some of the fastest growing cloud-native companies - who are using our software to remove up to 99% of the vulnerabilities in their containers, without having to change a single line of code.
VMblog: While thinking about your company's solutions, can you give readers a few examples of how your offerings are unique? What are your differentiators? What sets you apart from the competition?
Pieter van Noordennen: Slim.AI built a platform for developers that overcomes the challenges of other container security approaches by automating the process of shipping slim, secure containers.
The Slim.AI platform for proactive vulnerability remediation lets developers use whatever base image and tools they want. They don't have to handcraft anything. They can code happily, enjoy an awesome developer experience, and when they're done building, that image becomes their production image candidate that runs through our system. Slim.AI observes that container's behavior and produces a new container that has all the unnecessary parts stripped out, yielding stronger security, a smaller attack surface and a better compositional profile than you could have gotten if you started with another technology.
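The answer above describes the general idea of "observe what the container actually uses, then strip the rest." The following is an added example written for this page, not Slim.AI's implementation and not code from the interview: it takes a constructed image manifest and a constructed runtime trace (the paths an application opened or executed during a test run), follows symlink chains so no link is left dangling, computes the kept and removed file sets, and then checks the caveat every practitioner hits with this approach: a file the application needs only on a code path the test run never exercised (here a config file read on reload) gets stripped unless the trace covers it or it is added to an explicit keep-list. All paths, sizes and names (`SAMPLE_MANIFEST`, `SAMPLE_TRACE`, `minimize`, `missing_paths`) are assumptions made for the demonstration.

```python
"""Minimal-container illustration: keep only what a runtime trace shows the
application using. Added example, not Slim.AI's code; the manifest, trace and
sizes below are constructed for the demonstration."""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ImageFile:
    path: str                      # absolute path inside the image
    size: int                      # bytes (0 for symlinks)
    target: Optional[str] = None   # symlink target; None for a regular file


# Constructed image manifest: roughly what a package-based base image carries.
SAMPLE_MANIFEST = [
    ImageFile("/bin/sh", 120_000),
    ImageFile("/bin/bash", 1_200_000),
    ImageFile("/usr/bin/curl", 250_000),
    ImageFile("/usr/bin/python3", 0, target="/usr/bin/python3.11"),
    ImageFile("/usr/bin/python3.11", 5_500_000),
    ImageFile("/usr/lib/libssl.so.3", 700_000),
    ImageFile("/usr/lib/libcrypto.so.3", 4_000_000),
    ImageFile("/usr/lib/libz.so.1", 0, target="libz.so.1.2.13"),  # relative link
    ImageFile("/usr/lib/libz.so.1.2.13", 100_000),
    ImageFile("/usr/lib/libpcre.so", 500_000),
    ImageFile("/app/server.py", 4_000),
    ImageFile("/app/config.yaml", 1_000),
    ImageFile("/etc/ssl/certs/ca-certificates.crt", 200_000),
    ImageFile("/usr/share/doc/curl/README", 10_000),
    ImageFile("/var/lib/apt/lists/pkgcache.bin", 30_000_000),
]

# Constructed runtime trace: paths the app opened or executed during a test run.
# /proc and /dev entries are not image content and are ignored below.
SAMPLE_TRACE = [
    "/usr/bin/python3",
    "/app/server.py",
    "/usr/lib/libssl.so.3",
    "/usr/lib/libcrypto.so.3",
    "/usr/lib/libz.so.1",
    "/etc/ssl/certs/ca-certificates.crt",
    "/proc/self/maps",
    "/dev/urandom",
]


def build_index(manifest: Iterable[ImageFile]) -> dict[str, ImageFile]:
    """Map path -> ImageFile for O(1) lookups."""
    return {f.path: f for f in manifest}


def resolve_links(index: dict[str, ImageFile], path: str, max_hops: int = 40) -> list[str]:
    """Follow symlinks starting at `path` and return every hop. Every hop must
    survive in the slimmed image, otherwise the link dangles at runtime."""
    chain = [path]
    while path in index and index[path].target is not None:
        target = index[path].target
        if not target.startswith("/"):  # relative link: resolve against its own directory
            target = posixpath.normpath(posixpath.join(posixpath.dirname(path), target))
        if target in chain or len(chain) > max_hops:
            raise ValueError(f"symlink loop at {path}")
        chain.append(target)
        path = target
    return chain


def minimize(manifest: Iterable[ImageFile], trace: Iterable[str],
             extra_keep: Iterable[str] = ()) -> tuple[list[str], list[str]]:
    """Return (kept, removed) path lists: traced paths plus their symlink chains
    plus an explicit keep-list survive; everything else in the manifest goes."""
    index = build_index(manifest)
    keep: set[str] = set()
    for p in list(trace) + list(extra_keep):
        if p not in index:
            continue  # pseudo-filesystems, volumes, tmpfs: not part of the image
        keep.update(resolve_links(index, p))
    kept = sorted(p for p in index if p in keep)
    removed = sorted(p for p in index if p not in keep)
    return kept, removed


def missing_paths(kept: Iterable[str], needed: Iterable[str]) -> list[str]:
    """Paths the application needs that the trace never touched. Anything listed
    here was stripped and will fail at runtime, which is why trace coverage and
    an explicit keep-list matter."""
    kept_set = set(kept)
    return sorted(p for p in needed if p not in kept_set)


def summarize(manifest: Iterable[ImageFile], kept: list[str], removed: list[str]) -> dict[str, int]:
    """File counts and bytes removed, the numbers a team would report."""
    index = build_index(manifest)
    return {
        "files_total": len(index),
        "files_kept": len(kept),
        "files_removed": len(removed),
        "bytes_removed": sum(index[p].size for p in removed),
    }


if __name__ == "__main__":
    kept, removed = minimize(SAMPLE_MANIFEST, SAMPLE_TRACE)
    print(summarize(SAMPLE_MANIFEST, kept, removed))
    # The reload-only config file was never traced, so it would be stripped:
    print("missing:", missing_paths(kept, ["/app/config.yaml", "/app/server.py"]))
    kept, removed = minimize(SAMPLE_MANIFEST, SAMPLE_TRACE, extra_keep=["/app/config.yaml"])
    print("missing after keep-list:", missing_paths(kept, ["/app/config.yaml"]))
```

Run as a script it prints the file and byte reduction, then shows the untraced config file first missing and then retained once it is on the keep-list. The design point is that the trace, not a package list, decides what survives, so shells, package-manager caches and unused libraries disappear along with their CVEs; the cost is that any file reached only by untested code paths disappears too, which is why the coverage check belongs next to the minimizer.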
VMblog: Where does your company fit within the container, cloud, Kubernetes ecosystem?
Pieter van Noordennen: Slim.AI is an application security company focused on containers. We work with developers and DevSecOps teams to help them better understand what is in their containers and how to remove the most urgent vulnerabilities. We believe securing containers is a shift-left problem, and that developers need more and better tools if they are going to meet today's challenges. More importantly, we give everyone in the software delivery life cycle a clear, simple, and objective platform in which to share information openly about vulnerabilities found, their severity, and how they're being remediated.
VMblog: KubeCon + CloudNativeCon is typically a great venue for a company to launch a new product or an update to an existing product. Will your company be announcing anything new? If so, can you give us a sneak preview?
Pieter van Noordennen: We are announcing the launch of Container Intelligence, a free and open service that anyone can use to quickly gain valuable insights into what's in the most popular container images from multiple repos. These images are being used to build software every day, and our research has shown that they have more vulnerabilities than ever before. Developers can use Container Intelligence to make informed decisions when selecting containers or containerized applications for use in their tech stacks. And the free tool makes it easy to compare public images in the same category (for example, base images, CMSs, or DevOps tools).
For those who want to know even more about their containers, developers can log in to the Slim.AI platform from the Container Intelligence page to analyze their own private containers, get vulnerability reports from multiple scanners, and automatically harden their container images for production. Additionally, Slim.AI has been adding functionality for teams, and is accepting a limited number of organizations into its design partner program.
VMblog: Where are we at in 2022 with regard to containers and Kubernetes? Is there anything still holding it back from a wider distribution? If so, what is it? And how do we overcome it?
Pieter van Noordennen: Developers want to learn containers - that's clear from the growth of Docker and the results of the StackOverflow 2022 Developer Survey. But the biggest threat to slowing cloud-native adoption is security. Many developers simply don't have the skills, information, and know-how to effectively secure their containers for production. Addressing this problem without slowing the pace of innovation and software iteration is critical to keeping our industry on its growth trajectory.
VMblog: Are companies going all in for the cloud? Or do you see a return back to on-premises? Are there roadblocks in place keeping companies from going all cloud?
Pieter van Noordennen: There will always be valid, economically sensible, business-driven reasons to either keep workloads on prem or repatriate them, just as there are reasons today to divide workloads among multiple public cloud providers. In fact, facilitating this, rather than attempting to stymie it, is something everyone in our industry should be committed to delivering, because freedom of movement for apps and data is how innovation and advancement take place. The thing I would add to the debate is that whatever your approach to cloud, let your developers work the way they want to work, and use the tools that make them productive and secure.