As DevOps has matured and more organizations have adopted an infrastructure as code methodology, alongside the increased importance of security, we are seeing compliance as code and policy as code being adopted by many organizations. Progress Software’s Chef products are helping lead this trend. The video is below, followed by a transcript of the conversation.
Alan: Hey, everyone. Thanks for joining us on another TechStrong TV interview. I’m really happy to have – well, it’s the first time I’ve interviewed him here on TechStrong TV, but Charlene has had the pleasure of having Prashanth on before. Let me introduce you and I’m gonna do my best on his name, I apologize. Prashanth Nanjundappa. Is that close, Prashanth?
Prashanth: Yes. Prashanth Nanjundappa. That’s close.
Alan: All right. Prashanth is with Progress Software, where he’s a VP of product, isn’t it?
Prashanth: That’s correct.
Alan: And we’re going to talk a little bit about today, we’re gonna talk a little bit about, you know, compliance as code, you know, in this shift left kind of mode, but also the whole maturation of the DevOps space, etcetera. But you know what, Prashanth, as we spoke about off camera, this is your story to tell. Right? This is your kind of thing. Let’s, you know, talk about things that are important to you. Why don’t we, you know, tell us what’s kind of important to you these days?
Prashanth: First of all, let me thank you. Thank you, Alan and TechStrong TV. This is a great opportunity to actually talk to many of the people who are using our products. Right? I am currently leading the head of product management for one of the business units in Progress, which is managing Chef line of business. We acquired Chef on board about 1.5 years ago. And this is my first foray into managing or building DevOps and SecOps tools. And that was a disadvantage, and also an advantage.
I got to talk to about 150-odd customers because I didn’t know much about this space. So the best way to learn about it is talking to our customers and talking to people who are experts in this domain. And that kind of got me really, really knowing about how these large enterprises and even tech companies are investing a lot in automating their day-to-day needs and adopting DevOps and SecOps as technology practices, bringing those practices into their organization, and using tools like Chef to make not just their teams efficient, but also to increase time-to-market and reduce the risks of their business.
And the reason I’m talking on this, I think your target audience is the people who listen to this stuff. Your videos are the kind of practice notes that I talk day in and day out all the time. They give the feedback which has helped us graph out the roadmap for years to come with the Chef product line.
Alan: Absolutely. And you’re right. That is our audience. Right? Quite frankly, you know, when I launched DevOps dot-com eight years ago, Chef was one of the giants in the – you know, pioneer in the DevOps space, and that was our audience. But you know, over the years, we’ve seen this shift, if you want to call it shift left. It’s not necessarily a shift left, but we’ve seen an increased emphasis on security. And, you know, security’s partner in crime in many ways is compliance.
But as we’ve automated more, as we’ve gone faster and tried to be better, faster and better, right, we’ve recognized the same way we’ve automated DevOps deployment, we need to automate more when it comes to security and compliance. Right? And that’s been painful at times quite frankly. It’s not necessarily easy.
Prashanth: Oh yeah.
Alan: Let’s talk about, you know, where the kind of hard parts are and how companies like Progress are helping us overcome that.
Prashanth: You’re spot on. It’s hard. It’s unnecessary evil as some people say but I think that is changing. So before that, taking a step back, why is security and compliance required? I think the need of security is well understood, but compliance data has been historically three primary reasons. Either they are regulated bodies who keep looking out who is compliant, who is not compliant. Every few months or every few years, they publish a new set of standards, which give a perception to companies or tech companies that they need to adhere to that.
And that then gets complemented by either the regulated sectors like banking and financial, credit card, or hospitality, healthcare, where security, privacy, all these things are of most concern. And they look back at these regulatory bodies who have been publishing these specifications. These two kind of go hand-in-hand. And I tell you, there is a third dimension, who are the customers who are using the products. They look at these regulatory bodies who turn out the specifications and also the regulatory. They say if I want to buy a product from you, I want it to be certified. I want it to be compliant to this.
So this compliance is a need to operate in such industries. But I think it is moving a little from the basic necessity of, you know, being compliant to making sure that my development is fast-paced. Today, if you look at every – there are so many companies, Uber or something, Airbnb, or something, Yelp or something, and this used to be in the consumer sector, but it is also coming into regular segments like banking, financials like that, Robinhood-like companies have normalized trading, and they have made sure that anyone can launch a product.
So even tech chains, they have to adapt to this fast-paced market and bring their products not just fast into the market, but also adhere to the compliance standards, compliance specification, and make sure that whatever they launch is secure. And that is where automation comes. And that is where the as-code paradigm came. You’re quite familiar with the evolution of how infrastructure as code and DevOps evolved. There the codification of infrastructures has evolved because they wanted to make sure that whatever gets developed is automated, and they test well in advance.
I think the same mindset is coming here because there are different bodies, developers, Ops teams, and security teams. All of them generally speak in completely different languages, but if you want to bring them together to actuate the time-to-market, they need to speak one code, one language, and code seems to be the most common, most acceptable language. And once they make a code, it falls into the DevOps sector. You can test it. You can repeat it. You can make sure there are checks and balances to make sure you flag, you audit everything.
But I think that mindset, and also DevOps, has made compliance as code acceptable. And we are seeing more and more adoption. And that is ability of success for the traditional organizations to move in a fast pace. And new companies, they don’t even see other options as options. They take it as the default option because this helps them past development. I don’t know if it makes sense.
Alan: No, it makes perfect sense. I mean it’s also a life a lot of our people are living day-to-day right now. Right? So the security person in me, and Prashanth, I was in security infosec, as we called it before, cyber sec, whenever I worry about compliance, I hear about compliance, I immediately start thinking, you know, am I dumbing down my security for compliance sake? Right? Because sometimes when we do compliance, it’s kind of, you know, I could call it least common denominator security. It’s like the lowest bar. Right?
Prashanth: Right.
Alan: And a lot of people say, “Okay. I’m compliant. I must be secure too.” But they’re not. Just because you’re compliant doesn’t necessarily mean you’re secure, whether you’ve, you know. Compliance, as they say in Las Vegas, it’s a fine beginning. Right? But it’s not the means to the end. So how do you, you know, as a compliance as code type of provider, how do you make sure that your customers understand, okay, since you’ve done step one, but you still need to do step two and three.
Prashanth: Exactly. This is a very important distinction we also took a while to realize. Right? So there are three pillars: infrastructure, compliance, and security. So infrastructure is basically – I mean we can argue what is foundational, but you build your application and that’s where automation is required of infrastructure. Right? And then if you want to operate in regular tech sectors, if you want to be – not lose the competitive advantage with other players, you need to be compliant.
But security is something, which is fundamental. Right? You don’t realize until there is a breach, or until there is an impact on business. But, you know, these days, unfortunately, that is not very uncommon. We are seeing so many companies being exploited because of very, very basic mistakes like opening their port 80. Right? Exposing a port 80, or leaving their S3 buckets unencrypted. Right?
So many of these things are misconfigurations, or many of these things would have been covered or not happened if they had held to some of these standards. Two such bodies which offered large specifications of best practices. Of course the primary takers of that is compliance. But those act as a foundation to security infrastructure. So we help our customers in obviously infrastructure and compliance, but we have started helping them in secure infrastructure as well.
Well, they have to look at infrastructure whenever an application passes through the CI/CD pipeline at each point in sort of just checking for the functionality using the right tools, some of the tools that we built, and some of the tools are available in their ecosystem. They can secure it. It can harden an image. For example, within Progress, there are teams which are using our Chef software to make sure that every image that gets into Artifactory, the Docker container that gets into Artifactory is CIS specification, and other qualities that are specific. They don’t let it get into Artifactory without going through this.
So I think that is very much possible, and that is the education that we are giving and helping our customers, and that’s a two-way process. Right? Because we are maturing in security. So as we engage with our customers, we are learning some of the shortcomings and the tools, and we are bringing back in the quality as code approach that we have been working in 2021 is based off this exchange, information exchange.
And also working with our customers, we realized that we’ve gotta go beyond infrastructure as well. Compliance as code, but two qualities a code where we help organizations define their governance policies, which are heterogeneous and across organizations, sub organizations. But codify them and help them automate that process.
Alan: Exactly. So here’s an interesting thing from where I sit. Right? Sitting here running DevOps dot-com seven-eight years now. We can’t even have this discussion. We couldn’t have this discussion until we reached a certain level of maturity in the way we approach. Let’s forget compliance for the moment, but infrastructure as code.
Prashanth: Yeah.
Alan: Right? Because you can’t start talking about compliance as code, and policy as code, and security as code until you got that infrastructure kind of down pat. Right? And so the fact that we are even having these discussions, right, and thinking about it, and implementing tools around it, you know, it was almost the proof on its face. Right? “Prima facie” as they say in law school. Prima facie. That we are, we have matured, right, in the way we’re deploying our infrastructure, the way we’re automating infrastructure. So I’m calling infrastructure as code. Right?
Prashanth: Okay.
Alan: What do you think as we look ahead to 2022 and 2023, that continued maturity, what does it mean for policy as code? What’s next in other words?
Prashanth: I think a slight deviation from that is what you said about infrastructure expanded to DevOps methodology. Because I think that is the mindset shift that needed to happen for people to actually adopt infrastructure as code, and then subsequently compliance and other paradigms, which would help them in automation. I think that is the foundation and we are seeing more and more companies seeing this as table stakes.
And again, they’re also – it has been a – there is a mindset shift that from where I see, it used to be a play for cost or optimization because of their bottom line. They wanted to reduce their development cost. They wanted to reduce the cost of having a breach. They wanted to reduce cost of finding a defect late in the cycle. But these days, I think is fight for spotlight because every – there is so much competition that is emerging, and there is no choice but to make your product available to your end consumer as soon as you can.
If you don’t do that, someone else is going to grab that opportunity for you. This makes it very, very important for organizations to take this learning that we talked about, which is a testimony that we are talking about compliance and security, but take the previous learning into their foundation. So that is what’s happening. Every new start-up that I talk about, I tell them in DevOps, these are something that they don’t even think as non-optional. Right? These are table stakes.
And from that point, they go on beyond, okay, I got my deployment automation. But hey, I have the security issue. I operate in a finance market. I operate in a banking sector. I operate in a hotel business. I operate in healthcare business. How can I make sure that I stay competitive? I make my data secure? This mindset of having faster time to market is making them add on these things very naturally. And policy as code, whatever we are seeing, I think this is one of the common factors day one to stay competitive.
Alan: Got it. Excellent. All right. Prashanth, unfortunately we’re closer to 20 minutes now than we were to 15 that I told you we would do. Hey, we could continue this conversation though, but I think we’re in the right place. I think it’s something that resonates with the audience. For people wanting to get more information on Chef and Progress around this, where do they go?
Prashanth: Of course, we have a very vibrant community for Chef. So the Chef community can be found on Slack. That is where we and other practitioners also hang out. And of course many of us are super active on LinkedIn as well. So these are the two places I think we can engage faster, and communities like this are probably the fastest to engage with Chef product and engineering folks.
Alan: Okay. Hey, thanks for coming on TechStrong TV today. We’ll see you again soon. Best of luck to all the folks across Progress and Chef.
Prashanth: Thank you. Thanks for having me.
Alan: Okay. Bye-bye. All right. We’re gonna take a break. We’ll be right back.