Cloudsmith is solving the challenges of artifact management and are on the path to becoming the software supply chain itself.
In this weekly podcast, we share knowledge from Cloudsmith employees, customers, and other great guests from the software industry.
Along the way, we’ll unpack topics like the cloud, security, supply chains, and the developer experience.
Alan (00:02):
Welcome to DevX Unpack. I'm Alan Carson, co-founder and chief strategy officer at Cloudsmith. We're solving the challenges of artefact management and are on the path to becoming the software supply chain itself. In this weekly podcast, we share knowledge from Cloudsmith employees, customers, and other great guests from the software industry. Along the way, we'll unpack topics like the cloud, security, supply chains, and of course the developer experience. Welcome, really good to have you on the podcast. Alison, you are our VP of product at Cloudsmith and have worked here since November 2021. I'm just looking it up in the records. It would be great for you to give us a bit of an overview of how you maybe got introduced to Smith and ultimately how you found yourself at Cloudsmith. And a little bit about your background, just to give us a bit of context.
Alison (01:11):
I came out of college as a journalist grad and started my career in New York City working in digital content. And through my initial jobs I got really interested in how the systems that we were using to do our job, the software we were using every day to make content and distribute content, the decisions that were going into how those products worked. And so through that career path, I found myself transitioning into product at a media company. So I was fortunate to be working at Scripps Networks, which owns brands like Food Network and HGTV, and I dunno how much those will resonate with our European audience, but everyone in the US is familiar with those two property brothers and all that good stuff.
(02:03):
And this was in 2013. They were interested in trying to take their library of content assets and make them a second revenue stream. So we have all this great rich digital content, what are we going to do with it? And so they tried to start a little startup within this media company and I raised my hand and said, that sounds exciting. So I went with Scripps Networks from New York to San Francisco and started working with the team out there that was trying to get this startup going within a large media company. And from there I found myself in Ad Tech, which is a really great place I think if you want to understand platform product development because the technology decisions and the product that underpins being able to serve billions of ads in milliseconds is really a fascinating space. And so I worked for a few years in a company called SpotX, and it was actually while I was at SpotX that that company had built two engineering teams based in Belfast.
(03:04):
So that company was headquartered in Colorado, but they needed to find a way to find great engineering talent and expand beyond Colorado and Belfast. I don't actually know how they ended up in Belfast, but they did. And that worked out great for me because I met a bunch of really great software engineers based here in Belfast, and it was a little challenging to do a time zone difference from San Francisco to Belfast, but we made it work. I had shown up in the office at 7:00 AM and folks were hanging around until seven or eight their time. So through that company, that's how I first got introduced to all the great engineering talent and all the great talent that is in Belfast. From there I went and did a startup. There's maybe a theme here of, oh, you want to start something? Let me come help. So I went from trying to do a startup and a media company to going to get a little more product chops at an ad tech company back into the startup life. And so after a few years working in 3D visualisation software, which is also really fascinating space,
Alan (04:11):
I also have a history in that. So
Alison (04:13):
Yeah,
Alan (04:16):
I think that's one of those things where you go into and then you try and get out of
Alison (04:21):
3D.
Alan (04:22):
Yeah,
Alison (04:22):
Yeah, it's tough. Yeah, so then somebody from my past at Belfast from that Belfast team reached out and that's how I got introduced to Alan and Lee.
Alan (04:33):
Yeah, no, I'm not sure I actually knew that you were a journalism major. Yeah. No wonder you get given so many coffee jobs with this. That's
Alison (04:45):
Right. Need something written. I got you covered.
Alan (04:48):
Obviously Lee and I are from Belfast and Lee went to also university here and I went to Queen's University here. So we've been pretty embedded for the last, to show my age now, 25 years in the Belfast community. And like I said, I was part of 3D Shop for a couple of years, three years prior to meeting Lee. And yeah, I mean there is a wealth of talent in Belfast. I mean, how did you find that working with them, Alison, particularly from a remote perspective?
Alison (05:32):
Yeah, it was really great. Like you said, there's a wealth of talent here and spending really great, I relocated to Belfast a few months ago to be closer to the Cloudsmith team,
(05:44):
And that's helped me get a little more embedded in the product and engineering culture that is here. And so it's been really great just to see all of the great talent that has and the community that it has around that. I got the opportunity to go to an event with some other startup and companies around Belfast talking with some US government officials. And someone in that call was explained that discussion was explaining well about why Belfast is so good in cybersecurity. And I can't remember the exact three characteristics, but they said something about everyone here is paranoid and everybody here is a hard worker. And so that's why cybersecurity is a great industry for Belfast.
Alan (06:30):
Yeah,
Alison (06:32):
There was a third quality too. I can't quite remember what it was though.
Alan (06:38):
I can't think of what it could possibly be either. Yeah, no. Obviously there's a lot of FDIs come to Northern Ireland and Belfast and they have essentially raised the game quite a bit in terms of the talent. I mean there's a lot of graduates coming out of the universities and going into cyber. Cloudsmith itself is part of that NI cyber cluster, or at least it was, I think it's been slightly reshaped recently. But yeah, there's a wealth of that which is just great in terms of when we were out looking for people trying to bring them in. And certainly Cloudsmith has ended up very much focused on bringing security into artefact management. And so that's probably a decent segue into maybe talking a little bit about the Cloudsmith and product. And I'd love to hear what you thought when you walked in the door the first time in your role and looked at what we'd created on what the challenges were going forward. If you can remember
Alison (07:58):
Well enough, can remember that part back. Well, I can remember why I came to the Cloudsmith team. So the things that were really appealing to me about joining Cloudsmith almost three and a half years ago, I have previously been saying about three years ago, but I guess it's almost three and a half now. One was just the transparency, so the culture of transparency within Cloudsmith and Alan, you are a big part of that in our initial conversations talking through that and that continues today even as we're scaling, which is really great to see. It really helps build a culture where everyone understands what's going on and why and has the right context to be able to help drive the business forward. And then the other thing that really appealed to me about Cloudsmith is that you had real customers who had real problems that you were solving for them. And it was really about taking that start of, Hey, we are solving these problems, but how can we solve these better? How can we go deeper for these customers and how can we figure out exactly how this product fits into the market that we're trying to sell? And so it was really great. I think you had maybe 150 customers when I joined. It was not insignificant. And so that was really great.
Alan (09:13):
Yeah, I think you joined just after we closed series A, so we would've had Shopify at that point. They would've been kind of our tent pole key customer back then. Yeah, I mean the transparency thing that gets me in trouble as much as it does helpful and get good people into the company, but thank you for that.
Alison (09:41):
Yeah, yeah. So Shopify was here and I think we all sort of knew we needed to go after Enterprise, but it was really about trying to figure out what the shape of that looked like and what that actually meant. The other thing to mention too is that the differentiators that we still use today to separate our product from our competitors, those are already in place and the foundations of cloud native artefact management was there and it was really like how do we go and disrupt this market with this great product we have? How do we find the right market, the right customers? What's that the ideal customer profile and how do we sell into them successfully?
Alan (10:25):
Yeah, I mean I think our journey has been sort of an interesting one from a point of view of product market fit. I think over the years, particularly in the early years, there was times where I felt like we had product market fit, and then I feel like we fell out of it a little bit. And I don't know if you can talk to anything you've sort of seen there in terms of some of the features and functionality that we've been thinking about or working upon.
Alison (10:55):
Yeah, no, I would definitely agree with that. And I feel like that's a benefit for Cloudsmith now is that we've had to go through those journeys. And so we all built a little bit of muscle of what does it look like to actually evolve your product as the market's changing. And I imagine there'll be rapid changes ahead in this space too. And so we've built that muscle of saying, okay, we had product market fit, now something's changed, what do we do? But yeah, I would agree that we've seen that change a little bit, and part of that is the competitors, the competitive set changing and the concerns of those customers changing over time as well. So when I came in, you guys, a lot of what your success had been is more in that product-led growth and smaller companies, but we were seeing more competitors come in that could target those smaller customers who are less concerned about secure artefact management and were more interested just in storage and distribution. And so being able to take our product and say what we have here is the foundation for Secure Artefact management first, and then saying Secure Artefact management is really the start of a software supply chain security strategy. And finding the customers who are interested in those two things and selling into those and making sure that we had the muscle to sell into those companies as well. That to me sort of been the journey that we've been on the past three years.
Alan (12:19):
That's awesome. How does policy management fit into that?
Alison (12:24):
Yeah, so I mentioned that secure artefact management gives companies the right platform to be able to start to consider how they manage their software supply chain. And that's really the thesis of Cloudsmith's product is that having that central checkpoint that all your software passes through gives you a place to start to apply controls over what type of software can be used within your organisation, who can access that software and where that software can go. And we have started work on what we're calling our enterprise policy management manager. I actually did a webinar on it two weeks ago in the same office. Hopefully you didn't hear the sounds of Belfast as much on that webinar as you probably are now.
(13:16):
So that the enterprise policy manager, our approach to that and why it's different from other things in the market is that it's really about thinking how you can have a central checkpoint that leverages all of the data that Cloudsmith has about your software, that we enrich that data set with other sources to help you learn more about packages and about requests and about vulnerabilities that we're enriching that data and that we have that central checkpoint where you can use all of that data to build the policies that match your organization's desire for compliance. So the types of things that your organisation cares about when it's thinking about software supply chain and that enterprise policy manager is that central checkpoint that can control any action in Cloudsmith. You can control it through that enterprise policy manager. So that's the artefact management is the central checkpoint is equals enterprise policy management.
Alan (14:19):
Yeah. Yeah. I wasn't doing a webinar yesterday, but I was on stage at a sort of VC portfolio day and they were asking me hard questions and it occurred to me when I was sitting there, Cloudsmith has become this really interesting place in terms of technology where it's the cross between cloud computing, computing at the edge, it's security, it's software distribution, it has all these aspects that have built on top of that original core thinking around how do we literally get a software artefact into an organisation. And so there was also a lot of talk about AI, and I know we have been maybe not fast, let's put it this way, not fast out of the gate to immediately slap AI onto every feature and functionality that we've done. I'd love to hear what you think about AI and how it would maybe apply to some of the things that we're doing going on going forward.
Alison (15:45):
Yeah, I mean ultimately bringing AI into our product, it has to help us solve a problem for our customers. It either has to help us take the problems we're solving today and solve them better, or it has to help us solve new problems for them. And we've had a lot of internal discussions about AI over the past year, and I think you'll see us exploring that space more here in the next few months. But ultimately, the foundation of Cloudsmith as that central hub for all software and all data puts us in a good place to say, how can we use that data? How can we use that information to power the use cases that we have for our customers? And we certainly not rushed into introducing AI into the product, but what we have spent time doing is saying, how can we have a really strong data platform where we're bringing in all this data, we're making that data actionable to our customers, we're enriching that data set and we're in a position where we can say, okay, how can we leverage this data going forward?
(16:55):
So like I said, I think you'll see us start to explore that here in the next few months, and we're always interested in hearing from our customers too. So that's one angle is how can we make our product better through AI? But the other thing that's interesting for Cloudsmith is just that there's new artefact types that folks are using and there's new problems around software for our end customers. And so how can we help support our customers who are developing with AI or with machine learning, how can we support those customers and help them securely develop AI solutions for their own products?
Alan (17:32):
Yeah, no, absolutely. And oh, actually one of the questions I got asked was about kind of authentication and ultimately if it's an AI agent or a service account accessing, we put a lot of that in place to make sure that you can be authenticated which packages and containers that you're able to pull and what you have access to. So I suppose from my perspective, we put in a lot of the foundation and understanding around what Kal need to look like in order to start thinking about how AI can make things better.
Alison (18:15):
The authentication piece is interesting. It just made me think about in our product vision we have a line of ultimately we're trying to help these enterprises solve problems of trust at scale and problems of trust and the at scale piece both get harder as AI gets in the mix. And so staying true to that product vision and making sure that we're able to deliver that for our customers, I do think we're in a good position both on leveraging AI, but ultimately helping our customers who are leveraging AI continue to have secure software.
Alan (18:44):
Are there any partners that you're excited about at the minute?
Alison (18:50):
Yeah, so I think one thing that maybe differentiates us a little bit in the marketplace is that we're really interested in the ecosystem around us and being a great partner for the other tools that our customers are using and making sure that integrations and data flow and workflows, that all of that is really seamless for our customers. And the best way to do that is to have strong partnerships with partners in this space as well. So I'm really excited. We've had some good chats with Docker. I think Docker's a great partner for us in this space and just as more and more folks embrace containerization and leveraging Docker and how that works with being able to distribute and have a great experience with those containers at scale and the distribution of those, I think we're in a good place to build a strong partnership with Docker. I'm also excited about Chainguard. They've been in this space or they've been around basically the whole time I've been at Cloudsmith and sort of trying to understand where Chainguard's going to go with their product and seeing them explore clean base images and helping customers solve some of those core problems around the vulnerabilities in their software and come at the problem from a slightly different angle. I'm excited about the opportunity to continue to partner with Chainguard as well.
(20:11):
We've had some interesting conversations with folks who are aggregating and making information about vulnerabilities and advisories enriching that data, bringing a unique spin or a unique point of view on what those vulnerability, those advisory, that advisory information means for our customers. I think there's some interesting partnerships for us in that space as well, some startups that it's interesting to sort of explore what a partnership could look like there as well.
Alan (20:42):
Yeah, it is interesting how over time the mechanics of being that software distributor has morphed into being more of a data play and capturing a lot of the data and bringing in and ultimately making decisions upon it and in terms of that EPM side of things. So that's really interesting. I think that's one of the most interesting things that's going to be happening over the next 12 to 18 months is how much we leverage those partners. And really it does take a village to solve software supply chain, and it's not just one tool, but it's being significant part of that ecosystem in order to make that work. Maybe switching gears a little bit, how are you finding working with, you've now got a whole team of people and who are all looking into different areas. How are you finding that?
Alison (21:56):
Yeah, I was just having coffee with our VP of growth, Paul McKeever, and we are talking about scaling the company and some of the challenges with that and just how you go from being a doer to having folks who are doing, and you have to sort of recalibrate for yourself what that means for your role. But it's been really great to build out the product organisation as a whole. I have a really great teammate in Paul May. He's senior director of product and design. And between him and me, the product team has added entirely new functions in the past three months. So we have product design, we have user research, we have prototyping team who's helping us look ahead at the products and the problems we're trying to solve. We have our product management team and then we have technical writers as well. And so just figuring out what are the functions that should be within our product org, how do we interface with other groups now that we're a little bit bigger has been really fun and there's some interesting challenges there. I'm really excited about having a robust team who can help us really understand our customers, understand what's ahead in different problems that we could be solving for our customers, what those solutions could look like if we wanted to pursue them, and then having the product management chops to have follow through on actually being able to deliver those products to our end customers. So yeah, it's been really great to grow this team and figure out how we find our place within the wider organisation as well.
Alan (23:38):
Yeah, I mean as a founder in the early days, the most frustrating that can happen is the things that you're not working on. I mean, there's all these cool things that you are working on and you're building and you're releasing features and trying to solve customer problems, but there's always the things in the back of your mind that you're like, wow, we should be looking at that. We should be working on that. We should be talking to those people. And a lot of that only really happens when you get to scale where you get other people to come in and you can give them an area that they can go on and focus on. So from my perspective, it's been kind of great to see that grow. Leanna was one of the first people that I think you hired into your team and to put her on package formats, which was the bread and butter essentially of artefact management is making sure that you have full support there and increase our scope has been great to see over the last six months.
Alison (24:52):
Yeah, no, it's been great to start to have a little more specialisation in the product org, both in just terms of function, but also in terms of product area. It is also challenging to try to give up responsibility and get a little bit more removed from decisions that are being made, but trying to make sure you're building the right structures and communication patterns in place so you're still staying abreast of decisions and what's happening. People who are listening will probably know who actually said this quote, I don't know who said it, but I read it a few months ago about when you're scaling a startup, you have to be okay with giving away your Legos, and that's really resonated with me. When you're 20 people, you are doing a little bit of everything, but as you scale, you have to be okay with giving away some of those tasks or some of those areas of responsibility, and that can be uncomfortable and hard, but it's the only way you can scale the company.
Alan (25:50):
Anything you're excited about coming up?
Alison (25:55):
Well, I'm excited about enterprise policy management. So that feature has been in early access for a few weeks months now, and we've been getting some really great feedback from customers. We have some folks who are adopting it in production, they've tried it out, they're ready to move forward with it. And so I'm really excited just about the problems we're solving there now, but also where that product can go in the future. And so that vision of it's not just about this one piece of data and this one action you want to control, but it's a richer and more robust engine for everything you might want to control within Cloudsmith and seeing how that evolves. I'm excited about, we have a product called Navigator, which is a separate product to our core, but the thesis behind Navigator when we launched it was that there's information about packages, the origins and the beginnings and the history of those packages that could help customers make better decisions about what software they're letting their own developers use.
(27:02):
And so I'm excited about actually integrating that data into our core platform as well. And all the things that will unlock, I'm excited about. So we provide our customers with vulnerability data about their packages, and we've reworked under the hood how we are going to be doing that moving forward. And we call that product continuous security, and it's ultimately that as soon as a new advisory is available, we'll know about it and we'll let you know. And having that real time notification for our customers is exciting. And then also just what we can do with that data, what sort of exploration organisations can do once they have all of that data in one central place. So things like a CVE Explorer or what could it look like if you could look across your entire software supply chain and see information about advisories and see information about where packages are originating from and what sort of use cases or problems that could help solve for our customers.
(28:05):
So really, I guess I'm mostly excited about that helping you ship secure software pillar within our product. There's a lot of really rich and exciting things we can do there. I also think that that's an area where we can help lead our customers too. So a lot of the enterprises we talk to know they should be doing more in that space, but they're not quite sure where to start. And so now that we have a really strong product there, I think we can also start to help guide best practises and how folks can more successfully use Cloudsmith to actually make themselves more secure.
Alan (28:39):
Yeah, no, those are some really interesting areas. I think I'm really happy with where we have sort of gotten the product to where it is today because done a lot of work both in re-architecting and launched the new web app, and we have dark mode now. We
Alison (29:01):
Have dark
Alan (29:02):
Mode. The joke is it only took nine years, but it didn't take nine years obviously to develop it, but it took us nine years to get to it.
Alison (29:13):
I was going to bring that up earlier when you were talking about how there's all these things you want to do, but it's hard to get to. And it was like, oh yeah, you're just nine years in a full team and you got dark mode.
Alan (29:21):
Yeah. But that's the cool thing is about scaling and getting, you get people who are excited about some of the rough edges that you maybe hadn't had the time or the impetus to get to, and then suddenly they make it a reality and it feels like it happened overnight even though it didn't. So it's
Alison (29:47):
Fantastic. And I think dark mode is an interesting example too, of how we are leaning into user experience as a differentiator, building a great product design team, and building a discipline around how we make sure what we're designing is, and having a real strong focus in that area is a differentiator against our legacy competitors as well.
Alan (30:13):
And I mean, look, I credit you with bringing that to Cloudsmith. I mean, when it was Lee and I making all the decisions, we were just doing what we thought was best, and I suppose we were kind of building it for ourselves in many ways and not really leaning into what the customers were asking for. I mean, we would do whatever they wanted, but at the same time, it was not put into the rich hopper of is this a good idea and will this apply to everyone and everything? I mean, I think we had a good gut reaction to that, but I don't think it was particularly codified or process driven or anything.
Alison (31:06):
I think there's the prioritisation and should we do this question, but then there's also how do we design the right solution? And Paul May's product design team has really elevated our game in that space of saying it's not enough to just say the product should do X, Y, and Z, but you have to spend time going deep and understanding, well, what does that actually mean for our users and how they'll engage with our product. So it's been really great to just see, like I said, I guess the product org build out some of those functions and those muscles and how that can come back and add so much value to the business.
Alan (31:40):
Yeah, I mean, you have talked me off the ledge numerous times where I've been ranting that we should do something and then you're like, should we? So no, it's absolutely the best way to think about things.
Alison (31:56):
Yeah. Well, it's an interesting thing about having a lot of customers being into this exciting market, this innovative and constantly changing market is that there's lots of things we could do, and how do you make the decisions about what you should do and not just be reactionary to what you're hearing?
Alan (32:17):
Yeah, no, that came up yesterday that people were saying the VCs, they're kind of all looking towards ai, but hey, there seems to be this category in cybersecurity that never seems to go away. And I think the truth is, and we only, I suppose we personify a security company more and more over the years, even though ultimately artefact management probably wouldn't have sat in in the past, but it's become the foundation for security, and it is a kind of evergreen topic. There's always new things happening, new approaches for vulnerabilities and dependencies, and so it's hard to stay ahead of the game, but we've put ourselves in this really interesting position to try and figure that out for our customers.
Alison (33:23):
Yeah, I think it's interesting. Are we a security company? Are we not? Ultimately we help our customers have secure artefact management best practises, and we help you ship secure software. That's sort of how I think about the two ways that security comes into play for Cloudsmith.
Alan (33:41):
Yeah. Is there anything that we haven't talked about today that you'd love to talk about?
Alison (33:51):
Well, can I ask you some questions?
Alan (33:53):
You can, yeah,
Alison (33:55):
Sure. Alan, tell me a little bit about the motivation behind starting a podcast.
Alan (34:04):
Ah, that's a good question. Well, there was sort of two reasons. One, being the founder Glen and handing the reins over to Glen, and Glen is now the CEO 18 months ago, 19 months ago. He likes to correct me and he was like, Alan, you need to get out there more. You need to talk to people and network and be a bit more visible, a bit like Chainguard. And I was like, oh, no, that's not really my personality. And then at the start of the year, I had a conversation with Chris and he's our podcast producer, and as I like to call him, the video God.
Alison (34:54):
The video God Behind Cloudsmith.
Alan (34:57):
And he was like, we were talking about Demand Gen, and we were talking about, we had done one episode of Cloudstream, which was kind of more like a video podcast attempt, and it was like two years ago, and it was sitting on our YouTube channel and it had, I dunno, a hundred times more views than any of the other videos that we had. So that was kind of where the idea percolated. And then the other thing was sort of just a personal goal of trying to get out there and talk to more people and learn things. I kind of felt like when I was CEO, I was learning all these other things about finance and raising money and all of those things, but I'm a developer at heart and I was feeling a little bit further away from the technology than I wanted to be. So in many ways, this is a way to try and marry some of those things together and try and put out some content and talk to some good people and find out what's motivating them and driving them and what's good for Cloudsmith and the customers.
Alison (36:30):
You say it's not part of your personality, but I think you're great in these types of settings and when you're talking to people and when you're out there representing Cloudsmith,
Alan (36:38):
But the fear behind the persona is real.
Alison (36:42):
Oh, nobody notices it.
Alan (36:46):
Yesterday when I was on stage, I had to run up to Alex, he was the moderator afterwards. I was like, is that okay? Was that okay? I'm just like, oh, what did I say? But so far so good.
Alison (37:01):
Yeah, we do. So Cloudsmith gets the team together every three times a year. And the last offsite, I think we had 70 people there or something like that. And one of the PMs, Liana, who you mentioned was giving a talk and she was a little nervous about it. And so I told her my secret, which is that you have to do a power pose before you go do something, which you just find a spot and you're away from people and strike a power pose for a few minutes and then you'll, you'll feel a little bit stronger when you go up there.
Alan (37:29):
Yeah. Did she do it?
Alison (37:31):
I don't know. I'll have to ask her, but I did it before I did my presentation.
Alan (37:35):
Yeah, yeah. My problem is I don't prepare enough. That's always my problem. I don't write the questions, I don't consider what the answers are going to be. I was sitting, we were on last yesterday and I was sitting listening to everybody else talk and I was looking on my phone, I was looking at the questions that they were going to ask, and I was like, I didn't know they were going to ask me that. So I was like, I'm not going to lie. I was ChatGPT-ing potential answers for certain things. Thankfully I had Wi-Fi, otherwise I would've been screwed. But yeah, no, I like the format as well. So I think it's a sort of good way to get people and you can feel people warm up as they get into the conversation and it gets a bit easier. And
Alison (38:37):
Alan, what are you excited about from the product team?
Alan (38:41):
From the product team? So I've always been pretty close to the product and thinking about the product. So I mean, I'm just really looking forward to getting the product that I had envisaged in my head when we started this. I really love a lot of the side of things. I started from a front end point of view. Lee was always more a little bit more backend and I was a little bit more front end. So I love what's going on there. I love the fact that the brand is getting pushed out across the website, navigator broadcasts and
Alison (39:27):
Docs coming soon,
Alan (39:29):
Docs and the core app and everything. So I kind of love all that side of things. I like writing, so I'm super excited that we're getting our ducks in a row there in terms of how we're talking to the customer product wise. I mean dark mode, obviously the policy thing, which sort of came from an idea from the hackathon that we did, sort of internal hackathon that we did at one of the offsites last year. That was, I think you and I and Lee were judges.
Alison (40:08):
That's right.
Alan (40:08):
And I think we handed that team the prize that time. It's been really fantastic to see that come from that place, be sort of filtered into the thinking. And we did a sort of an initial launch at KubeCon last year. So I'm excited about where that goes because I think it's the driver of, it's the data play and surfacing and being able to use and control and in around having a lot of that data and seeing that come to fruition is pretty cool.
Alison (40:51):
Yeah. Yeah, it's been interesting. Enterprise policy management was, like I said, it's in early access now. It was probably a little more alpha at the end of last year. And we had a customer who ultimately needed it for their use case, and we are a prospect I should say. And we were all a little nervous about was it ready, how was that interaction going to go? And it was really rewarding when that customer ultimately chose Cloudsmith because of how we built that product and the flexibility that we built into that product and that we could solve their use cases now, but they could also see how it would help and how it would grow with them as they got more advanced in software supply chain security.
Alan (41:32):
And then the follow on to that, which I suppose is in some way sort of the next stage is like how do you benchmark against SLSA or one of those kind of initiatives because we've obviously been helping customers achieve FedRAMP and SOC 2, and I think being able to make that maybe a bit more visible and actionable for customers in order to lean into those types of things, I think will be a game changer.
Alison (42:06):
Yeah, I would agree with that. And it's interesting you mentioned FedRAMP. We had a customer who is FedRAMP compliant and ultimately the latest revision Rev 5 of FedRAMP acknowledged that, Hey, you need to know where packages are coming. You need to have integrity around packages in the software and use, and ultimately you need to have secure artefact management. And we were able to work with them and say, here's how you can prove that using Cloudsmith ensures that you have secure artefact management and have integrity and authenticity on where these packages are coming from. And you see that too across those other frameworks. You mentioned SLSA and Microsoft's S2C2F,
Alan (42:49):
You're braver than I because I was like, am I going to get that acronym right? I'm not sure I am. So I just was like SLSA and the other one, the
Alison (42:58):
Acronym's easy. What does it stand for? I think it stands for Software Supply Chain Compliance Framework, something like that.
Alan (43:05):
It's meant to write
Alison (43:07):
Both of those. Ultimately it's about artefact integrity
Alan (43:13):
And we should just mention the other acronym SBOMs as well, just so if
Speaker 3 (43:18):
You
Alan (43:18):
Throw it in there, in many ways Cloudsmith manages your SBOM without you actually having to produce an SBOM artefact. But at the same time, we do handle and manage SBOM artefacts as well.
Alison (43:36):
Yeah, I was just talking to a customer this week about SBOMs and similar to vulnerability management and software supply chain security, everybody's sort of figuring out what these bits and pieces mean for them to help them be more secure. But it was interesting to talk through sort of our history around SBOMs. I just aired our dirty laundry with them about how three years ago we introduced the ability to store and distribute those SBOMs and had the thesis of, oh, those should be coming from the build machine, the build process, and the evolution of our thinking around SBOMs of how ultimately you probably need SBOMs many times throughout that development process. And now in addition to being able to let you store those SBOMs we'll actually generate them for you and SBOMs have been talked about for a long time, but actually being able to start to put them to use and get value from them and seeing our customers work through those problems themselves has been really interesting.
Alan (44:35):
Yeah, I think one of my big theses on SBOMs is until you get to a point where you need to share it in order to be certified, in order to make a sale into a customer or sell into the federal government, that's really when it'll kick in. I completely agree with you. You need a visibility of it, you need to work through it. But I think that pressure needs to come from the top in order for companies of all shapes and sizes to ultimately start to lean into needing them using them.
Alison (45:19):
I mean for us too, they're also another source of really rich information about artefacts and containers. And so being able to add that information and add that data in for customers is a really good place to be as we explore how you can start to use that data in the future.
Alan (45:35):
Yeah.
Alison (45:37):
It's also always interesting to me, it's full circle to the start of the conversation about my journey here is that the startup prior to this, that 3D visualisation platform was in manufacturing. So we talked a lot about bill of materials. So then when I came here and it was like, and now there's software bill of materials, I was like, oh, great.
Alan (45:56):
Yeah, yeah, yeah, no, I was part of a startup that did 3D visualisation of broadcast chains. So from the camera in the studio all the way through to the antenna on the top of the riff in terms of sending it out. That's what I always think about Cloudsmith is this really interesting thing where there's so many analogies to other parts and other industries and other parts of business. Configuration management is a big thing in the aerospace industry, and I had spent a bit of time there as well. And there's a lot of parallels in terms of which part you can use on an aeroplane versus which package you can use in a software supply chain.
Alison (46:51):
Well, yeah, I would agree with that. You're taking components, you're putting them together and you're shipping something else, and in one case it's a physical object, and in our case it's software. So definitely see a lot of parallels there. And also you need to know the quality of the supplier of those parts as well,
Alan (47:09):
And those parts need to work with the other parts and
Alison (47:13):
Reuse what's on the shelf. What should I be using?
Alan (47:16):
Yeah, yeah, no, I mean there's a whole stream of technical directives that come out in the aerospace industry where you can only use certain parts with other certain certified parts, and we have essentially the same thing with both the vulnerabilities and obviously APIs being compatible and that type of thing. So yeah, no, it's kind of fascinating how there's all these different companies and different people solving the same problems, but the niches and nuance are so different that you need a different company to solve it.
Alison (48:03):
Yeah, and it's interesting too, I think in this analogy, the manufacturing space has understood oversight, governance and the need for control, and what happens if you don't have that, whereas software developers, the software development process is, it's really taken some attacks and the rise of the SolarWinds and the Log4Shells to be like, oh, we should have some governance and control over software development as well.
Alan (48:29):
Yeah. Well, yeah, I mean, maybe just stretch the analogy. I think that the thing is a software guy can do everything and build it all together, run it, whereas sort of a flight engineer is probably not going to build an entire aeroplane, get in it, pilot it and fly away. So yeah,
Alison (48:56):
That's right.
Alan (48:57):
The regulation side of it is interesting too. I mean, I think we're seeing more and more regulation kind of come out the White House commenting and initiatives there, so that'll be really interesting in terms of whether or not we see an inflexion point over the next couple of years of when that way in. And if that kicks in, I think it will
Alison (49:23):
Too.
Alan (49:24):
So Alison, thanks for spending time with me today. It's been a really interesting conversation. I think the product side of Cloudsmith is amazing and I've loved seeing spend time with the team and everything. Is there anybody else you think I should talk to?
Alison (49:47):
Well, there's tonnes of great folks at Cloudsmith you could talk to. Top of mind for me probably would be folks like Esteban and Jack who've been working on native signing and artefact integrity. I think that's a tough area for our customers to understand what they should be doing there and how the ecosystems work. So they would be good to chat with, especially as it's fresh in their minds. Patty, of course, he's the genius behind enterprise policy management, which we talked about here. Kira Carey, I think she would be a good
Alan (50:19):
Kira Carey is on the list. Yeah.
Alison (50:21):
Okay, good. Yeah, she is one of our solutions engineers, so she's working front lines with our customers, but I would really love to see you talk to some of our recent enterprise customers. So 2024 was sort of the year of the enterprise, and we were able to onboard some really great customers through that: American Airlines, CoreWeave, the Trade Desk, and just hearing how their rollout's going, the problems that they're looking at next that they can use Cloudsmith to solve. I think it would be really interesting to hear from those folks. We've been talking with CoreWeave about native signing, so how they're thinking about software supply chain security, and then Dave Brushy at PagerDuty. He's sort of a perennial favourite of Cloudsmith, but he led the charge on how they could work with us to prove out that FedRAMP compliance, Rev 5 FedRAMP compliance. It'd be good to hear from him.
Alan (51:13):
Yeah, all good suggestions. We'll try and get those scheduled in.
Alison (51:18):
Cool. Well, thanks for having me on.
Alan (51:20):
Yeah, no, thank you so much for joining us.