[04:37.300 --> 04:40.300]  So did you watch the video?
[04:40.300 --> 04:41.300]  Yeah.
[04:41.300 --> 04:44.300]  Do you have questions about it?
[04:44.300 --> 04:45.300]  No.
[04:45.300 --> 04:47.300]  Okay.
[04:47.300 --> 04:48.300]  Yeah.
[04:48.300 --> 04:49.300]  Okay.
[04:49.300 --> 04:52.300]  So now some demographic questions.
[04:52.300 --> 04:57.300]  So how can you describe your role in the company?
[04:58.300 --> 04:59.300]  Software development.
[04:59.300 --> 05:00.300]  Okay.
[05:00.300 --> 05:05.300]  And what kind of tasks do you do in your daily work?
[05:05.300 --> 05:07.300]  So mostly full stack, yeah.
[05:07.300 --> 05:12.300]  Back and front and a little bit of infrastructure.
[05:12.300 --> 05:15.300]  But not that much because [redacted] is doing all that.
[05:15.300 --> 05:16.300]  Yeah.
[05:16.300 --> 05:18.300]  But I am taking part.
[05:18.300 --> 05:19.300]  Yeah.
[05:19.300 --> 05:25.300]  So it's mostly backend development using Spring, and frontend development.
[05:25.300 --> 05:26.300]  Okay.
[05:26.300 --> 05:34.300]  So let's assume a scenario like you get an IaC script in some language that you're familiar with.
[05:34.300 --> 05:36.300]  And you have enough time.
[05:36.300 --> 05:43.300]  Can you understand the architecture that is described by this IaC script?
[05:43.300 --> 05:44.300]  Yeah.
[05:44.300 --> 05:50.300]  Do you mean if I get it?
[05:50.300 --> 05:52.300]  What do you mean exactly?
[05:52.300 --> 05:58.700]  So let's say you have a, let's imagine you know Terraform, you probably do.
[05:58.700 --> 06:08.660]  And you have a Terraform script that describes some infrastructure of some application system.
[06:08.660 --> 06:16.940]  By looking at the file and having enough time, can you create an understanding of the architecture
[06:16.940 --> 06:18.300]  of the system?
[06:18.300 --> 06:19.300]  Yeah.
[06:19.300 --> 06:21.300]  I think so.
[06:22.300 --> 06:23.300]  Okay.
[06:23.300 --> 06:29.300]  So for how many years have you worked on tasks related to IaC tools?
[06:29.300 --> 06:35.300]  Like not directly IaC necessarily, but yeah, somehow related to it.
[06:35.300 --> 06:36.300]  Yeah.
[06:36.300 --> 06:37.300]  And now I get it.
[06:37.300 --> 06:43.300]  I saw the IaC was the framework you created.
[06:43.300 --> 06:44.300]  Yes.
[06:44.300 --> 06:45.300]  Yeah.
[06:45.300 --> 06:47.300]  The framework is IACMF.
[06:47.300 --> 06:48.300]  Yeah.
[06:49.300 --> 06:50.300]  Yeah.
[06:50.300 --> 07:00.300]  So, yeah, I mean, the years is now, I mean, to be really honest, the last three years,
[07:00.300 --> 07:03.300]  we didn't work that much with infrastructure as code.
[07:03.300 --> 07:06.300]  So, and we didn't use Terraform or such things.
[07:06.300 --> 07:12.300]  The only thing we use is, yeah, Helm for all of the business stuff.
[07:12.300 --> 07:13.300]  Yeah.
[07:14.300 --> 07:16.300]  This also qualifies as IaC.
[07:16.300 --> 07:17.300]  Okay.
[07:17.300 --> 07:19.300]  So, I would say for four years.
[07:19.300 --> 07:20.300]  Yeah.
[07:20.300 --> 07:21.300]  Let's say four years.
[07:21.300 --> 07:22.300]  Okay.
[07:22.300 --> 07:24.300]  So, how large is the company?
[07:24.300 --> 07:26.300]  Probably A, right?
[07:26.300 --> 07:27.300]  A, yeah.
[07:27.300 --> 07:30.300]  Just let's do B.
[07:30.300 --> 07:31.300]  Yeah.
[07:31.300 --> 07:34.300]  I hope so.
[07:34.300 --> 07:35.300]  Okay.
[07:35.300 --> 07:40.300]  So, now the real stuff.
[07:41.300 --> 07:46.300]  So, in your company, how do you check compliance of software applications?
[07:46.300 --> 07:55.300]  So, but for any question, feel free to like deviate from the text of the question itself.
[07:55.300 --> 07:56.300]  Yeah.
[07:56.300 --> 08:02.300]  Even if the answer is yes or no, or a specific value, you can also add clarifications.
[08:02.300 --> 08:03.300]  Yeah.
[08:03.300 --> 08:05.300]  You can ask me as well.
[08:05.300 --> 08:06.300]  Yeah.
[08:06.300 --> 08:09.300]  So, I mean, yeah.
[08:09.300 --> 08:14.300]  So, I mean, there are different stages of compliance.
[08:14.300 --> 08:20.300]  So, maybe the most low level is just checking code.
[08:20.300 --> 08:29.300]  You can call this compliance, but we use ESLint or SonarLint and stuff like this for checking.
[08:29.300 --> 08:34.300]  And on the infrastructure levels of Kubernetes, we don't have automatic checkings.
[08:34.300 --> 08:45.300]  So, this is done by us, and we hope they are compliant, by manual checking and looking. So
[08:45.300 --> 08:50.300]  you had in the video this example that certain users only have access to the
[08:50.300 --> 08:51.300]  database.
[08:51.300 --> 08:52.300]  Yeah.
[08:52.300 --> 08:56.300]  This is checked manually, but we don't have automatic checks.
[08:56.300 --> 09:01.300]  And then it bothers us and our company is way too small to handle this.
[09:01.300 --> 09:04.300]  And I think, yeah.
[09:04.300 --> 09:10.300]  We can and I probably won't implement something like this in the near future.
[09:10.300 --> 09:11.300]  Mm-hmm.
[09:11.300 --> 09:18.300]  So, as far as we do it, SonarLint checks on the coding level and ESLint stuff, but this is more like
[09:19.300 --> 09:21.300]  coding styles, correct?
[09:21.300 --> 09:23.300]  SonarLint checks on there.
[09:23.300 --> 09:28.300]  So, no one issues in code if they are cool.
[09:28.300 --> 09:31.300]  So, the code checks on something like this.
[09:31.300 --> 09:34.300]  You can call this compliance, but I think so, yeah.
[09:34.300 --> 09:35.300]  Yeah.
[09:35.300 --> 09:40.300]  So, it's one type of compliance as we define it in our research.
[09:40.300 --> 09:46.300]  So, it's kind of internal policy within your company and the code should adhere to this
[09:46.300 --> 09:47.300]  policy.
[09:47.300 --> 09:50.300]  It's also compliance.
[09:50.300 --> 10:00.300]  So, you said for compliance related to the resources other than the application system,
[10:00.300 --> 10:03.300]  the application itself, not the system.
[10:03.300 --> 10:12.300]  So, the database or layers below the application itself, you said you check the compliance manually,
[10:12.300 --> 10:17.300]  but how do you, or what rules do you check?
[10:17.300 --> 10:20.300]  And this leads us to question seven.
[10:20.300 --> 10:27.300]  Do you use well-defined models for compliance rules?
[10:27.300 --> 10:34.300]  Or not models, but you text how, what kind of compliance rules do you have?
[10:34.300 --> 10:39.300]  At the moment, none, yeah.
[10:39.300 --> 10:43.300]  So, it's not written down or something.
[10:43.300 --> 10:44.300]  Yeah.
[10:44.300 --> 10:49.300]  It's probably just in our heads, the best practices.
[10:49.300 --> 10:56.300]  And you also have to say that mostly one person is doing this.
[10:56.300 --> 11:03.300]  So, for example, one or two, so me and [redacted] the most time.
[11:03.300 --> 11:11.300]  So, we talk about all the cloud infrastructure, or spinning up databases, or using the service,
[11:11.300 --> 11:13.300]  and managing the Kubernetes.
[11:13.300 --> 11:18.300]  I think this is more to our best knowledge, but we haven't written it down.
[11:18.300 --> 11:26.300]  So, you say that these compliance rules, or, I don't know,
[11:26.300 --> 11:30.300]  Only those services can be accessible to the internal level.
[11:30.300 --> 11:32.300]  It's not written down.
[11:32.300 --> 11:35.300]  It's just by our best.
[11:35.300 --> 11:37.300]  Your knowledge of best practices.
[11:37.300 --> 11:38.300]  Yeah.
[11:38.300 --> 11:39.300]  Okay.
[11:39.300 --> 11:45.300]  It's not really defined in a way that you have a manual or something.
[11:45.300 --> 11:55.300]  So, yeah, in the following, when I say complexity, this means not the,
[11:56.300 --> 12:03.300]  yeah, it means kind of what the degree of experience you need to have in order to perform something.
[12:03.300 --> 12:13.300]  So, do you think you have, or if you have well-defined and machine-readable format for compliance rules,
[12:13.300 --> 12:20.300]  this would reduce the complexity of checking them?
[12:20.300 --> 12:21.300]  Yeah.
[12:21.300 --> 12:28.300]  So, you have them like modeled somewhere instead of having them only in your mind.
[12:28.300 --> 12:31.300]  Would this make it easier to check them?
[12:31.300 --> 12:32.300]  Yeah.
[12:32.300 --> 12:33.300]  I think so, yeah.
[12:33.300 --> 12:34.300]  Mm-hmm.
[12:34.300 --> 12:35.300]  Okay.
[12:35.300 --> 12:42.300]  And uncertainty means like how you interpret the compliance rule.
[12:42.300 --> 12:49.300]  So, maybe you have an interpretation in your mind, but someone else in the company, maybe someone new,
[12:49.300 --> 12:51.300]  have a different interpretation.
[12:51.300 --> 12:58.300]  So, this is a situation of uncertainty of interpreting the compliance rules.
[12:58.300 --> 13:04.300]  So, do you think if you have a well-defined and machine-readable format for compliance rules,
[13:04.300 --> 13:09.300]  this would reduce the uncertainty of interpreting the compliance rules?
[13:09.300 --> 13:11.300]  Yeah, for sure.
[13:11.300 --> 13:12.300]  Yeah.
[13:12.300 --> 13:13.300]  Okay.
[13:13.300 --> 13:15.300]  Yeah.
[13:16.300 --> 13:23.300]  So, how often do you have to deal with new compliance rules?
[13:23.300 --> 13:25.300]  Zero times.
[13:25.300 --> 13:28.300]  Yeah, it's just the knowledge, right?
[13:28.300 --> 13:39.300]  But maybe you read some article, I don't know, that highlights a new security problem that you need to consider.
[13:39.300 --> 13:42.300]  Doesn't this happen sometimes?
[13:43.300 --> 13:47.300]  And so far, it didn't.
[13:47.300 --> 13:48.300]  Okay.
[13:48.300 --> 14:01.300]  So, I think one thing that pops up in my mind was this, wasn't there a bug in, in, what was it, in the Chava Loca or something?
[14:01.300 --> 14:02.300]  Yeah, yeah, true.
[14:02.300 --> 14:03.300]  Do you remember?
[14:03.300 --> 14:04.300]  Yes.
[14:04.300 --> 14:05.300]  This one bug?
[14:05.300 --> 14:11.300]  Yeah, one implementation of this locking library was, yeah, not good.
[14:11.300 --> 14:14.300]  Had some security problems.
[14:14.300 --> 14:15.300]  Yeah.
[14:15.300 --> 14:20.300]  So, and we use one third-party service from WSL2 for our document.
[14:20.300 --> 14:21.300]  Yeah.
[14:21.300 --> 14:30.300]  And I think it was a little bit of an issue, so, but again, we did it manually because we read it in the news,
[14:30.300 --> 14:37.300]  or like, one of us did, and then we checked if the third-party service we use uses this library.
[14:37.300 --> 14:42.300]  And then we had to, for sure, update this, this service.
[14:42.300 --> 14:43.300]  Yeah.
[14:43.300 --> 14:53.300]  So, this works fine because it's just one service update, but I can imagine, if this is on a larger scale, you have, like, thousands of services.
[14:53.300 --> 15:01.300]  And you, you don't know which services are affected, and you have to find this out, and somehow check some compliances.
[15:02.300 --> 15:06.300]  I mean, yeah, that just can easily get a little bit more complicated.
[15:06.300 --> 15:07.300]  Yeah.
[15:07.300 --> 15:13.300]  But, yeah, we are not at this scale, so I think, in my opinion, all this.
[15:13.300 --> 15:22.300]  Also, question eight and nine, I can totally imagine that this is, like, super useful, you know, especially on a large scale.
[15:23.300 --> 15:33.300]  If you're a large-scale company, and it's also a little bit, just some people define those rules, and then, yeah, they automatically check, for example,
[15:33.300 --> 15:43.300]  if other guys want to spin up something for them, and then they automatically check if the settings conform to the predefined rules.
[15:43.300 --> 15:45.300]  It's very useful, I can imagine.
[15:46.300 --> 15:48.300]  But, yeah, we're not at this stage.
[15:48.300 --> 15:54.300]  For us, it would be a waste of time, because we would put so much effort into that stuff
[15:54.300 --> 16:05.300]  that we would probably throw away in a few months, because we don't have an appropriate market fit for the solution, and then change, change, change.
[16:05.300 --> 16:09.300]  So, maybe, in another stage, it's more useful.
[16:09.300 --> 16:10.300]  Yeah.
[16:10.300 --> 16:12.300]  Yeah, exactly.
[16:13.300 --> 16:14.300]  Okay.
[16:14.300 --> 16:27.300]  So, now, yeah, these are, like, multi-choice on a scale, but also feel free to, like, add explanation, yeah?
[16:27.300 --> 16:31.300]  And they are kind of related to the previous questions.
[16:31.300 --> 16:34.300]  So, how much do you agree with the following statement?
[16:34.300 --> 16:41.300]  Using IACMF, which is the name of the framework, of course, based on the video that you watched.
[16:42.300 --> 16:47.300]  Using the framework reduces the effort associated with defining and checking compliance rules.
[16:47.300 --> 16:51.300]  So, here, like, there's defining and there's checking.
[16:51.300 --> 16:59.300]  Maybe I should have split this into two questions, but, yeah, keep this in mind, yeah?
[16:59.300 --> 17:04.300]  You can answer differently for defining and for checking, if you want.
[17:04.300 --> 17:05.300]  Yeah.
[17:05.300 --> 17:06.300]  Yeah.
[17:07.300 --> 17:12.300]  So, defining was a little bit of question for me.
[17:12.300 --> 17:17.300]  You also had to, always had to first define your rules in this job thing, right?
[17:17.300 --> 17:18.300]  Mm-hmm.
[17:18.300 --> 17:25.300]  And then, you can use some templates or plugins, but they seem a little bit,
[17:25.300 --> 17:28.300]  they are minimal, and you still have to define your own logic.
[17:28.300 --> 17:35.300]  So, the question, which came up to me was, I think this tool is powerful.
[17:35.300 --> 17:42.300]  Once you have a big, let's call it market place, not really market place, but, you know,
[17:42.300 --> 17:49.300]  where we can use the stuff you defined in the video, it's just shared, and you can already use it.
[17:49.300 --> 17:54.300]  So, you use this null checker, you don't have to write the Bash script yourself.
[17:54.300 --> 17:59.300]  It's just there, you can use it, like it, like, use different plugins, and then it's super powerful.
[17:59.300 --> 18:05.300]  I guess, once you overcome this first step of some guy needs to define it,
[18:05.300 --> 18:10.300]  I guess it's super powerful, the defining step, because, at least for me,
[18:10.300 --> 18:15.300]  the video seemed a little bit long to come to the stage where you finally can check something.
[18:15.300 --> 18:16.300]  Yes, true.
[18:16.300 --> 18:24.300]  I mean, the video, it takes between five and ten minutes for one compliance job to be configured.
[18:24.300 --> 18:25.300]  Yeah.
[18:25.300 --> 18:26.300]  That's true.
[18:26.300 --> 18:28.300]  I mean, it is easily solvable, right?
[18:28.300 --> 18:32.300]  You just have some sort of marketplace, so it's there.
[18:32.300 --> 18:36.300]  It's always a use case specific.
[18:36.300 --> 18:38.300]  Not always.
[18:38.300 --> 18:41.300]  Sometimes it is use case specific, and sometimes not.
[18:41.300 --> 18:44.300]  It depends on the nature of the plugins that you choose to use.
[18:44.300 --> 18:51.300]  So, some plugins are easy to implement, but use case specific.
[18:51.300 --> 19:02.300]  And some plugins are generic, but they have a lot of configuration to do, like this bash script execution plugin.
[19:02.300 --> 19:05.300]  Yeah, you need to configure many things to use it.
[19:05.300 --> 19:16.300]  So, you say if you have kind of a marketplace for that, yeah, already has pre-configured compliance jobs,
[19:17.300 --> 19:22.300]  this would make the definition part easier, right?
[19:22.300 --> 19:23.300]  Yeah.
[19:23.300 --> 19:26.300]  Maybe not jobs, but those plugins here.
[19:26.300 --> 19:28.300]  The plugins as well.
[19:28.300 --> 19:29.300]  Yeah, they are true.
[19:29.300 --> 19:33.300]  I mean, that's also a point raised by [redacted].
[19:33.300 --> 19:42.300]  I wouldn't call it marketplace, because you don't pay money for it, but it's just a library full of those useful things.
[19:43.300 --> 19:48.300]  As an example, I mean, if you take ESLint or something, some Linter, you can check which rules.
[19:48.300 --> 19:53.300]  They always have a set of rules, and you just say you want them or you don't want them.
[19:53.300 --> 19:55.300]  Something like this.
[19:55.300 --> 20:02.300]  Yeah, I know it would probably look a little bit different, because for the plugins, you need some sort of variable to be defined.
[20:02.300 --> 20:05.300]  Also, like you did in the video, but make it even easier.
[20:05.300 --> 20:08.300]  But yeah, I totally see that this is possible.
[20:09.300 --> 20:11.300]  That is, yeah, for sure.
[20:11.300 --> 20:14.300]  It's probably...
[20:14.300 --> 20:16.300]  So, let's imagine two scenarios.
[20:16.300 --> 20:24.300]  If you do have such a repository of plugins and pre-configured plugins, and if you don't.
[20:24.300 --> 20:29.300]  So, let's say if you do, what would you choose on the scale?
[20:29.300 --> 20:30.300]  Four.
[20:30.300 --> 20:31.300]  Yeah.
[20:31.300 --> 20:32.300]  Four.
[20:32.300 --> 20:33.300]  Okay.
[20:33.300 --> 20:35.300]  And if you don't...
[20:36.300 --> 20:37.300]  Two or three.
[20:37.300 --> 20:38.300]  Okay.
[20:38.300 --> 20:39.300]  Okay.
[20:39.300 --> 20:42.300]  Let's say three, let's in the middle.
[20:42.300 --> 20:46.300]  So, also, what I...
[20:46.300 --> 20:48.300]  This is...
[20:48.300 --> 20:50.300]  What I also didn't like is this...
[20:50.300 --> 20:52.300]  I don't like UI stuff.
[20:52.300 --> 20:55.300]  So, what I expect as a developer is as-code.
[20:55.300 --> 21:01.300]  You can define those compliance rules in YAML or something, or ... as-code.
[21:02.300 --> 21:04.300]  I think there are also existing tools.
[21:04.300 --> 21:07.300]  When I worked at a project, I found some tools...
[21:07.300 --> 21:10.300]  But I can't remember the name, so you can define it.
[21:10.300 --> 21:12.300]  It's also called, I think, compliance as code.
[21:12.300 --> 21:14.300]  You define your compliance rules.
[21:14.300 --> 21:19.300]  Just in code, like you would define the infrastructure.
[21:19.300 --> 21:27.300]  And this would feel a little bit faster for guys who are already aware of infrastructure.
[21:27.300 --> 21:29.300]  They don't have to click through the UI.
[21:29.300 --> 21:33.300]  I think this is also just implementation details.
[21:33.300 --> 21:34.300]  Yeah.
[21:34.300 --> 21:35.300]  Yeah.
[21:35.300 --> 21:38.300]  I mean, the framework itself has an API.
[21:38.300 --> 21:41.300]  So, what you put on top is, yeah, presentation.
[21:41.300 --> 21:46.300]  But I see the benefit of also defining compliance rules as code.
[21:46.300 --> 21:47.300]  Yeah.
[21:47.300 --> 21:50.300]  Because you can, of course, manage them as code.
[21:50.300 --> 21:51.300]  Yeah.
[21:51.300 --> 21:55.300]  I mean, imagine something like you have a Visual Studio Code plugin,
[21:55.300 --> 21:59.300]  and then you can nicely, like, sketch it into your code,
[21:59.300 --> 22:02.300]  and then you throw the file against your API,
[22:02.300 --> 22:05.300]  and then it just works.
[22:05.300 --> 22:06.300]  Yeah.
[22:06.300 --> 22:07.300]  Yeah.
[22:07.300 --> 22:08.300]  Yeah.
[22:08.300 --> 22:09.300]  Yeah.
[22:09.300 --> 22:10.300]  I see the benefits, of course.
[22:10.300 --> 22:11.300]  Yeah.
[22:11.300 --> 22:12.300]  Yeah.
[22:12.300 --> 22:14.300]  Such suggestions are useful.
[22:14.300 --> 22:17.300]  We can, of course, report them in the paper.
[22:17.300 --> 22:18.300]  Yeah.
[22:18.300 --> 22:19.300]  That's...
[22:19.300 --> 22:20.300]  Thanks.
[22:20.300 --> 22:22.300]  Yeah.
[22:22.300 --> 22:23.300]  Okay.
[22:24.300 --> 22:27.300]  So, now we were talking about the effort.
[22:27.300 --> 22:29.300]  So, yeah.
[22:29.300 --> 22:33.300]  How much time it takes, let's say, kind of...
[22:33.300 --> 22:36.300]  Now, 12 is about complexity.
[22:36.300 --> 22:42.300]  So, do you think that using the framework reduces the complexity of
[22:42.300 --> 22:45.300]  defining and checking compliance rules?
[22:45.300 --> 22:46.300]  Yeah.
[22:46.300 --> 22:47.300]  Yeah.
[22:47.300 --> 22:51.300]  And I also forgot the effort for checking.
[22:51.300 --> 22:52.300]  So, yeah.
[22:52.300 --> 22:53.300]  Yeah.
[22:53.300 --> 22:54.300]  I mean, I said it's...
[22:54.300 --> 22:57.300]  I said it's 4, and it's really depending on if you have this library.
[22:57.300 --> 22:58.300]  Yeah.
[22:58.300 --> 23:02.300]  And I think once you have your job ready for checking,
[23:02.300 --> 23:04.300]  it is no effort.
[23:04.300 --> 23:05.300]  This is really nice.
[23:05.300 --> 23:06.300]  So, you have it.
[23:06.300 --> 23:07.300]  I would say, totally agree.
[23:07.300 --> 23:08.300]  It reduces the effort.
[23:08.300 --> 23:09.300]  Okay.
[23:09.300 --> 23:10.300]  It changes the effort.
[23:10.300 --> 23:11.300]  Okay.
[23:11.300 --> 23:12.300]  And it fixes...
[23:12.300 --> 23:13.300]  I mean, this is great.
[23:13.300 --> 23:14.300]  Mm-hmm.
[23:14.300 --> 23:16.300]  So, to 12, how much should you...
[23:16.300 --> 23:20.300]  If you have the flexibility, you're going to reduce the complexity.
[23:20.300 --> 23:24.300]  Complexity in defining, I don't see that much,
[23:24.300 --> 23:25.300]  to be honest.
[23:25.300 --> 23:28.300]  It seems all still...
[23:28.300 --> 23:31.300]  I mean, at the end, it is the whole idea.
[23:31.300 --> 23:34.300]  You shift the complexity to defining your rules.
[23:34.300 --> 23:38.300]  But when you define it, because you already had it there,
[23:38.300 --> 23:42.300]  now it's no complexity during checking, because you have your
[23:42.300 --> 23:46.300]  rules defined as machine-readable instructions.
[23:46.300 --> 23:51.300]  So, defining, I would say, it's still complex, probably because, yeah,
[23:51.300 --> 23:53.300]  someone has to deal with it.
[23:53.300 --> 23:54.300]  But then you can reuse it.
[23:54.300 --> 23:58.300]  So, for the complexity of defining I would say two.
[23:58.300 --> 23:59.300]  It's still complex.
[23:59.300 --> 24:00.300]  Mm-hmm.
[24:00.300 --> 24:02.300]  Checking is, yeah, I agree.
[24:02.300 --> 24:03.300]  It reduces.
[24:03.300 --> 24:04.300]  So, five.
[24:04.300 --> 24:05.300]  Okay.
[24:05.300 --> 24:06.300]  Okay.
[24:06.300 --> 24:10.300]  Yeah, now the last question in this group.
[24:10.300 --> 24:14.300]  So, what do you think about the following statement?
[24:14.300 --> 24:18.300]  Using well-defined models for compliance rules,
[24:18.300 --> 24:21.300]  it reduces the uncertainty associated with interpreting them.
[24:21.300 --> 24:25.300]  So, yeah, you kind of answered a similar question in the previous slide,
[24:25.300 --> 24:29.300]  but there you... I mean, here we need, like, kind of a number.
[24:29.300 --> 24:30.300]  Yeah, okay.
[24:30.300 --> 24:32.300]  Yeah, five, I would say.
[24:32.300 --> 24:33.300]  Okay.
[24:33.300 --> 24:39.300]  Yeah, and now architectural reconstruction.
[24:40.300 --> 24:45.300]  So, I don't know if you managed to check the associated document as well,
[24:45.300 --> 24:47.300]  or you just watched the video.
[24:47.300 --> 24:51.300]  A little bit, but, yeah.
[24:51.300 --> 24:59.300]  So, I mean, the framework, in order to, like, be able to check the compliance rules,
[24:59.300 --> 25:02.300]  it reconstructs the architecture first.
[25:02.300 --> 25:08.300]  It first contacts the IaC tool, creates an initial instance model,
[25:08.300 --> 25:13.300]  and then, based on the information that is needed for the compliance checking,
[25:13.300 --> 25:19.300]  one or more refinement tools are used to, or refinement plugins, I'm sorry,
[25:19.300 --> 25:24.300]  are used to add additional information to the instance model
[25:24.300 --> 25:27.300]  that are necessary for the checking phase.
[25:27.300 --> 25:33.300]  So, we call this whole thing, so the creation and then the refinement steps,
[25:33.300 --> 25:36.300]  we call this architectural reconstruction.
[25:37.300 --> 25:42.300]  And, yeah, it's necessary for compliance checking,
[25:42.300 --> 25:48.300]  but you might also need it for other purposes.
[25:48.300 --> 25:53.300]  So, now let's imagine, now I'm referring to question 14,
[25:53.300 --> 26:00.300]  let's imagine that you have a running system,
[26:00.300 --> 26:05.300]  and you want to understand its architecture.
[26:05.300 --> 26:10.300]  Everyone tells you, I don't know, an application, let's say, in Kubernetes,
[26:10.300 --> 26:19.300]  in a cluster, but I don't know which resource elements are used,
[26:19.300 --> 26:23.300]  how many applications there are, and databases, and so on.
[26:23.300 --> 26:29.300]  So, it's a running application, and you want to get an understanding of its architecture.
[26:29.300 --> 26:32.300]  How do you do that?
[26:32.300 --> 26:43.300]  So, we use Argo CD, so this is one thing to visualize all our containers running
[26:43.300 --> 26:45.300]  in our Kubernetes cluster.
[26:45.300 --> 26:47.300]  How is the tool called?
[26:47.300 --> 26:48.300]  Argo CD.
[26:48.300 --> 26:49.300]  Argo CD.
[26:49.300 --> 26:50.300]  Argo CD.
[26:50.300 --> 27:00.300]  Send it a link, and yeah, this is always the first thing I do when something goes wrong
[27:00.300 --> 27:01.300]  with our cluster.
[27:01.300 --> 27:05.300]  So, you go there, you see all the information of all your containers,
[27:05.300 --> 27:08.300]  which ones are running, which version is deployed,
[27:08.300 --> 27:13.300]  so you can see the Helm chart which is deployed,
[27:13.300 --> 27:16.300]  which container image, or the resource annotations,
[27:16.300 --> 27:21.300]  so you get a pretty good overview of the current state of your services,
[27:21.300 --> 27:24.300]  and this is the way I can do it.
[27:24.300 --> 27:27.300]  So, this is only covering Kubernetes,
[27:27.300 --> 27:30.300]  so what is not covering is the whole view.
[27:30.300 --> 27:33.300]  I don't know, other databases in the cloud,
[27:33.300 --> 27:37.300]  or some queues, or whatever.
[27:37.300 --> 27:44.300]  So, for the whole view, I need to go into Google Cloud and check
[27:44.300 --> 27:49.300]  what is up and running, so we don't have an overall view of this.
[27:49.300 --> 27:50.300]  Okay, yeah.
[27:50.300 --> 27:55.300]  So, I would go there and check. This Argo CD is super nice
[27:56.300 --> 27:58.300]  for Kubernetes.
[27:58.300 --> 28:03.300]  So, this also maybe answers question 15,
[28:03.300 --> 28:08.300]  so you do use an automated tool, but partially, right?
[28:08.300 --> 28:11.300]  Because you have a tool that works for Kubernetes,
[28:11.300 --> 28:17.300]  but if you want to get an idea about external systems,
[28:17.300 --> 28:21.300]  let's call them, or cloud resources not part of Kubernetes,
[28:21.300 --> 28:24.300]  you need to do that manually, right?
[28:24.300 --> 28:26.300]  Exactly.
[28:26.300 --> 28:34.300]  So, now, again, you can assume you do have plugins,
[28:34.300 --> 28:39.300]  or you, and in other case, that you don't have plugins.
[28:39.300 --> 28:42.300]  How much do you agree with the following statements?
[28:42.300 --> 28:45.300]  Using the framework reduces the effort associated with
[28:45.300 --> 28:51.300]  reconstructing the architecture of running application instances.
[28:52.300 --> 28:55.300]  So, if it works like a charm, I would say five.
[28:55.300 --> 28:58.300]  I mean, the idea is nice.
[28:58.300 --> 29:08.300]  One central tool where you can visualize your whole landscape.
[29:08.300 --> 29:10.300]  I would say five.
[29:10.300 --> 29:18.300]  Yeah, and if you have to implement plugins for,
[29:18.300 --> 29:24.300]  yeah, so let's say you want to, you have some services in Google,
[29:24.300 --> 29:27.300]  Google Cloud, and you have Kubernetes.
[29:27.300 --> 29:33.300]  So, for Kubernetes, we do have a plugin already for an initial
[29:33.300 --> 29:34.300]  instance model creation.
[29:34.300 --> 29:41.300]  There is a plugin, but again, it only shows you what's in the cluster,
[29:41.300 --> 29:44.300]  and maybe it's not configurable enough,
[29:44.300 --> 29:48.300]  meaning it has some assumptions regarding how to interpret environment
[29:48.300 --> 29:54.300]  variables and transform them into arrows, into relationships within the instance model.
[29:54.300 --> 29:59.300]  So, it might benefit from some customization.
[29:59.300 --> 30:06.300]  But, I mean, we do have some plugin, but we don't have a plugin that talks to the Google
[30:06.300 --> 30:09.300]  Cloud API and knows about the resources there.
[30:09.300 --> 30:12.300]  So, if you want to implement this in the framework,
[30:12.300 --> 30:17.300]  you will have to implement the plugin.
[30:17.300 --> 30:20.300]  In this case, what do you think?
[30:20.300 --> 30:27.300]  How do you evaluate the effort needed for architectural reconstruction?
[30:27.300 --> 30:32.300]  If you have to implement it yourself,
[30:32.300 --> 30:45.300]  it depends on how easy and how well documented the API for Google is,
[30:45.300 --> 30:50.300]  and what credentials you need and (s-word).
[30:50.300 --> 30:56.300]  Again, if you have to implement it yourself, it depends.
[30:56.300 --> 31:00.300]  I would say three or two.
[31:00.300 --> 31:03.300]  This can be really, yeah.
[31:03.300 --> 31:07.300]  Yeah, it's hard to estimate, right?
[31:07.300 --> 31:09.300]  Yeah, that's true.
[31:09.300 --> 31:10.300]  I agree with you.
[31:10.300 --> 31:16.300]  But the good thing, I think, is when you do implement it, it becomes very efficient, right?
[31:16.300 --> 31:21.300]  Then it's super efficient, and then again, hopefully you can share it with other people
[31:21.300 --> 31:26.300]  in the best case, some other poor guy has already implemented it.
[31:26.300 --> 31:33.300]  I mean, this is the most important part for frameworks like this.
[31:33.300 --> 31:40.300]  You need a community who creates those plugins, and then it's super nice.
[31:40.300 --> 31:45.300]  Yeah, sounds very reasonable.
[31:45.300 --> 31:46.300]  Okay.
[31:46.300 --> 31:51.300]  And now about fixing violations if you do find them.
[31:51.300 --> 31:55.300]  So what do you do if you find out that running application instance
[31:55.300 --> 31:58.300]  violates a compliance rule?
[31:58.300 --> 32:00.300]  Probably I would fix it.
[32:00.300 --> 32:04.300]  Yeah, but how?
[32:04.300 --> 32:09.300]  Manually, let's say, let's construct an example.
[32:09.300 --> 32:12.300]  Let's stay in this Kubernetes space.
[32:12.300 --> 32:23.300]  So I find out that one container exceeds the maximum amount of CPU.
[32:23.300 --> 32:25.300]  This could be a case.
[32:25.300 --> 32:32.300]  So I would go in our helm chart and fix the code.
[32:32.300 --> 32:34.300]  Yeah, okay. Eight CPUs are not allowed, but you now use four, and I deploy it again and check in Argo CD if everything worked.
[32:34.300 --> 32:44.300]  So you basically use this immutable architecture style, right?
[32:44.300 --> 32:57.300]  You don't change running resources, you change the code and deploy again.
[32:57.300 --> 32:59.300]  That's the way to fix things, right?
[32:59.300 --> 33:01.300]  Yes, we don't.
[33:01.300 --> 33:02.300]  Exactly.
[33:02.300 --> 33:05.300]  So there's nothing done on this.
[33:05.300 --> 33:09.300]  Yeah, we do the code.
[33:09.300 --> 33:11.300]  Okay.
[33:11.300 --> 33:18.300]  And if so, does your code manage all the resources you need?
[33:18.300 --> 33:26.300]  So even outside of Kubernetes, meaning if you find some managed service, let's say,
[33:26.300 --> 33:31.300]  again, from Google Cloud, that has a violation.
[33:31.300 --> 33:37.300]  How do you fix that thing also in the same way or do you do it some way else?
[33:37.300 --> 33:38.300]  No.
[33:38.300 --> 33:39.300]  Yeah.
[33:39.300 --> 33:42.300]  There we really, everything is manual.
[33:42.300 --> 33:46.300]  So this is a big thing to improve.
[33:46.300 --> 33:51.300]  So I guess there would be something like Terraform would be handy.
[33:51.300 --> 33:53.300]  Let's give you an example.
[33:53.300 --> 33:59.300]  We use BigQuery and this is like a data warehouse from Google Cloud where we will put all our
[33:59.300 --> 34:04.300]  metering data from our usage-based metering.
[34:04.300 --> 34:06.300]  But this is all configured by hand.
[34:06.300 --> 34:10.300]  So if they are, for example, something goes wrong, we don't have it configured in code.
[34:10.300 --> 34:12.300]  We need to configure it again.
[34:12.300 --> 34:14.300]  Everything manually created.
[34:14.300 --> 34:22.300]  Create a new database, create the queues to put the data in there.
[34:22.300 --> 34:27.300]  So this is not written down in code.
[34:27.300 --> 34:30.300]  But we also don't have any compliance checks.
[34:30.300 --> 34:37.300]  And if there would be some compliance issues, let's say, for example, the queues are wrongly
[34:37.300 --> 34:38.300]  configured.
[34:38.300 --> 34:42.300]  We would look at it in the Google Cloud and configure it with a UI.
[34:42.300 --> 34:47.300]  So there's nearly no process at all.
[34:47.300 --> 34:51.300]  So this also answers question 18.
[34:51.300 --> 34:59.300]  So you do have automated tools, which is only applicable for Kubernetes cluster.
[34:59.300 --> 35:02.300]  But sometimes you have to do things manually, right?
[35:02.300 --> 35:05.300]  For fixing violations, if you do have violations.
[35:05.300 --> 35:06.300]  Yeah.
[35:06.300 --> 35:07.300]  Okay.
[35:07.300 --> 35:16.300]  And now, again, assume there are plugins or not.
[35:16.300 --> 35:19.300]  How much do you agree with the following statement?
[35:19.300 --> 35:24.300]  Using the framework reduces the effort associated with fixing compliance violations.
[35:24.300 --> 35:25.300]  Yeah.
[35:25.300 --> 35:29.300]  I would say on a large scale, yes, on a small scale, no.
[35:29.300 --> 35:35.300]  So if I only have three services, I think it just introduces more complexity.
[35:35.300 --> 35:41.300]  One thousand services, probably it can reduce the complexity.
[35:41.300 --> 35:44.300]  So complexity in which sense?
[35:44.300 --> 35:46.300]  I'm sorry, effort, effort, yeah.
[35:46.300 --> 35:47.300]  Yeah.
[35:47.300 --> 35:49.300]  I mean, you can answer for complexity if you want.
[35:49.300 --> 35:50.300]  That's also interesting.
[35:50.300 --> 35:55.300]  So what do you mean?
[35:55.300 --> 36:05.300]  Like effort for configuring the job that would be more difficult or for creating suitable plugins
[36:05.300 --> 36:07.300]  or what do you think?
[36:07.300 --> 36:08.300]  Exactly.
[36:08.300 --> 36:15.300]  So let's imagine I'm so like we are a small startup and we have only five cloud services.
[36:15.300 --> 36:20.300]  So five cloud services is super easy to handle manually.
[36:20.300 --> 36:31.300]  And I think the complexity to introduce a framework like yours to just fix potential compliance
[36:31.300 --> 36:36.300]  violations would be more complex than just do it manually.
[36:36.300 --> 36:42.300]  So if you have a small scale, I think there's not much benefit.
[36:42.300 --> 36:47.300]  So the effort is bigger to introduce, you know, your compliance checking framework.
[36:47.300 --> 36:54.300]  But if you are a big company, a lot of guys, a lot of services, I think it's...
[36:54.300 --> 36:59.300]  I can see that it reduces the effort.
[36:59.300 --> 37:05.300]  But I guess here again, it depends on the size of the company.
[37:05.300 --> 37:11.300]  And also on this amount of services used, I think this is...
[37:11.300 --> 37:12.300]  Yeah.
[37:12.300 --> 37:18.300]  Assuming that the size correlates with the number of services, this also...
[37:18.300 --> 37:19.300]  I mean, true.
[37:19.300 --> 37:23.300]  I mean, you could have many services while being small, of course, small company.
[37:23.300 --> 37:31.300]  But the size also means like many, many people that needs to do the stuff, right?
[37:31.300 --> 37:38.300]  So you need many people's experience, if you have many services.
[37:38.300 --> 37:39.300]  Exactly.
[37:39.300 --> 37:41.300]  I think this is an important point.
[37:41.300 --> 37:49.300]  So in our company, we have two guys, and it's super limited to the amount of people who can do shit.
[37:49.300 --> 37:51.300]  Something stupid.
[37:51.300 --> 37:59.300]  But if we onboard every week, new people, and I guess it's hard to handle to educate them on the same level
[37:59.300 --> 38:03.300]  and to ensure that they all act in a similar way.
[38:03.300 --> 38:07.300]  I think that it's super useful to have something like this.
[38:07.300 --> 38:17.300]  But if you're only two guys, and the same example is, let's say you build an app with only 100 lines of code
[38:17.300 --> 38:21.300]  and you do it together, just two guys.
[38:21.300 --> 38:24.300]  I'm not sure if you really need something like SonarLint.
[38:24.300 --> 38:25.300]  Maybe not.
[38:25.300 --> 38:28.300]  Because you only have one file, a little code.
[38:28.300 --> 38:31.300]  You can just look at it every day and check if it's compliant or not.
[38:31.300 --> 38:33.300]  But I don't really check it all.
[38:33.300 --> 38:37.300]  So I think you have like 10,000 lines of code and 100 people.
[38:37.300 --> 38:40.300]  Maybe it's better to use something like this.
[38:40.300 --> 38:41.300]  Yeah.
[38:41.300 --> 38:43.300]  I agree.
[38:43.300 --> 38:44.300]  Okay.
[38:44.300 --> 38:53.300]  So now it's about the interpretation of what to do when you find violations.
[38:53.300 --> 38:59.300]  So do you think having well-defined models for compliance jobs?
[38:59.300 --> 39:00.300]  Not rules now.
[39:00.300 --> 39:06.300]  So a job is not only like which rules, but also what to do when you find violations.
[39:06.300 --> 39:16.300]  So if you have well-defined models for compliance jobs, does this reduce the uncertainty associated with how to handle violations?
[39:16.300 --> 39:17.300]  Yeah.
[39:18.300 --> 39:19.300]  Yeah.
[39:19.300 --> 39:23.300]  Yeah, I would say five.
[39:23.300 --> 39:25.300]  Okay.
[39:25.300 --> 39:26.300]  Yeah.
[39:26.300 --> 39:31.300]  Now the last set of questions, there are some general questions.
[39:31.300 --> 39:36.300]  So how do you evaluate the novelty of the framework?
[39:36.300 --> 39:39.300]  According to your knowledge, of course.
[39:39.300 --> 39:40.300]  Yeah.
[39:41.300 --> 39:44.300]  And it's hard for me to say because I don't have that much knowledge.
[39:44.300 --> 40:00.300]  So what I know is from the research I did is that there at least some sort of, like I said, this compliance as code where you can define something like this.
[40:00.300 --> 40:03.300]  You can define rules in code for your infrastructure.
[40:03.300 --> 40:10.300]  Maybe you can really define something like only those users for the database or the location.
[40:10.300 --> 40:13.300]  So I think this already exists.
[40:13.300 --> 40:18.300]  What I haven't heard of so far is this automatic repairing.
[40:18.300 --> 40:20.300]  So your whole process.
[40:20.300 --> 40:24.300]  At least for me it was something new.
[40:24.300 --> 40:27.300]  So you detect it and you fix it all at once.
[40:27.300 --> 40:30.300]  And in a perfect world, this works perfectly.
[40:30.300 --> 40:32.300]  It fixes everything.
[40:32.300 --> 40:36.300]  I mean, the ideas, it's super cool probably.
[40:36.300 --> 40:37.300]  Yeah.
[40:37.300 --> 40:38.300]  Yeah.
[40:38.300 --> 40:46.300]  I mean, individual steps of the process that we're proposing, they are there.
[40:46.300 --> 40:52.300]  But the process itself is probably new.
[40:52.300 --> 41:05.300]  Like model automatically check and then automatically fix and then validate the system after fixing and then report the execution.
[41:05.300 --> 41:10.300]  So this is the process we are kind of introducing or proposing.
[41:10.300 --> 41:15.300]  And maybe this, we hope this is novel.
[41:15.300 --> 41:20.300]  But separate steps are already there.
[41:20.300 --> 41:21.300]  Yeah.
[41:21.300 --> 41:24.300]  We're kind of building a puzzle.
[41:24.300 --> 41:25.300]  Yeah.
[41:25.300 --> 41:26.300]  Yeah.
[41:26.300 --> 41:35.300]  I mean, what would be super interesting for me is, I mean, if she was, for example, did you already talk to people in larger companies?
[41:35.300 --> 41:39.300]  And did they tell you a little bit how they?
[41:39.300 --> 41:40.300]  Yes, we did.
[41:40.300 --> 41:43.300]  So we kind of did this in two rounds.
[41:43.300 --> 41:51.300]  We made some, made up some ideas and then discussed them with a large enterprise.
[41:51.300 --> 41:57.300]  And they, and we discussed it with system admins there.
[41:57.300 --> 42:08.300]  So they deal with compliance rules and they, they are, each one of them is responsible for tens of running systems within the company.
[42:09.300 --> 42:16.300]  And they have to, they have a list of compliance rules internal within the enterprise.
[42:16.300 --> 42:22.300]  And they have to, yeah, maintain compliance.
[42:22.300 --> 42:25.300]  That's their job and main job.
[42:25.300 --> 42:30.300]  And they don't have like a predefined tool for that.
[42:30.300 --> 42:37.300]  Each, each one of these admins, they implement a tool, an automated tool for checking.
[42:37.300 --> 42:46.300]  And they, they check only one type of compliance rules, basically compliance rules that are related to operating systems.
[42:46.300 --> 42:48.300]  So to Linux.
[42:48.300 --> 42:49.300]  Yeah.
[42:49.300 --> 43:02.300]  So there are a bunch of security related compliance rules that, yeah, address problems with Linux configuration or potential threats in Linux configuration.
[43:03.300 --> 43:10.300]  And they, they have like bash scripts that, that do these checks.
[43:10.300 --> 43:12.300]  Yeah, that's how they do it.
[43:12.300 --> 43:14.300]  They don't use a framework.
[43:14.300 --> 43:17.300]  They implement tools there on their own.
[43:17.300 --> 43:20.300]  Yeah, on their own.
[43:20.300 --> 43:22.300]  That's, that's one example.
[43:22.300 --> 43:25.300]  We didn't talk to other enterprises.
[43:25.300 --> 43:26.300]  Yeah.
[43:26.300 --> 43:32.300]  But I totally can see that it's, I can see a business case.
[43:32.300 --> 43:37.300]  If you scrap away TOSCA, and do it in a nice way.
[43:37.300 --> 43:42.300]  I totally see that companies would use it and pay money for it.
[43:42.300 --> 43:47.300]  I think what needs to be solved is easy plugins that are just there.
[43:47.300 --> 43:52.300]  You can use it because you provide them and then it must.
[43:52.300 --> 43:57.300]  So that you come away from this self-developed solution.
[43:57.300 --> 44:01.300]  So every guy is doing his own (s-word) to solve the same problem.
[44:01.300 --> 44:04.300]  Because at the end, it's always the same problem, right?
[44:04.300 --> 44:09.300]  And the rules are probably always quite similar in any company.
[44:09.300 --> 44:10.300]  Yeah.
[44:10.300 --> 44:19.300]  I mean, there are even catalogs like guidelines published by, I don't know, the Department of Defense in the US.
[44:19.300 --> 44:24.300]  They have a publicly listed guide, set of guidelines, security guidelines.
[44:24.300 --> 44:27.300]  And many companies choose to follow them.
[44:27.300 --> 44:34.300]  And there are also some certification processes like some ISO for, for compliance, security compliance.
[44:34.300 --> 44:45.300]  And if you want to obtain this ISO certification, you need to go through certain auditing process that checks certain things, certain compliance issues.
[44:45.300 --> 44:52.300]  And then you need to follow also a set of rules, ensure that there exists before the audit comes.
[44:52.300 --> 44:58.300]  So then you obtain this certification, compliance certification.
[44:58.300 --> 45:02.300]  So there are kind of catalogs for compliance rules.
[45:02.300 --> 45:13.300]  And maybe if we have kind of plugins that go, or they can check and probably fix these predefined compliance rules,
[45:13.300 --> 45:18.300]  maybe this enhances the usability of the framework, right?
[45:18.300 --> 45:20.300]  This would be great, perfect.
[45:20.300 --> 45:21.300]  Yeah.
[45:21.300 --> 45:32.300]  Imagine you just select, you want all this as you start a template and automatically, all the checks are in your job as well.
[45:32.300 --> 45:35.300]  And it stands for something.
[45:35.300 --> 45:40.300]  I mean, this would, you know, something like this would be perfect.
[45:40.300 --> 45:41.300]  Yeah.
[45:41.300 --> 45:56.300]  Yeah, of course it's a bit difficult to do this in research, but yeah, we need to, at the end, we're not selling a production ready system, right?
[45:56.300 --> 46:01.300]  We are, for academia, we're selling the idea.
[46:01.300 --> 46:08.300]  So that's good to hear that you think there is a good potential if we have enough plugins.
[46:08.300 --> 46:15.300]  Okay. So how do you evaluate the extensibility of the framework?
[46:15.300 --> 46:18.300]  Good.
[46:18.300 --> 46:24.300]  Okay. Is it useful?
[46:24.300 --> 46:33.300]  So extensibility means being able to add new plugins plus being able to configure things.
[46:33.300 --> 46:39.300]  So things means configure compliance rules or configure plugins and so on.
[46:39.300 --> 46:41.300]  This is kind of extensibility.
[46:41.300 --> 46:42.300]  Yeah.
[46:42.300 --> 46:50.300]  Things you can do this there, but again, here, again, I see this trade-off because between academia, you always want things.
[46:50.300 --> 46:54.300]  Like it's super extensible. It's on this hoskoshtana blah, blah, blah.
[46:54.300 --> 46:57.300]  In business, I don't want this.
[46:57.300 --> 47:01.300]  I want to use something that already exists.
[47:01.300 --> 47:04.300]  Yeah. And everything should work out of the box.
[47:04.300 --> 47:07.300]  I don't want to care that much about extensibility.
[47:07.300 --> 47:15.300]  Extensibility is for edge cases, but I hope that I don't reach those edge cases because when I buy stuff, I expect that it just works.
[47:15.300 --> 47:28.300]  So this whole extensibility, in my opinion, is not that important for stuff like this because you choose such solutions because you don't want to care about it.
[47:29.300 --> 47:31.300]  Yeah, it's nice to have it.
[47:31.300 --> 47:36.300]  I think you can extend it, but this is the stuff which makes it again complex.
[47:36.300 --> 47:37.300]  Yeah.
[47:37.300 --> 47:39.300]  I don't know.
[47:39.300 --> 47:43.300]  But this is always this academia thing.
[47:43.300 --> 47:48.300]  Yeah, that's a fair answer.
[47:48.300 --> 47:55.300]  I totally understand that when you need to extend something, this might introduce new bugs, right?
[47:55.300 --> 47:59.300]  Maybe even new threats.
[47:59.300 --> 48:00.300]  Yeah.
[48:00.300 --> 48:05.300]  So the last three years, I never thought about extensibility.
[48:05.300 --> 48:07.300]  So this was never a problem for me.
[48:07.300 --> 48:10.300]  Google, I take the services.
[48:10.300 --> 48:12.300]  I use Argo CD.
[48:12.300 --> 48:13.300]  Helm, I don't want to extend it.
[48:13.300 --> 48:15.300]  I want to use helm.
[48:15.300 --> 48:17.300]  UJS, I want to use Fujianics.
[48:17.300 --> 48:20.300]  I don't think about extensibility.
[48:20.300 --> 48:21.300]  Yeah.
[48:21.300 --> 48:22.300]  I see.
[48:22.300 --> 48:23.300]  Yeah.
[48:23.300 --> 48:26.300]  You can extend it with the plugin system.
[48:26.300 --> 48:29.300]  The idea is nice.
[48:29.300 --> 48:31.300]  Okay.
[48:31.300 --> 48:37.300]  So hypothetically, would you use the framework in your work?
[48:37.300 --> 48:38.300]  Yeah.
[48:38.300 --> 48:42.300]  So in our stage, no.
[48:42.300 --> 48:49.300]  In the later stage, if it's more self-contained and I don't have to do much, I just take it
[48:49.300 --> 49:00.300]  and say, give me those predefined security checks and then just go, I can, I don't know,
[49:00.300 --> 49:06.300]  put it in my CI/CD and it runs every time you push and fix automatically all the issues,
[49:06.300 --> 49:07.300]  then yeah.
[49:07.300 --> 49:15.300]  If people have to work on it like a month to get it working, probably not.
[49:15.300 --> 49:18.300]  I think it's a barrier and you need to overcome.
[49:18.300 --> 49:19.300]  Okay.
[49:19.300 --> 49:20.300]  Yeah.
[49:20.300 --> 49:23.300]  It's self-contained and easy to use totally.
[49:23.300 --> 49:24.300]  Okay.
[49:24.300 --> 49:28.300]  And yeah, finally, what's your general impression?
[49:28.300 --> 49:29.300]  Yeah.
[49:29.300 --> 49:31.300]  Yeah, exactly.
[49:31.300 --> 49:39.300]  So the idea is nice there and it depends on how easily and this is, I think, is always a problem.
[49:39.300 --> 49:43.300]  How easily can you integrate it in existing solutions?
[49:43.300 --> 49:44.300]  Yeah.
[49:44.300 --> 49:48.300]  So, for example, for our case, it would be a deal breaker for this task cutter because
[49:48.300 --> 49:50.300]  we don't use it.
[49:50.300 --> 49:53.300]  It must be, yeah, it's the tooling question.
[49:53.300 --> 49:59.300]  If there's nice tooling around it, it's great here.
[49:59.300 --> 50:02.300]  The overall idea is nice.
[50:02.300 --> 50:10.300]  If this plugins, you define your rules, they are automatically checked and it's, yeah, it's well understandable,
[50:10.300 --> 50:15.300]  it has the machine-readable code. Yeah, it's nice.
[50:15.300 --> 50:16.300]  Yeah.
[50:16.300 --> 50:17.300]  Yeah.
[50:17.300 --> 50:21.300]  Sounds reasonable again.
[50:21.300 --> 50:22.300]  Okay.
[50:22.300 --> 50:23.300]  Yeah.
[50:23.300 --> 50:24.300]  That's it.
[50:24.300 --> 50:25.300]  Yeah.
[50:25.300 --> 50:27.300]  Thank you very much.
[50:27.300 --> 50:31.300]  I'll stop sharing and recording.