[04:11.920 --> 04:13.920]  So as I
[04:14.520 --> 04:20.920]  Told you before in the email. We will like record the audio now will transcribe it and anonymize it
[04:20.920 --> 04:24.200]  so your name and the company name will not be there and
[04:24.800 --> 04:28.560]  Then yeah, we will analyze it and report it in a research paper
[04:28.960 --> 04:33.040]  Yeah, so so if you decide like to
[04:33.720 --> 04:37.920]  Revoke your interview. That's that's fine until the end of this month
[04:37.920 --> 04:44.000]  But then afterwards we will be like already submitting the paper. So that would be difficult after that
[04:45.520 --> 04:53.720]  My answer will be the most answers I can answer. I will answer and those I can't I will say that I can't so
[04:53.920 --> 04:56.400]  Yeah, that's fair. That's perfect
[04:57.400 --> 04:58.920]  Yeah
[04:58.920 --> 05:06.400]  Okay, so did you manage to watch the video? Yeah, do you have questions about it that you want to ask now?
[05:06.400 --> 05:09.800]  Or do you think we they will be answered during the interview?
[05:12.440 --> 05:14.440]  I think there was just one
[05:15.080 --> 05:18.600]  Statement to do in terms of you left out one of these
[05:21.080 --> 05:25.120]  Columns I would say I think it was the column six
[05:26.400 --> 05:29.000]  As far as I remember because there was nothing to do there
[05:29.640 --> 05:31.640]  but basically
[05:31.640 --> 05:33.960]  What I noticed on on this GUI was
[05:35.000 --> 05:39.840]  The real information was a little bit lacking in in the text fields
[05:39.840 --> 05:40.720]  so
[05:40.720 --> 05:47.240]  You go to through columns and you don't see the really interesting information. You see some kind of verbs
[05:48.280 --> 05:53.440]  Starting with a sentence and then the real information was behind three dots. So
[05:53.440 --> 05:56.800]  That's how I noticed that in the video. So
[05:58.240 --> 06:05.400]  The UI needs and it's some improvement to show the important things. Yeah, yeah, I agree
[06:05.400 --> 06:07.400]  Yes, the thing is I
[06:08.360 --> 06:15.680]  For technical reasons I had to use some low resolution in the for the
[06:16.400 --> 06:18.160]  for the desktop
[06:18.160 --> 06:23.760]  Because the my machine is not that powerful. I couldn't record like high resolution
[06:24.440 --> 06:31.560]  Desktop. So that's why things were a bit too large. So yeah, there was these dots instead of the actual text
[06:32.200 --> 06:34.920]  Yeah, I'm sorry for that. No, no problem
[06:36.320 --> 06:38.880]  Basically, I'm not a man who's working with GUIs
[06:38.880 --> 06:41.520]  So I'm typically asking for APIs and
[06:42.080 --> 06:47.520]  Command-line interfaces because if you want to program some things you don't want to interact with mouse
[06:48.160 --> 06:51.160]  Yes, so so the framework exposes a REST
[06:51.880 --> 06:53.080]  API
[06:53.080 --> 06:59.600]  We still don't have a CLI tool, but yeah, with the REST API if you have you
[06:59.600 --> 07:03.400]  I mean it allows other tools to integrate with it with the framework
[07:04.480 --> 07:06.880]  But I agree we got feedback from other
[07:07.520 --> 07:11.800]  Participants in the interviews that they also prefer CLI
[07:12.240 --> 07:14.240]  they prefer
[07:14.240 --> 07:22.360]  Files that model the compliance rule instead of doing that in the UI and then yeah, you can also then manage this file as code
[07:23.640 --> 07:25.400]  Which is
[07:25.400 --> 07:29.080]  beneficial, so this this is part of our future work
[07:30.120 --> 07:31.560]  Okay
[07:31.560 --> 07:33.400]  Thanks for the feedback
[07:33.400 --> 07:36.320]  Okay, so I guess we can start with the questions
[07:37.080 --> 07:39.440]  So what's your current role in the company?
[07:40.160 --> 07:42.160]  I
[07:42.160 --> 07:44.160]  Can do everything
[07:47.120 --> 07:52.440]  Right now I'm doing automation for our service elements, so I'll try to get
[07:52.880 --> 07:56.120]  from our pools of host management controllers
[07:56.520 --> 07:59.520]  information out of them to do some kind of a
[08:00.280 --> 08:04.600]  state analysis where we are with driver versions and stuff like that
[08:05.600 --> 08:09.880]  Basically, I'm working with Ansible as the automation language
[08:11.080 --> 08:13.080]  and I have had
[08:14.160 --> 08:16.160]  nice journey
[08:16.160 --> 08:21.400]  automating provisioning from build workers and different flavors for C systems for
[08:22.200 --> 08:24.040]  x86
[08:24.040 --> 08:28.840]  systems with Ubuntu with Red Hat with
[08:31.200 --> 08:33.200]  What else
[08:35.600 --> 08:40.840]  CentOS, well, basically Red Hat, but the low-cost version of it
[08:42.160 --> 08:47.840]  Yeah, and then we made up a quite nice role-based
[08:49.960 --> 08:55.080]  Suite of things which are bringing up a machine
[08:55.840 --> 09:00.000]  Installing everything on to the machine make it secure
[09:00.760 --> 09:06.760]  provision user management as well with some of our homegrown tools and
[09:08.280 --> 09:15.200]  Well doing as well some kind of analysis of states of the build workers by seppics
[09:16.760 --> 09:21.840]  That's not my main area. We have a specialist for it and
[09:23.760 --> 09:29.040]  But you need to take care of your environment if it's still
[09:29.640 --> 09:31.640]  sane and
[09:32.040 --> 09:34.040]  Responsive all the machines. So
[09:35.040 --> 09:41.880]  Basically what I left behind now to get our pool of service elements being automated
[09:43.160 --> 09:47.720]  Okay, so I guess we can skip questions two and three then
[09:48.400 --> 09:49.600]  so
[09:49.600 --> 09:51.600]  Yeah, they are meant to
[09:52.000 --> 09:53.280]  like
[09:53.280 --> 09:58.560]  Assess with your experience with the IAC in general. So yeah, it's it's obvious
[09:59.400 --> 10:04.080]  Well, I came from a completely different area
[10:04.080 --> 10:10.080]  so I was working with hardware and developing test systems and test patterns and
[10:10.480 --> 10:14.640]  Therefore, I'm doing this now aside about since about six years
[10:15.360 --> 10:17.840]  Or to answer your fourth question
[10:19.160 --> 10:23.160]  Yeah, you're answering the questions before I ask that's nice
[10:23.920 --> 10:28.480]  Okay, so for five how large is the company? I think it's
[10:29.600 --> 10:31.800]  Right, I have no clue
[10:41.440 --> 10:43.440]  That might be the
[10:43.840 --> 10:45.840]  Huge company and
[10:45.920 --> 10:47.920]  What you should also mention
[10:48.720 --> 10:56.240]  [redacted] that you were as responsible in the infrastructure team for the security of the sea zone servers, right?
[10:56.320 --> 11:01.080]  Yeah, well, we have some demilitarized zones. So
[11:02.200 --> 11:03.560]  build up
[11:03.560 --> 11:06.080]  the area for our build workers which are
[11:06.800 --> 11:12.560]  Have to be kept to an older version of the operating system because we have legacy out in the field for
[11:13.000 --> 11:16.720]  customers which we need to keep the same as they have and
[11:17.200 --> 11:23.400]  They had to move into a secure zone. Okay, that's interesting
[11:24.240 --> 11:29.080]  Yeah, yeah, yeah, I don't often hear this
[11:30.400 --> 11:36.680]  These requirements in in startup companies because I had some interviews with them and they have totally different
[11:37.520 --> 11:42.880]  Requirements for for their infrastructure and their applications. It's really different for enterprises
[11:44.080 --> 11:46.080]  Yeah, okay
[11:46.560 --> 11:50.040]  So for for for any of these questions
[11:50.040 --> 11:57.320]  Just feel free to ask me if something's unclear and feel free to answer beyond the question if you if you want that
[11:58.440 --> 12:02.800]  So, how do you check the compliance of software applications in your company?
[12:03.360 --> 12:09.120]  We had in former times. We had a tool called a homegrown tool called [redacted]
[12:10.720 --> 12:14.840]  Made from two or three persons to real nice
[12:15.400 --> 12:19.840]  suite, but as we were changing to internal systems
[12:21.240 --> 12:23.640]  variation of ITS
[12:24.680 --> 12:26.800]  We don't have
[12:27.680 --> 12:28.840]  amount of
[12:28.840 --> 12:35.960]  Person months available to get this migrated to this tool. So we are now on
[12:35.960 --> 12:37.960]  a
[12:38.760 --> 12:42.440]  Company-provided from the security tools point-of-view
[12:43.080 --> 12:47.840]  phone shop, which is calling a Perl script, which is looking at
[12:49.160 --> 12:51.160]  table-based
[12:51.800 --> 12:53.800]  Database
[12:53.800 --> 13:01.520]  which RPMs should have which version, so we do daily a complete scan of installed RPMs on the machines
[13:02.600 --> 13:05.440]  and feed this back against the table of
[13:06.480 --> 13:08.480]  the suggested
[13:08.680 --> 13:11.360]  Versioning they expect us to have
[13:13.080 --> 13:19.920]  And as well with this versioning and there is some kind of security vulnerability messages with it
[13:22.160 --> 13:24.160]  Mm-hmm. I'm just trying to
[13:25.720 --> 13:28.400]  Understand the table so the table is
[13:29.080 --> 13:36.200]  Telling you what it should what did the version should be or what is the current state?
[13:37.640 --> 13:39.640]  They tell us the current state
[13:40.640 --> 13:42.640]  The actually installed versions
[13:43.160 --> 13:50.160]  And in a second step there is another file which they feed back to to the database which is
[13:51.120 --> 13:57.040]  pointing to the versions which have some kind of security messages and
[14:00.240 --> 14:05.320]  But what's the risk with it so there is a low medium and high
[14:06.120 --> 14:07.320]  risk
[14:07.320 --> 14:10.160]  Association and then there you have a kind of a
[14:10.880 --> 14:16.520]  three month or seven days period where you have to make sure that you get
[14:17.080 --> 14:20.200]  The latest level of the RPM
[14:21.080 --> 14:25.760]  Okay, so and and this state like the current state of the system
[14:25.760 --> 14:27.760]  How does it get populated?
[14:27.760 --> 14:32.200]  Do you do that manually or does the tool somehow query that?
[14:32.800 --> 14:37.200]  The tool is querying the package manager of the operating systems
[14:37.880 --> 14:45.600]  Okay, so they are able to look into Windows. They are able to look into Ubuntu, CentOS
[14:46.760 --> 14:48.760]  You name it so
[14:49.000 --> 14:52.680]  Everything which is Linux is basically following either the
[14:54.680 --> 15:00.920]  APT or the yum as a base mechanism and therefore they get all the information they need and
[15:02.200 --> 15:05.880]  When some issue is like is detected
[15:07.160 --> 15:12.920]  Does it suggest how to fix it or just it just tells you okay? There is a problem here
[15:14.000 --> 15:16.000]  well, typically
[15:16.040 --> 15:21.680]  They gave a pointer to one of the CVE databases, for example, to
[15:22.400 --> 15:27.720]  Have a look here what they should just in terms of what should be done to this problem
[15:28.280 --> 15:30.280]  Sometimes we have some complex
[15:30.760 --> 15:32.760]  mechanisms where we
[15:32.880 --> 15:35.800]  Need to evaluate ourselves to get a solution
[15:36.600 --> 15:37.680]  Okay
[15:37.680 --> 15:45.840]  Yeah, you are answering questions in the next slide. So this probably will be a short interview
[15:46.000 --> 15:53.680]  Yeah, it's to be honest. Yeah, when when I'm interviewing someone who really works on the domain the interviews are much shorter
[15:54.760 --> 15:58.040]  Because you know what you're talking about some some
[15:59.240 --> 16:01.640]  Answer again the questions when they arrive so
[16:04.480 --> 16:06.480]  It's easier for you to get the
[16:07.920 --> 16:09.920]  Scripting to the question
[16:10.480 --> 16:12.480]  Yeah, let's
[16:12.480 --> 16:15.640]  Let's see. I think I'll see if
[16:16.240 --> 16:21.720]  If the answers are just already there or or we need some further clarification
[16:22.880 --> 16:24.880]  Okay, so you do have
[16:28.440 --> 16:36.520]  Automated tools that help you. Okay, so did you consider this database or?
[16:36.640 --> 16:38.640]  Or
[16:39.640 --> 16:47.500]  Yeah, so the list of compliance rules that you follow currently. Did you consider it to be well-formed, machine-readable?
[16:52.360 --> 16:57.160]  No, definitely no, okay, this is this is one of our
[16:57.160 --> 17:04.840]  Endeavors we daily have in terms of what do they want from us in terms of
[17:04.840 --> 17:07.520]  Well, we have some kind of a risk-based approach now
[17:08.880 --> 17:13.920]  We give some freedom to the to the users or the administrator so this person like me and
[17:15.120 --> 17:22.000]  We have the opportunity to think through this problem in terms of how we fix it all about what would be the
[17:23.120 --> 17:25.120]  best way to do it but
[17:25.760 --> 17:27.760]  In some cases
[17:28.200 --> 17:33.000]  We have not really completely well described architecture
[17:33.000 --> 17:38.520]  so there is some kind of a homegrown environment where you have some interdependencies between applications and
[17:39.200 --> 17:41.160]  you get
[17:41.160 --> 17:42.320]  this
[17:42.320 --> 17:44.320]  interdependencies by
[17:44.520 --> 17:47.320]  Experimenting on a test systems where you make
[17:47.800 --> 17:53.280]  First installation and afterwards you see if you still your interaction between all the processes is working
[17:55.120 --> 17:58.680]  Yeah, unless this isn't most likely no, no
[18:01.160 --> 18:07.200]  Software out of of any bags so there is some really homegrown code as well associated
[18:07.600 --> 18:15.200]  It's sometime an endeavor up to a week or two to get a new installation working again. Oh, okay
[18:16.240 --> 18:22.920]  Yeah, then I see why you are complete because for some frameworks like I don't know Kubernetes or
[18:23.920 --> 18:30.320]  Terraform moving from testing to production is usually an hour at most
[18:30.960 --> 18:34.760]  But in this case, I see why it's it's a big endeavor
[18:37.440 --> 18:41.160]  Really some kind of scheduling mechanisms homegrown
[18:42.000 --> 18:44.400]  They are pulling machines by by
[18:45.240 --> 18:52.120]  Stacks and commands and that's really crazy where this will not last very long anymore
[18:52.120 --> 18:57.400]  So that was about another two years to go. I think and then we are off of this topic
[18:59.160 --> 19:01.160]  Docker isn't nearly no
[19:02.840 --> 19:08.120]  Thing at all meanwhile, I would say we are starting to migrate all this other stuff to 
[19:09.080 --> 19:11.080]  Kubernetes and
[19:11.760 --> 19:13.760]  the pods so
[19:13.880 --> 19:15.640]  we've had
[19:15.640 --> 19:17.640]  three years ago first
[19:18.640 --> 19:20.640]  the first
[19:20.640 --> 19:28.040]  Experiment I would say with with a colleague which is has left meanwhile, but most of this stuff still exists
[19:28.040 --> 19:33.200]  and this is why this well-deformed Red Hat environment with OpenShift now and
[19:34.480 --> 19:39.080]  It's interesting though most of our users are starting to migrate now
[19:41.640 --> 19:44.800]  Yeah, this would make the process much easier I think
[19:45.800 --> 19:47.800]  Hmm, okay
[19:49.400 --> 19:52.680]  So while the client machine readable format for compliance rules
[19:54.520 --> 19:56.520]  By websites
[19:56.800 --> 19:58.800]  Okay
[19:58.800 --> 20:00.640]  Reading them
[20:00.640 --> 20:09.040]  So do you think if you do have like machine-readable formats, would this reduce the complexity of checking compliance?
[20:09.040 --> 20:19.840]  The magic is to map the machine readable stuff into this risk-based approach process
[20:21.840 --> 20:28.480]  If you have an opportunity to do like a match matrix whether you can say if you do this
[20:29.680 --> 20:31.680]  Here that your risk is
[20:33.600 --> 20:35.600]  Growing I would say
[20:36.280 --> 20:38.280]  You better go another route
[20:39.040 --> 20:45.000]  So if you have some suggestions at that part, they are typically welcome because
[20:46.800 --> 20:48.800]  If you have to try things
[20:50.160 --> 20:52.920]  It's time consuming and if you have some some
[20:54.000 --> 20:57.600]  Expelled explanations or suggestions. It's it's much more
[20:59.000 --> 21:01.000]  certain to don't lose your services
[21:02.360 --> 21:05.200]  So you say it will be valuable
[21:05.200 --> 21:11.840]  But only if it can be understood by by the existing tool or framework that you have, right?
[21:12.400 --> 21:14.400]  Yeah, okay
[21:14.400 --> 21:17.640]  That was some kind of from mapping. I would say needed
[21:19.760 --> 21:28.680]  So I think you already answered nine so you say you spend a lot of time in trying to understand what what they want from you
[21:28.760 --> 21:34.320]  So that's what that's what we mean with uncertainty. So if you do have
[21:35.600 --> 21:40.200]  Well-defined formats with the mapping that you're requesting
[21:40.680 --> 21:45.800]  Then this would reduce uncertainty, right? Yeah, okay
[21:47.400 --> 21:50.080]  So how often do you deal with new compliance rules?
[21:53.880 --> 21:56.800]  It's a little bit slowing down now, I would say
[21:58.240 --> 22:00.000]  Half a year
[22:00.000 --> 22:07.040]  Sometimes three months, but I would expect that this is now going into this half a year
[22:10.560 --> 22:12.560]  Okay
[22:12.560 --> 22:19.160]  So now it's like similar questions just trying to get numerical estimation for the answers. So
[22:20.240 --> 22:27.560]  I'll tell you a statement and then five if you tell me five this means that you totally agree and one totally disagree
[22:27.840 --> 22:33.360]  So using the framework which you saw in the in the video does it reduce the effort of
[22:34.200 --> 22:36.680]  defining and checking compliance rules
[22:41.560 --> 22:44.200]  So imagine imagine that you have some some
[22:45.080 --> 22:48.480]  catalog of compliance rules and now you want to this is like
[22:49.040 --> 22:55.400]  Written for for human beings and you want to now model all that in in the framework
[22:55.400 --> 22:58.880]  And then use the framework to actually do the checking
[23:00.640 --> 23:05.120]  Exactly as I was thinking of it. I do have to build up my own Catalog?
[23:06.080 --> 23:08.080]  It would be...
[23:08.400 --> 23:12.720]  Each and everyone needs the same kind of catalog. So why not doing this in
[23:14.480 --> 23:16.480]  Library for everybody?
[23:17.560 --> 23:19.560]  Yeah, that's that's a common
[23:20.520 --> 23:22.520]  I would have I would totally agree
[23:23.520 --> 23:26.240]  If you do need to do it yourself
[23:27.920 --> 23:29.920]  Then you totally disagree
[23:32.720 --> 23:35.120]  I have just seen right now the
[23:36.720 --> 23:38.320]  amount of
[23:38.320 --> 23:43.920]  clicking around and defining stuff and interacting so I would say
[23:44.680 --> 23:51.120]  If I do it if I have to do it on my own, I would go into the direction of a disagreement. Okay
[23:52.520 --> 23:54.520]  That's fair
[23:55.760 --> 24:04.520]  Okay, and now in the next question I say complexity and this means that you need an expert to do the compliance checking
[24:05.680 --> 24:12.080]  In contrast to having someone who yeah, that doesn't have much experience
[24:13.240 --> 24:18.040]  Executing these compliance checks. So do you think if the framework is used?
[24:18.360 --> 24:22.560]  So with all the that compliance rules already modeled
[24:22.560 --> 24:29.880]  Do you think using the framework reduces the complexity associated with checking and defining compliance rules?
[24:30.800 --> 24:34.400]  Definitely. I would say I would count a four
[24:35.560 --> 24:37.560]  It's always room to improve
[24:37.720 --> 24:39.720]  sure
[24:39.720 --> 24:41.080]  and
[24:41.080 --> 24:43.040]  now
[24:43.080 --> 24:50.320]  About uncertainty again, so do you think that using well-defined models for compliance rules reduces the uncertainty of
[24:51.040 --> 24:53.040]  Interpreting them
[24:53.040 --> 24:55.040]  Absolutely, well
[24:56.880 --> 25:04.080]  It's a I'm an engineer. There is always the opportunity to find something which is not completely defined
[25:05.520 --> 25:12.000]  But in most cases we are by well defined in the right definition of totally agree
[25:13.400 --> 25:18.760]  If somebody has stated a completely defined I would say we are around the three, but
[25:19.640 --> 25:21.720]  With a well-defined I would say five
[25:25.480 --> 25:27.160]  So
[25:27.160 --> 25:36.280]  Architectural reconstruction means getting an understanding of the architecture of the application system that you you want to manage the compliance for and
[25:36.280 --> 25:43.320]  The the framework does that because it's the first step in the compliance checking
[25:43.520 --> 25:48.800]  The way the framework does works is like creating this
[25:49.760 --> 25:57.720]  Architectural representation of the system and then comparing it against the compliance rules and then with this comparison
[25:57.720 --> 26:01.240]  it decides whether okay there are violations or not and
[26:02.240 --> 26:09.680]  Architectural reconstruction is done in two steps the first step creates like an initial architecture
[26:10.160 --> 26:12.480]  based on the information known to the
[26:13.120 --> 26:15.120]  IAC tool, so let's say
[26:15.160 --> 26:21.480]  Imagine that you have Kubernetes already, so the first step would be to communicate with
[26:22.840 --> 26:31.200]  Kubernetes cluster and then ask it about what it knows about the application like which resources and their relations
[26:31.480 --> 26:32.800]  and then
[26:32.800 --> 26:39.600]  If if your rules need to know further information about certain elements of the infrastructure
[26:39.880 --> 26:43.500]  Like for example in the second use case in the video
[26:45.400 --> 26:51.600]  Already showed a really nice graphical representation of the interaction between containers and
[26:52.400 --> 26:56.520]  Applications and that's that's really what one of the things which are needed most
[26:57.440 --> 27:05.100]  It was the hardest time in our Docker environment to get the clue about of how many images are stacked together into one
[27:05.280 --> 27:11.960]  Container and which container is interacting with with another one and how did you do that? That's question 14
[27:12.720 --> 27:18.080]  Manually, so did you? By asking around and by going into
[27:18.720 --> 27:20.240]  Docker
[27:20.240 --> 27:28.440]  Online and having a look what is stacked upon and I thought that's really reverse engineering at its most painful state
[27:30.040 --> 27:32.040]  Nice description I
[27:32.440 --> 27:34.440]  Might quote it
[27:34.800 --> 27:37.880]  Yeah, so that's a question 15 already
[27:37.880 --> 27:41.440]  So did you think that according to what you saw in the video?
[27:41.440 --> 27:46.080]  Do you think that using the tool reduces the effort of architectural reconstruction?
[27:47.080 --> 27:49.080]  So
[27:49.080 --> 27:56.520]  Let me give you a hint. Maybe it helps you on this answer this so you need the proper plugins for that
[27:57.000 --> 28:03.640]  So we do have a plug-in for Kubernetes, but we don't have a plug-in for example for SaltStack
[28:04.560 --> 28:06.920]  or any other IAC tool so
[28:07.600 --> 28:13.120]  The if you want to use it then you need a plug-in that talks to the current
[28:13.680 --> 28:18.240]  Tooling that you have and then for specific use cases
[28:18.240 --> 28:22.000]  Let's say you want to know extra information about some database
[28:22.000 --> 28:28.560]  Yeah, you need an a refinement plug-in an additional plug-in that knows how to talk to the database management system
[28:29.000 --> 28:38.400]  So you need you need plugins for that. So maybe you can answer in two scenarios first scenario is you you have the current version
[28:38.760 --> 28:40.760]  which means you need to
[28:40.880 --> 28:43.680]  employ some people to implement these plugins and
[28:44.080 --> 28:52.240]  The second scenario is that okay, you already have a repository of public plugins. Maybe you can reuse most of them
[28:53.360 --> 28:57.200]  So if I would if I would have had more time yesterday in the afternoon
[28:57.600 --> 29:00.280]  That's why I didn't send you an email as well
[29:00.280 --> 29:03.280]  I would have made some research on
[29:03.920 --> 29:10.600]  Is there anything out there right now in terms of plugins which is fitting and supporting your environment?
[29:10.840 --> 29:12.840]  Winery and the stuff and
[29:12.840 --> 29:21.240]  I haven't had the time so I would expect that this is this is this is something everybody's needing so there are lots of homegrown
[29:21.880 --> 29:24.040]  Environments and if this is taking
[29:25.280 --> 29:27.280]  the rate the right
[29:28.160 --> 29:31.880]  Corporation part so I expect that this will
[29:33.440 --> 29:40.680]  Flourish like this Ansible stuff that the community supporting and growing these plugins as they are
[29:40.760 --> 29:42.760]  needed and helping
[29:44.320 --> 29:49.000]  So if there is such a community and you have something like
[29:49.880 --> 29:57.000]  A repository of plugins you would totally agree that the effort will be reduced. Okay. Definitely. Yeah
[29:58.200 --> 30:05.080]  And even though if you if you invest first and have your plugin afterwards you do have it so
[30:06.640 --> 30:08.640]  Can work with this tooling and
[30:09.640 --> 30:12.320]  Some time that it needs to be invested
[30:13.520 --> 30:22.000]  Okay, so it's not totally disagree if you don't already have the plugins. Yeah, it's a bit better than one. Yep
[30:24.560 --> 30:28.120]  Okay, so now about automatically fixing
[30:28.720 --> 30:31.440]  Violations if you do find violations
[30:32.600 --> 30:38.200]  So at the moment, what do you do if you find out that are some some application?
[30:38.840 --> 30:40.840]  Violates some compliance rule
[30:41.120 --> 30:45.800]  Well, we go into our Ansible roles where we set up the
[30:46.920 --> 30:49.080]  Manipulations of the setting sort of configurations
[30:49.600 --> 30:56.880]  Feed in the right way of doing things. So the most likely there are some variables which have to be set differently
[30:57.600 --> 30:59.600]  and you you feed this into our
[31:00.560 --> 31:02.160]  submission code and then
[31:02.160 --> 31:08.120]  get a first glance with a trial run and then afterwards you push it to the
[31:08.640 --> 31:10.640]  repository and have
[31:10.640 --> 31:15.360]  Your fix in and I've seen the mechanism you are using here. This is
[31:17.240 --> 31:19.240]  What I did often
[31:19.480 --> 31:25.000]  manually to get a first glance if it's really working and when it was working I
[31:25.760 --> 31:27.760]  have done the
[31:27.760 --> 31:32.720]  procedure I have described before so changing the configuration script first and then
[31:33.600 --> 31:39.920]  Going through the pipeline like trying it in test environment and then actually deploying it to production
[31:40.760 --> 31:42.760]  And is it always the case that
[31:43.760 --> 31:50.880]  The compliance violation is related to something that is that can be actually fixed using Ansible I
[31:50.880 --> 32:07.160]  can't remember if well at one time we had to change a complete appliance. So we have to drop
[32:07.880 --> 32:10.280]  Mayday men and get another one
[32:11.480 --> 32:12.680]  Yeah
[32:12.680 --> 32:14.680]  all the other cases
[32:15.640 --> 32:23.560]  Some more string and configuration settings which are a little bit different than the default which is coming by the up here
[32:24.440 --> 32:26.440]  So I would say
[32:27.480 --> 32:32.400]  About 90 to 95 percent would be fed back into our Ansible environment
[32:34.400 --> 32:42.120]  Okay, yeah, that's that's not always the case so Ansible is really powerful. Yeah, but if you use other tools
[32:42.120 --> 32:44.880]  It's not always the case. Sometimes you you do have
[32:45.800 --> 32:47.680]  some
[32:47.680 --> 32:53.400]  Something that can violate compliance that is not managed by the IAC tool. So and then
[32:54.000 --> 32:55.320]  it's
[32:55.320 --> 33:03.840]  You either need an additional IAC tool like Ansible in that case and to fix such problems or or you do that manually in the current
[33:04.840 --> 33:07.560]  Current practices I heard about at least
[33:07.560 --> 33:12.960]  And we see this mechanisms as you were asking before in terms of
[33:13.480 --> 33:18.200]  How often do we see changes in our ruling and security ruling? We have
[33:19.080 --> 33:21.440]  stepped forward and backwards two times with
[33:23.520 --> 33:25.160]  Credential management
[33:25.160 --> 33:27.160]  We have developed credential management
[33:28.200 --> 33:33.240]  environment and has set up everything and ready to go and
[33:33.240 --> 33:38.160]  And three months later, we were told to that this
[33:39.600 --> 33:42.080]  Environment isn't supported anymore. Oh
[33:47.240 --> 33:50.920]  And I was thinking of HashiCorp as one of the premium
[33:52.200 --> 33:54.200]  supporters of security
[33:55.000 --> 33:57.000]  I
[33:57.000 --> 33:59.000]  Was wrong
[33:59.720 --> 34:01.720]  Yeah, such a waste of effort
[34:04.160 --> 34:06.160]  Oh
[34:06.160 --> 34:08.760]  Yeah, where are we now? Okay, so
[34:11.360 --> 34:17.080]  Yeah, so you you you apply these fixes to the Ansible script manually, right?
[34:17.080 --> 34:19.880]  You need to know what to fix and how to
[34:20.280 --> 34:25.960]  Change the script but then applying the script itself after it's changed. That's automatic, right?
[34:26.600 --> 34:28.120]  Yeah, okay
[34:28.120 --> 34:32.080]  Well, there was this notion of if we would have more
[34:32.640 --> 34:38.400]  Was resources, I would say and that's what I was asking and going into direction before
[34:38.720 --> 34:41.280]  if there is some kind of a community and
[34:42.400 --> 34:45.880]  Now that and all these compliance violations are
[34:46.520 --> 34:52.360]  described in a manner where they already provide solutions. So if there are enough
[34:54.080 --> 35:01.320]  Coders they could really go and give for every flavor of the operating system a solution and
[35:02.080 --> 35:04.080]  provide it to this
[35:05.280 --> 35:07.280]  IACMF
[35:07.720 --> 35:09.640]  approach
[35:09.640 --> 35:11.640]  Let's call it the framework. It's
[35:12.880 --> 35:14.720]  The framework
[35:14.720 --> 35:15.840]  Yeah
[35:15.840 --> 35:19.200]  Yeah, I see you. I see your point. Yes
[35:20.800 --> 35:26.080]  Many many other participants in the interviews did give the same comment
[35:27.200 --> 35:29.200]  Okay
[35:29.720 --> 35:37.760]  So do you think then if if you use the the framework does this reduce the effort of fixing compliance violations if you do have these
[35:38.560 --> 35:40.560]  pre-configured
[35:40.560 --> 35:42.560]  fixes I
[35:44.200 --> 35:49.120]  Would say we go to four because of there might be well
[35:50.200 --> 35:53.600]  the question would be if we go and
[35:54.480 --> 35:59.640]  Change our process in a way that we don't go in a controlled forward ways
[36:00.080 --> 36:07.040]  We go going in a default forward way and then we are going in a second round and fixing everything
[36:07.680 --> 36:09.680]  it is some kind of this
[36:10.320 --> 36:12.320]  You better make it safe the first time
[36:12.960 --> 36:19.280]  You will need to feed back this information in your setting up of the provisioning
[36:19.280 --> 36:25.800]  Mm-hmm. Mm-hmm. That's the last point. I would say to not reaching the five as the final state
[36:26.880 --> 36:29.320]  You want to make sure that you're in
[36:29.960 --> 36:31.960]  provision something which is
[36:32.760 --> 36:39.600]  From the very beginning safe. Yeah, so that your scripts are already compliant. Yeah
[36:40.600 --> 36:42.080]  But that would be
[36:42.080 --> 36:49.240]  Much more interesting position in terms of saying is there a way that I can check my scripting that it's safe
[36:50.160 --> 36:54.840]  There are some toolings where for example analysis which are going into
[36:55.280 --> 37:01.680]  Pro scripts and say this is a behavior or a coding style. You we we do not
[37:02.280 --> 37:06.880]  Say it's safe to go this route. Please code differently
[37:08.000 --> 37:14.320]  Yeah, the problem with these tools in my opinion is that they are a bit difficult to customize for
[37:14.400 --> 37:22.680]  For lists of compliance rules that you need so that they have like heuristics or specific best practices
[37:22.880 --> 37:24.880]  but sometimes you
[37:25.000 --> 37:31.360]  You have your own compliance rules that you need to check and they could be not really best practices overall
[37:31.360 --> 37:34.820]  But there are compliance rules for for your specific
[37:35.800 --> 37:37.360]  enterprise
[37:37.360 --> 37:42.160]  And so that's what we really focused on in the framework to be customizable
[37:42.720 --> 37:49.360]  That you can define your own rules. You don't need to say. Okay. I want this specific catalog and that's it
[37:49.600 --> 37:53.040]  That's the only thing that the the framework supports
[37:53.040 --> 37:59.360]  No, you can you can have your own rules as well and that's one thing and another thing is
[37:59.920 --> 38:07.800]  Fixing is plugin based like everything else in the framework. So basically you can in theory at least you can implement a plugin that
[38:08.280 --> 38:14.880]  Does the fixing by not really going to the running instance and fix it but going to the
[38:15.320 --> 38:18.040]  code and fix it and then
[38:18.560 --> 38:27.560]  The plugin also can trigger the deployment. So in theory you can you can kind of integrate the fixes into the the regular
[38:28.640 --> 38:36.080]  deployment pipeline not not make a different pipeline of fixing the instance and then you you have the code or
[38:36.720 --> 38:39.760]  In a in an uncompliant way
[38:39.760 --> 38:47.320]  So if someone else deploys starting from the code you say you have the same violations again. Yeah, you you can actually
[38:48.360 --> 38:50.360]  Program a plugin for doing that
[38:51.840 --> 38:54.520]  This would be a diploma thesis I would say
[38:56.600 --> 38:58.600]  Master thesis
[38:58.600 --> 39:00.600]  Yeah tell tell what in about it
[39:01.160 --> 39:05.940]  He knows these master theses. Yeah, I think a master thesis now
[39:06.080 --> 39:11.920]  Might work because we already have a framework. Yeah, when we tried it the first time there was no framework
[39:11.920 --> 39:17.320]  That was a bit difficult. I need a practical master thesis
[39:19.680 --> 39:21.840]  Yeah, then maybe maybe try with
[39:22.800 --> 39:29.120]  Fachhochschule. Yeah, maybe they do have this kind of master. We have one guy now who does a bachelor
[39:31.000 --> 39:33.000]  Practical yeah
[39:33.160 --> 39:37.620]  Yeah, in our case the prototype is doesn't come first
[39:41.760 --> 39:44.720]  I see I see you are the architectures
[39:47.160 --> 39:50.720]  Don't forget the doors if you just have windows
[39:53.480 --> 39:55.480]  Yeah, I like the concept that
[39:56.280 --> 40:00.600]  Totally through the here a he's we can check for for let's say
[40:01.560 --> 40:04.320]  premises virtual system running
[40:05.080 --> 40:06.680]  as a nodes
[40:06.680 --> 40:12.240]  Calling databases applications and so on and this gets automatically basically in a hierarchy
[40:12.240 --> 40:15.880]  Are he and then you can check the security in all different kinds of layers
[40:17.160 --> 40:20.120]  [redacted]
[40:20.760 --> 40:22.760]  Okay, okay
[40:24.320 --> 40:26.320]  Okay, so
[40:26.480 --> 40:35.480]  There's the concept of a compliance job, which is basically what you said that not only what the compliance rule is but also how to fix it
[40:35.480 --> 40:37.480]  So a compliance job
[40:37.480 --> 40:43.280]  combines a few related compliance rules and for each possible
[40:43.480 --> 40:52.080]  Violation it says what how to fix it so in the video it was this UI with with multiple steps the overall
[40:52.920 --> 40:57.000]  Entity that comes out of this UI is this compliance job
[40:58.280 --> 41:04.920]  And I saw that similar concept exists for for a tool for salt stack compliance
[41:06.720 --> 41:10.000]  They have a different name for it, but basically it's the same thing like
[41:11.000 --> 41:17.160]  Please check this set of compliance rules and fix them in this way and do that
[41:17.160 --> 41:22.880]  I don't know once once per month. So this this whole thing is called a compliance job and
[41:24.440 --> 41:30.800]  Since it says how to fix compliance rules like for if this is violated
[41:30.800 --> 41:32.800]  You do that do you think that?
[41:33.440 --> 41:39.520]  Having such a model a compliance job would reduce the uncertainty of how to handle violations
[41:44.040 --> 41:46.640]  So yeah, so let's say
[41:47.400 --> 41:49.400]  You now know there is a violation
[41:51.680 --> 42:00.200]  Do you immediately know what to do or would an existing model that you did previously or someone else that did for you
[42:00.760 --> 42:02.760]  Would that reduce the uncertainty?
[42:05.040 --> 42:07.040]  I would say this is
[42:07.720 --> 42:16.000]  Nearly totally agree because of whenever you are in a hurry to get something fixed and you can fall back to something
[42:16.000 --> 42:22.400]  Which was predefined or already has shown that it's on other installations is working
[42:23.160 --> 42:28.200]  You get close to this totally agree and there is no uncertainty anymore
[42:31.480 --> 42:36.720]  Okay, so that's all about this concept of learning from others from others' faults
[42:37.440 --> 42:40.920]  And if they have fixed their fault why why why
[42:41.800 --> 42:43.800]  Being uncertain anymore
[42:44.800 --> 42:51.960]  Just this uncertainty in terms of is my application and the interaction still working, but at least
[42:53.720 --> 42:55.720]  Security part of it is definitely
[43:00.200 --> 43:05.680]  Okay, so now this is the last set of questions and they are general questions
[43:06.840 --> 43:08.640]  But yeah
[43:08.680 --> 43:15.160]  Try to answer them according to your knowledge. Yeah, you might not know for example 21
[43:15.760 --> 43:19.440]  Like do you think this this approach is novel I?
[43:25.160 --> 43:28.880]  Feel like there is something out which I'm not aware of
[43:29.880 --> 43:37.120]  Already so I think at least if you go and buy something you will find the one or the other
[43:39.240 --> 43:44.760]  opportunity to get something like this if it is
[43:47.680 --> 43:54.440]  That flexible as I have seen so far and the big question behind this is how much of
[43:55.520 --> 43:57.520]  supporting libraries are there and
[43:59.880 --> 44:01.880]  Then the
[44:02.080 --> 44:04.080]  It's a novelty is that
[44:04.560 --> 44:09.440]  New I would say there is not much of an existing library
[44:13.280 --> 44:21.120]  Positive effects because of now somebody is able to get through stacks of information and applications and then there
[44:22.160 --> 44:26.240]  hierarchy and I would say yes, it's
[44:30.480 --> 44:32.480]  For me I would say a very
[44:33.120 --> 44:36.680]  New novel way of of going going this route.
[44:38.520 --> 44:40.520]  Okay, so
[44:40.520 --> 44:42.520]  What do you think about?
[44:43.000 --> 44:49.240]  Extensibility first is it useful and second do you think that the framework offers extensibility?
[44:53.160 --> 44:59.080]  Extensibility is always a nice thing to have. Oh no, it's a it's a must have I would say because
[44:59.480 --> 45:03.240]  Everything's changing all the way. So you want to adapt to the change
[45:04.360 --> 45:05.920]  and
[45:05.920 --> 45:08.520]  therefore, it's absolutely must and
[45:09.960 --> 45:15.400]  Yeah, evaluation is the concept of plugins is well known
[45:16.480 --> 45:21.520]  In terms of of this mechanism. I would say yeah, that's that's the way to go
[45:22.160 --> 45:27.600]  the question is now there are lots of guys and girls and
[45:28.560 --> 45:34.840]  Anybody's I would say already following this this kind of extended Marga language or plugging
[45:35.440 --> 45:40.200]  Definitions and stuff like that. So I think it's easy to get this extensibility
[45:41.040 --> 45:43.040]  rolled out into the field and
[45:43.920 --> 45:45.920]  Support us by anybody
[45:47.280 --> 45:49.280]  Okay, so now
[45:49.440 --> 45:51.440]  Next question would you
[45:51.760 --> 45:54.360]  Hypothetically at least would you use the framework and your work?
[45:54.360 --> 46:02.440]  If you would give me a car with four wheels steering wheel and
[46:03.280 --> 46:09.760]  An engine no matter if it's electric or combustion. Yeah, would do a test right?
[46:10.160 --> 46:12.160]  Okay
[46:12.160 --> 46:17.240]  And would you test it for all possible steps of the framework?
[46:18.120 --> 46:22.440]  Even for fixing automatic fixing or or would you just try to?
[46:23.400 --> 46:27.640]  Use it for compliance checking and then no no fixing
[46:29.400 --> 46:31.400]  If you're in a development
[46:32.600 --> 46:41.840]  Situation you always have new scenarios. So you would go all the options in your test environment and then you can
[46:42.360 --> 46:48.920]  Say okay evaluation of this was worthwhile. This was too much effort to get to the point
[46:49.560 --> 46:51.560]  so I
[46:51.600 --> 46:53.600]  Think
[46:53.600 --> 46:57.480]  You can afterwards say no doubt we wouldn't apply this
[46:58.600 --> 47:02.320]  I can't say okay. Yeah, that's fair
[47:03.600 --> 47:05.600]  Okay, so
[47:05.600 --> 47:07.600]  What's your general impression?
[47:10.640 --> 47:16.600]  As you were guiding through the GUIs is I was a little bit
[47:16.600 --> 47:18.600]  a
[47:19.720 --> 47:24.040]  Disappointed well in the second in the second part. There was this is kind of architectural
[47:24.760 --> 47:31.160]  diagram which how which is the interaction between the administration and
[47:31.880 --> 47:34.080]  applications and that's it come from and
[47:35.000 --> 47:37.000]  there I
[47:37.000 --> 47:44.040]  Found as well a document. Well, it's always a matter of have you do you have enough time to spend and
[47:45.040 --> 47:47.040]  Absorb all the information and then
[47:47.520 --> 47:54.120]  Make your well a well done thought or you just do a gut feelings
[47:56.280 --> 48:00.760]  For my gut, I would say there is a quite potential and
[48:02.520 --> 48:07.280]  Depends very hard on how much of this
[48:08.280 --> 48:15.280]  Configuration work is on my own shoulders although with support in terms of our libraries and
[48:18.000 --> 48:26.000]  Interacting with existing mechanisms like for example this export plug-in that you get your fixes as well into an
[48:26.000 --> 48:27.760]  Ansible
[48:27.760 --> 48:29.760]  For example
[48:30.920 --> 48:34.720]  Yeah, but I don't we have thought this is
[48:35.720 --> 48:37.720]  Dimitri's
[48:38.720 --> 48:42.480]  Environment for automation of his cfox stuff so and so forth
[48:44.240 --> 48:46.520]  Yeah, there are much more
[48:47.320 --> 48:50.520]  different coding for infrastructure as code so
[48:51.480 --> 48:58.960]  Let's see where that's go to and if we end up in all the soothing and simple and galaxy stuff
[49:00.040 --> 49:04.200]  Yeah, if everyone uses the same thing it's it's life is much easier
[49:04.720 --> 49:06.720]  But very difficult
[49:09.120 --> 49:12.400]  If you make this one thing everybody's in deep [s-word]
[49:13.560 --> 49:17.040]  Yeah, that's another point. Yes
[49:18.040 --> 49:24.160]  Why do you have this high frequency on this [redacted] stuff? I would say everybody's using it so it's it's quite
[49:24.640 --> 49:26.640]  interesting to make some money with
[49:26.840 --> 49:28.840]  Hacking [redacted] products
[49:30.320 --> 49:33.000]  I will probably remove this from the transcript
[49:35.560 --> 49:40.320]  Okay, okay, so yeah, that's that was it
[49:41.400 --> 49:48.400]  Thank you very much. That was really valuable and I will certainly quote you a few times in the paper