
Slim.AI Helps Developers Focus On Driving Business Without Getting Distracted


Guest: John Amaral (LinkedIn)
Company: Slim.AI (Twitter)
Show: Let’s Talk

Slim.AI, a company focused on building better containerized apps with less friction, has raised $31M Series A financing led by Insight Partners and StepStone Group with participation by boldstart Ventures, Decibel Partners, FXP, Knollwood and TechAviv Founder Partners.

John Amaral, Co-Founder and CEO of Slim.AI, says, “I believe in two principles for a company at our stage: Build a great product that developers love and make sure they all know about it. So we will be doing a lot of the first thing, which is developing a lot of energy and investment in building something that developers love.” Amaral continues, “So we’ll be investing some in the ability to learn from developers, in product management, and even community. But the predominance of this is going towards R&D, building great software.”

Slim.AI takes a developer-first approach. The mission of Slim.AI, according to Amaral is, “How do we make it so that developers don’t end up having to be experts in areas that distract them from their core function of building software that drives your business?” With this in mind, Slim.AI wants to reduce that burden and give developers the tools to help them build the things they might struggle with. On this issue, Amaral states the goal is “Improving developer experience, lowering friction, and increasing their productivity and ability to deliver software that will work really well in the target infrastructure.”

Amaral also touches on the practicality of security, when he says, “I think there’s increasing awareness, but I think that taking that awareness into practice is pretty low today in most organizations.” He further explains, “I think organizations typically understand and appreciate that there’s some degree of risk. I think that that understanding is increasing. And I think the awareness of the need to understand and do something is increasing. So good news for our world and software that people are starting to pay attention.”


Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya and welcome to TFiR Let’s Talk. And today we have with us, once again, John Amaral, co-founder and CEO of Slim.AI. John, it’s great to have you back on the show.

John Amaral: Swap, It’s great to see you again. Thanks for having me.

Swapnil Bhartiya: There’s so much to talk about. First of all, having you here and second is that you folks have raised another 30 or 31 million, if I’m not wrong. So what a great start of the year. I may be wrong in the number, so that’s all the things that we’re going to talk about today. So let’s start with this big news. Talk a bit about this funding round.

John Amaral: We just closed a Series A round at Slim.AI. 31 million dollars was co-led by some fabulous venture partners, Insight Partners, StepStone Group, and Knollwood, inclusive of having investment from all our existing investors, which are great, including Boldstart and Decibel and TechAviv Partners. The investors are the ones that are behind Docker and JFrog and Acquia and Snyk and so many great security and cloud native developer-first companies. It’s very gratifying to have an investment from these folks at this time, and really helping us support our mission to make containerized applications easier, better, more secure for all developers. So off to a good start this year.

Swapnil Bhartiya: One of the areas that you will be investing in already, or that you see potential for growth, because at the stage Slim.AI is, I mean, the sky is the limit for you folks right now.

John Amaral: It’s all about building great software for developers right now. So, predominantly the investment here is going to be in more R and D for our company. We’re going to significantly increase our development organization. I believe in kind of two principles for a company in our stage. It’s build a great product that developers love and make sure they all know about it. So we will be doing a lot of the first thing, which is developing a lot of energy and investment in building something that developers love.

That means all of the pieces of an organization, software development, of course, hire more engineers, get them focused on the right things and more about interacting with users in our community. So boosting our ability to communicate, interact. So we’ll be investing some in the ability to learn from developers, et cetera, in product management, and even community. And then the other part, make sure they know about it. We’re also investing a modest amount in just getting the word out there with some more growth and more sort of marketing capabilities. But the predominance of this is going towards R and D, building great software.

Swapnil Bhartiya: We all know, and you also mentioned the focus on developer first. I also, this is an observation, I may be wrong, that can help us with this discussion as well, that we traditionally are trying to break old silos but we end up kind of creating new ones. I call them soft silos. We talk DevOps, DevSecOps, NetOps, because with this engineering people will have interest in specific areas. So there will always be security folks. There will always be folks who are interested in network. At the same time, we are also looking at unicorn developers who can do everything. Because when you do look at all the DevOps and everything else, a lot of things they do fall in developers’ pipelines. A lot of responsibilities are becoming developers’ responsibilities. So I also want to understand how do you see the evolution that we read about versus what is happening in reality? And then when you talk about developers first, so I just want to understand where does it fit in what you see in reality that happens in the organizations. And that can also explain why you talk about developers first.

John Amaral: Great question, and a lot to unpack there, but I’ll do my best. First of all, I think this idea of soft developers build it and run it, this kind of shift left transition you’ve seen, it’s revolutionary in that it allows the kind of decision making upfront when you’re building software to be carried forward very quickly, or learning happens faster. A lot of the sort of glide path to getting production ready software kind of gets smooth. But at the same token, there’s a feedback cycle that comes back to the developer’s desk, which includes a lot more work, a lot more expertise needed, a lot more evolving and learning about what happens to my software when it goes over there. For instance, like containerizing software, it’s effectively an infrastructure related task to make sure that’s going to work when it gets over on the infrastructure side.

John Amaral: And so we see developers having more responsibility and I’d say more trust in them to deliver in the way we describe. But at the same time, the feedback cycle creates a lot more work and a lot more learning and a lot more knowledge necessary to be able to do their job. And so it comes with a lot of friction and a lot of, I’d call it a lot of moving away from the core function of writing software and into the role of taking part in the delivery of that software. Which creates a ton of, I’d say, friction for developers. And so I think that, again, good things, positive things with that. And also these negative side effects.

And with the rapid change in what it takes to build and deploy apps these days, well, keeping up with that change is hard for the average developer and it makes that a difficult job to do. We’ve observed in, we’ve been building software for a long time, we have developers, we’re a software company. We’ve observed that some of these, I’ll call them newly acquired tasks related to this owning and deploying your software, can take up 30, 40, 50% of a developer’s cycles. And it’s really often difficult work for them.

And so when we talk about developer first, especially with our mission, it’s all about how do we make it so that developers don’t end up having to be expert in areas that distract them from their core function of building software that drives your business. And so how do we make reducing that burden, giving them tools that make the things they’re not necessarily expert at or don’t want to be expert at, easy to do. Improving developer experience, lowering friction and increasing their productivity and ability to deliver software that will work really well in the target infrastructure. And there are tons of places to look there for improvement. So we’ve got a pretty rich place to target with value.

Swapnil Bhartiya: Earlier, you also talked about security. And security is really becoming important. I am here in the DC region and there was a White House meeting about open source code as well, supply chain. And you folks also have focus on supply chain. First of all, I want to talk to you, is that from your own observation, how much awareness is there in people that they do understand that, hey, the software that we are using, most of it is open source. So they need to understand the software supply chain issue. They need to know, hey, because they are pulling so much code from so many different places. So we should look at it as recipe of a dish or assembly of a car where you are getting different, if you don’t understand, you cannot even guarantee. So is there any awareness about it or not?

John Amaral: I think there’s increasing awareness, but I think that taking that awareness into practice is pretty low today in most organizations. Unless you’re governed by some compliance program, think of FedRAMP for the federal government, where it’s enforced upon you. I think organizations typically understand and appreciate that there’s some degree of risk. I think that that understanding is increasing. And I think the awareness of that need to understand and do something is increasing. So good news for our world and software that people are starting to pay attention. I think it’s early in the life cycle of people generally caring and doing something about it. Certainly we’ve seen a bunch of well publicized exploits and attacks that have leveraged this kind of software supply chain vectors to really create significant, big attacks.

And so these kinds of things, plus I’d say, industry and governmental folks talking about it more and mandating and suggesting that we do more is helping. I think in general, right, especially in cloud native software, since containers have existed, folks have been talking about container best practices. And to your point, Swap, it’s like, what’s the first thing you see there? Well, if you’re using open source software or containers from an external party, know what’s inside them, right?

The second thing they say, only put the parts of those software into production that you need to run your app. And the third is remove vulnerabilities and reduce the attack surface of those software because it’s a better security posture. And generally what we’ve seen is that far fewer organizations actually put those three recommendations into practice. We see it all the time when we look at open containers out there in the wild. We see it all the time when we look at code running in production. Those three pretty sensible controls, which are at the heart of the matter with software supply chain security, are often ignored and not done well. And so, and I think if we could do more of that, I think we’d be in great shape. And a lot of what we’re building helps organizations achieve those three things.

Swapnil Bhartiya: And we do talk about security. Yes, availability is, bugs are part of software development. You can never get rid of them. As long as we are writing software, there will be bugs. But there is human factor also. Misconfiguration is one of the most known, giving too many permissions, giving access to people who should not have it. Those are all, if you look at cases, you see that. And of course, other thing. So from developers first study, how do you look at this culture of people, problem of security as well, and what are you doing about that? Because we cannot not do anything about bugs, we cannot do, but there are certain things we can do about how to actually configure things better.

John Amaral: Right. Yeah. I think more broadly, there’s three parts to kind of like this idea of doing something about software supply chain security. This kind of compositional integrity. Like is the software there that we need? Is it correct? And can we use it and should we use that software? And of that software we use, are we in control of what it is and making sure that it’s minimal and the attack surface is lowest. From a responsibility perspective for developers and security professionals and DevOps folks, really, I think that’s a configuration problem of some sort. It’s like configuration means, what’s in my packages, what am I shipping? I think generally that this part of security is often overlooked. It’s the hardening phase, it’s the reductive phase.

It’s pretty hard to do those things. And I think most organizations don’t have the tools and techniques and practices to do that well. There’s the software security configuration stuff. That’s the second kind of big bucket here, which is I have some software, I want to run it. Is it set up to run securely? Do I have the right permissions? Do I have the right least privileges? Do I have the right edges of that software, the way they talk to things, what they can talk to? That’s kind of usually security controls and configurations, maybe at the network and the software configuration level. Organizations typically do that a little bit better because you have security professionals that know how to do that. And there’s usually best practices being traced. And typically that’s closer to the operational profile of the software and folks know how to take care of that stuff.

So I think that the typical level of maturity there is higher than the latter, what I talked about, which is I’ll call software, it’s like compositional integrity. The third is trust and integrity. It’s knowing who and what that software is and where it came from. I’ll call this kind of a signing part or understanding the lineage of your software. That’s an area also poorly handled. Most organizations being able to say, well, I know this package uses that package uses that package uses that package. It came in this container, and I know where and how that container was composed. Also a very sort of under established methodology and system. So this idea of integrity and trust in the software supply chain and compositional integrity of software, not so well done today mostly in organizations. And the problem with the compositional parts is a lot of the decisions need to be made when you make the software, upfront in the developer’s purview.

It’s like, so what did I select to be my software and how did I vet it, is hard. So what we need is systems that augment kind of like human decision making there, like having something like an automated system that tells you, well, this is the software you have that you’re about to use. Make it intentional, make it obvious, make it easy to do. These are the vulnerabilities you have. And I think organizations are doing a better job with that and removing them and managing them. And third is, where did this software come from? Can I trust it? These things need to be much better in organizations and kind of industry wide. And we hope to help with those three problems specifically in the future.

Swapnil Bhartiya: While we do talk a lot about security, I feel that we are getting better because I remember three or four years ago, we will hear about Target got hacked or compromised. We do hear like the SolarWinds thing happen once a year, but we don’t hear those scary stories that much these days, even with log4j. But we did not see the compromise that happens with a lot of things. So I do feel that things are getting better. It could be because the open source has been used and open source communities are fast to patch. It depends on whether you’re implementing the patch. But have you seen some improvement? You said there is a lot of awareness there, but have you seen some changes, improvements that you feel that people are doing the right thing, you are helping those folks to improve their security posture?

John Amaral: Yeah. Well, there’s a lot of folks in companies like Slim right now that are putting their attention into this kind of software composition, software integrity. And several other companies out there and open source projects like Sigstore and others that are really trying to address it. So I’d say that the software industry at large is investing and the investors behind the software industry are investing money to build better here. And I’m a benefactor of this movement in my company. And it’s exciting. So I think there’s a ton of money coming to this phase. Open source is fantastic in that, well, the software is there for the people to see and patches happen fast, like you mentioned.

And so this kind of open record, right, the ability to access the software, understand it and see it deeply and be able to improve it quickly, I think is also great. And I think that in general, people care too about the integrity of these software packages. I think that as a baseline is super important and are two good signs I see that are kind of contributing to, I think, a brighter future. There’s risk though because I think still the practice of doing this in a very, I’d say deliberate way across the better portions of software building in the world is not yet there. And I think we’re seeing the leading edge of some of these exploits. I think software supply chain attacks are typically sophisticated, right?

There’s a lot of work there to do. So I think that’s a high bar for bad actors to jump over. Because if you ever read the details of some of these attacks, I mean, they’re pretty detailed, pretty sophisticated. So I think you don’t see a lot of them at least visible because either we didn’t hear about them because they were kind of not public purview or the relative complexity of the attacks makes it hard to have a lot of them. But that being said, I think that it is a pretty scary way to exploit the software and it’s a rich target. So I think we need to be vigilant. I see improvements and I also see investments. So those are usually the signs that we’re going to improve.

Swapnil Bhartiya: John, thank you so much for taking time out today. And of course, I send congratulations for the funding round and talk about security in general. And of course the work Slim.AI is doing not only in helping developers in their journey, but also improve the security portion. Thanks for those insights. And as usual, I would love to have you back on the show. Thank you.

John Amaral: Always a pleasure. Love your questions, love the interaction. I think it’s always a good time and I appreciate it. Come back anytime you want me to. Thank you very much. Yeah. I mean consistent with our mission to make software that helps developers build better cloud native applications. I mean, the interest around developer-first companies is super high right now from investors. We’re a company that’s focused on empowering developers to build more secure and more optimized containerized applications. And that resonates with the market and with developers. And we’ve had some good traction with our open source software and our free SaaS software that’s in early access now. I think from a market perspective, a lot of stars are lining up for companies like us who have this mission and these capabilities. Gartner recently reported that 45% of organizations have experienced attacks on their software supply chain.

We know that there’s a lot of effort by development organizations to be more productive. And so this combination of developer productivity, aspirations and software supply chain risk have driven a really exciting space for us. And we’re really positioned at that intersection between developer productivity and security. And our investors have recognized the kind of market shifts towards these values. And of course our users have proven that we’ve been able to deliver value. So the combination of this kind of like really exciting time, market, interest in software supply chain security, and developer productivity has kind of built a good foundation for our business. And we hope to continue to deliver value to those folks.
