
Cloud Security Today
The Cloud Security Today podcast features expert commentary and personal stories on the “how” side of cybersecurity. This is not a news program but rather a podcast that focuses on the practical side of launching a cloud security program, implementing DevSecOps, cyber leadership, and understanding the threats most impacting organizations today.
Iron Maiden and cloud security
In this month's installment, Toni De La Fuente shares his journey into cybersecurity, detailing his early experiences with computers and his passion for hacking. He discusses the creation of Prowler, an open-source cloud security tool, and its differences from commercial solutions. The conversation explores cloud security challenges, the importance of open-source solutions, and the dynamics of scaling a startup. Toni also emphasizes the significance of passion in one's career and offers advice for aspiring tech professionals.
And yes...we also talk about his LOVE for Iron Maiden ;-)
Matthew Chiodi (00:01.058)
Toni, welcome to the show.
Toni De La Fuente (00:03.065)
Thank you. Thank you Matt for having me here.
Matthew Chiodi (00:06.638)
Well, I'm looking forward to this. You as the creator of Prowler, I've actually wanted to speak with you for a while. It's a name that's become quite, I think, significant in the area of cloud security. But before we talk a little bit about what Prowler is and things like that, maybe take us back a little bit. Everyone has a back story, something that attracted them to cybersecurity and hacking. How did you?
How did you first get into this whole world?
Toni De La Fuente (00:38.159)
Well, that was long, long ago. I got my first computer when I was 10, probably at the end of the 80s. And after, and I got impressed because it was like, wow, this is amazing. And for some reason it was a really, really bad computer that I couldn't even run games. So when you are like 10, 11, you only want to play games, but that computer, it was really bad one for games. So I,
only had the chance to type commands, play with stuff, and it came with DR-DOS instead of Microsoft-DOS. What happened is that at school, at the summer school, I learned MS-DOS. And when I came back home, I was trying to practice and nothing worked, or not exactly the same way. So that made me think and go to read the DR-DOS handbook.
of course in English and you can imagine in the south of Spain, young guy trying to read an English user manual so it didn't work but it was like a very big challenge but like fast forward few years later I started working I studied like professional high school for computers and I started working with 19 when I was 19
Matthew Chiodi (02:00.312)
Hmm.
Toni De La Fuente (02:05.482)
And also I remember a colleague by that time gave me a book called The Cuckoo's Egg. I don't know, you know the book? Yeah, me too, me too, I have it here. Yeah, it is. It's probably the first hacking books, right? And it was like, wow, I want to be a hacker. I wanted to be, you know, Cliff Stoll.
Matthew Chiodi (02:13.27)
I have that right here on my shelf, right here. It's a great book.
Matthew Chiodi (02:22.915)
Yes.
Matthew Chiodi (02:29.07)
That's right.
Toni De La Fuente (02:30.314)
And for that, somebody told me that you need to learn, if you want to be a good hacker, you have to learn Linux. And I said, okay, let's do Linux. And like the year after that, I moved to Madrid. I'm from a very small town next to Granada, south of Spain. Then I moved to Madrid, which is the largest city in Spain. There, in Madrid, I could find a very good...
Matthew Chiodi (02:49.198)
Okay.
Toni De La Fuente (02:59.298)
colleagues that they were teaching me a lot of things for sign OS, then Solaris, then I joined some hacking, but kind of social hacking teams and where we were learning a lot about Linux and wifi networks, social wifi networks by that time. And I learned a ton and it was like, wow, this is what I want to do forever because it's like the infinite knowledge, right?
Matthew Chiodi (03:10.883)
Hmm.
Toni De La Fuente (03:29.15)
And as a self-taught person, it was like, okay, now I have my peers here and I can keep learning and teaching. So actually I did my first talk about FreeBSD when I was 21. And I didn't know about FreeBSD, but nobody else knew, so.
Matthew Chiodi (03:41.838)
Hmm.
Matthew Chiodi (03:46.958)
That's right. I love that.
Toni De La Fuente (03:49.08)
That was my first years in hacking and computers and I enjoy a lot, yeah. Still enjoying a lot.
Matthew Chiodi (03:57.848)
That's amazing that you had such a drive for knowledge as you're reading a manual, which even if somebody was a native English speaker would have been difficult. How old were you, you said, when you were doing that?
Toni De La Fuente (04:12.078)
I think I was eleven.
Matthew Chiodi (04:14.626)
my gosh. So not only are you, you're not even a teenager and you have this drive to understand. Sure. I got to give it to you. That's pretty amazing. I, I thought I had drive, but I was at least reading in as a English speaker. So that's just, that's amazing.
Toni De La Fuente (04:18.382)
You
Toni De La Fuente (04:29.247)
But now I have kind of bittersweet memory about DR-DOS.
Matthew Chiodi (04:37.986)
What is, what, I have to admit, I'm not, what DR-DOS, what is, what is that? That like, so that was the predecessor of.
Toni De La Fuente (04:41.838)
Digital Research DOS. Yeah, I think so. I didn't know. I knew about that way later.
Matthew Chiodi (04:48.96)
So, okay, if you're listening, yeah, I'm going to have to Google that after the show. But for those that are listening that are probably have, don't even, don't even remember DOS, you'll have to go and ask ChatGPT about DR-DOS versus MS-DOS. And it'll take you probably five minutes to figure that out. But well, that's really, I love that background. Now before Prowler, which we're going to talk about in a minute, you worked on some earlier open source projects like
Toni De La Fuente (05:02.273)
Yeah
Matthew Chiodi (05:17.58)
phpRADmin. And it looks like, at least from what I could tell, that you were purposely trying to compete with some commercial offerings. I don't know if that's true, but that's the way it looked to me.
Toni De La Fuente (05:27.884)
Well, you know, when you start with Linux, you always have, you know, Microsoft in mind back in the days. Nowadays, everything's the same, right? Everything is the community is pretty much the same. But back in the 2000s, I remember I was working for a very large telco company here in Spain. I was seated in the operations room in the SOC. Now it's called SOC, but by that time it was called whatever else.
And next to me, right next to me, there were the guys of access, you know? I was doing web security, but the guys next to me were doing like network access. And they were managing some software called Juniper. And they say, wow, this software makes a lot of things for RADIUS to access networks. And it's very, very expensive. And by that time, I was dealing with my own time with this.
Matthew Chiodi (06:20.461)
Hmm.
Toni De La Fuente (06:24.534)
Wi-Fi social networks building our own internet using Wi-Fi networks. And I said, wow, Wi-Fi has important security issues back in the days. We remember the days of WEP, right? Web encryption protocol. But the only way to make that more secure was with EAP, was Enterprise Authentication Protocol, I think it was the name, with...
Matthew Chiodi (06:30.445)
Hmm.
Matthew Chiodi (06:38.313)
WEP, yep, yep.
Matthew Chiodi (06:50.859)
Remember.
Toni De La Fuente (06:52.546)
public infrastructure or with MD5. And I said, okay, what if I create an open source solution to make those insecure Wi-Fi networks more secure based on this very expensive software, I mean, inspired by this software, Juniper. And that is why I started, learned about RADIUS. I learned that there is an open source project called FreeRADIUS. Many, you know, with OpenSSL,
You can create a public infrastructure kind of CA. And with PHP, I started writing all that stuff. But it was really hard to install because they have many different components. So I learned also about Linux. Remember that project called Linux from scratch?
Matthew Chiodi (07:41.933)
Mmm.
Toni De La Fuente (07:43.694)
So with Linux from Scratch, you can, by that time, I don't know if it's still working, but you could create your live CD. So I create phpRADmin live. You introduce the CD in your computer with a couple of Wi-Fi antennas or connected to your Wi-Fi access points and create a mesh of your secure Wi-Fi network with public infrastructure.
Matthew Chiodi (07:51.851)
I remember that. I do.
Toni De La Fuente (08:10.583)
creating the certificates, installing certificates in the customers. It was a bit of a mess, but it worked. And I learned a lot about security, of course.
Matthew Chiodi (08:20.257)
So with.
Matthew Chiodi (08:23.937)
So lots of trial and error. Then, you know, phpRADmin, which is an awesome name. I love that. So it looks like you were competing with Juniper, right? Was Juniper the main competitor there? Or?
Toni De La Fuente (08:36.301)
Yeah, I mean, it was the only product that I knew that they were doing more or less the same, but probably there were many, many others. I mean, and to call PHP, phpRADmin competitors of Juniper is way too much, but I try.
Matthew Chiodi (08:54.861)
I love that. I love that. And so, you know, you've had this long history with, with open source and now let's, I want to hear a little bit more about, Prowler. So you've got a great background. You're at AWS for a while. You obviously have been in cybersecurity for a number of years. Tell us a little bit about, you know, if someone's not heard of Prowler, maybe they're familiar with some of the big names like Wiz and things like that. What's the difference? This is probably a question that you get all the time. What's the difference with Prowler and Wiz? Like what's
What's the delta?
Toni De La Fuente (09:26.123)
Well, we do exactly the same important things. I mean, the main cloud security problems, you can solve them with Wiz, but you can solve them also with Prowler. Now, with that said, of course Wiz is a huge platform. It does a lot of different things. It's a complete CNAPP platform. Prowler is more like a CSPM. We do a few more things than just a CSPM, like a cloud security posture management, right? And Wiz does
of course many other things. They have a great product. What I wanted to do when I started Prowler was to solve a problem that I had. And at the same time, I realized that I had many other practitioners. So I was working for a company and I realized that there was not easy way to first know what you have. So having visibility of what you have in the cloud. And second, fix it or tell others how to fix it.
and to understand the security problem, the risk and then the hardening part. And I said, okay, I'm going to do this, but I'm going to do it once. I'm going to automate the process of hardening, right? And I started writing some scripts, I started with AWS and I realized that, hey, doing these scripts, I'm learning a lot about cloud security. I'm learning everything about S3 security. Everything about, I mean, not everything, but...
you get the point. Everything about EC2 security and EC2 is a huge service because you have AMIs, have security groups, have VPCs, Elastic IPs, a lot of different things, networking, virtual machines, a lot of things. So I'm writing those checks. It was like a very easy way and very fun way for me to learn security and hardening.
So I, and I decide to say, okay, if this is being helpful for me, so let's make it open source and make it also helpful for others, right? And that is why I decide to make it open source in GitHub. And I put in a cool name like Prowler, that is the first song of Iron Maiden's first album. It's my favorite band all times. Actually, I'm going to watch them in a month from now.
Matthew Chiodi (11:49.345)
Nice. How old, just by the way, real quick for those, again, I always have to remember that I'm getting to be one of the older guys, you know, in the industry. I think you and I are probably pretty close in age. When, how old would the guys from Iron Maiden be now?
Toni De La Fuente (11:50.379)
in Madrid, yeah.
Toni De La Fuente (12:04.045)
Steve Harris, the lead of the band is 70 years old now. of course, and they do it very well. And actually their first album that is probably the first song is Iron Maiden with the same name album, was releasing...
Matthew Chiodi (12:12.703)
He still rocks it out?
Matthew Chiodi (12:16.783)
my gosh, that's impressive.
Toni De La Fuente (12:26.797)
Then the year I got born, so in 1979, something like that.
Matthew Chiodi (12:29.644)
You
Matthew Chiodi (12:34.476)
I love that. I love that. All right. I know we went off topic a little bit, but I had to, I had to ask given the name of the product. So.
Toni De La Fuente (12:37.965)
Yeah.
Matthew Chiodi (12:41.546)
So again, Prowler can do a lot of the same things that a Wiz can do. I know that a lot of the commercial products, especially if somebody is in a small or medium sized business, they can be cost prohibitive. Not only the cost, and I know this from being at startups for a couple of years now, not only are they cost prohibitive, but a lot of times they take a dedicated team to get the most value out of those tools.
How is, you know, how is Prowler different as an open source tool? Is it something that requires a whole team to get value out of it? What is that? What's the practicality of it?
Toni De La Fuente (13:16.683)
Yeah, and that is a very good point because in the, let's say, enterprise world, so you have a problem and you have to go through different solutions, procurement processes, long, very long sales processes, and then you get the solution, right? With open source, open source is the enabler of immediate solution, let's say that way. So with Prowler is that, so if you think about,
Matthew Chiodi (13:36.172)
Hmm.
Toni De La Fuente (13:45.129)
what are the top five security problems in the cloud, you can solve those top five problems with Wiz, with Prisma Cloud, with Orca, with Lacework, you name it, but with Prowler as well. And you have those problems today and you can fix those problems today with Prowler as well. I mean, the top five today, unfortunately, are exactly the same top five as
five years ago, most likely. And that is because of the lack of, you know, open source players most likely, because as you said, so you don't have to go through 100K, 200K subscription if you want to solve. I won't say low hanging fruit, but even low hanging fruit. So with Prowler, I wanted to give a solution, easy to use solution for everybody, any practitioner.
Matthew Chiodi (14:15.66)
That sucks.
Toni De La Fuente (14:44.46)
From the CLI, because Prowler started as a command line interface for AWS, but now it's multi-cloud, but also now the whole platform. And you can use it either on-prem. I mean, you can use it, install it in your own cloud or locally, the whole application, or come to our cloud service if you don't want to run it. So from the need to the solution is five minutes instead of whatever else, right?
Matthew Chiodi (15:14.796)
That's impressive. Cause like you said, if you're, if someone's listening to this and they're working in, you know, a Fortune 2000 enterprise, they typically have a procurement cycle that could take months. Then you add the POC on top of that. And then all the decision-making and you're easily can be looking at six to nine months before someone can get value. So this sounds like something that if you know, a listener, you're thinking, Hey, maybe we already have a tool. Maybe we're thinking about.
renewals, this could be a great opportunity to take a look at Prowler as something that you can get immediate value from. One thing I want to go back to Toni that you said is you said the top five things that are causing incidents in the cloud today are likely the same things that were five years ago. What are you seeing now? If you had to come up with the top three, what are the top three in your book? What do you see?
Toni De La Fuente (16:11.692)
Misconfigurations, right? In identity and access management and also with the new services that are always releasing new services with a lack of security best practices or lack of security best practices applied by default. And this is happening because of probably the most important challenge in the cloud that is the shared responsibility model, right?
Matthew Chiodi (16:13.408)
Hmm.
Toni De La Fuente (16:41.386)
You know, you have worked on, you're working on cloud. I've been working on cloud on big vendors and they are always talking about the shared responsibility model. And we all are all the time failing. Why? Because there is not such a thing. I mean, you can talk about security of the cloud, security in the cloud, all that stuff, but you go to the, let's go to AWS console, wherever, but AWS console.
Matthew Chiodi (16:58.252)
Mm.
Toni De La Fuente (17:10.12)
And most likely that every click that you make in the console has a different position in the shared responsibility model. So now explain to some new company that is bringing everything to the cloud, explain the difference in the shared responsibility model of Aurora versus EC2 or versus Lambda function, right?
Matthew Chiodi (17:17.515)
Hmm.
Toni De La Fuente (17:39.325)
And it's like, okay, do I have to take into account the programming language, even the version of Python on my Lambda function? It's hard to understand. So the way, and that is why it's important open source and it's important open knowledge and to share this information. Something that I like to say is if Prowler can detect it and can help you fixing it, it's your responsibility.
Matthew Chiodi (18:07.103)
Hmm.
Toni De La Fuente (18:08.66)
And, but even for the cloud providers, sometimes they need us, the open source communities and even the products, any cloud security vendors as Prowler is now or Wiz, Palo Alto, to specify, hey, this is what you have to take care of. And it's hard, it's difficult for the users. So that is why open source is very important for those providers actually.
is the way that they can tell, and actually AWS does this and many other infrastructure providers like run Prowler and you will see, right? And something that we want to do in Prowler is like, because we have realized that some companies, any size from Fortune 2000s to SMBs, they run Prowler and they realize how good or bad they are in their security posture.
and they go to find a solution or find a continuous monitoring solution. And that is why I started Prowler as a company. I said, okay, do that with Prowler, but stay with Prowler, right? Now, even managing by yourself or you get the subscription with us.
Matthew Chiodi (19:20.276)
Hmm.
Matthew Chiodi (19:29.355)
So anytime, you know, this is somewhat of a common story where someone's passionate about solving the problem there. You know, they've write some code, they share it on GitHub. It gets popular because guess what? There's product market fit. Right. And it requires though, my understanding a lot of times. So I know that today.
what started as a single person project just for you. You now have a team of about 20 people in your startup on the commercial side of this maintaining it. Just talk for a minute about, and just because I'm curious, I know this wasn't what we talked about beforehand, but how much time did it take for you, if you had to average out on any given month, how much time were you spending when it was just you maintaining Prowler?
Toni De La Fuente (20:14.731)
Before I started Prowler 2016 as a few scripts that they became like Prowler the tool, an average of, I'm not kidding, not kidding, an average of 12 to 16 hours per day. Per, yes, because yeah, so at the beginning it was, I had my day work, then I...
Matthew Chiodi (20:33.077)
per month or per week. my gosh.
Matthew Chiodi (20:41.706)
Right.
Toni De La Fuente (20:43.707)
I have been doing marathons, triathlons all the time in the last 15 years. So after work, I have my workout, then I came back home and I started coding or solving issues on GitHub or reviewing pull requests, all that stuff. At the beginning, it wasn't very intense, but for example, when I was working at AWS, I remember AWS is a great...
Matthew Chiodi (21:07.294)
Hmm.
Toni De La Fuente (21:11.977)
place to work and for me it was like a kid in Legoland, right? But Prowler was my pet project and after work I had to take care of Prowler, keep adding more features, reviewing stuff. I remember to be months and months working. It was like day job, Prowler, dinner, sleep, day job, Prowler, dinner, sleep for very long, long, long, long time.
Matthew Chiodi (21:21.289)
Right.
Toni De La Fuente (21:42.22)
And when I have the opportunity to say, okay, let's try to do this full time and see how far we can go with making Prowler a company, right? And that is what we are doing now. But yeah, it was like having a successful open source project with just one person, with a large community, but one person as the main person is tough, it's tough. Rewarding, if you love it.
if you are passionate about it. So I don't regret at all, but it's tough. You have to love it.
Matthew Chiodi (22:19.017)
Yeah, that's not spending that much time per day outside of your regular day job is impressive. And so now you're at this point where you've scaled this company up to 20 employees. Now, how are you managing the growth? And specifically, how are you balancing? You still have the open source product. Now you have this commercial version as well. How are you thinking about growth? What does success look like for you in terms of scaling Prowler now?
Toni De La Fuente (22:48.789)
Well, it's to keep the team engaged, to keep the team understanding how important is what we are doing. Honestly, having a project and a company like Prowler nowadays is kind of a blessing because if you're a developer or a cloud security developer and every line of code that you type in a couple of minutes or even two days, whatever, 100.
Matthew Chiodi (23:05.771)
Hmm.
Toni De La Fuente (23:18.795)
if not thousands of people are going to use it. And it's amazing, right? And I tell that to in product from the, you know, the most experienced engineers to the junior engineers, they say, okay, we have huge responsibility, but it's an amazing responsibility to have. to have everybody understanding our strategy is key, is what it makes me more...
Matthew Chiodi (23:22.73)
Hmm.
Toni De La Fuente (23:48.876)
not nervous, but it takes me more time to explain and to be on top of everything all the time. Trying to grow that team. Even if you want to grow very fast, this is not possible because hiring takes time. yeah, from two or three that we were before, because the first engineers I hired were community engineers, community people.
Matthew Chiodi (24:05.341)
Hmm.
Toni De La Fuente (24:17.055)
Pepe, Sergio and other engineers, they were here in Spain and that made everything easier for us. But at the same time, we have people now in five time zones plus community contributors. And that is, I mean, I would say it looks like very difficult, but we are used to that difficulty. So it's like we are...
Matthew Chiodi (24:42.792)
Hmm.
Toni De La Fuente (24:44.543)
Difficult native? I don't know, that doesn't exist. But you know what I mean. It's it's hard. But when you do that from the beginning, it's like, okay, this is how it works. So we have to work with multiple time zones, like type of async type of job sometimes. Trying to make sure that everybody is aligned, not only.
As I said, employees, Prowler employees, but also the community. So that is, for example, one of the reasons that we have our roadmap public. And some people get very impressed that we have that public when Cloud Security is like a race to be smarter than anybody, right? And we want to be not smarter than everybody, but also open, more open than anybody else. And that is why we want to
move from easy to use CLI, command line interface for cloud security to an easy to use platform for cloud security.
Matthew Chiodi (25:49.567)
What was the motivation for making your product roadmap public? Because I know that a lot of companies, they, you know, you'll get into a sales pitch and maybe the second, second time you talk to a vendor, if you ask them, if you say, Hey, I want to see a preview of your roadmap, they might bring a product person on and they might show you one or two slides and it's 10,000 feet up in the air. It's very generic. So I'm curious, what was your motivation for making your roadmap?
public, right? Because essentially, are giving to somebody that could be your competitor. You're telling them essentially the direction you're going in. That's kind of the competitive angle. But for your customers, people that are using your tool, that's a massive benefit, at least from my perspective. But talk with us for a minute. What was the motivation for making it public?
Toni De La Fuente (26:36.746)
There are two main reasons. First, that if our competitors, they want to be open source, it's good so we can all take advantage of each other, right? Like hundreds of companies are taking advantage of Prowler and it's fine. It's the price to pay being open source and it's good. If only if 10% of them give us feedback or make any contribution, they make Prowler better, right?
So you know how hard it is to get feedback when you write software. So there are many companies even paying for feedback and we get feedback for free because we are open source. That is gold. That is gold. And at the end of the day, having a public roadmap, allowing third parties, customers, users.
opportunities, know, sales opportunities that we have, are talking to, you know, opportunities and they say, guys, I want to have single sign on. And they say, well, we are working on that. So you can see it here, or we are going to start working on that in the next quarter, you can see that here. Or if you are a big company or somebody that you want to contribute, hey, do you want to contribute with us? Pick something that is here with a high vote, because you can vote to ask for features.
And it's a matter of, yeah, that openness is not only about Apache license, it's about the way of working and the way of making software and making money because don't forget that we are talking about making a business, right?
Matthew Chiodi (28:20.564)
So when we started out by talking about the fact that the top five have been the top five probably for the last five years in cloud security, when you look at somebody who's very closely connected to cloud security, when you look at the current conversations that are happening around cloud security, what's maybe something that you feel isn't being talked about enough? Maybe what's an area that's being overlooked you don't see in the conversation that's happening?
Toni De La Fuente (28:48.712)
Something that I see happening in large corporations, even governments or big companies, and small companies as well, unfortunately, is that they are moving to multi-cloud. Like multi-cloud is, okay, yeah, I need to put my eggs in different baskets. Okay, it's like, it's a good practice. And I don't think it's a good practice. The good practice is using one cloud well. Because one cloud is very difficult to learn.
whatever cloud is, very difficult to understand. And if you go to Kubernetes and they said, no, move everything to Kubernetes because it's easier to move to multi-cloud and it is not, it is not. Somebody has to tell you, don't do it. It's very hard. It's very hard to secure. It's very hard to have the visibility of that security and it's very hard to migrate, move all the stuff I'm going to tell you. So, now,
If you are kind of a mid or large size company, try to hire somebody that knows security in any cloud. Try. Now make it happen. All that stuff is very hard. So let's try out of the box, try to do easy things. A multi-cloud is not easy. Not for us as a security vendors, we have to provide multi-cloud solutions, all that stuff, and it's fine. We have to, but I'm talking about the consumers.
Matthew Chiodi (30:17.609)
Hmm.
Toni De La Fuente (30:18.602)
Don't do multi-cloud if you don't have to because there is some sort of regulation that is forcing you to do so. Doesn't make any sense. It's very expensive, it's hard, and you don't need it. It's better if you use Azure, if you use Google Cloud or AWS or whatever, use a proper multi-region deployment that is going to be good solution for you in 99.9% of the times, right?
That is what I said that is, I will say that is something that I see companies and governments moving to multi-cloud with no reason. It's like, no, it's just in case. Just, yeah, just in case. If AWS goes down, you won't care anything. Right? So just in case what? Just in case we don't have internet.
Matthew Chiodi (31:05.906)
Yeah.
Right, right. If AWS goes down and you're even if you're multi-cloud with Azure or something else, they're going to be impacted likely as well if AWS actually went down.
Toni De La Fuente (31:18.538)
Exactly, exactly. So it's like what happened here in Spain like a month ago or so with the blackout. It's like, okay, yeah, well done with your multi cloud strategy, but no power.
Matthew Chiodi (31:26.249)
Hmm.
Matthew Chiodi (31:34.598)
I think you make a really good point in that I think the desire to be truly multi-cloud is, I don't know, I guess it's a good thing, but it's likely a major over-complicating factor, right? Because like you said, each cloud itself represents so much complexity.
And then when you add a second cloud, it's not just one plus one. It's probably one to the 10th power, like more complexity. And it's really difficult. As we said, misconfigurations remain probably the top issue in cloud. And I would imagine, I don't know if there's ever been, I'm trying to remember if back when I was at Palo Alto, if the threat research team, if we ever compared, you know,
misconfigurations, you know, looking at, and honestly looking at customers just to see like those that are multi-cloud, if they have a higher level of misconfigurations versus ones that are just single cloud. If you're listening, Palo Alto, that might be a really cool threat research study to do. But I would guess that it's going to be higher simply because again, you're just having the additional complexity.
Toni De La Fuente (32:34.708)
Mm-hmm.
Toni De La Fuente (32:41.48)
Yeah, the attack surface becomes larger even if you don't do much, right? Even if you only have one subscription in Azure, you have something that somebody can go through,
Matthew Chiodi (32:56.969)
I love that. I love that. That's a really good point. So it's like, don't just do it because it's cool. You want to make sure that you actually have first and foremost, a well architected framework in the cloud you're in. And then maybe once you can prove you can do that well, if you can, and you're doing it really well, then maybe you get to that point, right?
Toni De La Fuente (33:15.816)
Yep, yep. And also have that under control with your proper measures, your proper remediations or auto remediations, real-time detections. There are many different things to do to have a properly handled cloud security. So many different things. And it's hard in just one cloud. So if you add other cloud, it's like too much. And we are not talking about AI yet.
Matthew Chiodi (33:38.89)
Well, no interview would be complete without it. I'm just curious from your team, you mentioned that you were spending 12, 15 hours a day. A lot of that was coding. I'm curious now for your team, what
How are you guys thinking about, not AI in the product, let's talk about how you use AI to create the product though from a coding perspective. I've listened to a number of different founders who have said, and they can say whatever number, I don't know if it's true. Some of them are saying they're now at 25%, 40% of their PRs are being done by an agent. What are you seeing from a reality perspective? You still have a fairly small team with 20 people.
How are you guys thinking about leveraging agentic AI from a coding perspective?
Toni De La Fuente (34:25.843)
That is a very good point. I love that you are asking this because we had actually last week a very long conversation internally about this. So we have become, I mean, we are 20 people, but we are releasing new versions, new features every week. Of course we use, for example, most of our engineers are using Cursor, right? With AI and that makes, if you have played with Cursor, developing whatever in Python or whatever else.
you fly, right? It's like a lot of, you add a lot of speed to your development, but the problem is not what you create. Because this is like adding, you know, a bunch of code into your product. It's about testing that properly. It's about integrating that properly. It's about testing, integrating and deploying that properly.
Matthew Chiodi (34:56.329)
Mm.
Toni De La Fuente (35:24.239)
And that is in some cases, but not many cases possible with AI. But in our case, that is a big problem. I wouldn't say problem, I'm going to say bottleneck. Because you have to do your integrations and many, you can automate many different things. When you, so for example, I'm going to give you an idea as an open source project, but this can happen even if you are not an open source project or company.
Matthew Chiodi (35:37.853)
Hmm.
Toni De La Fuente (35:53.992)
Somebody sends you a pull request with something that is helpful for them. And that person has the need of that feature, but not necessarily the knowledge of how to code that in whatever programming language. And they send you like 15 files with more than 2000 new lines. So ask the AI to fix that.
Matthew Chiodi (35:57.929)
Hmm.
Toni De La Fuente (36:21.649)
or to understand that there is no way. So you have to put an engineer that has his or her own things to do every day to review a 2,000 lines pull request. That they are not coming in from a person. I mean, it's a person who opened the PR, but it's a person with AI, right? That adds a lot of complexity to every project.
Matthew Chiodi (36:22.761)
Yeah.
Toni De La Fuente (36:47.337)
because it needs time and you cannot trust 100% everything because part of our responsibility as a cloud security company and cloud security platform is to review everything. We have governments using Prowler and we have to take care of every single line of code that comes into Prowler. We have to test it, we have to review it and we have to make sure everything is working properly, right? And even with that, you have bugs because it's software, but that is the most important challenge and hard, the harder challenge that we have nowadays with AI. And these are an open conversation and discussion that I had with a lot of other founders, engineering managers and developers, because it's hard. It's an unsolved question.
Matthew Chiodi (37:33.345)
I like that. I, I don't know if you listened to Lenny's podcast, but it's a great, great podcast. And he had on the founder of, I've got the actual name of the company, but they have a product called Devin, D E V I N. And it is essentially an agent that helps developers automate a lot of coding.
And one of the things he said that really stuck with me from that interview, I listened to it two or three times because it was just, it just blew my mind in terms of where we are at today with agents around code was he said that even with as good as AI is with coding, right? And you still have to think about it from the perspective of solve, take, do this task. If you ask AI to solve this problem, whatever it is, it's not going to do a good job at it. But if you, as the engineer or the architect,
have already defined the problem. If you can give AI solve, these tasks that are associated with the problem, it will do very well at that. But I think this is where the conversation comes in around developers, which is if you give a junior developer AI, is that helpful? Versus if I give it to a very senior engineer, is it even more helpful? So I know we're kind of going down the rabbit hole on this, but I'm just curious, what's been your experience around that dynamic?
Toni De La Fuente (38:53.765)
I mean, the other day talking to one of our frontend engineers, he said, yeah, I fly, but sometimes I shouldn't fly. It's like, we should be slow at creating code to make sure we have the time to review in that code. I mean, yeah. So the good thing of all this stuff about AI at building software is that we are in very, very early days.
Matthew Chiodi (39:02.888)
Mm.
Toni De La Fuente (39:23.689)
So we will see, regardless there are models that they can do a lot of things, but, and platforms like Bolt or many others that make all that stuff that they work very good, very good. But as you said, from having the opportunity to explain the problem to having a proper solution, as we understand software nowadays, I think we need more time.
And AI, of course, is changing the way we make software. The big change is to come, I guess.
Matthew Chiodi (40:03.912)
So you've been very successful in your career so far through a lot of hard work, a lot of hard work, as we've heard. What does success mean to you personally, though? Beyond your achievements with Prowler and some of the other things you've done professionally, what does success mean to you?
Toni De La Fuente (40:22.696)
I guess is waking up with a reason, right? Waking up with a goal every day with a mission, I will say. That sounds even more bigger, right? That is the most important thing. So if you have something to do for the world to make this...
something better to make internet better, is, or clearly what we do or what I want to think we do to make the internet better for more and more people. That is the most important thing. If you want to think you are doing cool, right? So whatever it is for us is making the cloud more secure. That is one thing. Another is
Yeah, to have passion for what we do. So if I wake up one day and say, for I don't want to do this, that is what that is over. So I should do something else. But I love to have this opportunity at Prowler. Of course, it's an opportunity that we have been working and digging, you know, every day. But yeah, keeping that passion is what makes me feel that this is.
happiness, this is the only way you have to put so many hours, right? Otherwise, it doesn't make any sense.
Matthew Chiodi (41:57.875)
I love that. I love that. Yeah, you cannot. I've been in that place in my career before where, if the focus is primarily money, you can only go so far. You can only push yourself so far, at least me personally. And I, but I think this is a, universal principle that if you're not doing it out of some sort of passion for something greater, you're likely going to burn out or just not do very good at the thing you're
you're pressing so hard against because you're doing it out of sheer will rather than out of something greater.
Toni De La Fuente (42:34.108)
Yeah. And even with that, you have ups and downs, right? Because life is very long, because weeks could be very long as well. But having that passion and that commitment is what makes you keep going every day, every day, every day, over many days, over many months, over many years. And that is the only thing. The only thing I believe is the way to go. It's not a matter of
Matthew Chiodi (42:37.928)
Sure.
Toni De La Fuente (43:04.294)
How old are you? It's not a matter of how many years you went to college or whatever. It's a matter of what you want to become as a professional, what you want to do in your life. Because at the end of the day, we can do a lot of things because we work, right? So we have the good luck of living in a world, in a side of this planet that we could
make our own life. And we don't get that responsibility. And this is important because in many other places in this planet, people have to do whatever they have to do, but they don't have any chances. And we do have chances. Even for me, in the south of Spain, that is not a big city or anything, I had that opportunity. Working a lot.
But for me, it wasn't working, it was having fun because I found what I wanted to do. But yeah, we have to be more responsible of what we do in this side of the world because we can choose it.
Matthew Chiodi (44:14.951)
So if you could give one piece of advice to someone who's starting their career in tech, maybe, I don't know if they're thinking about going down either cybersecurity route or maybe the open source route, what would that one piece of advice be?
Toni De La Fuente (44:29.18)
Well, like last year, a friend of mine invited me to go to a high school to do a small talk to the last year students. And I prepared like three superpowers that everybody has. The first superpower was learn a language. Learn a second language. I mean, if you speak Spanish, learn English. If you speak English,
learn something else, right? Chinese, Spanish, whatever. That is a superpower and that is in your hand. Nowadays, everybody can learn a second language with a cell phone. Of course, it takes time, you can do it. That is one superpower that works very, very well. The second is whatever you pick, pick many different things, but whatever you pick, put passion. Nobody can beat you if you are passionate about something.
because you are going to learn, because you are going to become not an expert, but to learn a lot. I don't think I'm an expert of anything, but I put a lot of effort and time doing my research and all that stuff. And that is a superpower. Nobody can take you that superpower out. And third, be organized. Write your things, organize your calendar, plan ahead.
Matthew Chiodi (45:46.257)
Hmm.
Toni De La Fuente (45:52.358)
That is very easy. It's a calendar. So everybody has Google Calendar or something like that. Everybody has a notebook. Take note of your things and plan your things. That is very straightforward superpower, but it's a superpower because if you plan things, you visualize what you plan and you can do it better. You can make it real. That is what I think everybody can do it. You don't have to be Albert Einstein or anything. You can just organize yourself.
Matthew Chiodi (46:23.643)
I love those. Those are three powerful things and they're really empowering because like you said, those three things are, I think available to probably 90%, maybe 95% of the global population. They don't require wealth. They don't require special access. And so I think those are our superpowers. I love that. I love those things. I love asking my guests these questions because you know, I'm always like, yeah, the most fundamental things, they make the most sense. And generally they're available to, to most people.
Toni De La Fuente (46:53.243)
Yeah, I will say, yeah, remember to compile the kernel with this and that option because that is going to make your kernel better in Linux. But no, it's not that far.
Matthew Chiodi (46:59.719)
Well, is there anything else I didn't ask you that you wanted to cover?
Toni De La Fuente (47:07.621)
Well, yeah, I think we covered a lot of things. So this has been a very, very good conversation. Thank you for this, Matt. I mean, I will say that we are building a lot of cool things at Prowler. Everything open source, everything for everybody to enjoy. We have, of course, Prowler that is open source. You can go to Prowler Cloud if you want to run anything, but you can also discover a new service that we have that is called Prowler Hub. It is at hub.prowler.com and it's our
It's like Docker Hub for Docker images, but for Prowler artifacts. So you can discover all our detections, our checks, also fixers, our remediations, also our compliance frameworks. Everything explained, it's like a knowledge base as well, because you can learn about EBS snapshots, how to secure the EBS and snapshots, and how to detect the security with Prowler, how to fix them, all that stuff.
or if you want to learn about ISO 27001 in the cloud, multi-cloud, you can learn that as well and how we do that in Prowler. That is Prowler Hub. Keep an eye into our repo because we are adding new features all the time. Feedback is very important for us, of course, to keep growing.
Matthew Chiodi (48:28.625)
Toni, thanks for coming on the show. This has been a great conversation.
Toni De La Fuente (48:32.475)
Yeah, likewise. Thank you. Thanks for having me.