VMblog had an opportunity to speak with Dennis Zimmer, co-founder and chief technology officer at Codenotary, to find out more about the company and what they've been up to lately.
VMblog: Before we dive into details, can you tell us who Codenotary is, what the company's mission is, and what you do?
Dennis Zimmer: We bring easy-to-use trust and integrity into software development and delivery. Our main product line secures the software lifecycle by providing end-to-end, cryptographically verifiable tracking and provenance for all artifacts, actions, and dependencies. It is the only immutable and client-verifiable solution available that is capable of processing millions of transactions a second. With the Codenotary tamper-proof software bill of materials (SBOM), users can instantly identify untrusted components in their software builds.
VMblog: You have different product offerings for Ops and DevOps. Do you believe enterprise organizations must address both Ops and DevOps together to achieve optimum security?
Zimmer: DevOps is a very important field to secure and enable zero-trust integrity for the entire software delivery, and our product to address that need is Trustcenter. But we also think that secure and tamper-proof change, configuration, performance and log management for infrastructure is just as important as the security of the software you build, deploy and run. Specifically to address Operations, we offer Opvizor Metrics & Logs, as well as Auditable Change Management (ACM).
VMblog: Codenotary started and maintains a very popular open source project called immudb. Why did you start it and how do people use it?
Zimmer: We were looking for a high-performance, immutable and verifiable database to support our own products that run on-premises and in the cloud. Blockchains are too slow, too complex and come with many regulatory and operational issues. So, we developed an immutable database ourselves and released it as open source to the public.

This database has built-in cryptographic proof and verification and will track any changes in sensitive data. With immudb, there's no need to trust the database because you can verify all changes on your own. It can operate either as a key-value store or as a relational database with built-in auditing.
immudb is used by thousands of different projects wherever trust and verification are of the essence, such as fintech, healthcare, manufacturing, and government. In India, for example, the Ministry of Housing and Urban Affairs is using immudb as part of its India Urban Data Exchange (IUDX) project to provide a platform to plan for the growth of their cities.
VMblog: Your latest product release is called Auditable Change Management (ACM) for VMware. What do you do differently than other change management systems?
Zimmer: Typical change management tools focus on tracking changes for inventory purposes. We want to make change management auditable, so all changes that happen are tracked immutably. Think about proving changes or non-changes to third-party vendors to reduce licensing costs.

ACM maintains an indelible, precise record of the VMware infrastructure configuration and resource usage, along with time-stamped changes, providing proof of compliance with licensing terms.
VMblog: More and more companies are starting green initiatives and want to save energy for various reasons. I noticed that you support customers on their journey. How?
Zimmer: For some time, we have noticed a steady increase in the number of companies that started "Green Initiatives" to reduce energy consumption, and now the suddenly rising cost of energy accelerates the need for change. In conversations with our customers, the visualization of performance and energy metrics is a very common request. Therefore, we added data collectors and dashboards around energy consumption and energy savings to Opvizor Metrics & Logs. That way, customers can see the impact of every configuration or power operation.
VMblog: When it comes to DevSecOps, and especially the notorious software supply chain attacks, what is your take on fighting these?
Zimmer: When we started development of Codenotary Trustcenter, we had three main topics in mind: ease of use, tamper-proof data storage, and integrated tooling.

Our customers can integrate our CLI in any CI/CD environment (or use it manually) to track and verify everything that goes into a pipeline, as well as track and trust (or untrust) everything that comes out. Our platform includes vulnerability scanning, code signing, a Software Bill of Materials (SBOM) and runtime enforcement. That way, you could block everything unknown in your pipelines, including the pipeline recipe itself, and make sure that everything built and deployed is based on a good version. In case a good version turns bad, you can remove trust in real time across all your infrastructures or stop it from being deployed again.
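The two ideas that recur in the answers above, a client-verifiable immutable record (the immudb answer) and a pipeline gate that blocks unknown artifacts and lets trust be revoked (the Trustcenter answer), can be shown together in a small illustration. The following is an added example written for this page, not Codenotary's, immudb's or Trustcenter's code, and it assumes its own hypothetical format: an append-only ledger of (artifact SHA-256, status, actor) entries chained with SHA-256 over the previous entry's hash, which any client can re-verify from a fixed genesis value. The sample artifacts are constructed byte strings standing in for build outputs.

```python
"""Added example (not Codenotary's code): a hash-chained, append-only trust
ledger that a client can verify on its own, plus a deploy gate that refuses
any artifact whose latest ledger status is not 'trusted'.

Assumptions (mine, not from the interview): entries are dicts chained by
SHA-256 over the previous entry hash; an artifact is identified by the
SHA-256 digest of its bytes. This mimics the 'trust / untrust / block the
unknown' idea and client-side verification; it is not immudb's or
Trustcenter's format.
"""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # fixed starting hash every verifier knows


def _entry_hash(prev_hash: str, payload: dict) -> str:
    # The hash covers the previous hash and a canonical JSON encoding of the
    # payload, so editing, reordering or dropping an entry breaks every later hash.
    data = prev_hash + json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


class TrustLedger:
    """Append-only log of (artifact digest, status, actor) records."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, artifact_sha256: str, status: str, actor: str) -> dict:
        if status not in ("trusted", "untrusted"):
            raise ValueError("status must be 'trusted' or 'untrusted'")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {"artifact": artifact_sha256, "status": status,
                   "actor": actor, "index": len(self.entries)}
        entry = {"payload": payload, "prev": prev,
                 "hash": _entry_hash(prev, payload)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Client-side check: recompute every hash from the genesis value."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["payload"]["index"] != i:
                return False
            if _entry_hash(prev, e["payload"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def status_of(self, artifact_sha256: str) -> Optional[str]:
        """Most recent recorded status for an artifact, or None if never seen."""
        for e in reversed(self.entries):
            if e["payload"]["artifact"] == artifact_sha256:
                return e["payload"]["status"]
        return None


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def deploy_allowed(ledger: TrustLedger, artifact: bytes) -> bool:
    """Gate: refuse if the ledger fails verification, if the artifact is
    unknown, or if its latest status is 'untrusted'."""
    if not ledger.verify():
        return False
    return ledger.status_of(digest(artifact)) == "trusted"


def demo() -> dict:
    # Constructed sample artifacts standing in for pipeline outputs.
    good = b"app-v1.2.3.tar.gz contents"
    unknown = b"never-notarized.tar.gz contents"
    ledger = TrustLedger()
    ledger.append(digest(good), "trusted", "ci-pipeline")
    before = deploy_allowed(ledger, good)         # trusted build passes
    blocked = deploy_allowed(ledger, unknown)     # unknown artifact is blocked
    ledger.append(digest(good), "untrusted", "security-team")  # revoke trust
    after = deploy_allowed(ledger, good)          # same build now refused
    # Tamper with history: flip the revocation back to 'trusted' in place.
    ledger.entries[1]["payload"]["status"] = "trusted"
    tamper_detected = not ledger.verify()         # chain no longer validates
    return {"before": before, "blocked": blocked,
            "after": after, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The gate never consults the ledger's latest status without first re-verifying the whole chain, which is what lets a client distrust the store itself: after the in-place edit in `demo()`, `status_of` would report the build as trusted again, but `verify()` fails and the deploy is refused anyway. A real system would additionally sign each entry and publish the head hash so that a wholesale rewrite of the log is also detectable.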