VMblog Expert Interview: Dennis Zimmer Talks Codenotary and Auditable Change Management (ACM) for VMware


VMblog had an opportunity to speak with Dennis Zimmer, co-founder and chief technology officer at Codenotary, to find out more about the company and what they've been up to lately.

VMblog:  Before we dive into details, can you tell us who Codenotary is, what the company's mission is, and what you do?

Dennis Zimmer:  We bring easy-to-use trust and integrity into software development and delivery. Our main product line secures the software lifecycle by providing end-to-end cryptographically verifiable tracking and provenance for all artifacts, actions, and dependencies. It is the only immutable and client-verifiable solution available that is capable of processing millions of transactions a second. With the Codenotary tamper-proof software bill of materials (SBOM), users can instantly identify untrusted components in their software builds.

VMblog:  You have different product offerings for Ops and DevOps. Do you believe enterprise organizations must address both Ops and DevOps together to achieve optimum security?

Zimmer:  DevOps is a very important field to secure and enable zero-trust integrity for the entire software delivery, and our product to address that need is Trustcenter. But we also think that secure and tamper-proof change, configuration, performance and log management for infrastructure is just as important as the security of the software you build, deploy and run. Specifically to address Operations, we offer Opvizor Metrics & Logs, as well as Auditable Change Management (ACM).

VMblog:  Codenotary started and maintains a very popular open source project called immudb. Why did you start it and how do people use it?

Zimmer:  We were looking for a high-performance, immutable and verifiable database to support our own products that run on-premises and in the cloud. Blockchains are too slow, complex and come with many regulatory and operational issues. So, we developed an immutable database ourselves and released it as open source to the public.

This database has built-in cryptographic proof and verification and will track any changes in sensitive data. With immudb, there's no need to trust the database because you can verify all changes on your own. It can operate both as a key-value store or relational database with built-in auditing.

immudb is used by thousands of different projects wherever trust and verification are of the essence, such as fintech, healthcare, manufacturing, and government. In India, for example, the Ministry of Housing and Urban Affairs is using immudb as part of its India Urban Data Exchange (IUDX) project to provide a platform to plan for the growth of their cities.

VMblog:  Your latest product release is called Auditable Change Management (ACM) for VMware. What do you do differently than other change management systems?

Zimmer:  Typical change management tools focus on tracking changes for inventory purposes. We want to make change management auditable, so all changes that happen are being tracked immutably. Think about proving changes or non-changes to third-party vendors to reduce licensing costs.

ACM maintains an indelible, precise record of the VMware infrastructure configuration and resource usage, along with time-stamped changes - providing proof of compliance with licensing terms.

VMblog:  More and more companies are starting green initiatives and want to save energy for various reasons. I noticed that you support customers on their journey - how?

Zimmer:  For some time, we noticed a steady increase in companies that started "Green Initiatives" to reduce energy consumption, and now the suddenly rising cost of energy accelerates the need for change. In conversations with our customers, the visualization of performance and energy metrics is a very common request. Therefore, we added data collectors and dashboards around energy consumption and energy savings to Opvizor Metrics & Logs. That way, customers can see the impact of every configuration or power operation.

VMblog:  When it comes to DevSecOps and especially the notorious Software Supply Chain Attacks, what is your take on fighting these?

Zimmer:  When we started development of Codenotary Trustcenter we had 3 main topics in mind:

Ease of use, tamper-proof data storage, integrated tooling.

Our customers can integrate our CLI in any CI/CD environment (or use it manually) to track and verify everything that goes into a pipeline, as well as track and trust (or untrust) everything that comes out. Our platform includes vulnerability scanning, code signing, Software Bill of Materials (i.e. SBOM) and runtime enforcement. That way, you could block everything unknown in your pipelines, including the pipeline recipe itself, and make sure that everything built and deployed is based on a good version. In case a good version turns bad, you can remove the trust in real time across all your infrastructures or stop it from being deployed again.



Published Friday, September 02, 2022 7:30 AM by David Marshall