Josh chats with Sal Kimmich about the current state of everything, and what we can expect next. Sal has some incredible insight into what we can expect to see as a result of the current wave of security bugs and incidents. There are new features we will need in both our hardware and software to ward off the worst of it. Since those features are years away, what we need in the short term is to shore up our SDLC programs. Sal has some really good medical examples and analogies for this one. It's a huge problem but not insurmountable.

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Episode Transcript

Josh Bressers (00:00) Today, Open Source Security is talking to Sal Kimmich, a security architect. Sal I've known for a while, and Sal gave me their book. I think we were at KubeCon when you gave me your book, and I read it and it's awesome, and you've got a ton to talk about, so welcome to the show, Sal.

Sal Kimmich (00:17) Yeah, thanks for having me. Let’s talk some cybersecurity.

Josh Bressers (00:22) It is crazier than it's ever been. Actually, so before I hit record, I was talking to Sal about the book, and you wrote the book last year; we're in 2026 right now. And you wrote a bit about supply chain security and vulnerabilities and things like that. I was actually rereading the book over the weekend to get myself back in the right head space.

Sal Kimmich (00:33) Yeah, yeah, I got it out.

Yeah, 2025.

Josh Bressers (00:50) And I’m like, when did Sal write this? Like, you got a lot right. I mean, because everything is just completely bananas and on fire right now. And I don’t know if I’m impressed or sad.

Sal Kimmich (01:02) Yeah, yeah, well, the book was really interesting because I really wanted to understand what digital isolation is at every layer, all the way down to the kernel, originally. So I went out and I just talked to everybody I could. And unfortunately, when I talked to kernel maintainers, they said, Sal, the problem is actually the semiconductor supply chain. You have to write that first. And I said, whoa, this is a really deep problem. But yeah.

Josh Bressers (01:28) Yeah. Yeah.

Sal Kimmich (01:29) That was a lot of shared wisdom that went into that book. And I think the best way to know what the next 30 years is going to look like is asking people who looked at the last 30 years because they were there, right? Yeah.

Josh Bressers (01:40) Okay,

so before we go on, I want to clarify, your book is called Code, Chips, and Control. And I know you’re doing a ton of other work right now too, but like this one specifically, I do love this book and it really resonated with me. So anyway, I’m sorry, I’m sorry to interrupt. I just wanted to make sure I got the title. I’ll put links to all this crap in the show notes for anyone listening also. So all right, so back to you, apologies.

Sal Kimmich (02:00) Yeah,

Yeah, well, it's such an interesting journey. And I think right now, a lot of what people are seeing in their news feeds is a lot of application-layer on-fire security. And underneath that, there's a lot of really interesting security vectors. And I think as soon as security gets below your control plane, whatever that looks like for you, we try not to think about it even though the risk is greater. So now I'm really interested in what are the solutions at lower layers that make it so that I can have confidence in my runtime no matter what I'm building, because agentic makes that really important.

Josh Bressers (02:49) Okay, I want to maybe push back on something you just said, where you talk about the layer of your control plane. We all have a line we have to draw that just says everything beneath this line, thinking of our architecture as some, we'll use the XKCD tower maybe, but there's a point where we can have impact on the things above our line and there's functionally nothing we can do beneath it. And we all live our lives like this. Like the power company is a great example, or our water supply coming from wherever we get water for our homes, things like that, right? And you mentioned the things beneath the line we need to care about, but I think it's easy to say we need to care about them, but I don't know if we can.

Sal Kimmich (03:38) Yeah. So I think when I say care, I think what I am really interested in is there's a fundamental unblocking. There's a kind of creativity that you can get in workplaces when security has been so primary to the practice that it allows you to, right? So SecDevOps is where I started my career, and being able to work and really, really sanitize spaces while you're building really big, expensive things is important now.

I think worrying about observability and thinking of it as telemetry, I think the real actual problem with that is both where and what you want to look at, but also the fact that telemetry costs money. The kind of solutions that I am interested in are where would it not make sense to spend money on telemetry? And instead, where can I put a secure primitive or a deterministic gate that ensures I don't need to observe that because I've guaranteed it in some other way.

That’s what you get to start thinking about when you go, when you look at chaos, wherever it’s happening over a kernel, that’s where it makes a lot of sense to step one layer down or two layers down and see if you can secure that threat model at the base.

Josh Bressers (04:55) Okay, the thing that just popped into my head, Sal, is I don't know if you're familiar, there's a person named Wendy Nather, who I've been just kind of reading her things for, it feels like decades at this point, it's been a long time. But Wendy has this concept she calls the security poverty line, right, where the vast majority of organizations, they basically are in security poverty, meaning they're not paying their bills, they can't even feed themselves. So talking about things like, you know, deterministic hardware gates or various other, and these are amazing ideas, I'll say, but I think this is one of our challenges, right, is when people are literally starving to death, you know, security-wise, they don't care. They're gonna draw that line of control as high as they can put it, even probably higher than it maybe should be, right, and they are going to just maliciously ignore everything beneath it. And I'm curious, like, what…

What do we even think of that? What can we even do about that? Because I mean, I feel this every day. We’re like, everything is crazy and on fire. It’s like, what can I just not do right now? Because I don’t have time to do, you know, I have 30 things to do and I have time to do 10 of them. What are the 10 I’m going to do?

Sal Kimmich (06:06) Yeah. Yeah. So that is the security posture of a downstream consumer, not a midstream and not an upstream, right? So you are consuming a bunch of applications. Your security risk over that surface area is reasonably large and increasing, right? It is very likely that next month is going to be a harder month for you than this month was given last month than the month before that, right?

So this is a really interesting kind of existentialism that I'm seeing in this one moment. And it's one of the things that I really wanted to talk to you about, because I think in the face of that, to be so optimistic in the way that I am, I think implies I am looking at this from the perspective of what does this do to the most massively distributed logical system in the world, the Linux kernel, in 10 years, 15 years, 30 years. Now what happens in the vulnpocalypse is we have a couple of really bad days, weeks, months, not really, I don't know if it's many years, but yeah, a few years. It's gonna be bad. What does this do? It forces the attention of the logical system down to where we can create primitives. There are many things that are problems for you today.

Josh Bressers (07:18) Yes.

Sal Kimmich (07:30) in the security space. There's a CVE that came out this week that if we put a lock on the kernel, that entire condition is erased. We get hundreds of fewer CVEs a year just by putting that into place. The kind of solutions and the massive bloom of secure primitives that I think comes out of this is what I have waited my whole life for. And it just has to catch a little bit on fire first.

Josh Bressers (07:58) Okay,

you call this optimism and now there’s two sides to this discussion because there’s the optimistic future view of it’s all burning down right now, but we know we can build it back better. And that is correct. But when I am inside of the fire, I don’t care about what happens in two years. I’m like, I am burning to death. Please come help me right now.

Sal Kimmich (08:00) Hahaha

So when we’re looking at a massive list of CVEs in our system, right, we’ve got our criticals, our highs, our oh no, maybe I’ll get to those anything else someday. Yeah. Nope. Yeah.

Josh Bressers (08:37) Those are all just, no, those are completely ignored at this point. Like I’m not even gonna pretend like they’re whatever. I don’t even look at mediums and lows anymore. Cause I’m like,

I’m drowning in this other stuff. I don’t care.

Sal Kimmich (08:47) Yeah. So I think the one thing that's most valuable there is the hygiene of your SDLC. But one thing about this is really, really important. And this is the most important lesson I ever learned from working in, like, security clearance SCIFs. The SBOM actually is the most important part of that, and it has to be cryptographically attested.

Josh Bressers (09:13) I bet Alan Friedman's ears are ringing right now.

Sal Kimmich (09:16) It's a, I mean, it's a thing that I did wish was not true because it's very hard to engineer well. But with those in place, you actually should be able to have a clear known boundary of the software that is in the system that you're running. Right? What is the absolute blast radius of the logical surface area that you've constructed over the kernel? And do you, for everything that you cannot mitigate over that, have additional controls in place, right? So the shift here is going to be for downstream consumers that have been doing vulnerabilities reactively to now have to build or bust, but what you have to build is a threat model that's sincere. And you have to be predictive and thinking about the ways to secure your system. Now, when you start thinking about the threat model, you get better at not doing just-in-time patches, but engineering around conditions that put you at risk. Our ability to understand that, build that and communicate that is what's coming out of this. And I think that's really cool.

Josh Bressers (10:28) I will not disagree with that. And you are absolutely correct that we have not approached, call it patch management, but it's not really patch management. I think just calling it SDLC in general makes more sense, but yes, engineering dealing with vulnerabilities into the process versus I'm just going to patch it and ignore it. Now there are many people that are currently claiming the solution is to just upgrade all your open source, turn on your seven-day cooldowns, whatever we want for it, and just upgrade it all and who cares, and then you don't have to worry about it. So what do we say? Are those people right? Or is that a different solution to something else?

Sal Kimmich (11:12) Yeah, no, they are right. If that is what your compliance requests of you, in a way. Are you secure? No, no, not likely. And what I've really seen around, like, the vulnerability expansion over the years, I think the dimension that it impacts the most in the workplace is time. Right. So I've seen vulnerability management go from being what it felt like

Josh Bressers (11:19) Yes.

Sal Kimmich (11:42) 10 years ago to feeling like, why am I doing cybersecurity instead of SRE if I never wanted to be on pager duty again? Right? Because the time and required like security uptime and compliance now is really, really converging. And also that’s something to note everywhere around the world around vulnerability management, they’re asking shorter and shorter timeframes. So I don’t really care where you are or what your compliance is right now.

It’s probably going to be a requested shorter timeline moving forward. Right. So you need to have immediacy in the effect. Now, when we’re dealing with software vulnerabilities in a company, I like to remind software engineers that you can also take examples from literally everything that has ever existed before. Don’t isolate it to thinking that software is the only way to think about solving a problem. One of the things that I always like to think about, like,

Josh Bressers (12:39) Yeah, yeah.

Sal Kimmich (12:41) So early in my career, I was doing signal processing, got to use supercomputers all the time. It took me to the National Institutes of Health. Now at NIH, I was in Building 10. I was in the basement because I was doing fMRIs, so I was underground. But every layer above me for seven stories represents one layer of the body system. And you get to talk across about the research that you're doing. And I like to look at the security that way.

So where am I getting to? You, in the body of a corporation, and your security practices must be building an immune system. Use whatever proxy that you want within that, but decide how you are going to prevent infections whenever possible and decide how you're going to mitigate infections when they occur, because they are inevitable. When you carry this model all the way down, what I really, really have always wanted, if I'm going to build an entire application space over something, is to be able to have that guarantee at the kernel level. That only what needs to be there is there when it needs to be there and it can only be used at the right time. Same way a surgeon has their operating room set up, right? That should be the expectation. I want only the tool for the thing at the moment in time. Now looking at what your security posture could look like in two years.

Yes, I want you to lock it down all the way to the kernel. Is that an extreme request for you right now? No, because you want to do that against your OPA policies. If you're running Kubernetes, there, that is top to bottom, from policy to the actual full mitigation. That's where we can remove hundreds of vulnerabilities from our high, moderate, critical list.

Right? They all literally do not come in because they're no longer possible for your architecture. Think about it that way. And maybe also do a little bit of meditation because the next few months are still going to be hard.

Josh Bressers (14:54) okay.

Let me, let me see if I'm understanding what you just said correctly, because I think there's a couple of important pieces in your description. So I want to go all the way back to when we were talking about zero vulnerabilities and patching very quickly and things like that. And I think you mentioned it's not security, but I feel like whether you're mitigating through controls or patching quickly, they're both part of an SDLC program, right?

It's not like one replaces the other, which I do think is part of the discussion right now. Like the public discourse is very just patch it and you're done. Whereas that's obviously a ridiculous place to be. And obviously patching everything all the time is sometimes just not realistic. I mean, you mentioned you were at NIH. I mean, I know people who've worked in hospitals that were like, we put the MRI on its own network and told people they can't, like, you know, scan the networks, and the MRI crashes, and then maybe we'll kill someone. Like, that's terrifying, you know, but then.

Sal Kimmich (15:49) Yeah. Yeah.

Josh Bressers (15:52) You’re talking about, you know, mentioned, you know, health and surgeons and I’ll pick on this maybe because so I’m of a certain age that there used to be a thing called exploratory surgery when I was young where they would just like, well, you’re really sick and we don’t know what’s wrong. So we’re just going to cut a big hole in you and look around.

And that feels a little bit like kind of what security is today. We’re like, now we look at surgery and they’re like, we’re going to insert this thing, the size of a pencil into you. And then it’s going to do a bunch of things. And we’re going to take it out. And like the only thing on your body is going to be this teeny little hole versus I feel like a lot of IT and security today is like, well, we’re just going to cut a giant hole in this thing and it’ll probably be fine. You know what I mean? Like it feels very apt in your analogy.

Sal Kimmich (16:37) Yeah. Yeah. Well, I think one of the things that really bothers me is, for about three years, every company I've ever worked with, I try to, like, one of our goals and our targets that I have tried to get us to keep is like, once we can get vulnerabilities down, can we get 20% time back for research?

Sal Kimmich (17:00) Do you want to know how many times I’ve been successful in getting our vulnerability? Yeah. Yeah. You want a whole day back? Yeah. Yeah. Exactly. Yeah. But what that would do is allow you to get into a more preventative state. It also is a very good tactic for retention, right? Which I think is really important. I think what people don’t realize is that the newer

Josh Bressers (17:02) Oh, it's zero. What you just said is you can fire 20% of the staff, Sal.

man, yeah.

Sal Kimmich (17:27) person is to the architecture that they have a cybersecurity incident over, the longer that incident will take to mitigate. So high turnover in a company is the thing that makes your mean time to remediation fail. So try to keep them around, give them some time to think. That's what I'm hoping for.

Josh Bressers (17:36) yeah.

Okay,

so I wanna use this as kind of a launching-off point. So in your book, I'm on page 60, I don't know if there's different editions, this is a very kernel-specific chapter, and I think this is related, where you have a thing that says what to do next, and it says, like, lock the boot chain, fund migration to memory-safe languages, require kernel SBOMs and reproducible builds, draw red lines on kernel-level surveillance, make breakage cheap before attackers do, like.

So here’s my question for you, and I think this is kind of the ultimate question for this discussion, is it’s easy to say these things. It’s easy to say, let’s get vulnerabilities under control and then start doing research. But I think if you look at nearly any industry, and medicine included, where almost no one does anything unless you kind of make them, right? And this is where I think, you know, I…

I get in this argument all the time where I'm always like, we need regulators to make people do some of this stuff. And then a bunch of people are like, regulators are idiots and they don't change anything. And they move too slow. And it's like, I don't know what the answer is. So like, this is kind of where, Sal, I need some optimism, because right now it feels like all of the good ideas we have have been good ideas for decades and we've never done them. Like, why are we going to do them now?

Sal Kimmich (19:02) Yeah, well, before this call, you asked me how I get people to care. And I told you, you would not like the answer. Here’s my answer. The answer is have regulated clients. That is the, that is the fact of the matter. But I want you to think about how much that changes things when you consider that there’s a lot more than just finance, healthcare and government, but it’s tricky. So if we’re really talking about the book, like,

Josh Bressers (19:08) All right, let’s hear it.

Okay.

Sal Kimmich (19:32) Who the person that I wrote it for is, is really specific. At the end of the day, I probably wrote it for a head of security of a tribal nation, or a chief that wants to read it so that they can be informed about their positionality. That is my target audience. Why? Because that's a world that I live in, but there's like two other really, really good reasons. When we're dealing with any, like, indigenous population that is particularly tied to their land, it's a perfect way to test the model of land-bound sovereignty. When you're checking out tech, land-bound sovereignty is the most challenging model to get right, right? Can you actually SCIF that environment? Can you understand everything that you've brought into it? But every year I have to go to this event where we've got talking circles. And this is where I go into a room and there's chiefs and security leads from hundreds of nations around the United States and from further. And at the front of the room, there's usually going to be a state or a federal representative or someone that is representing a large company that is engaging with them either through employment, contracts, et cetera. And I get to watch all of those personalities, right? CISA reps.

What is the conversation when a chief that I'm sure does not know how to turn on his phone has to go and ask them about cybersecurity, right? And they are responsible for hundreds of thousands of people. Now the threat model for a tribal nation can vary by size and what they are, but basically think about it this way. They're usually about a mid- to large-size company in their infrastructure, and they are under state, federal and tribal security requirements all at the same time. When you want to talk compliance, that one's hard.

Josh Bressers (21:36) Okay, so here's what popped into my head as you described this, because this is a fascinating scenario that I've never even thought of, much less can imagine, because quite frankly, this is like so far outside of, like, my sphere of understanding. We'll have to speak more of this someday. However, I have a suspicion. If you have a tribal leader that has to ask a representative from the government, be it CISA or something, a question about security, what is not going to happen is they're not going to call them an idiot and start yelling at them. Versus, more times than I can count, I have seen that happen in organizations, and more times than I'd like to admit I was the one yelling at other people and calling them idiots. And like, this is intriguing to me.

Sal Kimmich (22:24) Yeah, yeah, and it's not trivial either. So I come from the Western Band Cherokee Nation. Now that's a pretty large, well-infrastructured, federally supported nation. And its cybersecurity infrastructure is federally supported. The reason why is because it's so large. It has the largest healthcare, not of any tribes in Oklahoma, but it is the largest healthcare system in Oklahoma. Non-tribal people use it.

Josh Bressers (22:39) Nice.

Sal Kimmich (22:54) Right? So let’s talk about regulated databases, health care, sovereignty, state and federal involvement in that health care system. Yeah. It’s a real.

Josh Bressers (23:07) Wow. Well,

okay, so answer me this then. So this is one of the things, I have a suspicion, but I am completely making this up, is when you’re dealing with the tribal government, this is an organization that has been wronged repeatedly over a century or more by the federal government. So they have reasons to be extra concerned about data sovereignty and privacy.

and kind of all those things that I think sometimes we like to hand wave away and be like, whatever, it’s fine, don’t worry about it.

Sal Kimmich (23:39) Yeah, well, I mean, it’s interesting. So there are more federally recognized tribal nations in the United States than there are days of the year. And that’s not even counting state tribes, right? And every one of them has their own relationship to cybersecurity. Only a few of them have a federal relationship to cybersecurity because they’ve chosen to do so in the last few years. There’s a federal program that has come out to make our security practices stronger, which is really interesting to watch how each one approaches it. But

What I wish people would understand is, like, natives are around tech all the time and always have been. So the first semiconductors, like, that were produced in the United States, a lot of those were produced on the Navajo Diné Nation. Why? Because they're master weavers and they were very good at building transistors, right? So there's a lot of really long-lasting relationships, a lot of really interesting long-lasting relationships between these companies.

And with every government, because every single government service, especially and including NASA, is deeply engaged with the native populations because they like to shoot their rockets on tribal lands. Yeah. Yeah.

Josh Bressers (24:55) Well, wow, I didn’t know that. That’s wild. Wow.

And everyone loves NASA. I mean, it's one of the few federal government organizations that is, I would say, consistently liked by virtually all people across the political spectrum, which I don't think there's many other departments you could say that about.

Sal Kimmich (25:01) Yeah, yeah, it’s great.

Yeah. And how could you not? Like, you go, so ACES is where these, like, security talks go, these talking circles every year. And I go around the booths and like, I'm just going to ignore everything and be aligned for whoever brought the, like, six rockets into the room. I would love to learn more about that. Yeah.

Josh Bressers (25:35) Nice, nice.

Okay, okay. But I want to bring this one home by kind of bringing us back to my question about, like, what do we do about this? Because you mentioned regulated organizations, be it, you know, financial, healthcare, governments, you know, tribal in some instances, but that, and maybe I'm wrong to say this, but I feel like that is not the majority of software or development or usage.

And do they have enough sway to affect meaningful change across the industry?

Sal Kimmich (26:13) So I would argue yes. So when improvements happen over the Linux kernel, it tends to happen in a, like, target radius that goes out from the center. The very, very center of that are chip producers. Right outside of that, in terms of influence and immediate care, is critical services. And I think it's so important for civilians of any type in any place to think about how much their life actually is improving.

by security getting better for your banks and your healthcare systems and your water sewage treatment plants, right? That’s important to know and it helps me to sleep at night. But what else happens when critical infrastructure improves? All of that does come downstream. So it’s not going to be an infinity loop of vulnerabilities.

Josh Bressers (27:05) Yes.

Sal Kimmich (27:09) One, because logically of the kernel, there is actually a discrete set that there can be at this time. So it cannot last forever. Thank God it’s a tractable limited problem. But then the solutions and the ability to architect things better while just being able to serve your client in your client space, right? Making life simpler for DevOps is going to be the outcome of this. The SDLC, we can configure it in ways that are better and worse, but at the end of the day,

It is the changes that are happening around critical infrastructure that are going to make your life, hopefully, a lot easier in less than two years. And that's really the interesting thing and why it's so fun to watch right now. I do think that outcome is good.

Josh Bressers (27:57) It is good. And here's the thing I keep telling myself. And I think everything you just said backs us up: when fuzzing became a thing, this would have been around 2006-ish give or take, we didn't have things like address space layout randomization. We didn't have stack canaries. We didn't have, you know, the various memory protection capabilities built into silicon as well as the binaries. I mean, I remember when ASLR became a thing.

I was working at Red Hat at the time and so I was on the security team, and this was a huge thing. We're like, please hurry up, like, do it faster. The sooner we get this, the better. And I remember that line where in one version of Red Hat Enterprise Linux, basically all memory bugs were basically critical vulnerabilities for us. And once you passed that, we would rank them as important,

generally speaking, because now we had, you know, ASLR and mprotect and, and stack canaries and all of these things. But now the other thing I also remember is it, it was hard and it took time, but I do think you’re correct that a lot of the regulated industries, the banks, the governments, they were pushing for this stuff. So you’ve given me some optimism, not as much as I’d like,

Sal Kimmich (29:18) Can I give you,

Josh Bressers (29:21) I don’t…

Sal Kimmich (29:21) I’ll give you a little bit of extending that optimism. So when it comes to movement based on regulation, right, which basically is just we’ve heightened the liability profile around security risk. So that is really interesting to watch for now over conditions not traditionally regulated because of the EU CRA Act. That is so interesting.

Josh Bressers (29:25) Okay.

Sal Kimmich (29:45) That is a massive expansion of regulatory pressure. I think most importantly, because it is extraterritorial. It is not exclusively applied to the EU. It's applied to anything that gets consumed by it. That is the regulatory pressure that you might be looking for.

Josh Bressers (30:07) I’m being cautiously optimistic about the CRA because I want it to work because you’re right. I think if the CRA has enough teeth and it’s taken seriously, I think it could be a huge deal. But I also look at like GDPR and I won’t say it’s been ineffective, but it definitely hasn’t lived up to I think some of what the hype maybe was or what we’d hoped it could be. And that is

I want to believe, right? That’s kind of, that’s where I am on this.

Sal Kimmich (30:42) Yeah, yeah, yeah, I think changing again, right, changing people's behavior and getting them to care. I think adoption on CRA is going to be somewhat challenging; it's going to take people longer than the current deadline. And then I think people are going to get much quicker and more effective at implementing as soon as there is a major monetary consequence that's realized in the news. I think that's the full play for the CRA.

Josh Bressers (30:56) yeah.

Sal Kimmich (31:10) make it painful for one or two large cases, and make it a norm for security expectations if you have a consumed product. Yeah, do we get that right? Do we communicate that well in advance? I don’t know. That’s for this moment to find out.

Josh Bressers (31:20) Yeah.

I know I'm impatient, Sal. I don't

want to wait for these things. Like I want security now.

Sal Kimmich (31:33) Yeah, yeah, yeah, yeah, I would love to be a future engineer

and go have fun again, but I can’t because I’m terrified.

Josh Bressers (31:42) It, don’t,

yeah, I don’t know. I don’t know if I’d wanna do that right now, cause it’s wild. All right, let’s land this plane, Sal. What do you want us to know? What should we do next?

Sal Kimmich (31:56) All right, what I want you to know, I think the vulnpocalypse is a moment in time. Take a deep breath. And I do think things are going to get better. Uh, hold up and be strong. Um, but on the other side of that, yeah, if you are not in security, but happen to work with that team, take a second to go and check in with them and see if there's any better way that you can support, particularly communication across your company right now.

They are pivotal to your business running effectively and they have to run effectively to do that. Let's talk with them. Companies have to provide a different level of support to security teams now in order for security teams to support the company. Please be very respectful of that and also tell them thank you. I say that to your SRE team as well, but for this month, it's your cybersecurity team that needs a little gratitude.

Josh Bressers (32:45) Yeah.

Indeed,

indeed. Awesome. This has been, this has been amazing Sal. Thank you so much. Like I have learned an incredible amount and I absolutely, I love the fact that I always learn something completely unexpected in these discussions. And like you’re, the things you explained about, you know, tribal security is fascinating. I honestly, do me a favor and I’ll put this for anyone listening, but I’ll put it in the show notes. Like send me some links to some of this stuff because I would love to learn more about you, that whole tribal dynamic, especially your own security.

Sal Kimmich (33:20) Yeah, I gave a talk on it for OSI. I'll give you all the link. Yeah.

Josh Bressers (33:26) Perfect. Yes, absolutely. I can’t wait to watch it.

Awesome. Sal, thank you so much. This has been an absolute treat. I really, really appreciate it.

Sal Kimmich (33:35) Thank you