Securing the Cloud with Josh Stella

The conversation covers:

  • Josh’s role as CTO of Fugue, a leading cloud security and compliance provider for engineers.
  • The difference between cloud security and data center security — and why old school approaches to security don’t work in the cloud.
  • How engineers and security specialists can best communicate with business leaders about how to approach security, and how Fugue can help.
  • Who should be the person in charge of setting up Fugue, running reports, and communicating results across an organization.
  • The people who tend to lose their job when a cloud security breach occurs.
  • Why cloud security requires organizational change, and how companies are adapting to prevent issues.
  • The importance of upskilling employees and making sure they have the appropriate knowledge to solve cloud challenges.
  • Why the cloud has the possibility to be more secure than a data center. Josh also talks about cloud perception, and why some are still viewing the cloud as scarier than the data center.
  • What Josh considers to be the most effective hacking strategies for cybercriminals.
  • The relationship between security and compliance, and how organizations should approach that relationship.
  • Why there is no such thing as a perfect security posture.

Transcript

Emily: Hi everyone. I’m Emily Omier, your host, and my day job is helping companies position themselves in the cloud-native ecosystem so that their product’s value is obvious to end-users. I started this podcast because organizations embark on the cloud-native journey for business reasons, but in general, the industry doesn’t talk about them. Instead, we talk a lot about technical reasons. I’m hoping that with this podcast, we focus more on the business goals and business motivations that lead organizations to adopt cloud-native and Kubernetes. I hope you’ll join me.



Emily: Welcome to The Business of Cloud Native. I'm Emily Omier, your host, and today I'm chatting with Josh Stella. Josh, thanks so much for joining us.



Josh: Well, Emily, thanks so much for having me.



Emily: Of course. I always like to start the same. Can you just introduce yourself and your company, and tell me a little bit about what the company does, and then also what you do?



Josh: Sure. So, Fugue does cloud security for public cloud providers like AWS, and Azure, and Google. Prior to founding Fugue, I worked at AWS as a principal solutions architect primarily focused on national security; Department of Defense, and similar things. My background is I'm a programmer and I'm a software architect, and I've kind of lived between national security kinds of work and high tech in startups. And so what Fugue does is we’ll tell you all about the security posture of your cloud environments, and teach you where you have weaknesses that hackers can exploit; we help you close those, and then we can actually keep things from having those misconfigurations going forward. So, that's a little bit about us. If you're a developer, you can use our forever free developer version, and we work with a lot of enterprise folks like SAP, and big organizations, too.



Emily: So, were you involved with setting up the super-secret CIA cloud that AWS was involved in?



Josh: I was not personally. A very close colleague of mine was actually working very closely on that, but no, I was not directly involved in that.



Emily: Okay, you probably couldn't talk about it, even if you were, so. [laughs].



Josh: No comment.



Emily: Anyway, I always like to ask also, what do you actually do? Like, you get up in the morning, presumably, you don't go to an office anymore, but—



Josh: Oh, true. True, yeah. Whether going to an office or not, my days are… so I started out founding the company with my co-founder, Andrew Wright. And for a while, I was the CEO when we were in the kind of R&D phase, but then I always intended to hire a really great CEO, which we did a couple of years ago, Phillip Merrick, and I became the CTO. And there are different kinds of CTO.



My main functions are, like, I get up in the morning, I go read the news about any breaches in Cloud that have happened, and then I try to recreate them whenever possible, if there's enough information, because the attack vectors on Cloud are completely different than in the data center, and are non-obvious to folks. So, when you read about a breach, and you see that they use the identity and access management service almost like a network, to get to S3, that's really interesting and it's really important so that Fugue can protect our customers. So, I spend a fair amount of time doing that. I do work every day with the product team. Occasionally, I will weigh in fairly strongly on an engineering topic, but a lot of times our engineers are just very, very good and we've hired experts in all their areas, so I work with them, but it's usually just to give advice and some guidance.



And I do a fair amount of writing, and I do a fair amount of teaching classes online: we have a masterclass series on Cloud security that has been very well received. And then the research I do into how cloud exploits are actually being done by recreating those in my own environments, I use those both in the classes and of course, Fugue as our product can then have protections built-in against them. So, I’d say that's a lot of what I do.



Emily: I wanted to ask a little bit more about this difference between cloud security and data center security. Can you go into that a little bit more? And then also, what do people miss in that difference?



Josh: Okay, so I'm going to start at the prosaic and kind of go to the sublime a little bit, but the most simple way to think about the difference is in the data center days, you really had a network perimeter. So, you've got a big pile of servers, they're racked and there are switches that that connect them together, and then there's this layer of security at the, kind of, perimeters of the network where the data center network connects to, whether it's the corporate network, or another data center, or the internet. And that kind of perimeter defense slash defense in-depth idea meant when you were talking about data center security, the primary things you were thinking about were, “What's happening on my netwo...

Episodes (267)

Finding Product-Market Fit with Wei Lien Dang

Happy new year everyone! There was a short break for Christmas and New Year's the past two weeks, but this week I’m back with a fabulous episode with Wei Lien Dang, General Partner at Unusual Ventures and formerly co-founder of StackRox. I recorded this episode on-site at KubeCon Salt Lake City back in November 2024. This episode is particularly fabulous because Wei was willing to give some founder real talk. This is easier once you’ve sold your company, and especially easier when the ‘outcome’ of your company’s trajectory looks like an unmitigated success. And that is precisely why you hear so few founders willing and able to be honest about what the company’s trajectory really looked like — and all the times when things did not look like a chart going up and to the right. Wei has also written an open source field guide, which is absolutely worth reading and is available here. We talked a lot about product-market fit, how hard it is to find and how important it is. From the risks of just going to your network for feedback to the difference between general, high-level feedback and a very specific idea of how and why your product is used, Wei talked about both recognizing that you have a product-market fit problem and how to fix it. We also talked about empathy as a founder, recovering from building the wrong product, and managing the hearts and minds of your team. Are you struggling with product-market fit, or feel like you have project-market fit but can’t translate it into commercial success? You might want to work with me, and / or come to Open Source Founders Summit to chat with other open source founders.

6 Jan, 26 min

Maintaining Control of your Brand with Ramiro Berrelleza

This week on The Business of Open Source, I have a special episode recorded on-site at KubeCon NA this fall, with Ramiro Berrelleza, the CEO of Okteto. We kicked off the conversation with a discussion about branding. Okteto is the name of the company, the name of the project and the name of the product. We started this conversation because it had been a big part of conversations I had with other founders at KubeCon. Most interesting to me was that while Ramiro explained how that decision was made, he said he was 50% happy with it, 50% not. Which is about the same as what I hear from founders who have made the opposite decision — so maybe there is just no ideal way to approach branding.

Some other things we discussed:

  • What's different about fully embracing open source versus just having an OSI-approved license.
  • Not donating the project to the CNCF, specifically because he wanted to maintain control over the brand; a decision he thinks was a correct one.
  • The specifics of developer marketing, and especially how sometimes developer marketing can be a mix of B2B marketing and B2C.
  • The tensions between the needs and desires of individual users and the needs and desires of their employers.

Ramiro and I are on the same wavelength about a couple of things; I particularly appreciated his distinction between users and customers. We ended the conversation with a discussion of the benefits of open source companies — the opportunities that come from being open source that you can’t get any other way. Having trouble taking full advantage of your open source project? You might want to work with me, and / or come to Open Source Founders Summit to chat with other open source founders.

18 Dec 2024, 24 min

KubeCon Special Episode: Changing Culture with Software with Cole Kennedy

This week on the Business of Open Source, I have an episode recorded on-site at KubeCon SLC last month with Cole Kennedy, co-founder of TestifySec. We kicked off the conversation with a discussion about software development practices in the US Department of Defense and the US government at large — and the challenges involved with deploying quickly and frequently when you have to keep things both compliant and secure.

Here are some of the takeaways from the conversation:

  • Why TestifySec decided to donate Archivista and Witness, their two open source projects, to the CNCF — in particular, because they don’t see their business model as directly monetizing either. How they monetize with a SaaS platform instead.
  • “Founder-market fit” — Cole used to work as a developer for the Department of Defense, and that gives him a unique perspective on the needs and pain points specific to defense organizations.
  • Changing culture with software. During our conversation, it really struck me that a lot of the problems around compliance are organizational culture problems, not just software problems. How do you use software to change culture?
  • The main advantage of open source, Cole says, is the feedback loop you get with your users, including people using the software in ways you never thought possible.

Advertisement time! Are you struggling to figure out how your investment in open source translates to revenue? Do you want to figure out how to increase the percentage of users who even know the commercial product exists? You might want to work with me. And if you are a founder of an open source company, consider coming to Open Source Founders Summit, the only conference dedicated to building financially successful and sustainable open source companies. Attendance is restricted to founders and leadership in open source companies. Check it out here.

11 Dec 2024, 17 min

KubeCon Special Episode: Managing the Tension between Product and Project with Bobby DeSimone

Who pays for the future of infrastructure? In this special episode, I spoke to Bobby DeSimone, founder and CEO of Pomerium, about how he feels like infrastructure and security both have to be open source — but then, what does that mean about the future of the financial support for infrastructure and security?

We talked about:

  • The importance for customers, especially early customers, of being able to do code audits early in the buying cycle — and Bobby thought that just a BSL license would not have been enough.
  • The tension between project and product 😳 my favorite topic. If you’re curious, I did a talk at All Things Open on the subject, one that was sadly not recorded :( but you can reach out if you want the slides.
  • How Pomerium manages that tension, both internally and externally. There are open source purists as well as cutthroat capitalists. Bobby describes it as making a bet on the middle.

If managing product-project tension is something you’re struggling with, reach out, you might want to work with me. And if you want more conversations about the unique aspects of open source businesses, you should come to Open Source Founders Summit this May. Join the mailing list to find out as soon as tickets are available.

4 Dec 2024, 18 min

KubeCon NA Special Episode: The Connection Between Community Engagement and Revenue with Mark Fussell

This week on The Business of Open Source, I spoke with Mark Fussell, CEO and co-founder of Diagrid and co-creator of Dapr, in a special episode recorded on-site at KubeCon NA in Salt Lake City. We kicked off with a discussion of what’s different about running an open source company versus a proprietary software company, and Mark said that a big part of it is that you have to nurture the community. But what does that actually mean? I pushed back, and happily Mark was able to go into more specifics about what he means.

We also talked about:

  • Why, and how, to build a contributor ladder. Worth noting here that not all companies even want to encourage outside contributions, so it was interesting to hear Mark go into this dynamic.
  • Dapr is now a graduated project at the CNCF, and Mark talked about what changed for Dapr as a result of getting that seal of approval… as well as what changed for Diagrid. And since Diagrid is the primary maintainer of the project, this probably means Diagrid will end up spending more engineering resources on the project.
  • The constraints that come from having your open source project hosted by the CNCF — or any other open source foundation, for that matter.
  • The delicate balance between the engineering resources you need to put into your open source project and the engineering resources you put into your commercial product. Even though Dapr has many (around 4,000) outside contributors, it takes a huge amount of effort (and effort = money) to manage that community, and Mark talked frankly about the investment it requires to make that happen.
  • What percentage of the open source users even know that Diagrid exists? 😳 Mark guesses that it’s 5%, and he talks about what he’s tried doing at Diagrid to make that percentage go up. Is 5% good or bad? We talked about how it’s hard to know, actually, how Dapr/Diagrid compares on that.

Are you struggling to figure out how your investment in open source translates to revenue? Do you want to figure out how to increase the percentage of users who even know the commercial product exists? You might want to work with me.

28 Nov 2024, 23 min

ATO Special Episode on Product Strategy with Elias Voelker

In this last special episode of The Business of Open Source recorded at All Things Open, I spoke with Elias Voelker, VP North America for CheckMK. We talked a lot about product strategy; when CheckMK decided that they needed a clear strategy for deciding which feature goes in the open source project and which goes in the commercial version. Elias finished up the conversation by circling back on this issue: As an open source company, if you don't have a big enough difference between the value customers get from the project and what they get from the commercial relationship... you won't survive. Since Elias works in sales, we also talked about sales for open source companies. He said one of the most important questions in the context of open source is “why now?” Since many customers have been using the open source project successfully for years, this question is really important for uncovering what’s changed and why they are ready to buy at the moment. We also talked about some cultural differences between selling in North America and selling in Germany, since while Elias is German (as is CheckMK), he leads sales in North America and therefore has some advice for European companies moving into the North American market.

If you’re struggling to figure out your product strategy as an open source company, you might want to consider working with me. I help open source companies figure out how to differentiate themselves in the market, how to differentiate the product from the project and how to take advantage of the opportunities specific to being an open source company.

26 Nov 2024, 17 min

Applying the lessons from Docker with Solomon Hykes

This week on The Business of Open Source, I have the first episode I recorded on-site at KubeCon Salt Lake City (and the only full-length episode), with Solomon Hykes, CEO and co-founder of Dagger, and co-founder of Docker. One thing Solomon mentions briefly but that is very important is that there are limits to what can be learned from Docker’s story, simply because the situation was so unique. Docker experienced explosive growth, at least some of which was due to having the right technology at the right time. This kind of explosive growth is very rare, though, and it brought its own set of challenges. The point being that while most companies will struggle to get enough adoption, Docker struggled to monetize effectively but got so many chances to try again just because it had a massive community.

We talked about:

  • The hypothesis — or actually, lack thereof — behind creating the original Docker open source project.
  • How having a massive community does help — but also doesn’t guarantee you’ll be able to build a financially sustainable company.
  • When you build a massively successful technology or standard, you’ll attract competition — and in the case of Docker, the competitors were savvy companies who’d won the previous cloud wars and ultimately were quicker to figure out how to monetize Docker containers than Docker itself.
  • What Solomon is doing differently at Dagger compared to Docker, one of which is thinking about monetization much sooner.
  • The open source movement was founded on such explicitly anti-commercial principles that companies building in the space would often not be intellectually honest about the fact that they were building both a software to give away for free as well as a business that needed revenue. Docker tried too hard to please everyone, including those who felt that open source should be pure and non-commercial — at Dagger, they’re much more transparent and upfront about the fact that it’s a company with commercial ambitions.
  • Solomon also talked about the difference between components and product, and how designing products requires control, including the ability to just say no without explaining yourself.

It was fascinating to hear Solomon talk about the lack of intellectual honesty around who pays for the development and maintenance of a lot of open source projects, because that precise topic was the focus of two panels I moderated at KubeCon, one during the main conference and one during CloudNative StartupFest. If you’re struggling to articulate how your product and project are different from each other (and others in the ecosystem) and why someone should pay you, you might want to work with me. Reach out!

20 Nov 2024, 39 min

ATO Special Episode with Nithya Ruff

In this special episode of The Business of Open Source, I spoke with Nithya Ruff, director of Amazon’s Open Source Program Office (often referred to as an OSPO). We started out talking a little about what exactly an OSPO is and what they do in companies — something I’m guessing not everyone understands. It boils down to managing the company’s open source strategy — something that is relevant to pretty much any company that writes software of any kind. There are a lot of components to an open source strategy, and there are different ‘models’ for an open source strategy, depending not just on the company’s size, but also whether or not open source is core to what the company sells. Nithya previously led the OSPO at Comcast, and talked a bit about the difference between running an OSPO for a company like Comcast and a place like AWS, because their products are different. And why do open source strategies matter for startups? Even if you’re not an open source company, if you can’t prove you’re in compliance with open source licenses for projects you depend on, or if there are security concerns related to your open source use, it can sabotage acquisitions. By the way, helping startups figure out their open source strategy is what I do as a consultant. If you’re figuring out how to balance your open source project and your product strategy, and how to manage the risks and opportunities associated with open source projects, you might want to work with me.

13 Nov 2024, 15 min
