Toni de la Fuente: In the last year, we have grown exponentially because we are adding more and more new features, also creating Prowler Pro, increasing the support, and now, very soon, we are releasing version 3, which is going to be a game changer. When I started running Prowler, I didn't want to deal with API limits and all that stuff. So I said, okay, I prefer to go slow but correct. Now with Prowler 3, we are doing things in a different way and we increase the speed like 10 times, at least.

Eric Anderson: This is Contributor, a podcast telling the stories behind the best open source projects and the communities that make them. I'm Eric Anderson.

Prowler is for implementing AWS security best practices, including assessments, audits, incident response, continuous monitoring, hardening, and forensic readiness. It contains more than 240 controls covering at least nine frameworks, acronyms like CIS, PCI, GDPR, HIPAA, ISO, and four others I don't recognize, as well as custom frameworks. The project boasts 130 contributors, the first and most prolific of which is the creator, Toni de la Fuente, who joins us today from Southern Spain. Apparently, it is really hot there, and so is this project. It has six and a half thousand GitHub stars in just six years of its existence. Toni, thanks for joining us.

Toni de la Fuente: Thanks for having me, it's a pleasure to be here.

Eric Anderson: How was my intro? Did I get it mostly right?

Toni de la Fuente: It was very good, yeah. Pretty much exactly what we do.

Eric Anderson: Yeah. Good. And you mentioned that you are not from Atlanta but recently moved from Atlanta, is that right?

Toni de la Fuente: Yeah. I moved to Atlanta back in 2012 to work for Alfresco Software. Actually, I was working for them here from Spain to cover the south of Europe, and I had the chance to move there for another position. And I was living in Orlando for almost seven years and I moved back to Spain to work for AWS, for [inaudible 00:02:09].
So I joined AWS as a security consultant and also I moved to... AWS security as a security engineer a year ago before I left, and I joined Verica to work on Prowler and Prowler Pro.

Eric Anderson: Ah, very good. So you definitely are an AWS security expert. So tell us about Prowler. I'll also add that I'm impressed that... there's a lot of open source projects out there that kind of have linear adoption, and Prowler seems almost kind of exponential, which is probably exciting for you. Before I get into all that, tell us what Prowler is, in your own words.

Toni de la Fuente: Yeah. Prowler is an open source security tool for AWS. So what it does is it gives you insights about your security posture in AWS. So the main goal was to be able to get easily what you have right and what you have wrong in your cloud. So we cover different use cases, but mostly it is to see what you have, no matter what region you use or what type of AWS subscription, and you can get easily what you have right or wrong and act accordingly to fix it.

Eric Anderson: Got it. I normally ask you a couple of follow up questions, but that seems to kind of encapsulate it. What led you to start Prowler? Maybe you can take us from the beginning.

Toni de la Fuente: Yeah. Well, actually back in 2016, I took over a new position when I was working for Alfresco Software and I had to take care of 36 accounts, AWS accounts, so I was lost. I didn't know what to start doing, actually. And by that time, the Center for Internet Security released the CIS AWS benchmark and actually it was a creative [inaudible 00:03:50], so I took that benchmark and I started writing my own tool. Well, actually it was a script by that time, where I could automate checking the basics or the security foundations for an AWS environment. So I did that, and I did that in a way to allow the engineers I was working with to run it by themselves, because I didn't want to take care of all those accounts, et cetera.
And also I wanted the tool by default to be multi-region and covering the most important services.

Toni de la Fuente: So in that case, we realized how many resources we were using and misconfigurations as well, and also regions that we didn't even know that we were using. That was working fine and I decided to put it in GitHub and I changed the name to Prowler because at the beginning, it was just a name, I don't even remember the name, but something like "security check for AWS" or something like that. So I changed it to Prowler, which is the first song of the first album of Iron Maiden, which is my favorite band. And it's a nice name as well, I guess. So with that, I did, by that time, a couple of talks talking about Prowler, open source security, and AWS.

Toni de la Fuente: It wasn't very common to have tools, AWS security tools, by that time. We had, remember, Security Monkey from Netflix and Scout Suite; Scout Suite was more or less the same time as Prowler. So it became more and more popular, we were growing the number of users, and now it is the most popular tool, we can say, if we count stars, GitHub stars, which apparently is something very important. We have 6,500 stars now and in the last year we have grown exponentially because we are adding more and more new features, also creating Prowler Pro, increasing the support. And now, very soon, we are releasing version 3, which is going to be a game changer.

Eric Anderson: That's fantastic. And you say "we", Toni. At the beginning it was kind of just you, right? How did that evolve? So who was the second person who helped you with Prowler, and the third and fourth?

Toni de la Fuente: I have to say that in my 20 years of career, I've done many different open source projects, contributing to projects and starting projects by myself, but I never had the satisfaction or the success that I'm living with Prowler because, I guess, it's being helpful for a lot of people.
At the same time, when you have a lot of contributors sending you fixes and enhancements, it also requires your time. So Prowler has been, in the last five years, like a side job, pretty much. So doing my day job and then doing Prowler until midnight for many, many days and months and years, until I met Aaron and Casey from Verica, and they said, "Toni, let's do something bigger with Prowler and keep growing Prowler Open Source." So now I work full time for Prowler and Prowler Pro and I have a team. So we are right now four full-time engineers working for Prowler. From a side job to a real thing in the last nine months, so it has been an amazing journey for sure. From working during the nights to now a day job, being able to take care closely of everything, is amazing.

Eric Anderson: That's kind of the open source dream, to go viral and then to be able to get paid to do it. That's fantastic.

Toni de la Fuente: Yeah. It's great. It's a dream job, yeah.

Eric Anderson: So initially, Prowler was just for you, probably, to do your own security checks. Can you tell us maybe about some of the first adopters who began to use Prowler for their work as well?

Toni de la Fuente: Actually yeah, I was the customer zero or customer one, whatever. And still, I'm still customer one, we use Prowler every day, and Prowler Pro now, of course. So I remember, of course, Alfresco was our customer because I was working for Alfresco by that time. I'm not sure if I can say the names of companies...

Eric Anderson: Sure.

Toni de la Fuente: ...that are really big companies. One of the most important security training companies in the world did a very good job adding, for example, the CSV format to Prowler. And also a very large company in the internet asked for some features that I didn't even know were helpful. So that's something that I did for them in a couple of nights.
So that also made Prowler grow and be adopted by a lot of people, because they saw me taking care of the project closely. But I have seen very well known companies contributing to Prowler in the last years, even since Prowler 1, when we had 50 checks. And now that we have 250 today, I see good logos and very impressive engineers contributing to Prowler.

Eric Anderson: That's exciting. And I imagine when you hear about these big companies asking for features, you think, well, for everyone that's asking for features, there's probably a dozen others who are just using Prowler and I have no idea.

Toni de la Fuente: Yeah, so the point of having a project in GitHub, and this is not good for GitHub probably, is that you don't have full visibility of who is using Prowler or who is using your open source. So you have some basic stats and some information about the git clones, but not really the downloads. We have also some stats from the Docker registry and from the AWS ECR repository. And we get, who is... not who, but the number of downloads, git clones, pulls of the Docker images, things like that. And we have millions of downloads since day one, but on average, right now we have 1,500 a day. It's like every minute somebody runs Prowler.

Eric Anderson: That's amazing.

Toni de la Fuente: But we don't really have that information. With Prowler Pro, of course, we have more information because of our customers.

Eric Anderson: Got it. So maybe tell us a little bit about, now that you've described kind of the open source journey, at some point you realized this was maybe big enough to become a business, or to become something more than an open source project. At what time did you realize that, and what were the things you considered doing, and what did you end up doing, I guess?

Toni de la Fuente: Yeah, well, I think it was a few different things. First, because I was working a lot for my day job and also for Prowler for a very long time.
Actually, I thought that life was there, was just that, and it is not. It was like, okay, if I can pick something, I will pick Prowler and see how far I can get. And by that time, I met Casey and Aaron from Verica, two and a half years ago probably; by that time I was about to join AWS and I was excited to join AWS. Actually, I had a very good time there and I learned a lot. It was great for me and for my career to work there, to meet people there. But also, at the same time, I was maintaining Prowler and seeing the opportunity, because as I mentioned, I was talking to people, I also presented Prowler at Black Hat Arsenal. I said, okay, this can be something else.

Toni de la Fuente: And I had another conversation with Casey and Aaron and they said, "Well, let's see what we think about cloud security, about what customers are expecting from Prowler." And actually, we were on the same page in terms of philosophy for open source, for the product. We wrote a roadmap about what to do and how to create Prowler, what is now Prowler Pro. And having that alignment, I decided to leave AWS and start developing Prowler Pro and actually keep the flow with Prowler and adding more features, because Prowler Open Source is a key part, as a component, of Prowler Pro.

Eric Anderson: Yeah, makes sense. And then tell us about Prowler Pro.

Toni de la Fuente: Yeah, Prowler Pro is the result of growing the Prowler community and the number of users. And actually, we wanted to provide a better experience at the end of the day for those users or companies that are using Prowler. So not everybody wants to clone a [inaudible 00:12:09] on the internet and run commands by themselves. They want something built that they don't have to take care of, running commands or running anything. So Prowler Pro is everything that you can get with Prowler, but without having to run anything.
Basically, it is a self-hosted solution in your infrastructure and you get a nice UI with dashboards, very customizable dashboards, where you can get all the information that you need to see in minutes, your security posture and the evolution of your [inaudible 00:12:42] posture, from overall dashboards to specific dashboards based on services, or even your [inaudible 00:12:50] and different options that you can actually get with a Prowler data set, but we give you everything done and built to consume directly with Prowler Pro. And of course, with enterprise support, which is something that any company can expect.

Eric Anderson: Yeah. Maybe to understand Prowler Pro, we have to understand a little bit of how Prowler executes. So it's a Docker image that runs in some AWS environment?

Toni de la Fuente: With Prowler, it is just a command, a command line interface with which you can run the different checks, all the checks or just a group of checks, if you want to see how you are for PCI or GDPR, et cetera. But in Prowler Pro, you don't have to be worried about running anything, because it runs for you every day and you get your reports or alerts automatically every day in a nice UI. So it's like a web interface that you don't get from Prowler Open Source; you get that from Prowler Pro.

Eric Anderson: You mentioned at the beginning that when you began to use Prowler, you discovered you were operating in regions you didn't know about, and Prowler creates this, is it an asset inventory or something like it? A catalog of sorts?

Toni de la Fuente: Now, we have something that we call quick inventory, but by that time we didn't have anything. So what I did from the beginning with Prowler was to be comprehensive by default. And what I mean by that is, in AWS, by that time, we had 12 versions. But remember, I don't know if you're very familiar with AWS, but they are adding regions every year. And I didn't want to be worried about new regions being added and taking care of everything.
So I wrote the code to make sure any new region was going to be scanned. And also AWS has something called partitions. Most people listening to us are probably familiar with the commercial partition, North Virginia, Dublin, Oregon, but AWS has other partitions like China, like GovCloud for the U.S. federal government, and also top secret, and other types of partitions.

Toni de la Fuente: So also I took that into account. I wanted to make sure that Prowler could discover resources and security misconfigurations in those partitions. So with that said, what you get when you run Prowler is everything that we cover, but they are the most important services, at the end of the day, and in any region. So for example, every time... I've done hundreds of security assessments when I was in AWS, before AWS, and after AWS, and I always have found resources in places that the customers didn't know they had.

Eric Anderson: Wow, every time.

Toni de la Fuente: Every time, every time. An SQS queue in Singapore or an instance in São Paulo, things like that. I say, why do I have this EC2 instance in Paris? I don't have anybody in France working, things like that. And also with a security group open, SSH open to the entire internet; these things are very common. You can think about them like low hanging fruit, but Prowler does find all that stuff and many other very complex types of findings, for pentesting or even incident response.

Eric Anderson: Who are your users? Are these security professionals or are they developers? Is it a mix?

Toni de la Fuente: The main goal for Prowler was to be able to be used by anybody in the cloud space, of course, cloud developers or cloud infrastructure developers. But what I have seen is that cloud infrastructure developers are an important group of users, also the cloud practitioners in terms of auditors or cloud security architects. So people that are working for third parties and want to assess their own customers, and they use Prowler.
And also we see pentesters, so if you have to do some security tests in your AWS account or your customer accounts, you can use Prowler to find secrets that are going to allow you to do lateral movement or privilege escalation, internet exposed resources to see the attack [inaudible 00:17:00], or even authentication or authorization roles that are not properly set up and allow you to escalate privileges, things like that.

Toni de la Fuente: And also incident responders. I was also part of the incident response team back in AWS and we used to use Prowler when we had incidents, because in Prowler we have also severities. Every check has a severity, so you run Prowler and you get the result of the assessment and you can sort it by severity. So when an incident happens, you see the most critical findings and it's probably going to be the source of your problem. In most cases, we find the issues doing that.

Eric Anderson: If people aren't using Prowler, what are they doing? Are they just kind of left vulnerable, checking things manually? Are there commercial offerings, like closed source proprietary offerings, that do similar things?

Toni de la Fuente: There are commercial offerings out there with different types of pricing. I'm not very good at that, so I don't really know how much other commercial offerings cost, but there are many different ones. And also for open source, there are good ones like Scout Suite, like Security Monkey, but Security Monkey from Netflix is deprecated. ElectricEye or Steampipe, CloudMapper. So there are a few open source ones. I have actually a repository in GitHub, which is called my arsenal of AWS security tools. So if you look for that in Google, you can find... I maintain that repo with all these open source security tools related to AWS. And you can see them by users, popularity, and test them. So there is a good, large community behind AWS security. So there are many different tools.
I don't think there are many tools for classically [inaudible 00:18:49] as Prowler is with the number of checks that we have, but there are some good ones. I always like to recommend using all of them, or as many as you can, because that means that you are worried about your security.

Eric Anderson: Yeah. So it's fascinating. You were kind of an AWS consultant or [inaudible 00:19:07] consultant. You were working inside AWS and now you're kind of on the outside doing tooling for everybody. You've kind of played all the roles in the industry. And you went to this, was it Black Hat you said, that was kind of the first time you presented Prowler to the world, to a degree?

Toni de la Fuente: Yeah, I remember I had a conversation with Eric from Puma Security, he's also an instructor for the SANS Institute, Eric Johnson. And he said, "Toni, you should present Prowler in places because it's a great tool. So we use it and we would like to make Prowler bigger," because I didn't have enough confidence in what I was doing until he mentioned that. And also I saw the community growing and I said, okay, I'm going to send a paper to Black Hat Arsenal, and they said no. But the point is, they said no to me, but they said yes to a couple of guys that presented a tool that was using Prowler underneath. And I said, "Okay, it is fine." But I said, "Hey, remember that this tool is using Prowler underneath and you didn't give me the okay." And they said, "Okay, don't worry. You will come to Black Hat EU."

Toni de la Fuente: And I went the same year to Black Hat EU in London and I presented Prowler. And that was a very good spotlight for us, so that made Prowler more popular. And also I did a couple of talks for the SANS Institute, their [inaudible 00:20:35] summit, and actually going to events and talking about what you have done and how it helps others, because at the end of the day, this is not about showing off, it's about showing what you do to help others, regardless of whether it's for free or not.
But in this case, it's free and that is making Prowler more popular, actually. So last week, for example, we went to the [inaudible 00:20:58] talking to a lot of people about Prowler as well, talking about the coming version 3, and this is working out for us.

Eric Anderson: How does that work? At the beginning, a lot of your time is coding. And then over time, your time becomes responding to feature requests, speaking at conferences. Help us understand how you spend your time on Prowler and how that's changed over the life of the project.

Toni de la Fuente: At the beginning it was only coding, then coding and doing support, solving issues during the nights. And when you are solving issues, you can't code. So you have to pick, for example, one day or two days a week to solve issues or to respond to questions. And then, another couple of nights to actually code and evolve the code, add new features, et cetera. Then when you have a large community, many new features are done by the community; you only have to review the code, but that review also takes time because you have to test. I broke the code a few times and that is my fault, of course, because I didn't review the code properly or take the time that it requires. But also you have to choose what to do and try to find the right priority, which is always challenging. Now it is easier, a little bit easier.

Toni de la Fuente: So I'm not coding that much, but I'm doing also a lot of helpful things. I work with the team to set priorities, what we are doing in the different sprints, et cetera. I'm writing now the training that we are delivering not only next week, but also we are going to release a training portal, our Prowler training center, in a few weeks with a lot of different content to learn about Prowler and Prowler Pro from scratch, so that is something that I can do also now. So yeah, I'm doing pretty much everything because, as in any startup, you have to do too many things.

Eric Anderson: Got to wear lots of hats. Lots of jobs.
Toni de la Fuente: Too many things, but I prefer to do too many things now, working full-time for Prowler, than before, when I was doing so many things with an outside job.

Eric Anderson: So anything you would like to discuss about the future of Prowler and where the project's headed?

Toni de la Fuente: Yeah, I'd like to highlight what we are doing with Prowler Pro to simplify the way that you consume all the data that we generate with Prowler and to get rid of the hassle of running Prowler, which is not difficult, but we do that automatically with Prowler Pro. And also the work that we are doing with Prowler 3. I said at the beginning that it is going to be a game changer, and that is because it is going to be 10 times faster. So people love Prowler, and that is fine, but Prowler can be faster. Prowler 2, what we call the current version, can be faster. The point is, when I started running Prowler, I didn't want to deal with API limits and all that stuff. So I said, okay, I prefer to go slow but correct.

Toni de la Fuente: Now, with Prowler 3, we are doing things in a different way and we increase the speed like 10 times, at least. Only 10 times with a kind of default setup, so that is coming in the next couple of months. Actually, next week at DEF CON and BSides Vegas, we are going to be there teaching Prowler 2 and Prowler 3, and how to write checks in Prowler 3. We have designed a new architecture for those new checks in Python, which is even more powerful. A lot of things are coming: Prowler 3 with the new features, but also once we have that, we are going to release a couple of new features inside Prowler 3 that are going to help our users to improve their security posture, because at the end of the day, what we want to do is to be a driver for their security. So if they don't know what to do in their cloud, run Prowler and Prowler will tell you. And also the new version is open for new providers, so we are opening the door to others other than AWS.
Eric Anderson: Oh, that is a big deal. So by the time this episode airs in a few weeks, you'll probably have finished your talk at DEF CON and folks can maybe go find that talk and learn how to make checks in Prowler 3. So you said that it will allow for other providers. I assume that means you won't have included other providers just yet; that's open to the community to contribute those, or maybe down the line someone will.

Toni de la Fuente: Actually, the architecture of Prowler 3 allows new providers. We are writing a sample provider to allow the community to write their own checks. Actually, we are in conversations with some of the other providers because they want Prowler for them as well.

Eric Anderson: Totally.

Toni de la Fuente: Something that we have seen, and this is very cool, actually, when you lead an open source project, is that a company like AWS is using Prowler, and other cloud providers are saying, okay, if we have Prowler for us, we can drive also customers to us because they are comfortable running Prowler.

Eric Anderson: Got it.

Toni de la Fuente: And we have seen that happening, so that is one of the reasons we are opening Prowler to other clouds. So hopefully in a couple of months, we can say that we are multi-cloud.

Eric Anderson: Yeah, well, one of my first open source contributions was when I was a PM at Google Cloud and I added support, a Google Cloud provider, to... it was a data infrastructure project, and interestingly enough, it was an Eric Johnson, a different Eric Johnson, who was kind of encouraging me to do this. So yeah, that should be quite an expansion vector for you.

Toni de la Fuente: Yeah, that would be important. Yeah, we are looking forward to having it done and keep growing in number of checks. So I said we have 250 checks, but we want to end the year at around 500 if possible, yeah.

Eric Anderson: Wow.
Toni de la Fuente: Across all the clouds, but yeah, it's going to be easy to grow the number of checks and add more checks, not only for, okay, tell me if you have this service properly configured, but also doing automatic pentesting and more incident response checks.

Eric Anderson: Looking back, Toni, it seems like you did all the right things, you picked the right jobs and you made good decisions with the open source project. At the time, was it clear to you that you were making all these right decisions, and are there learnings from the process that we could all benefit from?

Toni de la Fuente: Yeah. I've done many things wrong, of course.

Eric Anderson: Sure.

Toni de la Fuente: And I'm not sure if this is right or not. What I'm sure of is that I'm having a good time, so time will tell. But I did a project, back in 2006, when I was working for Telefónica here in Madrid. I wrote a tool called PHP [inaudible 00:27:42], which was RADIUS... you know the RADIUS protocol? A RADIUS front end with public infrastructure, some different components to harden and secure WiFi networks. By that time, the WiFi networks were like a wild space.

Toni de la Fuente: I released that project as open source and I quit. I said, okay, I don't want to manage it, but many different users were starting with the project and asking me a lot of questions from around the world, because by that time, remember, we had SourceForge with SVN and all that stuff. And over the years, I always regretted quitting that project, or stopping maintaining the project, because it was a good time for that project. But I remember I changed to another company and I didn't have time, and I didn't want to have the same feeling again with Prowler. So I said, okay, I have to invest and push for Prowler and see how far we can get, so that is one of the other reasons.
Eric Anderson: Also, you were at AWS when you were working on Prowler. Did you ever wonder, would AWS want to kind of invest in Prowler, pick this up, put resources behind it? Apparently, that didn't happen very much at the time.

Toni de la Fuente: Prowler is a tool that is being used internally in AWS, so I can say this because it's public that AWS uses Prowler for the security assessments, among other tools and other solutions, of course. But when it comes to doing an assessment, Prowler is very convenient because it doesn't touch your infrastructure. So you don't have to enable anything to get a snapshot of your security. So that is the difference between Prowler and other services that you can find in AWS, like Security Hub or even AWS Config. I'm not saying that those services are not good at all. So they are the right tools, but with Prowler, you don't have to touch them to see what you have right or wrong; that is why they are using Prowler. And actually, one of the biggest contributors to Prowler and to the checks is AWS. I have a lot of ex-colleagues and friends, very good friends, there and they are contributors to Prowler. So I'm so glad that we are still very close and they're still using Prowler. And actually, we support them anytime that they need it.

Eric Anderson: Fantastic. Toni, as we kind of wrap things up here, anything we didn't cover that you wanted to cover?

Toni de la Fuente: Just to thank you for giving me the opportunity to talk about the project, Prowler Open Source and also Prowler Pro, and I'm open for any other conversations.

Eric Anderson: Yeah, maybe a few words on how people can get involved. Certainly they can go to GitHub and check it out, but also they can go to Prowler Pro and experience it maybe more easily. Is there a community place as well?
Toni de la Fuente: They can go to prowler.pro and we have the links to the GitHub and everything there; this is the easier way probably, or look for "Prowler Open Source" or "Prowler security AWS" in Google and it's fine, but it's GitHub, prowler-cloud/prowler, where we have everything. And they can find me also on Twitter as toniblyx, T-O-N-I-B-L-Y-X. I have DMs open and also there is the link to the project there, so it is easy to find us, I think. I hope.

Eric Anderson: Yeah. Thanks, Toni. Very fun and exciting story. Congrats to you and good luck.

Toni de la Fuente: Thank you. Thank you very much, Eric.

Eric Anderson: You can subscribe to the podcast and check out our community Slack and newsletter at contributor.fyi. If you like the show, please leave a rating and review on Apple Podcasts, Spotify, or wherever you get your podcasts. Until next time, I'm Eric Anderson and this has been Contributor.