Console #82 -- RosettaBoy, Fosscord, and Shisho

An Interview With Takashi of Flatt Security

Projects

fosscord

Fosscord is a free open source self-host-able discord compatible communication platform.

language: JavaScript, stars: 2936, watchers: 81, forks: 83, issues: 7

last commit: November 22, 2021, first commit: January 27, 2021

social: https://twitter.com/fosscord_/

repo: https://github.com/fosscord/fosscord

shisho

Shisho is a lightweight static analyzer for several programming languages.

language: Rust, stars: 261, watchers: 2, forks: 9, issues: 24

last commit: October 21, 2021, first commit: July 28, 2021

social: https://twitter.com/flatt_sec_en

repo: https://github.com/flatt-security/shisho

rosettaboy

rosettaboy is a gameboy emulator in several different languages.

stars: 101, watchers: 6, forks: 7, issues: 12

last commit: October 22, 2021, first commit: December 07, 2019

social: https://twitter.com/shish2k

repo: https://github.com/shish/rosettaboy

---

An Interview With Takashi of Flatt Security

Hey Takashi! Thanks for joining us! Let’s start with your background. Where have you worked in the past, where are you from, how did you learn how to program, and what languages or frameworks do you like?

I started programming when I was 11 (or 12). It was just for making games or creating Web pages at first, but eventually, I wanted to explore how computers work rather than doing something on them. So I earned a bachelor of science degree in computer science at the Department of Information Science, the University of Tokyo.

Now I work as CTO at Flatt Security Inc. The primary programming languages are Go, OCaml, and Rust. I really, really love them!

What was it like starting at a company and eventually becoming it's CTO?

I'm one of the earliest members of Flatt Security after pivoting from e-commerce to cybersecurity.

First, I committed myself to launching an e-learning platform on cybersecurity for Japanese developers. I did everything for this product; I interviewed beta users, coded a lot, learned web design stuff, researched business models and growth strategy, and tried to find out a better way for team management. These days allowed me to sharpen my skills in both technical and business aspects.

After making it generally available, I became CTO and started a new project for world-wide developers. That’s Shisho :-)

What’s your most controversial programming opinion?

Someone may think that knowledge of low-level programming is useless for Web developers, but I don't. 

It's certainly true that we have so many abstraction layers between Web applications and OS kernels that Web developers don't need to care about OS in their work. However, the deeper you know about lower layers, the faster you can learn about higher layers! Consider Site Isolation, a feature of Chromium, for example. It would be gibberish to developers without low-level programming skills, but it would look intuitive to ones with the skills.

If I gave you $10 million to invest in one thing right now, where would you put it?

I would probably invest in information security vendors who could lead developer-first security like us! :-)

What about developer-first security makes you think that it is and will be a valuable business?

Security tools haven't followed the trend of code-first/API-first approaches yet, and there is much room for the improvement of user experiences! It is for this reason that I feel this business is valuable for developers.

Additionally, as reported by Battery Ventures (https://www.battery.com/opencloud-2021/), IPO valuations of related fields are growing and growing. I believe this fact shows how high expectations the market has!

What are you currently learning?

Quantum Computing, because I’m participating in a project to create a Rust-like quantum programming language.

What have you been listening to lately?

Japanese Hip-Hop.

Care to share any of your favorite artists?

Here's a list of my favourites:

"Selfish" by Ralph

"The Choice Is Yours" by RHYMESTER

How do you separate good project ideas from bad ones?

I feel an idea is good if and only if I can imagine that it solves someones' problem in the simplest way (i.e. problem-solution fit). 

Why was Shisho started?

It’s because modern security tools are not kind to normal developers.

In daily work at Flatt Security Inc., some of our customers told us that they didn't have an easy-to-learn tool to detect misconfigurations of public clouds. After we heard that we did some more user interviews, we found that many software developers struggle with user experiences of related security tools. The deeper analysis made me realize that the tools report well, but they do not support fixing issues. We started the Shisho project to solve this problem.

In the project, we’re developing Shisho Cloud, a SaaS platform that helps you keep your public clouds secure. As a foundation of the platform, we’re also working on Shisho, an open-sourced static analyzer that helps us find and fix code with custom rules. 

Where did the name for Shisho come from?

It came from a Japanese word 師匠, which means “a professional” in English.

Who, or what was the biggest inspiration for Shisho?

Open Policy Agent, Semgrep, Coccinelle, and Comby.

Are there any overarching goals of Shisho  that drive design or implementation?

The goal of Shisho is to enable you to define policies on your code by yourself; it provides a way to create a custom lint rule for various programming languages, allowing you to automate tailored code reviews. 

What trade-offs have been made in Shisho  as a consequence of these goals?

Considering that users of Shisho may have different backgrounds, it must be easy for anyone to understand. Therefore, to keep the whole simple, I purposefully omitted complex features like data-flow analysis and focused on designing extremely intuitive DSLs to write a custom lint rule instead. 

What is the most challenging problem that’s been solved in Shisho, so far?

The most challenging problem is to provide the way to transform code with another user-supplied code pattern as follows: https://docs.shisho.dev/learn-shisho/04-rewrite-option

How is Shisho intended to eventually be monetized?

Shisho itself will be free and open-sourced forever.  Shisho Cloud is now available for free, but we’re planning to add a paid plan in the near future.

How do you balance your work on open-source with your day job and other responsibilities?

The development of Shisho is now part of my day job. We, Flatt Security, are proactive in publishing what we've built internally as open-source software.

What is the best way for a new developer to contribute to Shisho?

The best way to contribute is to file a bug report or to request a new feature in GitHub issues. If you’re a Rustacean, please find a good first issue, and tackle it! https://github.com/flatt-security/shisho.

If you plan to continue developing Shisho, where do you see the project heading next?

I’m going to provide more language support in Shisho. YAML/JSON support will be coming soon, and after that, Bicep/CEL/Nginx support will follow :-)

What motivates you to continue contributing to Shisho?

I believe that the mission of Shisho I talked about above must be achieved by someone, including me. This feeling motivates me strongly.

Do you have any other project ideas that you haven’t started?

I wanted to create an authorization microservice inspired by Zanzibar by Google, but currently I haven’t started to write code yet since I recently noticed some open implementations like SpiceDB by Authzed (https://github.com/authzed/spicedb) or Keto by ORY (https://github.com/ory/keto) are actively developed right now. 

Do you have any suggestions for someone trying to make their first contribution to an open-source project?

The easiest contribution is to give feedback on your experience to authors. Next is to file a report on a bug you encountered. I recommend you start with these two actions.