Authentication With Stina Ehrensvärd

"Stina Ehrensvärd: If you don't have a solid door to your house, someone was just going to walk in there. We came up with the concept of using strong public key crypto and hardware. We are building a very secure iron door. The open standards are critical for adoption and to ensure you do the right thing. A lot of people looking at the same thing and scrutinising and if the question is good. The hackers are always in front of us and will hack systems. If it is an open standard, there will be more people who can identify when there's a problem and solve it.

[INTRODUCTION]

[0:00:39] Guy Podjarny: Hi, I'm Guy Podjarny, CEO and Co-Founder of Snyk. You're listening to The Secure Developer, a podcast about security for developers, covering security tools and practices you can and should adopt into your development workflow.

The Secure Developer is brought to you by Heavybit, a program dedicated to helping startups take their developer products to market. For more information, visit heavybit.com. If you're interested in being a guest on this show, or if you would like to suggest a topic for us to discuss, find us on Twitter @thesecuredev.

[INTERVIEW]

[0:01:10] Guy Podjarny: Hello, everybody. Welcome back to The Secure Developer. Today, we have with us Stina Ehrensvärd from Yubico. Welcome, Stina.

[0:01:18] Stina Ehrensvärd: Thank you so much for inviting me here.

[0:01:19] Guy Podjarny: Thanks for coming to the show. I've sort of know you from the Yubico world, the YubiKey world. Can you just introduce yourself a little bit? What you do, maybe how you got into it, and tell us a bit about indeed, Yubico, and what to do.

[0:01:31] Stina Ehrensvärd: Okay. I have a background in product design. When I went to college, a guy, an electronic computer engineer approached me and gave me a working prototype of one our designs. I knew that was my man, I married him.

[0:01:46] Guy Podjarny: Love at first prototype.

[0:01:47] Stina Ehrensvärd: He was 15 when he built his first computer. At the time, he was 25, and just designed the security system for the largest nuclear plant in Sweden, including my design that I did at college. Other guys had given me flowers and dinners, and Jacob gave me a prototype that's much more useful anyway. Since then, we've been working in this crossroad between industrial product design and innovation with a focus on security. We started as consultants, and we came up with ideas.

The YubiKey and the Yubico mission actually came to us 11 years ago. It was an odd story. I was logging into my online bank, and Jacob said that it would take him one and a half day to write the code that would hack my bank account. To check with the bank what they would about this problem, I called them up, called the customer service, and I got the response, "Can you please tell your friend to not do that?"

[0:02:42] Guy Podjarny: However [inaudible 0:02:43].

[0:02:43] Stina Ehrensvärd: It sort of triggered me and Jacob to figure out what could Jacob not hack, and what was there to – what was the thing that we needed to crack. The only thing that Jacob could not hack at the time was smart cards, public key crypto, strong authentication, a proven technology that's been around for 30 years, it's the same technology you see in SIM cards, and pin, and chip cards, but they were not designed for the web. They were not designed for mobile, and really for users.

We came up with a concept of using strong public key crypto and hardware but simplifying. You didn't need any client software or reader. It identifies itself as a keyboard. That was the first invention, and then you touch it. So, you show that you're real human. We made it in the form factor of a USB key, instead of a card. Because then, you carry the reader with you. You don't have to have an external reader. It was a long, really difficult journey to convince the world at the time. Because at the time, everyone said, "Oh, the phone by [inaudible 0:03:44] and user behaviour, that is completely the future. SMS had just launched, and there I was with my little USB key and no one cared. Literally, I was like, "Okay. " People even said, "Sorry, you're dead." This is the nineties, why are you coming with a USB key?"

[0:04:01] Guy Podjarny: It feels nice sometimes to prove people wrong in that sense.

[0:04:03] Stina Ehrensvärd: Yes. You know what? People do question why we need hardware. But, well, anyway, I just say, "Okay. Is there a more easy and secure way to pre-user credentials?” Anyway, what we came up with needed a global standard to make the mission complete. The mission of Yubico and the YubiKey came from the same word that we pick for our name, the word ubiquitous, which means everywhere. A key that would enable you to log in and access everything, your computer, your networks, your online services, just like you can go with your credit card, and buy in all stores, and with your driver license, and driving old cars.

[0:04:41] Guy Podjarny: Was it meant to be a replacement or an augmentation? I mean, was it meant to be like the two-factor auth, or to be everything in one. This is the way you authenticate to the web.

[0:04:52] Stina Ehrensvärd: It was definitely an augmentation. Our biggest competitor is not everything two-factor. It's still a username, password, used by 90% of services. Everyone else out there, the smart cards, the one-time password tokens, the push-ups, SMS has actually helped educate the market. But they've all – the hardware devices have been too complicated, and the software solutions, SMS, and push-ups, and anything that you download on a computer or phone is not secure enough. But they've all had an important role in getting there. To go from some other two-factor authentication method to the YubiKey is much easier than convincing people they need to go from using passwords.

[0:05:34] Guy Podjarny: And you get the advantages of indeed, hardware design that we don't appreciate much, although we use it on everyday life, of being what you want. It's just there, it's just on the – it's plugged into your laptop, you just touch it, and it goes.

[0:05:44] Stina Ehrensvärd: We came up with this simple user experience first, and then we realised, "Okay. On order for this technology to scale, everywhere, the glue is missing. How do you attach this to a service, and then you can log into any number of services?" And Google had started buying our product. They started to buy our one-time password product.

[0:06:02] Guy Podjarny: For internal purposes, or just for internal use?

[0:06:04] Stina Ehrensvärd: Internal purposes for their own internal staff. We were aware that was not the ultimate product that we could invent. It didn't have NFC for mobile. I wrote my first business plan. I'm not from the business world at all, so I'm not even sure how you write those plans. But I wrote one page, I think it was even half a page, I said, "We're going to move from Stockholm to Silicon Valley, and we're going to scale our technology through working closely with the tech giants through the platforms, and the browsers. So it gets integrated directly into the technology that's used by billions of people." In that way, we don't have to have 100 salespeople and hundreds of marketing people. We just have to work with 10 companies or even less.

[0:06:46] Guy Podjarny: To an extent, you took the advantage of the hardware design, which is – you can design it to sort of fit the literal physical need, and I love that, and the notion that I'm often an advocate around making security easy. Just sort of making it, hopefully the default, but even if not default, at least, sort of a very easy action. But I guess, now that you're in hardware mode, you have to also ensure that the sort of the software components on it are sufficiently universal, sufficiently enforcing because you can. You're not going to carry around 10 of these YubiKeys and kind of plug in the right one at any given time.

[0:07:17] Stina Ehrensvärd: Actually, a few years ago, someone told me, they could identify people working in the financial sector, and Wall Street on the size of their pockets because they were carrying all these tokens. That, we wanted to avoid. Now, a lot of people have had some kind of phone app instead. But they have been increasingly vulnerable. and Google had seen that. They were seeing phishing attacks. They started using our one-time password device, and we approach them with this idea of adding public key crypto and NFC. This protocol of enabling one single security key to access any number of services with no shared secrets. It took some time for us to convince them. But finally, we did. The initial use case for Google was just their internal users. That's where they had a budget, and that's where their needs initially –

[0:08:04] Guy Podjarny: Yes, keep themselves as secure.

[0:08:05] Stina Ehrensvärd: The results were so great. I mean, the results were amazing. Together, with Google, we contributed the code to an organisation named FIDO Alliance that had started just a few months earlier.

[0:08:16] Guy Podjarny: What does FIDO stand for?

[0:08:17] Stina Ehrensvärd: It stands for First Identity Online. It started with a similar, but a slightly different authentication protocol. It was more focused on the same sort of mission, "Okay. How do you make it easy and seamless for everyone?" But the initial focus was biometrics and phones. While our focus was hardware security keys. It's been a challenge, and fun, and amazing journey, sort of working with these standards bodies, and all these organisations sort of moving things forward.

[0:08:46] Guy Podjarny: That sounds like quite a feat. So you're there, you're sort of this tiny startup, you're coming along, you're driving a mindset, or maybe a slice of the world of security. Trying to drive more secure authentication and identification in your work with Google. That's sort of a good moment in the sense that they, as a customer, there are pretty good customer to have. I know you're trying to work with these standard bodies. How was that like? Maybe if I can even ask what was the primary driver? I mean, what was the mission inside the organisation, saying, "We'll go through what I believe or sort of what I must suspect was somewhat painful times, which is mobilising a standards body at the pace of a startup.

[0:09:24] Stina Ehrensvärd: Yes. I mean, to convince, and gather, and sort of get all the leading tech giants into the same room, agreeing on something was a very –

[0:09:33] Guy Podjarny: That sounds easy. That sounds very –

[0:09:36] Stina Ehrensvärd: I don't want to go into detail, because they're all my friends and customers, but we had some sort of cool stories where they didn't really trust each other. So they use Yubico to sort of walk between and be the middleman. I sometimes see ourselves as sort of the small Switzerland in this giant tech world. We were this little company that had great ideas, but we were not a threat to anyone. I think that was also the key to our success. We could walk between and solve problems. We were very hands-on, we build code, we wrote 90% of the U2F code, we put it out there. We build test tools and servers. We educated the world. After Google made support, we convinced GitHub, and Dropbox, and Facebook, and we just keep pushing While the world was screaming, saying, "Oh, that's not the future of security keys, they're not the future of something else." We just were focused and said, "Yes, whatever the else is, we will need hardware too."

I mean, I'm absolutely think; yes, biometrics; yes, user behaviour, or geolocation, or all the other things that you may want to add to track and monitor user, that will add another layer of security. If you don't have a solid door to your house, someone was just going to walk in there. Even if you have a good camera watching, "Oh, someone is walking into your house." But you can, they're already locked in.

[0:10:55] Guy Podjarny: Yep, they blocked the door in.

[0:10:57] Stina Ehrensvärd: What we're trying to do is basically put out that door. I mean, a username and password is like putting up a latch, you can just kick it in. What I'm trying to describe this for my kids, I got three kids, we are building a very secure iron door.

[0:11:13] Guy Podjarny: Yes. It keeps people absolutely out of the –

[0:11:15] Stina Ehrensvärd: Yes. You need a speciality key to get in there. If you don't have the key and the door is – it's just going to be really difficult. But it's of course, it's not impossible.

[0:11:23] Guy Podjarny: What you're trying to get, or what you did actually get, all these companies to sign in. Is to basically subscribe to fight over to this standard, the end result of which that you can now authenticate with any authentication device that supports that act as the client in that. Is that correct?
[0:11:38] Stina Ehrensvärd: Yes. I mean, we were the first to develop the authentication device. Now, there are others. We put up the code and worked with Google. Now, also, actually, Microsoft has made a fantastic contribution. Because our initial protocol was just focused on combining the key with a username password. The vision was to say, it doesn't have to be a password, it can be biometrics, or nothing. The key was something that you are or you –Microsoft have now – the FIDO U2F protocol have evolved to something called FIDO2, which parts of it is in W3C, and under the name WebAuthn. But to respond to your question, there are authentication devices, and there are free open-source servers that any company can integrate. Yubico provides these servers, it takes a couple of days to make support for it for free. Then there are the browsers and the platforms that make support. But those are not so many, there are handful.

When the platform and browser got supported, it's so much easier for both the device providers and the servers to make support in the backend. We have fantastic results. Since Google deployed this for all their staff and contractors, they had zero account takeovers, literally. Not one single successful –

[0:12:52] Guy Podjarny: That's a good number.

[0:12:54] Stina Ehrensvärd: – Successful attack, and they were able to reduce support with 92%. I was like, "Where did that fantastic number –?" Because I didn't expect that. They said, "But we figured out that independently if you only have one key, or one phone, or one card to log into some, users will lose it. But if you give everyone two or three – one, we actually design one that sits in the computer, one you put on a keychain, one you can put in a wallet, then the number change, because then, you have a backup. And if you make the backup weak, that's where the bad guys will come in.”

[0:13:27] Guy Podjarny: Yes. That's the forgot your password hack, or whatever it is that, secret questions. You have this Uber sophisticated password, and then your secret question is your date of birth, which you can – it's not that many options when you can guess the person involved. I love the impact of it. I feel the world of security tends to be very self-interested, or just like much more opaque in many aspects. Not necessarily as collaborative, not for bad reasons, just a security scary. We're not that far from the time in which people thought that even like the best crypto algorithms were the ones that nobody knew about.

Today, we're in a different era, and crypto algorithms are open source, so they're better for it, they're sort of they're vetted, and the likes. But as a business, many companies would have said, "Hey, I have this YubiKey, and I'm trying to support, and I will do the grunt work of authenticating with the, whatever it is, gazillion different protocols out there, and it would give me a competitive edge." I guess, was there a core principle, or how did you sort of keep the perseverance to it. To an extent, you're sort of giving up some kind of core concept and core advantage maybe that you have in this YubiKey to help improve the general ecosystem security by driving it.

[0:14:36] Stina Ehrensvärd: That was a decision we made. We said – it was actually very similar decision that Volvo made when they invented the seatbelt, which was solving a problem 60 years ago. The cars were not designed for security. The Internet was not designed for security. There was an inventor at Volvo who said that he had made some research and come to the conclusion that users do not want to be uncomfortable even for a minute. Whatever the seatbelt will be, it had to work within a second with one hand. That was the [inaudible 0:15:06] for the three-point seatbelt he invented.

Then, he went to the Volvo board and said, "We should not keep this great invention by ourselves, we should give it to the world. Every single car on the planet should have this because it will save millions of lives." He's an inspiration to me. I think he just said the right thing. You have to take that bet and trust that you can build a business and will have customers even if you're giving up some IP. We haven't given up every piece of our IP in the company, but we've given up the standards piece. That is the crown jewel of our invention.

We are extremely proud and happy of that. This is how I've been able to recruit the coolest engineers on the planet. But this is how I say, "Okay. Do you want to have important job? Do you want to help to secure billions of people? I think that is a very good way.

[0:15:55] Guy Podjarny: Yes, that's a pretty good mission. When we get some pretty committed people.
[0:15:59] Stina Ehrensvärd: Then, they say, "How is Yubico going to make money?" I said, "Yes, eventually, we'll have competitors. Eventually, it will be built in directly linked into computers, and phones. But there are seven billion people out there, and if we get a fraction of those, we're going to be really good.

[0:16:12] Guy Podjarny: Yes. I think oftentimes, also the expertise, the people driving the standard, first of all, help influence the agenda. Your vision, and your alignment, you're generally always a few steps ahead of the world, because you understand it in that very, very few people and entities do. So, you can plan ahead, and then you can also help indeed to chart that path because that's what you believe is next. But still, that's sort of an amazing sentiment and mission to do it. I think, one to applaud, not one that happens every time.

I think we see some initiatives, you look around now, you'll see things like, Let's Encrypt, that sort of helps establish standardising the creation of certificates, or so the certificate authority. They didn't invent anything, necessarily, except maybe some automation components. But sacrificing a potentially profitable or sort of good moneymaking certificate authority business in favour of doing something that expands the use of HTTPS, and TLS in the world, I think is positive. Hopefully, we'll see more of those.

[0:17:11] Stina Ehrensvärd: I'm actually very optimistic about the world's future. I'm seeing a lot of these sort of sharing community efforts in many aspects. The work we are doing is one of many. I mean, many of many standards work and collaboration projects I'm seeing across the planet. Where people actually want the world to be better and contribute. I mean, the whole Linux thing, there is this community, they don't just give because you want to be part of something bigger.

We've been fortunate, which has been very helpful for us to actually be able to build a business around it and was also necessary, because we needed the feedback from customers, and customers needed a product. When you have a product, you can actually earn some money. So it was, in some way, really helpful that we were a corporation, in order to – if we had been completely nonprofit, we wouldn't have been able to put out the product there and get the feedback, and work with these customers on their problems. There are times I feel like, are we are a corporation or are we a nonprofit? I think we're sort of both right now.
[0:18:12] Guy Podjarny: Yes, that's fine. You're a corporation with a good mission for it, and that's a good one. I'd love to dig in on one specific aspect of it. This is, you have the standard. These standards are sort of their authentication standards. They're not identities. Can we talk a little bit about that? What's the difference between the authentication standards versus who you are, or sort of your identity?

[0:18:33] Stina Ehrensvärd: Authentication is basically the same person coming in again. It's the key to your house, it doesn't say, "This is Guy's key." It's just the key, and it has, in the digital world, it has a number with identity that's you. The stuff that's on your driver's license or other means of personal information. We don't do that part, but it is important to combine those pieces. We got a grant from NIST two years ago to figure out how we can combine the FIDO U2F with identity for – you can't even say this in America. In Sweden, where I come from, we can. How would a national ID system that is not owned and controlled by the government or by corporations, how could that look using the standards in tying the users' identities to it in a high security, high privacy way? We have figured out some cool ways to do it, and we're now deploying this with our first users in California.

[0:19:27] Guy Podjarny: That sounds amazing and scary.

[0:19:28] Stina Ehrensvärd: Yes. I mean, don't really personally want to go into the identity space. But there are ways to ensure that you keep your users' data fairly secure, and don't collect too much data, just the data you need.

[0:19:41] Guy Podjarny: Hopefully, there's means to do it. I guess, at the end of the day, we're kind of in a world of federated identity. It's just not a single federated identity. There's a bunch of them.

[0:19:49] Stina Ehrensvärd: The FIDO U2F protocol that is now becoming FIDO2 protocol is actually a very good complement to the federate identity. The federated identity allows you to have a lot of identity data, and go to many places, but it didn't really solve the authentication problem. The federated identity idea is like Facebook Connect. With Facebook Connect, you can go to a lot of places, and you don't have to sign up for these places. If you tie a security key to Facebook Connect, now, you can securely login to these places, but you're still using federated identity.

We have a strong collaboration and actually hired members of the OpenID and SAML communities into Yubico to sort of figure out our next-generation protocols because we were innovators. How do you tie federated identities with this authentication piece in the most high-security, high-privacy way. Our mission is a user-owned identity, where you own and control your identity, and give this to service providers. Just the way that when you come into a store, and show your driver's license, you choose when and how to show too. It doesn't necessarily stay with an identity provider.

[0:20:57] Guy Podjarny: Sounds like an area that definitely requires the very least. Some better solution right now, where we are currently.

[0:21:03] Stina Ehrensvärd: We're still figuring out what we believe, again, in open standards. The open standards are critical for adoption, and to ensure you do the right thing. A lot of people looking at the same thing, and scrutinising, and the question is good. We are living in a time when you should not buy Black box security. I would not recommend anyone to do that. "Oh, I am the big brand. Go and trust me." That doesn't really resonate.

We have to remember that the hackers are always in front of us, and will hack systems. If it is an open standard, there will be more. If it's open source, it will be more people who can identify when there's a problem and solve it, and in transparent, and agile way.

[0:21:42] Guy Podjarny: A bit of a side question for it. This is the technology and the technology evolution to it. I think to an extent, we're seeing trends, like two-factor auth get stronger. It used to be something that was very niche. Now, it's much more sort of standardised, or accepted in whatever means there are. What do you see in terms of adoption trends or changes? Do you see hardware supported, or even software supported if we can multi-factor authentication better, security controls growing substantially? Are we still like 99% passwords, and we're just living in a little bubble?

[0:22:15] Stina Ehrensvärd: I would say, maybe not 99, but not far away. I mean, the vast majority. I think Google put out some stats saying, you know, only 10% of the users had turned on. It has very good effect, which is interesting because we’re humans. We're not really interested in adding anything that we believe is a little more complex. We've really figured out okay, people believe it's difficult, but this is actually easier than a username and password. Because once you register this to Facebook, for example, Facebook have set it up, you only have to do it once. You blast it to your phone, and you bless it to computer, and then you don't have to touch your key, you can put that in a drawer unless you move to a new computer.

Then, you got strong two-factor authentication without having the need for logging in with a complicated username, password, or you can literally just open your computer and it's secure. But, I don't know. To answer your question, the world needs more hacks. I don't want to say it, but –

[0:23:14] Guy Podjarny: Some more scars.

[0:23:14] Stina Ehrensvärd: – every time there's been a major hack, then my logistics team comes, "Stina, did you have a marketing, marketing push or something?" I said, "Oh, no, there was just a big hack." Then, the other is, I think actually the GDPR even if it's sort of just in the start. This is in Europe. Requiring corporations to take care of user data in a thoughtful way. If they're hacked, it will be a big fine. It's a good start.

What I don't like with GDPR now is that it's sort of fuzzier, what you actually should do. It's sort of the consultants and bureaucracy of getting there. But the intention, okay, you need to do something, or you will be fine. I think the next step is that they would say, and you actually have to have to factor. or you have to have whatever the recommendation is.

[0:24:01] Guy Podjarny: Right. Set the standards for it. I think what I like about GDPR is just the lines, the incentives a little bit. So, means aside, just the fact that the fine is bigger, it's big enough to care more. I think at the end of the day, that's maybe one of the most important in my mind. One of the most important aspects of it is that, before the fines were too small, the price to pay from like a direct cost, and sort of penalty that you have to pay if you mishandled, if you underinvested in keeping your users’ data secure or private for it, it was just too low. It was easier, or better business-wise wise to just not invest in it if you didn't fuss about it too much.

[0:24:37] Stina Ehrensvärd: Now, when going back to the seatbelt, after they invented the seatbelt after they did a standard, the government came in, and put out these regulations. First, it was just mandatory. Now, they're beeping and really annoying. Like, “Oh, you put on a seatbelt.”

[0:24:51] Guy Podjarny: First, people complained, and they're like – when I was growing up, I wasn't, whatever in the backseat, it didn't have seatbelts and whatever, the boosters. They evolve.

[0:24:59] Stina Ehrensvärd: I mean, the reality is, seatbelts have saved millions of lives, and two-factor have already proven to be good and is not the only security problem on the planet. But it's by far the biggest one. If you read all these breaches that are in the news, 80% to 90% of them are due to a hacked password, or a weak credential in some way. The most sensitive part is someone logging into a server. If I have a recommendation or company and say, "What should I do?” I just say, "Start securing your privileged users, your admins with two-factor.” That's a very small investment that can have very big impact for a company. You can go and get these keys on Amazon, and from Yubico, and other companies, it's a small investment, it's not difficult. Then, you can set it up within hours, and days, depending on the backend infrastructure.

[0:25:48] Guy Podjarny: Yes. It pays dividends, I think very, very quickly. I guess I'm looking forward to see even further evolutions from YubiKey because I believe in what you were saying around people, or I guess, you were sort of attributing this to the seatbelt creator. People don't want to be uncomfortable, even for a second. I think as, we make it more, and more convenient to them. And maybe on the other side, we make it inconvenient to not do it, whatever prompts you again and again, that you have to turn on, that other security control. But the better you design, you and Jacob apply, join minds with him, and sure, an incredible team now to figure out other means of just making it so streamlined, that you don't even think about it, but you do the secure thing. I think that would sort of help move us in having the 90 some percent to be on the other side of the equation.
[0:26:30] Stina Ehrensvärd: No. I mean, I started this journey together with Jacob. I'm thrilled, and excited, and honoured with the global community we're working with today. We work with some of the smartest people at these tech giants, and these open standards bodies who really share the same love for the internet. I know, the first time I actually log into the internet, I almost have like a spiritual experience. I said like, "Oh, I grew up in Sweden, we're not religious." But I got this sense like, here, we are connected. Here's this place where we have endless information for all of us to tap into. Isn't that God? Isn't that what someone says is God? But I got goosebumps, and since then, I've loved the internet. I think it's a vital infrastructure for democracy, and collaboration, and sort of the next thing mankind can do.

I'm here as one of many to help to secure its future and to stay open. Because some of these security discussions are like, "Oh, we need to lock down the openness, because that's the only way to make it secure. To ensure that you can have good security with good privacy, that's the difficult mission.” But the one that we have just started in a few years from now, we will see the results.

[0:27:40] Guy Podjarny: Indeed. Before I let you let you go here, I have a whole bunch of other questions. But I think we're already kind of a little bit over time. I'd like to ask every guest on the show. If you have sort of one piece of advice, or sort of some word of wisdom to people looking to sort of level up their game, specifically on security, but maybe even broader, what would that be?

[0:27:59] Stina Ehrensvärd: Level up? The game is to stay optimistic. I've met a lot of people who are cynical about the world, and where we're going. I am unfaltering optimists that believe that mankind, yes, we are good at creating problems, but we are as good at solving them together. When you tap into that mindset, and that energy and sort of find that community with people in pairs who want to solve the same problem, it's just a really inspiring thing to do. Don't give up and don't be demotivated, the world will be more secure, and we can all help. The best way to actually be part of this movement – I'll call it the movement, is to engage in open-standards work, download the open-source code, go and build products around the standards and figure out what we can do next.

What is the trust model that we could build when people can start to control their own authentication and identity? What are the new payment methods, and IoT solutions? What can grow and flower from this? I am so curious to see what will come from these inventions and to see what actually Yubico have created.

[0:29:08] Guy Podjarny: That's a very good message to have. Well, thanks a lot, Stina for coming on the show.

[0:29:12] Stina Ehrensvärd: Thank you.

[0:29:12] Guy Podjarny: Thanks, everybody for tuning in and join us for the next one.

[OUTRO]

[0:29:17] Announcer: That's all we have time for today. If you'd like to come on as a guest on this show or want us to cover a specific topic, find us on Twitter @thesecuredev. To learn more about Heavybit, browse to heavybit.com. You can find this podcast and many other great ones, as well as over 100 videos about building developer tooling companies, given by top experts in the field.