Enterprise Security With James Governor

JAMES GOVERNOR: “If you looked at any of the companies that have had big breaches, they all have huge security staffs. But unfortunately, they are not fit for purpose. Security as an industry hasn't really done itself a great deal of favors in terms of modernizing. When you as a company know that negligent breach can cost you four percent of global turnover, if you're doing business in Europe, you will invest in keeping that from happening. There's no technical solution to human stupidity. If we have no sense of a precautionary principle, really bad things can happen. The reason we have regulated industries is because bad shit can happen.”

[INTRO]

[00:00:44] GUY PODJARNY: Hi. I'm Guy Podjarny, CEO and Co-Founder of Snyk. You're listening to The Secure Developer, a podcast about security for developers covering security tools and practices you can and should adopt into your development workflow. The Secure Developer is brought to you by Heavybit, a program dedicated to helping startups take their developer products to market. For more information, visit heavybit.com. If you're interested in being a guest on this show or if you would like to suggest a topic for us to discuss, find us on Twitter @thesecuredev.

[INTERVIEW]

[00:01:15] GUY PODJARNY: Hello, everyone. Thanks for tuning back into The Secure Developer. With me today, I have James Governor from RedMonk.

[00:01:21] JAMES GOVERNOR: Yes. Hey, Guy. How are you?

[00:01:23] GUY PODJARNY: Thanks for coming on the show. It's been a while I wanted to kind of get you on. Can you, just to kick us off, tell us a little bit about yourself and about RedMonk?

[00:01:32] JAMES GOVERNOR: Yes, sure. I'm an industry analyst, but I don't hold that against me. I think that RedMonk looks at the world somewhat differently from the more traditional firms, the gardeners and foresters and so on. They have a model that is really about client inquiries from enterprises, top-down purchasing, legal procurement, RFP theatre, that sort of view of the world that technology is something that is done to the people that actually have to do the work. I think RedMonk is much more about bottom-up adoption, so looking at the decisions the developers are making, that engineers are making, that the admins are making.

Increasingly, in a world with cloud, social in terms of look at things like GitHub and MPM and so on, the simple fact is that we're not in a world of permission anymore. It's not to say that the top-down thing is no longer relevant, but there is another way of understanding technology adoption. We focus on the practitioner view and really see ourselves as sort of developer advocates, practitioner advocates, and would try and encourage whether it's enterprises, service providers, or software companies, to just do a better job of serving the developers. Then, hopefully, they'll get better business results.

[00:02:50] GUY PODJARNY: Very cool. Yes, definitely, sort of the bottom-up version of the analyst. Sort of reach them out. We'll definitely hear about RedMonk all the time from the sort of language analysis to the presence in pretty much every event and kind of have the year of I think pretty much any big or even not big cloud provider or Dev tooling entity that's relevant there.

[00:03:12] JAMES GOVERNOR: We've been lucky, I think. As a research firm, to deal with a secular shift is quite challenging. When you're small, I guess it's easier. But certainly, I would say, traditionally at least, a lot of our revenues are driven by vendors. Obviously, some of those vendors are disappearing. I mean, you look at a company like HP, and then you're like, “Wow, it's turned into HPE and then Micro Focus, which is this more Newbury company, is now buying a big swath of it. Obviously, for the likes of IBM, there are all sorts of challenges.

The fact that we've now got clients that we're doing a lot of work in that are the new generation of companies I think is super important. I mean, if you're not doing business with Amazon, Google, companies like that, you're not really going to know what's going on in modern software development. Yes, I think we're in pretty good shape.

[00:04:04] GUY PODJARNY: Cool. You talk a lot about many things in the world, specifically a lot about DevOps, what's right and wrong, kind of have a perspective around cloud Dev-driven technologies, where do we evolve. I guess kind of over the course of the next little while, we'll chat about how security plays into kind of all of that world. I guess as we dig in, what do you see? You look at just the world of developers, of DevOps, of sort of companies as a whole. They need to be secure. What do you see as sort of the biggest problems right now or kind of the gaps of where we are versus where we want to be?

[00:04:43] JAMES GOVERNOR: Well, I think the gaps are really massive. We frankly got an industry that has failed. Security as a separate thing is just not a model that works anymore, and yet we've got entire industries, audit, compliance. Look at the security in the big banks or – I mean, let me tell you. If you looked at any of the companies that have had big breaches, they all have huge security staffs. But unfortunately, they are not fit for purpose. If it turns out that the problem is a vulnerability in struts, in an older version that you haven't fixed, I'm pretty sure that auditors had signed off on all of the processes there. But then you end up with a really significant breach.

I think security as an industry hasn't really done itself a great deal of favors in terms of modernizing and becoming, as I say, fit for purpose in the new world. Then you've just got all of the, well, what does it actually mean to secure infrastructure when it's running on the cloud? We've gone from, “Oh, the cloud is insecure,” to, “Oh, don't worry. The cloud is completely secure,” to, “Oh, shit. It really isn't.” I think thinking about the cloud undoubtedly can be more secure, but that doesn't by definition mean it is. That's the gap that we need to address as an industry.

[00:06:01] GUY PODJARNY: I'm totally with you on the need for this inclusive security. Security is everybody's problem. I guess I think of it as the fact that nobody can keep up anymore, right? You've got the developers. You've got the Ops teams that are just like they're running. We're innovating. We're changing stuff all the time, whatever move fast and break things. But don't get broken into, right? Don't have a breach. Just sort of nobody can keep up on it. What do you see as like the root causes for it? I mean, why aren't we embracing it, right? Why isn't security naturally moving into being at the core?

[00:06:35] JAMES GOVERNOR: Well, one is that it's hard. I mean, we as a species will tend to optimise for the easiest thing. Nobody has yet made it super convenient and easy to do security. We are lazy. We take shortcuts. It's all the things. How do you develop a personal culture of staying fit? How can you find a thing that works for you? Not everybody wants to be the gym person. For me, I've found a thing which is that I like cycling to work. You make sure that some of the time you really boost it, get your heart racing, and that's going to help you out. All of the things; flossing your teeth, brushing your teeth, the stuff you try to teach your kids to do. How do you sort of make that fun? Basically, hygiene factors is just something that we're not good at.

I think that in terms of that delta between current behaviours and changed behaviours, we really need to understand how to package and make security, as I say, a more – a simple thing. I don't want to get too carried away, but try and make it fun.

[00:07:52] GUY PODJARNY: I think making security fun is key. I agree with that. I find – I do a lot of talks about security, right? Security, fundamentally, is boring. I mean, it's insurance. It's risk reduction. It's not an exciting thing. You haven't built anything. You don't have something to show for it. Hacking is fun. Hacking is invigorating. It's something where you feel like there is a problem, a challenge I want to break in, and I've succeeded. That's definitely one means to do it in the education side. Definitely relates to sort of this desire to make security fun, but there's just all this heaviness of responsibility, right? There's no room for error. It's hard. It's hard to have fun in that context.

[00:08:33] JAMES GOVERNOR: Well, I think that's a really interesting example, and that's one where as an industry we are beginning to do a bit better. If you just think about rewarding people at all different levels, and sometimes it's just acknowledging them but bug bounties. Just thinking about when somebody identifies a flaw, dealing with it in the right way so that everybody feels like, A, they're acknowledged. But, B, that the problem was dealt with because what you don't want to be is a situation where someone identifies a problem with your code. They come to you. They've bother to come and tell you about it, rather than just announcing that they found it, right?

[00:09:10] GUY PODJARNY: Yes. Or selling it on the black market or something. Yes.

[00:09:13] JAMES GOVERNOR: Or selling it on the black market. How do we reward them, and how do we make sure that there's the social factors but also, yes, paying them? You look at some of the things. Again, I feel like as an industry, if it's going to be fun, it has to be rewarding. I mean, we're certainly pretty good as an industry at supporting ego-driven behaviours. Maybe we need to think about that a little bit more but definitely paying people for identifying bugs. If not that, at least do the, “Hey, such and such found this thing,” and send them some SOX for goodness sake, whatever it is. I think that that's one that we're beginning to do a little bit better on. As you say, it tends to be for the hacker aspect rather than the hygiene aspect.

[00:10:00] GUY PODJARNY: That's the defender. It's hard. It's a little bit more sexy or kind of compelling to be on the red team, to be on the one that's sort of breaking in versus to be the one defending. I find the same sentiment when I worked in security and then kind of moved into Ops. I'm back in security. Then I felt like if you go to Black Hat or any security conference, when you're back, you kind of want to curl up in a corner and cry, right? There's no sort of – everything is the world's against me mindset. While when you go to a Velocity or some big sort of DevOps conference, everybody's kind of together and singing Kumbaya. We can make the way better. There's a community of people that love this. Together, we're going to make the world a better place that kind of lacks in security.

I do like it. I think there's a set of conferences or community mindset that embrace the security. I love that bug bounties are getting more widely adopted conferences like DevSecCon. It's running now. That one has more sort of security consciousness. O’Reilly is trying to do this with the O’Reilly Security to be more kind of a positive, be the defender’s conference. There's definitely elements of it. I still feel like we're sort of not gamifying. We're not getting that.

[00:11:12] JAMES GOVERNOR: No. It’s very early days. I think that to draw parallels, if we think historically, testing was not something that developers did. They're like, “No, I'm a coder. I write code. I let the people that aren't quite so good do the testing, or that's for someone else.” Of course, now that sort of sounds absurd. Of course, developers do their own testing. But if we look at the things they are currently doing that with, clearly unit testing is canonical. We understand that, and that is something that we now do.

Thinking about test coverage, clearly, functional testing, there are areas that we are doing more. But security testing is still not something that we've made easy enough and then baked into the toolchains. I think the fact that we were able to take testing from something that somebody else did to something that we now do ourselves and take pride in, and you get people bragging about how many tests they wrote for a few lines of code. That revolution, we do need to be thinking about those approaches in security.

[00:12:21] GUY PODJARNY: Do you think there's examples of kind of key shifts if you look at indeed testing and embedding that? Were there kind of key means of success that helped us drive this to the mainstream? I use testing as well as an example of something that we want to do it, but it's hard to kind of pinpoint how would we tip that balance. I'm not sure if it's entirely tipped. Testing still needs more love. But how do we move it into the mainstream?

[00:12:48] JAMES GOVERNOR: Well, it's a really good question. You're always looking for sort of patterns of success and how this stuff took off. I think some of it was kind of to do with resource constraints. That's always an interesting one because at the moment, it very often feels like we don't have a lot of resource constraints, at least in availability of software and hardware resources. Look, Kohsuke Kawaguchi was sitting there at Sun Microsystems, and he didn't want to be waiting for others, right? He's like, “Well, I've got this server under the desk. I'm going to build this thing called Jenkins.”

I know that these days, oh, no, I'm going to use Travis or Circle or whatever else. But the simple fact is that notion of actually we've got some resource here that we can use, and we're going to use it ourselves to become more effective. There are some interesting things there. There's – he was an individual that's made a really big impact, I think, on the industry in terms of thinking about testing. He acknowledged that it was good and important. I know that a lot of people are like, “Wait, the user experience of Jenkins is not super great.” But we're talking about a tool. It was a lot easier to use because it was something that someone could do themselves, and he is profoundly about how do we just make things actually easier for people.

It's difficult because over time, a product becomes so much bigger, and there's so much other stuff, and there's so much configuration. But I think the spirit of the work that Kohsuke did is definitely something that we can all learn from because, to me, he in terms of the tool and he as an individual changed the industry. It’s dangerous to, I think, do too much hero worship or the idea that one person changed the world. Sometimes, the right tool at the right time, hitting a movement where people are like, “Yes, we need to do more testing,” can be super effective.

[00:14:43] GUY PODJARNY: Yes, agreed. I think making something easy is a core success factor it seems in pretty much everything that we do. The less visible it is or the less naturally visible it is, the more important it is that it'd be easy. There’s the level of you care, and there's the level of how easy it is or the level of friction that it creates. You need the friction to be lower than the level that you care, right? You need to care more than it is hard. We spend a lot of time talking, and also the news and breaches kind of help us a little bit in growing how much people care. But then we have to lower the bar where for the typical security tool, that other line of how much friction it is, how hard it is to use, sometimes how expensive it is to use is super high. You just don't care enough to mobilise to action.

[00:15:32] JAMES GOVERNOR: It's very interesting because we've been through this period. As I say, I think security has sort of failed in a sense. But one of the things there is also just the nonsense spoken by – because you get – you read the consultant reports. It’s like, “Oh. After a breach, a business is going to have this huge problem. It might be share price.” These made up spurious, “Oh, they will have gone out of business within three years.” Let me tell you. All of the large companies have had significant breaches, and they're still there, right?

Sometimes, stuff does begin to change. Sometimes, people do lose their jobs. I think at the moment, certainly what we're going to see with GDPR as a regulation, that's going to really concentrate the minds. I mean, when you as a company know that negligent breach can cost you four percent of global turnover, if you're doing business in Europe.

[00:16:28] GUY PODJARNY: Yes. You will invest in keeping that from happening.

[00:16:30] JAMES GOVERNOR: You will invest in keeping that from happening. If you're investing in keeping that from happening, you're hopefully – as we understand, they’re investing in people and the tools that they want to use. Yes, I mean, at the end of the day, there is a trigger that is fairly universal in getting people to do stuff, and that is to pay them.

[00:16:53] GUY PODJARNY: Yes, rewards.

[00:16:53] JAMES GOVERNOR: I think rewarding people for better behaviours is a big part of changing them.

[00:16:58] GUY PODJARNY: Interesting to see if people explore sort of security champion rewards inside the engineering team. Say, okay, in the engineering team every month or whatever, we will give some substantial reward, whatever, if it's financial or send you off on a vacation or whatever it is or just bragging rights even. That comes in for the person who's contributed to security the most this month or something along those lines.

[00:17:22] JAMES GOVERNOR: Well, it's super important. Look, I mean, and – as you say, it's all to do with the fixations we have. We don't want to reward maintenance. Like, “Oh, maintenance is bad.” Well, let me tell you. I don't want the bridge I'm driving over to collapse. If I think about my house, sure, just slap on some paint is great. Actually, you need to – if you're doing a window frame, you've got to take the paint off. You've got to repair the putty. You got to let it dry properly. That's how you're going to get result results. We don't as a culture reward maintainers, teachers, nurses, immigrants doing shitty jobs that actually in many case –

[00:18:00] GUY PODJARNY: Operate, yes.

[00:18:01] JAMES GOVERNOR: Operate the thing we live in. Then we just want to support the people that are in marketing. I mean, I think that we need to – as a culture, I think that's part of the problem because security is maintenance, right? It keeps the lights on. It's not necessarily the cool new thing. I think that's part of the challenge.

[00:18:21] GUY PODJARNY: Indeed. It's invisible, right? It's not – you don't get rewarded if you invested a lot in security and you didn't get breached. If you bought an amazing new lock for your door and nobody broke in, was that investment worthwhile? There's no clear indicator. It doesn't hurt until it hurts really bad that you didn't invest. But there's no intermediate feedback loop to say, “Oh, look. Some of the pain went away because I invested this amount in security.”

[00:18:51] JAMES GOVERNOR: It’s really beautiful when you see it done right, actually. There's an organization. It's a roll-up of, I think, five Blue Cross Blue Shields in the States, HCSC, right? They are under a regulation called high trust. High trust is difficult because in a way it's an old-fashioned standard. It's not amenable to the cloud because auditors need to come in and actually check out the data centre, right? That's the bad news.

The good news is when you look at sort of the degree of probity and care and concern that HCSC is applying to that medical information, that's really good to see. They have a culture of they don't just go, “Oh, okay. We've got high trust, so we're okay.” They're like, “No, no. We need to take everything as far as it can go because this is people's healthcare information.” I mean, compare and contrast. It is staggering to me. This isn't a security flaw in a sense, but it is – we don't actually care about things.

Yes, one of the NHS trusts wanted to get better results. Well, it was either liver or kidney cancers. Let me tell you. If you have one of those things, you don't give a shit about the security of medical information, right? You just want – but they just said to Google, “Here is over a million medical records. Go and see if you can fix the problem.” Now, on the one hand, okay, good, I want Google machine learning, deep-mind looking at improving healthcare outcomes for cancers. I mean, no doubt. But on the other hand, they’re just dispensed with all of the normal clinical controls concerning user and patient data in doing that. It’s sometimes quite staggering how little respect we have for this information.

[00:20:49] GUY PODJARNY: How do we balance that with pace? I mean, today one of the buzzwords of the day is digital transformation, right? Really, at its core, it's all about speed, right? It's all about the fact that you want to mobilise, react to a market need faster. You make your development process continuous. You tap into kind of cost-effective technologies like cloud and the likes. You build up and you move faster. But if you move faster, this is, again, sort of the move fast and break things. You're taking risk.

We've climatised or we've accepted the functional risk of it in the DevOps mindset, right? It's okay. The gain from moving faster and seizing an opportunity is greater than the occasional risk of having broken something, and it didn't work, right? Your system went down or a system, granted you also need to do what you can to prevent that from happening. But security is not as forgiving. You can say, “Listen, I move fast. Once every year or two, I'll get broken into, and my data will be stolen.”

I guess how do you balance this sort of healthcare organization, this sort of Blue Cross Blue Shield mother company with they will get obsolete if they don't move at the pace of the market and adjust their offerings? I mean, how – do you see? Do you feel like there are some core guidelines? Is it always a judgment call? Where do you think we sit there?

[00:22:16] JAMES GOVERNOR: Yes. I mean, that's a fantastic question and we're certainly under pressure to move more quickly. We all are as organizations. You used the phrase move fast and break things a couple of times, right? That’s famously a Facebook maxim. Well, they literally broke democracy, right? We're still feeling those repercussions. So quite interesting today, I think the US Treasury is applying some sanctions against the Internet Research Agency in Russia, right? I'm a little bit cautious of, “Don't worry. It'll all be okay,” because that was, “Hey, it's just social information. It's just Facebook, right?”

Yet the law of unintended consequences means that if we have no sense of a precautionary principle, really bad things can happen. The reason we have regulated industries is because bad shit can happen. I was looking at pictures earlier this week. Someone had just posted some beautiful pictures of exploded steam engines with all the pipe work just splurging out like a Cthulhu because it is. It's like this spaghetti of pipes, right? They're beautiful, but you wouldn't want to be the person driving that, right? If we think about boilers, regulations around boilers, I want that.

[00:23:48] GUY PODJARNY: Yes. You want to keep that from happening in your house.

[00:23:51] JAMES GOVERNOR: Yes. I don't want that to happen in my house, right? I want strong regulations about carbon monoxide, making sure that we have regular audits of boilers and stuff like that. I want a certified professional to – and here's me doing the opposite side. I said security failed, but I still want a certified professional to deal with those things. I think that it sort of gets to maintenance. Speed is great. But I think that, again, as a culture, would it really hurt to just take a step back and say, “Actually, it's probably a good idea to do this right.” Yes.

Does HCSC get obsoleted because Google isn't held to those standards? I don't know, but I'm still actually glad that that's there. As I say, GDPR is going to be a complete shit show. It's going to be some US company is going to complain that this is just the EU trying to mess up US companies. There's going to be legal problems. People will go out a bit. It is going to be a mess. But actually, the ideas of right to be forgotten, you may sort of disagree with it. But privacy is becoming important again. I think almost that as a driver for security becomes absolutely key.

Speed is important. But just as a culture right now, I think it would be good to take a step back and say, “Actually, let's reintegrate security into everything we do. Let's have some ownership of that.” Would it really hurt to just move a little bit more slowly?

[00:25:44] GUY PODJARNY: I think the problem or maybe I would say I think the opportunity lies to an extent in new foundations, new best practices, new tools that allow us to walk that line a little bit better. We kept kind of referring to Google here. In a sense, I would kind of venture that Google's security is probably no worse, if not better, than that Blue Cross Blue Shields company. Maybe I'm wrong. I know it's just like a loose statement. But it's definitely pretty darn good, right? It's not bad. I’m not implying otherwise.

But when you look into why, like why would you think that that's the case, it's not because they have larger security teams. They do have large security teams, but I would wager that they don't have larger per-capita per-employee security teams as compared to those healthcare companies. What they do have is they have full-on foundations of just how software is built, constraints built throughout the system, tooling and automation that just makes security something that is core but still merges that in. That applied a different constraint which is the thresholds to be able to be an engineer in Google is maybe higher. It might constrain them from growth in that sense.

Fundamentally, it's almost like the hope, the Holy Grail to balance these two super desirable outcomes of securing my data but moving fast is really comes back to technology. It comes back to the changes, the substantial changes that have happened as part of enabling DevOps or enabling cloud to just move some responsibilities to be a part of the fabric of what it is that we're building. I guess one of the key questions is what does that look like from a security. I think a portion of it we get in cloud, right? We get in serverless offloads, a whole bunch of security concerns from you.

There's others that are there, and they would get emphasis. Still, there are some concerns that move off it, the right tooling inside the application, whatever. A key management systems help deal. It is a technology that helps not quite fully alleviate but simplifies. It makes it easy. It maybe comes back to your kind of core point which is if we had a way to make it easy, we wouldn't need to create too much of that balance between the moving fast and –

[00:28:04] JAMES GOVERNOR: Well, yes. Look, I'm not here to say nice things about Snyk, right?

[00:28:10] GUY PODJARNY: Yes.

[00:28:11] JAMES GOVERNOR: The simple fact is if we think about the way the world works now, everything is pulling down a package, integrating it to build a new thing. I need lightweight tools that are able to inspect and understand the dependencies to make sure I don't mess things up. You're doing good work there. We could look at some of the works that we're now seeing from Tidelift and the Libraries.io folks. These are good approaches because they map to the way that modern developers are thinking about building software.

I think definitely tying into or at least understanding that that is the way software is built now, we're beginning to identify, actually, here are some best practices. You shouldn't be. You should not be deploying software if you have not used a tool to understand what's in it. You should understand the license, but you should also understand, as I say, what are the dependencies. We should also understand if we're taking this approach, then it's that. Dependency management not just from a security perspective is super important. Otherwise, you can just have a left-pad example, right? Just understand what you're building. Yes, good luck with that I guess.

[00:29:42] GUY PODJARNY: I think the interdependent web, sort of the fragile interdependent web is indeed a problem. I'm happy to be contributing kind of with Snyk to a part of it. There's also third-party services when Dyn went down with that big DDoS attack a couple years back, I think. It takes down a whole portion of the Internet because we all depend on it. What was it, the NHS side or one of the government site that was serving Bitcoin mining scripts because one of the third-party components that it was using was compromised? We’re definitely interdependent in a pretty big way, and that moves into the Internet and the paths.

Hopefully, that's another area where these tools brought us up. These interdependencies is the reason we move fast. It's the reason we create the wonderful technology and enables us to do this podcast and record around.

[00:30:31] JAMES GOVERNOR: Also to your point, look. I mean, sometimes it's the pain that makes us do better things. I mean, if you have a heart attack, chances are much higher you're going to give up smoking, right?

[00:30:41] GUY PODJARNY: Yes.

[00:30:42] JAMES GOVERNOR: Getting the pain, and we have had some really big examples lately, that begins to change behaviours. I think it's important to work through the pain and not be like, “Oh, yes. We won't worry about it.” Yes, I do think that it is important, and that's the thing, again, about GDPR. Someone's going to get hit, and they're going to be like, “Why me?” Well, actually, it's going to be applicable to everyone. You know what? If you are the one that gets caught, that is bad luck. But if it drives better behaviours, then –

[00:31:20] GUY PODJARNY: You may be better off for it.

[00:31:21] JAMES GOVERNOR: Yes. Maybe you needed to do a better job.

[00:31:22] GUY PODJARNY: What doesn’t kill you makes you stronger.

[00:31:23] JAMES GOVERNOR: Yes. Google, unbelievably good at security, right? I certainly wasn't saying I just meant this deep-mind thing. If somebody just gives them data to do what they want, then it is what it is, right?

[00:31:34] GUY PODJARNY: And they’re not held to the same compliance and regulations as well. That’s also a factor.

[00:31:39] JAMES GOVERNOR: I think that what we do need to do in making things easy and finding automations and the right tools is helping security for the 98%, right? It's even more than that. I mean, Google, Facebook, those folks that the engineers that they can hire, the amount of money they can throw at this, most people really struggle to do that. We do need to have empathy for Marks & Spencers or Kroger or HCSC or – because the bottom line is – or Barclays. It used to be the financial services companies in London, they were like, “Yes, we're going to hire all the best developers.” I’m like, “Oh, yes. All the best developers want to work for the web companies.” They are under pressure now. Yes.

That’s true of all. That's part of, you said, digital transformation. That's where we are. I mean, that's why people are using serverless infrastructure is hard. Not everybody wants to spend their time fiddling around with Kubernetes, right? I don't really know what the answer is. Now, one of the things you were like, “Who does it well?” I think, honestly, partly because the stuff is hard, there are not that many organizations doing this stuff super well. Where is the stripe of security? Arguably, there kind of isn't one. Nobody has yet done such a magnificent job of documentation developer experience that everybody's like, “Oh, yes. When I'm developing an app, I know I'm using that.” I mean, there is a missing thing at this point.

[00:33:24] GUY PODJARNY: I think there's a whole new breed of developer-focused security tools that needs to come in. Of course, security is not one thing, right? Security is kind of this whole. It's like operations. There's not one operations tool. There's specific segments of it, but hopefully this whole sequence of tools that come in that operate in that fashion that help us build.

[00:33:44] JAMES GOVERNOR: But developers need to be given the budget to use those tools, right?

[00:33:47] GUY PODJARNY: Yes, and the time.

[00:33:48] JAMES GOVERNOR: At the moment, it's still security is off to the side with all this money that they're spending on ridiculous firewall products. Some of that money needs to be taken out of the hands of those organizations and driven into development and engineering so that it can begin to spend that money on third-party services that help them make more secure software.

[00:34:12] GUY PODJARNY: Indeed. We've been chatting here, and I've got all sorts of thoughts. But we're already far longer than planned. I want to ask you one question that I try to ask every guest that comes on the show, which is if you had one suggestion or one pet peeve that you have around the security space, one practice that you would want people to embrace or stop doing, what would that be?

[00:34:38] JAMES GOVERNOR: A pet peeve. I think it is probably something around forgetting the most basic thing which is that you can do all you want with tooling, everything else. But the truth is the easiest and best attack vector is always humans. We're so prone to social engineering. I think security has to be about risk management and understanding those risk factors. Sometimes, it becomes too much about, “Oh, yes. We'll come up with a technical solution.” There's no technical solution to human stupidity, right? People will always be gained, which is not to say we should attack people. We need to have some empathy for the fact that people will make mistakes. I guess that's the – it annoys me sometimes where you just – people are like, “Oh, yes. This is a solved problem.” Truth is there are no solved problems.

[00:35:42] GUY PODJARNY: Yes. Yes, indeed. Humans are often the weakest link, and that's going to be reality. We need to deal with it. Cool. Well, thanks, James, for coming to the show. There's a whole slew of things. We need to get you back on to chat to about some more things.

[00:35:54] JAMES GOVERNOR: Well, the good thing is that you're about 100 yards away, so that shouldn’t be too hard.

[00:35:57] GUY PODJARNY: That definitely helps. Thanks for coming on. Thanks, everybody, for tuning in.

[END OF INTERVIEW]

[00:36:04] GUY PODJARNY: That's all we have time for today. If you'd like to come on as a guest on this show or want us to cover a specific topic, find us on Twitter @thesecuredev. To learn more about Heavybit, browse to heavybit.com. You can find this podcast and many other great ones, as well as over 100 videos about building developer tooling companies given by top experts in the field.