Our Best Security Advice

[INTRODUCTION]

[00:00:21] ANNOUNCER: Hi. You’re listening to The Secure Developer. It’s part of the DevSecCon community, a platform for developers, operators and security people to share their views and practices on DevSecOps, dev and sec collaboration, cloud security and more. Check out devseccon.com to join the community and find other great resources.

This podcast is sponsored by Snyk. Snyk is a dev-first security company, helping companies fix vulnerabilities in their open source components and containers, without slowing down development. To learn more, visit snyk.io.

[00:01:05] Guy Podjarny:  Hello everyone. Welcome back to The Secure Developer. I’m Guy Podjarny the founder of Snyk and your host, as always. Today, we have a very special episode. Amazingly, this is the 100th episode of the podcast, which I find mind blowing. I mean, I started this podcast, really with the intent to bring some of the sharing mentality that really played a key role in DevOps, moving it forward and helping understand that failure is an option. I tried to bring some of that mentality to the security world, which really doesn't have enough of it, doesn't really have enough opportunities for people to share their leanings and help all of us avoid the same mistakes.

Really, the intent was to create a stage for security practitioners, security leaders to come in and share, share their learnings share their practices, their perspectives, and philosophies. This way, we can all get better by learning from each other, just advance the state of the art. It was a bit of a bet, it's really quite scary to share and open up around your approach to security and how you're tackling it. It's, it's easy to think that if you tell people how you defend and how you secure, then attackers will use that against you and find the flaws, but if we don't share that way, then we're all learning on our own and we don't really progress nearly as much as a community, as an industry.

So, I find it really important and this makes me even more appreciative of all these great, smart folks that came on the show, and shared and shared a ton. For me, it's that, frankly, it's a treat to just have this this excuse to get airtime with these smart people. I get to ask them the questions that I find interesting and I learned so much from every one of these episodes. It's amazing. Then to top that up with the fact that there's this big and growing community of developers and security practitioners and leaders, again, who are eager to learn and tune in to the podcast, all of you listeners coming in, that just makes it a true privilege to host this show to serve all of your listeners and to meet all these great people coming as guests.

So, I'd to start this 100th episode with just a big thank you. Thank you to the guests who really put in and invest the time to help all of us get better. A huge thanks to you, the listeners. Really, I find that you help us, as a community, you help us advance the state of the art in security and you help us make security more inclusive, more developer minded, more scalable, and at the end of the day that contributes to the industry and contributes to our digital lives to embed security into this modern technology world.

Lastly, I'd to also personally thank a person that is behind the scenes running this podcast. So you don't hear her name, but Sam Hepburn is the person, you sometimes hear in intros and promos and she behind the scenes has been running this podcast for a good while and plays a huge role in making the podcast what it is today and DevSecCon, as a community that she doesn’t get episode of airtime or recognition. Sam, huge thanks for making the podcast happen and for all this other great work you do. You're amazing. Keep it up.

Lastly, before I veer into the episode itself, I'd like to make a small ask of all of your listeners, as we grow the podcast, we'd love to hear from you, your topics what is it that you wants to hear us cover on the podcast. You’re a guests, who would you like to see on the show? Format, are the episodes too short? Are they too long? Do we want to try and do you like the mixes? Do you like only having individual guests? Those are super, super helpful when we get this type of feedback. I would love any bits of advice or opinions, or just thumbs up, thumbs downs on capabilities. If you have such thoughts, please share those with us on the securitydeveloper@snyk.io. We also have a shortcut which is tsd@snyk.io. So, we really do want to hear from you, please share.

With that, let's switch into the podcast itself this episode. For this 100th episode, we're doing something a bit different instead of having a guest, we're actually collecting some wisdom from past guests. If you've been following the podcast, you would know that for really about 80 or so episodes, I always concluded episodes by asking the guests for one bit of advice. The question is typically something like, if you have one bit of advice to share with a team looking to level up their security food, what would that be?

I like that question, because it's open ended, because people take it in many, many different directions. I don't give guests further guidance on what they should talk about. So, people really take it in different paths, and it's very inspiring, really allows for creativity. So, what we've done for this episode is that we've picked a subset, a subset of this ton of great advice, we couldn’t really cover all of it. So, we picked a few highlights, and we group to them together a little bit, to help see them, when themes recur and we collected them in this episode to hear it.

If you want to hear all of the advice, you're going to have to go back and re-listen to all those episodes, but hopefully, this one gives you a bit of a concise view on some creative thinking of how to level up your security foo. With that, let's get to it and here's some of this collective wisdom from our past guests.

Before I introduce a specific topic, it's worth noting, that I will mention a person's name and the company that worked at, at the time of the episode. So, some of these episodes happened a while ago, a bunch of these folks that work at different companies. So, just to avoid confusion, I'm referring to the companies that they were at when they gave that advice for the best context.

The first bits of advice come around focusing on the threats you're actually facing. We have Kelly from Capsule8, Steve White, from Pivotal VMware. Shannon Lietz from Intuit. Talk a little bit about how do you really choose what to focus on first?

[00:06:53] Kelly Shortridge: Yeah, that's a great question, tried to boil it to just one, but I would say my perennial advice is always raise the cost of attack, and be realistic about that. Don't focus on the missed side level threat, focus on what's realistic, which is like phishing and really basic attacks and figure out what simple interventions you can use to just cut off that low hanging fruit for attackers like two factor, being a great example. Start with the basics. So, think of it always as how can we make this harder for the attacker? I think that's in some ways, as simple as that. If you anchor yourself to that, and you start there, you won't be over optimizing for things like blocking [inaudible 00:07:30] or all these side channel attacks or whatever else, because that – so you’re like really weak, that’s just you shouldn't bother doing as part.

[00:07:39] Steve White: Focus on the actual threats to your organization, not the science lab projects that your neighbor has dreamed up and keep your organization focused on combating those threats. That to me is like my number one advice to any security team. Focus on the real threats, not necessarily all of the imaginary ones.

[00:08:06] Shannon Lietz: Yeah, somebody who's looking at, but to look up their security skills and try an up level. I would say the one question you should ask yourself is how many adversaries does my application have? Because it's the curiosity around that question that will lead you to better places. Just having that goal of trying to solve that question, will lead you down to find people that you can contribute to or collaborate with, that will help you answer that question. I think once you do answer that question, it's mind-blowingly obvious what you have to do to fix the problems that might actually be in your applications and in some of the code that you are writing.

[00:08:45] Guy Podjarny: So, those great advice around focusing on threats that actually apply to your specific surrounding. Sometimes you can have a few too many of those types of threats. The next couple of bits coming from Brandon at Toast, and from Vandana, who is an old board member, talk a little bit about not boiling the ocean, and trying to manage your load. Let's hear Brandon and Vandana.

[00:09:09] Brendan Dibbell: I would say that the biggest thing that you can do as someone building a security program is to not try to take ownership over too many things. Far too often and I mentioned this at the start of our conversation, people make the mistake of trying to do everything, and they make the mistake of trying to solve security themselves overnight. I would say that people should focus on two things.

Focus on helping other people take ownership of security, so that you have ownership over fewer things and security and focus on taking security one step at a time. You don't have to be better overnight. You can take baby steps; it's going to be okay. Just to work with your team to make sure that you have a clear and concrete path forward, but that you're not just trying to do everything yourself, because if you are, you're going to inevitably drive yourself crazy and never get where you want to be.

[00:10:11] Vandana Verma: I will say, understand your environment first. A lot of attacks happen, because you don't know your environment. Understand your environment first, and then start off with the security if you've not started. It's like, better late than never. So, start your security anywhere you know and understand your environment, I would say understand your environment, get started, get going. It's very, very important, especially if I have to give examples, think about the hacks that have happened recently, Equifax, Capital One and so many major hacks.

[00:10:42] Guy Podjary: Great, a couple of more great bits of advices, maybe just a bit of a plug that Vandana, now joined Snyk and we're very, very happy to have her. Cool. So, we talked about focusing on those threats that you face, we talked about how you're not boiling the ocean, and then maybe a bit of advice about how do you implement, which really focus around automation. So, we've got Zach from One Medical, we've got Ryan Ware from Intel and then we've got Kyle Randolph, who was at Optimizely, and actually came on to the episode twice, on to this podcast show twice, talking a little bit about the importance of automation. Let's hear them out.

[00:11:18] Zach Powers: The best advice I could give is that, if security team is not engineering automation today, they will not scale, and they will not be able to play ball with the type of threats we face today. It cannot be done manually. There are some things some types of security testing that still need to be done manually, but so much of security, especially the world of SecOps, it must be automated. So, ask yourself that, if your team is capable of automation, are they prioritized? You’re setting time aside for them to engineer automation. If the answer's no to that, take a step back and think about that, because that is where most security teams are going to that, at the, what I would say the companies that really understand the threats and trying to respond to this.

[00:12:08] Ryan Ware: I would say the thing that they need to do is make sure that they're automating all of the security tools that make sense into their DevOps, because that's actually something that I wish we had done earlier than we're doing it and have done it. Being able to in an automated way, let a developer as early as possible know about a problem in their code is the thing that you have to do. If you could even do it at the check in point, so that they understand it then or even with a tool as they're writing their code, that flag something as a problem in their IDE immediately. Getting that automation in place to do that is critical. It gets so much harder to solve issues, the further you get down the development pipeline. Trying to fix an issue just before a product goes out the door is so much harder.

[00:12:57] Kyle Randolph: My advice. Over the years, one of the main things has been like get the decisions out of it, stop making humans make the decisions and that’s where we can build security and without relying on an engineer to make that decision, that's great. So, yeah, investing more in tooling, making security and the components, I think that's like gold, because it just keep on benefiting from it without needing more humans and need more humans to make the right decision in the moment and have all the standards in their head. So, as far as investments to the tooling and getting as much as you can, going back to build versus buy analysis, bias, even if you think you're biased to buy how can you double anything outside of your [inaudible 00:13:42]. ****You’re like, buy as much security for free as you can.

[00:13:48] Guy Podjarny:  Cool. So, hopefully this was some useful advice around to focus on your priorities. Where you put in the investment, how do you implement it. Let's switch a little bit to people clearly all of this great practices you need the actual the actual people that are able to implement them. There was a lot of emphasis on people in the various bits of advice that we have. Here are three bits of advice, talking about the importance of diverse sets of skills within your team. We're going to hear from Michael Hanley, who was at Duo/Cisco, Geoff, who at the time was at Slack and recently came on as of LinkedIn onto the show. We've got Sacha Faust, who was at Lyft and then Amazon, coming on to the show. Let's hear them out talking about team diversity.

[00:14:31] Michael Hanley: The most important piece of advice I would give is seek diversity of experiences, diversity of thought, diversity of opinion on security, because the reality is our space as we touched on a few times during this conversation is moving so quickly, at any given time, that it's really, really dangerous for your security team to get trapped in what's always worked or what worked last time. You have to constantly be challenging yourself. I think when you're hiring in terms of looking for people who will bring a new contribution and ways of thinking to your team, if you just hire for fit, you're going to miss those opportunities, what you want to look for is actually contribution to your way of thinking.

Really, I would challenge teams to not just go look for what worked in their last gig or what worked on their last hire, and really think deeply about what's going to help them get to the best possible business outcome and on that second point, really focusing on business outcomes, because security teams are at the end of the day, trying to help increase the level of assurance and confidence in de risk, the business is the delivery to customers and internal clients. If you lose sight of that, if you don't understand what the business is trying to accomplish, again, that's a case where your credibility as a team can go downhill very, very quickly. It's very hard to recover from that.

[00:15:43] Geoff Belknap: I think, I was just ranting about this on Twitter, which honestly, I have to be more specific about. I think the best tip I have is, if you only have one place to focus, focus on people, focus on the really hard non-instantly gratifying thing of like, invest in your people, invest in hiring great people, invest in giving the people that you have hired the things that they need, listen to them, give them your time, give them your support, your trust, your respect, and they're going to do great things for you.

Putting great people on your team is going to be way better than spending double or triple that amount of actual hard money into some security product. In fact, some of the security products that we have that are the best are the least expensive things we would spend money on. I think spending money but also just investing time in your people is the best thing you can do. It's also, quite frankly, the least expensive, easiest thing you can do.

[00:16:41] Sacha Faust: Regardless of my personal experience moving into Dev, the general guidance I tell people, both from a career and also how to build teams, diversity is king. So, go wander elsewhere, asking management from a manager, go send your people embed them into engineering projects, if that's the route that they want to take, having diversity of experience, building your team and people but also work experience has been for me extremely valuable. I always look at building teams that have that diverse set, and tapping to it which bug bounty is crowdsourcing, but a tremendous value in diversity, we learn a lot from those. That would be my general guidance, regardless of my personal route.

[00:17:24] Guy Podjarny: Very cool. I hope those bits convinced you that you really should invest in different skills, different competencies within your tool. Your team is important, but investing in yourself is also really important. That was another chunk or recurring theme, these advices just think about and how do you always be learning.  So, we're going to hear Roland Cloutier, who's the CISO of ADP at the time, and we've got Stu Hirst, who was at Just Eat, and Sara Dunnack from Envision, let's hear them talk about personal growth and about investing in yourself.

[00:17:55] Roland Cloutier: Yeah, it's simple. Get help. I mean, if you're not coming from a development world, you've been protecting things your entire life, and you've grown up in a very different model. Don't think you're going to read a couple of blogs and watch a video and a couple TED talks and all of a sudden know how to do it osmosis through a book. Find people who have done it, finding outside organization or a consultant or someone and validate they've done it, but bring them in for their expertise. I think that's the number one thing that I can say. Find people that can make it happen for you.

[00:18:27] Stu Hirst: I guess, I'll flip it in terms of what I've done to try and get better or upskill. I follow lots of people on Twitter, I follow lots of people on LinkedIn, I go to lots of conferences and talks and meet-ups and I try and put myself out there from a community point of view. By doing those things, I've met so many great people. I've learned a huge amount. So, there's various mechanisms to up-skill in this industry, it's not just about going to training courses or watching online material.

For me, it's been about being part of a wider community and learning from all of those people, whether they're super senior security people, or people just starting in the industry, that there's always something to learn. Anybody within my teams or anyone that I've worked with, I try and encourage people to do that as best they can. It's not for everybody. It's an investment in time. Everyone has their personal lives and their family lives. I certainly invest a huge amount of time in doing those things. That's why I'd encourage people in the industry to be active, put thoughts out there, put learnings out there, if you're brave enough to do it, and your companies will allow you to do it, because that's how we all get a bit better live doing what we're doing.

[00:19:32] Sara Dunnack: One tip I would have a something I'm working on myself, or I've been out of development for so long. If you want to level up security, especially on the AppSec side, stay in development as much as possible, because if you need to do code reviews, it certainly helps if you are still in the mindset of regularly reading code. Everyone on our team is really developer first, and security second, obviously strong security but we need to be in the code. That's one thing that we do for our work, security reviews is we actually do full code reviews. I think that's the biggest thing that many security folks may not think about, especially if you come from the sysadmin side, you need to be able to get into the code, and truly help the developers and show them a specific line like on this line, you need to do this.

[00:20:22] Guy Podjarny: Awesome. So, we had five different categories that hopefully, we're already showing some diverse wisdom in how you should level up your security. The next one, we'll talk about your team or yourself, but more about all those people that we are supporting. Maybe this was the biggest theme across the podcast is really this notion of collaboration and empowerment. So, the next actually put in five bits of advice, because this was such a recurring theme, talk about how do you collaborate with the rest of the organization.

We're going to have Andy from Pinterest, talk about his view. We've got Wendy from Experian. We’ve got Leif and Eric who are at Segment, running the program over there. Then we've got Liran Tal, who is our very own here at Snyk Developer Relations Lead, talk about his views. Then lastly, in this section, we have Francois Raynaud, who really started DevSecCon and is a big committee person talking about how to make security more inclusive and collaborate with others. Let's hear from these five great people around collaborating with the rest of the org and then empowering others.

[00:21:26] Andy Steingruebl: Don't ignore the people aspect of getting this stuff done. So much as security, whether it's in the app space, or in the product space, or whatever is about collaborating on solutions, not about just technical excellence. One of the best pieces of career advice I ever got was decide, do you want to be right? Or do you want to be effective? They're not always the same thing. So as engineers, it's very frequently the case that like I want to say, this is the right way, and I'm going to prove it to you. Or after something happened, say, “I told you so.” I don't even need, I think I need no fingers to count the number of times saying I told you so actually worked out well, where the other person said, “Oh, you're right, you did tell me so and I'm so happy, you've pointed it out to me.”

It's getting stuff done is way more important than being right about something. That means understanding people and working with people and collaborating together on coming up with solutions. Not saying that it's my one way of doing it, or whatever. There's several ways to solve a lot of different problems. The human element is what's really necessary to up your game, not just technical expertise like that matters, but ultimately getting to a workable solution that people will implement is what matters, not just building it and then having no one adopted it. Building something and having no one use it is the same as not having built it at all.

[00:22:48] Wendy Ng: I think collaboration. I don't think any one of us is an island. There's an osmotic process between us, we filter knowledge, and I genuinely believe this. I've been trying to do this through just sharing my knowledge and blogs on for the past few years now. I think instead of trying to reinvent the wheel, or just trying to solve a problem from scratch, by ourselves, collaborate, share our knowledge, I think that is so important and coming back from my academic background, that was second nature. I really hope going forward that we can watch gather more share knowledge. I truly believe this we are stronger, if we work together. We will always be stronger when we are together.

[00:23:25] Leif Dreizler: I don't really know if it's a pet peeve. I think it should be relatively obvious from the rest of the podcast, but be friends with people. People are way more likely to do the things that you need them to do if they like you. So much of security revolves around getting other teams to do work, because they have domain expertise that you don't and you need their help to improve the security posture of your company. So, do everything you can to build really great relationships inside of your organization.

[00:23:55] Eric Ellett: I think the one thing is definitely tried to do the investment in building out quality where you have the most FaceTime. So like with your engineers, so training, for example, it's paid us back in spades, I think. The amount of value we've gotten out of it, yes, like we could have gone down the automated route or a video route. The amount of time that we've spent making that training awesome has definitely outweighed the amount of time we would have had spent dealing with the vulnerabilities or issues that would have came up, if we didn't spend that time.

[00:24:28] Liran Tal: I think mine would be try to leverage coach someone from the team to be a security champion, and really empower them to take actions on that. I found that previous experience leading teams. I found that very helpful and impactful to have someone from the R&D team owning security, loving it, and trying to help the rest of developers through doing a lot of AppSec work.

[00:24:52] Francois Raynaud: Sit down together with security and that's the same thing security needs to sit down with DevOps. We both got to learn something from each other. That's one of the first thing I do is, I bring those two teams together and make them sit together, go and have a drink, go outside party, just go and have some dinners together, understand what the other side wants, and understand what you can bring to them. I think it works both ways. If we want to make security and Dev, the overall security area better, we need to promote this inclusion.

[00:25:25] Guy Podjarny: To finish off, we're going to end on a positive note. We have four bits of advice, focusing on keeping a positive attitude on thinking about security, not just as this downer and risk reduction, but also, it's something that can help you out. We're going to hear from Alyssa, who at the time was our security advocate here at Snyk. We're going to hear from Julie Tsai who was at Rubric, Andy Ellis, who's a bit of a legendary CISO of Akamai. Tad Whitaker from CircleCI, let's hear them all talking about taking a positive spin on security.

[00:25:58] Alyssa Miller: The thing I've been preaching, and I had to use that term, but get rid of the fud more than anything else. It's unfortunate that we still that that's a thing. The fear, the uncertainty, the doubt, and really focus on how what you're doing is going to help enable the business. If we're talking to Security Initiative, how is that tied to revenue generation? Or how is that going to create cost savings or open up a new business line? If we're thinking from a dev, or an ops perspective, those same things come into play.

Okay, yeah, we want to leverage, a new container environment or a new cloud technology, wonderful. How do we sell that in terms of this is what it brings to the business? This is how it's going to move us forward. Ultimately, in terms of whether it's reducing business risk or costs, or it's opening up that new revenue channel for us. Those are the things that are in the end most meaningful and are going to be that's going to be your paved road to getting those initiatives approved.

[00:27:05] Julie Tsai: I would say it's encapsulated well by a joke, that infrastructure friend told me about security, he said, “How do you tell the difference between a good security person and a bad security person?” You can't, they both say no and as a former infrastructure person, I said that just sucks. I got into this to build stuff, not just to tell people no. It reminds me of the whole point of this is for us to be fueling creativity and product for the customer in a secure way. So, being able to keep that bigger picture in mind, on all sides, I think is, is for me, that Northern Star.

[00:27:44] Andy Ellis: I have a one simple rule, which is nobody is the villain in their own story. If you're having an encounter with a business partner, whether you're the development team or the security team, and you're telling the story that says this person is bad, to have bad motivation, they're trying to hurt me, whatever it is, just stop. They have different motivations than you. They have a different model of the world, but odds are, they have the same ultimate goal you have, which is, if you work in a for profit company, or in a startup like that would to be for profit, is to make money, that's their goal, they might see different risks than you do.

But you can't learn from somebody who's a villain. If you tell the story, that they're a villain, you have just prevented yourself from learning what matters to them. Once you start learning what matters to them, you can channel them. I was just talking to one of my staff who was in a meeting, he said, “There was this really weird thing that the person on the business side was making these continuous jokes about the places we were going to disagree, that he would make a statement that, Oh, and here's where so and so I’m going to chime in and say this is unsafe.” I said, “This is perfect. It means they have a mental model of you that's accurate, that they actually saw the unsafe thing before you pointed it out.”

That's great. It means they don't see you as a villain. They might see you as somebody you're they're struggling with, but you're struggling together, you both care, they want to be part of it. Don't tell the story in which the other person's a villain, because it's too easy to do. I can take almost any interaction and tell a story about the other person being a villain. As soon as I do, I lose the opportunity for my own improvement, because instead I can say, “How do I act they do? How would other people see me in that same light? Maybe I can improve based on my own gut reaction that was negative.”

[00:29:36] Tad Whitaker: Make security fun. It is fun. I think almost everybody that I've ever met, likes to know about the bad side of behavior in one way or another. The accountant really likes to read about financial embezzlement stories or the HR people know some incredible blow ups that have happened and people like to talk about this. I think it's utilizing that instinct that everybody in every team has. Keeping it light and fun, is I think the best thing to have.

[00:30:12] Guy Podjarny: With that, that's the conclusion of our 100th episode. I want to just quickly repeat a huge thank you to all of you who make this happen. Also repeats the say, if you like this format, other formats, any thoughts you have, please email us at thesecuredeveloper@snyk.io, we'd love to hear from you. That's it for today. Thanks for tuning in. I hope you join us for the next one.

[00:30:39] ANNOUNCER: Thanks for listening to The Secure Developer. That's all we have time for today. To find additional episodes and full transcriptions, visit thesecuredeveloper.com. If you'd to be a guest on the show, or get involved in the community, find us on Twitter at @devseccon. Don't forget to leave us a review on iTunes if you enjoyed today's episode.

Bye for now.

[END]