1
00:00:01,080 --> 00:00:05,679
How'd you like to listen to .NET
Rocks with no ads? Easy. Become

2
00:00:05,679 --> 00:00:09,839
a patron for just five dollars a
month. You get access to a private

3
00:00:10,000 --> 00:00:14,240
RSS feed where all the shows have
no ads. Twenty dollars a month,

4
00:00:14,279 --> 00:00:18,640
we'll get you that and a special
.NET Rocks patron mug. Sign up

5
00:00:18,679 --> 00:00:36,039
now at patreon.dotnetrocks.com.
Hey, welcome back to .NET

6
00:00:36,119 --> 00:00:39,920
Rocks. I'm Carl Franklin. And I'm
Richard Campbell, doing the thing that we do.

7
00:00:40,240 --> 00:00:44,240
Yeah, Laura Bell Main is here. We're
gonna be talking to her about some

8
00:00:44,280 --> 00:00:48,320
really cool security stuff. But first, how are you doing, my friend?

9
00:00:48,399 --> 00:00:51,119
How are the new digs? It's
good to be up on the coast,

10
00:00:51,200 --> 00:00:54,439
you know, living by the ocean's
always therapeutic. Could graduate sort of

11
00:00:54,439 --> 00:00:56,439
stuff out, you know, and
he got it. But it's far enough

12
00:00:56,479 --> 00:00:59,920
away, you know, it's about
three hours from the city. New doctor,

13
00:01:00,520 --> 00:01:04,159
new dentist, new pharmacist,
like you have to sort of figure

14
00:01:04,200 --> 00:01:10,519
all this stuff out. So getting
recommendations from friends, bit by bit. So,

15
00:01:10,719 --> 00:01:12,319
funny life now. It's sort of like, can you go a week without going

16
00:01:12,359 --> 00:01:15,200
to the city? Can you go
two weeks without going to the city? Like,

17
00:01:15,280 --> 00:01:19,799
that's kind of the thing. So
you're stacking up firewood, that's what

18
00:01:19,879 --> 00:01:23,480
you're telling me. Well, that's
winter, and you know, the power

19
00:01:23,560 --> 00:01:26,840
lines and the internet come
up on one set of power poles on

20
00:01:26,879 --> 00:01:33,079
that highway and there are trees.
So do you have a wood powered generator?

21
00:01:33,239 --> 00:01:34,560
Is that how it works up there
in the country? No, no,

22
00:01:34,560 --> 00:01:37,560
no. We just got a pot
belly stove, which is a good

23
00:01:37,599 --> 00:01:41,159
thing. And I got a bunch
of UPSes and I have Starlink, so I

24
00:01:41,159 --> 00:01:45,239
can stay online for a little while. We'll see how much UPS she,

25
00:01:45,359 --> 00:01:48,159
who must be obeyed, allows me
to have. You know, you might

26
00:01:48,159 --> 00:01:53,519
be able to invent a beaver treadmill
that might provide some. This is more otter

27
00:01:53,560 --> 00:01:57,560
country than beaver. You know,
we'll work on it. I can feed

28
00:01:57,599 --> 00:02:00,760
the moose. The moose is the right thing.
Get the moose on the treadmill.

29
00:02:00,959 --> 00:02:04,359
We had elk in the driveway.
Well, listen, black bears

30
00:02:04,359 --> 00:02:07,239
don't bother me. You know this, right? I've lived with black bears all my

31
00:02:07,280 --> 00:02:09,319
life. It's not a big deal. They're cute, but elk are a problem.

32
00:02:09,520 --> 00:02:14,199
They're very large. They're also tasty. Yeah, you know, especially

33
00:02:14,240 --> 00:02:16,599
when you mix the meat with like
you know, pork fat. Yeah,

34
00:02:16,639 --> 00:02:21,680
well, there was a dozen standing in
the driveway as we were coming in, and where we

35
00:02:21,759 --> 00:02:23,120
want to put the truck, you
know. Like, sort of look at her

36
00:02:23,120 --> 00:02:25,039
and go, you know, we
could go to the pub, and she's

37
00:02:25,039 --> 00:02:28,039
like, yeah, let's go to
the pub. We just backed back out

38
00:02:28,039 --> 00:02:30,319
of our driveway to the pub for a
couple hours. They were gone when we

39
00:02:30,400 --> 00:02:34,080
got back. Laura's looking at us
like she's on the wrong podcast. I'm

40
00:02:34,120 --> 00:02:37,439
loving this. I live in New
Zealand, and so we don't have elk.

41
00:02:37,520 --> 00:02:42,400
We have, like, mammals in New Zealand, we have one. We have a

42
00:02:42,479 --> 00:02:46,840
bat and it's teeny tiny and endangered, and none of our birds fly because

43
00:02:46,879 --> 00:02:50,319
we have no mammals and predators.
So you know, yeah, we're not

44
00:02:50,360 --> 00:02:52,400
good at this. So I listened
to this and I'm like, yeah,

45
00:02:52,439 --> 00:02:55,280
we can get beavers and otters and
make electricity and then go to the pub.

46
00:02:55,560 --> 00:03:00,120
All of this is great. Yeah,
you have sheep though, they're tasty.

47
00:03:00,159 --> 00:03:02,159
We yeah, we have more sheep
than people and more than sheep, so

48
00:03:02,479 --> 00:03:08,400
yeah, not by a little either. It's like it's a lot. All

49
00:03:08,520 --> 00:03:13,840
right. So, another bonus chit chat. Let's get started with Better Know a Framework,

50
00:03:13,840 --> 00:03:23,680
cue the crazy music. Okay, all right, man. What do

51
00:03:23,680 --> 00:03:25,719
you got? Uh, what I
got is an article that I found on

52
00:03:25,800 --> 00:03:34,120
LinkedIn, uh, and it's Don't Bet
Against the Cloud, oh, by Kendall

53
00:03:34,199 --> 00:03:37,319
Miller. I know Kendall. Do
you? Yeah. Well anyway, so

54
00:03:37,680 --> 00:03:43,719
basically, the article discusses why there's
this swing back towards self hosting after

55
00:03:43,879 --> 00:03:49,919
years of, you know, businesses
increasingly relying on cloud services. And even

56
00:03:49,919 --> 00:03:54,520
though some companies like Amazon Prime
Video and 37signals have cut costs

57
00:03:54,560 --> 00:04:00,000
by moving away from cloud service providers,
CSPs, there's still a strong case,

58
00:04:00,319 --> 00:04:03,439
so he says, for sticking with cloud
solutions. And he's right. Sure,

59
00:04:03,520 --> 00:04:08,240
yeah, yeah. These cloud services
like you know, Amazon, Google and

60
00:04:08,280 --> 00:04:14,599
Microsoft Azure offer flexibility, which is
a game changer for businesses. And you

61
00:04:14,639 --> 00:04:18,040
know, you read this and it
seems like common sense. But why is

62
00:04:18,120 --> 00:04:21,360
this, you know, why are
people moving away and saying no, we're

63
00:04:21,360 --> 00:04:26,079
going to do it ourselves. Why,
why the sudden change? And it's not

64
00:04:26,120 --> 00:04:28,720
sudden, it's a gradual change.
It's gradual. I think it's a right

65
00:04:28,759 --> 00:04:32,279
sizing. It's certainly been a topic
on RunAs, figuring out what payloads

66
00:04:32,319 --> 00:04:34,839
make sense in the cloud. We
don't. Let's face it, if you're

67
00:04:34,879 --> 00:04:40,399
37signals, you're already running
a twenty four hour a day NOC, right?

68
00:04:40,480 --> 00:04:44,000
Like, you already have the infrastructure. So do you want to monitor

69
00:04:44,040 --> 00:04:46,000
somebody else's machines that you pay for
by the hour, or do you want

70
00:04:46,000 --> 00:04:49,399
to monitor your own? Like that's
sort of a balancing act. You can

71
00:04:49,399 --> 00:04:53,720
get into that. Do you think
it has anything to do with trust?

72
00:04:53,879 --> 00:04:57,480
Like, are people losing trust in
the clouds? Because they're rock solid.

73
00:04:57,680 --> 00:05:01,079
Yeah, they're much more reliable than
any home run implementation. Again,

74
00:05:01,439 --> 00:05:08,000
but if you're committed to three shifts
of sysadmins working around the clock to

75
00:05:08,079 --> 00:05:11,040
keep things up, so you're already
paying for an awful lot of infrastructure,

76
00:05:11,560 --> 00:05:15,199
you know, the numbers start to
make sense. That AWS story about moving

77
00:05:15,319 --> 00:05:19,920
off of serverless onto VMs is an
interesting one, because that's also a story about

78
00:05:20,079 --> 00:05:25,879
right sizing. What they, you know,
what's great about serverless is that it costs

79
00:05:25,879 --> 00:05:29,439
you nothing when nothing's happening. But
what if you have a service that has

80
00:05:29,680 --> 00:05:32,120
tens of thousands of instances all of
the time, Like, why are you

81
00:05:32,279 --> 00:05:36,800
paying for that efficiency when you don't
need it, you might as well.

82
00:05:36,839 --> 00:05:41,040
You could easily run vms that are
under full load all of the time and

83
00:05:41,079 --> 00:05:44,639
you'd get state for free. Well,
and a bunch of architectural differences. Like,

84
00:05:44,759 --> 00:05:48,439
I think it's just this statement in
Kendall's whole story, and I read it

85
00:05:48,639 --> 00:05:55,279
a while ago. It speaks to
the maturation of an industry that we're getting

86
00:05:55,319 --> 00:06:00,639
to a place where there is a
debate of on prem and cloud and hybrid.

87
00:06:01,160 --> 00:06:04,000
You know, what are the commits? What's the reliability? Like, there's

88
00:06:04,000 --> 00:06:08,040
a bunch, there's a mixture there. There is no one right solution.

89
00:06:08,959 --> 00:06:12,079
I think if I, if I
could just add something, I think there's

90
00:06:12,160 --> 00:06:15,879
a little bit of a thing that
we overlook when we look at the diversity

91
00:06:15,920 --> 00:06:20,560
of companies using those platforms. You
know, if you go and you you

92
00:06:20,600 --> 00:06:24,199
know you're a midsize company, you
go and you're like, right, we're

93
00:06:24,240 --> 00:06:28,399
going to go AWS. Great,
wonderful. You go stand at that configuration

94
00:06:28,439 --> 00:06:30,879
page, that initial page, and
choose the services you need, and it

95
00:06:30,959 --> 00:06:33,519
is like standing at one of those
restaurants that's got like one hundred items on

96
00:06:33,560 --> 00:06:38,399
the menu. There is something for
everyone, but somehow you still leave slightly

97
00:06:38,480 --> 00:06:42,519
hungry and confused, and so a
lot of folks, you know, very

98
00:06:42,680 --> 00:06:46,399
quickly adopted, oh well, these
people over here were using serverless, let's

99
00:06:46,399 --> 00:06:49,199
go do that, and went all
in, and they went and they tried this.

100
00:06:49,319 --> 00:06:55,839
And it's really easy to blow up
your budget and to not have the

101
00:06:55,879 --> 00:07:00,120
best performance in scaling because you haven't
quite grasped the you know, the complexity

102
00:07:00,160 --> 00:07:04,560
of using all of those parts together. And outside of our large organizations who

103
00:07:04,600 --> 00:07:10,120
have the expertise to really, like, rein
that in, I can understand the temptation,

104
00:07:10,199 --> 00:07:15,959
if that's got carried away, to go
back to something simpler. I think it

105
00:07:15,000 --> 00:07:19,360
would be really good, as we enter
this next stage of maturation in the CSPs,

106
00:07:20,079 --> 00:07:24,920
for them to actually simplify a little. There's an entire group of audiences

107
00:07:24,959 --> 00:07:30,240
who don't need ninety options. They
need four, and for them to be really easy

108
00:07:30,240 --> 00:07:33,360
to navigate and to work with.
Yeah, exactly, it's great that we

109
00:07:33,399 --> 00:07:36,759
can do anything we want, but
like when we build software, should we

110
00:07:36,839 --> 00:07:42,240
really be doing all of that craziness? Actually, some design patterns work and

111
00:07:42,279 --> 00:07:46,879
we can just use those really easily. And it's just because you can. I

112
00:07:46,920 --> 00:07:49,560
sound like my mum. I've reached
that stage, you know. It's funny

113
00:07:49,600 --> 00:07:54,160
that we've had these conversations, like
with Layla Porter talking about the sort of

114
00:07:54,199 --> 00:08:00,879
right sizing of the monolith versus the
micro services. Right, It's like,

115
00:08:00,879 --> 00:08:01,959
hey, microservices make a lot of
sense when we have a team of

116
00:08:01,959 --> 00:08:05,839
one hundred, and you have a team
of three, it seems like overkill.

117
00:08:07,759 --> 00:08:09,519
So you know, I think the
same thing happens inside of the cloud.

118
00:08:09,600 --> 00:08:15,519
It's like they're effective strategies. But,
and I do, as I'm close to this

119
00:08:15,560 --> 00:08:18,079
stuff because I'm talking to all these experts
all the time on the shows, you

120
00:08:18,120 --> 00:08:24,120
can see them starting to consolidate one
set of access policies that apply to all

121
00:08:24,199 --> 00:08:26,279
products like that. It's but we're
in the early days, so they are

122
00:08:26,360 --> 00:08:31,759
right sizing too. I've never had
such a discussion from a Better Know a Framework

123
00:08:31,799 --> 00:08:37,519
before. Hmm. This is great,
it's good, but it's but one topic

124
00:08:37,639 --> 00:08:39,440
that we're going to talk about today. And Richard's going to bring up another

125
00:08:39,480 --> 00:08:43,000
one from a comment. Who's talking to
us, Richard? Grabbed a comment off Show eighteen

126
00:08:43,120 --> 00:08:48,559
twenty seven, the one we did
early in twenty twenty three with Tanya Janka.

127
00:08:48,559 --> 00:08:52,399
I entitled the show, because it was
the name of a book, Alice

128
00:08:52,440 --> 00:08:58,039
and Bob Learn Application Security. Yeah, great book. Tanya is a howl,

129
00:08:58,240 --> 00:09:01,519
and is local to us, for
me anyway, near in Victoria, just across

130
00:09:01,519 --> 00:09:05,480
on the island that I'm staring at
from here. And our friend Hilton Giesenow,

131
00:09:05,519 --> 00:09:09,799
now out of South Africa, who's
been on the show before as well.

132
00:09:09,679 --> 00:09:13,440
At this point he said, Hey, Richard, question in the show about

133
00:09:13,440 --> 00:09:16,120
what to do about having your multi
factor accounts only on a single device, a

134
00:09:16,159 --> 00:09:22,240
smartphone which travels with you and can
get lost or stolen, and I talked

135
00:09:22,279 --> 00:09:26,159
about how complicated the backups and recovery
strategies were for those things, like that's

136
00:09:26,159 --> 00:09:30,200
a challenge for most people to do
right. He goes on to say a

137
00:09:30,200 --> 00:09:33,519
simple solution is to have a second
device like a tablet or a cheap older

138
00:09:33,600 --> 00:09:37,879
phone or even a watch, with
a backup of all those accounts. Both

139
00:09:37,919 --> 00:09:43,200
Google and Microsoft Authenticator have the ability to
export and import across devices. I've never

140
00:09:43,240 --> 00:09:46,519
tried this, but it might even
be useful to use that to backup accounts

141
00:09:46,519 --> 00:09:50,080
for others. Then, and you
know, I'm trying to push you,

142
00:09:50,120 --> 00:09:52,519
who must be obeyed, into starting
to use Authenticator, So maybe this is

143
00:09:52,559 --> 00:09:54,039
something I got to put in front
of her. It's like, look,

144
00:09:54,080 --> 00:09:58,240
don't worry, we'll have a backup
sitting on your tablet. So if that

145
00:09:58,399 --> 00:10:01,120
happens to your phone, you're going to
be okay. I can actually make a

146
00:10:01,120 --> 00:10:05,399
suggestion here because I have a five
year old and eleven year old, which

147
00:10:05,440 --> 00:10:09,519
means that my resilience policies have to
be really good. My devices do not

148
00:10:09,720 --> 00:10:13,799
last long, and I learned this
the hard way when my five year old

149
00:10:13,799 --> 00:10:18,039
decided to play the game Does It
Swim? Yeah. I don't need to

150
00:10:18,039 --> 00:10:24,240
elaborate on what happened. Now,
anywho, a wet device doesn't do well at multi

151
00:10:24,279 --> 00:10:28,039
factor authentication. Now I'm not commercially
involved with it, but I use an

152
00:10:28,039 --> 00:10:35,159
app called Authy for my non critical
work accounts. Now that automatically will allow

153
00:10:35,200 --> 00:10:41,519
you to move all of your authenticators
between devices, So instead of me having

154
00:10:41,559 --> 00:10:45,919
to migrate before the bad thing,
I can actually pull that down onto a

155
00:10:46,039 --> 00:10:48,399
new device. Now, yes,
there's risks in here. I'm a security

156
00:10:48,440 --> 00:10:54,320
person. I literally do risks all day. Get somewhere. Yeah, but you

157
00:10:54,360 --> 00:11:00,240
know from the review I've done,
you know the risk versus me losing this

158
00:11:00,440 --> 00:11:03,960
entirely, or me managing secure backup codes
somewhere. Like, there was going to be something

159
00:11:05,000 --> 00:11:09,399
somewhere. Sure. And I think for,
especially if these are your non critical accounts.

160
00:11:09,440 --> 00:11:13,240
So I'm not saying put your you
know, your CSP root account passwords

161
00:11:13,240 --> 00:11:16,320
in this thing. But you know, if it's you know, someone significant

162
00:11:16,360 --> 00:11:20,039
in your life and they're looking for
a little bit of resilience, that could

163
00:11:20,080 --> 00:11:22,120
be a really good solution. Yeah. No, I think it's a great

164
00:11:22,159 --> 00:11:26,600
idea. And that's Twilio that makes
Authy, our friends of the show also,

165
00:11:26,679 --> 00:11:33,039
absolutely nothing bad to say about that. It's a good product. And Hilton,

166
00:11:33,200 --> 00:11:35,919
goodness knows you've got a copy of
Music to Code By already. But thanks so much

167
00:11:35,919 --> 00:11:37,039
for your comment. I
hope you and your family are well.

168
00:11:37,120 --> 00:11:39,279
And if you'd like a copy of
Music to Code By, write a comment

169
00:11:39,320 --> 00:11:41,960
on the website at dotnetrocks.com
or on the Facebooks. We

170
00:11:41,960 --> 00:11:45,200
publish every show there, and if
you comment there and we read it on the show,

171
00:11:45,240 --> 00:11:48,519
we'll send you a copy of Music to Code By. Yeah. And another way that

172
00:11:48,600 --> 00:11:50,919
you can get a copy of Music
to Code By is sending us a tweet

173
00:11:50,960 --> 00:11:56,720
from X or a toot from Mastodon. I'm @carlfranklin at techhub

174
00:11:56,759 --> 00:12:03,080
dot social, and I'm Rich Campbell
at mastodon.social. Oh okay,

175
00:12:03,159 --> 00:12:05,919
honestly, really, it's been forever
since you've mentioned it. I

176
00:12:05,120 --> 00:12:09,919
just, I don't know, I'm having
a... now your question, I'm now

177
00:12:09,519 --> 00:12:13,440
questioning myself. You're having a moment. I'm having a moment. So it

178
00:12:13,519 --> 00:12:16,399
must be the haircut. I think
it's it must be all right. Well,

179
00:12:16,480 --> 00:12:20,480
let's introduce our guest today, who
we've already heard from. Laura Bell

180
00:12:20,559 --> 00:12:26,759
Main is a global secure development leader, a best selling author and speaker,

181
00:12:26,320 --> 00:12:33,240
helping software development leaders worldwide engage their
entire team in building secure software. And officially,

182
00:12:33,799 --> 00:12:37,480
welcome to the .NET Rocks show. Laura, thank you so much for

183
00:12:37,519 --> 00:12:41,559
having me. Apologies for jumping into
your conversations. This is a really fun

184
00:12:41,600 --> 00:12:45,960
podcast. You made it better by
jumping in. We're never going to

185
00:12:45,960 --> 00:12:48,159
complain when smart people talk.
Talking about smart things makes me happy every

186
00:12:48,200 --> 00:12:52,879
time. Absolutely. Yeah, and a Kiwi
to boot. I was born in New

187
00:12:52,000 --> 00:12:56,600
Zealand, although I sound like an
American and I live in Canada. Where

188
00:12:56,600 --> 00:13:01,080
were you born? Wow? Okay, family farms. Family farms on Ohuiti

189
00:13:01,200 --> 00:13:05,720
Road. Wow. For those who
don't know New Zealand at all, we're

190
00:13:05,759 --> 00:13:07,240
a tiny island. And that's a
tiny place on a tiny island, like

191
00:13:09,360 --> 00:13:13,000
very, very specific hills and cows and
sheep. So I brought Carl to the,

192
00:13:13,080 --> 00:13:16,279
to the farm once, and when we
got there, we got into the rental

193
00:13:16,320 --> 00:13:18,519
car, and it was a Holden Commodore, of course. Uh, at the,

194
00:13:18,600 --> 00:13:22,919
at the airport, I said,
listen, over the next couple of hours

195
00:13:22,960 --> 00:13:24,840
while I'm driving, you're gonna see
me randomly turn on the windshield wipers.

196
00:13:26,679 --> 00:13:30,279
That's because they switched the position of
the windshield wipers and the turn signals,

197
00:13:30,320 --> 00:13:33,200
and I keep screwing them up.
So when you're wondering, why does Richard

198
00:13:33,240 --> 00:13:39,960
keep hitting the turn signals for
no reason, that's why. It was a

199
00:13:39,000 --> 00:13:45,559
delightful trip though. And your
aunts were amazing. Yeah, great,

200
00:13:45,600 --> 00:13:48,600
they're great people. And they,
the Knee family, which is my

201
00:13:48,720 --> 00:13:54,679
eldest aunt married into, this family
whose grandfather was a homesteader. He's

202
00:13:54,759 --> 00:13:58,440
an original Ohuiti settler. There's literally roads
named after, you know, the road

203
00:13:58,440 --> 00:14:03,720
at the bottom of his farm is
Knee Road, right? Like, it's super cool.

204
00:14:03,879 --> 00:14:07,600
And they have every sop when day
when if I'm lucky enough, when I'm

205
00:14:07,600 --> 00:14:11,080
there. They have a party for
the weedy settlers. They're amazing people.

206
00:14:11,120 --> 00:14:16,960
But these are genuine farmers that have
grown up there and they've seen their city

207
00:14:16,000 --> 00:14:20,679
grow and change and so forth. They're
hilarious. I was on the edge

208
00:14:20,679 --> 00:14:24,120
of my seat waiting for Gandalf to
pop out from behind the rocks and trees,

209
00:14:24,799 --> 00:14:28,519
and he never did, though. Never
saw any hobbits. All the green

210
00:14:28,639 --> 00:14:33,799
rolling hills, but beautiful things down
the road in Matamata. So

211
00:14:33,200 --> 00:14:39,120
anyway, Laura Bell Main, tell us
what you've been thinking about and talking about

212
00:14:39,200 --> 00:14:41,480
lately. I bet it has something
to do with secure applications. It does,

213
00:14:41,840 --> 00:14:46,080
but it also, so I've been going
to a lot of conferences, as

214
00:14:46,080 --> 00:14:50,159
you do. I tend to cluster
them together and do these like weird little

215
00:14:50,159 --> 00:14:52,440
holidays with like three or four conferences,
because everywhere's far from where I live.

216
00:14:54,159 --> 00:14:58,879
And I've been hearing a lot about
developer toil, that we're all very sad,

217
00:14:58,879 --> 00:15:01,320
and we're all very tired, and
everything is hard right now, and

218
00:15:01,360 --> 00:15:05,879
I get it. And so we've
been having a bit of an existential crisis

219
00:15:05,879 --> 00:15:11,639
in security of whether we, in DevSecOps
and kind of in moving security into

220
00:15:11,639 --> 00:15:16,840
the dev space, that we're making people
even sadder and even worse. So I've

221
00:15:16,879 --> 00:15:20,720
been talking a lot about where security
needs to be versus where it doesn't need

222
00:15:20,759 --> 00:15:24,279
to be, and which parts of
it actually are just making things worse and

223
00:15:24,320 --> 00:15:28,639
more painful. And so yeah,
a lot of conversation about that at the

224
00:15:28,679 --> 00:15:33,679
moment, because if I'm honest,
I'm kind of bored. I'm bored of

225
00:15:33,720 --> 00:15:37,720
the conversation always being, hey, we
found three vulnerabilities and we had five last

226
00:15:37,759 --> 00:15:39,799
month, and therefore we're more secure. And now I think we can do

227
00:15:39,879 --> 00:15:45,200
better than just like looking back at
our code and going looks all right.

228
00:15:46,240 --> 00:15:52,600
So yeah, I want to kind
of make security a little less painful and

229
00:15:52,759 --> 00:15:56,559
a little bit more focused on you
know what if security really was part of

230
00:15:56,600 --> 00:16:02,600
software quality, right, how would
we measure it then and how would we

231
00:16:02,639 --> 00:16:06,600
approach it if it wasn't this weird, separate, standalone thing that we all

232
00:16:06,600 --> 00:16:11,000
get to later when somebody makes us.
Yeah, well, that comes down to, what

233
00:16:11,039 --> 00:16:14,679
are the unit tests for security,
then? Isn't it? Partially. But for

234
00:16:14,799 --> 00:16:18,000
me it's, it's kind of, it's going
old school with like the ilities, right?

235
00:16:18,120 --> 00:16:22,279
it's not just does it work?
Does it not? It's not just

236
00:16:22,440 --> 00:16:25,919
straightforward tests that you know, if
we look at performance and scaling, very

237
00:16:25,960 --> 00:16:30,840
few organizations have really got structured tests
around that. Now there's a lot of

238
00:16:30,039 --> 00:16:36,080
you know, more subjective appreciation,
and then there's a lot of logging and monitoring

239
00:16:36,120 --> 00:16:41,080
and observability that comes into it.
But I don't think we have that maturity

240
00:16:41,200 --> 00:16:47,759
in security to assess where we're at
because most of it it really is take

241
00:16:47,799 --> 00:16:52,200
code, scan code, find things
or not find things. And I really

242
00:16:52,240 --> 00:16:57,000
want to kind of explore and play
with how we already examine our software and

243
00:16:57,039 --> 00:17:00,559
what we can learn from a security
perspective from the things we already do in

244
00:17:00,639 --> 00:17:06,119
development. I mean, I love
the idea of including in my CI/CD pipeline

245
00:17:06,160 --> 00:17:10,880
like the latest script kiddie attacks just
running against it. Did you get anywhere?

246
00:17:11,240 --> 00:17:15,160
Yeah, although it's complicated. Like,
you've got to get to an external

247
00:17:15,200 --> 00:17:18,279
host and poke in. Yeah,
and you've got to find a script kitty.

248
00:17:18,799 --> 00:17:22,400
Absolutely. They're really hard
to catch. I need to throw the

249
00:17:22,400 --> 00:17:27,799
ball multiple times and give them a
berry, and yeah, with water, but they

250
00:17:27,839 --> 00:17:33,079
come back. They just like it. Maybe they like the elk. You can

251
00:17:33,160 --> 00:17:40,920
stay. When we get down to it, you look at people like, there was

252
00:17:40,960 --> 00:17:44,759
a gentleman, James. His name's
going to escape me because I've now tried

253
00:17:44,799 --> 00:17:47,880
to say it out loud, and
that's the rule of names who did a

254
00:17:47,920 --> 00:17:52,079
lot of work on automated security testing. So this was the time where things

255
00:17:52,079 --> 00:17:57,759
like BDD-Security started coming out,
and they were Cucumber style tests that were

256
00:17:57,759 --> 00:18:03,240
written around open source testing and scanning
frameworks for security, and there was a

257
00:18:03,240 --> 00:18:07,000
lot of push at that period for
getting those into CI/CD pipelines. The problem

258
00:18:07,200 --> 00:18:11,599
is that the way that the underlying
tools they hook into do that work,

259
00:18:11,839 --> 00:18:18,240
they're very slow tools, and so
it exploded pipelines everywhere and everyone got sad,

260
00:18:18,720 --> 00:18:22,079
and then we ended up with parallel
pipelines and before we knew it,

261
00:18:22,119 --> 00:18:26,880
we were back to where we started. So that's the one I... It was
262
00:18:26,920 --> 00:18:33,039
a... Brains are funny things.
Thank you so much. So yes,

263
00:18:33,559 --> 00:18:36,640
and the work you did at that
time. You know, there's not a

264
00:18:36,640 --> 00:18:40,079
lot of activity in that space at
the moment. There's a lot of, you know,

265
00:18:40,240 --> 00:18:44,880
how to build AI that builds your
tests for you in security, but it

266
00:18:44,920 --> 00:18:48,160
would be good to see how we
could approach that differently. I think the

267
00:18:48,440 --> 00:18:52,720
big problem in that space was always
the underlying tools that we were hooking into.

268
00:18:52,599 --> 00:18:56,279
So we couldn't do this from, you
know, just a raw perspective.

269
00:18:56,319 --> 00:19:00,119
We had to hook an open source
tool. Those open source tools weren't built

270
00:19:00,440 --> 00:19:06,119
to be run in tiny components.
They're big frameworks that try to run

271
00:19:06,160 --> 00:19:10,240
a huge thing. Testing's got that
same problem, right? If you really

272
00:19:10,240 --> 00:19:14,599
want to load test, it's a
complicated set of tools. Absolutely. So,

273
00:19:14,720 --> 00:19:18,359
yeah, I'm genuinely excited that I
think we can do some really cool

274
00:19:18,359 --> 00:19:22,319
stuff in the space. But I
think the focus, and unfortunately the money

275
00:19:22,359 --> 00:19:26,519
in security is very much at those
kind of code scanning, kind of glossy

276
00:19:26,559 --> 00:19:30,519
things, and I think it's going
to take more dev focus for us to

277
00:19:30,559 --> 00:19:34,519
make this more practical and something we
can control ourselves in the dev space rather

278
00:19:34,519 --> 00:19:40,119
than relying on external things. Yeah, you know, over on the sysadmin

279
00:19:40,200 --> 00:19:45,279
side, I've talked to so many
infosec folks who are just so frustrated. It's like,

280
00:19:45,440 --> 00:19:48,279
we see the vulnerabilities, we have brought
them forward to leadership. Leadership

281
00:19:48,359 --> 00:19:51,359
is like, we don't think this is
that big of a risk. We're not

282
00:19:51,440 --> 00:19:56,039
spending money on it until it explodes. Yeah, there's an interesting conversation actually

283
00:19:56,279 --> 00:20:00,880
just started in the last couple of
years in digital safety about the old recurring

284
00:20:02,039 --> 00:20:07,920
theme of software liability and warranties.
And you know, there's an argument that

285
00:20:07,000 --> 00:20:11,480
it will take us moving to having
to be liable or have full warranty for

286
00:20:11,559 --> 00:20:15,000
the software you build for people to
care, which I have many thoughts and

287
00:20:15,039 --> 00:20:19,480
feelings on, and that's a pretty
scary area. But you can see historically,

288
00:20:22,720 --> 00:20:26,599
arguably Bill Gates's real contribution to the
world, when they strip it all

289
00:20:26,640 --> 00:20:30,519
the way down one hundred years from
now, will be he wrote the original

290
00:20:30,599 --> 00:20:33,920
EULA, rather his father, the
lawyer, did. But you know, eliminating

291
00:20:34,000 --> 00:20:40,680
responsibility for software, or limiting
that liability to the price you paid for

292
00:20:40,880 --> 00:20:44,240
it. You know, there is
an argument at the time, at least

293
00:20:44,400 --> 00:20:48,160
what fifty years ago, that this
is what will allow for rapid innovation.

294
00:20:48,200 --> 00:20:52,480
But now it seems like a real
liability that we just have no reason to

295
00:20:52,960 --> 00:20:57,359
become professionals because we have no liability. Absolutely. And you know, if

296
00:20:57,400 --> 00:21:02,359
you're writing an e-commerce site and
selling widgets to people, cool, all

297
00:21:02,440 --> 00:21:06,960
right, you know, I get
the financial liability stuff. But if your

298
00:21:07,039 --> 00:21:10,480
software... I was talking to some, I
love, I collect the stories of amazing

299
00:21:10,519 --> 00:21:14,279
engineers who are building crazy things from
sci fi. That's like my nerd hobby.

300
00:21:14,880 --> 00:21:18,279
And I was talking to this team
and they're like, so we have

301
00:21:18,519 --> 00:21:22,559
built these amazing remote control cars and
I'm like, hang on, no,

302
00:21:22,680 --> 00:21:26,000
that's not tech. And they're like
no, like full sized cars that are

303
00:21:26,039 --> 00:21:33,440
remote controlled over thousands of kilometers in
airports, and I'm like, cool. So

304
00:21:33,720 --> 00:21:37,319
we started realizing that, you know, this is a massive piece of software that was

305
00:21:37,359 --> 00:21:41,000
attached to a standard car. So
these are not custom built vehicles. This

306
00:21:41,160 --> 00:21:45,160
is they have taken a, you know, a sedan or whatever and retrofitted some

307
00:21:45,400 --> 00:21:48,559
remote control tech into it, right, and they're in an airport and I'm

308
00:21:48,640 --> 00:21:52,680
like wow. From a security point
of view, that's one thing, but

309
00:21:52,759 --> 00:21:59,599
from a health and safety point of
view, you know, moving machinery because

310
00:21:59,599 --> 00:22:03,960
that learning in a busy environment,
and you know, like this, it's

311
00:22:04,039 --> 00:22:08,240
hard to be a security person right
now because you're torn in two. There's half of

312
00:22:08,319 --> 00:22:11,400
me that's like, oh my goodness, there is amazing technology everywhere and look

313
00:22:11,440 --> 00:22:14,799
what we're doing and it's cool,
and the other half of me is like,

314
00:22:14,839 --> 00:22:17,799
can I just go lie down please? This is fairly terrifying. Well,

315
00:22:17,960 --> 00:22:21,240
you know, apart from the
tech, probably one of the biggest

316
00:22:21,279 --> 00:22:25,839
vectors for security attacks is social engineering, isn't it? And things that we

317
00:22:25,960 --> 00:22:30,559
don't think about because we're tech focused
software developers don't think about these side channel

318
00:22:30,599 --> 00:22:37,119
attacks that can happen. I heard
one story about people who are trying to

319
00:22:37,240 --> 00:22:45,240
listen in on other people's conversations by
connecting microphones to the plumbing. And you

320
00:22:45,319 --> 00:22:48,079
don't think about it, but your
sink is listening to you, and you

321
00:22:48,200 --> 00:22:53,279
put a microphone on the pipe and
you can actually hear everything that people in

322
00:22:53,319 --> 00:22:56,480
the room are saying. There's a
really good example of something. Oh but

323
00:22:56,880 --> 00:23:00,400
this room is out, you know, has got the security surveillance and the

324
00:23:00,440 --> 00:23:07,680
cameras, and fine, but what
are you doing about the sink? Absolutely

325
00:23:07,720 --> 00:23:10,519
there was a glorious video from it
a number of years ago now, but

326
00:23:10,960 --> 00:23:15,599
some very smart scientists discovered that they
could monitor a plant that was in the

327
00:23:15,720 --> 00:23:18,759
room, and they could look at
the vibrations on the plant, and they

328
00:23:18,759 --> 00:23:22,960
could actually extract the conversation from a
room based on the minute movements of a

329
00:23:23,039 --> 00:23:27,759
plant, and like part of me
is like wow, that's like it is

330
00:23:27,880 --> 00:23:32,839
so cool, and you know what
security can be all doom and gloom.

331
00:23:32,920 --> 00:23:36,400
Absolutely, lots of terrible things can
happen. I will not understate those.

332
00:23:36,880 --> 00:23:40,200
But at the same time, I
think the future of security doesn't just need

333
00:23:40,279 --> 00:23:44,759
people like me with massive anxiety problems
that turned it into a career. Then

334
00:23:44,880 --> 00:23:49,559
you've got to be excited about the
technology and the potential of it. Not

335
00:23:49,759 --> 00:23:53,039
everything is going to change the world, but to one or two people it

336
00:23:53,160 --> 00:23:57,880
might to be able to work on
the let's mute our plants problem rather than

337
00:23:57,920 --> 00:24:03,519
the real SQL injection. Really, that
would be nice, wouldn't it? Yeah.

338
00:24:03,759 --> 00:24:07,359
Yeah, but you know there's an
underlying truth about that though. There's

339
00:24:07,359 --> 00:24:10,279
a reason that the OWASP Top Ten
hasn't changed much from two thousand and three

340
00:24:10,359 --> 00:24:14,680
till now. Yeah, and that's
because we're still approaching it in the same

341
00:24:14,720 --> 00:24:17,599
way we did twenty years ago,
more or less writing software the same way.

342
00:24:17,839 --> 00:24:22,920
Well, I know for a fact
that two factor authentication has saved my

343
00:24:22,079 --> 00:24:26,839
butt several times. Every once in
a while, I get an email that

344
00:24:26,960 --> 00:24:33,559
says, hey, we've got a
request to change your password. You know,

345
00:24:33,599 --> 00:24:37,640
if this wasn't you, then just
ignore this. Otherwise here's the code.

346
00:24:37,559 --> 00:24:41,160
Uh yeah, I think I'm going
to ignore that. I think you

347
00:24:41,319 --> 00:24:44,799
ignore that one. It's a conversation
we had on RunAs, I think it

348
00:24:44,880 --> 00:24:47,079
was with Sami Laiho. He said, hey, look, you know,

349
00:24:47,559 --> 00:24:51,160
multi-factor's worked well enough that it's
actually moved it off the top. It's

350
00:24:51,240 --> 00:24:55,480
now number two, and what's on
top is unpatched servers. And that brought

351
00:24:55,559 --> 00:24:59,839
up this whole conversation of we're super
cautious about patching servers because sometimes it breaks,

352
00:25:00,720 --> 00:25:03,079
but that's now a higher risk than
the possibility of it breaking. So

353
00:25:03,119 --> 00:25:07,559
it's like it's better to deploy the
patch quickly and deal with the consequence,

354
00:25:07,640 --> 00:25:11,319
than it is to stay unpatched. And
what do you do about grandmas that insist

355
00:25:11,440 --> 00:25:17,240
on clicking on links in emails and
text messages that you know, I mean,

356
00:25:17,400 --> 00:25:22,359
that remains probably one of the biggest
threat vectors, this social engineering stuff.

357
00:25:22,599 --> 00:25:25,960
I mean, that's there's no tech
that can well can you know,

358
00:25:26,039 --> 00:25:29,960
that can protect you from that.
There never will be and there never has

359
00:25:30,079 --> 00:25:33,839
been. So I love the fact
that security has invented fancy words for all

360
00:25:33,880 --> 00:25:38,000
of these things, but in essence, human beings are jerks and have always

361
00:25:38,039 --> 00:25:41,799
been jerks for as long as there
have been people. We have done whatever

362
00:25:41,920 --> 00:25:45,799
we could, whether it was lying,
cheating, stealing, applying the technology of

363
00:25:45,880 --> 00:25:52,200
the time to get things we wanted. And so it's evolutionary. It's part

364
00:25:52,279 --> 00:25:56,599
of our culture is the willingness to
bend the truth, to bend the rules,

365
00:25:56,079 --> 00:26:02,039
and to change our behaviors such that
we get gain. Now, you

366
00:26:02,240 --> 00:26:07,960
can't fix that with a web application
firewall, because, you know, as

367
00:26:07,039 --> 00:26:11,359
engineers, we're problem solvers. So
we, you know, problem's over here.

368
00:26:11,440 --> 00:26:12,319
Cool, I'm going to take any
pathway to get there, and I'm

369
00:26:12,359 --> 00:26:17,279
going to build something great, wonderful. And some of us build beautiful systems

370
00:26:17,319 --> 00:26:19,119
and some of us build things made
out of duct tape and good intentions,

371
00:26:19,559 --> 00:26:23,480
and it doesn't matter. This is
a different style of engineering, and our

372
00:26:23,519 --> 00:26:29,160
attackers are exactly the same. They
are creative, they are very objective focused.

373
00:26:29,279 --> 00:26:32,680
They want, you know, the
shiny shirt, or they want to

374
00:26:32,720 --> 00:26:36,039
go and you know, get the
money, or they want to get political

375
00:26:36,079 --> 00:26:40,559
influence, whatever it is, and
they'll take whatever path. It's an infinite

376
00:26:40,680 --> 00:26:45,480
problem space and at the moment in
security, we're very narrowly focused because

377
00:26:45,519 --> 00:26:48,960
it helps us focus and it's all
we can do on this vulnerability class or

378
00:26:49,000 --> 00:26:52,640
this vulnerability class. But we overlook
the fact that if you take that one

379
00:26:52,680 --> 00:26:56,640
away, something else will spring up. So it has to be more holistic.

380
00:26:57,119 --> 00:27:02,480
Yeah, and constant and vigilant.
Yeah. Yeah, yeah. It's

381
00:27:02,519 --> 00:27:04,279
not a good recruiting campaign for security, to be honest. I'm just telling

382
00:27:04,319 --> 00:27:11,759
you constantly learning and you'll always fail. So yeah, I don't know why

383
00:27:11,839 --> 00:27:15,039
we do it. Really, it's
only what you mentioned that when although every

384
00:27:15,119 --> 00:27:19,799
security person I know is busy,
like, nobody's being laid off in this

385
00:27:19,880 --> 00:27:25,599
space either, there's only more work. Yeah, as frustrating as it may

386
00:27:25,640 --> 00:27:29,079
be, and I do, I mean, I appreciate your sense of weight

387
00:27:29,240 --> 00:27:34,759
and concern because it can be weighty
and concerning. It's certainly, there's no

388
00:27:34,960 --> 00:27:37,319
lack of things to do. It's
just I think it's going to be very

389
00:27:37,400 --> 00:27:45,119
frustrating to have the same conversations over
and over and over before we go on.

390
00:27:45,559 --> 00:27:48,200
Why don't we take a brief break. Sure, we'll be right back,

391
00:27:52,480 --> 00:27:53,640
and we're back. It's .NET
Rocks. I'm Richard Campbell. That's

392
00:27:53,680 --> 00:27:57,559
Carl Franklin. Hey, talking to
our friend Laura Bell Main a little bit

393
00:27:57,559 --> 00:28:03,119
about you go on the agile side
of security, which I find interesting. We've

394
00:28:03,160 --> 00:28:10,799
been talking about the whole shifting left
of security. I just don't you know,

395
00:28:11,319 --> 00:28:15,599
And yet most of the time security
still applied after the V one's out

396
00:28:15,640 --> 00:28:19,559
the door. So what do you
how do you even talk about shifting security

397
00:28:19,680 --> 00:28:23,039
left? I'm going to be a
bit controversial, and I'm really sorry.

398
00:28:23,319 --> 00:28:27,480
People will have feelings and opinions,
Please please put them in comments and for

399
00:28:27,599 --> 00:28:33,400
our shows probing for us, I
think what's really happening with shifting left is

400
00:28:33,559 --> 00:28:34,720
if you shift left for long enough, it ends up in the sea.

401
00:28:36,000 --> 00:28:38,000
And that's what's happening. We go, all right, it's not our team

402
00:28:38,000 --> 00:28:40,759
anymore. We're going to pass it
to that team, and that team go

403
00:28:40,920 --> 00:28:42,680
cool, we don't have the time, and there's another team and they pass

404
00:28:42,720 --> 00:28:47,759
it on. And what we're seeing,
time and time again: the focus on

405
00:28:47,799 --> 00:28:51,200
shift left is limited in two ways. Firstly, you even see it in the

406
00:28:51,319 --> 00:28:55,039
language of the tools and techniques we
do. They talk about from development to

407
00:28:55,200 --> 00:28:59,200
deployment as if that's the entire process. Yes, that's the whole loop, man.

408
00:28:59,319 --> 00:29:04,799
Nobody. Actually, yeah, absolutely nothing
else happens planning and design, none of

409
00:29:04,880 --> 00:29:10,119
that, exactly. The light of
software just descends upon us. We instantly

410
00:29:10,240 --> 00:29:18,799
know exactly, yeah, exactly,
we go home. Yeah, job done.

411
00:29:19,160 --> 00:29:22,519
It's weird that we're all still employed. I don't know why that would

412
00:29:22,559 --> 00:29:27,960
be. So all of our things
focus on that stage. So writing code

413
00:29:29,079 --> 00:29:33,599
through to deployment. Now that leads
to startlingly big gaps. It leaves maintenance

414
00:29:33,680 --> 00:29:37,920
and support. So those ones,
those tools that you have out in the

415
00:29:37,960 --> 00:29:41,279
world that are now in BAU,
they you know, there's minimal changes happening.

416
00:29:41,720 --> 00:29:45,359
Now. That's especially true if your
architecture has been fragmented in some way

417
00:29:45,960 --> 00:29:51,720
such that you know a component actually
has a singular purpose or a small number

418
00:29:51,720 --> 00:29:53,519
of purposes, and you work on
other components to do the rest. So

419
00:29:53,680 --> 00:29:59,079
microservices folk have this a lot. It's never built. How are your

420
00:29:59,119 --> 00:30:02,839
fancy security p this is ever going
to apply again if that thing is never

421
00:30:02,960 --> 00:30:07,599
being built, because everything's built into
the deployment pipeline, into the build pipeline.

422
00:30:07,160 --> 00:30:11,599
And at the other end, we
talk about threat assessment. And I

423
00:30:11,720 --> 00:30:17,400
love that the movement is starting to
get some energy, but we still we

424
00:30:17,519 --> 00:30:19,079
still fall back on that urge.
We have to, well, how can I

425
00:30:19,160 --> 00:30:23,759
automate that? Now, threat assessment
is very difficult for you to automate and

426
00:30:25,079 --> 00:30:26,480
that's hard to hear as an engineer
because you want to go, well,

427
00:30:26,519 --> 00:30:29,880
I just want to make the tool
do it for me, and then I

428
00:30:29,960 --> 00:30:33,000
can do other things like drink coffee. But threat assessment, I've got to

429
00:30:33,079 --> 00:30:37,799
look around. Yes, sometimes you
actually just have to plan a bank robbery

430
00:30:37,880 --> 00:30:42,279
with your friends. That's just how
you have to operate. And so we've

431
00:30:42,359 --> 00:30:47,160
got to find space for this.
We've got to start talking about development

432
00:30:47,319 --> 00:30:52,680
security around more than just that
middle section and more than just the people

433
00:30:52,680 --> 00:30:56,519
who write the code. It needs
to be everybody in the team, and

434
00:30:56,640 --> 00:31:00,960
it doesn't need to be lots of
work. We run a very kind of

435
00:31:00,039 --> 00:31:04,640
lightweight program, completely free, called One Hour
AppSec. So we aim to get

436
00:31:04,720 --> 00:31:08,640
folks in dev doing one hour of
security stuff every sprint. That's it,

437
00:31:10,079 --> 00:31:14,079
just one hour, sixty minutes.
But if you imagine the impact of doing

438
00:31:14,160 --> 00:31:17,599
that across you know, one hundred
percent team, that's a lot of security

439
00:31:17,680 --> 00:31:22,279
every sprint. So those minute changes
across all the roles could have a huge

440
00:31:22,319 --> 00:31:26,359
impact. But at the moment,
unfortunately shift left and DevSecOps and the agile

441
00:31:26,440 --> 00:31:30,920
movement really is focused on that CI/CD
pipeline and that middle chunk right which again

442
00:31:32,039 --> 00:31:34,799
is trying to automate the problem away
rather than you know the problem. And

443
00:31:34,920 --> 00:31:37,880
I think you described it really well, it's not shift left, it's everybody's

444
00:31:37,960 --> 00:31:42,640
fight, that everybody has to be part
of the solution here. And this is

445
00:31:42,680 --> 00:31:47,039
something that a scrum master
could easily manage. Hey, we're

446
00:31:47,039 --> 00:31:49,400
starting up a sprint. Let's do
our hour. What are you going to

447
00:31:49,440 --> 00:31:52,079
work on? Absolutely, oh,
like, let's let's get this at the

448
00:31:52,119 --> 00:31:56,400
front of the sprint, talk through
the security elements before we go anywhere else.

449
00:31:56,480 --> 00:32:00,640
Almost absolutely, And you know,
if you're white with your hour,

450
00:32:00,279 --> 00:32:02,599
you know, the first time you
do it, you think about things.

451
00:32:02,680 --> 00:32:06,200
The second time you do it,
you've got the guardrail that you did the

452
00:32:06,279 --> 00:32:09,880
last time you did this, and
you know, these artifacts start to naturally,

453
00:32:10,759 --> 00:32:14,319
you kind of get created as part
of it, and they iterate as

454
00:32:14,359 --> 00:32:17,680
you go and it really there is
no done. There is no perfect in security.

455
00:32:17,720 --> 00:32:22,720
So if we park that idea entirely, what we have is an awareness

456
00:32:22,400 --> 00:32:27,079
and behaviors that we try and consistently
apply. So you can look at this

457
00:32:27,200 --> 00:32:30,039
in any part of your life,
like a gym membership. Right, buying

458
00:32:30,079 --> 00:32:35,680
the gym membership isn't actually going to
do anything for me. Sorry, the New

459
00:32:35,720 --> 00:32:44,200
Zealand. Yeah, in between the
sheep and the characters, gyms are a foreign concept.

460
00:32:45,960 --> 00:32:47,880
So whatever it is,
buying the thing isn't going to get you

461
00:32:49,000 --> 00:32:54,920
there, but consistent application and shared
participation, group participation, will get you

462
00:32:55,039 --> 00:32:59,720
there. So, you know,
I think perhaps I'm like the security equivalent

463
00:32:59,720 --> 00:33:04,279
of HIIT, but that's okay. I really do think that there are

464
00:33:04,359 --> 00:33:07,000
no superheroes in security. There is
nobody that's going to come and do it

465
00:33:07,119 --> 00:33:09,680
for us in our team and make
it all go away. The best thing

466
00:33:09,759 --> 00:33:15,240
you can do is find little things, do them consistently, automate the ones

467
00:33:15,279 --> 00:33:17,960
you can that make sense and the
ones that you can't do. If you're

468
00:33:17,960 --> 00:33:22,640
anything like me, I'm truly interrupt
driven and horribly distracted. So create little

469
00:33:22,720 --> 00:33:27,000
robots that tell you you need to
go do the thing, right? And the

470
00:33:27,200 --> 00:33:30,839
easier you make that for yourself.
Suddenly we have a huge movement that isn't

471
00:33:30,880 --> 00:33:36,799
led by specialist security engineers. We
still need them for a variety of reasons.

472
00:33:37,480 --> 00:33:39,480
But what if the majority of software
security was in the dev team.

473
00:33:39,839 --> 00:33:43,200
It was just part of what we
do a little bit and a little bit

474
00:33:43,240 --> 00:33:45,720
of time, so that you built
up a set of guardrails that you could

475
00:33:45,920 --> 00:33:49,599
use over and over again. So
when you're doing pen testing, for example,

476
00:33:49,799 --> 00:33:53,359
how much of that can you automate
versus doing you know, doing manually.

477
00:33:53,720 --> 00:33:57,240
Oh, that's a, there's a load, that's a loaded question, Carl,

478
00:33:58,319 --> 00:34:01,559
we're going to get in trouble,
so let's do it. So I did

479
00:34:01,599 --> 00:34:05,920
about seven years as a pen tester, so been very deep in that.

480
00:34:05,960 --> 00:34:08,440
I've also been a red teamer,
so where you know, the more advanced,

481
00:34:08,519 --> 00:34:13,880
sort of customized level. Now,
it really does depend on the pen

482
00:34:13,920 --> 00:34:20,559
test company. So I'm going to
like, blanket hand-wave statement. But a lot

483
00:34:20,719 --> 00:34:24,639
of the early stuff in a pentest, so what we'd call reconnaissance is absolutely

484
00:34:24,679 --> 00:34:30,559
automated and has been for a number
of years. Vulnerability scanning, which is

485
00:34:30,679 --> 00:34:35,320
the next stage, also heavily automated. Now, if I could give the

486
00:34:35,400 --> 00:34:39,119
audience a little bit of advice,
pen testing is really expensive. Your aim

487
00:34:39,199 --> 00:34:43,199
with a pentest is to make your
pen tester cry. You want them to

488
00:34:43,239 --> 00:34:47,000
to work so hard. Oh
yeah. So, like, the stuff that's automated,

489
00:34:47,039 --> 00:34:52,920
that reconnaissance, the information gathering,
the running, vulnerability scanning, that

490
00:34:52,079 --> 00:34:55,639
you should be doing yourself like you
can do that with open source tools.

491
00:34:57,000 --> 00:35:00,079
There is no magic there, and
there is no magic in pen testing at

492
00:35:00,159 --> 00:35:02,880
all. In fact, if you're
a dev, if you wanted to get

493
00:35:02,920 --> 00:35:06,800
into the space and learn a bit
more about it, there's some really great

494
00:35:07,000 --> 00:35:10,920
free resources by Bugcrowd, so the
bug bounty platform. They have a little

495
00:35:12,000 --> 00:35:15,280
university that you can go and just
free of charge. There's no sign up

496
00:35:15,320 --> 00:35:17,280
or anything. You just watch their
videos and things and learn how this all

497
00:35:17,400 --> 00:35:22,000
works, and you start to realize
that there's this whole foundation that you can

498
00:35:22,079 --> 00:35:27,360
do and then automate to mean that
by the time you get to a pen

499
00:35:27,400 --> 00:35:30,719
test, they really do have to
focus on that really manual custom effort,

500
00:35:30,800 --> 00:35:35,639
and that's what we want in a
pen test. They will only do as

501
00:35:35,719 --> 00:35:38,440
much manual effort as they have time
to do. So if they're finding lots

502
00:35:38,480 --> 00:35:43,280
of junk with the vulnerability stuff,
they'll never get to it. So yeah,

503
00:35:43,320 --> 00:35:46,159
it's a bit of a strange
situation. But to answer your question,

504
00:35:46,239 --> 00:35:49,519
Carl, you want to force them
to do as much of it as

505
00:35:49,599 --> 00:35:52,880
possible and do it for them.
Yeah, yeah, so they have. Your

506
00:35:52,960 --> 00:35:57,320
real value is going to come when
they're deep down the pipeline. Yes,

507
00:35:57,760 --> 00:36:00,039
Yep, but if you've only
paid for so many hours, if they can

508
00:36:00,119 --> 00:36:04,320
knock you out with a simple oh, you have this port open exactly,

509
00:36:04,880 --> 00:36:07,559
this server's not been patched. I
just love it. One. Questions are

510
00:36:07,639 --> 00:36:14,599
like what is that? Yeah,
And there's a lot of folks who will

511
00:36:14,639 --> 00:36:17,039
say, hey, never share your
code with the pen testers either. And

512
00:36:17,159 --> 00:36:22,199
I would absolutely argue with that because
a pentest is scoped, it's time-scoped, so

513
00:36:22,280 --> 00:36:25,639
you've only got two weeks, three
weeks, whatever it is. And if

514
00:36:25,679 --> 00:36:29,800
you imagine as an engineer, you
were given a system and you're told find

515
00:36:29,840 --> 00:36:32,519
the most vulnerable, valuable parts of
it, and you've got two weeks to

516
00:36:32,599 --> 00:36:36,199
do it, and you can't see
the source code, you're really going to

517
00:36:36,239 --> 00:36:38,639
struggle. So if you want to
get to the really juicy bits and get

518
00:36:38,679 --> 00:36:43,840
those bits that are really sensitive tested, it's really important to safely find a

519
00:36:43,920 --> 00:36:46,679
way to get them their access so
they can then dig in and then pull

520
00:36:46,760 --> 00:36:50,840
back and then go deeper on that
research. Not only that, but your

521
00:36:50,840 --> 00:36:54,280
average pen tester probably has enough knowledge
to go criminal if they really wanted to,

522
00:36:54,840 --> 00:36:59,320
but they've decided not to. They
decided to sell their talents to

523
00:36:59,400 --> 00:37:01,760
the powers of good, so you
should be able to trust them. How's

524
00:37:01,800 --> 00:37:06,960
that, good statement? Oh, I
can see the emails are coming in already.

525
00:37:07,559 --> 00:37:10,599
Absolutely, but yeah, don't waste
their time with the simple vulnerabilities.

526
00:37:10,679 --> 00:37:15,519
Knock all of those out. Do
the boring basics, right. You know,

527
00:37:15,239 --> 00:37:19,800
the brains are funny. We love
dopamine, and so we love focusing

528
00:37:19,840 --> 00:37:23,800
on the really novel challenges and the
new things, and so we intentionally or

529
00:37:24,119 --> 00:37:30,440
unconsciously avoid those boring basics that trip
us up every time. And if we

530
00:37:30,559 --> 00:37:34,239
can be conscious of that and we
can work on those, then it really

531
00:37:34,320 --> 00:37:37,440
does get us much further along our
security journey. I mean, it's kind

532
00:37:37,440 --> 00:37:39,599
of an embarrassment to be tipped over
by any of the OWASP Ten. Like

533
00:37:40,000 --> 00:37:45,440
these are known, they're well documented. I am not saying all of

534
00:37:45,440 --> 00:37:49,079
them are simple to fix, but
they're just like you can scan for these,

535
00:37:49,400 --> 00:37:52,079
you can look for you know,
you're doing the right things and this

536
00:37:52,159 --> 00:37:54,159
stuff and just at least get that
much done. And you were saying you're

537
00:37:54,159 --> 00:37:59,679
bored by SQL injection, but I
mean that still is very high on the

538
00:37:59,760 --> 00:38:02,280
list, number one, number two. Like, still. Well, even if

539
00:38:02,320 --> 00:38:07,199
you just look at it as a
puzzle. SQL injection actually is a really

540
00:38:07,320 --> 00:38:10,599
incredible puzzle when you start looking at
it from a playful perspective. So you

541
00:38:10,679 --> 00:38:14,760
know, at its simplest and you
start seeing, like, authentication bypass, you're kind

542
00:38:14,760 --> 00:38:19,320
of like, meh. But when you
start to understand that people are using SQL

543
00:38:19,440 --> 00:38:29,079
in really ugly disturbing ways to blindly
work through and around your database without knowledge

544
00:38:29,119 --> 00:38:32,239
of the schema, without any understanding
of the other components, and they're using

545
00:38:32,280 --> 00:38:37,559
it to extract data up to the
point where they're using either you know,

546
00:38:37,679 --> 00:38:42,480
the query speed to determine an answer, or they're pulling it out a single

547
00:38:42,679 --> 00:38:46,199
character at a time. That to
me is you know, there's a fascinating

548
00:38:46,320 --> 00:38:52,639
challenge there, and so if you
can appreciate the tech behind the challenge,

549
00:38:52,679 --> 00:38:57,280
it's not just, hey, or
one equals one, that's where we

550
00:38:57,360 --> 00:39:00,719
start. But like anything in engineering, it's much much bigger and it's as

551
00:39:00,840 --> 00:39:06,800
powerful as SQL is itself, and
SQL is ridiculously powerful. So yeah,

552
00:39:07,000 --> 00:39:09,559
if anyone at home's going, well, how do I learn to care about

553
00:39:09,599 --> 00:39:14,719
this more? Go deep on it. Go have a look at the really

554
00:39:15,000 --> 00:39:20,239
ridiculously dirty SQL that gets written in
the offensive space. It's not bad SQL,

555
00:39:20,239 --> 00:39:23,280
it's just SQL doing things that you
would never as a polite person try

556
00:39:23,320 --> 00:39:28,159
to do yourself, it seems to
me. So I do this security show,

557
00:39:28,400 --> 00:39:30,599
a podcast called Security This Week,
and I am not the expert.

558
00:39:30,639 --> 00:39:36,159
I'm the dumb guy asking questions.
But Dwayne Laflotte is one of the guys

559
00:39:36,239 --> 00:39:39,760
on there, and he is like
when I say, he could go rogue

560
00:39:39,920 --> 00:39:44,800
and make twice the money that he's
working. He definitely could be evil if

561
00:39:44,840 --> 00:39:50,920
he wanted to. But like I
think, like you, his reaction to

562
00:39:51,199 --> 00:39:54,480
an elegant hack is, you know, the more dangerous it is,

563
00:39:55,039 --> 00:40:02,760
oh, this is awesome. That's
like he appreciates the evil mind that went

564
00:40:02,840 --> 00:40:08,119
into creating this attack. You know, there is something about how folks in

565
00:40:08,159 --> 00:40:14,239
offensive security see the world and see
systems that is really interesting. You know,

566
00:40:14,440 --> 00:40:16,840
to be able to take a complex
system and you know, tilt your

567
00:40:16,880 --> 00:40:21,440
head in the right way and press
this convent and to even be able to

568
00:40:21,519 --> 00:40:27,239
think like that and to have that
process of exploration and play coupled with the

569
00:40:27,320 --> 00:40:32,199
technical ability to then pull that off
is really interesting. And well, you

570
00:40:32,280 --> 00:40:36,480
know, nine percent of what we
see out there is noisy automated junk.

571
00:40:37,079 --> 00:40:39,280
There are, in amongst that, the people
who are coming up with these new attacks

572
00:40:39,360 --> 00:40:45,440
and these new vulnerabilities who are really
very creative thinkers. And yeah, you

573
00:40:45,239 --> 00:40:47,519
as an engineer, you've got to
respect them. I think they put their

574
00:40:49,000 --> 00:40:51,920
they think they put their minds to
more meaningful work, right, I mean

575
00:40:51,960 --> 00:40:54,480
that my general experience with criminals is,
like, they're criminals, is they don't want to

576
00:40:54,519 --> 00:40:58,320
work that hard. Oh you you've
lived in small towns, haven't you.

577
00:41:01,599 --> 00:41:06,760
So I grew up in a small
town that was famous for two things: teenage

578
00:41:06,800 --> 00:41:10,800
pregnancy and car theft. That was
pretty much our claims to fame. But

579
00:41:12,000 --> 00:41:15,519
that was it. They literally the
cars. So they used to call it

580
00:41:15,639 --> 00:41:20,679
joining the family business. And you
know, you were either building a family

581
00:41:20,840 --> 00:41:24,960
or robbing cars. And what happens
is you started to understand crime in a

582
00:41:25,000 --> 00:41:30,559
way that you didn't even understand why
you were. You understood it. And I

583
00:41:30,639 --> 00:41:35,159
think as I've gotten older, yeah, there are some very common, very

584
00:41:35,199 --> 00:41:38,599
basic reasons that people commit crime,
but there are also some very interesting ones.

585
00:41:39,760 --> 00:41:44,840
There's a lot of psychology in there, and it's a really fascinating space

586
00:41:44,960 --> 00:41:47,559
and a lot of the vulnerability
researchers out there don't have a criminal bone

587
00:41:47,599 --> 00:41:51,920
in their body. That's you know, why they do what they do.

588
00:41:52,960 --> 00:42:00,559
But they're insatiably curious and they think
differently, and the way that they've channeled

589
00:42:00,559 --> 00:42:07,599
the energy is not it's not even
intentionally malicious. It's just that their perception

590
00:42:07,880 --> 00:42:14,000
of right and wrong doesn't match ours. It's a very interesting space, especially

591
00:42:14,119 --> 00:42:16,280
in electronic crime. Physical crime is
a little bit different. But in the

592
00:42:16,320 --> 00:42:22,199
electronic space, have you discovered any
zero days? Because I know that's

593
00:42:22,280 --> 00:42:27,239
the holy grail of like security.
Not in a good many years. I

594
00:42:27,400 --> 00:42:30,199
unfortunately used to work for the UK
government, so even whatever I discovered wasn't

595
00:42:30,239 --> 00:42:35,440
allowed to be put out there in
the world. My days of that are

596
00:42:35,480 --> 00:42:39,599
gone. Yeah. No, it's
and that's a whole other different aspect of

597
00:42:39,679 --> 00:42:44,639
the work too, right, it's
hunting well and you also think about the

598
00:42:45,119 --> 00:42:46,320
it's the cloud providers. It seems
to be at the front of this now

599
00:42:46,360 --> 00:42:52,119
because they have a super vested interest
there is a zero exploit that might affect

600
00:42:52,159 --> 00:42:55,119
the cloud and affect their customers.
That's bad for them, irrespective of how

601
00:42:55,159 --> 00:42:59,280
it is for their customers. So
you just have to look at Heroku from

602
00:43:00,000 --> 00:43:02,880
a couple of years ago. One
vulnerability in a platform as a service, now not

603
00:43:02,960 --> 00:43:07,039
one of the major ones now,
but you know, in its day was

604
00:43:07,400 --> 00:43:13,239
still got thirteen million customers, but
a compromise there affected thirteen million customers at

605
00:43:13,440 --> 00:43:20,719
least twenty thousand live applications, including
dial in, meeting systems, online doctors,

606
00:43:21,000 --> 00:43:24,840
and information health sharing. So you
know, if you're an attacker and

607
00:43:24,920 --> 00:43:29,199
you're being super cost effective, you
don't want to go and attack every single

608
00:43:29,280 --> 00:43:32,079
person individually. You're going to pick
these big shared components, whether it's a

609
00:43:32,239 --> 00:43:38,159
shared framework that everyone uses, WIDA
or CMS. That's why WordPress is

610
00:43:38,239 --> 00:43:42,199
you know, always got to target
on its back because it is so widely

611
00:43:42,320 --> 00:43:46,239
used, or the platform themselves.
You know, if you can compromise anything

612
00:43:46,320 --> 00:43:52,559
in AWS's environment, it would be
you know, Christmas a million times over

613
00:43:52,760 --> 00:43:59,079
sure for an attacker, it's a
concentration of wealth essentially of all of resources

614
00:43:59,159 --> 00:44:02,119
being spent. Well, I remember Meltdown
and Spectre and going, oh man, the

615
00:44:02,159 --> 00:44:06,480
cloud people are going to freak out. Not that there was ever a successful

616
00:44:06,519 --> 00:44:10,159
exploit against this, but just the
prospect that you might be able to see

617
00:44:10,880 --> 00:44:15,639
data from a different tenant because it
happened to be running on the same machine.

618
00:44:15,840 --> 00:44:20,039
You know, for a tech guy
like me who's deep into the hardware,

619
00:44:20,079 --> 00:44:23,119
I'm like, I love this and
the fix for it is hard, like it

620
00:44:23,400 --> 00:44:29,440
genuinely, they knocked down ten percent
of the performance of processors to box that

621
00:44:29,559 --> 00:44:32,440
in. But I think about a
guy like Scott Guthrie at the head of

622
00:44:32,719 --> 00:44:37,400
Azure, like this is the stuff
that keeps him awake at night.

623
00:44:37,199 --> 00:44:40,920
Absolutely. Yeah, Yeah, there's
a lot of security vulnerabilities a company

624
00:44:40,960 --> 00:44:44,639
can come back from. And in
fact, you start looking if you look

625
00:44:44,639 --> 00:44:47,440
at companies that have big security breaches
and look at their share price, you'll

626
00:44:47,440 --> 00:44:50,800
see a blip, but you will
actually see it go up after you know,

627
00:44:51,079 --> 00:44:53,280
and there is a real problem.
There seem to be no consequences to

628
00:44:53,320 --> 00:44:59,280
getting exploited. Oh like but surely
nothing. Look, Ashley Madison is still in business.

629
00:44:59,480 --> 00:45:02,360
They get exploited, they prove that
their business is a lie, and

630
00:45:02,480 --> 00:45:08,400
they're still in business. I have
no comment as an American, no comment.

631
00:45:10,400 --> 00:45:14,519
Ah, did you see that vulnerability? I think it was last year

632
00:45:14,599 --> 00:45:21,000
or something, and it was in
memory chips where hackers found that they could

633
00:45:21,320 --> 00:45:24,000
by just hitting a certain memory register
over and over and over again. They

634
00:45:24,119 --> 00:45:30,519
raise the heat so much in that
register that it actually sets the bit next

635
00:45:30,639 --> 00:45:35,119
to it, flips it from zero
to one or one to zero. And

636
00:45:35,239 --> 00:45:39,039
that bit is an important bit in
you know, like allowing access or something

637
00:45:39,159 --> 00:45:45,039
like that. It was just unbelievable. How does anybody protect themselves against that

638
00:45:45,199 --> 00:45:49,719
kind of thing. It's mind blowing. It's mind blowing, it really is.

639
00:45:51,119 --> 00:45:52,280
But the thing is we need to
remember, again, going back to

640
00:45:52,360 --> 00:45:57,079
that dopamine part of our brain,
we can be fascinated by those big edge

641
00:45:57,119 --> 00:46:00,239
case ones, but it's highly unlikely
they are going to be the type

642
00:46:00,239 --> 00:46:05,320
of things we would do. Sure, we have to hold on to them.

643
00:46:05,599 --> 00:46:08,320
I want to provide at Doom and
Gloom here because this is entirely too

644
00:46:08,400 --> 00:46:13,280
happy here. It makes me feel
at home. You know you've welcomed me

645
00:46:13,440 --> 00:46:16,519
in true security fashion. Yes,
Next, can we talk audit frameworks because

646
00:46:16,679 --> 00:46:22,840
they're not we're friends. You know, we don't have enough existential dread on

647
00:46:22,920 --> 00:46:29,079
this show. Let's talk about it. Frameworks, fabulous. I mean, the

648
00:46:30,000 --> 00:46:35,599
employer, the leadership ask us this
question. Are we secure? They asked

649
00:46:35,639 --> 00:46:38,880
that question? And how do you
not just lie to them? Because there's

650
00:46:38,920 --> 00:46:44,440
no way to know, to the
best of our knowledge. We crave certainty,

651
00:46:45,400 --> 00:46:50,559
We crave concrete answers, not just
in security and everything really, and

652
00:46:51,159 --> 00:46:53,280
this is one of those areas that
we can't. There isn't one. The best

653
00:46:53,360 --> 00:46:57,800
I was able to do as an
IT manager talking to leadership was like,

654
00:46:57,880 --> 00:47:00,360
listen, I think we're at a
place now where it's like we have a

655
00:47:00,519 --> 00:47:04,159
club on our steering wheel. It's
not that they can't steal the car if

656
00:47:04,159 --> 00:47:06,880
they really want the car, it's
that our car is now a pain in

657
00:47:06,920 --> 00:47:09,320
the butt to steal, and so
maybe they'll steal something else, Like we're

658
00:47:09,679 --> 00:47:15,360
we're gonna be okay with drive-bys
because we've done the fundamentals. But if

659
00:47:15,400 --> 00:47:20,159
someone is genuinely targeting you, there's
not that much you can do. Like

660
00:47:20,320 --> 00:47:24,599
it's very, very hard. Forget about the
car, steal the beaver treadmill. There

661
00:47:24,639 --> 00:47:28,480
you go. I think we went
with Otters on that. Actually did we

662
00:47:28,559 --> 00:47:30,480
go with Otters? Yeah? Oh
you did? You did. I'm trying

663
00:47:30,480 --> 00:47:36,880
to let me tell you. I
think they're around little buggers, destructive little

664
00:47:36,920 --> 00:47:39,880
buggers. So Laura, tell us
a bit about SafeStack, because this

665
00:47:40,039 --> 00:47:45,639
seems to be something important to you. Yeah, absolutely. So SafeStack

666
00:47:45,800 --> 00:47:50,400
is my company. We're just
thirteen people, so like you know,

667
00:47:50,639 --> 00:47:55,280
company in that scale, not in
like global enterprises, and we call

668
00:47:55,320 --> 00:48:00,760
it for profit, but with massive
purpose. So we are on a mission

669
00:48:00,880 --> 00:48:05,719
to try and give everyone in development
the skills that they need to build secure

670
00:48:05,800 --> 00:48:08,280
software. So whether you're a product
person or UX person, developer, a

671
00:48:08,400 --> 00:48:14,199
tester, analyst, architect, everyone
has something to do and so we intentionally

672
00:48:14,239 --> 00:48:16,280
build a platform so you can learn
things and there's a free plan, like

673
00:48:16,360 --> 00:48:20,440
no strings, no credit cards.
You can go check it out and then

674
00:48:20,519 --> 00:48:24,079
we reinvest a part of the revenue
from that. So when you know,

675
00:48:24,159 --> 00:48:28,719
big banks and things, come and
work with us and we offer a few

676
00:48:28,880 --> 00:48:30,840
cool things. So we have our
free plan, we have parity pricing around

677
00:48:30,840 --> 00:48:37,400
the world. We also give free
training to every single computer science student

678
00:48:37,440 --> 00:48:44,079
in New Zealand and Australia. So
we're trying to use a business to grow

679
00:48:44,159 --> 00:48:50,719
a foundation of people with the skills
needed to kind of naturally do security as

680
00:48:50,760 --> 00:48:53,840
part of building software. We love
that there's a whole community of specialists who

681
00:48:53,960 --> 00:48:58,760
are in AppSec and things, but
the future for us is about everyone doing

682
00:48:58,760 --> 00:49:00,880
a little bit. So that's what
we do. So yeah, it's a

683
00:49:00,880 --> 00:49:04,639
lot of fun. Well in some
ways, better use those specialists' time so

684
00:49:04,679 --> 00:49:07,440
they're not working on the fundamentals either. We're all working on the fundamentals and

685
00:49:07,480 --> 00:49:12,119
they can work on those edgier cases. Exactly, Yeah, exactly that.

686
00:49:12,599 --> 00:49:15,760
So education just get people more eligible
about doing the right things. Yeah.

687
00:49:16,199 --> 00:49:22,639
So we have courses and qualifications and
hands on labs. We have playbooks and

688
00:49:22,760 --> 00:49:24,639
templates, so for anything we're doing, you should be able to go from

689
00:49:24,960 --> 00:49:28,280
I now know about the thing, to I can do a thing. And

690
00:49:28,400 --> 00:49:31,920
we also have a community where you
can come together with other people and ask

691
00:49:32,039 --> 00:49:36,159
anonymous questions and say, hey,
this is hard, I'm struggling with this.

692
00:49:36,639 --> 00:49:38,480
What have you done? So instead
of you know, just going to

693
00:49:38,760 --> 00:49:42,800
the internet and going hey, here's
all of my vulnerabilities and laundry, please

694
00:49:42,840 --> 00:49:45,880
help me, there are some intentionally
built spaces for you to get some help

695
00:49:45,920 --> 00:49:52,000
and support. And we're now working
with about seventeen thousand engineers from eighty nine

696
00:49:52,039 --> 00:49:55,239
countries, so there's quite a breadth
of experience in there. Everyone from teeny

697
00:49:55,320 --> 00:49:59,719
tiny two person nonprofits all the way
up to big banks and airlines, so

698
00:50:00,159 --> 00:50:04,039
you've got really everyone at every stage
of that maturity cycle. Awesome. Have

699
00:50:04,199 --> 00:50:07,679
you ever seen Hack the Box,
Hack the Box dot com? Yeah,

700
00:50:07,679 --> 00:50:10,760
I'm sure you have, because who
doesn't know about it. But in the

701
00:50:10,840 --> 00:50:14,800
security space, it's a place where
you can come together and try to break

702
00:50:14,880 --> 00:50:19,440
into a machine. Yeah, and
that's a really good exercise to do.

703
00:50:19,599 --> 00:50:22,400
And maybe you do that in your
training classes too, I don't know.

704
00:50:22,920 --> 00:50:27,639
Yeah. So we've got an intentionally
vulnerable crypto exchange that we built as part

705
00:50:27,679 --> 00:50:30,039
of ours, so you can play
around and find the vulnerabilities in that.

706
00:50:30,920 --> 00:50:34,159
But there are some wonderful platforms even
outside of our own, so Hack the

707
00:50:34,199 --> 00:50:37,239
Box is one, but even in the
free space, if you're listening and you

708
00:50:37,320 --> 00:50:40,400
want to just get started and play
around and hack something. OWASP have a

709
00:50:40,480 --> 00:50:45,480
project called Juice Shop, which is
a node application, but it's a Docker

710
00:50:45,559 --> 00:50:49,440
container. You can just download it
and off you go, and it's a

711
00:50:49,480 --> 00:50:52,480
little Juice Shop, as it says
on the label, and you can find

712
00:50:52,480 --> 00:50:54,760
the vulnerabilities, you can play and
you can hack those. So there's lots

713
00:50:54,800 --> 00:51:00,639
of really fun and free in many
respects places you can go to explore and

714
00:51:00,719 --> 00:51:06,519
play. And I can't understate how
important it is that when you're learning security,

715
00:51:06,920 --> 00:51:09,679
you don't approach it from a true
academic I want to learn everything about

716
00:51:09,679 --> 00:51:14,639
cryptography way, but that you engage
that bit of your brain that you did

717
00:51:14,719 --> 00:51:16,719
when you were a kid, that
bit of your brain that would look at

718
00:51:16,760 --> 00:51:21,400
something and go what if, and
that would be creative and would ignore the

719
00:51:21,519 --> 00:51:23,920
rules. As engineers, we build
the rules, we follow them very well,

720
00:51:24,760 --> 00:51:28,280
and one of the best things you
can learn is to just when to

721
00:51:28,440 --> 00:51:32,639
just soften those up a bit and
just explore. Yeah, very good. What's next

722
00:51:32,679 --> 00:51:37,639
for you, Laura, what's in
your inbox? What's next? Well,

723
00:51:37,719 --> 00:51:42,440
I'm going to speak at a few
wonderful conferences, so you can come say

724
00:51:42,519 --> 00:51:45,679
hi to me at any of the
YOW conferences in Australia later in the year.

725
00:51:45,280 --> 00:51:51,239
And I'm also hosting the security track
at QCon in London next year,

726
00:51:51,400 --> 00:51:57,360
so we'll have a whole curated day
of security awesomeness. Podcast-wise, we've got

727
00:51:57,400 --> 00:52:00,440
lots of wonderful people coming on and
collecting stories, so you can check us out

728
00:52:00,519 --> 00:52:05,280
at Build Amazing Things Securely. We're a
much smaller podcast than this one. These

729
00:52:05,320 --> 00:52:08,440
are like professionals. We're kind of
mostly making it up. I don't know

730
00:52:08,480 --> 00:52:14,719
about that, but for a long
time, we made a career making it

731
00:52:14,880 --> 00:52:19,639
up, and next year we're hoping
to find ways for you know, all

732
00:52:19,679 --> 00:52:22,199
those smaller companies out there. So
if you work for a giant organization,

733
00:52:22,280 --> 00:52:23,440
this probably isn't for you, but if
you're one of those, you know,

734
00:52:24,199 --> 00:52:29,920
between fifty engineers and two hundred engineers
smaller size, we're going to be releasing

735
00:52:29,920 --> 00:52:34,840
a whole bunch of free resources and
guides for how to build an AppSec program

736
00:52:35,199 --> 00:52:38,760
when you don't have any specialists or
huge budgets and fancy things. So what's

737
00:52:38,800 --> 00:52:43,639
of space, Lots of giving out
in the community, a lot of talking

738
00:52:43,800 --> 00:52:46,440
to folks, and if anyone ever
wants to come and chat AppSec,

739
00:52:49,559 --> 00:52:53,519
I'm irritatingly easy to find and you
can come and have a chat. I'd

740
00:52:53,519 --> 00:52:58,360
always love to learn what you're up
to. Fantastic Laura, this has been

741
00:52:58,440 --> 00:53:00,519
amazing. Thank you very much for
being on the show. Thank you,

742
00:53:00,960 --> 00:53:04,480
thanks for having me. All right,
and we'll talk to you next time.

743
00:53:04,840 --> 00:53:30,480
I'm dot net Rocks. Dot net
Rocks is brought to you by Franklin's Net

744
00:53:30,760 --> 00:53:35,599
and produced by Pop Studios, a
full service audio, video and post production

745
00:53:35,760 --> 00:53:39,360
facility located physically in New London,
Connecticut, and of course in the cloud

746
00:53:40,000 --> 00:53:45,960
online at pwop dot com. Visit
our website at D O T N E

747
00:53:45,119 --> 00:53:50,960
T R O C K S dot
com for RSS feeds, downloads, mobile

748
00:53:51,000 --> 00:53:54,199
apps, comments, and access to
the full archives going back to show number

749
00:53:54,280 --> 00:53:59,480
one, recorded in September two thousand
and two. And make sure you check

750
00:53:59,519 --> 00:54:01,880
out our sponsors. They keep
us in business. Now, go write

751
00:54:01,920 --> 00:54:10,280
some code. See you next time.
