WEBVTT

1
00:00:01.080 --> 00:00:05.679
How'd you like to listen to .NET
Rocks with no ads? Easy. Become

2
00:00:05.679 --> 00:00:09.839
a patron for just five dollars a
month. You get access to a private

3
00:00:10.000 --> 00:00:14.240
RSS feed where all the shows have
no ads. Twenty dollars a month,

4
00:00:14.279 --> 00:00:18.640
we'll get you that and a special
.NET Rocks patron mug. Sign up

5
00:00:18.679 --> 00:00:36.039
now at patreon.dotnetrocks.com.
Hey, welcome back to .NET

6
00:00:36.119 --> 00:00:39.920
Rocks. I'm Carl Franklin and I'm
Richard Campbell doing the thing that we do.

7
00:00:40.240 --> 00:00:44.240
Yeah, Laura Bell Main is here. We're
gonna be talking to her about some

8
00:00:44.280 --> 00:00:48.320
really cool security stuff. But first, how are you doing, my friend?

9
00:00:48.399 --> 00:00:51.119
How's the new digs here? That's
good to be up on the coast,

10
00:00:51.200 --> 00:00:54.439
you know, living by the ocean's
always therapeutic. Could graduate sort of

11
00:00:54.439 --> 00:00:56.439
stuff out, you know, and
he got it. But it's far enough

12
00:00:56.479 --> 00:00:59.920
away, you know, it's about
three hours from the city. New doctor,

13
00:01:00.520 --> 00:01:04.159
new dentists, like new pharmacists,
like you have to sort of figure

14
00:01:04.200 --> 00:01:10.519
all this stuff out. So getting
recommendations from friends and bit by bit so

15
00:01:10.719 --> 00:01:12.319
funny life now it's sort of like, can you go a week without going

16
00:01:12.359 --> 00:01:15.200
to the city, Can you go
two weeks? Going to the city like,

17
00:01:15.280 --> 00:01:19.799
that's kind of the thing. So
you're stacking up firewood, that's what

18
00:01:19.879 --> 00:01:23.480
you're selling me. Well, that's
winter, and you know, the power

19
00:01:23.560 --> 00:01:26.840
lines and the internet come
up on one set of power poles on

20
00:01:26.879 --> 00:01:33.079
that highway and there are trees.
So do you have a wood powered generator?

21
00:01:33.239 --> 00:01:34.560
Is that how it works up there
in the country? No, no,

22
00:01:34.560 --> 00:01:37.560
no. We just got a potbelly
stove, which is a good

23
00:01:37.599 --> 00:01:41.159
thing. And I got a bunch
of UPSes and I have Starlink so I

24
00:01:41.159 --> 00:01:45.239
can stay online for a little while. We'll see how much UPS, she

25
00:01:45.359 --> 00:01:48.159
who must be obeyed, allows me
to have. You know, you might

26
00:01:48.159 --> 00:01:53.519
be able to invent a beaver treadmill
that might provide some... This is more otter

27
00:01:53.560 --> 00:01:57.560
country than beaver. You know,
we'll work on it. I can feed.

28
00:01:57.599 --> 00:02:00.760
The moose is the right thing.
Get the moose on the treadmill.

29
00:02:00.959 --> 00:02:04.359
We had elk in the driveway.
Well, listen, I'm not black bears.

30
00:02:04.359 --> 00:02:07.239
Don't bother me. You know this, right with black bears all my

31
00:02:07.280 --> 00:02:09.319
life. It's not a big deal. Their coat, but elk are a problem.

32
00:02:09.520 --> 00:02:14.199
They're very large. They're also tasty, yeah, you know, especially

33
00:02:14.240 --> 00:02:16.599
when you mix the meat with like
you know, pork fat. Yeah,

34
00:02:16.639 --> 00:02:21.680
well there was a dozen standing in
the driveways we're coming in and where we

35
00:02:21.759 --> 00:02:23.120
want to put the truck, you
know, like sort of look at her

36
00:02:23.120 --> 00:02:25.039
and go, you know, we
could go to the pub, and she's

37
00:02:25.039 --> 00:02:28.039
like, yeah, let's go to
the pub. We just back back out

38
00:02:28.039 --> 00:02:30.319
our driveway to the pub for a
couple hours. They were gone when we

39
00:02:30.400 --> 00:02:34.080
got back. Laura's looking at us
like she's on the wrong podcast. I'm

40
00:02:34.120 --> 00:02:37.439
loving this. I live in New
Zealand and so we don't have elks.

41
00:02:37.520 --> 00:02:42.400
We have like mammals in New Zealand, we have one. We have a

42
00:02:42.479 --> 00:02:46.840
bat and it's teeny tiny and endangered, and none of our birds fly because

43
00:02:46.879 --> 00:02:50.319
we have no mammals and predators.
So you know, yeah, we're not

44
00:02:50.360 --> 00:02:52.400
good at this. So I listened
to this and I'm like, yeah,

45
00:02:52.439 --> 00:02:55.280
we can get beavers and otters and
make electricity and then go to the pub.

46
00:02:55.560 --> 00:03:00.120
All of this is great. Yeah
you have sheep though they're tasty.

47
00:03:00.159 --> 00:03:02.159
We yeah, we have more sheep
than people and more than sheep, so

48
00:03:02.479 --> 00:03:08.400
yeah, not by a little either. It's like it's a lot. All

49
00:03:08.520 --> 00:03:13.840
right, so another bonus chit chat. Let's get started with Better Know a Framework

50
00:03:13.840 --> 00:03:23.680
we're all the crazy music. Okay, all right, man? What do

51
00:03:23.680 --> 00:03:25.719
you got? Uh? What I
got is an article that I found on

52
00:03:25.800 --> 00:03:34.120
LinkedIn, uh, and it's Don't Bet
Against the Cloud, oh, by Kendall

53
00:03:34.199 --> 00:03:37.319
Miller. I know Kendall, do
you? Yeah? Well anyway, So

54
00:03:37.680 --> 00:03:43.719
basically, the article discusses why there's
this this swing back towards self hosting after

55
00:03:43.879 --> 00:03:49.919
years of you know, people businesses
increasingly relying on cloud services. And even

56
00:03:49.919 --> 00:03:54.520
though some companies like Amazon Prime
Video and 37signals have cut costs

57
00:03:54.560 --> 00:04:00.000
by moving away from cloud service providers
(CSPs), there's still a strong case,

58
00:04:00.319 --> 00:04:03.439
so he says, for sticking with cloud
solutions, and he's right, sure,

59
00:04:03.520 --> 00:04:08.240
yeah, yeah. These cloud services
like you know, Amazon, Google and

60
00:04:08.280 --> 00:04:14.599
Microsoft Azure offer flexibility, which is
a game changer for businesses. And you

61
00:04:14.639 --> 00:04:18.040
know, you read this and it
seems like common sense. But why is

62
00:04:18.120 --> 00:04:21.360
this, you know, why are
people moving away and saying no, we're

63
00:04:21.360 --> 00:04:26.079
going to do it ourselves. Why
why the sudden change? And it's not

64
00:04:26.120 --> 00:04:28.720
sudden, it's a gradual change.
It's a gradual I think it's a right

65
00:04:28.759 --> 00:04:32.279
sizing. It's certainly been a topic
on RunAs, is figuring out what payloads

66
00:04:32.319 --> 00:04:34.839
make sense to the cloud. We
don't. Let's face it, if you're

67
00:04:34.879 --> 00:04:40.399
37signals, you're already running
a twenty four hour a day NOC, right?

68
00:04:40.480 --> 00:04:44.000
Like, you already have the infrastructure. So do you want to monitor

69
00:04:44.040 --> 00:04:46.000
somebody else's machines that you pay for
by the hour, or do you want

70
00:04:46.000 --> 00:04:49.399
to monitor your own? Like that's
sort of a balancing act. You can

71
00:04:49.399 --> 00:04:53.720
get into that. Do you think
it has anything to do with trust?

72
00:04:53.879 --> 00:04:57.480
Like, are people losing trust in
the clouds? Because they're rock solid.

73
00:04:57.680 --> 00:05:01.079
Yeah, they're much more reliable than
any home run implementation. Again,

74
00:05:01.439 --> 00:05:08.000
but if you're committed to three shifts
of sysadmins working around the clock to

75
00:05:08.079 --> 00:05:11.040
keep things up, so you're already
paying for an awful lot of infrastructure,

76
00:05:11.560 --> 00:05:15.199
you know, the numbers start to
make sense. That AWS story about moving

77
00:05:15.319 --> 00:05:19.920
off of serverless onto VMs is an
interesting one because that's also a story about

78
00:05:20.079 --> 00:05:25.879
right sizing what they... You know,
what's great about serverless is that it costs

79
00:05:25.879 --> 00:05:29.439
you nothing when nothing's happening. But
what if you have a service that has

80
00:05:29.680 --> 00:05:32.120
tens of thousands of instances all of
the time, Like, why are you

81
00:05:32.279 --> 00:05:36.800
paying for that efficiency when you don't
need it, you might as well.

82
00:05:36.839 --> 00:05:41.040
You could easily run VMs that are
under full load all of the time and

83
00:05:41.079 --> 00:05:44.639
you'd get state for free. Well
in a bunch of architectural differences. Like

84
00:05:44.759 --> 00:05:48.439
I think it's just this statement in
Kendall's whole story, and I read it

85
00:05:48.639 --> 00:05:55.279
a while ago. It speaks to
the maturation of an industry that we're getting

86
00:05:55.319 --> 00:06:00.639
to a place where there is a
debate of on-prem, in-cloud, hybrid.

87
00:06:01.160 --> 00:06:04.000
You know, what are the commits, what's the reliability? Like, there's

88
00:06:04.000 --> 00:06:08.040
a bunch, there's a mixture there. There is no one right solution.

89
00:06:08.959 --> 00:06:12.079
I think if I, if I
could just add something, I think there's

90
00:06:12.160 --> 00:06:15.879
a little bit of a thing that
we overlook when we look at the diversity

91
00:06:15.920 --> 00:06:20.560
of companies using those platforms. You
know, if you go and you you

92
00:06:20.600 --> 00:06:24.199
know you're a midsize company, you
go and you're like, right, we're

93
00:06:24.240 --> 00:06:28.399
going to go AWS, great,
wonderful. You go stand at that configuration

94
00:06:28.439 --> 00:06:30.879
page, that initial page, and
choose the services you need, and it

95
00:06:30.959 --> 00:06:33.519
is like standing at one of those
restaurants that's got like one hundred items on

96
00:06:33.560 --> 00:06:38.399
the menu. There is something for
everyone, but somehow you still leave slightly

97
00:06:38.480 --> 00:06:42.519
hungry and confused, and so a
lot of folks, you know, very

98
00:06:42.680 --> 00:06:46.399
quickly adopted, Oh well, these
people over here were using serverless, let's

99
00:06:46.399 --> 00:06:49.199
go do that, and went all
in and they went and they try this,

100
00:06:49.319 --> 00:06:55.839
And it's really easy to blow up
your budget and to not have the

101
00:06:55.879 --> 00:07:00.120
best performance in scaling because you haven't
quite grasped the you know, the complexity

102
00:07:00.160 --> 00:07:04.560
of using all of those parts together. And outside of our large organizations who

103
00:07:04.600 --> 00:07:10.120
have the expertise to really like rein
that in, I can understand the temptation

104
00:07:10.199 --> 00:07:15.959
if that's got carried away to go
back to something simpler. I think it

105
00:07:15.000 --> 00:07:19.360
would be really good as we enter
this next stage of maturation in the CSPs,

106
00:07:20.079 --> 00:07:24.920
for them to actually simplify a little. There's an entire group of audiences

107
00:07:24.959 --> 00:07:30.240
who don't need ninety options. They
need four and them to be really easy

108
00:07:30.240 --> 00:07:33.360
to navigate and to work with.
Yeah, exactly, it's great that we

109
00:07:33.399 --> 00:07:36.759
can do anything we want, but
like when we build software, should we

110
00:07:36.839 --> 00:07:42.240
really be doing all of that craziness. Actually, some design patterns work and

111
00:07:42.279 --> 00:07:46.879
we can just use those really easily. And it's just because you can I

112
00:07:46.920 --> 00:07:49.560
sound like my mum, I've reached
that stage. You know. It's funny

113
00:07:49.600 --> 00:07:54.160
that we've had these conversations, like
with Layla Porter talking about the sort of

114
00:07:54.199 --> 00:08:00.879
right sizing of the monolith versus the
micro services. Right, It's like,

115
00:08:00.879 --> 00:08:01.959
hey, microservices makes a lot of
sense. When we have a team of

116
00:08:01.959 --> 00:08:05.839
one hundred and you have a team
of three, it seems like overkill.

117
00:08:07.759 --> 00:08:09.519
So you know, I think the
same thing happens inside of the cloud.

118
00:08:09.600 --> 00:08:15.519
It's like they're effective strategies. But
and I do as I'm close to this

119
00:08:15.560 --> 00:08:18.079
stuff because I'm talking all these experts
all the times on the shows. You

120
00:08:18.120 --> 00:08:24.120
can see them starting to consolidate one
set of access policies that apply to all

121
00:08:24.199 --> 00:08:26.279
products like that. It's but we're
in the early days, so they are

122
00:08:26.360 --> 00:08:31.759
right sizing too. I've never had
such a discussion from a Better Know a Framework

123
00:08:31.799 --> 00:08:37.519
before. Mm. This is great,
it's good, but it's but one topic

124
00:08:37.639 --> 00:08:39.440
that we're going to talk about today. And Richard's going to bring up another

125
00:08:39.480 --> 00:08:43.000
one from a comment. Who's talking to
us, Richard? Grabbed a comment from show eighteen

126
00:08:43.120 --> 00:08:48.559
twenty seven, the one we did
early in twenty twenty three with Tanya Janka.

127
00:08:48.559 --> 00:08:52.399
I entitled the show because it was
the name of a book, Alice

128
00:08:52.440 --> 00:08:58.039
and Bob Learn Application Security. Yeah, great book. Tanya is a howl

129
00:08:58.240 --> 00:09:01.519
and a local to us, for
me anyway, near in Victoria, just across

130
00:09:01.519 --> 00:09:05.480
on the island that I'm staring at
from here. And our friend Hilton Giesenow,

131
00:09:05.519 --> 00:09:09.799
now out of South Africa, who's
been on the show before as well.

132
00:09:09.679 --> 00:09:13.440
At this point he said, Hey, Richard, question in the show about

133
00:09:13.440 --> 00:09:16.120
what to do about having your multi
factor accounts only on a single device, a

134
00:09:16.159 --> 00:09:22.240
smartphone which travels with you and can
get lost or stolen, and I talked

135
00:09:22.279 --> 00:09:26.159
about how complicated the backups and recovery
strategies were for those things, like that's

136
00:09:26.159 --> 00:09:30.200
a challenge for most people to do
right. He goes on to say a

137
00:09:30.200 --> 00:09:33.519
simple solution is to have a second
device like a tablet or a cheap older

138
00:09:33.600 --> 00:09:37.879
phone or even a watch, with
a backup of all those accounts. Both

139
00:09:37.919 --> 00:09:43.200
Google and Microsoft Authenticator have the ability to
export and import across devices. I've never

140
00:09:43.240 --> 00:09:46.519
tried this, but it might even
be useful to use that to backup accounts

141
00:09:46.519 --> 00:09:50.080
for others. Then, and you
know, I'm trying to push you,

142
00:09:50.120 --> 00:09:52.519
who must be obeyed, into starting
to use Authenticator, So maybe this is

143
00:09:52.559 --> 00:09:54.039
something I got to put in front
of her. It's like, look,

144
00:09:54.080 --> 00:09:58.240
don't worry, we'll have a backup
sitting on your tablet, so if that

145
00:09:58.399 --> 00:10:01.120
happens to your phone, you're going to
be okay. I can actually make a

146
00:10:01.120 --> 00:10:05.399
suggestion here because I have a five
year old and eleven year old, which

147
00:10:05.440 --> 00:10:09.519
means that my resilience policies have to
be really good. My devices do not

148
00:10:09.720 --> 00:10:13.799
last long, and I learned this
the hard way when my five year old

149
00:10:13.799 --> 00:10:18.039
decided to play the game Does it
swim? Yeah? I don't need to

150
00:10:18.039 --> 00:10:24.240
elaborate on what happened. Now,
anyhow, a wet device doesn't do well at multi

151
00:10:24.279 --> 00:10:28.039
factor authentication. Now I'm not commercially
involved with it, but I use an

152
00:10:28.039 --> 00:10:35.159
app called Authy for my non critical
work account. Now that automatically will allow

153
00:10:35.200 --> 00:10:41.519
you to move all of your authenticators
between devices, So instead of me having

154
00:10:41.559 --> 00:10:45.919
to migrate before the bad thing,
I can actually pull that down onto a

155
00:10:46.039 --> 00:10:48.399
new device. Now, yes,
there's risks in here. I'm a security

156
00:10:48.440 --> 00:10:54.320
person. I literally do risks all day. Get somewhere. Yeah, but you

157
00:10:54.360 --> 00:11:00.240
know from the review I've done,
you know the risk versus me losing this

158
00:11:00.440 --> 00:11:03.960
entirely, or me managing secure backup codes
somewhere, like there was going to be something

159
00:11:05.000 --> 00:11:09.399
somewhere sure, And I think for
especially if these are your non critical accounts.

160
00:11:09.440 --> 00:11:13.240
So I'm not saying put your you
know, your CSP root account passwords

161
00:11:13.240 --> 00:11:16.320
in this thing. But you know, if it's you know, someone significant

162
00:11:16.360 --> 00:11:20.039
in your life and they're looking for
a little bit of resilience, that could

163
00:11:20.080 --> 00:11:22.120
be a really good solution. Yeah. No, I think it's a great

164
00:11:22.159 --> 00:11:26.600
idea. And that's Twilio that makes
Authy; they're friends of the show also,

165
00:11:26.679 --> 00:11:33.039
absolutely nothing bad to say about that. It's a good product, and Hilton

166
00:11:33.200 --> 00:11:35.919
goodness knows you've got a copy of
Music to Code By already. But thanks so much

167
00:11:35.919 --> 00:11:37.039
for your awesome comment. I
hope you and your family are well.

168
00:11:37.120 --> 00:11:39.279
And if you'd like a copy of
Music to Code By, write a comment

169
00:11:39.320 --> 00:11:41.960
on the website at dotnetrocks.com
or on the Facebooks. We

170
00:11:41.960 --> 00:11:45.200
publish every show there, and if
you comment there and we read it on the show,

171
00:11:45.240 --> 00:11:48.519
we'll send you a copy of Music to Code By. Yeah. And another way that

172
00:11:48.600 --> 00:11:50.919
you can get a copy of Music
to Code By is sending us a tweet

173
00:11:50.960 --> 00:11:56.720
from X or a toot from Mastodon. I'm at Carl Franklin at techhub

174
00:11:56.759 --> 00:12:03.080
dot social, and I'm Rich Campbell
at Mastodon dot com social. Oh okay,

175
00:12:03.159 --> 00:12:05.919
honest, really, it's been forever
show that you've mentioned it. I

176
00:12:05.120 --> 00:12:09.919
just I don't know. I'm having
a now your question. I'm now having

177
00:12:09.519 --> 00:12:13.440
questioning myself. You're having a moment. I'm having a moment. So it

178
00:12:13.519 --> 00:12:16.399
must be the haircut. I think
it's it must be all right. Well,

179
00:12:16.480 --> 00:12:20.480
let's introduce our guest today, who
we've already heard from. Laura Bell

180
00:12:20.559 --> 00:12:26.759
Main is a global secure development leader, a best selling author and speaker,

181
00:12:26.320 --> 00:12:33.240
helping software development leaders worldwide engage their
entire team in building secure software. And officially,

182
00:12:33.799 --> 00:12:37.480
welcome to the .NET Rocks show, Laura. Thank you so much for

183
00:12:37.519 --> 00:12:41.559
having me. Apologies for jumping into
your conversations. This is a really fun

184
00:12:41.600 --> 00:12:45.960
podcast. You made it better by
jumping in. We're never going to

185
00:12:45.960 --> 00:12:48.159
complain when smart people jump in.
Talking about smart things makes me happy every

186
00:12:48.200 --> 00:12:52.879
time. Absolutely. Yeah, and a Kiwi
to boot. I was born in New

187
00:12:52.000 --> 00:12:56.600
Zealand, although I sound like an
American and I live in Canada. Where

188
00:12:56.600 --> 00:13:01.080
were you born? Wow. Okay, family farms. Family farms on Ohauiti

189
00:13:01.200 --> 00:13:05.720
Road. Wow. For those who
don't know New Zealand at all, we're

190
00:13:05.759 --> 00:13:07.240
a tiny island. And that's a
tiny place on a tiny island, like

191
00:13:09.360 --> 00:13:13.000
very, very specific. Hills and cows and
sheep. So I brought Carl to the

192
00:13:13.080 --> 00:13:16.279
to the farm once and when we
got it, we got into the rental

193
00:13:16.320 --> 00:13:18.519
car and it was a Holden Commodore. Of course. Uh. At the

194
00:13:18.600 --> 00:13:22.919
at the airport, I said,
listen, over the next couple of hours

195
00:13:22.960 --> 00:13:24.840
while I'm driving, you're gonna see
me randomly turn on the windshield wipers.

196
00:13:26.679 --> 00:13:30.279
That's because they switched the position of
the windshield wipers and the turn signals,

197
00:13:30.320 --> 00:13:33.200
and I keep screwing them up.
So when you're wondering, why does Richard

198
00:13:33.240 --> 00:13:39.960
keep hitting the turn signals for
no reason. That's why. It was a

199
00:13:39.000 --> 00:13:45.559
delightful trip though. And your your
aunts were amazing. Yeah, great,

200
00:13:45.600 --> 00:13:48.600
they're great people. And they and
they the Knee family, which is my

201
00:13:48.720 --> 00:13:54.679
eldest aunt married into this family that
who's the grandfather was a homesteader. He's

202
00:13:54.759 --> 00:13:58.440
original Ohauiti settler. There's literally roads
named after, you know, the road

203
00:13:58.440 --> 00:14:03.720
at the bottom of his farm is
Knee Road, right? Like it's, it's super cool.

204
00:14:03.879 --> 00:14:07.600
And every so often, if I'm lucky enough, when I'm

205
00:14:07.600 --> 00:14:11.080
there, they have a party for
the Ohauiti settlers. They're amazing people.

206
00:14:11.120 --> 00:14:16.960
But these are genuine farmers that have
grown up there and they've seen their city

207
00:14:16.000 --> 00:14:20.679
grow and change and so forth. They're
hilarious. I was on the edge

208
00:14:20.679 --> 00:14:24.120
of my seat waiting for Gandalf to
pop out from behind the rocks and trees,

209
00:14:24.799 --> 00:14:28.519
and he never did. Though never
saw any hobbits. All the green

210
00:14:28.639 --> 00:14:33.799
rolling hills, but beautiful things down
the road in Matamata. So

211
00:14:33.200 --> 00:14:39.120
anyway, Laura Bell Main, tell us
what you've been thinking about and talking about

212
00:14:39.200 --> 00:14:41.480
lately. I bet it has something
to do with secure applications. It does,

213
00:14:41.840 --> 00:14:46.080
but it also so I've been going
to a lot of conferences, as

214
00:14:46.080 --> 00:14:50.159
you do. I tend to cluster
them together and do these like weird little

215
00:14:50.159 --> 00:14:52.440
holidays with like three or four conferences
because everywhere's far from where I live.

216
00:14:54.159 --> 00:14:58.879
And I've been hearing a lot about
developer toil, that we're all very sad,

217
00:14:58.879 --> 00:15:01.320
and we're all very tired, and
everything is hard right now, and

218
00:15:01.360 --> 00:15:05.879
I get it. And so we've
been having a bit of an existential crisis

219
00:15:05.879 --> 00:15:11.639
in security of whether we, in
DevSecOps and kind of in moving security into

220
00:15:11.639 --> 00:15:16.840
the dev space, that we're making people
even sadder and even worse. So I've

221
00:15:16.879 --> 00:15:20.720
been talking a lot about where security
needs to be versus why it doesn't need

222
00:15:20.759 --> 00:15:24.279
to be, and which parts of
it actually are just making things worse and

223
00:15:24.320 --> 00:15:28.639
more painful. And so yeah,
a lot of conversation about that at the

224
00:15:28.679 --> 00:15:33.679
moment, because if I'm honest,
I'm kind of bored. I'm bored of

225
00:15:33.720 --> 00:15:37.720
the conversation always being Hey, we
found three vulnerabilities and we're home five last

226
00:15:37.759 --> 00:15:39.799
month, and therefore we're more secure, and now I think we can do

227
00:15:39.879 --> 00:15:45.200
better than just like looking back at
our code and going looks all right.

228
00:15:46.240 --> 00:15:52.600
So yeah, I want to kind
of make security a little less painful and

229
00:15:52.759 --> 00:15:56.559
a little bit more focused on you
know what if security really was part of

230
00:15:56.600 --> 00:16:02.600
software quality, right, how would
we measure it then and how would we

231
00:16:02.639 --> 00:16:06.600
approach it if it wasn't this weird, separate, standalone thing that we all

232
00:16:06.600 --> 00:16:11.000
get to later when somebody makes us.
Yeah, well that comes down to what

233
00:16:11.039 --> 00:16:14.679
are the unit tests for security,
then? Isn't it, partially? But for

234
00:16:14.799 --> 00:16:18.000
me it's it's kind of it's going
old school with like the ilities, right,

235
00:16:18.120 --> 00:16:22.279
it's not just does it work?
Does it not? It's not just

236
00:16:22.440 --> 00:16:25.919
straightforward tests that you know, if
we look at performance and scaling, very

237
00:16:25.960 --> 00:16:30.840
few organizations have really got structured tests
around that. Now there's a lot of

238
00:16:30.039 --> 00:16:36.080
you know, more subjective appreciation,
and then there's a lot of logging and monitoring

239
00:16:36.120 --> 00:16:41.080
and observability that comes into it.
But I don't think we have that maturity

240
00:16:41.200 --> 00:16:47.759
in security to assess where we're at
because most of it it really is take

241
00:16:47.799 --> 00:16:52.200
code, scan code, find things
or not find things. And I really

242
00:16:52.240 --> 00:16:57.000
want to kind of explore and play
with how we already examine our software and

243
00:16:57.039 --> 00:17:00.559
what we can learn from a security
perspective from the things we already do in

244
00:17:00.639 --> 00:17:06.119
development. I mean, I love
the idea of including in my CI/CD pipeline

245
00:17:06.160 --> 00:17:10.880
like the latest script kiddie attacks just
running against it. Did you get anywhere?

246
00:17:11.240 --> 00:17:15.160
Yeah, although it's complicated, like
you've got to get to an external

247
00:17:15.200 --> 00:17:18.279
host and poke in, yeah,
and got to find a script kitty.

248
00:17:18.799 --> 00:17:22.400
Absolutely. You just they're really hard
to catch. I need to throw the

249
00:17:22.400 --> 00:17:27.799
ball multi times and give them a
berry and yeah with water, but they

250
00:17:27.839 --> 00:17:33.079
come back. They just like it. Maybe they like the elks you can

251
00:17:33.160 --> 00:17:40.920
stay when we get down to it. You look at people like there was

252
00:17:40.960 --> 00:17:44.759
a gentleman, James. His name's
going to escape me because I've now tried

253
00:17:44.799 --> 00:17:47.880
to say it out loud, and
that's the rule of names who did a

254
00:17:47.920 --> 00:17:52.079
lot of work on automated security testing. So this was the time where things

255
00:17:52.079 --> 00:17:57.759
like BDD-Security started coming out,
and they were Cucumber style tests that were

256
00:17:57.759 --> 00:18:03.240
written around open source testing and scanning
frameworks for security, and there was a

257
00:18:03.240 --> 00:18:07.000
lot of push at that period for
getting those into CI/CD pipelines. The problem

258
00:18:07.200 --> 00:18:11.599
is that the way that the underlying
tools they hook to do that work,

259
00:18:11.839 --> 00:18:18.240
they're very slow tools, and so
it exploded pipelines everywhere and everyone got sad,

260
00:18:18.720 --> 00:18:22.079
and then we ended up with parallel
pipelines and before we knew it,

261
00:18:22.119 --> 00:18:26.880
we were back to where we started. So that's the one I It was

262
00:18:26.920 --> 00:18:33.039
a... Brains are funny things.
Thank you so much. So yes,

263
00:18:33.559 --> 00:18:36.640
and the work you did at that
time. You know, there's not a

264
00:18:36.640 --> 00:18:40.079
lot of activity in that space at
the moment. There's a lot of know

265
00:18:40.240 --> 00:18:44.880
how to build AI that builds your
test for you and security, but it

266
00:18:44.920 --> 00:18:48.160
would be good to see how we
could approach that differently. I think the

267
00:18:48.440 --> 00:18:52.720
big problem in that space was always
the underlying tools that we were hooking into.

268
00:18:52.599 --> 00:18:56.279
So we couldn't do this from you
know, just a raw perspective.

269
00:18:56.319 --> 00:19:00.119
We had to hook an open source
tool. Those open source tools weren't built

270
00:19:00.440 --> 00:19:06.119
to be run in tiny components.
They're big frameworks that it tries to run

271
00:19:06.160 --> 00:19:10.240
a huge thing. Testing's got that
same problem, right, if you really

272
00:19:10.240 --> 00:19:14.599
want to load test, it's a
complicated set of tools. Absolutely. So,

273
00:19:14.720 --> 00:19:18.359
Yeah, I'm genuinely excited that I
think we can do some really cool

274
00:19:18.359 --> 00:19:22.319
stuff in the space. But I
think the focus, and unfortunately the money

275
00:19:22.359 --> 00:19:26.519
in security is very much at those
kind of code scanning, kind of glossy

276
00:19:26.559 --> 00:19:30.519
things, and I think it's going
to take more dev focus for us to

277
00:19:30.559 --> 00:19:34.519
make this more practical and something we
can control ourselves in the dev space rather

278
00:19:34.519 --> 00:19:40.119
than relying on external things. Yeah, you know, over on the sysadmin

279
00:19:40.200 --> 00:19:45.279
side, I've talked to so many
infosec folks who are just so frustrated. It's like,

280
00:19:45.440 --> 00:19:48.279
we see the vulnerabilities, we have brought
them forward to leadership. Leadership

281
00:19:48.359 --> 00:19:51.359
is like, we don't think this is
that big of a risk. We're not

282
00:19:51.440 --> 00:19:56.039
spending money on it until it explodes. Yeah, there's an interesting conversation actually

283
00:19:56.279 --> 00:20:00.880
just started in the last couple of
years in digital safety about the old recurring

284
00:20:02.039 --> 00:20:07.920
theme of software liability and warranties.
And you know, there's an argument that

285
00:20:07.000 --> 00:20:11.480
it will take us moving to having
to be liable or have full warranty for

286
00:20:11.559 --> 00:20:15.000
the software you build for people to
care, which I have many thoughts and

287
00:20:15.039 --> 00:20:19.480
feelings on, and that's a pretty
scary area. But you can see historically,

288
00:20:22.720 --> 00:20:26.599
arguably Bill Gates's real contribution to the
world, when they strip it all

289
00:20:26.640 --> 00:20:30.519
the way down one hundred years from
now, will be he wrote the original

290
00:20:30.599 --> 00:20:33.920
EULA, rather his father, the
lawyer, did. But you know, eliminating

291
00:20:34.000 --> 00:20:40.680
responsibility for software, or limiting
that liability to the price you paid for

292
00:20:40.880 --> 00:20:44.240
it. You know, there is
an argument at the time, at least

293
00:20:44.400 --> 00:20:48.160
what fifty years ago, that this
is what will allow for rapid innovation.

294
00:20:48.200 --> 00:20:52.480
But now it seems like a real
liability that we just have no reason to

295
00:20:52.960 --> 00:20:57.359
become professionals because we have no liability. Absolutely. And you know, if

296
00:20:57.400 --> 00:21:02.359
you're writing an e-commerce site and
selling widgets to people, cool, all

297
00:21:02.440 --> 00:21:06.960
right, you know, I get
the financial liability stuff, but if your

298
00:21:07.039 --> 00:21:10.480
software... I was talking to some... I
love, I collect the stories of amazing

299
00:21:10.519 --> 00:21:14.279
engineers who are building crazy things from
sci fi. That's like my nerd hobby.

300
00:21:14.880 --> 00:21:18.279
And I was talking to this team
and they're like, so we have

301
00:21:18.519 --> 00:21:22.559
built these amazing remote control cars and
I'm like, hang on, no,

302
00:21:22.680 --> 00:21:26.000
that's not tech. And they're like
no, like full sized cars that are

303
00:21:26.039 --> 00:21:33.440
remote controlled over thousands of kilometers in
airports, and I'm like cool. So

304
00:21:33.720 --> 00:21:37.319
we started realizing that, you know, this massive piece of software that was

305
00:21:37.359 --> 00:21:41.000
attached to a standard car. So
these are not custom built vehicles. This

306
00:21:41.160 --> 00:21:45.160
is they have taken a you know, a Sedan or whatever and retrofitted some

307
00:21:45.400 --> 00:21:48.559
remote control tech into it, right, and they're in an airport and I'm

308
00:21:48.640 --> 00:21:52.680
like wow. From a security point
of view, that's one thing, but

309
00:21:52.759 --> 00:21:59.599
from a health and safety point of
view, you know, moving machinery because

310
00:21:59.599 --> 00:22:03.960
that learning in a busy environment,
and you know, like this, it's

311
00:22:04.039 --> 00:22:08.240
hard to be a security person right
now because you're torn in two. There's half of

312
00:22:08.319 --> 00:22:11.400
me that's like, oh my goodness, there is amazing technology everywhere and look

313
00:22:11.440 --> 00:22:14.799
what we're doing and it's cool,
and the other half of me is like,

314
00:22:14.839 --> 00:22:17.799
can I just go lie down please? This is fairly terrifying. Well,

315
00:22:17.960 --> 00:22:21.240
you know, Apart aside from the
tech, probably one of the biggest

316
00:22:21.279 --> 00:22:25.839
vectors for security attacks is social engineering, isn't it, and things that we

317
00:22:25.960 --> 00:22:30.559
don't think about because we're tech focused
software developers don't think about these side channel

318
00:22:30.599 --> 00:22:37.119
attacks that can happen. I heard
one story about people who are trying to

319
00:22:37.240 --> 00:22:45.240
listen in on other people's conversations by
connecting microphones to the plumbing. And you

320
00:22:45.319 --> 00:22:48.079
don't think about it, but your
sink is listening to you, and you

321
00:22:48.200 --> 00:22:53.279
put a microphone on the pipe and
you can actually hear everything that people in

322
00:22:53.319 --> 00:22:56.480
the room are saying. There's a
really good example of something. Oh but

323
00:22:56.880 --> 00:23:00.400
this room is out, you know, has got the security surveillance and the

324
00:23:00.440 --> 00:23:07.680
cameras, and fine, but what
are you doing about the sink? Absolutely

325
00:23:07.720 --> 00:23:10.519
there was a glorious video from it
a number of years ago now, but

326
00:23:10.960 --> 00:23:15.599
some very smart scientists discovered that they
could monitor a plant that was in the

327
00:23:15.720 --> 00:23:18.759
room, and they could look at
the vibrations on the plant, and they

328
00:23:18.759 --> 00:23:22.960
could actually extract the conversation from a
room based on the minute movements of a

329
00:23:23.039 --> 00:23:27.759
plant, and like part of me
is like wow, that's like it is

330
00:23:27.880 --> 00:23:32.839
so cool, and you know what
security can be all doom and gloom.

331
00:23:32.920 --> 00:23:36.400
Absolutely, lots of terrible things can
happen. I will not understate those.

332
00:23:36.880 --> 00:23:40.200
But at the same time, I
think the future of security doesn't just need

333
00:23:40.279 --> 00:23:44.759
people like me with massive anxiety problems
that turned it into a career. Then

334
00:23:44.880 --> 00:23:49.559
you've got to be excited about the
technology and the potential of it. Not

335
00:23:49.759 --> 00:23:53.039
everything is going to change the world, but to one or two people it

336
00:23:53.160 --> 00:23:57.880
might to be able to work on
the let's mute our plants problem rather than

337
00:23:57.920 --> 00:24:03.519
the really SQL injection. Really that
would be nice, isn't it. Yeah?

338
00:24:03.759 --> 00:24:07.359
Yeah, but you know there's an
underlying truth about that though. There's

339
00:24:07.359 --> 00:24:10.279
a reason that the OWASP Top Ten
hasn't changed much from two thousand and three

340
00:24:10.359 --> 00:24:14.680
till now. Yeah, and that's
because we're still approaching it in the same

341
00:24:14.720 --> 00:24:17.599
way we have twenty years ago,
more or less writing software the same way.

342
00:24:17.839 --> 00:24:22.920
Well, I know for a fact
that two factor authentication has saved my

343
00:24:22.079 --> 00:24:26.839
butt several times. Every once in
a while, I get an email that

344
00:24:26.960 --> 00:24:33.559
says, hey, we've got a
request to change your password. You know,

345
00:24:33.599 --> 00:24:37.640
if this wasn't you, then just
ignore this. Otherwise here's the code.

346
00:24:37.559 --> 00:24:41.160
Uh yeah, I think I'm going
to ignore that. I think you

347
00:24:41.319 --> 00:24:44.799
ignore that one. It's a conversation
we had on RunAs, I think it

348
00:24:44.880 --> 00:24:47.079
was with Sami Laiho. He said, hey, look, you know,

349
00:24:47.559 --> 00:24:51.160
multifactor's worked well enough that it's
actually moved it off the top. It's

350
00:24:51.240 --> 00:24:55.480
now number two, and what's on
top is unpatched servers, And that brought

351
00:24:55.559 --> 00:24:59.839
up this whole conversation of we're super
cautious about patching servers because sometimes it breaks,

352
00:25:00.720 --> 00:25:03.079
but that's now a higher risk than
the possibility of the breaking. So

353
00:25:03.119 --> 00:25:07.559
it's like it's better to deploy the
patch quickly and deal with the consequence,

354
00:25:07.640 --> 00:25:11.319
than it is to stay unpatched. And
what do you do about grandmas that insist

355
00:25:11.440 --> 00:25:17.240
on clicking on links and emails and
text messages that you know, I mean,

356
00:25:17.400 --> 00:25:22.359
that remains probably one of the biggest
threat vectors, this social engineering stuff.

357
00:25:22.599 --> 00:25:25.960
I mean, that's there's no tech
that can well can you know,

358
00:25:26.039 --> 00:25:29.960
that can protect you from that.
There never will be and there never has

359
00:25:30.079 --> 00:25:33.839
been. So I love the fact
that security has invented fancy words for all

360
00:25:33.880 --> 00:25:38.000
of these things, but in essence, human beings are jerks and have always

361
00:25:38.039 --> 00:25:41.799
been jerks for as long as there
have been people. We have done whatever

362
00:25:41.920 --> 00:25:45.799
we could, whether it was line
lying, cheating, stealing, applying the technology of

363
00:25:45.880 --> 00:25:52.200
the time to get things we wanted. And so it's evolutionary. It's part

364
00:25:52.279 --> 00:25:56.599
of our culture is the willingness to
bend the truth, to bend the rules,

365
00:25:56.079 --> 00:26:02.039
and to change our behaviors such that
we get gain. Now, you

366
00:26:02.240 --> 00:26:07.960
can't fix that with a web application
firewall, because you know, you're as

367
00:26:07.039 --> 00:26:11.359
engineers, we're problem solvers. So
we we you know, problems over here.

368
00:26:11.440 --> 00:26:12.319
Cool, I'm going to take any
pathway to get there, and I'm

369
00:26:12.359 --> 00:26:17.279
going to build something great, wonderful. And some of us build beautiful systems

370
00:26:17.319 --> 00:26:19.119
and some of us build things made
out of duct tape and good intentions,

371
00:26:19.559 --> 00:26:23.480
and it doesn't matter. This is
a different style of engineering, and our

372
00:26:23.519 --> 00:26:29.160
attackers are exactly the same. They
are creative, they are very objective focused.

373
00:26:29.279 --> 00:26:32.680
They want, you know, the
shiny shirt, or they want to

374
00:26:32.720 --> 00:26:36.039
go and you know, get the
money, or they want to get political

375
00:26:36.079 --> 00:26:40.559
influence, whatever it is, and
they'll take whatever path. It's an infinite

376
00:26:40.680 --> 00:26:45.480
problem space and at the moment in
security, we we're very narrowly focused because

377
00:26:45.519 --> 00:26:48.960
it helps us focus and it's all
we can do on this vulnerability class or

378
00:26:49.000 --> 00:26:52.640
this vulnerability class. But we overlook
the fact that if you take that one

379
00:26:52.680 --> 00:26:56.640
away, something else will spring up. So it has to be more holistic.

380
00:26:57.119 --> 00:27:02.480
Yeah, and constant and vigilant.
Yeah. Yeah, yeah. It's

381
00:27:02.519 --> 00:27:04.279
not a good recruiting campaign for security, to be honest. I'm just telling

382
00:27:04.319 --> 00:27:11.759
you constantly learning and you'll always fail. So yeah, I don't know why

383
00:27:11.839 --> 00:27:15.039
we do it. Really, it's
only what you mentioned that when although every

384
00:27:15.119 --> 00:27:19.799
security person I know is busy,
like, nobody's being laid off in this

385
00:27:19.880 --> 00:27:25.599
space either, there's only more work. Yeah, as frustrating as it may

386
00:27:25.640 --> 00:27:29.079
be, and I do I mean, I appreciate your your sense of weight

387
00:27:29.240 --> 00:27:34.759
and concern because it can be weighty
and concerning. It's it's certainly there's no

388
00:27:34.960 --> 00:27:37.319
lack of things to do. It's
just I think it's going to be very

389
00:27:37.400 --> 00:27:45.119
frustrating to have the same conversations over
and over and over before we go on.

390
00:27:45.559 --> 00:27:48.200
Why don't we take a brief break. Sure, we'll be right back,

391
00:27:52.480 --> 00:27:53.640
and we're back. It's .NET
Rocks. I'm Richard Campbell. That's

392
00:27:53.680 --> 00:27:57.559
Carl Franklin. Hey, talking to
our friend Laura Bell Main a little bit

393
00:27:57.559 --> 00:28:03.119
about you go on the agile side
of security, which I find interesting we've

394
00:28:03.160 --> 00:28:10.799
been talking about the whole shifting left
of security. I just don't you know,

395
00:28:11.319 --> 00:28:15.599
And yet most of the time security
still applied after the V1's out

396
00:28:15.640 --> 00:28:19.559
the door. So what do you
how do you even talk about shifting security

397
00:28:19.680 --> 00:28:23.039
left? I'm going to be a
bit controversial, and I'm really sorry.

398
00:28:23.319 --> 00:28:27.480
People will have feelings and opinions,
Please please put them in comments and for

399
00:28:27.599 --> 00:28:33.400
our shows probing for us, I
think what's really happening with shifting left is

400
00:28:33.559 --> 00:28:34.720
if you shift left for long enough, it ends up in the sea.

401
00:28:36.000 --> 00:28:38.000
And that's what's happening. We go, all right, it's not our team

402
00:28:38.000 --> 00:28:40.759
anymore. We're going to pass it
to that team, and that team go

403
00:28:40.920 --> 00:28:42.680
cool, we don't have the time, and there's another team and they pass

404
00:28:42.720 --> 00:28:47.759
it on, and what we're seeing,
time and time again, the focus on

405
00:28:47.799 --> 00:28:51.200
shift left is limited in two ways. Firstly, you even see it in the

406
00:28:51.319 --> 00:28:55.039
language of the tools and techniques we
do. They talk about from development to

407
00:28:55.200 --> 00:28:59.200
deployment as if that's the entire process. Yes, that's the whole loop, man.

408
00:28:59.319 --> 00:29:04.799
Nobody Actually, yeah, absolutely nothing
else happens planning and design, none of

409
00:29:04.880 --> 00:29:10.119
that, exactly. The light of
software just descends upon us. We instantly

410
00:29:10.240 --> 00:29:18.799
know exactly, yeah, exactly,
we go home. Yeah, job done.

411
00:29:19.160 --> 00:29:22.519
It's weird that we're all still employed. I don't know why that would

412
00:29:22.559 --> 00:29:27.960
be. So all of our things
focus on that stage. So writing code

413
00:29:29.079 --> 00:29:33.599
through to deployment, now that leads
to startlingly big gaps. It leaves maintenance

414
00:29:33.680 --> 00:29:37.920
and support. So those ones,
those tools that you have out in the

415
00:29:37.960 --> 00:29:41.279
world that are now in BAU,
they you know, there's minimal changes happening.

416
00:29:41.720 --> 00:29:45.359
Now. That's especially true if your
architecture has been fragmented in some way

417
00:29:45.960 --> 00:29:51.720
such that you know a component actually
has a singular purpose or a small number

418
00:29:51.720 --> 00:29:53.519
of purposes, and you work on
other components to do the rest. So

419
00:29:53.680 --> 00:29:59.079
microservices folk have this a lot. It's never built. How are your

420
00:29:59.119 --> 00:30:02.839
fancy security p this is ever going
to apply again if that thing is never

421
00:30:02.960 --> 00:30:07.599
being built, because everything's built into
the deployment pipeline, into the build pipeline.

422
00:30:07.160 --> 00:30:11.599
And at the other end, we
talk about threat assessment. And I

423
00:30:11.720 --> 00:30:17.400
love that the movement is starting to
get some energy, but we still we

424
00:30:17.519 --> 00:30:19.079
still fall back on that urge.
We have to well, how can I

425
00:30:19.160 --> 00:30:23.759
automate that? Now, threat assessment
is very difficult for you to automate and

426
00:30:25.079 --> 00:30:26.480
that's hard to hear as an engineer
because you want to go, well,

427
00:30:26.519 --> 00:30:29.880
I just want to make the tool
do it for me, and then I

428
00:30:29.960 --> 00:30:33.000
can do other things like drink coffee. But threat assessment, I've got to

429
00:30:33.079 --> 00:30:37.799
look around. Yes, sometimes you
actually just have to plan a bank robbery

430
00:30:37.880 --> 00:30:42.279
with your friends. That's just how
you have to operate. And so we've

431
00:30:42.359 --> 00:30:47.160
got to find space for this.
We've got to start talking about development.

432
00:30:47.319 --> 00:30:52.680
Security are around more than just that
middle section and more than just the people

433
00:30:52.680 --> 00:30:56.519
who write the code. It needs
to be everybody in the team, and

434
00:30:56.640 --> 00:31:00.960
it doesn't need to be lots of
work. We run a very kind of

435
00:31:00.039 --> 00:31:04.640
lightweight program, completely free, called One Hour
AppSec, So we aim to get

436
00:31:04.720 --> 00:31:08.640
folks in dev doing one hour of
security stuff every sprint. That's it,

437
00:31:10.079 --> 00:31:14.079
just one hour, sixty minutes.
But if you imagine the impact of doing

438
00:31:14.160 --> 00:31:17.599
that across you know, one hundred person team, that's a lot of security

439
00:31:17.680 --> 00:31:22.279
every sprint. So those minute changes
across all the roles could have a huge

440
00:31:22.319 --> 00:31:26.359
impact. But at the moment,
unfortunately shift left and DevSecOps and the agile

441
00:31:26.440 --> 00:31:30.920
movement really is focused on that CI/CD
pipeline and that middle chunk right which again

442
00:31:32.039 --> 00:31:34.799
is trying to automate the problem away
rather than you know the problem. And

443
00:31:34.920 --> 00:31:37.880
I think you described as really well, it's not shift left, it's everybody

444
00:31:37.960 --> 00:31:42.640
fights that everybody has to be part
of the solution here. And this is

445
00:31:42.680 --> 00:31:47.039
something that is that a scrum master
could easily manage that. Hey, we're

446
00:31:47.039 --> 00:31:49.400
starting up a sprint. Let's do
our hour. What are you going to

447
00:31:49.440 --> 00:31:52.079
work on? Absolutely, oh,
like, let's let's get this at the

448
00:31:52.119 --> 00:31:56.400
front of the sprint, talk through
the security elements before we go anywhere else.

449
00:31:56.480 --> 00:32:00.640
Almost absolutely, And you know,
if you're wise with your hour,

450
00:32:00.279 --> 00:32:02.599
you know, the first time you
do it, you think about things.

451
00:32:02.680 --> 00:32:06.200
The second time you do it,
you've got the guardrail that you did the

452
00:32:06.279 --> 00:32:09.880
last time you did this, and
you know, these artifacts start to naturally,

453
00:32:10.759 --> 00:32:14.319
you kind of get created as part
of it, and they iterate as

454
00:32:14.359 --> 00:32:17.680
you go and it really there is
no done. There is no perfect in security.

455
00:32:17.720 --> 00:32:22.720
So if we park that idea entirely, what we have is an awareness

456
00:32:22.400 --> 00:32:27.079
and behaviors that we try and consistently
apply. So you can look at this

457
00:32:27.200 --> 00:32:30.039
in any part of your life,
like a gym membership. Right, buying

458
00:32:30.079 --> 00:32:35.680
the gym membership isn't actually going to
do anything for me, Sorry, the New

459
00:32:35.720 --> 00:32:44.200
Zealand. Yeah, in between the
sheep and the characters, gyms are a foreign concept.

460
00:32:45.960 --> 00:32:47.880
So whatever it is, it's not
buying the thing isn't going to get you

461
00:32:49.000 --> 00:32:54.920
there, but consistent application and shared
shared participation, group participation will get you

462
00:32:55.039 --> 00:32:59.720
there. So, you know,
I think perhaps I'm like the security equivalent

463
00:32:59.720 --> 00:33:04.279
of a hit, but that's okay. I really do think that there are

464
00:33:04.359 --> 00:33:07.000
no superheroes in security. There is
nobody that's going to come and do it

465
00:33:07.119 --> 00:33:09.680
for us in our team and make
it all go away. The best thing

466
00:33:09.759 --> 00:33:15.240
you can do is find little things, do them consistently, automate the ones

467
00:33:15.279 --> 00:33:17.960
you can that make sense and the
ones that you can't do. If you're

468
00:33:17.960 --> 00:33:22.640
anything like me, I'm truly interrupt
driven and horribly distracted. So create little

469
00:33:22.720 --> 00:33:27.000
robots that tell you you need to
go do the thing, right? And the

470
00:33:27.200 --> 00:33:30.839
easier you make that for yourself.
Suddenly we have a huge movement that isn't

471
00:33:30.880 --> 00:33:36.799
led by specialist security engineers. We
still need them for a variety of reasons.

472
00:33:37.480 --> 00:33:39.480
But what if the majority of software
security was in the dev team.

473
00:33:39.839 --> 00:33:43.200
It was just part of what we
do a little bit and a little bit

474
00:33:43.240 --> 00:33:45.720
of time, so that you built
up a set of guardrails that you could

475
00:33:45.920 --> 00:33:49.599
use over and over again. So
when you're doing pen testing, for example,

476
00:33:49.799 --> 00:33:53.359
how much of that can you automate
versus doing you know, doing manually.

477
00:33:53.720 --> 00:33:57.240
Oh, that's a there's a load, that's a loaded question. Carl,

478
00:33:58.319 --> 00:34:01.559
we're going to get in trouble,
so let's do it. So I did

479
00:34:01.599 --> 00:34:05.920
about seven years as a pen tester, so been very deep in that.

480
00:34:05.960 --> 00:34:08.440
I've also been a red teamer,
so where you know, the more advanced,

481
00:34:08.519 --> 00:34:13.880
sort of customized level. Now,
it really does depend on the pen

482
00:34:13.920 --> 00:34:20.559
test company. So I'm going to
like blanket handwave statement. But a lot

483
00:34:20.719 --> 00:34:24.639
of the early stuff in a pentest, so what we'd call reconnaissance is absolutely

484
00:34:24.679 --> 00:34:30.559
automated and has been for a number
of years. Vulnerability scanning, which is

485
00:34:30.679 --> 00:34:35.320
the next stage, also heavily automated. Now, if I could give the

486
00:34:35.400 --> 00:34:39.119
audience a little bit of advice,
pen testing is really expensive. Your aim

487
00:34:39.199 --> 00:34:43.199
with a pentest is to make your
pen tester cry. You want them to

488
00:34:43.239 --> 00:34:47.000
be to work so hard. Oh
yeah, So like the stuff that's automated,

489
00:34:47.039 --> 00:34:52.920
that reconnaissance, the information gathering,
the running, vulnerability scanning, that

490
00:34:52.079 --> 00:34:55.639
you should be doing yourself like you
can do that with open source tools.

491
00:34:57.000 --> 00:35:00.079
There is no magic there, and
there is no magic in pen testing at

492
00:35:00.159 --> 00:35:02.880
all. In fact, if you're
a dev, if you wanted to get

493
00:35:02.920 --> 00:35:06.800
into the space and learn a bit
more about it, there's some really great

494
00:35:07.000 --> 00:35:10.920
free resources by Bugcrowd, so the
bug bounty platform. They have a little

495
00:35:12.000 --> 00:35:15.280
university that you can go and just
free of charge. There's no sign up

496
00:35:15.320 --> 00:35:17.280
or anything. You just watch their
videos and things and learn how this all

497
00:35:17.400 --> 00:35:22.000
works, and you start to realize
that there's this whole foundation that you can

498
00:35:22.079 --> 00:35:27.360
do and then automate to mean that
by the time you get to a pen

499
00:35:27.400 --> 00:35:30.719
test, they really do have to
focus on that really manual custom effort,

500
00:35:30.800 --> 00:35:35.639
and that's what we want in a
pen test. They will only do as

501
00:35:35.719 --> 00:35:38.440
much manual effort as they have time
to do, So if they're finding lots

502
00:35:38.480 --> 00:35:43.280
of junk with the vulnerability stuff,
they'll never get to it. So yeah,

503
00:35:43.320 --> 00:35:46.159
it's it's a bit of a strange
situation. But to answer your question,

504
00:35:46.239 --> 00:35:49.519
Carl, you want to force them
to do as much of it as

505
00:35:49.599 --> 00:35:52.880
possible and do it for them.
Yeah, yeah, so they have Your

506
00:35:52.960 --> 00:35:57.320
real value is going to come when
they're deep down the pipeline. Yes,

507
00:35:57.760 --> 00:36:00.039
the yep, but if you've only
paid for many hours, if they can

508
00:36:00.119 --> 00:36:04.320
knock you out with a simple oh, you have this port open exactly,

509
00:36:04.880 --> 00:36:07.559
this server's not been patched. I
just love it. One. Questions are

510
00:36:07.639 --> 00:36:14.599
like what is that? Yeah,
And there's a lot of folks who will

511
00:36:14.639 --> 00:36:17.039
say, hey, never share your
code with the pen testers either, And

512
00:36:17.159 --> 00:36:22.199
I would absolutely argue with that because
a pentest is scoped, it's time-scoped, so

513
00:36:22.280 --> 00:36:25.639
you've only got two weeks, three
weeks, whatever it is. And if

514
00:36:25.679 --> 00:36:29.800
you imagine as an engineer, you
were given a system and you're told find

515
00:36:29.840 --> 00:36:32.519
the most vulnerable, valuable parts of
it, and you've got two weeks to

516
00:36:32.599 --> 00:36:36.199
do it, and you can't see
the source code, you're really going to

517
00:36:36.239 --> 00:36:38.639
struggle. So if you want to
get to the really juicy bits and get

518
00:36:38.679 --> 00:36:43.840
those bits that are really sensitive tested, it's really important to safely find a

519
00:36:43.920 --> 00:36:46.679
way to get them their access so
they can then dig in and then pull

520
00:36:46.760 --> 00:36:50.840
back and then go deeper on that
research. Not only that, but your

521
00:36:50.840 --> 00:36:54.280
average pen tester probably has enough knowledge
to go criminal if they really wanted to,

522
00:36:54.840 --> 00:36:59.320
but they've decided not to. They
decided to sell their talents to

523
00:36:59.400 --> 00:37:01.760
the powers of good, so you
should be able to trust them. How's

524
00:37:01.800 --> 00:37:06.960
that good statement? Oh, I
can see the emails are coming in already.

525
00:37:07.559 --> 00:37:10.599
Absolutely, but yeah, don't waste
their time with the simple vulnerabilities.

526
00:37:10.679 --> 00:37:15.519
Knock all of those out. Do
the boring basics, right, You know,

527
00:37:15.239 --> 00:37:19.800
our brains are funny. We love
dopamine, and so we love focusing

528
00:37:19.840 --> 00:37:23.800
on the really novel challenges and the
new things, and so we intentionally or

529
00:37:24.119 --> 00:37:30.440
unconsciously avoid those boring basics that trip
us up every time. And if we

530
00:37:30.559 --> 00:37:34.239
can be conscious of that and we
can work on those, then it really

531
00:37:34.320 --> 00:37:37.440
does get us much further along our
security journey. I mean, it's kind

532
00:37:37.440 --> 00:37:39.599
of an embarrassment to be tipped over
by any of the OWASP Top Ten. Like

533
00:37:40.000 --> 00:37:45.440
these are known, they're well documented. They I am not saying all of

534
00:37:45.440 --> 00:37:49.079
them are simple to fix, but
they're just like you can scan for these,

535
00:37:49.400 --> 00:37:52.079
you can look for you know,
you're doing the right things and this

536
00:37:52.159 --> 00:37:54.159
stuff and just at least get that
much done. And you were saying you're

537
00:37:54.159 --> 00:37:59.679
bored by SQL injection, but I
mean that still is very high on the

538
00:37:59.760 --> 00:38:02.280
list, number one, number two, Like still, well, even if

539
00:38:02.320 --> 00:38:07.199
you just look at it as a
puzzle. SQL injection actually is a really

540
00:38:07.320 --> 00:38:10.599
incredible puzzle when you start looking at
it from a playful perspective. So you

541
00:38:10.679 --> 00:38:14.760
know, at it's simplest and you
start seeing like authentication bypasses, you're kind

542
00:38:14.760 --> 00:38:19.320
of like mean. But when you
start to understand that people are using SQL

543
00:38:19.440 --> 00:38:29.079
in really ugly disturbing ways to blindly
work through and around your database without knowledge

544
00:38:29.119 --> 00:38:32.239
of the schema, without any understanding
of the other components, and they're using

545
00:38:32.280 --> 00:38:37.559
it to extract data up to the
point where they're using either you know,

546
00:38:37.679 --> 00:38:42.480
the query speed to determine an answer, or they're pulling it out a single

547
00:38:42.679 --> 00:38:46.199
character at a time. That to
me is you know, there's a fascinating

548
00:38:46.320 --> 00:38:52.639
challenge there, and so if you
can appreciate the tech behind the challenge,

549
00:38:52.679 --> 00:38:57.280
it's not just, hey, OR 1=1,
that's where we

550
00:38:57.360 --> 00:39:00.719
start. But like anything in engineering, it's much much bigger and it's as

551
00:39:00.840 --> 00:39:06.800
powerful as SQL is itself, and
SQL is ridiculously powerful. So yeah,

552
00:39:07.000 --> 00:39:09.559
if anyone at home's going, well, how do I learn to care about

553
00:39:09.599 --> 00:39:14.719
this more? Go deep on it, Go have a look at their really

554
00:39:15.000 --> 00:39:20.239
ridiculously dirty SQL that gets written in
the offensive space. It's not bad SQL,

555
00:39:20.239 --> 00:39:23.280
it's just SQL doing things that you
would never as a polite person try

556
00:39:23.320 --> 00:39:28.159
to do yourself, it seems to
me. So I do this security show,

557
00:39:28.400 --> 00:39:30.599
a podcast called Security This Week,
and I am not the expert.

558
00:39:30.639 --> 00:39:36.159
I'm the dumb guy asking questions.
But Dwayne Laflotte is one of the guys

559
00:39:36.239 --> 00:39:39.760
on there, and he is like
when I say, he could go rogue

560
00:39:39.920 --> 00:39:44.800
and make twice the money that he's
working. He definitely could be evil if

561
00:39:44.840 --> 00:39:50.920
he wanted to. But like I
think, like you, his reaction to

562
00:39:51.199 --> 00:39:54.480
an elegant hack is, you know, the more dangerous it is is,

563
00:39:55.039 --> 00:40:02.760
oh, this is awesome. That's
like he appreciates the evil mind that went

564
00:40:02.840 --> 00:40:08.119
into creating this attack. You know, there is something about how folks in

565
00:40:08.159 --> 00:40:14.239
offensive security see the world and see
systems that is really interesting. You know,

566
00:40:14.440 --> 00:40:16.840
to be able to take a complex
system and you know, tilt your

567
00:40:16.880 --> 00:40:21.440
head in the right way and press
this convent and to even be able to

568
00:40:21.519 --> 00:40:27.239
think like that and to have that
process of exploration and play coupled with the

569
00:40:27.320 --> 00:40:32.199
technical ability to then pull that off
is really interesting. And well, you

570
00:40:32.280 --> 00:40:36.480
know, nine percent of what we
see out there is noisy automated junk.

571
00:40:37.079 --> 00:40:39.280
There are in amongst that the people
who are coming up with these new attacks

572
00:40:39.360 --> 00:40:45.440
and these new vulnerabilities who are really
very creative thinkers. And yeah, you

573
00:40:45.239 --> 00:40:47.519
as an engineer, you've got to
respect them. I think they put their

574
00:40:49.000 --> 00:40:51.920
they think they put their minds to
more meaningful work, right, I mean

575
00:40:51.960 --> 00:40:54.480
that My general experience with criminals is
like their criminals is they don't want to

576
00:40:54.519 --> 00:40:58.320
work that hard. Oh you you've
lived in small towns, haven't you.

577
00:41:01.599 --> 00:41:06.760
So I grew up in a small
town that was famous for two things teenage

578
00:41:06.800 --> 00:41:10.800
pregnancy and car theft. That was
pretty much our claims to fame. But

579
00:41:12.000 --> 00:41:15.519
that was it. They literally the
cars. So they used to call it

580
00:41:15.639 --> 00:41:20.679
joining the family business. And you
know, you were either building a family

581
00:41:20.840 --> 00:41:24.960
or robbing cars. And what happens
is you started to understand crime in a

582
00:41:25.000 --> 00:41:30.559
way that you didn't even understand why
you were You understood it. And I

583
00:41:30.639 --> 00:41:35.159
think as I've gotten older, yeah, there are some very common, very

584
00:41:35.199 --> 00:41:38.599
basic reasons that people commit crime,
but there are also some very interesting ones.

585
00:41:39.760 --> 00:41:44.840
There's a lot of psychology in there, and it's a really fascinating space

586
00:41:44.960 --> 00:41:47.559
and a lot of the vulnerability
researchers out there don't have a criminal bone

587
00:41:47.599 --> 00:41:51.920
in their body. That's you know, why they do what they do.

588
00:41:52.960 --> 00:42:00.559
But they're insatiably curious and they think
differently, and the way that they've channeled

589
00:42:00.559 --> 00:42:07.599
the energy is not it's not even
intentionally malicious. It's just that their perception

590
00:42:07.880 --> 00:42:14.000
of right and wrong don't match ours. It's a very interesting space, especially

591
00:42:14.119 --> 00:42:16.280
in electronic crime. Physical crime is
a little bit different. But in the

592
00:42:16.320 --> 00:42:22.199
electronic space, have you discovered any
zero days? Because I know that's in

593
00:42:22.280 --> 00:42:27.239
the holy grail of like security.
Not in a good many years. I

594
00:42:27.400 --> 00:42:30.199
unfortunately used to work for the UK
government, so even whatever I discovered wasn't

595
00:42:30.239 --> 00:42:35.440
allowed to be put out there in
the world. My days of that are

596
00:42:35.480 --> 00:42:39.599
gone. Ye. No, it's
and that's a whole other different aspect of

597
00:42:39.679 --> 00:42:44.639
the work too, right, it's
hunting well and you also think about the

598
00:42:45.119 --> 00:42:46.320
it's the cloud providers. It seems
to be at the front of this now

599
00:42:46.360 --> 00:42:52.119
because they have a super vested interest
there is a zero-day exploit that might affect

600
00:42:52.159 --> 00:42:55.119
the cloud and affect their customers.
That's bad for them, irrespective of how

601
00:42:55.159 --> 00:42:59.280
it is for their customers. So
you just have to look at Heroku from

602
00:43:00.000 --> 00:43:02.880
a couple of years ago. One
vulnerability in a platform as a service, now not

603
00:43:02.960 --> 00:43:07.039
one of the major ones now,
but you know, in its day was

604
00:43:07.400 --> 00:43:13.239
still got thirteen million customers, but
a compromise there affected thirteen million customers at

605
00:43:13.440 --> 00:43:20.719
least twenty thousand live applications, including
dial-in meeting systems, online doctors,

606
00:43:21.000 --> 00:43:24.840
and health information sharing. So you
know, if you're an attacker and

607
00:43:24.920 --> 00:43:29.199
you're being super cost effective, you
don't want to go and attack every single

608
00:43:29.280 --> 00:43:32.079
person individually. You're going to pick
these big shared components, whether it's a

609
00:43:32.239 --> 00:43:38.159
shared framework that everyone uses
or a CMS. That's why WordPress has

610
00:43:38.239 --> 00:43:42.199
you know, always got a target
on its back because it is so widely

611
00:43:42.320 --> 00:43:46.239
used, or the platforms themselves.
You know, if you can compromise anything

612
00:43:46.320 --> 00:43:52.559
in AWS's environment, it would be,
you know, Christmas a million times over.

613
00:43:52.760 --> 00:43:59.079
Sure, for an attacker. It's a
concentration of wealth, essentially, of all of the resources

614
00:43:59.159 --> 00:44:02.119
being spent. Well, I remember Meltdown
and Spectre and going, oh man, the

615
00:44:02.159 --> 00:44:06.480
cloud people are going to freak out. Not that there was ever a successful

616
00:44:06.519 --> 00:44:10.159
exploit against this, but just the
prospect that you might be able to see

617
00:44:10.880 --> 00:44:15.639
data from a different tenant because it
happened to be running on the same machine.

618
00:44:15.840 --> 00:44:20.039
You know, for a tech guy
like me who's deep in the hardware,

619
00:44:20.079 --> 00:44:23.119
I'm like, I love this, and
the fix for it is hard. Like, it

620
00:44:23.400 --> 00:44:29.440
genuinely, what, they knocked down ten percent
of the performance of processors to box that

621
00:44:29.559 --> 00:44:32.440
in. But I think about a
guy like Scott Guthrie at the head of

622
00:44:32.719 --> 00:44:37.400
Azure, like this is the stuff
that keeps him awake at night.

623
00:44:37.199 --> 00:44:40.920
Absolutely. Yeah. Yeah, there's
a lot of security vulnerabilities a company

624
00:44:40.960 --> 00:44:44.639
can come back from. And in
fact, if you look

625
00:44:44.639 --> 00:44:47.440
at companies that have big security breaches
and look at their share price, you'll

626
00:44:47.440 --> 00:44:50.800
see a blip, but you will
actually see it go up after you know,

627
00:44:51.079 --> 00:44:53.280
And there is a real problem:
there seem to be no consequences to

628
00:44:53.320 --> 00:44:59.280
getting exploited. Oh, like, but surely...
Nothing. Look, Ashley Madison's still in business.

629
00:44:59.480 --> 00:45:02.360
They get exploited, they prove that
their business is a lie, and

630
00:45:02.480 --> 00:45:08.400
they're still in business. I have
no comment as an American, no comment.

631
00:45:10.400 --> 00:45:14.519
Ah, did you see that vulnerability? I think it was last year

632
00:45:14.599 --> 00:45:21.000
or something, and it was in
memory chips where hackers found that they could

633
00:45:21.320 --> 00:45:24.000
by just hitting a certain memory register
over and over and over again. They

634
00:45:24.119 --> 00:45:30.519
raise the heat so much in that
register that it actually sets the bit next

635
00:45:30.639 --> 00:45:35.119
to it, flips it from zero
to one or one to zero. And

636
00:45:35.239 --> 00:45:39.039
that bit is an important bit in
you know, like allowing access or something

637
00:45:39.159 --> 00:45:45.039
like that. It was just unbelievable. How does anybody protect themselves against that

638
00:45:45.199 --> 00:45:49.719
kind of thing. It's mind blowing. It's mind blowing, it really is.

639
00:45:51.119 --> 00:45:52.280
But the thing is we need to
remember, again, going back to

640
00:45:52.360 --> 00:45:57.079
that dopamine part of our brain,
we can be fascinated by those big edge

641
00:45:57.119 --> 00:46:00.239
case ones, but it's highly unlikely
those are going to be the type

642
00:46:00.239 --> 00:46:05.320
of things we would do. Sure, we have to hold on to them.

643
00:46:05.599 --> 00:46:08.320
I want to provide a bit of doom and
gloom here because this is entirely too

644
00:46:08.400 --> 00:46:13.280
happy here. It makes me feel
at home. You know you've welcomed me

645
00:46:13.440 --> 00:46:16.519
in true security fashion. Yes.
Next, can we talk audit frameworks? Because

646
00:46:16.679 --> 00:46:22.840
they're... no, we're friends. You know, we don't have enough existential dread on

647
00:46:22.920 --> 00:46:29.079
this show. Let's talk about it. Frameworks, fabulous. I mean, the

648
00:46:30.000 --> 00:46:35.599
employer, the leadership asks us this
question: are we secure? They ask

649
00:46:35.639 --> 00:46:38.880
that question. And how do you
not just lie to them? Because there's

650
00:46:38.920 --> 00:46:44.440
no way to know, to the
best of our knowledge. We crave certainty,

651
00:46:45.400 --> 00:46:50.559
We crave concrete answers, not just
in security, in everything really, and

652
00:46:51.159 --> 00:46:53.280
this is one of those areas where
we can't. There isn't one. The best

653
00:46:53.360 --> 00:46:57.800
I was able to do as an
IT manager talking to leadership was like,

654
00:46:57.880 --> 00:47:00.360
listen, I think we're at a
place now where it's like we have a

655
00:47:00.519 --> 00:47:04.159
club on our steering wheel. It's
not that they can't steal the car if

656
00:47:04.159 --> 00:47:06.880
they really want the car, it's
that our car is now a pain in

657
00:47:06.920 --> 00:47:09.320
the butt to steal, and so
maybe they'll steal something else, Like we're

658
00:47:09.679 --> 00:47:15.360
we're gonna be okay with drive-bys
because we've done the fundamentals. But if

659
00:47:15.400 --> 00:47:20.159
someone is genuinely targeting you, there's
not that much you can do. Like

660
00:47:20.320 --> 00:47:24.599
it's very, very hard. Forget about the
car, steal the beaver treadmill. There

661
00:47:24.639 --> 00:47:28.480
you go. I think we went
with otters on that, actually. Did we

662
00:47:28.559 --> 00:47:30.480
go with otters? Yeah? Oh,
you did? You did. I'm trying

663
00:47:30.480 --> 00:47:36.880
to... let me tell you. I
think they're rotten little buggers, destructive little

664
00:47:36.920 --> 00:47:39.880
buggers. So Laura, tell us
a bit about SafeStack, because this

665
00:47:40.039 --> 00:47:45.639
seems to be something important to you. Yeah, absolutely. So SafeStack

666
00:47:45.800 --> 00:47:50.400
is my company. We're just
thirteen people, so, like, you know,

667
00:47:50.639 --> 00:47:55.280
a company at that scale, not
like global enterprises, and we call

668
00:47:55.320 --> 00:48:00.760
it for profit, but with massive
purpose. So we are on a mission

669
00:48:00.880 --> 00:48:05.719
to try and give everyone in development
the skills that they need to build secure

670
00:48:05.800 --> 00:48:08.280
software. So whether you're a product
person or UX person, developer, a

671
00:48:08.400 --> 00:48:14.199
tester, analyst, architect, everyone
has something to do and so we intentionally

672
00:48:14.239 --> 00:48:16.280
build a platform so you can learn
things and there's a free plan, like

673
00:48:16.360 --> 00:48:20.440
no strings, no credit cards.
You can go check it out and then

674
00:48:20.519 --> 00:48:24.079
we reinvest a part of the revenue
from that. So when you know,

675
00:48:24.159 --> 00:48:28.719
big banks and things, come and
work with us and we offer a few

676
00:48:28.880 --> 00:48:30.840
cool things. So we have our
free plan, we have parity pricing around

677
00:48:30.840 --> 00:48:37.400
the world. We also give free
training to every single computer science student

678
00:48:37.440 --> 00:48:44.079
in New Zealand and Australia. So
we're trying to use the business to grow

679
00:48:44.159 --> 00:48:50.719
a foundation of people with the skills
needed to kind of naturally do security as

680
00:48:50.760 --> 00:48:53.840
part of building software. We love
that there's a whole community of specialists who

681
00:48:53.960 --> 00:48:58.760
are in AppSec things, but
the future for us is about everyone doing

682
00:48:58.760 --> 00:49:00.880
a little bit. So that's what
we do. So yeah, it's a

683
00:49:00.880 --> 00:49:04.639
lot of fun. Well, in some
ways, it's a better use of those specialists' time, so

684
00:49:04.679 --> 00:49:07.440
they're not working on the fundamentals either. We're all working on the fundamentals and

685
00:49:07.480 --> 00:49:12.119
they can work on those edgier cases. Exactly, Yeah, exactly that.

686
00:49:12.599 --> 00:49:15.760
So education just gets people more eligible
about doing the right things. Yeah.

687
00:49:16.199 --> 00:49:22.639
So we have courses and qualifications and
hands on labs. We have playbooks and

688
00:49:22.760 --> 00:49:24.639
templates, so for anything we're doing, you should be able to go from

689
00:49:24.960 --> 00:49:28.280
'I now know about the thing' to 'I can do a thing.' And

690
00:49:28.400 --> 00:49:31.920
we also have a community where you
can come together with other people and ask

691
00:49:32.039 --> 00:49:36.159
anonymous questions and say, hey,
this is hard, I'm struggling with this.

692
00:49:36.639 --> 00:49:38.480
What have you done? So instead
of you know, just going to

693
00:49:38.760 --> 00:49:42.800
the internet and going, hey, here's
all of my vulnerabilities and laundry, please

694
00:49:42.840 --> 00:49:45.880
help me, there are some intentionally
built spaces for you to get some help

695
00:49:45.920 --> 00:49:52.000
and support. And we're now working
with about seventeen thousand engineers from eighty nine

696
00:49:52.039 --> 00:49:55.239
countries, so there's quite a breadth
of experience in there. Everyone from teeny

697
00:49:55.320 --> 00:49:59.719
tiny two person nonprofits all the way
up to big banks and airlines, so

698
00:50:00.159 --> 00:50:04.039
you've got really everyone at every stage
of that maturity cycle. Awesome. Have

699
00:50:04.199 --> 00:50:07.679
you ever seen Hack The Box,
hackthebox.com? Yeah,

700
00:50:07.679 --> 00:50:10.760
I'm sure you have, because who
doesn't know about it. But in the

701
00:50:10.840 --> 00:50:14.800
security space, it's a place where
you can come together and try to break

702
00:50:14.880 --> 00:50:19.440
into a machine. Yeah, and
that's a really good exercise to do.

703
00:50:19.599 --> 00:50:22.400
And maybe you do that in your
training classes too, I don't know.

704
00:50:22.920 --> 00:50:27.639
Yeah. So we've got an intentionally
vulnerable crypto exchange that we built as part

705
00:50:27.679 --> 00:50:30.039
of ours, so you can play
around and find the vulnerabilities in that.

706
00:50:30.920 --> 00:50:34.159
But there are some wonderful platforms even
outside of our own, so Hack the

707
00:50:34.199 --> 00:50:37.239
Box is one, but even in the
free space, if you're listening and you

708
00:50:37.320 --> 00:50:40.400
want to just get started and play
around and hack something, OWASP has a

709
00:50:40.480 --> 00:50:45.480
project called Juice Shop, which is
a Node application, but it's a Docker

710
00:50:45.559 --> 00:50:49.440
container. You can just download it
and off you go, and it's a

711
00:50:49.480 --> 00:50:52.480
little juice shop, as it says
on the label, and you can find

712
00:50:52.480 --> 00:50:54.760
the vulnerabilities, you can play and
you can hack those. So there's lots

713
00:50:54.800 --> 00:51:00.639
of really fun and, in many
respects, free places you can go to explore and

714
00:51:00.719 --> 00:51:06.519
play. And I can't understate how
important it is that when you're learning security,

715
00:51:06.920 --> 00:51:09.679
you don't approach it from a true
academic, 'I want to learn everything about

716
00:51:09.679 --> 00:51:14.639
cryptography' way, but that you engage
that bit of your brain that you did

717
00:51:14.719 --> 00:51:16.719
when you were a kid, that
bit of your brain that would look at

718
00:51:16.760 --> 00:51:21.400
something and go what if, and
that would be creative and would ignore the

719
00:51:21.519 --> 00:51:23.920
rules. As engineers, we build
the rules, we follow them very well,

720
00:51:24.760 --> 00:51:28.280
and one of the best things you
can learn is just when to

721
00:51:28.440 --> 00:51:32.639
just soften those up a bit and
just explore. Yeah, very good. What's next

722
00:51:32.679 --> 00:51:37.639
for you, Laura, what's in
your inbox? What's next? Well,

723
00:51:37.719 --> 00:51:42.440
I'm going to speak at a few
wonderful conferences, so you can come say

724
00:51:42.519 --> 00:51:45.679
hi to me at any of the
YOW! conferences in Australia later in the year.

725
00:51:45.280 --> 00:51:51.239
And I'm also hosting the security track
at QCon in London next year,

726
00:51:51.400 --> 00:51:57.360
so we'll have a whole curated day
of security awesomeness. Podcast-wise, we've got

727
00:51:57.400 --> 00:52:00.440
lots of wonderful people coming on and
collecting stories, so you can check us out

728
00:52:00.519 --> 00:52:05.280
at Build Amazing Things Securely. We're a
much smaller podcast than this one. These

729
00:52:05.320 --> 00:52:08.440
are like professionals. We're kind of
mostly making it up. I don't know

730
00:52:08.480 --> 00:52:14.719
about that, but for a long
time, we made a career making it

731
00:52:14.880 --> 00:52:19.639
up, and next year we're hoping
to find ways for you know, all

732
00:52:19.679 --> 00:52:22.199
those smaller companies out there. So
if you work for a giant organization,

733
00:52:22.280 --> 00:52:23.440
this probably isn't for you, but if
you're one of those, you know,

734
00:52:24.199 --> 00:52:29.920
between fifty engineers and two hundred engineers,
the smaller size, we're going to be releasing

735
00:52:29.920 --> 00:52:34.840
a whole bunch of free resources and
guides for how to build an AppSec program

736
00:52:35.199 --> 00:52:38.760
when you don't have any specialists or
huge budgets and fancy things. So watch

737
00:52:38.800 --> 00:52:43.639
this space. Lots of giving back
in the community, a lot of talking

738
00:52:43.800 --> 00:52:46.440
to folks, and if anyone ever
wants to come and chat AppSec,

739
00:52:49.559 --> 00:52:53.519
I'm irritatingly easy to find and you
can come and have a chat. I'd

740
00:52:53.519 --> 00:52:58.360
always love to learn what you're up
to. Fantastic Laura, this has been

741
00:52:58.440 --> 00:53:00.519
amazing. Thank you very much for
being on the show. Thank you,

742
00:53:00.960 --> 00:53:04.480
Thanks for having me. All right,
and we'll talk to you next time.

743
00:53:04.840 --> 00:53:30.480
I'm dot net Rocks. Dot net
Rocks is brought to you by Franklin's Net

744
00:53:30.760 --> 00:53:35.599
and produced by Pop Studios, a
full service audio, video and post production

745
00:53:35.760 --> 00:53:39.360
facility located physically in New London,
Connecticut, and of course in the cloud

746
00:53:40.000 --> 00:53:45.960
online at pwop dot com. Visit
our website at d O T N E

747
00:53:45.119 --> 00:53:50.960
t R O c k S dot
com for RSS feeds, downloads, mobile

748
00:53:51.000 --> 00:53:54.199
apps, comments, and access to
the full archives going back to show number

749
00:53:54.280 --> 00:53:59.480
one, recorded in September two thousand
and two. And make sure you check

750
00:53:59.519 --> 00:54:01.880
out our sponsors. They keep
us in business. Now, go write

751
00:54:01.920 --> 00:54:10.280
some code. See you next time.


