1 00:00:14,439 --> 00:00:18,679 Hey, what's going on? Y'all? Welcome to another episode of Adventures in 2 00:00:19,039 --> 00:00:25,280 dev Ops and joining me in the studio today my new routine co host, 3 00:00:25,640 --> 00:00:28,839 Warren Parade. What's going on? Warren? Hey? Thanks? Well, 4 00:00:28,879 --> 00:00:31,320 you know, at some point that's going to get old and I'll be the 5 00:00:31,359 --> 00:00:35,039 old co host and we'll have to come up with a new tagline for me. 6 00:00:35,799 --> 00:00:38,840 I know, I was just thinking that and I was like, damn, 7 00:00:38,840 --> 00:00:41,039 I didn't come up with anything new to say, so I had to 8 00:00:41,079 --> 00:00:45,200 go with the old, stale one. I'll work on. I'll work on 9 00:00:45,240 --> 00:00:49,479 that before next week's episode. I promise you didn't have enough homework to do. 10 00:00:49,719 --> 00:00:53,159 You've got one more thing now, right, right, It's good to 11 00:00:53,240 --> 00:00:59,520 keep busy. But also joining us today we have the co founder and CTO 12 00:01:00,159 --> 00:01:06,359 A Hero, Jonathan Elder. Welcome Jonathan, thanks for having me. Hey, 13 00:01:06,400 --> 00:01:08,760 I'm excited to have you here, and I'm looking forward to this episode 14 00:01:10,239 --> 00:01:15,280 because I've got two security experts here in the studio with me, and I 15 00:01:17,040 --> 00:01:23,760 think security is one of those really really, it's a really odd specialty to 16 00:01:23,920 --> 00:01:32,040 have because it's one that I feel like from a business perspective, like businesses, 17 00:01:32,239 --> 00:01:37,319 let's just be honest. Here, businesses tend to prioritize customer facing features 18 00:01:38,280 --> 00:01:46,480 and cheer about those much more than they do security work. But the end 19 00:01:46,560 --> 00:01:52,040 customers themselves, I don't think they ask for Like the end users of my 20 00:01:52,159 --> 00:01:57,079 applications don't ask for security related stuff. They just assume that I'm doing it. 21 00:01:57,760 --> 00:02:00,719 And so from a developer's perspective, it's really hard to feel like security 22 00:02:00,760 --> 00:02:07,560 gets the prioritization that it needs because everyone, I think everyone just assumes that 23 00:02:07,639 --> 00:02:13,719 you're doing that, because that's what you do as a good steward of your 24 00:02:13,800 --> 00:02:20,840 code. And so I'm interested to talk about that and how y'all view that 25 00:02:21,159 --> 00:02:28,439 and get some actionable tips that help us all bring security up and like make 26 00:02:28,439 --> 00:02:32,280 it the first class citizen that it should be. So, with that rambling 27 00:02:32,400 --> 00:02:38,319 intro out of the way, Jonathan, how did you get to this point 28 00:02:38,360 --> 00:02:44,039 where you're the co founder and CTO of a bureau? That's a long road, 29 00:02:47,120 --> 00:02:53,639 Like professionally it's been twenty years starting in the idea in Israel, but 30 00:02:54,120 --> 00:02:59,400 even before that, like there are many developers who are you know, tinkers 31 00:03:00,240 --> 00:03:05,840 to like pick apart things, figure out how it works, trying to reverse 32 00:03:05,879 --> 00:03:14,520 engineer stuff, whether it's you know, toasters or applications or back in the 33 00:03:14,599 --> 00:03:16,919 day like I don't know, Prince of Persia or whatever, trying to figure 34 00:03:16,919 --> 00:03:22,280 out how stuff works. So I think this was the start for me. 35 00:03:23,360 --> 00:03:30,199 I've been working on many startups since then, quite a few, and it 36 00:03:30,199 --> 00:03:34,439 took me twenty years to or maybe twenty minus five years since we started a 37 00:03:34,560 --> 00:03:40,639 bureau to start as a founder with the down plotting my partner who's the CEO. 38 00:03:42,639 --> 00:03:46,759 After we work together on a totally different thing, which is also security, 39 00:03:47,520 --> 00:03:53,520 but in a different field altogether, because security is really really broad, 40 00:03:53,800 --> 00:04:00,680 you know. Yeah, for sure, I think it's one of those that 41 00:04:00,560 --> 00:04:09,759 it's easy to to get specialized in a specialized specialty. When you talk about 42 00:04:09,800 --> 00:04:17,639 security. Yeah, there's there's a lot of niche like niches in in security 43 00:04:17,879 --> 00:04:24,079 now now people are saying cybers like. There are a lot of terms. 44 00:04:24,959 --> 00:04:29,839 There are people who are you know, working on ed R, people who 45 00:04:29,839 --> 00:04:34,279 are working like in pentests, people who are working on AppSec for thirty years. 46 00:04:34,319 --> 00:04:40,600 People. There are various fields that are everything is related, but there 47 00:04:40,600 --> 00:04:48,160 are many specialties in the industry. So there are communalities like the cat and 48 00:04:48,199 --> 00:04:56,079 mouse game with like good people versus bad people. It happens a lot, 49 00:04:56,279 --> 00:05:00,759 and it's it's like it takes different shapes in the net work security domain where 50 00:05:01,160 --> 00:05:05,800 it done. And myself we worked back in the day in Microsoft and UH 51 00:05:06,000 --> 00:05:11,879 and in in other places, but also in apsec, and also in in 52 00:05:12,079 --> 00:05:20,680 IoT and in very like diverse like sub cyber terms right on. And so 53 00:05:21,879 --> 00:05:31,319 with a hero, you're working to to provide visibility and and actionable context to 54 00:05:31,839 --> 00:05:35,959 the consumers of your platform. What does that what does that actually mean? 55 00:05:36,000 --> 00:05:41,759 What kind of things do you help help someone do or accomplish? Uh, 56 00:05:42,439 --> 00:05:47,279 there's a there's an evolution in AppSec, in application security. UH. It 57 00:05:47,439 --> 00:05:56,480 started with like very like technology related products. There was at first there was 58 00:05:56,879 --> 00:06:01,000 you know, SASS finding vulnerabilities in your code and it and it evolved, 59 00:06:02,040 --> 00:06:09,720 and there there came os S security, s c A finding vulnerabilities in open 60 00:06:09,759 --> 00:06:15,000 source, and then software supply chain security that finding stuff like this is more 61 00:06:15,079 --> 00:06:21,199 develops proper right if the GitHub configuration allows you to do such and such as 62 00:06:21,240 --> 00:06:27,920 an example and various other fields, right, secret detection, et cetera. 63 00:06:28,040 --> 00:06:34,920 So it all evolved and now it's like got a proper abbreviation, a SPM 64 00:06:35,040 --> 00:06:44,920 Application Security pasture management, which like takes everything into one single like UI or 65 00:06:45,079 --> 00:06:49,519 one single source of truth where you can see what goes on in your applications 66 00:06:49,839 --> 00:06:55,319 and it Uh, we've come a long way uh for Gartner to coin that 67 00:06:55,439 --> 00:07:03,360 term and for companies to understand that having seven different like specialized tools is not 68 00:07:03,480 --> 00:07:08,639 a good way to understand what goes on. There's a lot of reasons, 69 00:07:08,639 --> 00:07:13,360 but I think that the main one is you don't have context. Right. 70 00:07:13,399 --> 00:07:19,399 You have thirty thousand alerts, twenty thousand came from that SAS tool, five 71 00:07:19,439 --> 00:07:25,560 thousand came from that OSS tool. And now what I have three people in 72 00:07:25,560 --> 00:07:34,399 my A team covering thirteen thousand developers, We have twelve hundred poor requests a 73 00:07:34,480 --> 00:07:42,600 day. What do I do so to answer your question like this is the 74 00:07:42,639 --> 00:07:47,600 context maybe to answer your question like we look at it in like three layers. 75 00:07:48,040 --> 00:07:51,839 First is visibility, knowing what you have. I always say, you'll 76 00:07:51,879 --> 00:08:00,639 be amazed how developers, CTOs, CEO, CIOs, AppSec people they don't 77 00:08:00,680 --> 00:08:05,279 have a clue what they have. As long as you have more than maybe 78 00:08:05,439 --> 00:08:11,240 ten fifteen twenty developers, not to mention one thousand or thirty thousand, you 79 00:08:11,279 --> 00:08:13,800 don't know. I don't know which database is, what technology is, how 80 00:08:13,879 --> 00:08:20,279 many platforms for oh off you are using? How many languages are all this 81 00:08:20,720 --> 00:08:28,079 you can't fathom too much. So you can go from there to what APIs? 82 00:08:28,079 --> 00:08:30,759 Do I have? Do I have graph quel even? I don't know? 83 00:08:31,639 --> 00:08:37,720 Does it go through some engeniques? What's the technology that says don't go, 84 00:08:39,159 --> 00:08:43,000 go, no go? I don't know? So first visibility, like 85 00:08:43,440 --> 00:08:48,360 what do I have? We call it an inventory? Right. The second 86 00:08:48,399 --> 00:08:54,039 phase is, as I said, you have thirty thousand alerts, findings, 87 00:08:54,039 --> 00:08:58,639 whatever. So prioritize. Tell me what should I focus on right now? 88 00:08:58,919 --> 00:09:03,159 What will bring most value to my company? What will stop and attack, 89 00:09:03,759 --> 00:09:07,000 what will be worth my time, what will save us the most money, 90 00:09:07,759 --> 00:09:15,279 et cetera. So prioritization is the second thing after that remediation. And after 91 00:09:15,360 --> 00:09:20,799 remediation, like help me find who's the right person to talk to because I 92 00:09:20,840 --> 00:09:24,600 have again thirteen how much did I say, thirteen thousand developers? Who's the 93 00:09:24,679 --> 00:09:31,320 right person who can say this API should actually go to the internet and download 94 00:09:31,399 --> 00:09:37,480 such and such other Who I can say should I go and ask? So 95 00:09:37,279 --> 00:09:43,440 this is remediation, and after that, like the advanced customers of a PIRO 96 00:09:43,960 --> 00:09:52,519 do more of managing and prevention for such things, so they employ workflows that 97 00:09:52,600 --> 00:10:01,480 automatically whenever a certain risk goes above a certain threshold, then they will start 98 00:10:01,840 --> 00:10:07,919 a certain trigger, maybe appentest, maybe a code review. So this is 99 00:10:07,919 --> 00:10:13,399 how we help people, like three people versus thirteen thousand people maybe try to 100 00:10:13,440 --> 00:10:18,879 get a hold of application security right on. Yeah, So a big part 101 00:10:18,919 --> 00:10:24,039 of that is just, well, like you said, just set in context, 102 00:10:24,039 --> 00:10:28,480 like taking all of this information and figuring out what parts of it's relevant, 103 00:10:28,559 --> 00:10:33,759 which parts are urgent, and just trying to turn it into something actionable 104 00:10:33,799 --> 00:10:41,120 so you don't feel like you're overwhelmed and destined to never succeed. Yeah, 105 00:10:41,480 --> 00:10:48,679 it's really like I think personally, one of the most frustrating things that I 106 00:10:48,840 --> 00:10:54,279 faced in that context is people saying shift left, shift left, which is 107 00:10:54,720 --> 00:11:00,000 like, it's a nice term, I get it, but if it says 108 00:11:00,240 --> 00:11:05,480 all the burden on me, the developer or the develops engineer, then someone 109 00:11:05,480 --> 00:11:09,840 else do the job, Well, why should I be the one to handle 110 00:11:09,879 --> 00:11:16,080 everything? Right? So shift left is really important, but you have to 111 00:11:16,080 --> 00:11:22,399 do it right. If you have six thousand findings from your automat like automated 112 00:11:22,879 --> 00:11:31,399 certain process of static analysis, and you're shifting it left. You have to 113 00:11:31,440 --> 00:11:37,519 really chew it up and spit out only the three, the five, whatever 114 00:11:39,440 --> 00:11:46,399 actionable findings that I can handle. If you'll give me one hundred, it 115 00:11:46,440 --> 00:11:50,000 will be deprioritized in my I have features to develop. But if you'll say 116 00:11:50,879 --> 00:11:58,159 these certain vulnerabilities, it might have false positives, it's fine. But if 117 00:11:58,159 --> 00:12:01,840 it's two out of three, I'm fine with it because I see the value. 118 00:12:01,879 --> 00:12:05,679 I can see I'm helping my company be more productive. But if these 119 00:12:05,799 --> 00:12:11,960 three a let's say vulnerabilities are in APIs that I know that are not in 120 00:12:11,039 --> 00:12:16,519 test code. They are in some application that is facing the internet, right, 121 00:12:18,039 --> 00:12:22,519 so it's exploitable. Perhaps maybe not, but it has a certain like 122 00:12:24,000 --> 00:12:28,480 it might be exploitable, and I know the code right, it's like people 123 00:12:28,519 --> 00:12:33,399 from my team has written the code. And more than that, I'm a 124 00:12:33,480 --> 00:12:37,759 security champion, right because my team has one hundred developers. But the apps 125 00:12:39,080 --> 00:12:43,639 gave that task to me because they know that I'm like well versed in security 126 00:12:43,679 --> 00:12:48,039 stuff. Right. In that case, go on shift left. I will 127 00:12:48,039 --> 00:12:52,559 make it right. If you have a false positive, I'll help you be 128 00:12:52,679 --> 00:12:58,159 better. But I will fix it and I will accept the the two out 129 00:12:58,200 --> 00:13:05,000 of three false positives. I got a hypothetical for you here, So like, 130 00:13:05,480 --> 00:13:09,799 I know that there are these other platforms out there that are compliance driven 131 00:13:09,000 --> 00:13:15,720 checklist aggregators right there for SoC two or ISO, and they collect a lot 132 00:13:15,720 --> 00:13:20,240 of things from individual sources within your your company, your engineering organization to help 133 00:13:20,279 --> 00:13:26,919 you achieve passing some sort of certification or regulation. But it feels like your 134 00:13:26,960 --> 00:13:31,080 company, uh actually focuses on the value of security there right like actually, 135 00:13:33,000 --> 00:13:37,799 rather than some sort of checkbox approach. It really is these things are important 136 00:13:37,840 --> 00:13:46,000 to solve and not just to achieve a particular In my that's a great question. 137 00:13:46,480 --> 00:13:52,039 As my head is a CTO. I have to go through sock to 138 00:13:52,360 --> 00:13:58,799 type two. Of course I have to do that, and it's important too 139 00:13:58,840 --> 00:14:03,559 write right like show our customers that we take it seriously, even if some 140 00:14:03,679 --> 00:14:13,159 questions in those compliance frameworks are kind of mundane and seem like that they didn't 141 00:14:13,159 --> 00:14:20,600 adapt to twenty twenty four maybe, but these two are important. So in 142 00:14:20,639 --> 00:14:24,879 general, we do have like a module for questionnaires. There are a lot 143 00:14:26,360 --> 00:14:31,279 by the way, for I'm not sure from the audience here, what's the 144 00:14:31,320 --> 00:14:37,120 average size of a company that they work for, from independent contractors to one 145 00:14:37,120 --> 00:14:43,200 of thirteen thousand developers maybe or thirty thousand. But for the larger companies, 146 00:14:43,519 --> 00:14:48,720 they do have a lot of compliance going on, sock to type, sock 147 00:14:48,799 --> 00:14:58,480 to ISO, and also like they have all sorts of controls for you don't 148 00:14:58,960 --> 00:15:07,000 you can't change a certain area of the code base without answering like two hundred 149 00:15:07,080 --> 00:15:13,840 questions. So this is an area that we also help our customers and do 150 00:15:13,879 --> 00:15:18,039 it smart. Like if we can automatically answer, as you said, or 151 00:15:18,519 --> 00:15:26,879 thirty seventy sixty percent of the questions because they are code related or developer related, 152 00:15:28,000 --> 00:15:33,360 we can easily answer that. But for the rest of the forty percent 153 00:15:33,399 --> 00:15:37,840 of the questions you can go and answer. Then you can automate the process. 154 00:15:39,039 --> 00:15:41,519 I say, I mean, and I'm just really intrigued here, Like 155 00:15:41,639 --> 00:15:48,440 it sounds like you could almost utilize a pro to replace whatever automation platform you 156 00:15:48,480 --> 00:15:54,360 have for soalk two findings and utilize that to actually achieve it is that accurate 157 00:15:56,519 --> 00:16:03,720 well talk to like let's say it might require you to present that you have 158 00:16:04,120 --> 00:16:11,519 some sort of like a rule set of how you do back up and restore, 159 00:16:12,039 --> 00:16:15,679 so this is an area that we won't help you with that. You'll 160 00:16:15,720 --> 00:16:19,960 still you still also have to go through I don't know, some sort of 161 00:16:21,320 --> 00:16:26,159 an audit vendor that will the stamp you have to do that. I won't 162 00:16:26,159 --> 00:16:30,440 tell. I won't save you from that one. But for the real answers 163 00:16:30,480 --> 00:16:37,200 like that are expensive in terms of time and money to together, right uh 164 00:16:37,600 --> 00:16:47,159 uh. They will ask you show me evidence that developers, maybe statistical evidence, 165 00:16:47,200 --> 00:16:53,200 but that developers are going through such and such process in order to to 166 00:16:53,240 --> 00:17:00,840 trigger some uh some other let's say paintest or whatever. Okay, and all 167 00:17:00,960 --> 00:17:06,319 of these things, like many of these things we can derive from what we 168 00:17:06,359 --> 00:17:12,480 analyze. Because we analyze every commit in your guitar, bit bucket, git 169 00:17:12,559 --> 00:17:18,319 lab, whatever you use. Perforce. We analyze every commit, every ProQuest, 170 00:17:18,519 --> 00:17:22,319 every Gerra ticket, as a DevOps ticket, whatever. There's a lot 171 00:17:22,359 --> 00:17:27,839 of data there. And the last thing I want like our customers to do 172 00:17:29,400 --> 00:17:37,720 is go through tedious like uh like exports of things and go with their eyes 173 00:17:37,799 --> 00:17:42,880 over a thousands of rows and figure out stuff by themselves. We want to 174 00:17:42,920 --> 00:17:47,279 help as much as we can, hope I answer the question, yeah, 175 00:17:47,319 --> 00:17:48,480 No, I mean you said something really interesting to me, and I think 176 00:17:48,480 --> 00:17:52,319 maybe interesting for the listeners as well as like where do you hook into the 177 00:17:52,359 --> 00:17:56,440 process? And I got this idea, maybe there's an integration that happens if 178 00:17:56,440 --> 00:18:02,000 I change some database through terror form that I'm already a learned that this could 179 00:18:02,079 --> 00:18:08,440 have security applications. That is that accurate? Yes? Yeah, so so 180 00:18:08,640 --> 00:18:15,200 if you if you go let's say let's say that you're an advanced shop, 181 00:18:15,480 --> 00:18:18,240 right and you have everything via their form. Okay, so this is a 182 00:18:18,240 --> 00:18:25,240 good case. Uh we uh at at least hook up into your source control 183 00:18:25,279 --> 00:18:29,519 manager. Okay. If you're more advanced, we will hook into your gra 184 00:18:30,400 --> 00:18:37,079 maybe your Kubernetes environment in a w S or Google or asure. If you're 185 00:18:37,079 --> 00:18:41,720 more advanced than that, then to your API gateway, a PI security tool, 186 00:18:42,480 --> 00:18:47,759 and and and maybe your security scanner. Maybe you have sneak, maybe 187 00:18:47,799 --> 00:18:52,839 you have menned, maybe you have like dozens of others. Right. Uh, 188 00:18:52,880 --> 00:18:56,319 And we take all that data and crunch it up together. But at 189 00:18:56,759 --> 00:19:00,799 the very minimum, we analyze your code. You can opt out, you 190 00:19:00,839 --> 00:19:04,880 can choose what code to analyze and whatnot of it. But assuming that you 191 00:19:04,960 --> 00:19:11,400 have terror form, then yes we will alert if let's say a certain application 192 00:19:11,640 --> 00:19:15,720 shouldn't be connected to the internet, and maybe you hook it up into an 193 00:19:15,960 --> 00:19:22,759 ingress in GK whatever that is connected to the internet, then you can automate 194 00:19:22,799 --> 00:19:27,119 that process and put a guardrail. Right. So I should have mentioned maybe 195 00:19:27,200 --> 00:19:33,559 before that we have like a concept that we called governance, which by default 196 00:19:33,599 --> 00:19:38,759 it comes with a certain rule set, but you're free to change, to 197 00:19:38,839 --> 00:19:44,680 delete rules, to add rules, to tailor it to your specific needs. 198 00:19:45,400 --> 00:19:52,359 But you can say, you can define what's to you, what's a material 199 00:19:52,480 --> 00:19:56,480 change, as we say, right, if someone added an API, it 200 00:19:56,640 --> 00:20:00,319 might not be material to you. But if someone add then API that is 201 00:20:02,119 --> 00:20:07,160 connected to the internet and it is exposing a certain type of data, then 202 00:20:07,200 --> 00:20:11,799 maybe this is dangerous because whatever in your realm, this is what happens, 203 00:20:11,200 --> 00:20:15,680 right, And then you can say, let's define a workflow. If such 204 00:20:15,680 --> 00:20:22,079 and such happens, then open a ticket block. The PR don't allow a 205 00:20:22,160 --> 00:20:27,720 developer to change the terraform module X, y or z in such a way, 206 00:20:29,240 --> 00:20:32,960 right, and so you can control that. Usually people start with understanding 207 00:20:32,960 --> 00:20:37,240 what they have and then they evolve, like their process evolves into putting more 208 00:20:37,240 --> 00:20:44,200 and more prevention guardrails like that one. I think automated feedback to the engineering 209 00:20:44,200 --> 00:20:48,200 teams when they're performing something that matches one of these governmance rules. I feel 210 00:20:48,200 --> 00:20:52,039 like there's going to be a bunch of platform develops related people out there that 211 00:20:52,079 --> 00:20:59,519 are jumping for joy over this functionality. Honestly, yeah, this is as 212 00:20:59,519 --> 00:21:06,359 a developed like I have to people enjoy it, like people usually say, 213 00:21:06,440 --> 00:21:08,680 eat your own dog food. Right, Yeah, it's an important concept. 214 00:21:10,640 --> 00:21:15,279 So for us, it's like in the extreme, right, because our platform 215 00:21:15,359 --> 00:21:23,039 is for APSEC teams and developers. Developers are are a bunch of people who 216 00:21:23,039 --> 00:21:26,519 are really hard to please. Okay, let let's put it that way. 217 00:21:27,920 --> 00:21:34,759 And that again, like developers are used to tools like compilers or IDs where 218 00:21:34,799 --> 00:21:38,359 they get I don't know, five nines of accuracy. Right, the compiler 219 00:21:38,400 --> 00:21:45,359 doesn't make mistakes. Usually it happens, but it's really rare. That's good 220 00:21:45,359 --> 00:21:48,759 point. Actually, usually it's your fault as a developer if you see an 221 00:21:48,839 --> 00:21:53,359 error, it's not the compiler. So again, going back to the example 222 00:21:53,400 --> 00:22:00,759 from before, like going through six thousand alerts from a certain security platform is 223 00:22:00,880 --> 00:22:08,720 not acceptable for a developer, So we we really make an effort to cater 224 00:22:08,880 --> 00:22:14,640 the needs of developers where they get when we get to the developer like the 225 00:22:14,720 --> 00:22:18,000 develops as you said, the develops engineer who or who is jumping out of 226 00:22:18,079 --> 00:22:23,839 joy. We really we are working with our customers to make sure that the 227 00:22:23,960 --> 00:22:30,799 process we will start with visibility. They understand, we understand what goes on. 228 00:22:30,839 --> 00:22:41,119 And then when they let's say, automate jolting with electricity, the developer 229 00:22:41,200 --> 00:22:45,599 who did such a bad thing, do it only when you're sure, right, 230 00:22:45,519 --> 00:22:51,000 or let's say more realistically, like opening a ticket for a certain team 231 00:22:51,680 --> 00:22:56,599 when such a thing happens, is only when they are certain right. There's 232 00:22:56,680 --> 00:23:06,079 always mistakes, It's fine, but we really advise customers to evolve into it. 233 00:23:06,160 --> 00:23:11,640 And if you see that, you can not ask your develop steam to 234 00:23:11,799 --> 00:23:18,839 be always they will be alert. But don't go every day at five pm 235 00:23:18,079 --> 00:23:22,000 go through all pull requests and make sure there is no such and such right, 236 00:23:22,480 --> 00:23:26,799 don't do that. Automate that right. This is an easy thing, 237 00:23:26,079 --> 00:23:32,640 let's say so yeah, with care, but as much automation as we can 238 00:23:33,400 --> 00:23:37,839 is really the ROI is really clear for the customer. Yeah, definitely, 239 00:23:40,960 --> 00:23:45,319 Yeah, And I think that's really a great approach as well, because by 240 00:23:45,519 --> 00:23:52,759 making sure that you're relaying the information to only the people who can actually do 241 00:23:52,839 --> 00:23:57,000 something about it. You're going to minimize the tendency that we have to just 242 00:23:57,319 --> 00:24:03,759 turn off things that we we determined to be background noise, you know, 243 00:24:03,839 --> 00:24:06,839 like you like you mentioned you know, if you get ten thousand security alerts, 244 00:24:07,440 --> 00:24:10,480 we're going to turn it off as background noise, even though they might 245 00:24:10,519 --> 00:24:18,680 not be. But if you provide specific information and and remediation steps for it, 246 00:24:18,880 --> 00:24:22,400 and it's like, oh, that's that's something I can do, And 247 00:24:22,599 --> 00:24:29,119 I think that actually lends a lot of long term stability to your overall security 248 00:24:29,119 --> 00:24:37,400 process for sure. Also, there's a I think something that that is people 249 00:24:37,480 --> 00:24:45,559 tend to consolidate certain tasks. Let's say there's a there's an app SEC team. 250 00:24:45,599 --> 00:24:51,240 Let's say I get a report every day every week with a list of 251 00:24:51,319 --> 00:24:57,680 vulnerabilities. I might say, hey, John, you're the you're the remediation 252 00:24:57,839 --> 00:25:03,440 guy. H here's the list. Go every day again and again, go 253 00:25:03,519 --> 00:25:07,920 through it, make sure it's fine. You might stick some boxes. You'll 254 00:25:07,960 --> 00:25:14,400 say to the ISO person from the auditor, You'll say, I have a 255 00:25:14,480 --> 00:25:21,640 process. Here's John, here's my vulnerability person. I'm good, and you'll 256 00:25:21,640 --> 00:25:26,599 get You'll get the v there but like, at least in some cases, 257 00:25:26,640 --> 00:25:30,839 not all the time, but this in some cases, the shift left here 258 00:25:30,880 --> 00:25:37,319 is really substantial. Right out of the six thousand developed developers. Sorry vulnerabilities, 259 00:25:37,440 --> 00:25:41,440 you might say, these four thousand are irrelevant because they are in tesco, 260 00:25:41,799 --> 00:25:47,720 they are in old repositories that are not deployed anywhere. Forget about it. 261 00:25:48,160 --> 00:25:52,079 Yeah and so and so, And you narrow it down and you get 262 00:25:52,079 --> 00:25:59,279 to the twenty seven actionable vulnerabilities that like tending to will bring impact to the 263 00:25:59,319 --> 00:26:03,839 company. And then you'll say, for each one of the twenty seven, 264 00:26:03,160 --> 00:26:07,720 who's the right person? And here comes the concept that I like the most 265 00:26:07,720 --> 00:26:14,079 here, which is code ownership. In appare we have a collective code ownership, 266 00:26:14,599 --> 00:26:19,440 but when a certain problem arises, there's always the one person that knows 267 00:26:19,480 --> 00:26:25,279 about this thing the most. And it's not, you know, naively, 268 00:26:26,240 --> 00:26:32,279 the last person who touched that piece of code. It's more usually reality is 269 00:26:32,359 --> 00:26:41,680 more complicated than that. So we make huge efforts in analyzing the behavior of 270 00:26:41,720 --> 00:26:47,799 every developer, what code they are touching in which way do they like. 271 00:26:47,880 --> 00:26:55,119 There's a difference between like the CEO doesn't know well enough and he does refractoring 272 00:26:55,200 --> 00:27:00,319 and he makes the code cleaner because he wants to the difference between that guy 273 00:27:00,640 --> 00:27:11,000 and someone else who went and replaced the authentication mechanism from user password to octa 274 00:27:11,119 --> 00:27:15,599 integration datata. Right, there's a huge different difference between those two. I'm 275 00:27:15,640 --> 00:27:22,799 not saying the latter is better, but that person is way more capable in 276 00:27:23,039 --> 00:27:27,000 saying, hey, this vulnerability is real, it's actionable. This is the 277 00:27:27,000 --> 00:27:30,799 way to solve it. Maybe some other person will solve it, but this 278 00:27:30,880 --> 00:27:34,960 is the way, and this is how we can, you know, get 279 00:27:36,000 --> 00:27:41,240 to do remediation much much faster and cheaper. That's super cool. So you're 280 00:27:41,279 --> 00:27:48,119 actually building like a a historical audit of the actions of the people on the 281 00:27:48,200 --> 00:27:53,119 platform, so you can identify what their expertise is and figure out who the 282 00:27:53,200 --> 00:27:59,119 right person is without asking, without doing like an ad channel and a SLAT 283 00:27:59,160 --> 00:28:03,559 group with thirteen thousand people in it. Mm hmmm, yeah exactly. And 284 00:28:04,559 --> 00:28:12,119 we have a thing where we I feel more like, let's say it's maybe 285 00:28:12,160 --> 00:28:18,480 a bad word, like more privileged than my previous self. When we did 286 00:28:18,640 --> 00:28:25,240 in previous company, we did network security. We analyzed network traffic, so 287 00:28:25,279 --> 00:28:30,920 we connected to switch in the server farm and we tapped to the traffic and 288 00:28:30,960 --> 00:28:37,079 we analyzed it. But it started tequal zero. It started when we connected. 289 00:28:37,240 --> 00:28:42,240 Right now we are privileged is an app sec company where we connect like 290 00:28:42,359 --> 00:28:48,920 via API to let's say guitub and then we can analyze the entire history of 291 00:28:48,920 --> 00:28:53,079 a Git repository from ten years ago. Right. So in that sense, 292 00:28:53,200 --> 00:28:57,839 we have from when we start as we start to have a lot of information 293 00:28:57,960 --> 00:29:04,440 about the code behavior, who's doing what, and we analyze the behavior ever 294 00:29:04,599 --> 00:29:12,279 developer and we say this subset is what we call a security champion, right. 295 00:29:14,079 --> 00:29:19,720 So some of our customers have actually using that. They have built like 296 00:29:19,759 --> 00:29:26,160 a security champion program. So they have let's say three app sec people on 297 00:29:26,200 --> 00:29:30,799 the team, like who's in charge of the entire company, and they have 298 00:29:30,079 --> 00:29:37,319 one hundred and fifty development teams and they chose one or two people from every 299 00:29:37,400 --> 00:29:45,559 division will be like their ambassadors into security. So when there's an issue with 300 00:29:45,240 --> 00:29:52,200 product X, they can say, hey, team, we've talked before, 301 00:29:52,400 --> 00:29:57,640 we've taught you about our processes, there's such and such problem, please advice, 302 00:29:59,200 --> 00:30:03,519 right, And he's one out of seventy people, so they don't need 303 00:30:03,559 --> 00:30:07,880 to go through proper channels with the management and and do like a like a 304 00:30:07,920 --> 00:30:14,160 heavy thing. They have people they can talk to and it's not bureaucratic. 305 00:30:14,200 --> 00:30:18,799 It's data driven, which is really like it proves helpful in many cases, 306 00:30:22,119 --> 00:30:25,880 right, and that's super cool. One of the things you talked touched on 307 00:30:26,200 --> 00:30:33,920 a little bit earlier was talking about the context and the visibility of it, 308 00:30:34,720 --> 00:30:40,319 and you kind of mentioned that, you know, fixing these vulnerabilities gives you 309 00:30:40,359 --> 00:30:45,400 the ability to say, hey, we prevented or we blocked this before it 310 00:30:45,519 --> 00:30:52,200 was exploited. How much value do you think there is in that by by 311 00:30:52,279 --> 00:30:57,400 showing the things the ability that you had to stop something before it happened and 312 00:30:57,480 --> 00:31:03,440 kind of elevate secure already work to that of like future requests because everyone gets 313 00:31:03,440 --> 00:31:08,640 excited over the new future requests. Do you think that showing the security vulnerabilities 314 00:31:08,640 --> 00:31:18,119 you've re mediated helps bring bring some awareness to that? For sure? So 315 00:31:18,599 --> 00:31:22,000 I think coming back to something I think you said maybe before we started recording, 316 00:31:23,680 --> 00:31:30,759 security is a thing like everybody wants it to not exist until something hits 317 00:31:30,799 --> 00:31:36,400 a fan somewhere, right, and then oh my god, we had to 318 00:31:36,440 --> 00:31:42,000 do such and such before. I wish three months ago when we designed the 319 00:31:42,039 --> 00:31:48,640 feature we would have thought about it. I wish we drink testing. We 320 00:31:48,720 --> 00:31:55,960 would go through the list of things that could go wrong and find out about 321 00:31:56,000 --> 00:32:02,240 it. So, but the reverse of it is everyone, everybody wants to 322 00:32:02,319 --> 00:32:08,480 celebrate new features and sell it to customers. So uh, it's a hard 323 00:32:08,519 --> 00:32:15,480 bargain sometimes to for security teams to prove their their worth to the organization because 324 00:32:15,880 --> 00:32:23,440 nobody pays attention to quiet. Like the CSO can can come to a board 325 00:32:23,519 --> 00:32:30,720 meeting, or the APPSC engineer can come to a certain meeting all hands for 326 00:32:30,799 --> 00:32:36,920 the company and say, hey, for seven months no incident, everything is 327 00:32:37,000 --> 00:32:40,039 quiet on my front. They might say, okay, let's reduce the team 328 00:32:40,480 --> 00:32:45,319 right exactly. Yeah, life, life of security is really hard that way. 329 00:32:46,440 --> 00:32:52,839 But I think I think that it's a game of numbers proving. Let's 330 00:32:52,880 --> 00:32:58,920 say again, when people are used to false positives, and it's true both 331 00:32:59,000 --> 00:33:07,319 for networks, security, intrusion alerts, whatever, DLP viruses, for everything 332 00:33:07,359 --> 00:33:14,440 including appsect. When people are used to false positives, they're they're they're not 333 00:33:14,480 --> 00:33:19,279 paying attention, like everything is noise. We have a we have a concept 334 00:33:19,359 --> 00:33:29,799 of funnel where we are showing you have starting with thirty thousand alerts, and 335 00:33:30,240 --> 00:33:35,279 via various steps you go to a lower and lower and lower number until you 336 00:33:35,319 --> 00:33:39,319 get to a manageable amount of things that you can actually work on. And 337 00:33:39,359 --> 00:33:43,920 if this is the focus, and in each team, it's a little bit 338 00:33:43,920 --> 00:33:49,400 different. For some is like the is it connected to the is it exposed 339 00:33:49,440 --> 00:33:52,000 to the internet? Just no, it really reduces. For some everything is 340 00:33:52,039 --> 00:33:55,839 exposed to the internet, So there are differences. But as long as the 341 00:33:55,920 --> 00:34:04,039 number goes down and and is it becomes manageable and real, then the teams 342 00:34:04,279 --> 00:34:08,000 pay more attention. When you come as an absect to the dev team, 343 00:34:09,039 --> 00:34:16,480 you're not wasting their time. They feel once they do like there's a I 344 00:34:16,519 --> 00:34:24,679 think there's people underestimate developers or develops engineers in the industry where some say that 345 00:34:24,719 --> 00:34:29,960 they don't care about security because it's someone else's concern. I don't think it's 346 00:34:29,960 --> 00:34:35,920 true. Maybe that's just my opinion, but I don't think it's true. 347 00:34:36,119 --> 00:34:43,599 And and if if like apseck came to developers with a small number of real 348 00:34:43,719 --> 00:34:50,760 things, then the developers will be excited to deliver on it and they will 349 00:34:50,800 --> 00:34:53,880 feel that they're building a stronger product. By the way, the same thing 350 00:34:54,639 --> 00:35:01,639 is true also with performance and other things that are not like purely like features. 351 00:35:02,280 --> 00:35:06,400 Performances a feature. Security is a future. I really believe in it. 352 00:35:06,480 --> 00:35:13,599 So I think as long as the numbers are are manageable, I think 353 00:35:13,679 --> 00:35:19,599 people will treat it the same way as features, and they can even celebrate 354 00:35:19,639 --> 00:35:27,199 it. Yeah, for sure. I think especially like if you are just 355 00:35:28,159 --> 00:35:30,360 trying to say, Okay, we got to get we got to get a 356 00:35:30,400 --> 00:35:36,119 grip on our security, and you're working with a code base that's been around, 357 00:35:36,360 --> 00:35:37,920 you know, for a year or more. The first time you run 358 00:35:37,920 --> 00:35:44,360 that security scan, it's going to be overwhelming and that your first at least 359 00:35:44,360 --> 00:35:46,840 for me, my first instinct is to look at the findings and go, 360 00:35:47,039 --> 00:35:52,840 yeah, that's a problem for next sprint and then move on and next year 361 00:35:52,840 --> 00:35:55,880 I'll have the same conversation with myself. So I think there's really a lot 362 00:35:55,920 --> 00:36:01,239 of value in saying, Okay, let's just put this in context and here 363 00:36:01,239 --> 00:36:06,360 are the key things that you can focus on this brand that'll actually make a 364 00:36:06,400 --> 00:36:08,119 difference. Yeah. I mean, you're really talking about curation there, and 365 00:36:08,159 --> 00:36:10,920 I think that's one of the things that a lot of tools in the Devil 366 00:36:10,960 --> 00:36:15,440 of Space overall get wrong. They think it's like a lack of information. 367 00:36:15,559 --> 00:36:19,360 They're all about exposing as many things as possible as if that's where the value 368 00:36:19,440 --> 00:36:22,920 is. And I think the tool we haven't said but kept talking about here 369 00:36:22,000 --> 00:36:27,400 is sort of like depend upon on GitHub, which you know spams every single 370 00:36:27,440 --> 00:36:30,840 thing, and it's very difficult to know whether or not there's value in any 371 00:36:30,880 --> 00:36:32,800 one of those alerts. So realistically, you want it to be curated. 372 00:36:32,800 --> 00:36:37,320 That's where the value is, right, having not only information, but relevant 373 00:36:37,360 --> 00:36:44,039 and useful and correct information, Right, that's prioritized. Yeah, exactly, 374 00:36:45,159 --> 00:36:49,199 like this is our this is our claim to fame actually, because we're saying 375 00:36:49,199 --> 00:36:54,719 like ESPM is the is the abbreviation, and we say deep SPM because we 376 00:36:54,880 --> 00:37:02,400 really believe that just aggregating alerts, putting putting them, displaying them in a 377 00:37:02,480 --> 00:37:08,079 nice table which streams nicely, uh, and putting nice graphs on top. 378 00:37:08,519 --> 00:37:13,880 It's like, I don't want to sound disrespectful, but as you said, 379 00:37:14,000 --> 00:37:21,440 right now, we're putting context uh into into that data is really crucial, 380 00:37:21,840 --> 00:37:28,280 uh, in order to allow prioritization and remediation. So we when we say 381 00:37:28,360 --> 00:37:35,119 deep I'll give you an example, when we say deep uh we uh we 382 00:37:35,159 --> 00:37:38,840 analyze the code right, We analyze the gerry tickets, We read all the 383 00:37:38,880 --> 00:37:45,360 fields. We analyze. We know what's an API. We know what's a 384 00:37:45,480 --> 00:37:51,840 data model, and if it's safe to the database, if it's exposed via 385 00:37:52,400 --> 00:37:58,039 that a PR or that I p I we know UH if a certain UH 386 00:37:58,480 --> 00:38:02,880 like code element is in a certain module, which might be a part of 387 00:38:02,920 --> 00:38:07,639 a repository. There might be a mono repo, might be a certain application 388 00:38:07,840 --> 00:38:15,840 that has seventeen different modules from six different repositories, some in guitub and some 389 00:38:15,960 --> 00:38:22,159 in bit bucket, and some I don't know from somewhere else. So when 390 00:38:22,239 --> 00:38:28,440 we see a vulnerability, it might be a secret that we detected secret in 391 00:38:28,480 --> 00:38:34,599 code. It might be a vulnerability that came from check marks or sneak or 392 00:38:34,639 --> 00:38:39,360 someone else. We know a lot of context around it. Okay, So 393 00:38:39,800 --> 00:38:44,920 if it's part of an API, we know a lot about that API. 394 00:38:45,480 --> 00:38:52,239 If you connected to a COMI, then we can say, okay, that 395 00:38:52,360 --> 00:38:58,719 API is exposed in that cluster and is getting bombarded right now in production. 396 00:38:59,800 --> 00:39:05,400 So we try as as more and more things get connected, we add more 397 00:39:05,440 --> 00:39:10,760 context into it. So it's really really important to inject that context into those 398 00:39:10,840 --> 00:39:19,639 lists of vulnerabilities or material changes, because asking the developer to do the work 399 00:39:19,719 --> 00:39:24,440 is not realistic. Right. We see we have customers with I think the 400 00:39:24,440 --> 00:39:34,400 most has a forty something thousand repositories. Oh wow, that's that's a that's 401 00:39:34,400 --> 00:39:39,480 a number that I don't think a person, a human being can fathom in 402 00:39:39,599 --> 00:39:46,000 terms of like there's no intuition around it. So you have you have to 403 00:39:46,079 --> 00:39:52,039 have that knowledge modeled somewhere. I mean I do, I do have some 404 00:39:52,119 --> 00:39:55,360 intuition there that micro services went wrong somewhere, But you know from that, 405 00:39:58,400 --> 00:40:02,880 I mean you bring abouts an interesting aspects here, which is information about the 406 00:40:04,039 --> 00:40:07,159 likelihood of these vulnerabilities actually being a problem. And I think this is a 407 00:40:07,280 --> 00:40:10,440 difficult area to answer. You can look at some code, even with the 408 00:40:10,480 --> 00:40:15,400 context, and know that there is a security problem there. Maybe it's open 409 00:40:15,440 --> 00:40:21,360 to ssr F, you know, service I Request forgeries or something on the 410 00:40:21,440 --> 00:40:25,480 UI side that's open to cross site scripting, but it's you know, I've 411 00:40:25,480 --> 00:40:30,519 been doing research and I just cannot find actual numbers on the number of say 412 00:40:30,639 --> 00:40:36,480 data breaches there are, because the actually detecting that it's happened and knowing that 413 00:40:36,559 --> 00:40:40,840 a change that you've made is going to has actually stopped. One is really 414 00:40:42,039 --> 00:40:45,519 a challenge, and I assume that it's not even something that you would be 415 00:40:45,559 --> 00:40:51,599 able to know about. Right. We do have some statistics for interesting, 416 00:40:52,239 --> 00:41:04,320 but I can say easily that a state in terms of like level of hacking 417 00:41:04,960 --> 00:41:14,199 might might uh utilize or take advantage of some some sort of nobility that could 418 00:41:14,239 --> 00:41:19,880 be found in code and might help you to find your way through after four 419 00:41:19,920 --> 00:41:24,960 months of an attack, like doing various things in order to get to a 420 00:41:25,000 --> 00:41:32,000 certain crown jewel type of information. It happens, but many more times, 421 00:41:32,440 --> 00:41:40,400 ah, some some person has connected the wrong wires and and and opened the 422 00:41:40,400 --> 00:41:45,559 the I don't know, the some proxy server connected to the wrong the wrong 423 00:41:45,639 --> 00:41:52,599 network and like maybe it's via terraform or click ups or uh, maybe a 424 00:41:52,639 --> 00:42:01,000 certain a p I that is supposed to be under authorization is actually without because 425 00:42:01,199 --> 00:42:07,199 like a bug in the code, these type of things are not immune to 426 00:42:07,239 --> 00:42:12,760 bugs in code. And you might have like a huge wall, a firewall 427 00:42:13,039 --> 00:42:21,079 and octa and whatever in front of your application that prevents the most brilliant hacker 428 00:42:21,159 --> 00:42:27,519 to pass through. But your API doesn't require authorization. You can just approach 429 00:42:27,559 --> 00:42:32,400 it and inject things into a database or pulled data from the database. So 430 00:42:36,159 --> 00:42:46,480 I think what we see in various companies is evolving from the notion that we 431 00:42:46,559 --> 00:42:54,719 have X vulnerability is let's solve every vulnerability right, and evolving into let's do 432 00:42:55,280 --> 00:43:02,440 a threat model, analyze what I have in the most important applications or the 433 00:43:02,559 --> 00:43:08,159 most sensitive applications, which is another area that we help with. But let's 434 00:43:08,199 --> 00:43:13,960 focus on those, and in those, let's understand what's the attack vector, 435 00:43:14,440 --> 00:43:20,320 and there we will say what types of actions we think we need to do. 436 00:43:21,039 --> 00:43:24,719 Maybe make sure there are no exposed secrets. Maybe make sure that the 437 00:43:27,000 --> 00:43:32,480 APIs don't do things that they shouldn't do. Maybe it's super duper critical. 438 00:43:34,000 --> 00:43:37,960 Let's make sure we have zero verun abilities and do everything we can, but 439 00:43:38,239 --> 00:43:43,920 not for everything. So this is really important in terms of time and effort 440 00:43:44,440 --> 00:43:49,199 that the people put into it. Does that mean that you're actually also able 441 00:43:49,239 --> 00:43:55,000 to investigate the sort of transitive dependencies of source code pack venders that are being 442 00:43:55,079 --> 00:44:02,039 utilized? Yeah, actually yeah we do so, uh open sources. I'm 443 00:44:02,079 --> 00:44:06,639 assuming you're in open source, but not necessarily but yeah, I mean right, 444 00:44:06,760 --> 00:44:10,039 I mean they could be internal packages that another team has published or you 445 00:44:10,079 --> 00:44:14,719 know, obviously code that comes from outside for sure. Yeah, okay, 446 00:44:14,960 --> 00:44:17,960 so uh yeah, we do. We have a distinction between external and internal 447 00:44:19,000 --> 00:44:24,800 packages, whether you publish it via an internal Nougat or Maven or something else 448 00:44:25,239 --> 00:44:30,760 inside your organization, or even if you have a package that you copy and 449 00:44:30,840 --> 00:44:36,639 paste it into some other area. I think, for me, the most 450 00:44:37,159 --> 00:44:43,039 the more interesting thing in terms of like developing a product is that you have 451 00:44:43,920 --> 00:44:52,440 a certain module that is shared between various applications. Right So you have the 452 00:44:52,519 --> 00:44:59,039 classic example is an infrastructure package that has I don't know, utilities or ways 453 00:44:59,079 --> 00:45:06,079 to connect to you or central user service or something like that, and it's 454 00:45:06,800 --> 00:45:13,599 being used in like three different versions of that are being used in seventeen different 455 00:45:13,639 --> 00:45:21,519 applications. So what's the impact of Warren going and changing a certain threshold of 456 00:45:22,159 --> 00:45:28,159 I don't know password, the strength in that package. What's the impact If 457 00:45:28,159 --> 00:45:32,679 it's on seventeen applications, it might be more substantial, right so, and 458 00:45:32,800 --> 00:45:39,320 it could go through more than one hop of analysis. So we're doing really 459 00:45:39,320 --> 00:45:45,559 interesting things in that area. And it's hard that computationally if you think about 460 00:45:45,559 --> 00:45:52,079 it. Yeah, for sure. So Warren, you're the CTO of a 461 00:45:52,360 --> 00:46:00,079 security off company. How do you like obviously security is like front of your 462 00:46:00,079 --> 00:46:07,760 company. How do you approach this whenever you're building and deploying your product? 463 00:46:07,199 --> 00:46:13,320 Oh, definitely don't ask me that question. Sorry, Should we have the 464 00:46:13,440 --> 00:46:16,280 editor cut this part out? No, I mean it's totally fine. I 465 00:46:16,280 --> 00:46:20,280 mean realistically, we are definitely looking for products that, like you know, 466 00:46:20,440 --> 00:46:22,480 ton Scott here to review. I think a lot of the problem is that 467 00:46:22,639 --> 00:46:28,840 many products in the space fall into this sort of uncanny value where they're either 468 00:46:29,199 --> 00:46:34,480 unnecessary alerts that don't really tell us anything. We've definitely gone through the snakes, 469 00:46:34,719 --> 00:46:38,400 sneaks and dependent bots code QLs of the world, and as well as 470 00:46:38,440 --> 00:46:43,039 look at the ones that review stuff for a Soalk two and ISO, but 471 00:46:43,159 --> 00:46:47,960 they're mostly checkbox driven security and don't really focus on actually finding real problems. 472 00:46:49,480 --> 00:46:55,000 So I think realistically it's on us to do this investigation most of the time 473 00:46:55,119 --> 00:46:59,760 manually, I mean obviously using the tools that are available to make these decisions. 474 00:47:00,119 --> 00:47:02,960 Now, I think we have a lot of benefit over some other companies 475 00:47:04,280 --> 00:47:07,480 given the size that we are at much smaller, so it's not like we 476 00:47:07,559 --> 00:47:12,639 have forty seven thousand repositories that we've got I think the number is under a 477 00:47:12,679 --> 00:47:15,559 thousand, and most of them are not services. Yeah, well, I 478 00:47:15,599 --> 00:47:22,199 mean there's just an amount of overhead as far as cognitive overload that teams will 479 00:47:22,239 --> 00:47:27,000 have to deal through. So more repositories can only be managed by more people, 480 00:47:27,159 --> 00:47:30,960 and that breaks down as size increases. So I mean, realistically, 481 00:47:31,360 --> 00:47:35,000 there are things that you just don't want to have to deal with. Now 482 00:47:35,960 --> 00:47:39,320 in my position, what I've really focused on is what are the platforms or 483 00:47:39,360 --> 00:47:44,559 tools that are out there that help eliminate a whole class of problems. So 484 00:47:44,840 --> 00:47:47,559 classes of problems can be eliminated by I mean me personally, you know, 485 00:47:47,599 --> 00:47:52,519 i'd say get away from Kubernetes, but really virtual machines in general. While 486 00:47:52,559 --> 00:47:57,119 it may seem like it's easy to spin them up, the number of security 487 00:47:57,119 --> 00:48:02,280 concerns from my standpoint is just massive. There just patch schedules, et cetera. 488 00:48:02,840 --> 00:48:06,440 Even for things that are zero day, right, it's so much easier 489 00:48:06,440 --> 00:48:09,119 to delegate that to a potential cloud provider. How to get around those. 490 00:48:09,760 --> 00:48:13,840 Another thing that we're leading with I'm not sure when this is going to be 491 00:48:13,880 --> 00:48:17,639 available in production, is allowing our customers to sign the data that they're sending 492 00:48:17,639 --> 00:48:22,119 to us. That means that we have a fidelity over you know, whether 493 00:48:22,199 --> 00:48:24,719 or not that data has actually been changed, not necessarily access, but specifically 494 00:48:25,239 --> 00:48:28,639 since we are in the AWE space, we do care about when it's been 495 00:48:28,719 --> 00:48:31,440 changed, and so there are things like this that we consider novel, but 496 00:48:31,480 --> 00:48:36,800 realistically, it's about finding those tools that help us elevate what we're utilizing to 497 00:48:36,840 --> 00:48:43,679 another level. Yeah, and I think that's like a unique problem because you 498 00:48:43,719 --> 00:48:49,719 do have like a limited number of people on your team, but literally an 499 00:48:49,920 --> 00:48:59,199 unlimited number of security problems. You know, Yeah, for sure, you 500 00:48:59,239 --> 00:49:01,480 know that that's always going to be a trouble. I think I think this 501 00:49:01,559 --> 00:49:07,280 goes for everything. Focus on your core competency, whatever that is, and 502 00:49:07,800 --> 00:49:12,360 find a way to eliminate or at least delegate those concerns elsewhere. So every 503 00:49:12,360 --> 00:49:15,440 time one of those comes up, find a company that helps you eliminate the 504 00:49:15,480 --> 00:49:19,400 broadest class of them, or you know, transition to a different stack or 505 00:49:19,400 --> 00:49:22,679 something like that where you don't have those issues, because you will never solve 506 00:49:22,679 --> 00:49:25,000 every problem. And I think often you may hear things like, well, 507 00:49:25,000 --> 00:49:30,519 we can't depend on another company offering a critical component for us, because what 508 00:49:30,599 --> 00:49:32,239 happens if it's down, what happens if there's an issue there? I mean, 509 00:49:32,280 --> 00:49:37,519 like you should trust the security experts to get that right more so than 510 00:49:37,719 --> 00:49:39,679 I mean, there's no different between the set of engineers that they're hiring and 511 00:49:39,719 --> 00:49:43,840 the ones that you can hire. And they're probably focused on this, right. 512 00:49:43,880 --> 00:49:46,039 You know, we're focused on hiring people that do care about that security 513 00:49:46,039 --> 00:49:50,639 aspect, just as you know Tom's focused on this as as well. I'm 514 00:49:50,639 --> 00:49:52,360 sure, right, you know, you hire people that understand this part of 515 00:49:52,440 --> 00:49:57,079 platform management and security to go forward, and you're not going to be able 516 00:49:57,079 --> 00:50:01,679 to do it as effectively unfortunately. Time and resources, Yeah, for sure, 517 00:50:05,360 --> 00:50:12,719 we at Apparel, we do have an infinite amount of time and resources 518 00:50:12,480 --> 00:50:15,639 that that's their usp there right right there. You know you heard it there 519 00:50:15,719 --> 00:50:22,760 first, right, So a lot of times with sort of continuing on what 520 00:50:22,920 --> 00:50:25,920 you were saying there, Warren, you know, there's like a there's three 521 00:50:27,599 --> 00:50:36,159 models of solving a problem. There's do it yourself, there's tell get someone 522 00:50:36,239 --> 00:50:38,840 to tell you what to do, or there's just hire someone to do it 523 00:50:38,920 --> 00:50:45,199 for you. And so, Jonathan, what are the what's the like entry 524 00:50:45,280 --> 00:50:52,920 level do it yourself version of handling this like obviously your apiro is like the 525 00:50:53,840 --> 00:50:59,039 Hey, we're gonna collect all the data and and put it in context and 526 00:50:59,159 --> 00:51:02,719 prioritize it for you. But like, what's the entry level version of that 527 00:51:02,719 --> 00:51:07,960 that probably most of us are actually trying to do but unsuccessfully. That would 528 00:51:08,000 --> 00:51:15,840 tell us, man, there's got to be a better way. You mean, 529 00:51:15,880 --> 00:51:20,280 you mean, how how the company, like a software shop would do 530 00:51:20,559 --> 00:51:29,119 what we do manually like without yeah, uh so so like people more people 531 00:51:29,599 --> 00:51:36,519 essentially? Uh yeah, so so we see that, uh and I understand 532 00:51:36,559 --> 00:51:43,559 the like like when when you're facing a certain amount of work, then you 533 00:51:43,599 --> 00:51:50,199 can either uh focus the team on it and do it like one person for 534 00:51:50,280 --> 00:51:53,880 a small shop or one team for a larger shop that handles like the load 535 00:51:53,960 --> 00:52:01,079 for everyone. And there's the companies that uh distribute to work with the load 536 00:52:01,199 --> 00:52:09,280 on the developers. I think the most important thing to understand to maybe a 537 00:52:09,320 --> 00:52:17,679 marker that might tell you that this thing got out of hand is if like 538 00:52:17,719 --> 00:52:24,800 hopefully you're asking your developers like how they are doing and if they they feel 539 00:52:24,840 --> 00:52:32,719 that their job is going well. So if they say twenty percent, thirty 540 00:52:32,760 --> 00:52:38,519 percent, seventy percent of my time is going after things that I don't see 541 00:52:38,719 --> 00:52:45,320 any value coming out of this is a good marker that you might want to 542 00:52:45,519 --> 00:52:51,320 change the process. Either either use it like a platform, like a peer, 543 00:52:51,480 --> 00:52:55,000 or maybe something else. Either either that or don't do it. Like 544 00:52:55,159 --> 00:53:02,440 sometimes it's better to take take the lead and not go through a certain process 545 00:53:04,119 --> 00:53:12,760 save like ten percent of your one hundred developers time, that's ten ten developers. 546 00:53:13,639 --> 00:53:16,599 Ten developers can bridge the gap and bring more either more value, more 547 00:53:16,639 --> 00:53:22,960 features, or more security. So either use the right tool for the job, 548 00:53:22,360 --> 00:53:27,239 or maybe do less of it of the of the noise. Sometimes it's 549 00:53:27,280 --> 00:53:32,480 better then, like bringing everything to a halt. That's probably a really great 550 00:53:32,480 --> 00:53:36,000 point there, actually using the right tool for the job. And I don't 551 00:53:36,000 --> 00:53:37,800 think that could be said enough because you know, to answer a little bit 552 00:53:37,840 --> 00:53:42,000 more of your question, Well, i've seen the let's build our own sort 553 00:53:42,039 --> 00:53:47,119 of internal strategy for automatically updating versions of packages for instance, right, And 554 00:53:47,280 --> 00:53:51,000 it's like, well, you're building this yourself, Like why are you building 555 00:53:51,039 --> 00:53:54,000 the tool versus using something that's way more intelligent at actually finding where the security 556 00:53:54,039 --> 00:53:59,280 vulnerabilities are and focus on that one. And I think there's the other one 557 00:53:59,280 --> 00:54:01,840 I've seen, which I also am not a fan of is the replicate all 558 00:54:01,840 --> 00:54:08,159 the external packages in the world locally in your own package repository, because unless 559 00:54:08,199 --> 00:54:12,800 you have a team that is expert in reviewing that or a tool that's actually 560 00:54:12,840 --> 00:54:15,960 going to do it, you're not really doing anything other than having out of 561 00:54:15,039 --> 00:54:21,079 date versions that are available. So you're actually almost hurting yourself more than you're 562 00:54:21,119 --> 00:54:24,559 helping by using one of these because it's not solving a problem of security, 563 00:54:24,559 --> 00:54:30,039 it's solving a problem of anything reliability or where the single point of failure is. 564 00:54:30,119 --> 00:54:32,519 Right. It's not a highly reliable package manager out in the world that 565 00:54:32,599 --> 00:54:37,519 has security teams dedicated to finding vulnerabilities. It's some tool off the shelf that 566 00:54:37,559 --> 00:54:42,639 you're deployed in your own infrastructure which is out of date. Yeah. I 567 00:54:42,679 --> 00:54:47,719 think also this is a great example of sometimes not understanding the trade off usually 568 00:54:49,679 --> 00:54:54,280 most things, maybe in life, but in our field, there's a trade 569 00:54:54,280 --> 00:55:00,960 off. Like if you're saying, don't like I have a certain certain version 570 00:55:01,039 --> 00:55:07,559 of package X that is not vulnerable, then let's freeze it in time and 571 00:55:07,719 --> 00:55:12,880 not never ever upgrade it because there might be a vulnerability. There's a trade 572 00:55:12,920 --> 00:55:17,599 of there, right, both functionally and maybe maybe it does have a vulnerability, 573 00:55:17,599 --> 00:55:23,000 but it's unknown. Now I'm not saying like for everything, newer is 574 00:55:23,039 --> 00:55:29,039 better, but there's always a trade off. So yeah, I think that 575 00:55:29,079 --> 00:55:32,440 they like what what you said is really really true. If you're doing it 576 00:55:32,519 --> 00:55:39,039 yourself and like inventing things that are not your core business, then be really 577 00:55:39,079 --> 00:55:45,679 careful because you're probably not the best of breeding usually. No, I mean 578 00:55:45,840 --> 00:55:47,800 no, no, it's for true. I mean I think there's another problem 579 00:55:47,800 --> 00:55:51,920 there, which is you don't know whether or not you're doing it right. 580 00:55:52,039 --> 00:55:54,480 So you're going through the motions of things right, you know, you're even 581 00:55:54,480 --> 00:55:58,559 if maybe maybe updating the versions is the right thing, but it could just 582 00:55:58,599 --> 00:56:00,559 as easily be the case where it's not, and you're actually having a negative 583 00:56:00,599 --> 00:56:07,039 impact overall. So you're not doing the research to understand what the best practice 584 00:56:07,079 --> 00:56:10,679 trends are, and you're using your own sort of heuristics from your own experiences, 585 00:56:10,880 --> 00:56:15,480 which they're still valid, right, but just in a small niche compared 586 00:56:15,519 --> 00:56:20,119 to what the collective wisdom says, and going about that, you know, 587 00:56:20,199 --> 00:56:22,199 in that way, which may lead you to, oh, yeah, we 588 00:56:22,199 --> 00:56:24,880 need to automatically roll all versions of all packages all the time, or we 589 00:56:24,920 --> 00:56:29,239 need to freeze all of them, and I think both of them are equally 590 00:56:29,280 --> 00:56:34,960 problematic in some way. Yeah. One of the other things you know, 591 00:56:35,000 --> 00:56:39,280 you mentioned higher or use the people who are best at that. I think 592 00:56:39,320 --> 00:56:45,840 one of the things that I see common with that is whenever you go to 593 00:56:46,320 --> 00:56:51,599 like you say, Okay, I shouldn't be writing on authentication package myself. 594 00:56:51,639 --> 00:56:55,079 That's a solved problem that's been solved by people way smarter than me. So 595 00:56:55,159 --> 00:57:00,079 you go out and you start looking at available packages. Like part of that 596 00:57:00,159 --> 00:57:06,000 research is understanding who the expert really is and digging in, like dig into 597 00:57:06,039 --> 00:57:10,480 their GitHub repo. Is it being updated frequently? How many committers are working 598 00:57:10,480 --> 00:57:15,400 on this? Because if you find an authentication package that was updated three years 599 00:57:15,400 --> 00:57:22,039 ago by one person and hasn't been touched since, that may not be an 600 00:57:22,039 --> 00:57:29,159 improvement over your current authentication layer. Yeah. Sure, I mean i'd be 601 00:57:29,159 --> 00:57:31,320 curious what you know, Tom, actually if it has any information about this, 602 00:57:31,480 --> 00:57:37,079 Like are there heuristics about update frequency or the type of packages that lend 603 00:57:37,119 --> 00:57:40,920 themselves, especially in the open source world, to being more vulnerable or more 604 00:57:40,920 --> 00:57:47,719 secure? Yeah? So really interesting, especially right now, so in Apiro 605 00:57:47,960 --> 00:57:54,960 you can see a lot of like interesting properties about open source packages. Okay, 606 00:57:55,039 --> 00:58:00,559 so I think will you mentioned some of the most important ones, like 607 00:58:00,760 --> 00:58:07,599 if it's maintained or not maintained. There are other things as well, but 608 00:58:07,800 --> 00:58:12,239 right now, we just published, like I think a week ago, like 609 00:58:12,639 --> 00:58:19,320 our research team found a lot of malicious code in many guitab repositories and some 610 00:58:19,400 --> 00:58:22,239 of the guitub repositories. Like it made a lot of waves I heard about 611 00:58:22,360 --> 00:58:28,679 some of some of the guitub repositories are really things that you would like at 612 00:58:28,679 --> 00:58:34,639 first glance. You you wouldn't say there's something fishy here, right, A 613 00:58:34,639 --> 00:58:44,079 lot of maintainers, it's being maintained really st regularly. So I think not 614 00:58:44,199 --> 00:58:52,480 to be too cynical, but I don't think you can trust anything right pully 615 00:58:52,599 --> 00:58:54,599 with you. Actually, I was just thinking about this, like whatever a 616 00:58:54,599 --> 00:58:59,119 metric you're going to use, just think about how it's going to be potentially 617 00:58:59,119 --> 00:59:01,360 abused, right, you know, it's maintainers or updates or issues. You 618 00:59:01,400 --> 00:59:06,880 could easily clone an existing package out there on GitHub, have the same number 619 00:59:06,920 --> 00:59:09,559 of issues, copy everything one to one and then make just a small little 620 00:59:09,639 --> 00:59:15,360 malicious change in the package somewhere, you know, post install, or just 621 00:59:15,519 --> 00:59:19,679 for a production run time and also publish it to a new get MPM, 622 00:59:19,880 --> 00:59:22,159 you know, wherever, and you would never tell the difference unless someone actually 623 00:59:22,239 --> 00:59:25,480 investigated that source code. So those sorts of heuristics and may not even be 624 00:59:25,559 --> 00:59:31,360 valuable. Yeah, yeah for sure. But you know, the same way 625 00:59:31,519 --> 00:59:38,320 is it's hard to get like a good grasp over forty thousand repositories in your 626 00:59:38,400 --> 00:59:44,920 organization. Yeah, which there's not a lot of eyes going through that code 627 00:59:44,960 --> 00:59:50,559 base, but in like let's say React, JS and Internet there's a lot 628 00:59:50,559 --> 00:59:57,280 of people like going through. But even that repository is really large, and 629 00:59:57,599 --> 01:00:05,440 there are dark places within that repository that people like for years didn't pay attention 630 01:00:05,559 --> 01:00:13,239 to. So when you get big data, it's really like it's easier to 631 01:00:12,599 --> 01:00:20,440 to to hide in plain sight sometimes then if there's a two file repository and 632 01:00:20,679 --> 01:00:24,880 to take hold of that, so you really need the tools the machines to 633 01:00:25,760 --> 01:00:30,000 do the work for you. No, I mean that that actually gives me 634 01:00:30,039 --> 01:00:32,239 some flashbacks to I think it was a few years ago there was a bunch 635 01:00:32,280 --> 01:00:40,519 of academic centers that were intentionally making malicious changes to like Linux Foundation source code 636 01:00:40,719 --> 01:00:45,119 for the kernel as well as other things just to prove that you could get 637 01:00:45,199 --> 01:00:52,440 malicious code into an open source project under all pretenses and so like that's pretty 638 01:00:52,519 --> 01:00:57,519 ridiculous. Yeah, yeah, I remember that. That was kind of wild. 639 01:00:58,079 --> 01:01:01,159 Yeah, So nothing not things off the table when it comes to where 640 01:01:01,159 --> 01:01:04,440 problems could be. And you know, if you look at the lots of 641 01:01:04,559 --> 01:01:07,800 issues that show up in public repositories, like they're not necessarily people that know, 642 01:01:08,159 --> 01:01:12,440 you know, fundamentally every single aspect that's going on there, Uh, 643 01:01:12,679 --> 01:01:15,519 poll requests that get opened are you know you don't. No one has full 644 01:01:15,679 --> 01:01:20,159 understanding of how all the packages interact with each other, so you know, 645 01:01:20,239 --> 01:01:22,199 who is even able to validate that? I think at this point you pretty 646 01:01:22,239 --> 01:01:25,360 much need to rely on some sort of tool to do this for you. 647 01:01:30,039 --> 01:01:32,760 Right on. Cool, So I want to ask both of you this question, 648 01:01:32,840 --> 01:01:39,840 because you both have strong security backgrounds. For someone who's just starting to 649 01:01:39,880 --> 01:01:50,119 put focus on their security footprint, what's your best piece of advice on where 650 01:01:50,159 --> 01:01:58,159 to start start with? We'll start with Jonathan. Okay, So, without 651 01:01:58,440 --> 01:02:02,280 qualifying if it's a small company or a large company or like one developer, 652 01:02:02,679 --> 01:02:08,400 I think the most important thing to get a grasp on is like inventory, 653 01:02:08,480 --> 01:02:15,760 what I have. I think this is the fundamental part here. By the 654 01:02:15,760 --> 01:02:19,840 way, as a developer, you might want to reduce it as much as 655 01:02:19,880 --> 01:02:25,519 you can get rid of what you don't really need, and in large scales 656 01:02:25,559 --> 01:02:30,960 it's even more important. But knowing what you have, I think this is 657 01:02:30,000 --> 01:02:36,960 the most fundamental thing to really really understand before I do anything advanced. Know 658 01:02:37,079 --> 01:02:40,559 what you have and plot twist. Apiro can help you with that, right, 659 01:02:43,320 --> 01:02:49,920 I wouldn't I wouldn't imagine saying anything that won't lead you to say that. 660 01:02:52,280 --> 01:02:55,760 All right, Warren, what's your thoughts? Yeah? I mean I 661 01:02:55,800 --> 01:03:00,760 think actually Anton mentioned this earlier and I know I've become a broken record for 662 01:03:00,800 --> 01:03:06,000 this, but it's start with your threat model. If you build or approach 663 01:03:06,039 --> 01:03:09,079 any problem without first thinking about why you're doing it, not only can you 664 01:03:09,320 --> 01:03:13,719 what you're doing isn't going to nessly be useful or relevant. It can even 665 01:03:13,719 --> 01:03:17,239 be harmful as far as your overall approach goes. So you know concretely what 666 01:03:17,280 --> 01:03:20,679 like, what do we need to do, why are we doing it? 667 01:03:20,920 --> 01:03:23,880 And then start looking at okay, what are our options for implementing solutions? 668 01:03:23,920 --> 01:03:28,719 Because otherwise, I mean, you'll end up with the six thousand dependent on 669 01:03:29,119 --> 01:03:32,000 alerts and not knowing what to do, and the result may be developing your 670 01:03:32,039 --> 01:03:37,920 own platform that automatically increments, you know, package versions, versus knowing that, 671 01:03:37,960 --> 01:03:42,519 hey, we're getting lots of spam on our endpoints in the form of 672 01:03:42,719 --> 01:03:46,400 WP dash admin and we're not running any PHP stuff. You know, it's 673 01:03:46,400 --> 01:03:52,719 not a DUS attack, but it's someone's looking for an exposed WordPress instance or 674 01:03:52,079 --> 01:03:57,719 Mango dB or elastic search, and if you've got that exposed, then you're 675 01:03:57,719 --> 01:04:00,840 going to have a problem. So, as Youzon said, the the inventory 676 01:04:00,880 --> 01:04:03,599 of what your services are and how they're exposed to the Internet is equally valuable 677 01:04:03,639 --> 01:04:15,039 for sure, right on excellent. Any any other closing or parting thoughts on 678 01:04:15,119 --> 01:04:23,559 security before we move on to picks, I'd say, alluding to a previous 679 01:04:23,559 --> 01:04:28,519 point that you made before, that security is a feature and and uh, 680 01:04:28,800 --> 01:04:32,639 if if you do the right thing, then then people will appreciate it. 681 01:04:33,039 --> 01:04:36,360 If it's sometimes even more than doing the features. No, I mean, 682 01:04:36,400 --> 01:04:40,960 I love that approach actually, because often people see it as the like a 683 01:04:40,960 --> 01:04:45,039 cost center to prevent something and the best case scenario is that you nothing happens, 684 01:04:45,559 --> 01:04:47,079 and so the ROI you know, is a hard justifier, But I 685 01:04:47,119 --> 01:04:53,320 think the missing part there is that actually the way you've implemented security has a 686 01:04:53,360 --> 01:04:58,239 lot of value that for your product, for your end users, potentially a 687 01:04:58,440 --> 01:05:02,400 better experience with s oh and log in is it is it defining factor for 688 01:05:02,800 --> 01:05:09,039 companies, especially enterprises, who want to be secure likewise goes having the latest 689 01:05:09,079 --> 01:05:14,119 functions and features from your dependencies, being able to utilize them and not be 690 01:05:14,119 --> 01:05:17,320 stuck on legacy versions for fear of a security issue that just on my gets 691 01:05:17,320 --> 01:05:20,920 pulled in. Like using a platform like a bureau you know, helps you 692 01:05:20,960 --> 01:05:26,440 get that, helps you achieve that without getting stuck in in fear land or 693 01:05:26,719 --> 01:05:31,159 dedicating your resources in an area that's not your core competency. Yeah. I 694 01:05:31,159 --> 01:05:40,400 think that's like one of the common things that I see with teams or departments 695 01:05:40,400 --> 01:05:46,159 that are traditionally seen as cost centers is changing that perspective that you're not a 696 01:05:46,199 --> 01:05:50,280 cost center, you're just bad at marketing, you know, because there's like 697 01:05:50,280 --> 01:05:55,599 it there is like it's everything comes down to politics at some form or another, 698 01:05:56,159 --> 01:06:00,119 and so part of getting your team to not be is a cost center 699 01:06:00,440 --> 01:06:06,840 is by marketing your team and showing hey, this is these are the security 700 01:06:06,920 --> 01:06:11,679 vulnerabilities that we closed down that we were exposed to? Or from a DevOps 701 01:06:11,719 --> 01:06:16,039 perspective, hey, here's how implementing this platform allowed the engineering teams to go 702 01:06:16,119 --> 01:06:23,760 from fifteen deployments today per day to fifty deployments per day in a safe and 703 01:06:23,800 --> 01:06:29,960 secure manner. So I think really learning to market your team helps give you 704 01:06:30,360 --> 01:06:34,559 mind share across the leaders of the company and brings additional focus. And with 705 01:06:34,639 --> 01:06:39,119 additional focus, you get additional resources. I mean, last time we talked 706 01:06:39,159 --> 01:06:43,639 about product management, and I think this is closely connected to it. Like, 707 01:06:43,920 --> 01:06:45,119 you know, you can even start before that, right, Like, 708 01:06:45,320 --> 01:06:48,559 if you're going to be rolling out features or functionality or a platform to your 709 01:06:48,639 --> 01:06:53,599 organization, what do the other engineering teams actually think about? You know, 710 01:06:53,679 --> 01:06:57,039 do they care about even being secure? Because if they're not already on that, 711 01:06:57,079 --> 01:07:02,159 then it's the same challenge as marketing to external customers. You what problems 712 01:07:02,199 --> 01:07:04,679 are they trying to solve? And if security is not part of it, 713 01:07:04,760 --> 01:07:08,760 then you're really starting with an education approach, right Like, here are the 714 01:07:08,800 --> 01:07:12,760 sorts of things that could happen because of how you set up your services and 715 01:07:12,920 --> 01:07:16,480 if the organization hasn't aligned incentives actually encourage them to be secure. Then it's 716 01:07:16,480 --> 01:07:20,079 going to be an uphill battle wait for them to get hacked and then go 717 01:07:20,239 --> 01:07:24,840 oh oh okay, so now y'all are concerned about security. Oh. I 718 01:07:24,840 --> 01:07:29,280 mean there were definitely there were definitely some suspicious companies out there that were offering 719 01:07:29,320 --> 01:07:32,159 like DEDOS protection and as part of their actual operation, I mean they were 720 01:07:32,239 --> 01:07:35,320 they were hugely malicious to start out with, but uh, as part of 721 01:07:35,360 --> 01:07:39,599 their operations they would go out and actually just dds customers and be like, 722 01:07:39,639 --> 01:07:42,320 hey, you know you got d dos Because you don't, you're not using 723 01:07:42,320 --> 01:07:45,639 our product. And I mean it's a little bit suspicious if after our security 724 01:07:45,679 --> 01:07:48,960 incident you immediately get someone showing up your door saying, you know, hey, 725 01:07:49,000 --> 01:07:55,159 we could help you solve that problem. Though, it's like the mafia 726 01:07:55,280 --> 01:08:00,840 style approach they send and then go so, hey, it looks like you 727 01:08:00,920 --> 01:08:06,840 need some protection. Right on. So let's do some picks as we round 728 01:08:06,880 --> 01:08:11,800 this episode out, Warren, I've been picking on you, so I won't 729 01:08:11,840 --> 01:08:15,760 pick on you this episode. I'll actually start it off, and much to 730 01:08:15,960 --> 01:08:19,520 everyone who's a frequent listener, surprise, my pick this week is going to 731 01:08:19,600 --> 01:08:26,800 be platform con coming up this June the five day virtual conference on Platform Engineering, 732 01:08:27,399 --> 01:08:31,640 where they will have some folks talking about security topics too as they relate 733 01:08:31,680 --> 01:08:36,000 to platform engineering. And then my favorite part of the conference is at the 734 01:08:36,199 --> 01:08:41,680 end, I am going to be interviewing some of the speakers in a live 735 01:08:41,800 --> 01:08:46,760 Q and a session to close out the conference. And as I mentioned last 736 01:08:46,800 --> 01:08:49,920 week, if they're specific people you want me to talk to, or specific 737 01:08:50,000 --> 01:08:54,159 questions you want me to ask, be sure and hit me up on Twitter 738 01:08:54,840 --> 01:09:00,840 or send me a DM or any other contact method and I will filter and 739 01:09:00,920 --> 01:09:04,000 aggregate those and get those questions to ask for you. So platform con dot 740 01:09:04,039 --> 01:09:09,199 com if you want to check that out, and that's my pick. So 741 01:09:09,960 --> 01:09:12,880 Warren, what have you got? Yeah, Actually, this is timely. 742 01:09:13,279 --> 01:09:15,720 It's going to be security related. I just got back from a conference in 743 01:09:15,760 --> 01:09:20,199 Germany last week where I was actually talking about the security journey we took at 744 01:09:20,239 --> 01:09:24,800 authors and I got asked, you know, well, how do I get 745 01:09:24,840 --> 01:09:28,880 into security? How do I become an expert? Is it just the do 746 01:09:28,920 --> 01:09:30,960 I am? I either completely don't know anything or do I have to know 747 01:09:31,039 --> 01:09:33,960 everything? And the truth is, you know, you just learn things over 748 01:09:34,039 --> 01:09:38,640 time from different sources and eventually, one day you get to stand up on 749 01:09:38,680 --> 01:09:42,600 stage and start giving a presentation about security, even though you believe you don't 750 01:09:42,720 --> 01:09:45,319 really know anything. But I will say that there are a couple of great 751 01:09:45,359 --> 01:09:50,159 newsletters out there that I read myself. They may be too technical for some 752 01:09:50,319 --> 01:09:56,479 others may be way beneath them, but I highly recommend the TLDR newsletters. 753 01:09:56,479 --> 01:10:00,720 Specifically, they have one Security and there's also another one called the cloud Secklist, 754 01:10:00,760 --> 01:10:04,720 which is oriented towards cloud security infrastructure, and they've been great. They 755 01:10:04,800 --> 01:10:09,800 talking touching on a lot of different topics, and you can go deep with 756 01:10:09,880 --> 01:10:12,439 the links that are in there, and I can take you a long way, 757 01:10:12,600 --> 01:10:16,239 especially at the beginning of your security journey. Right on Awesome, how 758 01:10:16,239 --> 01:10:18,520 did you talk? Go by the way? Well, you know, like 759 01:10:18,640 --> 01:10:21,880 usual, I'm sure I did terrible, but then everyone tells me how great 760 01:10:21,960 --> 01:10:26,239 it went, so I have to I'll have to watch the video once it 761 01:10:26,279 --> 01:10:30,720 comes out online, which will probably be posted on the author's blog somewhere Right 762 01:10:30,760 --> 01:10:36,000 on awesome. All right, Johnathan, what you got for us for picks? 763 01:10:36,680 --> 01:10:43,399 Okay? So I had something else, But Warren, I think I 764 01:10:43,439 --> 01:10:48,720 can maybe connect to what you what you said because something that I feared for 765 01:10:48,760 --> 01:10:55,439 a long time happened at my family yesterday, where my son was a twelve 766 01:10:55,520 --> 01:11:01,199 year old came to me and said, Dad, I managed to hack the 767 01:11:01,600 --> 01:11:10,520 Google Dinosaur game and and made it such that I can never lose. It's 768 01:11:10,520 --> 01:11:15,720 not that advanced. It's I think it came to him through YouTube or Instagram 769 01:11:15,800 --> 01:11:20,039 or something like that where you just override the game over function or something like 770 01:11:20,119 --> 01:11:26,319 that. She's really nice. Uh so, so it came to me as 771 01:11:26,359 --> 01:11:32,079 a shock, but uh it got me thinking and and I like alluding to 772 01:11:32,560 --> 01:11:36,800 when you said how to start in the security business. Maybe uh so. 773 01:11:38,359 --> 01:11:43,680 I think my piak is is when it comes to kids, maybe uh start, 774 01:11:43,800 --> 01:11:47,640 start from the fundamentals, not not. It might be cool to show 775 01:11:47,680 --> 01:11:55,199 your friends in class that you can hack a game, but I I since 776 01:11:55,239 --> 01:12:00,920 then, I since I tried to show him the fundamentals. What goes on 777 01:12:00,960 --> 01:12:05,239 there? What does it mean a function? What does it mean to change 778 01:12:05,279 --> 01:12:10,720 it in run time? Like, uh, maybe you should prevent that maybe 779 01:12:10,760 --> 01:12:15,399 not like like really have him understand what goes on there. I think it's 780 01:12:15,560 --> 01:12:24,960 really important for kids that can see YouTube or whatever TikTok, they're they're seeing 781 01:12:25,000 --> 01:12:29,479 really advanced things in life, not only in security or coding, but they're 782 01:12:29,640 --> 01:12:33,880 really pushed to go fast and like having them understand the fundamentals, understand for 783 01:12:33,880 --> 01:12:40,439 for a non native English speaker, understand English, understand math, understand the 784 01:12:40,640 --> 01:12:45,640 like the concept, and then go and hack the Pentagon or No, we're 785 01:12:45,680 --> 01:12:51,319 not recommending that anyone does anything. I do not condone that sort of no. 786 01:12:51,399 --> 01:12:55,840 But that's a really great point actually, because there's security is so vague 787 01:12:55,880 --> 01:13:00,960 as an individual idea that really defining for yourself what it even means to go 788 01:13:00,039 --> 01:13:04,199 into security, right, Like are you interested in hacking things or even depending 789 01:13:04,239 --> 01:13:06,600 against attacks, which I think, you know, we talked a lot about 790 01:13:06,600 --> 01:13:11,800 here, but or our products that help you build up tools and whatnot. 791 01:13:11,880 --> 01:13:14,760 You know, these are all different, fundamentally different areas for sure. Yeah, 792 01:13:14,840 --> 01:13:18,239 And I think there's like just going beyond that. I think there's huge 793 01:13:19,079 --> 01:13:26,000 understated value in just having a basic understanding of how code works in a modern 794 01:13:26,039 --> 01:13:30,920 technology life that we live in now, because once you understand what's going on 795 01:13:31,359 --> 01:13:36,520 under the hood, I think you get a lot of perspective in how you 796 01:13:36,600 --> 01:13:41,800 interact with different companies, you know, whether it's through their website or their 797 01:13:41,800 --> 01:13:45,399 application or their call center or whatever. Like. If you have that basic 798 01:13:45,479 --> 01:13:49,640 fundamental understanding, I think you start to approach problems differently, even if you're 799 01:13:49,640 --> 01:13:55,199 not in a technical role. I think when you're talking to a sales rep 800 01:13:55,239 --> 01:13:59,239 of a customer support agent of a company and you get an error on your 801 01:13:59,239 --> 01:14:01,720 screen, that's as like you know, on unhandled exception, and you're trying 802 01:14:01,720 --> 01:14:11,199 to explain to them how their website is broken, right exactly, all right? 803 01:14:11,359 --> 01:14:13,880 Cool, Jonathan, Thank you so much for being on the show. 804 01:14:13,920 --> 01:14:17,079 This has been incredibly insightful, so I really appreciate you taking the time to 805 01:14:17,159 --> 01:14:21,760 join us. Yeah, thank you so much for inviting me. Yeah. 806 01:14:21,840 --> 01:14:25,359 Yeah. Happy to have you back on at any point, so let us 807 01:14:25,359 --> 01:14:29,560 know if that's of interest to you. Qaarren, thank you again for joining 808 01:14:29,560 --> 01:14:33,479 me here and co host to miss with me, and to all the listeners, 809 01:14:33,560 --> 01:14:36,640 thank y'all for listening. Love having y'all out there, and we will 810 01:14:36,680 --> 01:14:38,680 see y'all next week.