WEBVTT

1
00:00:14.080 --> 00:00:18.280
All right, here we go.
Welcome everyone to another episode of Adventures and

2
00:00:18.399 --> 00:00:22.039
deva Ops. I'm your host,
Will Button and today joining me in the

3
00:00:22.079 --> 00:00:27.359
studio our special guest Ory Moncli.
How are you or very well? Nice

4
00:00:27.399 --> 00:00:31.679
to speak to you, you too, welcome, Welcome. Can you give

5
00:00:31.719 --> 00:00:37.479
us a little introduction, a little
bit about your background? Sure? Absolutely?

6
00:00:37.880 --> 00:00:43.479
First of all, I'm doing software
development and anything related to tech since

7
00:00:43.520 --> 00:00:48.200
I was since I can remember myself, sally. It was just a hobby

8
00:00:49.159 --> 00:00:55.799
a long time, it became a
profession and last twenty plus years I'm doing

9
00:00:55.840 --> 00:01:00.320
different kinds of engineering work in the
industry, starting as a software developed and

10
00:01:00.439 --> 00:01:06.400
in the recent years i'm mostly managing
development teams. My current position, I'm

11
00:01:06.719 --> 00:01:15.239
heading the engineering team at a Kinness
in Security. Still enjoying writing software and

12
00:01:15.319 --> 00:01:19.879
learning more about different areas of technologies, things that are renewing all the time.

13
00:01:19.640 --> 00:01:23.799
So that's my passion and that's what
I do for a living, right,

14
00:01:23.879 --> 00:01:27.680
And that's a hard balance, having
a management role but still being able

15
00:01:27.719 --> 00:01:36.040
to maintain or enjoy your technical skills. Agree. I mean, I can

16
00:01:36.120 --> 00:01:42.000
see that management is an easy gateaway
for somebody that doesn't love doing something like

17
00:01:42.079 --> 00:01:47.599
that, and kind of switching roles
to something else for me out of choice.

18
00:01:47.920 --> 00:01:51.760
I'm trying to keep myself up to
date. I'm very down to the

19
00:01:51.840 --> 00:01:56.359
details. I like to keep maybe
small projects not in the critical path of

20
00:01:56.680 --> 00:02:00.159
the development, still keeping my hands
dirty and doing some work. But it's

21
00:02:00.200 --> 00:02:04.519
a matter of choice eventually, if
you like it and you find the time

22
00:02:04.560 --> 00:02:07.400
to do it, Yeah, for
sure, for sure. So one of

23
00:02:07.439 --> 00:02:13.919
the things we're going to talk about
today was security in the CICD pipeline.

24
00:02:15.479 --> 00:02:21.319
Right right, I mean security,
This to me comes with the context of

25
00:02:21.400 --> 00:02:27.039
doing things the right way, sometimes
corredated to doing things a little bit slower

26
00:02:27.080 --> 00:02:31.319
than usual because it has to be
the right way, and a lot of

27
00:02:31.360 --> 00:02:36.280
hurdles for their teams. Right,
you need to do things, You need

28
00:02:36.319 --> 00:02:42.159
to get confirmation from different authorities making
sure that this is appropriate. This is

29
00:02:42.199 --> 00:02:46.919
according to the standards, according to
whatever rule least privilege, zero, standing

30
00:02:47.039 --> 00:02:53.599
credentials, et cetera. Our job
at a Kills, among other things,

31
00:02:53.759 --> 00:03:00.680
is to make the security standards high, or keep the security standards high without

32
00:03:00.039 --> 00:03:05.560
the negative impact on velocity, like
making it simple, making it easy,

33
00:03:05.960 --> 00:03:10.199
and in some cases making it even
easier than usual. Path right, instead

34
00:03:10.240 --> 00:03:15.960
of thinking where I should store this
whatever, a secret, whatever piece of

35
00:03:15.000 --> 00:03:21.159
information that I have, what would
be the right repository, the right storage.

36
00:03:21.639 --> 00:03:24.479
Now you have a place to do
that, and it integrates well with

37
00:03:24.599 --> 00:03:32.520
a lot of technologies, authentication types, different infrastructures, platforms, cloud,

38
00:03:32.520 --> 00:03:38.080
the providers, etc. Yeah,
for sure. And I think the like

39
00:03:38.159 --> 00:03:44.360
putting it in cic D, I
think really opens up some interesting possibilities for

40
00:03:44.400 --> 00:03:47.439
you because then you can automate it, and I think that's where security really

41
00:03:49.280 --> 00:03:52.599
I think that's really where you can
start to gain ground on security. Like

42
00:03:52.639 --> 00:03:59.039
you mentioned, if you can make
the right thing the easier choice than doing

43
00:03:59.080 --> 00:04:03.039
it the wrong way, that's really
where you start to see the gains from

44
00:04:03.080 --> 00:04:09.599
that. Yeah. Absolutely. I
think that in the recent years we see

45
00:04:09.680 --> 00:04:15.439
a lot of growth and adoption of
a lot of develop tools, develops,

46
00:04:15.439 --> 00:04:21.120
tool change, should I say,
things related starting from configuration management to CICD,

47
00:04:21.240 --> 00:04:28.199
platforms, container orchestrations. A lot
of technologies evolving in this domain,

48
00:04:29.319 --> 00:04:35.199
and this becomes a very convenient tool
for automation, not necessarily just for releasing

49
00:04:35.240 --> 00:04:42.360
an artifact production, but also to
have like jobs to help maintaining the usual

50
00:04:42.439 --> 00:04:48.399
work the build environment, and related
to that, and as such, it

51
00:04:48.519 --> 00:04:55.240
becomes an interesting target for potential hackers. Right, if you gain access to

52
00:04:55.279 --> 00:05:01.120
this centralized platform that has access to
your cloud service, provide to databases in

53
00:05:01.160 --> 00:05:06.639
the organization, a lot of that, that's that's an easy target for hacking

54
00:05:06.879 --> 00:05:13.279
credentials and accessing those systems. That's
what I think we should we should,

55
00:05:13.519 --> 00:05:16.800
Yeah, we should look at when
when talking about security, how to protect

56
00:05:16.920 --> 00:05:25.240
the identities, workload identities, how
to protect different environments. Uh, and

57
00:05:25.319 --> 00:05:30.519
to do that without adding overhead on
the process. Yeah, right on.

58
00:05:31.279 --> 00:05:40.000
So what would be your for someone
who's just acknowledging the security should be part

59
00:05:40.120 --> 00:05:45.480
of your organization? What would be
the number one thing you would point the

60
00:05:45.519 --> 00:05:50.720
map first, or the first thing
to say, hey start here. Ideally

61
00:05:51.160 --> 00:05:57.759
it would be mapping what kind of
sensitive information, sensitive data? What kind

62
00:05:57.759 --> 00:06:04.959
of different identities and permissions you have
spread across your systems? Because creating identities

63
00:06:04.959 --> 00:06:11.439
and giving access is very easy,
right. You simply create another application,

64
00:06:11.480 --> 00:06:15.079
another tool, I request access,
and all of a sudden it fails up

65
00:06:15.120 --> 00:06:21.279
with touns of identities without much of
control over it. Like when I ask

66
00:06:21.639 --> 00:06:28.720
a develops person how many applications do
you have and what kind of permissions each

67
00:06:29.120 --> 00:06:33.720
in every application has to perform on
a different type of infrastructure. That's not

68
00:06:33.800 --> 00:06:41.639
a simple question to answer because in
many cases you simply don't have the visibility.

69
00:06:42.959 --> 00:06:47.160
This problem is sometimes referred to as
a secret sproll problem because you have

70
00:06:47.199 --> 00:06:55.240
a lot of different storages to maintain
secrets, to keep access, different different

71
00:06:55.319 --> 00:07:00.519
kinds of ways to manage policies access
policies. One cloud provider, you have

72
00:07:00.800 --> 00:07:06.680
different type of language and annotation and
other type of infrastructure of different things,

73
00:07:06.680 --> 00:07:13.439
So it becomes a lot of know
how on how to manage it, and

74
00:07:13.480 --> 00:07:18.319
in many cases it's kept in a
very selected few individuals' minds where to set

75
00:07:18.680 --> 00:07:29.480
what Talking about dashboards and visibility to
executive level is something that very rarely found,

76
00:07:29.959 --> 00:07:32.680
So identifying where the sensitive data is
would be the number one step.

77
00:07:32.720 --> 00:07:38.120
I think, yeah, that makes
a lot of sense, because I think

78
00:07:38.519 --> 00:07:45.720
from my own perspective, my gut
reaction to any problem is to start building

79
00:07:45.759 --> 00:07:50.519
something to solve that problem. But
actually taking a step back and documenting where

80
00:07:50.560 --> 00:07:58.079
this problem exists, where it's used, would change the perspective because then you

81
00:07:58.160 --> 00:08:01.720
kind of have a better understand of
the size and the scope of the problem

82
00:08:01.720 --> 00:08:09.800
that you're trying to solve exactly.
I would say that afterwards, once you

83
00:08:09.839 --> 00:08:16.639
have that mapped, you probably want
to sort them by the most impactful type

84
00:08:16.639 --> 00:08:22.759
of identities to the listed platforms,
right, which one has access to many

85
00:08:22.800 --> 00:08:28.720
resources, privileged access, et cetera, and then try to deal with them

86
00:08:28.759 --> 00:08:35.600
first, because the virtual blast reduce
should I say, of somebody's accessing those

87
00:08:35.639 --> 00:08:45.080
can be the most significant negatively significant
to the organization. Ideally, you don't

88
00:08:45.120 --> 00:08:50.120
want to maintain something that is lasting
forever, right, So any type of

89
00:08:52.360 --> 00:08:58.039
credential, any type of access,
should be limited in time for a reasonable

90
00:08:58.120 --> 00:09:03.600
duration. When I say reasonable,
it cannot be ten years or fifteen years,

91
00:09:03.639 --> 00:09:07.039
because in that time you can do
a lot of them. I'm talking

92
00:09:07.080 --> 00:09:11.200
in many cases minutes maybe hours to
perform some kind of tasks, but not

93
00:09:11.360 --> 00:09:18.919
much more than that. Yeah,
you know, it was just about a

94
00:09:18.039 --> 00:09:28.120
year ago I stumbled across the open
id connect, I think OIDC and I

95
00:09:28.039 --> 00:09:33.559
haven't really seen it talked about a
lot in many places, but I've actually

96
00:09:33.559 --> 00:09:39.360
fallen in love with it, and
we've updated a bunch of our infrastructure to

97
00:09:39.559 --> 00:09:43.840
use that for that specific reason,
Because whenever you go to take an action,

98
00:09:43.720 --> 00:09:48.440
the OIDC gets a set of short
lived tokens and then you can scope

99
00:09:48.480 --> 00:09:56.919
those scope the access permissions for those
credentials down to just the exact deployment that

100
00:09:56.000 --> 00:10:00.000
you're dealing with at that time.
And I thought that was such a cool

101
00:10:00.240 --> 00:10:03.159
idea. It's relatively easy to implement, but it doesn't seem to be very

102
00:10:03.200 --> 00:10:09.480
popular. Yeah, I think O
I d C is positioning as one of

103
00:10:09.519 --> 00:10:18.279
the slowly but one of the most
popular authentication methods for humans. It's in

104
00:10:18.320 --> 00:10:22.399
my opinions, it's second to summon, which is more legacy one but still

105
00:10:22.799 --> 00:10:28.799
very widely used. But I think
that over time we will start to see

106
00:10:28.840 --> 00:10:33.399
more and more. This is kind
of the evolution of some and we start

107
00:10:33.440 --> 00:10:37.960
to see more and more relying on
O I d C. The foundation or

108
00:10:39.000 --> 00:10:46.600
the underlying technology is basically all OFF
or JOT authentication, which is very popular

109
00:10:46.679 --> 00:10:54.440
for application type of authentication. A
lot of c CD platforms today are providing

110
00:10:54.639 --> 00:11:03.240
a temporary signed job that can be
used to verify to identify the actual runner

111
00:11:05.039 --> 00:11:09.600
and the right context of what kind
of project idea, who trigger the job

112
00:11:09.919 --> 00:11:18.080
or what kind of resources running,
et cetera, and all those attributes both

113
00:11:18.120 --> 00:11:26.399
coming from Native job authentication or YDC
can be leveraged for access permissions, and

114
00:11:26.440 --> 00:11:31.480
that's very handy. Like imagine that
you log into a platform and all of

115
00:11:31.519 --> 00:11:37.759
a sudden you have all the types
of permission associated with your identity without the

116
00:11:37.879 --> 00:11:43.600
need or the operational hussle of managing
those same permissions in two different platforms,

117
00:11:43.720 --> 00:11:50.360
one being the actual infrastructure, the
other one being the secret management site.

118
00:11:50.559 --> 00:11:54.720
Right, So basically take the same
like if you modify something in your IDP,

119
00:11:54.679 --> 00:12:01.159
the identity provider automatically, it reflects
to the same its management and the

120
00:12:01.200 --> 00:12:07.519
access permissions you have there. So
from an administrative perspective of managing identities,

121
00:12:07.559 --> 00:12:16.120
that's a very easy and convenient approach
where identities live only in one place according

122
00:12:16.120 --> 00:12:26.039
to one policy. Yeah, and
that's there's just so many, so many

123
00:12:26.080 --> 00:12:28.360
wins to take away from that.
The security team loves it, but also

124
00:12:30.200 --> 00:12:35.919
just the it and the support folks
like it too because then it's just less

125
00:12:35.000 --> 00:12:41.559
chainsaws to be juggling at the same
time. Absolutely absolutely, And I think

126
00:12:41.600 --> 00:12:48.559
another thing that I was talking about
the adoption of different tools and technologies to

127
00:12:48.600 --> 00:12:56.279
the develops environment, and one thing
that still is not there is the unification

128
00:12:56.440 --> 00:13:00.960
of those tools. In terms of
visibility, Okay, how many many tools

129
00:13:01.000 --> 00:13:05.840
you have, how many different users, both human users and applications are using

130
00:13:05.879 --> 00:13:11.039
specific flows, et cetera. The
fact that you're using a centralized platform for

131
00:13:11.240 --> 00:13:20.080
secrets management is giving you implicitly giving
you visibility to all types of activities in

132
00:13:20.120 --> 00:13:22.720
the develops world. Right, so
you can see, oh, this client

133
00:13:22.799 --> 00:13:30.159
is connecting from CICD platform disguise,
this application is connecting through a communities cluster,

134
00:13:30.879 --> 00:13:35.879
this flow is coming from configuration management. This is a human authenticating to

135
00:13:35.000 --> 00:13:43.480
my Jenkins webuy wherever it may be. But because of the fact that any

136
00:13:43.679 --> 00:13:52.639
entity requires access to secrets, this
gives you implicitly a wide visibility to what's

137
00:13:52.639 --> 00:13:58.320
going on inside your organization. And
that's gold for security officers because there is

138
00:13:58.320 --> 00:14:03.000
no other way that I can think
of to see all those activities coming from

139
00:14:03.080 --> 00:14:05.279
different platforms. Maybe in one infrastructure, like if you're running on a single

140
00:14:05.279 --> 00:14:11.000
cloud provider in a single flow,
maybe that is another way to see that.

141
00:14:11.080 --> 00:14:13.559
But if you're multi cloud or hybrid, if you're using different kinds of

142
00:14:13.600 --> 00:14:18.039
tools in different locations, the only
good way to show that it might be

143
00:14:18.200 --> 00:14:24.799
it would be through secrets Management Central. Yeah, so the secret manager at

144
00:14:24.799 --> 00:14:31.200
that point not only becomes the source
restoring your secrets, but also the like

145
00:14:31.279 --> 00:14:37.559
the audit tool for defining the footprint
and and use of the secrets across it

146
00:14:37.879 --> 00:14:43.559
entire organization. Agreed, Yeah,
hundred percent. And maybe as an evolution

147
00:14:43.279 --> 00:14:50.360
as a next step, applying some
kind of AI based logic on this audit

148
00:14:50.440 --> 00:14:58.200
log can detect different kinds of anomalies, like this activity is not something usual

149
00:14:58.320 --> 00:15:01.759
for this time of day, or
is a day of week or something like

150
00:15:01.840 --> 00:15:07.720
that. The number of requests here
seems unusual with respect to previous weeks.

151
00:15:07.840 --> 00:15:13.960
This application is behaving really in terms
of accessing different kinds of secrets. And

152
00:15:15.480 --> 00:15:20.440
maybe, I mean it's not something
that is part of modern solutions as far

153
00:15:20.480 --> 00:15:22.399
as I know today. But maybe
as a next step, this could be

154
00:15:22.440 --> 00:15:31.080
interesting in helping humans detecting breaches.
Security breaches attacks something that would be hard

155
00:15:31.120 --> 00:15:35.159
to detect otherwise. Oh for sure, that's actually a pretty cool idea.

156
00:15:37.000 --> 00:15:45.159
So if let's talk a little bit
about how you gain like support and sponsorship

157
00:15:45.240 --> 00:15:48.480
for this type of project. If
you want to do the full audit to

158
00:15:48.519 --> 00:15:56.000
gain to improve your security plusture,
what are some of the tools or stories

159
00:15:56.039 --> 00:16:00.799
that someone should be thinking about to
help sell the to their management team and

160
00:16:02.440 --> 00:16:06.840
get people on board with it.
Yeah. I think that this can be

161
00:16:06.840 --> 00:16:18.000
approached in two ways. One from
the security perspective, identifying areas and technologies

162
00:16:18.000 --> 00:16:26.440
that are not well protected today and
defining what would be the impact if specific

163
00:16:26.559 --> 00:16:33.320
credential specific identities would be exposed or
breached. That's one motivation. Another one

164
00:16:33.360 --> 00:16:41.879
is to facilitate as I mentioned,
unified view from an operational perspective. A

165
00:16:41.919 --> 00:16:48.919
third approach would be to meet with
certain requirements to compliance regulations, etc.

166
00:16:49.759 --> 00:16:53.600
Like in order to be compliant to
a certain standard, you have to have

167
00:16:53.639 --> 00:17:03.519
something like that, so different triggers
by different business units. And also about

168
00:17:03.519 --> 00:17:07.240
the model, I think that model
that you tell you you took about sponsoring

169
00:17:07.319 --> 00:17:15.200
that this can be sponsored by the
main driver, some kind of centralized entity

170
00:17:15.200 --> 00:17:22.680
in the organization like the CSO or
the CIO or something like that can also

171
00:17:22.720 --> 00:17:29.400
be done by the IT department if
we're talking about the operational side of things,

172
00:17:30.720 --> 00:17:34.880
and it can also be shared shared
sponsorship in a sense that it's very

173
00:17:34.960 --> 00:17:45.319
easy to know on using a centralized
platform, which departments or which applications consume

174
00:17:45.960 --> 00:17:53.559
services from the secrets management. So
ideally you can divide the payment based on

175
00:17:53.640 --> 00:17:59.240
internal shared model internal to the organization
to say, okay, the department that

176
00:17:59.359 --> 00:18:04.480
is using the most would carry most
of the costs of that sharing. So

177
00:18:07.839 --> 00:18:11.519
putting like the you know, the
dollars aside for a moment, I think

178
00:18:11.559 --> 00:18:17.680
that the motivation can come from different
angles. Each organization that we see is

179
00:18:17.720 --> 00:18:22.000
coming from a different reason, or
maybe a combination of different reasons. But

180
00:18:22.079 --> 00:18:30.160
it's definitely definitely becoming a defacto standard
for large organizations and getting lower and lower.

181
00:18:30.160 --> 00:18:34.480
Like if in the beginning it was
just for large enterprises or corporates,

182
00:18:34.920 --> 00:18:42.680
Today we see even SMBs asking about
secrets management because it's obvious that you should

183
00:18:42.759 --> 00:18:51.759
have some solution. Yeah, for
sure, Like the number of stories that

184
00:18:51.839 --> 00:18:57.119
we hear about every day just keeps
growing. It seems like the people who

185
00:18:57.119 --> 00:19:03.519
are actually impacted most by that are
the SMBs. You know. The enterprises

186
00:19:03.599 --> 00:19:10.680
I think typically have a larger they
have more people, more resources to work

187
00:19:10.720 --> 00:19:14.680
with, so maybe they're a little
bit better positioned. But you just here

188
00:19:14.720 --> 00:19:19.079
a day after day of small and
medium businesses that have been shut down,

189
00:19:19.200 --> 00:19:29.319
locked out, or been unable to
continue business because of security breaches. Yeah,

190
00:19:29.599 --> 00:19:33.240
and bridges is not something that happens
once. And that's it. I

191
00:19:33.279 --> 00:19:42.240
mean the fact that hacker gains access
to even side applications something that looks maybe

192
00:19:42.319 --> 00:19:48.559
less relevant. There is the lateral
movement, you know, like when you're

193
00:19:48.559 --> 00:19:52.920
starting small and expanding the knowledge and
gaining more and more access and more and

194
00:19:52.000 --> 00:20:00.559
more possession of infrastructure and resources inside
organization and waiting for this special moment doomsday,

195
00:20:00.680 --> 00:20:06.119
when something like that is exploding,
and when it explodes them it becomes

196
00:20:06.119 --> 00:20:14.119
a big business problem for this particular
vendor or this particular organization. So detecting

197
00:20:14.160 --> 00:20:18.359
it when it's still small, relatively
small, and the impact is still scoped

198
00:20:18.880 --> 00:20:27.279
and known. The ability to detect
and also remediate that problem right by restricting

199
00:20:27.319 --> 00:20:33.599
access to this application, rotating set
of credentials, revoking access to certain applications,

200
00:20:34.400 --> 00:20:41.559
all that is very important in the
process of securing the organization. And

201
00:20:41.599 --> 00:20:45.119
that ties right back into the mapping
exercise that you mentioned at the start of

202
00:20:45.119 --> 00:20:51.160
the episode, because now you know
what credentials this application use, what services

203
00:20:51.160 --> 00:20:56.759
it talks to, and where else
those components are used in your infrastructure.

204
00:20:59.000 --> 00:21:03.440
Yes, an interesting concept that I
think that is getting more and more attraction

205
00:21:03.839 --> 00:21:08.720
of the time is the use of
just in time credentials. Historically, like

206
00:21:08.799 --> 00:21:17.440
if you're at many years in the
industry like myself, the war files configuration

207
00:21:17.519 --> 00:21:23.559
files with static credentials using m passwords, token's API keys, and typically they

208
00:21:23.680 --> 00:21:30.319
lasted four years. If somebody got
a got a view of them, they

209
00:21:30.319 --> 00:21:36.519
can keep using them without any ability
to detect that This is a misuse right

210
00:21:36.559 --> 00:21:40.960
from if you look from the back
inside of the service side perspective, it's

211
00:21:41.200 --> 00:21:45.680
a value authentication of an authorized entity. What we see more and more is

212
00:21:45.720 --> 00:21:52.880
that there is no reason to have
standing privileges in systems across the environment.

213
00:21:52.440 --> 00:22:00.839
Okay, only when an application argument
needs access for a certain reason for a

214
00:22:00.880 --> 00:22:07.079
certain task. Only then the credentials
will be generated, and they will also

215
00:22:07.119 --> 00:22:11.440
be a thermeral like meaning they have
time to lead. They have a duration

216
00:22:11.640 --> 00:22:17.720
that after this time they will be
revoked automatically without any human intervention in the

217
00:22:17.759 --> 00:22:23.240
process. And that model is becoming
more and more popular for two main reasons.

218
00:22:23.279 --> 00:22:30.119
One is the impact like if I
forget my workstation open, if somebody

219
00:22:30.480 --> 00:22:34.160
grabs access to a certain set of
credentials, they can do so much with

220
00:22:34.240 --> 00:22:40.880
it until they expire. But secondly, it's also enforcing the use of a

221
00:22:40.920 --> 00:22:44.839
centralized system. Imagine that we're talking
about humans, and humans are very lazy

222
00:22:44.839 --> 00:22:48.200
by nature, and that's very normal, and they say, Okay, why

223
00:22:48.240 --> 00:22:53.480
should I log into a secrets management
platform statch and use them password over and

224
00:22:53.559 --> 00:22:59.480
every day and to connect to my
database? Right the second time you do

225
00:22:59.559 --> 00:23:00.599
that, you say, hey,
I can keep a copy of that because

226
00:23:00.599 --> 00:23:04.240
it's static. I can keep it
in my notepad and a story not need

227
00:23:04.559 --> 00:23:10.200
to log in anymore. And that's
true if you're talking about static secrets,

228
00:23:10.200 --> 00:23:14.079
But what if there is no static
secret anytime you need to get dynamic secret,

229
00:23:14.160 --> 00:23:18.200
then you're basically forced or enforced to
do that the right way. Now,

230
00:23:18.359 --> 00:23:25.759
our job is to make it easier
and less painful to people like that,

231
00:23:26.079 --> 00:23:30.519
in the sense that there is single
sign on integration you mentioned OIDC before

232
00:23:30.559 --> 00:23:34.200
and some and also you don't have
to retype over and over your credentials to

233
00:23:34.519 --> 00:23:41.279
get some access. But secondly,
it's mostly done by applications, and applications

234
00:23:41.279 --> 00:23:48.519
can use their trusted identities, like
if they're running on cloud service providers infrastructure,

235
00:23:48.960 --> 00:23:52.519
they can use the cloud IAM to
authenticate to a kill is similitly like

236
00:23:52.599 --> 00:23:56.920
you don't have to have an additional
set of credentials. If you're working on

237
00:23:56.039 --> 00:24:03.359
modern infrastructure like Cobernetti's clus, they
can use the Cobernetus identities to authenticate similar

238
00:24:03.400 --> 00:24:07.799
stame fetch credentials. So you find
ways to make it easy but secure to

239
00:24:08.039 --> 00:24:15.519
authenticate to secretsman on the platform rely
on just in time credentials to apply the

240
00:24:15.759 --> 00:24:22.359
principle that don't have so what's called
zero standing privileges, and also making sure

241
00:24:23.200 --> 00:24:27.839
that the credentials are biding with the
right policy in terms of access the authorization

242
00:24:27.960 --> 00:24:34.119
layer, which means that if here
it applies to the principle of least privilege,

243
00:24:34.200 --> 00:24:40.319
you don't provide anything beyond what the
application or the human requires for this

244
00:24:40.440 --> 00:24:45.440
particular task. If using standing credentials, you would have to have tons of

245
00:24:45.720 --> 00:24:52.240
sets of users and only a very
educated person would pick the right one for

246
00:24:52.359 --> 00:24:56.240
this task. But when you use
dynamic secrets or just in time access,

247
00:24:56.680 --> 00:25:00.279
it's very easy because you have access
only for read or the operations, only

248
00:25:00.359 --> 00:25:06.279
for specific set of secrets that are
required for this application. So it's helping

249
00:25:06.359 --> 00:25:11.160
in so many ways. And I
think that this is a trend that we

250
00:25:11.240 --> 00:25:15.279
see more and more, and I
think that in a few years time from

251
00:25:15.319 --> 00:25:22.480
now, it would be very rare
to see static credentials in production environments.

252
00:25:22.599 --> 00:25:26.880
Yeah, that would be cool,
Like like you have been doing this for

253
00:25:26.960 --> 00:25:32.720
a long time, and I remember
many times whenever someone would say we need

254
00:25:32.759 --> 00:25:38.039
to rotate these keys, and everyone
would just cringe because we knew that it

255
00:25:38.160 --> 00:25:42.079
was going to involve production downtime,
because nobody knew where they were used,

256
00:25:42.079 --> 00:25:45.000
and it was going to be painful
and we were going to have everyone mad

257
00:25:45.039 --> 00:25:52.640
at us. It's a huge project
for many organizations. Sometimes they run it's

258
00:25:53.000 --> 00:25:57.599
funny because we have other ways to
do that. But I so places that

259
00:25:57.599 --> 00:26:03.640
they run campaigns, like they said
the same messages, have you rotated this

260
00:26:03.200 --> 00:26:06.920
set of users? Have you've done
that? Please send me confirmation, Please

261
00:26:06.960 --> 00:26:10.599
do that. It takes months to
do that. It's very painful, like

262
00:26:10.680 --> 00:26:14.400
you, Like you said, it's
very scary. What would be the impact

263
00:26:14.400 --> 00:26:19.119
of that? And I have to
be honest, that is something that is

264
00:26:19.160 --> 00:26:25.400
not going away soon. Like using
just in time credentials is very common,

265
00:26:26.039 --> 00:26:30.680
but not necessarily for privileged accounts like
break class admins or something like that.

266
00:26:30.680 --> 00:26:37.200
That we have to stay and for
that, the solution is to use rotated

267
00:26:37.240 --> 00:26:40.880
secrets, but to do that in
an automated fashion, meaning that something that

268
00:26:40.920 --> 00:26:45.119
you don't even think about. You
have a pretty fine configuration how often you

269
00:26:45.160 --> 00:26:52.319
want to rotate those privileged privileged credentials, and at that time an automated task

270
00:26:52.440 --> 00:26:56.319
is performed and doing that, including
the validation of it, in a similess

271
00:26:56.359 --> 00:27:00.599
manner, and the new version is
kept in the management and the previous version

272
00:27:00.680 --> 00:27:06.759
is still available in case you want
to roll back or revert that change,

273
00:27:07.960 --> 00:27:12.599
and therefore no human intervention in the
process. Therefore no need to have complex

274
00:27:12.680 --> 00:27:22.160
and expensive campaigns to force people to
do that. It simply happened. It's

275
00:27:22.160 --> 00:27:26.279
a non event. Yeah, and
I think that's you know, we have

276
00:27:26.359 --> 00:27:30.839
all the tools to do that,
the technology exists. I think part of

277
00:27:30.839 --> 00:27:33.480
that is just a comfort level,
you know, because it takes a high

278
00:27:33.519 --> 00:27:40.839
level of confidence in your tooling to
just put it on autopilot like that and

279
00:27:40.880 --> 00:27:44.200
say, yeah, just rotate the
creds whenever you think it's good. I'll

280
00:27:44.759 --> 00:27:48.359
I'm sure it's going to be fine. The only way that you can achieve

281
00:27:48.400 --> 00:27:55.559
that is if all the systems,
all the applications, all the humans are

282
00:27:55.599 --> 00:28:00.119
working with a centralized secrets management because
if there are two source of one of

283
00:28:00.160 --> 00:28:04.720
them will break one the other one. Yeah, so it has to be

284
00:28:04.960 --> 00:28:10.880
relying on that, and that's one
of the biggest advantages I think of a

285
00:28:11.000 --> 00:28:18.200
centralized system. Yeah, you know, because it's specifically in areas where you

286
00:28:18.240 --> 00:28:23.640
have like multi cloud organizations. It's
so easy with AWS to just use secrets

287
00:28:23.640 --> 00:28:29.079
Manager or in GCP use their secrets
manager. But then whenever you have to

288
00:28:29.119 --> 00:28:33.799
bridge both of those, you've got
to step back to something that's external to

289
00:28:33.200 --> 00:28:38.079
both of those, and so then
you have this big social campaign. So

290
00:28:38.160 --> 00:28:44.200
now you've got to socialize your new
secrets manager to your engineering teams who are

291
00:28:44.200 --> 00:28:52.200
writing the code so that they know
that this other thing exists and that they

292
00:28:52.240 --> 00:28:56.720
should be using that rather than building
in using the built in native tools.

293
00:28:56.799 --> 00:29:00.079
And I think that social component of
it is probably one of the hardest things

294
00:29:00.160 --> 00:29:04.839
for a lot of people. I
know it is for me personally because I'm

295
00:29:06.160 --> 00:29:11.400
very I like doing things very technical, I'm not really good at socializing things.

296
00:29:11.799 --> 00:29:18.680
But that's a huge component to making
that type of effort successful. Yeah,

297
00:29:18.680 --> 00:29:25.119
one hundred percent agreed, and add
to multi cloud legacy environments on premise

298
00:29:25.720 --> 00:29:30.480
something that does not interact well with
cloud, So you get yourself a lot

299
00:29:30.480 --> 00:29:38.640
of secret silos, different policies,
different processes, different automation scripts, whatever

300
00:29:38.680 --> 00:29:44.000
you want to call that. That's
in the good case that you're automating or

301
00:29:44.039 --> 00:29:49.119
trying to automate. The other alternative
is worse that it's simply like that forever

302
00:29:49.160 --> 00:29:56.119
and everybody's afraid of touching, so
something would break. Yeah, I think

303
00:29:56.160 --> 00:30:02.440
that's a That's something I've encountered in
the past, is people hesitating to do

304
00:30:02.480 --> 00:30:07.839
this because they're afraid of breaking it. One argument I've used to overcome that

305
00:30:07.880 --> 00:30:11.799
in the past is saying, look, it's going to break either way.

306
00:30:12.000 --> 00:30:17.759
We can either choose to break it
intentionally right now for the purposes of fixing

307
00:30:17.799 --> 00:30:22.960
it, or we can wait for
it to break at some random, undetermined

308
00:30:22.000 --> 00:30:26.880
time in the future that we can
absolutely guarantee is not going to be convenient

309
00:30:26.880 --> 00:30:30.559
for anyone. So it's it's our
choice. Yeah, And I would add

310
00:30:30.559 --> 00:30:40.480
to that, maybe not following recommended
practice when it comes to production environment for

311
00:30:40.599 --> 00:30:47.079
different reasons. It can be costs, it can be laziness. Ideally you

312
00:30:47.119 --> 00:30:52.359
would want to have a staging environment
or a dev environment or testing environment that

313
00:30:52.519 --> 00:30:56.640
is identical to your production environment,
so you are able to test something before

314
00:30:56.680 --> 00:31:03.920
it applies or affects production workload.
Maintaining that is something that is expensive,

315
00:31:03.920 --> 00:31:11.200
both in the amount of resources that
you need to duplicate, but also humans

316
00:31:11.279 --> 00:31:15.039
or engineers that need to maintain it
to make sure it's synchronized, to make

317
00:31:15.039 --> 00:31:19.880
sure it's aligned, etc. But
once you're at that point, you can

318
00:31:19.960 --> 00:31:23.240
simulate a lot of scenarios. What
happens if I rotate this value, how

319
00:31:23.319 --> 00:31:27.839
what's the impact? What would break? And you do that before it's impacting

320
00:31:29.759 --> 00:31:36.200
customers, before it's impacting business,
and that would be ideal. I mean,

321
00:31:36.240 --> 00:31:40.839
if I look at our production environment
the way that it's structured, it's

322
00:31:40.920 --> 00:31:45.440
part of our pipeline. You cannot
do a single change to production if it's

323
00:31:45.480 --> 00:31:52.559
not passing all the tests, all
the validation steps that we have in staging

324
00:31:52.640 --> 00:31:56.599
environments prior to that. Now it
costs money, right, you need to

325
00:31:56.640 --> 00:32:02.119
basically double the dollars you pay for
production, but it buys you reliability,

326
00:32:02.880 --> 00:32:12.000
which in some sense values for money
for our customers. Okay, imagine it's

327
00:32:12.039 --> 00:32:21.079
something like that business critical system like
secrets management is not accessible. This means

328
00:32:21.119 --> 00:32:27.440
automatically that our customers are bleeding money
pages all over the place. I mean,

329
00:32:27.480 --> 00:32:32.240
it's it's becoming a mad place.
But we need to be very confident

330
00:32:32.279 --> 00:32:37.680
about the changes that we do,
and I think that our customers, many

331
00:32:37.680 --> 00:32:43.960
of them, are following same practices
to achieve that goal of not being afraid

332
00:32:43.960 --> 00:32:51.680
of doing changes, being less afraid. Right, an circling back to the

333
00:32:51.720 --> 00:32:58.400
c CD integrating with security thing,
what are the what are the different areas

334
00:32:58.440 --> 00:33:04.880
in a CD c C pipeline that
you think are our stop points or security

335
00:33:04.920 --> 00:33:15.000
checkpoints. So today a lot of
CICD platforms are integrating the SEM with the

336
00:33:16.640 --> 00:33:22.000
part of the deployment. Okay,
so checking out code is a honish,

337
00:33:22.119 --> 00:33:25.160
it's part of the same platform.
You don't have to authenticate to a remote

338
00:33:25.200 --> 00:33:31.000
kit tabripo or something like that.
In the past it used to be like

339
00:33:31.039 --> 00:33:35.559
that, Like I mean, I
don't know, using Jenkins or something like

340
00:33:35.599 --> 00:33:39.400
that, you have to authenticate to
a remote It triple and the second part

341
00:33:39.480 --> 00:33:45.160
is about the deployment, the CD
part of things. Right, So when

342
00:33:45.200 --> 00:33:50.960
you deploy something, it normally involves
two phases. One of them is building

343
00:33:51.000 --> 00:33:55.759
the artifact and uploading it to some
kind of artifactor or artifactory serving. It

344
00:33:55.839 --> 00:34:01.599
can be a container registry that holds
the recent version of the image. It

345
00:34:01.640 --> 00:34:07.519
can be a few sets up binaries
that you stage somewhere in the kind of

346
00:34:07.039 --> 00:34:13.639
a street bucket or something equivalent to
that. And the second phase is to

347
00:34:13.920 --> 00:34:22.320
apply the new artifacts in the production
environment. That can be by applying restart

348
00:34:22.400 --> 00:34:30.000
rollout to your communities, deployment,
or reinstalling certain components in software to pick

349
00:34:30.039 --> 00:34:37.000
them up. All of that is
like a typical CICD flow, checking out

350
00:34:37.000 --> 00:34:40.199
a piece of code, building something, getting artifacts, uploading them somewhere,

351
00:34:40.440 --> 00:34:45.519
applying it to production environment, all
those steps without any exception. Maybe just

352
00:34:45.559 --> 00:34:52.800
the buill part will require a set
of credentials okay to authenticate to get to

353
00:34:54.000 --> 00:35:00.599
doctor hub or whatever registry you have
Kubernitis, et cetera. And typically it's

354
00:35:00.639 --> 00:35:05.440
not for a long time, like
you need it for just a minute or

355
00:35:05.480 --> 00:35:10.519
two for the authentication. So just
in time is a perfect match to this,

356
00:35:12.360 --> 00:35:15.679
to this flow, and it's very
diverse, so you see a lot

357
00:35:15.679 --> 00:35:22.599
of technology. Sometimes you even use
database to query something in order to decide

358
00:35:22.639 --> 00:35:28.800
where to apply or what to do
something that's another security checkpoint to authenticate to

359
00:35:28.840 --> 00:35:35.000
that database. So I believe that
if you look at the flow, you

360
00:35:35.039 --> 00:35:42.840
will see a lot of a lot
of integrations with the secrets management that's yeah

361
00:35:42.840 --> 00:35:46.320
for sure. Yeah, just pretty
much every step along the way you need

362
00:35:46.679 --> 00:35:52.960
a different set of credentials or different
set of secrets for that step. Yeah.

363
00:35:54.639 --> 00:36:00.840
Right, So we're saying that the
secrets management platform has all of our

364
00:36:00.880 --> 00:36:07.239
secrets, So how do we how
do we set up the secrets management platform

365
00:36:07.119 --> 00:36:14.679
to be secret itself? Right?
I'm guessing that you're aiming, how would

366
00:36:15.199 --> 00:36:22.000
an application CICD pipeline, for example, would authenticate to a secrets management platform

367
00:36:22.079 --> 00:36:28.400
without having an initial secret by itself. Yeah, and that's an interesting point.

368
00:36:28.440 --> 00:36:32.480
I mean, talking about legacy workload, that probably was the case.

369
00:36:32.519 --> 00:36:38.119
I mean, there wasn't any kind
of underlying or fancy underlying infrastructure just run

370
00:36:38.159 --> 00:36:46.000
on burn metal hosts with no type
of identification for this particular workload, let

371
00:36:46.039 --> 00:36:50.639
alone in a trusted manner. So
you had to have something like that.

372
00:36:51.039 --> 00:36:58.559
Today, most of the infrastructure is
running on top of modern infrastructure. May

373
00:36:58.599 --> 00:37:04.440
it be a cloud service provider,
different kinds of services. There comberneties,

374
00:37:04.480 --> 00:37:09.719
clusters, CICD platforms, and all
of them are providing some kind of trusted

375
00:37:09.800 --> 00:37:14.920
identity. When I say trusted,
it means that it can be verified by

376
00:37:14.920 --> 00:37:20.480
a third party. If we were
talking about this job authentication, it means

377
00:37:20.480 --> 00:37:25.719
that the cicity platform is holding a
sensitive private key that is used to sign

378
00:37:25.840 --> 00:37:32.480
this job for a short duration,
and it's also providing an external endpoint with

379
00:37:32.599 --> 00:37:38.519
access to the public matching public key
that any third party can just validate if

380
00:37:38.559 --> 00:37:45.239
this is signed by this trust identity. Cloud service providers are doing something similar

381
00:37:45.239 --> 00:37:52.119
to that, using different service and
SDS service and others to be able to

382
00:37:52.159 --> 00:37:57.679
validate. And if you're still if
you're still using a legacy workload running on

383
00:37:57.719 --> 00:38:04.840
burmetals or VMS on prem there are
ways to bypass that. We have implemented

384
00:38:04.880 --> 00:38:12.159
something an authentication method called we call
it universal identity. The concept is to

385
00:38:12.320 --> 00:38:21.320
have tokens that are frequently and rapidly
rotating. So there is an initial token,

386
00:38:21.360 --> 00:38:28.119
but immediately after that it's been constantly
and frequently rotated. Each rotation is

387
00:38:28.280 --> 00:38:36.519
invalidating the previous version of the token. So the reason it's it's considered more

388
00:38:36.559 --> 00:38:44.159
secure is because a random hacker that
gets access to this improvement has no identity

389
00:38:44.199 --> 00:38:47.199
to still outside of that environment.
Like, if I see this token,

390
00:38:47.920 --> 00:38:51.599
I can maybe take it and try
to use it elsewhere. In a second

391
00:38:51.599 --> 00:38:54.840
from now, it will no longer
be valid because by then it was rotated.

392
00:38:57.440 --> 00:39:00.039
One of the questions that I asked
when you when you say short lived,

393
00:39:00.039 --> 00:39:05.039
you're talking numbers of seconds. Numbers
of seconds? Wow, right on,

394
00:39:06.800 --> 00:39:10.440
yes, And what I'm being asked
is, in order to rotate a

395
00:39:10.519 --> 00:39:14.960
token, you need to have access
to the token itself, right, This

396
00:39:15.039 --> 00:39:21.239
is the identity that allows you to
perform the rotata operation. So somebody asked

397
00:39:21.280 --> 00:39:27.800
me once, what if this hacker
is rotating the token before the valued application

398
00:39:27.960 --> 00:39:30.119
is even though it's we're talking about
seconds, we're still quick enough to do

399
00:39:30.199 --> 00:39:36.440
that. That may be the case, But one of the events that would

400
00:39:36.880 --> 00:39:40.119
because as a result of that is
the rotation of operation of the valued application

401
00:39:40.199 --> 00:39:45.920
would fail. And that event alone
can be triggered. Can be triggered in

402
00:39:45.000 --> 00:39:50.119
order to revoke access to the application
something is bad happening. I simply revoke

403
00:39:50.239 --> 00:39:53.880
access to anyone who's using this identity. So in any case, this random

404
00:39:54.039 --> 00:39:59.519
hacker would not be able to enjoy
or to get access to secrets, and

405
00:39:59.559 --> 00:40:05.880
that's based taking an old school environment
and making it a trusted environment or trusted

406
00:40:05.920 --> 00:40:09.320
identity without the secret zero problem or
the chicken and an egg problem like that

407
00:40:09.400 --> 00:40:17.199
you descript right on, and that
ties kind of into the difference between authentication

408
00:40:17.800 --> 00:40:25.320
and authorization, right, So the
sign the token is the authentication piece of

409
00:40:25.360 --> 00:40:32.679
that, and then the contents of
the token itself are the requested authorization that

410
00:40:32.880 --> 00:40:38.039
may be granted once the sign token
is validated. Right to be precise,

411
00:40:38.199 --> 00:40:44.599
the token contains a set of attributes
which in the back end are associated with

412
00:40:45.320 --> 00:40:50.519
an authorization layer. It's in our
case, it's it's based on role based

413
00:40:50.559 --> 00:40:54.800
access control or our back So it's
definitely relying on the attributes that are part

414
00:40:54.800 --> 00:40:59.119
of that token, but that the
loan is not the access role because it's

415
00:40:59.280 --> 00:41:04.840
the language is more reached and just
holding it in a token, it's about

416
00:41:04.880 --> 00:41:07.280
capabilities, what kind of access rules, which kind of secrets, what type

417
00:41:07.280 --> 00:41:13.679
of permissions based on crude attribute.
So you have a lot of data behind

418
00:41:13.719 --> 00:41:19.480
the scene and holding it inside a
token that's supposed to be relatively small in

419
00:41:19.599 --> 00:41:32.039
size is not realistic. Gotcha cool? So from someone just getting started on

420
00:41:32.199 --> 00:41:38.440
this or just trying to gain traction
on it. The mapping exercise to understand

421
00:41:38.480 --> 00:41:45.280
the scope of the problem, prioritize
it, to attack the or to address

422
00:41:45.360 --> 00:41:54.360
the biggest risk items first, and
then use that to start bringing in other

423
00:41:54.440 --> 00:42:00.400
teams to sell it to them and
show them the benefit or why they may

424
00:42:00.440 --> 00:42:05.679
have a vested interest in this,
and then from that point you may have

425
00:42:05.719 --> 00:42:07.920
a pretty good idea what your implemented
solution is going to look like to sound

426
00:42:07.960 --> 00:42:13.400
about, right, Yeah, actually
it's a it's a fair description of our

427
00:42:13.440 --> 00:42:20.519
discus piece of cake. Just an
afternoon's work, right, absolutely, It's

428
00:42:20.519 --> 00:42:28.280
always like that. Yeah, cool, All right, Well, I think

429
00:42:28.360 --> 00:42:31.800
we are coming up on an hour
here. Is there anything else that you

430
00:42:31.840 --> 00:42:39.800
would like to share or offer as
words of wisdom to someone taking on their

431
00:42:40.360 --> 00:42:49.599
security journey. I think we've covered
pretty much the main stuff that I wanted

432
00:42:49.639 --> 00:42:55.400
to discuss. Obviously we can expand
on different areas. Yeah, I see

433
00:42:55.400 --> 00:42:59.760
different topics, but I don't think
we have enough time to cover everything.

434
00:42:59.800 --> 00:43:04.920
So I think it's a good start
and maybe in future sessions. Yeah,

435
00:43:04.960 --> 00:43:08.320
it sounds like you just teed us
up for a part two of this conversation.

436
00:43:09.800 --> 00:43:19.480
Why not right on cool? So
let's do let's do some picks just

437
00:43:19.519 --> 00:43:24.719
to introduce something cool. My pick
for today is going to be the gov

438
00:43:25.159 --> 00:43:30.039
Lights go v G, o V
E E dot Com. I put some

439
00:43:30.159 --> 00:43:35.360
of these lights. We have this
recessed ceiling in our living room, so

440
00:43:35.360 --> 00:43:39.079
I put some up there and it's
just been super cool and you can control

441
00:43:39.119 --> 00:43:49.000
it all with your app and it
uses it connects to your Wi Fi and

442
00:43:49.079 --> 00:43:51.679
you know, I think one of
the biggest concern I have with all of

443
00:43:51.719 --> 00:43:59.280
these smart lights is giving them access
to my network. And yeah, so

444
00:43:59.320 --> 00:44:01.960
I don't know if you is any
secure, any more secure than any of

445
00:44:01.960 --> 00:44:07.280
the others. This is not a
security endorsement. The only disclaimer I'll say

446
00:44:07.280 --> 00:44:10.760
there is I do have an isolated
Wi Fi network, And yeah, I

447
00:44:10.800 --> 00:44:14.360
separate the networks. I don't know, it's something that I put in the

448
00:44:14.400 --> 00:44:20.320
past. One for the computers and
sensitive information and all the rest for all

449
00:44:20.360 --> 00:44:24.079
the unknown devices that I purchase online. And I don't know what the hell

450
00:44:24.159 --> 00:44:28.559
are doing exactly. Yeah, I
run three networks. I have the one

451
00:44:28.559 --> 00:44:31.360
for my work computer and then the
one that the rest of the family uses

452
00:44:31.360 --> 00:44:35.360
with their phones and computers. And
stuff. And then there's the third one

453
00:44:35.440 --> 00:44:39.199
for anything that wants to claim its
smart like, okay, well you can

454
00:44:39.199 --> 00:44:45.760
go be smart over there. Absolutely, And once when I had the time,

455
00:44:45.840 --> 00:44:50.079
I even tracked. I don't know, I took some TCP dams to

456
00:44:50.079 --> 00:44:52.559
see what kind of activity is this
device doing when I'm not doing anything.

457
00:44:53.199 --> 00:44:59.119
You'll be surprised how many packets it's
sending two different IP addresses across the globe

458
00:44:59.119 --> 00:45:02.719
where I did get a chance to
investigate. But as long as it's not

459
00:45:02.840 --> 00:45:07.159
able to access the local network at
the computer network, I'm quite okay with

460
00:45:07.239 --> 00:45:12.719
it. Yeah, for sure,
you just got to limit your exposure.

461
00:45:12.960 --> 00:45:15.960
It's about all you can do.
Absolutely. I'm also I'm also dealing with

462
00:45:16.639 --> 00:45:24.039
like improving my smart home devices.
It's a project that I started many years

463
00:45:24.039 --> 00:45:30.639
ago, when before all the easy
to plug in devices were selling online.

464
00:45:30.719 --> 00:45:36.000
I started with a small r the
window project. The initially just to turn

465
00:45:36.039 --> 00:45:42.199
on and off a light a lot
bulb. Later on, it was so

466
00:45:42.320 --> 00:45:45.599
embarrassing to buy something much cheaper than
the than the board itself to do everything

467
00:45:45.679 --> 00:45:52.800
for you, plus connecting to the
internet and Wi Fi. And today I'm

468
00:45:52.840 --> 00:45:57.239
combining it all in a mobile application. So it's very easy sometimes, like

469
00:45:57.440 --> 00:46:00.320
when I'm driving home, like I
turned on the see when when it's hot

470
00:46:00.320 --> 00:46:05.320
outside. So I get home and
everything is all brazy and nice, opening

471
00:46:05.360 --> 00:46:10.400
the the winds, the shields in
the morning and closing them at night and

472
00:46:10.440 --> 00:46:15.239
all that. So it's a project
that is ongoing, but I enjoy you

473
00:46:15.280 --> 00:46:19.239
playing with it when I have the
time. Yeah, for sure. Time

474
00:46:19.280 --> 00:46:23.480
is a big commitment there because I
find it super interesting. But meanwhile,

475
00:46:23.320 --> 00:46:28.039
when my wife is like, well
you just stop, leave it alone,

476
00:46:28.320 --> 00:46:32.280
I just want it to work exactly. You need to have a fair sef

477
00:46:32.280 --> 00:46:36.599
meccas and is something that all defence
and stuff is not working, you still

478
00:46:36.639 --> 00:46:39.079
have a knob to get what you
wanted to do. Then I need a

479
00:46:39.119 --> 00:46:45.360
staging environment for my home automation so
that I can keep production of time and

480
00:46:45.480 --> 00:46:49.760
keep it with a secrets management for
all the sensitive day that you have exactly

481
00:46:50.199 --> 00:46:54.920
exactly cool, So go VI lights
or my pick. What what have you

482
00:46:54.920 --> 00:47:01.199
got for? Sorry, it's it's
hard because most of the innovation that I'm

483
00:47:01.199 --> 00:47:09.039
playing with is related to what I
do at work. So recent evolution that

484
00:47:10.199 --> 00:47:17.400
a small gig that I did is
related to application monitoring. You know,

485
00:47:17.480 --> 00:47:22.920
sometimes it's hard to identify what specific
flow in the application is the one causing

486
00:47:23.760 --> 00:47:30.000
an unexpected use of resources, whether
it's CPU, memory and other stuff.

487
00:47:30.000 --> 00:47:34.119
There are many tools to do that
today, but the interesting part is how

488
00:47:34.159 --> 00:47:38.760
to facilitate that to the developers so
they can see exactly what's the problem,

489
00:47:38.840 --> 00:47:45.519
capturing this very moment and facilitating that. So we had a different solution part

490
00:47:45.519 --> 00:47:52.840
of our product for accessing web applications. The challenge was that this data is

491
00:47:52.880 --> 00:47:59.400
textual and can be converted to an
HTML, but it's required to do some

492
00:47:59.480 --> 00:48:04.920
kind of an operation to run or
to execute the process before the page is

493
00:48:07.199 --> 00:48:14.199
proper or rendered. So I combine
that with a small LUA script that runs

494
00:48:14.239 --> 00:48:17.519
on Engine X and that this triggers
the command to populate the HTMIL. It's

495
00:48:17.559 --> 00:48:21.639
fast enough so you wouldn't notice in
the browser that something is happening in the

496
00:48:21.639 --> 00:48:25.159
background, but it's in a click
of a button you're able to see the

497
00:48:25.199 --> 00:48:30.039
application flow. So that's that's something
I work in the site. It's not

498
00:48:30.360 --> 00:48:34.800
directly related to what I do,
but it was a nice project that I

499
00:48:34.840 --> 00:48:37.880
claim, right, and that's super
cool cool. So if people want to

500
00:48:37.880 --> 00:48:42.519
get in touch with you, talk
more about security. How can they do?

501
00:48:44.840 --> 00:48:50.199
I think the best way through my
email. It's already at a kidos

502
00:48:50.239 --> 00:48:54.440
dot io. I cannot promise an
immediate or fast response, but I can

503
00:48:54.559 --> 00:49:00.599
promise a response, so fair enough, give it a try. Awesome,

504
00:49:00.920 --> 00:49:04.039
Well, thank you so much for
coming on the show. It's been a

505
00:49:04.079 --> 00:49:07.679
great conversation and I look forward to
having you back on to talk more about

506
00:49:07.719 --> 00:49:12.280
this. Thank you very much,
Will for hosting me here. It was

507
00:49:12.519 --> 00:49:16.079
truly pleasure and fun, and I
look forward to talk against right on.

508
00:49:16.199 --> 00:49:17.719
Thanks everyone, we'll see all next
week.