¶ Intro
Hello and welcome to the high tech low code podcast. In this episode of the podcast, we are joined by Ian Taylor as our co-host. How are you doing, Ian?
I'm doing very well. Thank you, Mario.
Today's topic is cybersecurity. And for that we have the pleasure of having as our guest speakers Francesco Cipollone and Owanate Bestman. Francesco is an executive, public speaker, published author and international judge, host of the CSPC podcast, and has held several roles ranging from head of application security to head of security architecture, also armed with extensive experience related to the implementation of security across multi-cloud providers such as Amazon AWS, Microsoft Azure and Google Cloud. Owanate is a successful recruiter, passionate about assisting security leaders and security practitioners alike to meet their career and business goals, with an excellent record of staffing high profile regulatory and commercially driven cybersecurity and technology risk programmes globally. Thank you very much, both, for giving us this opportunity to have a chat with you. I would like to start by asking how you are, and if you'd like to give the listeners an intro about yourself?
Go first, I'm on. I'm very good. It's been a good week, good month, and no complaints on my part whatsoever. I appreciate the invitation to speak to your audience. In terms of what I do, I'm the founder of Bestman Solutions, which is a recruitment firm dedicated to assisting CISOs and security practitioners within the field of hiring. So I specialise in placing individuals in technical positions such as security architecture, and also non-technical security positions such as policy, governance, assurance, what we call GRC. I work in a global capacity, primarily within the mid to senior market. But I also spend a lot of time advising maybe rookies trying to get into the field and location, what they should do, and what good looks like. I also spend time speaking to CISOs to advise them of the hiring needs and how the market might impact the headcount goals and plans moving forward.
Hey Mario, hey Ian, how are you doing?
Good, thank you.
I won't list my stuff, because it's too long. I'm heading up the Cloud Security Alliance for the UK and the podcast as well. I'm heading up a startup and a consultancy. So what we do, in a nutshell: I tend to help the cybersecurity space and non-cybersecurity space with securing their applications, cloud and so on. And we have technology that backs us up. And we really want to help people get better at secure coding and get more people into the industry. I'm a big advocate for diversity and really passionate. I mean, anyone who knows me knows that I'm really passionate about bringing people from different parts of the industry into cybersecurity and getting them the help they need to get started. So that's a little bit about me.
¶ Background Francesco Cipollone
That's great. That's great.
So could I ask you, let's start with Frank. How did you get to where you are today, kind of talk us through your path and what made you go into the technology side of it?
It's really a funny story. So I stumbled into cybersecurity completely by accident. So I started a career in IT fundamentally, and I was studying at university. And I took one optional field that was cyber security and cryptography. And it was really, really cool. And I started getting into it, more into it, and then started challenging my professors, and the professors were challenging me, and all of that. They said, you're great at this. I said, am I? So yeah, why don't you, why don't you? Why don't you start working on this tiny piece of work that took a year to bring to market. It was a little bit in the earliest days of virtualization and security in the virtualization world. And at that point in time, it was absolutely not convenient at all to write. I remember writing really low-level code, assembly code mixed in, etc., to actually communicate with the virtual machine from the host machine, and whoever is in the space knows how painful the early days were. I don't know if you guys wrote in assembly, but it's not fun at all. So I'm really grateful to be in the low code, almost no code, because that thing was absolutely dreadful. And then I kind of grew into it day by day, so I started my consultancy and training company back in Italy. Then we sold, we started working with Microsoft and Cisco more and more, and then expanded here in the UK, and really jumping from cybersecurity, then back in cloud security, now in application security. Security is such a nice and wide field to be in. And sometimes it can be scary. That's why me and Owanate have done a lot of episodes, virtually and non-virtually, to actually help new starters getting into this field that can be so confusing. And it's confusing for security people; I can imagine for people that are not in this field.
Thank you very much. And that is quite an interesting journey for you.
It is.
¶ Background Owanate Bestman
Owanate, would you like to give us a kind of, how did you kind of lean into this career path?
Well, first off, any recruiter who tells you they wanted to get into recruitment whilst they went to university or something like that is lying, and I'm going to call them out right back. So everyone, myself included, I fell into recruitment. First off, so I started placing, I've been in recruitment for a long time now. Well over 15 years, I think my last count was 18 years, I stopped counting, along with a couple of grey hairs. But I started off placing pharmacists, actually, in the NHS and in pharmaceutical companies. But I was the first one to actually place a pharmacist within a prison, a locum pharmacist; we call contractors locums. So that's my claim to fame. And I moved out of the public sector, and I placed individuals within IT first, second and third line, primarily in two banks. And this was the crazy days of recruitment, or I equate it to the Wolf of Wall Street. So that's all time, it was Wolf of Wall Street. Well, yeah. So and then started refining it somewhat. I moved from organisation to organisation, and I spent the last seven years assisting security professionals, and it was just prior to that operational risk. So that was a very good transition. Sometimes I describe cybersecurity as operational risk, just with more of an IT flavour. So it was quite an easy transition. And what's kept me in it is some of the interesting, crazy, smart people you meet along the way. So yeah, and here I am, I set up my own firm in April. Perfect timing, at the very start of the lockdown. So it was..
..a Corona company.
Yeah, I was on gardening leave when it happened. I thought, all right, you know, a nice thing to say anyway, so touch wood. So far, so good, headed in the right direction. And it gives you an opportunity to speak to even, even more people at this time, because you're able to add more value. People are more open to conversations. So all good.
Absolutely. Thank you very much.
¶ How to become a cyber security specialist
Yeah. I would like to ask, actually, from a recruitment perspective, what an applicant needs to do to position themselves in this competitive climate to secure a role. What certifications are most sought after?
It depends on how much experience they have, if they're just getting into security. Well, first off, nothing beats work experience. If you are able to link what you've done previously, in any sort of security capacity, even if it's physical security, that's very important. From a certification perspective, if you're just getting into it, I think the CompTIA Security+ is a very good certification to have. Now there are no real prerequisites behind it. Before the CompTIA Security+ there's CompTIA Network+, CompTIA A+, but strictly speaking, it's not necessary to complete those certifications before you go to CompTIA Security+, only a good understanding of IT, and a good understanding of Linux and Unix.
Now, as you progress and gain more experience, there are middle ground, intermediate certifications, such as CEH, Certified Ethical Hacker, which, off the record, doesn't actually make you a hacker. It's a good, strong security certification to have, but you need two years of experience behind you. Also go back to fundamentals as well, as people try and move into security. I think that is, I think people forget some of the fundamentals, such as do your research on the company, do your research on what purpose security serves within the organisation. Realise that whilst in most organisations it's not a money-making area, it is an area in which you save money for the organisation. Either you save money by preventing the organisation, as much as you can, from being hacked, which leads to losses of reputational risk, and also leads to regulatory fines.
It's very important, this is a very saturated market, a lot. I mean, if you look at the term cyber security: back in the days it was IT security, then information security, now it's cyber security. You know what, cyber is a sexy term, it sells, it's probably a marketing term. With that you have more individuals interested in it. It's important to network as much as you can. Obviously, we're not able to network physically here, but there are associations you can join. It's important to do your research as to the organisation's impact within the actual industry, what they've done. So, and also where you want to go in security: there are non-technical areas in security and technical areas in security. It's important to have a goal in mind and research the certifications along with that, but nothing beats, nothing beats experience. If you can, if you're not working within security currently, but you are working in an organisation, if you can put your hand up, volunteer for any security related programmes, security related projects, find a sponsor within IT. And if you're able to articulate that and put that into your resume, then you stand in a much better position, or ultimately research.
For those certifications, do you advise any institute?
Maybe I can pitch in, because let's not forget that there is also a lot of open source, there is a lot of open source stuff and a lot of people doing free and available material. So certification is great, and I absolutely agree with Owanate, experience is fantastic. But also there is a lot of stuff. If I can mention, the Cloud Security Alliance is doing a lot of stuff on cloud security. We have conferences, we have talks, Owanate has been on some, and we've done like the full path for DevSecOps, or certification or any kind of these things. But also dive in, because effectively, right now that all these conferences are online, just absorb all this knowledge because it's free, and it is available there. So you don't necessarily need to do the certification. Certifications are great. But they cost money.
And right now, in this moment of scarcity, where people are out of a job, OWASP is a great place where everybody is pushing in. And it's not just about web application security; it was born as an open web application security framework. But it expanded and has a lot of flagship projects and a lot of great people that can guide and share their knowledge, and it's for free. So go out there, search for ISC² or CSA or OWASP, they are great, or ASA, they are a great place to network and to get free information.
Great. Thank you very much.
Can I just add on to that as well, Mario? You mentioned a good point. I'm a big fan of the term free. I recently compiled 10 free training courses, specifically dedicated to security. Some are in cryptography, some are in GRC, some are in security architecture. These are all free and they run at various levels, from intermediate, rookie, straight through to experts.
That's actually on my website, in the publications part of Bestman Solutions. If you go to that, I've listed 10 free training courses; it is also on LinkedIn as well. So go to the publications webpage of Bestmansolutions.com and they're all listed there, a number of them, some from the Open University as well.
Okay, okay, so the website, just to confirm, is bestman.com, right? And we can
No, no, it's bestmansolutions.com. If you go to bestman.com it might take you to a stag company. We do that as well, but
let's take the bestmansolutions.com, just confirming.
Branching out into a whole new role. I thought about that. Yeah. Okay, so just to bring it back to cybersecurity.
¶ Risks that cyber security is dealing with
So obviously OutSprint are OutSystems, but taking into account the platforms, OutSystems' partners, absolutely the low code, no code type solutions we have out there. And obviously with the pandemic, people have been using these more heavily now. What would you consider the biggest risks that need to be kept an eye on for these low code systems and platforms?
I will say cybersecurity is first of all, because a lot, right now we saw massive cuts in cybersecurity teams, and the organisation will still need to deploy. And actually even more right now, people are trying to find different and new, clever ways in these times of scarcity. So I really love the idea of almost no code writing, and it is in line with Gartner's zero code or citizen code initiative that I really love, because it brings everybody from the organisation to actually write code, or get that empathy towards engineers, and to bring effectively the prototype to market as fast as you can. But the only problem with that is that everybody that puts together a piece of code or a piece of an application could potentially publish it without involving security. And that could lead, first of all, if you are lucky, in a reported project, to brand reputational damage, but if you're not lucky, there could be a breach point.
So I would say low code is great, but also always involve security in, you know, assessing, or maybe test the application in an environment that is safe, where the client can come and try it out, but in a very safe way. And if you want to take it outside, take it outside just on a temporary basis, or put MFA plus an authentication login so that you prevent the occasional hacker or the occasional attacker from breaching your application just because you put it there occasionally. So just always be conscious that even if it's a demo, if it's a prototype, anything, it just affects your brand and affects your organisation or brands. And test it; if you take it to production, test it, with a vulnerability scan if you don't want to buy an expensive pen test, or pen test it, because it's the best way to actually break the logic of an application. And we offer both services. So if you don't know where to go, come to us.
Very generous of you, we will be looking for the discount.
Absolutely, we offer discount to authors.
Thank you very much.
Still using that as a segue and taking into account platforms such as OutSystems, or Power Apps and that the platforms such as these are helping with the current wave of digital transformation that was kickstarted by the pandemic, what would you consider to be the biggest risks that we should keep our eyes on?
Web assessments, web, I mean, if you look at OutSystems and if you look at any low code, it is effectively just pieces of code put together to describe a workflow, to describe an application. So the traditional problem with a piece of code is that you can atomically evaluate an application, or a piece of code, or anything, that is secure by itself, but then you put it together and the different components can operate in a way that makes an application behave in an insecure way. And that's bread and butter for an attacker, because they try to break, while they try first of all, occasionally, to break an application, to break into a system using, you know, the common vulnerability: you have a port open that may be exposing a web server that is vulnerable, or any other occasional stuff that is easy to exploit. But then the next level is they try web application; they try to probe other fields, or try to see if they can steal your cookies, if they can steal a session. And that individually, it's complicated, too. But then the other part is, they try to break the logic of an application. So if you put together a prototype that maybe leads to an internal database with some user information, maybe they try to bypass the authentication, maybe by inserting some fields. So it's always better to instil that kind of testing mentality in all your development lifecycle, so that when you bring an application into production, you start thinking like an attacker, you start trying to break your own application. And if you instil it in your own developers, they can think, first of all, on how they can break their own application, where they need the testing in a more consistent way. I don't know what you guys think?
¶ Cyber security and low code
I was thinking about what you just said, and most of these low code platforms already offer, out of the box, authentication methods and whatnot. I would like to trust those authentication methods to say, okay, these are secure enough to at least withstand an attack from a hacker. What's your view on that?
Yeah, I mean, I think 30% of the attacks right now are through credential stuffing. So because there are so many breaches, people are just collecting. I mean, there is Collection #1 to Collection #5, that is like gigs and gigs and gigs of files with usernames and passwords. So any kind of attacker that is worth their name has those at hand and can try them continuously. So even if normally an attacker or a user uses the traditional credentials, it's not that the authentication system is not safe, it's that it's very common that those passwords might have been used somewhere else. And (I see) you could potentially build a super secure authentication method, but then you lose the consideration that an attacker will not try to break a protocol, because people will have tried to secure their protocol to the nth degree. But then they will use the occasional thing, that is: do I have the credentials? Let's try all the credentials, and maybe crash the application because you try too many credentials at a time. An attacker is fundamentally thinking outside of the box. And if you think outside of the box like an attacker and say, well, I have an authentication system, and then I have multi-factor, if you try them both it is really, really hard to break it. And that's actually how to get rid of, for example, things like credential stuffing: just put multi-factor, even SMS two-factor authentication, in immediately, and you've secured your application with an authentication flow so much better.
Never thought about it this way that social engineering could actually be the undoing of my application.
So you can build the most secure things, and then you break the logic of an application. For example, one thing that we were testing some time ago for a client is they built a very secure application; we vulnerability assessed the application, almost nothing showed up, they were super, super proud. And then, you know what? I inserted admin at the end of the URL. And I completely bypassed the authentication system, because it didn't (uh, that must have hurt) but they never thought somebody would have done that. And the authentication system was perfect. They had multi-factor, but they forgot to tie the authentication into re-authenticating. So effectively, that was a problem. Or a more ingenious way will be, you know, what about stealing a token from a client and replaying the token towards the application. And if the client is an admin, I replay that token, and I'm an admin immediately; I stole that session. You need to think outside the box: attackers are getting, like, vulnerabilities into laptops for that specific reason, to steal credentials, to steal cookies, to steal tokens, because that's the easy way. That's the easy way: you can social engineer somebody, say: I'm your boss, I need this email immediately, or click on this website, enter the credentials, store the credentials, I am your admin, immediately. So you might build the most secure application, but then you forget the human aspect of cybersecurity. And it's usually the weakest link, but it's the one that works, and attackers use it. Yeah, and it's not the user, it is not the user's fault; it is whoever designed the application that hasn't thought it through, or whoever is effectively the cybersecurity professional, or responsible for cybersecurity, that doesn't have a solid cybersecurity strategy. With a solid cybersecurity strategy, I say look at application security, look at vulnerability assessment, and look at the human aspects of how you can train your users to not react to weird emails, or to always question weird emails. And it's as simple as that.
¶ Where is cyber security going?
Yeah, absolutely. So, as we're kind of closing up this podcast, I'd like to get your thoughts. You know, what is the vision? You know, where do we see cybersecurity going, when we take into account the rapid progress we're making, and how smart hackers are getting? Where do we see this going in the future?
So let me add just a little bit because, of course, I'm Italian, I've been speaking a lot. It's my bad. But I see, I see almost like everything is getting outside the data centre. More is getting into the cloud. And the only thing that we are left with is securing some code and securing some cloud environments. And that's where we've been investing heavily in helping our clients secure their code and the cloud, because that's where we think that cybersecurity is going to go, and everything else will be almost automated or automatable. So the more you secure your code, the more you secure your user behaviour, the more you have a structured strategy, the better you are at cybersecurity.
Yeah, I certainly agree with that, especially around automation, and whether or not that is artificial intelligence as well, in the progression towards artificial intelligence. So I'm coming from a recruitment perspective. And I think the implementation of artificial intelligence will diversify the job descriptions and diversify the duties of security practitioners, in which a lot of the monotonous activities won't be automated. And perhaps we can get back to some of the human elements as well. And to maybe recruit people that think like hackers, from a wide diversity, from a wide pool of society, to reflect the actual hackers as well. So rather than being more reactive, to effectively be more proactive. That's my wish. What do I know? Can I do if I justify CISOs? And what to do, right?
¶ Outro
Thank you very much Francesco, Owanate and Ian for being able to join us and taking time from your schedules to be able to participate in this little chat of ours. Pleasure. Thanks, again. Thank you very much, all of you.
Thank you, Mario. Thank you Ian.
And with that, we end this episode. Thank you very much for listening, and hope you join us on our next episode of the high tech low code podcast, where we will feature another guest and approach yet another topic of extreme importance. See you soon.
