How'd you like to listen to .NET Rocks with no ads? Easy? Become a patron for just five dollars a month. You get access to a private RSS feed where all the shows have no ads. Twenty dollars a month, we'll get you that and a special .NET Rocks patron mug. Sign up now at patreon.dotnetrocks.com. Hey, welcome back to .NET Rocks. I'm Carl Franklin and I'm Richard Campbell doing the thing that we do. Yeah, Laura Bell Main's here. We're gonna be talking to her about some
really cool security stuff. But first, how are you doing? My friend? How's the new digs here? That's good to be up on the coast, you know, living by the ocean's always therapeutic. Could graduate sort of stuff out, you know, and he got it. But it's far enough away, you know, it's about three hours from the city. New doctor, new dentists, like new pharmacists, like you have to sort of figure
all this stuff out. So getting recommendations from friends and bit by bit so funny life now it's sort of like, can you go a week without going to the city, Can you go two weeks? Going to the city like, that's kind of the thing. So you're stacking up firewood, that's what you're telling me. Well, that's winter, and you know, the power lines and the internet come up on one set of power poles on that highway and there are trees. So do you have a wood powered generator?
Is that how it works up there in the country? No, no, no. We just got a potbelly stove, which is a good thing. And I got a bunch of UPS and I have Starlink so I can stay online for a little while. We'll see how much UPS, she who must be obeyed, allows me to have. You know, you might be able to invent a beaver treadmill that might provide some This is more otter country than beaver. You know, we'll work on it. I can feed. The movie is the right thing, Get the moose, the treadmill.
We had elk in the driveway. Well, listen, I'm not black bears. Don't bother me. You know this, right with black bears all my life. It's not a big deal. Their coat, but elk are problem. They're very large. They're also tasty, yeah, you know, especially when you mix the meat with like you know, pork fat. Yeah, well there was a dozen standing in the driveways we're coming in and where we want to put the truck, you know, like sort of look at her and go, you know, we could go to the pub, and she's
like, yeah, let's go to the pub. We just backed out of our driveway to the pub for a couple hours. They were gone when we got back. Laura's looking at us like she's on the wrong podcast. I'm loving this. I live in New Zealand and so we don't have elks. We have like mammals in New Zealand, we have one. We have a bat and it's teeny tiny and endangered, and none of our birds fly because we have no mammals and predators. So you know, yeah, we're not
good at this. So I listened to this and I'm like, yeah, we can get beavers and otters and make electricity and then go to the pub. All of this is great. Yeah you have sheep though they're tasty. We yeah, we have more sheep than people and more than sheep, so yeah, not by a little either. It's like it's a lot. All right, So another bonus chit chat. Let's get started with Better Know a Framework we're all the crazy music. Okay, all right, man? What do
you got? Uh? What I got is an article that I found on LinkedIn, uh and it's Don't Bet against the Cloud, Oh, by Kendall Miller. I know Kendall, do you? Yeah? Well anyway, So basically, the article discusses why there's this this swing back towards self hosting after
years of you know, people businesses increasingly relying on cloud services. And even though some companies like Amazon Prime Video and 37signals have cut costs by moving away from cloud service providers, CSPs, there's still a strong case, so he says, for sticking with cloud solutions, and he's right, sure, yeah, yeah. These cloud services like you know, Amazon, Google and Microsoft Azure offer flexibility, which is a game changer for businesses. And you
know, you read this and it seems like common sense. But why is this, you know, why are people moving away and saying no, we're going to do it ourselves. Why why the sudden change? And it's not sudden, it's a gradual change. It's a gradual I think it's a right sizing. It's certainly been a topic on RunAs, is figuring out what payloads make sense to the cloud. We don't. Let's face it, if you're 37signals, you're already running a twenty four hour a day NOC right,
Like, you already have the infrastructure. So do you want to monitor somebody else's machines that you pay for by the hour, or do you want to monitor your own? Like that's sort of a balancing act. You can get into that. Do you think it has anything to do with trust? Like? Are people losing trust in the in the clouds because they're rock solid.
Yeah, they're much more reliable than any home-grown implementation. Again, but if you're committed to three shifts of sysadmins working around the clock to keep things up, so you're already paying for an awful lot of infrastructure, you know, the numbers start to make sense. That AWS story about moving off of serverless onto VMs is an interesting one because that's also a story about right sizing what they You know, what's great about serverless is that it costs
you nothing when nothing's happening. But what if you have a service that has tens of thousands of instances all of the time, Like, why are you paying for that efficiency when you don't need it, you might as well. You could easily run VMs that are under full load all of the time and you'd get state for free. Well in a bunch of architectural differences. Like I think it's just this statement in Kendall's whole story, and I read it
a while ago. It speaks to the maturation of an industry that we're getting to a place where there is a debate of on-prem, cloud, hybrid. You know, what are the commits, what's the reliability? Like, there's a bunch, there's a mixture there. There is no one right solution. I think if I, if I could just add something, I think there's a little bit of a thing that we overlook when we look at the diversity
of companies using those platforms. You know, if you go and you you know you're a midsize company, you go and you're like, right, we're going to go AWS, great, wonderful. You go stand at that configuration page, that initial page, and choose the services you need, and it is like standing at one of those restaurants that's got like one hundred items on
the menu. There is something for everyone, but somehow you still leave slightly hungry and confused, and so a lot of folks, you know, very quickly adopted, Oh well, these people over here were using serverless, let's go do that, and went all in and they went and they try this, And it's really easy to blow up your budget and to not have the best performance in scaling because you haven't quite grasped the you know, the complexity
of using all of those parts together. And outside of our large organizations who have the expertise to really like rein that in, I can understand the temptation if that's got carried away to go back to something simpler. I think it would be really good as we enter this next stage of maturation in the CSPs, for them to actually simplify a little. There's an entire group of audiences who don't need ninety options. They need four and them to be really easy
to navigate and to work with. Yeah, exactly, it's great that we can do anything we want, but like when we build software, should we really be doing all of that craziness. Actually, some design patterns work and we can just use those really easily. And it's just because you can I sound like my mum, I've reached that stage. You know. It's funny that we've had these conversations, like with Layla Porter talking about the sort of
right sizing of the monolith versus the microservices. Right, It's like, hey, microservices makes a lot of sense. When we have a team of one hundred and you have a team of three, it seems like overkill. So you know, I think the same thing happens inside of the cloud. It's like they're effective strategies. But and I do as I'm close to this stuff because I'm talking all these experts all the times on the shows. You can see them starting to consolidate one set of access policies that apply to all
products like that. It's but we're in the early days, so they are right sizing too. I've never had such a discussion from a Better Know a Framework before. M This is great, it's good, but it's but one topic that we're going to talk about today. And Richard's going to bring up another one from a comment who's talking to us, Richard Grady comment to Show eighteen twenty seven, the one we did early in twenty twenty three with Tanya Janca. I entitled the show because it was the name of a book. Alice
and Bob Learn Application Security. Yeah, great book. Tanya is a howl and I'm a local to us for me anyway near in Victoria, just across in the island that I'm staring at from here. And our friend Hilton Giesenow now out of South Africa, who's been on the show before as well.
At this point he said, Hey, Richard, question in the show about what to do about having your multi factor accounts only had a single device a smartphone which travels with you and can get lost or stolen, and I talked about how complicated the backups and recovery strategies were for those things, like that's a challenge for most people to do right. He goes on to say a simple solution is to have a second device like a tablet or a cheap older
phone or even a watch, with a backup of all those accounts. Both Google and Microsoft Authenticator have the ability to export and import across devices. I've never tried this, but it might even be useful to use that to backup accounts for others. Then, and you know, I'm trying to push she who must be obeyed into starting to use Authenticator, So maybe this is something I got to put in front of her. It's like, look, don't worry, We'll have a backup sitting on your tablet, So if that
happens to your phone, you're going to be okay. I can actually make a suggestion here because I have a five year old and eleven year old, which means that my resilience policies have to be really good. My devices do not last long, and I learned this the hard way when my five year old decided to play the game Does it swim? Yeah? I don't need to elaborate on what happened. Now, anywho, a wet device doesn't do well at multi factor authentication. Now I'm not commercially involved with it, but I use an
app called Authy for my non critical work account. Now that automatically will allow you to move all of your authenticators between devices, So instead of me having to migrate before the bad thing, I can actually pull that down onto a new device. Now, yes, there's risks in here. I'm a security
person. I literally risks all day. Get somewhere. Yeah, but you know from the review I've done, you know the risk versus me losing this entirely all me managing secure backup code somewhere like there was going to be something somewhere sure, And I think for especially if these are your non critical accounts. So I'm not saying put your you know, your CSP root account passwords
in this thing. But you know, if it's you know, someone significant in your life and they're looking for a little bit of resilience, that could be a really good solution. Yeah. No, I think it's a great idea. And that's Twilio that makes Authy, our friends of the show also, absolutely nothing bad to say about that. It's a good product, and Hilton goodness knows you've got a copy of Music to Code By already. But thanks so much for your awesome comment. I hope you and your family are well.
And if you'd like a copy of Music to Code By, write a comment on the website at dotnetrocks.com or on the facebooks. We publish every show there, and if you comment there and everything on the show, we'll send you a copy of Music to Code By. Yeah. And another way that you can get a copy of Music to Code By is sending us a tweet from X or a toot from Mastodon. I'm at Carl Franklin at tech hub dot social, and I'm Rich Campbell at mastodon dot social. Oh okay,
honest, really, it's been forever show that you've mentioned it. I just I don't know. I'm having a now your question. I'm now having questioning myself. You're having a moment. I'm having a moment. So it must be the haircut. I think it's it must be all right. Well,
let's introduce our guest today, who we've already heard from. Laura Bell Main is a global secure development leader, a best selling author and speaker, helping software development leaders worldwide engage their entire team in building secure software and officially welcome to the .NET Rocks show. Laura, thank you so much for having me. Apologies for jumping into your conversations. This is a really fun
podcast. You made it better by jumping in you. We're never going to complain when smart people are due to Talking about smart things makes me happy every time. Absolutely Yeah at a Kiwi to boot. I was born in New Zealand, although I sound like an American and I live in Canada. Where were you born? Wow? Okay, family farms. Family farms on Ohuiti Road. Wow. For those who don't know New Zealand at all, we're a tiny island. And that's a tiny place on a tiny island, like
very very specif hills and cows and sheep. So I brought Carl to the to the farm once and when we got it, we got into the rental car and it was a Holden Commodore. Of course. Uh. At the at the airport, I said, listen, over the next couple of hours while I'm driving, you're gonna see me randomly turn on the windshield wipers. That's because they switched the position of the windshield wipers and the turn signals, and I keep screwing them up. So when you're wondering, why does Richard
keep him in the turns which have no reason. That's why it was a delightful trip though. And your your aunts were amazing. Yeah, great, they're great people. And they and they the Knee family, which is my eldest aunt married into this family that who's the grandfather was a homesteader. He's
original Ohouiti settler. There's literally roads named of the you know, the road at the bottom of his farm is Knee Road, right like it's it's superdol And they have every sop when day when if I'm lucky enough, when I'm there. They have a party for the weedy settlers. They're amazing people. But these are genuine farmers that have grown up there and they've seen their city
grow change and so forth. They're They're hilarious. I was on the edge of my seat waiting for Gandalf to pop out from behind the rocks and trees, and he never did. Though never saw any hobbits. All the green rolling hills, but beautiful things down the road in Matamata. So anyway, Laura Bell Main, tell us what you've been thinking about and talking about lately. I bet it has something to do with secure applications. It does, but it also so I've been going to a lot of conferences, as
you do. I tend to cluster them together and do these like weird little holidays with like three or four conference because everywhere's far from where I live. And I've been hearing a lot about developer toil that we're all very sad, and we're all very tired, and everything is hard right now, and I get it. And so we've been having a bit of an existential crisis in security of whether we in DevSecOps and kind of in moving security into
the dev space that we're making people even sadder and even worse. So I've been talking a lot about where security needs to be versus why it doesn't need to be, and which parts of it actually are just making things worse and more painful. And so yeah, a lot of conversation about that at the
moment, because if I'm honest, I'm kind of bored. I'm bored of the conversation always being Hey, we found three vulnerabilities and we're home five last month, and therefore we're more secure, and now I think we can do better than just like looking back at our code and going looks all right.
So yeah, I want to kind of make security a little less painful and a little bit more focused on you know what if security really was part of software quality, right, how would we measure it then and how would we approach it if it wasn't this weird, separate, standalone thing that we all get to later when somebody makes us Yeah, well that comes down to what are the unit tests for security? Then? Isn't it partially? But for me it's it's kind of it's going old school with like the ilities, right,
it's not just does it work? Does it not? It's not just straightforward tests that you know, if we look at performance and scaling, very few organizations have really got structured tests around that. Now there's a lot of you know, more subjective appreciation, and then there's a lot of logging and monitoring and observability that comes into it. But I don't think we have that maturity in security to assess where we're at because most of it it really is take
code, scan code, find things or not find things. And I really want to kind of explore and play with how we already examine our software and what we can learn from a security perspective from the things we already do in development. I mean, I love the idea of including in my CI/CD pipeline like the latest script kiddie attacks just running against AID. Did you get anywhere? Yeah, although it's complicated, like you've got to get to an external host and poke in, yeah, and got to find a script kitty.
Absolutely. You just they're really hard to catch. I need to throw the ball multi times and give them a berry and yeah with water, but they come back. They just like it. Maybe they like the elks you can stay when we get down to it. You look at people like there was a gentleman, James. His name's going to scape me because I've now tried to say it out loud, and that's the rule of names who did a
lot of work on automated security testing. So this was the time where things like BDD-Security started coming out, and they were Cucumber style tests that were written around open source testing and scanning frameworks for security, and there was a
lot of push at that period for getting those into CI/CD pipelines. The problem is that the way that the underlying tools they hook to do that work, they're very slow tools, and so it exploded pipelines everywhere and everyone got sad, and then we ended up with parallel pipelines and before we knew it, we were back to where we started. So that's the one I It was a w brains are funny things, Thank you so much. So yes, and the work you did at that time. You know, there's not a
lot of activity in that space at the moment. There's a lot of know how to build AI that builds your test for you and security, but it would be good to see how we could approach that differently. I think the big problem in that space was always the underlying tools that we were hooking into. So we couldn't do this from you know, just a raw perspective. We had to hook an open source tool. Those open source tools weren't built
to be run in tiny components. They're big frameworks that it tries to run a huge thing. Testing's got that same problem, right, if you really want to load test, it's a complicated set of tools. Absolutely. So, Yeah, I'm genuinely excited that I think we can do some really cool
stuff in the space. But I think the focus, and unfortunately the money in security is very much at those kind of code scanning, kind of glossy things, and I think it's going to take more dev focus for us to make this more practical and something we can control ourselves in the dev space rather than relying on external things. Yeah, you know, over on the sysadmin side, I've talked to so many infosec folks who are just so frustrated. It's like,
we see the vulnerabilities we have brought them forward to to leadership. Leadership says that we don't think this is that big of a risk. We're not spending money on it until it explodes. Yeah, there's an interesting conversation actually just started in the last couple of years in digital safety about the old recurring
theme of software liability and warranties. And you know, there's an argument that it will take us moving to having to be liable or have full warranty so the software you build for people to care, which I have many thoughts and feelings on, and that's a pretty scary area. But you can see historically, arguably Bill Gates's real contribution to the world, when they strip it all the way down one hundred years from now, will be he wrote the original
EULA, rather his father, the lawyer did. But you know, eliminating responsibility for software to the or limiting that liability to the price you paid for it. You know, there is an argument at the time, at least what fifty years ago, that this is what will allow for rapid innovation. But now it seems like a real liability that we just have no reason to
become professionals because we have no liability. Absolutely. And you know, if you're writing an e-commerce site and selling widgets to people, cool, all right, you know, I get the financial liability stuff, but if your software I was talking to some I love. I collect the stories of amazing engineers who are building crazy things from sci fi. That's like my nerd hobby. And I was talking to this team and they're like, so we have built these amazing remote control cars and I'm like, hang on, no,
that's not tech. And they're like no, like full sized cars that are remote controlled over thousands of kilometers in airports, and I'm like cool. So we started realizing that, you know, this massive piece of software that was attached to a standard car. So these are not custom built vehicles. This is they have taken a you know, a sedan or whatever and retrofitted some remote control tech into it, right, and they're in an airport and I'm
like wow. From a security point of view, that's one thing, but from a health and safety point of view, you know, moving machinery because that learning in a busy environment, and you know, like this, it's hard to be a security person right now because you're torn in two. There's half of me that's like, oh my goodness, there is amazing technology everywhere and look what we're doing and it's cool, and the other half of me is like,
can I just go lie down please? This is fairly terrifying. Well, you know, Apart aside from the tech, probably one of the biggest vectors for security attacks is social engineering, isn't it, And things that we don't think about because we're tech focused software developers don't think about these side channel attacks that can happen. I heard one story about people who are trying to
listen in on other people's conversations by connecting microphones to the plumbing. And you don't think about it, but your sink is listening to you, and you put a microphone on the pipe and you can actually hear everything that people in the room are saying. There's a really good example of something. Oh but this room is out, you know, has got the security surveillance and the
cameras, and fine, but what are you doing about the sink? Absolutely there was a glorious video from it a number of years ago now, but some very smart scientists discovered that they could monitor a plant that was in the room, and they could look at the vibrations on the plant, and they could actually extract the conversation from a room based on the minute movements of a plant, and like part of me is like wow, that's like it is so cool, and you know what security can be all doom and gloom.
Absolutely, lots of terrible things can happen. I will not understate those. But at the same time, I think the future of security doesn't just need people like me with massive anxiety problems that turned it into a career. Then you've got to be excited about the technology and the potential of it. Not everything is going to change the world, but to one or two people it might to be able to work on the let's mute our plants problem rather than
the really SQL injection. Really that would be nice, isn't it. Yeah? Yeah, but you know there's an underlying truth about that though. There's a reason that the OWASP Top Ten hasn't changed much from two thousand and three till now. Yeah, and that's because we're still approaching it in the same way we have twenty years ago, more or less writing software the same way. Well, I know for a fact that two factor authentication has saved my
butt several times. Every once in a while, I get an email that says, hey, we've got a request to change your password. You know, if this wasn't you, then just ignore this. Otherwise here's the code. Uh yeah, I think I'm going to ignore that. I think you ignore that one. It's a conversation we had on RunAs I think it was with Sami Laiho. He said, hey, look, you know,
multi factors worked well enough that it's actually moved it off the top. It's now number two, and what's on top is unpatched servers, And that brought up this whole conversation of we're super cautious about patching servers because sometimes it breaks, but that's now a higher risk than the possibility of the breaking. So it's like it's better to deploy the patch quickly and deal with the consequence,
than it is to stay unpatched. And what do you do about grandmas that insist on clicking on links and emails and text messages that you know, I mean, that remains probably one of the biggest threat vectors, this social engineering stuff. I mean, that's there's no tech that can well can you know, that can protect you from that. There never will be and there never has
been. So I love the fact that security has invented fancy words for all of these things, but in essence, human beings are jerks and have always been jerks for as long as there have been people. We have done whatever we could, whether it was lying, cheating, stealing, applying the technology of the time to get things we wanted. And so it's evolutionary. It's part of our culture is the willingness to bend the truth, to bend the rules,
and to change our behaviors such that we get gain. Now, you can't fix that with a web application firewall, because you know, you're as engineers, we're problem solvers. So we we you know, problems over here. Cool, I'm going to take any pathway to get there, and I'm going to build something great, wonderful. And some of us build beautiful systems and some of us build things made out of duct tape and good intentions, and it doesn't matter. This is a different style of engineering, and our
attackers are exactly the same. They are creative, they are very objective focused. They want, you know, the shiny shirt, or they want to go and you know, get the money, or they want to get political influence, whatever it is, and they'll take whatever path. It's an infinite problem space and at the moment in security, we we're very narrowly focused because it helps us focus and it's all we can do on this vulnerability class or
this vulnerability class. But we overlook the fact that if you take that one away, something else will spring up. So it has to be more holistic. Yeah, and constant and vigilant. Yeah. Yeah, yeah. It's not a good recruiting campaign for security, to be honest. I'm just telling you constantly learning and you'll always fail. So yeah, I don't know why we do it. Really, it's only what you mentioned that when although every security person I know is busy, like, nobody's being laid off in this
space either, there's only more work. Yeah, it's as frustrating it may be, and I do I mean, I appreciate your your sense of weight and concern because it can be weighty and concerning. It's it's certainly there's no lack of things to do. It's just I think it's going to be very frustrating to have the same conversations over and over and over before we go on. Why don't we take a brief break. Sure, we'll be right back, and we're back. It's .NET Rocks. I'm Richard Campbell. That's
Carl Franklin. Hey, talking to our friend Laura Bell Main a little bit about you go on the agile side of security, which I find interesting we've been talking about the whole shifting left of security. I just don't you know, And yet most of the time security still applied after the v1's out the door. So what do you how do you even talk about shifting security left? I'm going to be a bit controversial, and I'm really sorry.
People will have feelings and opinions, Please please put them in comments and for our shows probing for us, I think what's really happening with shifting left is if you shift left for long enough, it ends up in the sea. And that's what's happening. We go, all right, it's not our team anymore. We're going to pass it to that team, and that team go cool, we don't have the time, and there's another team and they pass it on and what was seeing? Time and time again? The focus on
shift left is limited in two ways. Firstly, even see it in the language of the tools and techniques we do. They talk about from development to deployment as if that's the entire process. Use that's the whole loop man. Nobody Actually, yeah, absolutely nothing else happens planning and design, none of that, exactly. The light of software just descends upon us. We instantly know exactly, yeah, exactly, we go home. Yeah, job done.
It's weird that we're all still employed. I don't know why that would be. So all of our things focus on that stage. So writing code through to deployment, now that leads to startlingly big gaps. It leads maintenance and support. So those ones, those tools that you have out in the world that are now in BAU, they you know, there's minimal changes happening.
Now. That's especially true if your architecture has been fragmented in some way such that you know a component actually has a singular purpose or a small number of purposes, and you work on other components to do the rest. So microservices folk have this a lot. It's never built. How are your fancy security pipelines ever going to apply again if that thing is never being built, because everything's built into the deployment pipeline, into the build pipeline.
And at the other end, we talk about threat assessment. And I love that the movement is starting to get some energy, but we still we still fall back on that urge. We have to well, how can I automate that? Now, threat assessment is very difficult for you to automate and that's hard to hear as an engineer because you want to go, well, I just want to make the tool do it for me, and then I can do other things like drink coffee. But threat assessment, I've got to
look around. Yes, sometimes you actually just have to plan a bank robbery with your friends. That's just how you have to operate. And so we've got to find space for this. We've got to start talking about development. Security are around more than just that middle section and more than just the people who write the code. It needs to be everybody in the team, and it doesn't need to be lots of work. We run a very kind of lightweight program, completely free, called One Hour AppSec, So we aim to get
folks in dev doing one hour of security stuff every sprint. That's it, just one hour, sixty minutes. But if you imagine the impact of doing that across you know, one hundred percent team, that's a lot of security every sprint. So those minute changes across all the roles could have a huge impact. But at the moment, unfortunately shift left and DevSecOps and the agile movement really is focused on that CI/CD pipeline and that middle chunk right which again
is trying to automate the problem away rather than you know the problem. And I think you described as really well, it's not shift left, it's everybody fights that everybody has to be part of the solution here. And this is something that is that a Scrum master could easily manage that. Hey, we're starting up a sprint. Let's do our hour. What are you going to
work on? Absolutely, oh, like, let's let's get this at the front of the sprint, talk through the security elements before we go anywhere else. Almost absolutely, And you know, if you're white with your hour, you know, the first time you do it, you think about things. The second time you do it, you've got the guardrail that you did the last time you did this, and you know, these artifacts start to naturally, you kind of get created as part of it, and they iterate as
you go, and it really, there is no done. There is no perfect in security. So if we park that idea entirely, what we have is an awareness and behaviors that we try and consistently apply. So you can look at this in any part of your life, like a gym membership. Right, buying the gym membership isn't actually going to do anything for me. Sorry, the New Zealand, yeah, in between the sheep and the characters, gyms are a foreign concept.
So whatever it is, it's not buying the thing isn't going to get you there, but consistent application and shared shared participation, group participation will get you there. So, you know, I think perhaps I'm like the security equivalent of a hit, but that's okay. I really do think that there are no superheroes in security. There is nobody that's going to come and do it
for us in our team and make it all go away. The best thing you can do is find little things, do them consistently, automate the ones you can that make sense and the ones that you can't do. If you're anything like me, I'm truly interrupt driven and horribly distracted. So create little robots that tell you you need to go do you think right? And the easier you make that for yourself. Suddenly we have a huge movement that isn't
led by specialist security engineers. We still need them for a variety of reasons. But what if the majority of software security was in the dev team? It was just part of what we do, a little bit and a little bit of time, so that you built up a set of guardrails that you could use over and over again. So when you're doing pen testing, for example, how much of that can you automate versus doing, you know, doing manually? Oh, that's a, there's a load, that's a loaded question, Carl,
we're going to get in trouble, so let's do it. So I did about seven years as a pen tester, so been very deep in that. I've also been a red teamer, so, where you know, the more advanced, sort of customized level. Now, it really does depend on the pen test company. So I'm going to, like, blanket handwave statement. But a lot of the early stuff in a pen test, so what we'd call reconnaissance, is absolutely automated and has been for a number of years. Vulnerability scanning, which is
the next stage, also heavily automated. Now, if I could give the audience a little bit of advice, pen testing is really expensive. Your aim with a pentest is to make your pen tester cry. You want them to be to work so hard. Oh yeah, So like the stuff that's automated, that reconnaissance, the information gathering, the running, vulnerability scanning, that you should be doing yourself like you can do that with open source tools. There is no magic there, and there is no magic in pen testing at
all. In fact, if you're a dev, if you wanted to get into the space and learn a bit more about it, there's some really great free resources by Bugcrowd, the bug bounty platform. They have a little university that you can go to, just free of charge. There's no sign up
or anything. You just watch their videos and things and learn how this all works, and you start to realize that there's this whole foundation that you can do and then automate to mean that by the time you get to a pen test, they really do have to focus on that really manual custom effort, and that's what we want in a pen test. They will only do as much manual effort as they have time to do, So if they're finding lots of junk with the vulnerability stuff, they'll never get to it. So yeah,
it's a bit of a strange situation. But to answer your question, Carl, you want to force them to do as much of it as possible and do it for them. Yeah, yeah, so they have, your real value is going to come when they're deep down the pipeline. Yes, the yep, but if you've only paid for so many hours, if they can knock you out with a simple, oh, you have this port open, exactly, this server's not been patched. I just love it. One. Questions are
like, what is that? Yeah. And there's a lot of folks who will say, hey, never share your code with the pen testers either, and I would absolutely argue with that, because a pen test is scoped, it's time-scoped, so you've only got two weeks, three weeks, whatever it is. And if you imagine as an engineer, you were given a system and you're told find the most vulnerable, valuable parts of it, and you've got two weeks to do it, and you can't see the source code, you're really going to
struggle. So if you want to get to the really juicy bits and get those bits that are really sensitive tested, it's really important to safely find a way to get them their access so they can then dig in and then pull back and then go deeper on that research. Not only that, but your average pen tester probably has enough knowledge to go criminal if they really wanted to, but they've decided not to. They decided to sell their talents to
the powers of good, so you should be able to trust them. How's that good statement? Oh, I can see the emails are coming in already. Absolutely, but yeah, don't waste their time with the simple vulnerabilities. Knock all of those out. Do the boring basics, right, You know, the brains are funny. We love dopamine, and so we love focusing on the really novel challenges and the new things, and so we intentionally or
unconsciously avoid those boring basics that trip us up every time. And if we can be conscious of that and we can work on those, then it really does get us much further along our security journey. I mean, it's kind of an embarrassment to be tipped over by any of the OWASP Ten. Like, these are known, they're well documented. I am not saying all of them are simple to fix, but they're just, like, you can scan for these, you can look for, you know, you're doing the right things and this
stuff and just at least get that much done. And you were saying you're bored by SQL injection, but I mean that still is very high on the list, number one, number two. Like, still, well, even if you just look at it as a puzzle. SQL injection actually is a really incredible puzzle when you start looking at it from a playful perspective. So, you know, at its simplest, and you start seeing, like, authentication bypasses, you're kind
of like mean. But when you start to understand that people are using SQL in really ugly disturbing ways to blindly work through and around your database without knowledge of the schema, without any understanding of the other components, and they're using it to extract data up to the point where they're using either you know, the query speed to determine an answer, or they're pulling it out a single
character at a time. That to me is, you know, there's a fascinating challenge there, and so if you can appreciate the tech behind the challenge, it's not just, hey, or one equals one, that's where we start. But like anything in engineering, it's much, much bigger and it's as powerful as SQL is itself, and SQL is ridiculously powerful. So yeah, if anyone at home's going, well, how do I learn to care about this more? Go deep on it. Go have a look at the really
ridiculously dirty SQL that gets written in the offensive space. It's not bad SQL, it's just SQL doing things that you would never as a polite person try to do yourself, it seems to me. So I do this security show, a podcast called Security This Week, and I am not the expert. I'm the dumb guy asking questions. But Dwayne Laflotte is one of the guys on there, and he is, like, when I say he could go rogue and make twice the money that he's working. He definitely could be evil if
he wanted to. But like I think, like you, his reaction to an elegant hack is, you know, the more dangerous it is is, oh, this is awesome. That's like he appreciates the evil mind that went into creating this attack. You know, there is something about how folks in
offensive security see the world and see systems that is really interesting. You know, to be able to take a complex system and you know, tilt your head in the right way and press this convent and to even be able to think like that and to have that process of exploration and play coupled with the technical ability to then pull that off is really interesting. And well, you know, nine percent of what we see out there is noisy automated junk.
There are in amongst that the people who are coming up with these new attacks and these new vulnerabilities who are really very creative thinkers. And yeah, you as an engineer, you've got to respect them. I think they put their they think they put their minds to more meaningful work, right, I mean that My general experience with criminals is like their criminals is they don't want to work that hard. Oh you you've lived in small towns, haven't you.
So I grew up in a small town that was famous for two things, teenage pregnancy and car theft. That was pretty much our claims to fame. But that was it. They literally, the cars. So they used to call it joining the family business. And you know, you were either building a family or robbing cars. And what happens is you started to understand crime in a
way that you didn't even understand why you were, you understood it. And I think as I've gotten older, yeah, there are some very common, very basic reasons that people commit crime, but there are also some very interesting ones. There's a lot of psychology in there, and it's a really fascinating space, and a lot of the vulnerability researchers out there don't have a criminal bone in their body. That's, you know, why they do what they do.
But they're insatiably curious and they think differently, and the way that they've channeled the energy is not it's not even intentionally malicious. It's just that their perception of right and wrong don't match ours. It's a very interesting space, especially in electronic crime. Physical crime is a little bit different. But in the electronic space, have you discovered any zero days? Because I know that's in
the holy grail of, like, security. Not in a good many years. I unfortunately used to work for the UK government, so even whatever I discovered wasn't allowed to be put out there in the world. My days of that are gone. Ye. No, it's, and that's a whole other different aspect of the work too, right, it's hunting, well, and you also think about the, it's the cloud providers. It seems to be at the front of this now because they have a super vested interest. There is a zero-day exploit that might affect
the cloud and affect their customers. That's bad for them, irrespective of how it is for their customers. So you just have to look at Heroku from a couple of years ago. One vulnerability in a platform as a service, now not one of the major ones now, but, you know, in its day still got thirteen million customers, but a compromise there affected thirteen million customers, at least twenty thousand live applications, including dial-in, meeting systems, online doctors,
and information health sharing. So, you know, if you're an attacker and you're being super cost effective, you don't want to go and attack every single person individually. You're going to pick these big shared components, whether it's a shared framework that everyone uses or a CMS. That's why WordPress has, you know, always got a target on its back, because it is so widely
used, or the platforms themselves. You know, if you can compromise anything in AWS's environment, it would be, you know, Christmas a million times over, sure, for an attacker. It's a concentration of wealth, essentially, of all of resources being spent. While I remember Meltdown and Spectre and going, oh man, the
cloud people are going to freak out. Not that there was ever a successful exploit against this, but just the prospect that you might be able to see data from a different tenant because it happened to be running on the same machine. You know, for a tech guy like me who's deeply into the hardware, I'm like, I love this, and the fix for it is hard. Like, it genuinely, what, they knock down ten percent of the performance of processors to box that
in. But I think about a guy like Scott Guthrie at the head of Azure, like, this is the stuff that keeps him awake at night. Absolutely. Yeah. Yeah, there's a lot of security vulnerabilities a company can come back from. And in fact, you start looking, if you look at companies that have big security breaches and look at their share price, you'll see a blip, but you will actually see it go up after, you know, and there is a real problem. There seems to be no consequences to
getting exploited. Oh like but surely nothing, loud Ashley Madison still in business. They get exploited, they prove that their business is a lie, and they're still in business. I have no comment as an American, no comment. Ah, did you see that vulnerability? I think it was last year or something, and it was in memory chips where hackers found that they could
by just hitting a certain memory register over and over and over again. They raise the heat so much in that register that it actually sets the bit next to it, flips it from zero to one or one to zero. And that bit is an important bit in you know, like allowing access or something like that. It was just unbelievable. How does anybody protect themselves against that kind of thing. It's mind blowing. It's mind blowing, it really is.
But the thing is we need to remember, again, going back to that dopamine part of our brain, we can be fascinated by those big edge case ones, but it's highly unlikely they are going to be the type of things we would do. Sure, we have to hold on to them. I want to provide a bit of doom and gloom here, because this is entirely too happy here. It makes me feel at home. You know, you've welcomed me in true security fashion. Yes. Next, can we talk audit frameworks, because
they're not we're friends. You know, we don't have enough existential dread on this show. Let's talk about it. Frameworks fabulous. I mean, the employer, the leadership ask us this question. Are we secure? They asked that question? And how do you not just lie to them? Because there's no way to know, to the best of our knowledge. We crave certainty, We crave concrete answers, not just in security and everything really, and
this is one of those areas that we can't. There isn't one. The best I was able to do as an IT manager talking to leadership was, like, listen, I think we're at a place now where it's like we have a club on our steering wheel. It's not that they can't steal the car if they really want the car, it's that our car is now a pain in the butt to steal, and so maybe they'll steal something else. Like, we're gonna be okay with drive-bys because we've done the fundamentals. But if
someone is genuinely targeting you, there's not that much you can do. Like, it's very, very hard. Forget about the car, steal the beaver treadmill. There you go. I think we went with otters on that, actually. Did we go with otters? Yeah? Oh, you did? You did. I'm trying to, let me tell you, I think they're around, little buggers, destructive little buggers. So Laura, tell us a bit about SafeStack, because this seems to be something important to you. Yeah, absolutely. So SafeStack
is my company. We're we're just thirteen people, so like you know, company in that scale, not in like global enterprises, and we're we call it for profit, but with massive purpose. So we are on a mission to try and give everyone in development the skills that they need to build secure
software. So whether you're a product person or UX person, developer, a tester, analyst, architect, everyone has something to do, and so we intentionally build a platform so you can learn things, and there's a free plan, like no strings, no credit cards. You can go check it out, and then we reinvest a part of the revenue from that. So when, you know, big banks and things come and work with us, and we offer a few cool things. So we have our free plan, we have parity pricing around
the world. We also give free training to every single computer science student in New Zealand and Australia. So we're trying to use a business to grow a foundation of people with the skills needed to kind of naturally do security as part of building software. We love that there's a whole community of specialists who are in AppSec and things, but the future for us is about everyone doing a little bit. So that's what we do. So yeah, it's a
lot of fun. Well in some ways, better use those specialist times so they're not working on the fundamentals either. We're all working on the fundamentals and they can work on those edgier cases. Exactly, Yeah, exactly that. So education just get people more eligible about doing the right things. Yeah. So we have courses and qualifications and hands on labs. We have playbooks and templates, so for anything we're doing, you should be able to go from
I now know about the thing to, I can do a thing. And we also have a community where you can come together with other people and ask anonymous questions and say, hey, this is hard, I'm struggling with this. What have you done? So instead of, you know, just going to the internet and going, hey, here's all of my vulnerabilities and laundry, please help me, there are some intentionally built spaces for you to get some help
and support. And we're now working with about seventeen thousand engineers from eighty nine countries, so there's quite a breadth of experience in there. Everyone from teeny tiny two person nonprofits all the way up to big banks and airlines, so you've got really everyone at every stage of that maturity cycle. Awesome. Have you ever seen Hack The Box, hackthebox.com? Yeah,
I'm sure you have, because who doesn't know about it. But in the security space, it's a place where you can come together and try to break into a machine. Yeah, and that's a really good exercise to do. And maybe you do that in your training classes too, I don't know. Yeah. So we've got an intentionally vulnerable crypto exchange that we built as part of ours, so you can play around and find the vulnerabilities in that.
But there are some wonderful platforms even outside of our own, so Hack The Box is one, but even in the free space, if you're listening and you want to just get started and play around and hack something, OWASP have a project called Juice Shop, which is a Node application, but it's a Docker container. You can just download it and off you go, and it's a little Juice Shop, as it says on the label, and you can find
the vulnerabilities, you can play and you can hack those. So there's lots of really fun and free in many respects places you can go to explore and
play. And I can't understate how important it is that when you're learning security, you don't approach it from a true academic I want to learn everything about cryptography way, but that you engage that bit of your brain that you did when you were a kid, that bit of your brain that would look at something and go what if, and that would be creative and would ignore the rules. As engineers, we build the rules, we follow them very well, and one of the best things you can learn is to just when to
just soften those up a bit and just explore. Very good. What's next for you, Laura, what's in your inbox? What's next? Well, I'm going to speak at a few wonderful conferences, so you can come say hi to me at any of the YOW! conferences in Australia later in the year. And I'm also hosting the security track at QCon in London next year, so we'll have a whole curated day of security awesomeness. Podcast-wise, we've got lots of wonderful people coming on and collecting stories, so you can check us out
at Build Amazing Things Securely. We're a much smaller podcast than this one. These are, like, professionals. We're kind of mostly making it up. I don't know about that, but for a long time, we made a career making it up. And next year we're hoping to find ways for, you know, all
those smaller companies out there. So if you work for a giant organization, this probably isn't for you, but if you're one of those, you know, between fifty engineers and two hundred engineers smaller size, we're going to be releasing a whole bunch of free resources and guides for how to build an AppSec program
when you don't have any specialists or huge budgets and fancy things. So lots of space, lots of giving out in the community, a lot of talking to folks, and if anyone ever wants to come and chat AppSec, I'm irritatingly easy to find and you can come and have a chat. I'd always love to learn what you're up to. Fantastic, Laura, this has been amazing. Thank you very much for being on the show. Thank you, thanks for having me. All right, and we'll talk to you next time.
On .NET Rocks. .NET Rocks is brought to you by Franklins.net and produced by Pwop Studios, a full service audio, video and post production facility located physically in New London, Connecticut, and of course in the cloud online at pwop.com. Visit our website at dotnetrocks.com for RSS feeds, downloads, mobile apps, comments, and access to the full archives going back to show number one, recorded in September two thousand and two. And make sure you check
out our sponsors. They keep us in business. Now, go write some code. See you next time.
