September 12, 2023 37 mins

Chris Romeo, Matt Coles, and Izar Tarandach attempt to demystify the concepts of Application Security (AppSec) and Product Security (ProdSec). They find that even defining and differentiating both concepts is challenging. Various articles exist about AppSec and ProdSec, but the industry is generally confused about these terms. 

Discussing the role of hardware in product security initiates an animated debate. Questions arise about whether the presence of hardware makes something more of a "product" and how software-only products differ from those with hardware components. Supply chain challenges, the significance of hardware in security considerations, and the potential overlap between AppSec and ProdSec become central themes of their conversation.

They make progress during this spirited discussion, but the hosts conclude without arriving at a definitive answer. They humorously acknowledge their collective confusion and agree to revisit the topic in future episodes. This conversation deserves a part two, emphasizing their commitment to understanding and clarifying the nuances of AppSec and ProdSec.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Chris Romeo (00:10):
That's true.
That's true.
Hey, folks, welcome to another episode of the Security Table.
My name's Chris Romeo.
I'm joined by Matt Coles and Izar Tarandach.
And if you remember the 1990s, by any chance, you remember the show Seinfeld.
Seinfeld was the show about nothing.
This is kind of the podcast about nothing.

(00:30):
Right?
No, come on.
We're talking about lots of things.
We have, we have, uh, serious conversations about with us sitting around a Chinese restaurant for the entire podcast episode and nothing really happened.
No, that's a, a Seinfeld

Izar Tarandach (00:44):
we can still say,

Chris Romeo (00:46):
hello.
And if you

Matt Coles (00:48):
No No security for you.

Chris Romeo (00:50):
If you know, yeah, that's

Izar Tarandach (00:51):
HELLOOOOOO!

Chris Romeo (00:51):
No security, no security for you.
All right.
What other Seinfeld reference can we make a security analysis of here?
I mean, there was the double dip.
Double dip was invented in that episode where George Costanza is at the, I don't remember what he was doing.
He's at that party and he dips his chip in the second time and the kid is across the room.

(01:12):
He's like, what are you doing?
You double dipped.
I don't know what the double dip analogy is in security, but.
I don't know, it's somewhere.

Matt Coles (01:20):
I'm sure it exists.

Izar Tarandach (01:22):
One year! It's when you have two formats of the same SBOM.

Chris Romeo (01:26):
Okay, that was, uh, that was good.
That was good.
I, uh, that's, that is

Izar Tarandach (01:32):
HAHAHAHAHA! These vulnerabilities are making me thirsty! Yeah.

Matt Coles (01:35):
I was, I was going to say, I was going to say something like you're, you're, you're streaming your logs to Syslog and Splunk at the same time.
I mean,

Chris Romeo (01:41):
Oh, there you go.
Now here's one.
Here's one for you though.
I bet you, there's a lot of.
CISOs that are standing before the board and would like to say the following.
So we started building our security program, yadda, yadda, yadda, and then the FBI showed up.
Imagine that as a board presentation, so.

(02:02):
Okay, we gotta talk about s we gotta this is the this now concludes our Seinfeld.
Uh, memorabilia section of the security table.
Let's talk about AppSec versus product security.
There's been a number of different articles written over the last couple of months that we've, we've taken a look at and let's, we want to, we want to set the record straight from our

(02:25):
perspective, as far as what we think of as the differences between these things and similarities.
And so, shall we start with a definition of AppSec?
What the heck is AppSec?

Matt Coles (02:42):
Izar, do you want to go first?

Izar Tarandach (02:44):
Ah, you know how I'm with definitions.
You go for it.

Matt Coles (02:47):
You know how I am with this topic.
So, uh, since we've had a low back conversation prior to joining on the

Izar Tarandach (02:53):
Cool.
Cool.

Matt Coles (02:54):
Well, actually no, so when we actually, Chris, if you could start, cause this ultimately this episode really is to, to, to give our perception of what AppSec and ProdSec are.
Given, and the, the statements being made in these articles, uh, you know, from, from various sources, um, either some of these things are brand new to people, um, or, and, or

(03:18):
certainly there is confusion in the industry about what these things mean.
So, what do you think application security is?

Chris Romeo (03:28):
Yeah, let's uh, let's work our way through kind of a definition.
Now I just happen to have done my own definition in a talk I did this previous year, the Application Security State of the Union, so I'll give you the definition that I put together for that perspective.
So I think of application security as the people, process,

(03:49):
tools, and governance that are required to properly secure applications.
So for me, I go back to, I I'm always more, I'm always a bit of a programmatic thinker, like that's just tend to be how I approach the world is how do we programmatize this thing that we're trying to do?
And so for me, application security is what we need to do

(04:10):
for the people, the process.
Processes, the tools, and the governance to properly secure our applications.
So,

Matt Coles (04:18):
so, yeah, so really briefly.
What do you define as an application?

Chris Romeo (04:24):
An application is anything that has, anything that is made up of software.

Matt Coles (04:33):
Oh, that's interesting.
So let's introduce product security now.
So what's a product?

Chris Romeo (04:39):
Yeah, so, but see, I tend to think of product security.
Hardware and software application security software, and some of that is just where I grew up.
As we were talking about before we, before we hit record on this episode, I was at Cisco for 10 years.
Cisco has 27,000 products that are Not really, not quite that

(05:01):
many, but they have a lot.
They have, and in those days they had metal boxes that were routers and switchers.
Switchers.
What's a switcher, a new word here.
Routers and switches that were, and I used to think of them, there was the metal box component.
And then there was the the bits that were going into it to drive that metal box.
And so I tend to, in my own mind, based on my experience, I

(05:23):
tend to attribute product security as the things that I have to do to secure these metal boxes running the software or You know, you can extend it to cloud services and everything else that's a product.
But I think of AppSec and applications as more of a general, general thing.
Like, I don't think of applications as something that

(05:43):
you sell.
Like, you don't sell, like, I can't go, I'm going to go sign up for this new application.
Nobody says that anymore, other than maybe in the context of mobile apps.
That's what an application is in the use of that term.
So I've talked enough.
You guys tell me what your, what your, uh, how you break it down, how you separate it.

Matt Coles (06:03):
So generally I look at products, products as things that a company sells.
So they deliver to customers versus the things that they deploy themselves, either internally or for their customers, you know, exposed to their customers like a cloud or SaaS service.
Um, but the product security would be securing the things,

(06:24):
whether those are physical or, or non physical.
Things that gets, that gets shipped externally and sold, you know, and, and either sold or given or used by customers.
So, uh, potentially, or most likely, mobile applications, because those obviously go.
That's software only that goes, that gets delivered outside of

(06:45):
the company.
Uh, certainly the bits that run on the product, on the physical device and the physical device itself.
So the people process, processes, etc.
Uh, you know, infrastructure, networking, etc.
That might get delivered with that, that physical box, uh, and the firmware and software that it runs.
Uh, and any operating software, you know, if, if we don't.

(07:10):
Thick clients are not as prevalent today, I think, but, uh, you know, when we used to have desktop software that controls, you know, the boxes, um, the, those are products too.
Applications being things, business applications, especially being things that the business uses to, to Do all of that work as well as the things that they may then expose to to

(07:32):
customers like, you know, License management and support systems and things like that And and so product security is is making sure that from a physical physical up Right, in the stack, security wise, and then applications, of course, would be anything that sits on top of the, on top of the

(07:54):
infrastructure.
If we think of the cloud model of, you know, SaaS, IaaS, PaaS, um, right, anything that sits on top of the, the infrastructure, at least, is the application, right, the software portion.
Izar, do you, how do you feel about, about that?

Izar Tarandach (08:11):
Well, so you guys know me, I like to think in terms of analogies, right?
And when I went looking for one that could cover this.
Luckily, my wife was watching one of those, uh, home improvement things on TV.
And I think, and I know there are holes in the analogy here, but I think that what came to my mind was the difference between

(08:34):
the interior designer that's turning a room in a building into something functional and that works for its purposes and that explores well the space.
And that for me is an application.
And the prod security is the architect or engineer that comes

(08:55):
and builds the whole building around that thing, including all the plumbing and all the codes and all the safety and all the, all that kind of stuff.
So, first of all, I was very, I don't know, very, uh, uh, I don't know if surprised is the term by the question itself.

(09:17):
And especially when I read that some people think that Prod Security is an emerging new thing.
Because, to the best of my recollection, we have been doing Prod Security for, Matt, how much is it now?

Matt Coles (09:29):
It's been a long time.

Izar Tarandach (09:30):
Long, long, long I mean,

Matt Coles (09:31):
mean my, my, my title, my title and your title.
Actually, we were both product security engineers for a

Izar Tarandach (09:37):
We

Matt Coles (09:38):
of

Izar Tarandach (09:38):
came to work in the Prod Security office,

Matt Coles (09:41):
in, in the mid, in the mid 2000s.
I mean, so this is not a new, the term is not new.
Maybe the scope has changed.

Chris Romeo (09:49):
I think it's exposure to the market too.
It's exposure to specific companies because product companies tended to be the leading.
Organizations that were deploying product security offices and product security engineers.
I mean, we had it at Cisco.
We were product security at Cisco Um, and that's, but that's because we had a company that was driven by a lot of different

(10:13):
products that required That level of thing.
And it was funny at Cisco, Application security became synonymous with what InfoSec was doing Securing the business applications and the internal applications.
And product security was what we were doing as we were serving the business units and technology groups to help them build secure products.

Izar Tarandach (10:36):
So, another thing that I saw in those, in those articles was that there was a tendency to go for the cardinality of the thing.
AppSec is one, Prod Security is many, or Prod Security is one and AppSec is many, that kind of thing.
And I think that I prefer best Chris' approach to defining

(10:59):
AppSec and he went straight where I wanted to go, the PPT, the people, processes, and tools.
And I think that I would extend that and say that to me, product security, application security is one of the tools and processes that goes into product security.
So if I'm looking at some kind of relationship between them,
So if I'm looking at some kindof relationship between them,

(11:20):
some kind of Venn diagram between them, I would say that to me, AppSec falls.
in the middle of the, the, the ProdSec bubble, but it goes a bit outside because it can exist as its own thing, right?
What would make it exist as its own thing, I'm not so sure.

(11:43):
Is it a size thing?
Is it a focus thing?
Is it a...
Like, if somebody comes and says, oh, what about internal applications?
Yeah, what about internal applications?
They don't need the same standards and, and scrutiny that a product would need.
Why not?
Why have two processes?
Why can't you treat your internal stuff as a product,

(12:06):
right?
You probably gain a lot of stuff in there.
I guess that you would probably not lose, but you would have a, a, a bit of, uh, Waste in there, as Jim liked to put it, but uh, I don't see why not.
So I'm still a bit murky here on the,

Matt Coles (12:26):
I think there's a lot of overlap.
I think there's definitely a lot of overlap.
I think what you're highlighting is there's inefficiencies if you separate the two, right?
But I think that they are different.
If we look at business systems, you know, things that a company deploys versus things that they sell, especially if it's

(12:46):
associated with hardware, especially, right, the rules are different.
Uh, and so while there's, there's some inefficiencies if you separate them, because things like the same vulnerability scanners that we use to look at the firmware on a box, uh, you know, can target a, a dust, I mean, a business application, right?
A cloud, a cloud application or web application.

(13:08):
The same, whether that web application is running, you know, in a, You know, a private cloud versus a, uh, on, on the box or on, on somebody's desk.
Uh, so there, there's no reason to separate those, right?
Those are dual purpose, uh, tools, for instance.
But...
The rules that govern what you sell and ship, right, need to

(13:32):
follow a different set of rules than, than how you deploy, right?
Let's take about, think about like, uh, connectivity, right?
In the business environment, you own the, you own the network.
Right.
The company owns the network.
When you deploy it, you're going to have certain requirements.
You have a known infrastructure that you're, that you're deploying into, you know, say they're on Azure or AWS, or they have their own internal, you know, network and infrastructure

(13:55):
and, and, you know, log infrastructure and whatnot.
And those are the rules that govern that application deployment.
When you're selling something, You're deploying that into a customer's environment.
They're going to run their own firewalls, their own network infrastructure.
They may or may not be in a cloud, a public cloud or a private cloud or a hybrid cloud.
New concept, multi cloud these days.

(14:17):
Uh, you know, these are, it's a lot more.
Open, but you also have to be careful of things like, uh, inbound, inbound network requests and poking holes in the firewall.
Um, or what regulations you have to, uh, have to apply.
So the design requirements and standards and patterns that you

(14:37):
use and some of the, um, some of the, the constructs and systems that might get deployed and how you secure them and your threats that you're looking for.
will differ, I think, and you'll have a broader, a broader set of things to look at if you're talking about the thing that you deliver versus the thing that you deploy.

(14:58):
However, I can see where you think that if you wrap this, a set of things, even if you deploy it locally, you wrap a set of things as a product, especially if it has a customer facing aspect, like a business application that may like a support system, right?
If that's your, if that's your business, That is your product or, and, and they're like Twitter, right?

(15:20):
Uh, or X or whatever it's called these days.
Um, you know, that is a, that's a business application that's deployed for customer use.
That's, that's obviously it's product.
Although some people, I guess say we're, we're the product, not the business system.
But so is that an application or is that a product?
It's not something they sell.

(15:41):
It's something they sell, but it's not something they deliver.

Chris Romeo (15:45):
Yeah, and they deliver it via mobile app and...
API endpoints and, and other things.
Okay, so I got a different, a different way to, I've just been thinking about a different way to frame the question.
That may, maybe this will, maybe this will unlock something for us, maybe not.
Why is there an application security industry?

(16:07):
Meaning there's a whole cottage industry of tooling and consulting and everything else, but there's not a product security industry.

Izar Tarandach (16:17):
A, perhaps because there isn't a need for one, because we all understand that a big technical part is being covered by the AppSec one.
B, perhaps there is, we just don't take the steps to call it such, because, sure, you are a VP of Prod Security.

(16:40):
That means that you have a certain number of, uh, almost preordained functions under you.
And that makes you Prod Security, because as, as Matthew said, that there are, there's a number of things that need to be, to be covered.

Chris Romeo (16:54):
Do you use the same tools in product security as you do in application security?
Or are there other tools?
I can't, like the way we approached it when I was in product security, we didn't do anything differently than, you could have called us, you could have swapped out AppSec for product security in the core set of services that we delivered.
Right.
In our secure development life cycle.

Matt Coles (17:15):
If you, uh, if you introduce hardware, there's a difference, I

Chris Romeo (17:19):
that's, that, I was, yeah, that is where things got different or, or there were additional things that had to be considered.
I mean, we were dealing with, um, Root of Trust and I can't remember what the, what's the thing called?
The Hardware, um, Trusted TPM, the Trusted, yeah, TPMs.
Like,

Matt Coles (17:38):
So applications don't generally deal with TPMs because that's all virtualized or, or, you know, abstracted away from the application developer.
But when you're delivering a product that has physical components, you obviously need to understand that.

Izar Tarandach (17:50):
concepts

Chris Romeo (17:55):
there...
Is there a product security industry and I'm just not aware of it?
Are there tools that are targeting the product security industry?
Or is this like a dead end?

Matt Coles (18:06):
Well, so I, I think it, I think there, it is.
There is, but not by that name, there are security tools targeted at product developers

Chris Romeo (18:21):
Okay,

Matt Coles (18:22):
as opposed to security teams.
So I think, uh, obviously we're going to debate here a little bit, but, right?
We, as I mentioned earlier, we, we, the, a lot of the tools are dual purpose or rather have, you know, they have no specific purpose other than looking at software, you know, looking at web applications or looking at third party components in, you

(18:45):
know, inventories or, or now analyzing for vulnerabilities or code analysis.
All these tools will work whether you're doing application development or firmware development.
So in terms of.
And I guess, I guess this is the, I guess maybe this is the interesting part about why people see product security as

(19:06):
new, even though it's not new, is product security was very much, I think, has always been and really is associated with, uh, I consider myself part of, or more closely related to an engineering or engineering function than a security function, especially if you look at security being IT security or cybersecurity versus product engineering.

(19:28):
Adding security to product engineering.
And in fact, that's, I mean, that's a lot of how we approach things, right?
Is we want to focus threat modeling at developers.
Well, that's product, that's developers doing product work, adding security into their role, into their day to day lives.
Uh, for, as an example.
So, I think there has always been a strong engineering tool

(19:48):
focus with security and AppSec.

Izar Tarandach (19:53):
Good

Matt Coles (19:54):
at security, at security teams doing application security.
By and large, I think many of the tools are going to be the same though.
Again, unless we're talking about hardware, you know, if we're looking at ChipSec or any of the glitching tools or things like that, most IT teams probably don't have a purpose for that unless they're attacking network switches.

(20:15):
Um, whereas, you know, product developers have a need for that and maybe even a dual purpose need.
You know, logic analyzers can, can look at hardware, not, not just from a security standpoint.
They also may use it for quality and support purposes and test engineering and whatnot.
And so I think that it's maybe it's been always there.
Um, or it's always been available without maybe that

(20:36):
label on it, which is actually starting to open up my mind as to why there's a, this, this thought that it's, that's a new thing, even though it's not really new.
Izar, I know.
you're.

Izar Tarandach (20:51):
I don't know.
The, the, the more we, yeah, the, the more we talk about it.
I'm, I'm asking myself if this is not one of those cases of, uh, Uh, what's it?
A difference without a distinction?
Or a distinction without a difference?
Because, yeah, I, I agree that the tooling and the processes

(21:11):
are probably similar, but again, that Venn diagram, the, the part of it, of AppSec that, that slips out of ProdSec to me is so small, so, so edge case that I ask myself if it's not just Too much of an edge case to actually say these things are different.

(21:32):
Or on the other hand, you could put on top of prod security, a number of things, people and processes that really don't belong in AppSec,

Chris Romeo (21:46):
Let me give you another example.
Let me give you another example.
that I think could be, could be an ill, could be illustrative for us.
I like how I worked that word in there.
Illustrative, that's a big word.
PSIRT, Product Security Incident Response Team.
We

Matt Coles (22:02):
Versus CSIRT.

Chris Romeo (22:03):
CSIRT, but now see, now there's another, see, for me, CSIRT defends the network, PSIRT defends the products that we build.

Matt Coles (22:13):
Yep.

Chris Romeo (22:13):
That's, again, so, but in AppSec, we don't have a PSIRT.
There is no such thing.
Have you asked a, someone in AppSec, the AppSec program leaders?
Uh, who, who runs your PSIRT?
Most times a director of AppSec does not have a PSIRT function.
So is this something that we can unlock that is a difference

(22:35):
between AppSec and ProdSec?

Izar Tarandach (22:39):
Again, I don't think that it's a matter of a difference, I think that it's complementary.
If we already agreed, and I think we agreed, correct me if I'm wrong, that AppSec is part of ProdSec, then that would just be another bubble on the side of AppSec, just as you

Chris Romeo (22:55):
going to, I'm going to, flip it back on you the other way.
ProdSec is a part of AppSec because AppSec is, when you think about the, I'm just talking about from a public perception, like you ask 10 people.
What AppSec is and what ProdSec is that probably nobody can probably give a great definition.
But AppSec is

Izar Tarandach (23:12):
who should know, or just any 10 people.

Chris Romeo (23:14):
any 10 people, I'm just gonna go to the Walmart here in my town and ask people.
But,

Matt Coles (23:19):
And by the way, sorry, sorry to interrupt, Chris.
By the way, I, we've had these conversations.
I don't mean just the three of us, but other folks in the security space have had these conversations.
I've been part of, of some of these.
None of us have a good understanding, I think, even within the security space of what this stuff means, right?
Are we cybersecurity?
Are we InfoSec?
Are we AppSec?

(23:40):
Are we ProdSec?

Izar Tarandach (23:41):
We are too busy securing stuff.
I don't care what's

Chris Romeo (23:44):
ha,

Izar Tarandach (23:45):
the color of the t

Chris Romeo (23:46):
me whatever you want, I will just show up and secure your

Matt Coles (23:49):
But, but I think it's important that the way you're asking the question is interesting.
And the way that we're responding, I think is, is doubly, uh, not adding, maybe not clearing up the confusion for folks if they're listening to this now, um, you know, the, the processes that a PSIRT or that a CSIRT follow are probably

(24:10):
90 percent the same.
Where it gets...
Where you have differences, again, is PSIRT deals with, potentially deals with hardware, right, because you have physical devices.
Although, CSIRT may deal with physical devices in terms of network infrastructure, especially, you know, access points, but also other things.

(24:32):
People security, potentially.
And so you have, you have a Venn diagram of a lot of overlap and then some, some pieces outside of each of them that are unique, I think So there's a lot of overlap.

Chris Romeo (24:45):
making it, I don't think it's 90 percent the same.
I think it might be 50, 50, 50 percent the same.
And I've, I mean, I've, I've had a chance to work.
I didn't work for PSIRT at Cisco, but I worked closely beside a lot of people from PSIRT.
And, um, you know, having done incident response in the past, like, And like I said, CSIRT is about the network, PSIRT is

(25:07):
about the product.
Yes, there's going to be some overlap, but that focus really changes the core of what you're doing as an incident response team.
Right?
Because the PSIRT team is responsible for most of the time being notified about a problem.
Out from an inbound source, going to the product team,

(25:30):
testing, helping the product team through the process of fixing the issue, and then running the communication process to ensure we tell the people at the right time.
Now, when I think about CSIRT, CSIRT is, um, has no real outbound.
They don't report to the, to the public as far as what happened, what's happening, what they're doing.

(25:50):
They may, they may receive an inbound.
If they get an inbound notification, then things are really bad.
Like

Matt Coles (25:57):
Well, or, well, or they're running a bug or they're
running a bug bounty.

Chris Romeo (26:01):
bounties

Izar Tarandach (26:02):
Yeah, that's exactly what I was going to ask.

Chris Romeo (26:04):
bug bounties is another, but CSIRTs don't run
bug bounties, right?
Like,

Izar Tarandach (26:08):
No, no, no.
SIRTs don't run

Chris Romeo (26:09):
product, is a product related thing.

Izar Tarandach (26:13):
Exactly.
So, let's look at that for a second.
Products run bug bounties.
Applications, sort of not.

Chris Romeo (26:22):
Oh, they run bug bounties.

Izar Tarandach (26:23):
Can we agree with that?

Chris Romeo (26:25):
lots of application providers run, lots of SAST tools, and like people that are building applications, they're running, everybody's running bug bounties these days.

Izar Tarandach (26:34):
So, those are not products?

Chris Romeo (26:36):
I mean, they are products.

Matt Coles (26:38):
Oh

Chris Romeo (26:39):
to Matt's definition, that we're selling.
If you're selling them, it's a product.

Izar Tarandach (26:45):
If I'm a

Matt Coles (26:45):
them,

Izar Tarandach (26:46):
SAST tool provider, And my tool just
happens to be SAST.
I'm selling you something.
I'm giving you a service.
You're giving me money.
How is that not a product?

Chris Romeo (26:58):
No, I'm saying it is.
I'm agreeing it is.
Because there's money being, changing hands.
But it's also an application.
It's both.

Izar Tarandach (27:05):
It's a product that's made of an application,
which we agreed already.

Matt Coles (27:10):
it's a product made up of an application.
Products that have hardware, right, but products that have hardware also have applications as building blocks.
So are we suggesting

Izar Tarandach (27:20):
you the truth, I don't see the,

Matt Coles (27:22):
is product security the superset?
Because it includes applications and other things?

Izar Tarandach (27:27):
I don't see the hardware as such a differentiator here.
If I think about something that I'm selling

Matt Coles (27:33):
not dealt with hardware before?

Izar Tarandach (27:36):
yeah, but you know, it's, it's like it has some stuff that's different, but there isn't enough stuff in there to put in a class by its own.

Matt Coles (27:47):
know a bunch of hardware engineers would say
otherwise.

Chris Romeo (27:50):
I do too.

Izar Tarandach (27:51):
Dude, I, I, I know a lot of people who think that what they do is the most important thing in the world we included, so,

Matt Coles (27:57):
Well, okay, so hold on, so hold on, so hold on.
Let's talk about, let's talk about the, let's talk about the real elephant in the room on that.
That's the difference between hardware and non hardware.
You actually have to build something and ship them somewhere so you have all the supply chain stuff that you have to

Izar Tarandach (28:12):
that, but that doesn't

Matt Coles (28:13):
I deployed through CICD and it's present.

Izar Tarandach (28:17):
Okay, let me give you an example, okay?
I have this amazing thing here on my wrist.

Matt Coles (28:22):
Yeah, it's a product.

Izar Tarandach (28:24):
and a product.
And they decided, it's a hardware product, great, great.
And it runs a specific version of an operating system.

Matt Coles (28:32):
Yeah, same here.

Izar Tarandach (28:33):
now they decided, no, now they decided that they're not going to give me more upgrades.
And half of the functionality is dying because Google on the other side decided that I have to have the newest version

Matt Coles (28:42):
Oh, sure.
No names, huh?

Izar Tarandach (28:43):
to run.
Okay, now note that Google, the Google app, app ecosystem is a completely different word.
You just know now that it's an Android thing.
It's not an Apple thing.
So, but that you knew from the shape.
But anyway, so my point is, if I can remember it is, okay, this, this thing is hardware.
Great.
So according to your definition, it makes it more of a product.

(29:06):
But you know what?
It could not be hardware.
It could be an app that lives in my Windows machine, as if I had one.

Chris Romeo (29:15):
That would

Izar Tarandach (29:16):
No, not sure.
I have one.
It's my game box.
Anyway, so it's running into a Windows machine, and what all it does is run exactly the same apps.
Is that thing less of a product just because it doesn't live in a

Matt Coles (29:28):
I'm not saying it's less,

Chris Romeo (29:29):
doesn't have hardware

Matt Coles (29:31):
well, I'm not

Chris Romeo (29:32):
it on your wrist.
That

Matt Coles (29:33):
I'm not saying it's less of a product.
I'm not saying it's less of a product.
I'm saying that it's a different product.
It's a product that has different, it's a product that has different aspects.
Software.
alone has different criteria for security than hardware and software.

Izar Tarandach (29:48):
Okay, okay, okay, okay, okay.
Another example, you have this firewall box, wonderful firewall box, right?
You can get it as a 1U, you stick it in your, in your stack, everything is beautiful and great.
It just so happens that you can also get exactly the same functionality in the form of a virtual machine that you stick in your network, okay?

Matt Coles (30:09):
on a virtual machine, on a VM server

Izar Tarandach (30:11):
On a virtual machine, yeah,

Matt Coles (30:13):
that you deploy?

Izar Tarandach (30:14):
Yeah, yeah.
Is one of them less of a product than the other?

Matt Coles (30:18):
It's different.

Chris Romeo (30:20):
There's still hardware underneath in the cloud
environment.

Matt Coles (30:22):
yeah, but you're not, but you as,

Izar Tarandach (30:25):
I can't do ones and zeros in my

Matt Coles (30:26):
but as the, but as a supplier of, as a supplier of the product of the supplier, the product, the software only product, you're not governing the heart of the hardware runs, nor do you necessarily care how the hardware runs.

Izar Tarandach (30:38):
But does that make my product less of a
product?

Matt Coles (30:42):
Oh my god, we're not talking about making it less of
a product! We're

Izar Tarandach (30:46):
Then why are

Chris Romeo (30:46):
caress about pro,

Izar Tarandach (30:47):
why are you sticking to the hardware?

Chris Romeo (30:50):
what is it a one to five scale of how much of a product you are?
Well, you're about a four.
I mean, you're, you're almost the, the most

Izar Tarandach (30:57):
But if you had hardware,

Chris Romeo (31:00):
Yeah,

Matt Coles (31:00):
mean, if we really want to go that route, we could talk about wireless sensor networks that, you know, run, you know, environments, you know, smart fields and things where you have thousands of wireless devices out in the field talking to it.
Edge gateway, how much of a product is that?

Chris Romeo (31:14):
My primary question is why am I more confused now
than when we started this

Izar Tarandach (31:17):
I'm totally confused.
I have no idea where I went.

Chris Romeo (31:20):
I've got to go read the articles again and try to
see if I can find some wisdom

Izar Tarandach (31:24):
no, no, seriously.
Let's bring it back then.
Let's bring it back.
We're almost at time.
So let's bring it back.
Okay, so, who...
Contains whom?

Matt Coles (31:37):
I'm going to go with product security includes
application security.

Izar Tarandach (31:41):
Great.
Okay.

Chris Romeo (31:43):
Hold on.
I'm going to go on the, I'm on the other side.

Matt Coles (31:45):
in part, and I have to say in

Izar Tarandach (31:47):
to go there.
Now we

Matt Coles (31:48):
have to say in part, we do need to, we have to have, we have to further this conversation somewhere, but product security has parts that, actually, let me, let me take a really brief step back.
If we look at product, if we look at application security, securing applications, and we've defined web applications and

(32:08):
desktop software and mobile applications as applications.
And those can be part of the things that you sell, like that watch that you were showing earlier.
Then products must contain applications.
Product security must contain application security.
However, applications can be on their own and not be part of products.

Izar Tarandach (32:31):
Yes, but then, but then that application
becomes a product.

Chris Romeo (32:35):
Yeah.
And I'm going to, I'm going to come at this from a different direction and I'm just going to go purely based on market share.
And I'm going to say application security eats product security.
Just because application security is the thing that exists in the market.
There isn't a product.
I mean, that was a, that was a trick question.
There is no product security space.
There is no, it is, there is an AppSec space of products that

(32:59):
are built, that are used in, in product security programs.
Um, but there is, I mean, there is not a, there is a...
AppSec is really what everybody refers to what all of us do at this point.
I mean, for example, hold on, I have to go check, um, on the open worldwide product security.

(33:19):
Program, uh, website.
The OWP, no wait, there is no OWP, there's no OWPSP.
There is, is that right?
Okay.
There is OWASP, which is the Open Worldwide Application Security Project.

Matt Coles (33:35):
Uh, what was it called before they had a name change to try and bring a bigger tent?

Chris Romeo (33:41):
it's just web applications,

Matt Coles (33:42):
Web application.
Yes.

Chris Romeo (33:43):
point is, application security is at the core of that.
And, I mean, at the end of the day, I don't really care what we call it.
We're still going to do the right things to secure the hardware and the software that, that go into products and applications both.
My point is I think AppSec has just become, it's just the same way AppSec replaced SoftwareSec.
We used to call software security, was used to be the

(34:06):
thing, and then AppSec kind of took it away and squashed it, and now people, nobody really uses software security anymore.
We don't really, we don't really say that or use it as a term as much as we used to 10 years ago.

Matt Coles (34:18):
That's an interesting, that's an interesting statement.
I agree with you.
It's interesting because maybe that's where the problem lies, right?
That within product security, you have software and you do software security of products...
Or you do software security...
Products that are either software or that contain software.
You do software security.

(34:39):
Applications can be something different then, right?
But that, that's, those terms are now sort of munched together, as you, as you described.

Chris Romeo (34:47):
I'm just approaching it from how the
industry sees it, like how...
The external view of this.

Izar Tarandach (34:54):
But now, now, just to put it in there, um, as you guys were, were talking, I was looking into the inside tomes of wisdom and experience.
And I remember one place where it worked, where.
There was a distinction between product security and application security.
And the distinction was that prod security could stop releases, application security couldn't.

(35:17):
Because prod security was much more enmeshed with the product side of the thing with the, we have to push stuff out because we have consumers waiting for and paying for stuff than AppSec.
So the escalation of risk was AppSec, ProdSec.
ProdSec makes a decision, go, no go.

Matt Coles (35:38):
Interesting.
The, the other aspect, and I know we're getting close to the end of this episode, but the, the other aspect is, would you consider, if you, if AppSec, is AppSec closely tied to cyber or IT security?
And if so, are products, is product security,

Chris Romeo (35:56):
you're not gonna take us there, are ya?

Matt Coles (35:57):
I, I, you have to.

Izar Tarandach (36:00):
can

Matt Coles (36:00):
not

Izar Tarandach (36:01):
go with asterisk security?

Matt Coles (36:04):
well, they're just security then.
That's awesome.
We can do that.

Chris Romeo (36:06):
Asterisk.

Izar Tarandach (36:07):
Can we just go asterisk security and that's
what we do?

Chris Romeo (36:10):
with it.
Well, you know what?
We're out of time.
So we're gonna have to come back and revisit this again.
Um, we were hoping for some clarity by the end.
I think we just, we just threw some more mud in the water and stirred it up.
And, um, made some, some security soup.
I think is what we did at the end of the day.
But we'll continue this conversation.
We'll find, uh, we'll try to find clarity.

(36:32):
That'll be our goal

Matt Coles (36:33):
and maybe we'll get some guests on to, uh, to help
us answer

Izar Tarandach (36:36):
Yeah, perhaps we can bring someone who,

Chris Romeo (36:38):
Smarter than us that can come and just tell us what it is.
That's what we're going to aim for.

Izar Tarandach (36:42):
Yep, that would help.

Chris Romeo (36:43):
We'll debate, you know, we'll debate with them.
No matter who we bring on, we're going to debate with them about what it means.
But folks, thanks for listening to The Security Table.
Stay tuned for a future episode where we will provide clarity.