
November 28, 2023 46 mins

Join Izar, Matt, and Chris in a broad discussion covering the dynamics of the security community, the evolving role of technology, and the profound impact of social media on our lives. As the trio considers what they are most thankful for in security, they navigate a series of topics that blend professional insights with personal experiences, offering a unique perspective on how these elements intersect in the modern world.

Chris begins by highlighting the importance of collaboration and learning within the ever-expanding security community. Shifting to broader security concerns, Izar emphasizes the value of mentoring and the potential for institutionalizing it through platforms like OWASP. Matt critiques over-relying on AI. He advocates for tool-assisted solutions rather than tool-performed ones and stresses the importance of accurately representing AI's capabilities.

In a particularly engaging segment, the panelists explore the influence of social media and technology on personal well-being. They share anecdotes and observations on the pursuit of simplicity in a tech-driven world, discussing the concept of 'social media sobriety' and social media's impact on happiness. They conclude with a collective call to action, urging viewers to engage in positive change through volunteering, mentoring, and contributing to open-source projects. This discussion is a must-watch for anyone interested in the intersection of technology, security, and societal trends.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Chris Romeo (00:10):
we can get into that.
So, hey folks, welcome to this episode of The Security Table.
This is Chris Romeo joined by Matt Coles and Izar is now only
literally using one, his first name on anything.
Um, his, the previous episode has gone to his head and he
doesn't even put his last name into things anymore.
Like if you don't know who he is, then that's on you is kind

(00:31):
of his,

Izar Tarandach (00:32):
Look, when you have a name like mine, all you
need is a first name.

Chris Romeo (00:36):
That's true.
That's true.
I wish I had the same

Matt Coles (00:38):
Just remember if you have any IT calls, you know who
to

Izar Tarandach (00:41):
Don't call me!

Chris Romeo (00:44):
Come on, it's the holiday season and that's when
all of our relatives liked us to fix their, their computers,
their smartphones, their TVs, their tablets, anything that's
connected to the internet.

Izar Tarandach (00:54):
And that's why I have a t shirt that says, No, I
don't do Windows.

Matt Coles (00:59):
You know you'll find that one, that one relative who
has, you know, something strange.

Chris Romeo (01:05):
Yeah,

Izar Tarandach (01:05):
My relatives, all of them, have something
strange.

Chris Romeo (01:10):
Oh, that's fun.
That's fun.
You mentioned right

Matt Coles (01:13):
can you fix my 68000 series Mac?
Come on.

Chris Romeo (01:16):
Sheldon

Izar Tarandach (01:16):
it goes like this, Oh, wait, you work in
computers, right?
Yeah, you have a degree in computer science, right?
Yeah, so listen, you're gonna help me with this.
Excel.
I open it and I have this strange, like, stare that I do
when they say that, where very quick they stop asking and just

(01:40):
move away.
So...
No, I'm just like looking at the horizon with the 100 windows
stare.

Chris Romeo (01:49):
I'll say you're doing the Elon Musk thing.
Apparently Elon Musk does that where he'll go into like a
trance for a while.
And then as people are talking to him and eventually they'll
just stop talking and then he'll kind of like finish thinking
about whatever he's solving and then he'll come back to the
conversation.

Izar Tarandach (02:03):
Yeah, exactly that, minus the solving thing,

Matt Coles (02:08):
You know with the, with the, you know with the
Neuralink, you know with the Neuralink chip he's just, you
know, organizing his threads.

Izar Tarandach (02:16):
He's running garbage collection!

Chris Romeo (02:19):
Hey, I'm, uh, that's probably true.
I'm just, I'm almost finished with, uh, Isaacson's book on
Elon Musk, which is the latest.
And it's fascinating.
Like, I'm, I'm learning so many, so many things about how to be a
good leader.
Like fire people during a meeting if you don't like how
they,

Izar Tarandach (02:36):
Oh, by the way, you're fired.

Chris Romeo (02:38):
yeah, if you don't like how their response is, just
immediately fire them in the middle of the meeting in front
of everyone else.

Matt Coles (02:43):
The firings will continue until morale improves,
right?

Chris Romeo (02:46):
yeah,

Izar Tarandach (02:47):
Immediately what came up.

Chris Romeo (02:49):
yeah, I mean, he gets, he gets stuff done though.
You know, he's got a lot of successful companies, but that's
not why we're here.

Izar Tarandach (02:55):
Yeah, just be happy we don't have SCSI cables
anymore.

Chris Romeo (02:58):
uh, you don't have those?
I need to upgrade my stuff then.

Matt Coles (03:01):
And if, uh, you know, if Elon is listening, you
know, maybe we need a new guest on the show.

Chris Romeo (03:06):
Yeah, come on.
You're always welcome, Elon.
You can connect over Neuralink from your, your Tesla, from a
spaceship, or from Twitter, I guess.
VX, or 2X,

Izar Tarandach (03:16):
no.

Chris Romeo (03:17):
is.
Oh,

Izar Tarandach (03:18):
Oh, it's gonna be a blast.

Chris Romeo (03:21):
That'd be fun.
Alright, well, we wanted to have a little holiday episode, which
we all wore our most festive holiday gear that we could find,
which is basically the same thing we would wear to a holiday
party, or a Thanksgiving gathering here in the United
States.
We probably would literally be wearing the same thing that we

Izar Tarandach (03:42):
Not true, I got long pants.

Chris Romeo (03:44):
Okay.
All right.
All right.
Well, that's, yeah, that's, that's good.
Please wear long pants to holiday gatherings.
Uh, but we wanted to start our conversation here today,
because, you know, we're close to American Thanksgiving, with,
let's all share something we're thankful for.
I'm going to say in security.

(04:04):
I'm gonna make it broader than AppSec.
I wanted, I wanted to focus this in on AppSec, but I'm like, eh,
let's, let's take the, take the AppSec blinders off, or whatever
illustration you can think of that would constrain us to that.
If you have something wittier yourself, feel free to insert
that into your mind now as you're thinking.
Um, but, so what are we, like, what are we thankful for in the

(04:26):
world of security?
So, who wants to go first?
Because I'm

Matt Coles (04:28):
Why don't you go first,

Chris Romeo (04:29):
I'm thankful for nothing, so that was easy.

Izar Tarandach (04:33):
Not true, not true.

Chris Romeo (04:35):
okay, alright, I'll go first.
I'm going to take the one side.
You guys making me go first?
Guess what?
You guys are going to be really upset because I'm going to take
one that you want to share.
I am thankful for a community that the two of us...
three of us are all a part of that includes the likes of
Brooke Schoenfeld and Kim Vutz and Adam Shostak and Avi Duglin

(04:56):
and Siva Diller Snyder and many other friends of ours that
we're, uh, that are our threat modeling besties is the best way
I can think of to describe them.
So I am thankful for that community.
Uh, it's made going to conferences such a fun
experience now when I know that some of those folks are going to
be there, some of you are going to be there, and we get to hang

(05:17):
out and talk, and, uh, and so that's, that's something, and I
think that's something that, that, it's, other people can
replicate that too, like it's, yes, the, the, the group that we
have joined up with is a special group, but other people
can do the same thing.
You know, it's not, it's not, there's nothing special about,

(05:37):
we didn't, we're not like some great people at making groups or
whatever.
Um, but it's good to, it's good to have community inside of our,
of our organizations and inside of our, our jobs and, and
professional careers, right?
Cause this can be a pretty lonely environment if you don't
have some community to lean into and some people to tell you when
you're full of it and stuff like that.
So there, I took the one.

Matt Coles (05:59):
Yeah, I want to take that a step further than Chris,
so just a different, different angle on, or not a different
angle, but a different area for that.
So I've had an opportunity to work over the many years, uh, oh
my god, decades now of doing security of some sort.
And I haven't had the pleasure of working with so many

(06:20):
interested and interesting people.
Talk about community, but talking about really, uh, people
who want to share their experiences and share their
knowledge.
And I'm talking about folks in standards bodies.
So whether that's, uh, something like OWASP, you know, a
community initiative, or something, you know, uh, where

(06:40):
you have to, you know, pay to get in, or, uh, or whatever, or
they're making, you know, fancy, uh, fancy documents and
specifications and, and whatnot for the industry to follow, the
folks who define those things, uh, spend countless hours and
I'm thinking, you know, more recently of like CVSS v.4, for
instance, with our, with the launch of, of v.4, the dozens of

(07:01):
people who are involved in making that happen, writing
documentation, sharing ideas, putting their brain power at
work to help the industry at large.
Uh, I am, I will say I'm thankful that we don't have to
figure this out for ourselves and that we have an opportunity
to share amongst our, amongst the members of the, of the
community, the security community, to make us

(07:22):
all be more effective and efficient and capable in the
work that we do.

Chris Romeo (07:29):
He's already had a lot of time to, to ponder here,

Izar Tarandach (07:31):
Yeah, so I had to quick pivot here.
And I am very thankful for SBOMand DAST.
AHAHAHAHAHAHAHAHA!

Chris Romeo (07:41):
podcast.
Thank you, folks.
This

Izar Tarandach (07:44):
WAIT! WAIT! WAIT! There is more! There is
more!

Matt Coles (07:46):
wait, oh wait, Izar's video seems to be hung.
There's a...

Chris Romeo (07:50):
Yeah, that's right.
He's just been kicked out of the call.

Izar Tarandach (07:52):
There's more, there's more.
No, uh, I'm actually very, very, very, uh, thankful to them
because they gave us so much to talk about, right?

Chris Romeo (08:02):
Ah.

Izar Tarandach (08:05):
And he saves! So, but actually, I, I, I, my
original one.
I wanted to build a bit on what both of you brought up, and I, I
think that it's not random that the three of us immediately
jumped to community because in joint ways and in separate ways

(08:25):
we have had so many amazing experiences this last year and a
bit before but the one thing that I am really really really
thankful in terms of security is, in terms of community, is
that, and especially outside, beyond the realm of AppSec.

(08:47):
I think that in a ways we have shared that label of a security
that eats its own, of a community that eats its own.

Chris Romeo (08:55):
Hmm.

Izar Tarandach (08:56):
I think that we used to be very insular, very
closed, we used to be very unwelcoming of new people, and
we used to be very, if you don't understand, then go away, I
don't want to talk to you.
And I think that we have, we have matured past that, and I'm
very thankful for that.
And the reason I am thankful is that first it gives me an

(09:19):
opportunity to do something that I really, really enjoy, which is
mentoring other people.
So people feel that they can come up to us and say, Hey, I
want to learn some of the stuff that you know, could you spend
some time with me?
And on the other hand, it gives me plenty of opportunity to say,
I don't know, and there are people who know, and I can go to
them and learn from them.

(09:41):
I think that a couple of years ago that wouldn't be as much of
a given, but as I said, I think that we matured past that and
that security got so big and so important and finally we got
this place perhaps at the children's table so far, uh, we

(10:02):
are not the dog coming under the table and asking for a bit of
the, of the turkey anymore.
So, yeah, I'm thankful for that.

Chris Romeo (10:11):
Hmm.
Yeah, that's a good, uh, that's a good assessment.
Because I remember...
You know, being around security, I've been in this for 26 years,
so, you know, pre Twitter, pre Infosec drama, and all the
things.
And, I don't know if, maybe it's the AppSec community has, has

(10:32):
formed a sub group of people that are just nicer to each
other.
And, but I can't think of, and maybe I'm insulated from this,
but I can't think of any major AppSec drama in the last year.
Of something where I was like...
There is a big disagreement between people in the community,

(10:53):
and I know it's happened in the past, right?
Human beings are, are, are what we are, and we're gonna, we're
not gonna all get along with everybody along the way, but I,
yeah, I think this has been a really good year of just being
open minded towards people, and, and being willing to mentor, and
like, Jenkin does this Mentoring

Izar Tarandach (11:13):
what I was thinking,

Chris Romeo (11:14):
Yeah, Tanya does this Mentoring Monday thing
where she's always looking to connect people and, and find
somebody who needs mentoring with somebody who's willing to
mentor.
And you know, this is something that all of us that have been
around for a while, we gotta, we gotta do more of this.
We gotta continue to embrace this idea of building the next
generation because You know, I'm looking at 26 years and like, am

(11:35):
I going to do this for 26 more years?
I don't think so.
Like we gotta, we gotta bring some more people.
And that's why I've been pushing our industry too.
Like let's push some of the boundaries of things people
believe and see if we can get people to think about these
things.
And, and instead of just going, well, we just, this is how, this
is how you do DevSecOps.
You just always have DAST somehow in your

Izar Tarandach (11:55):
Yeah, but, you know, and don't forget to
generate an SBOM by hand.
But, with the values and the address for delivery.
But if you don't know what I'm talking about, you have to watch
the previous episodes.
You're not into the inside jokes, come on, get up to it.
But anyway, uh, about mentoring, first of all...

Matt Coles (12:13):
right?

Izar Tarandach (12:14):
Right.
So, uh, about the mentoring, definitely the first thing that
comes to mind is Tanya's efforts, which are definitely
laudable, but on an institutionalized level thing,
and I'm doing air quotes for whomever is not watching, My
plan, and something that I would love to have the opportunity to

(12:36):
push forward, was to involve OWASP in that.
And, as part of the making it bigger for the, uh, for the
membership, to create some form of system where people could,
almost an eBay for mentorship.
Hey, here's what I'm willing to mentor on, and here's what I'm
looking for, and cross those two sets of people.

(12:58):
So, yeah, if anybody out there...
Loves to write this kind of systems and would like to, to get
that going.
Please.
Let me know.

Chris Romeo (13:07):
Yeah.
It's a mentoring marketplace is what you're looking for.

Izar Tarandach (13:16):
Okay Where else are we going?

Chris Romeo (13:17):
No, Matt thought Matt was going to say something.
Matt was looking like he was going to say

Matt Coles (13:20):
I, I, you know, the only thing I was going to add
was really was that it really has been, I think, since the
pandemic, right?
Pandemic changed a lot of people's outlooks on things.
And since then, the flame wars in public, uh, you know, drag
out fights around, you know, my opinion versus my opinion, uh,

(13:41):
is, is, I think is, at least in the circles we've been involved
with, uh, right?
People are much more willing to debate, to discuss, to share
ideas, to, to mentor, uh, or to be mentored.
Uh, oh,

Izar Tarandach (13:57):
You haven't been to Reddit lately, huh?
No, no, I kid I kid.
It's much better.

Matt Coles (14:03):
it is much better, it is, well, it is different,
and we're not talking, there's certain platforms I suppose that
you could go to that, uh,

Izar Tarandach (14:11):
if you're going to 4chan to get your AppSec

Matt Coles (14:14):
or,

Izar Tarandach (14:15):
you're in the wrong place

Matt Coles (14:16):
or, or, oh well, I don't, I'm not on, I don't do X,
I don't do X anymore, um, but, uh, you know, and, and I think
Mastodon's a ghost town at this point

Izar Tarandach (14:27):
Wait, wait, wait, wait, wait, wait, I have
to parse this one.
When you say I don't do X anymore, you mean X,

Matt Coles (14:34):
that thing

Izar Tarandach (14:34):
known as Twitter.

Matt Coles (14:35):
Yeah, the thing formally known as

Chris Romeo (14:36):
Solve for X, solve for X, please.

Izar Tarandach (14:39):
good, good, good, because otherwise we would
have to have some EDM around here, and some lights blowing,
and stuff.

Matt Coles (14:45):
ha.

Chris Romeo (14:46):
different kind of X.

Izar Tarandach (14:47):
Yeah, and see if we can get Matt in the thing
again.

Chris Romeo (14:50):
Yeah.
I'm, I'm definitely not thankful for Mastodon because I never
figured it out.
I'm like, I consider myself to be mildly intelligent and I just
don't get this.
Like, why don't things connect to each other?
Like, why do I say it's one thing here and it doesn't get
over there?
Like, what's happening here?

Izar Tarandach (15:06):
Yeah, so I feel like Mastodon just got like, in
a block of ice somewhere, and it's waiting for global warming
to make something happen, and perhaps there's a movie there, I
don't know.

Matt Coles (15:19):
Maybe, I mean, we're, yeah, we are, we are
older.
We were older white guys with glasses and until recently all
had beards, and I'm sure we can't figure out this
distributed computing thing called Mastodon, uh,

Izar Tarandach (15:34):
I got my login working, I just don't get to get
there.
Hahahaha Infosec.
exchange

Chris Romeo (15:42):
There's the problem.
I shouldn't, we shouldn't have to define it, but you know,
that's, that's neither here nor

Izar Tarandach (15:47):
Hey, Yotsim,

Chris Romeo (15:48):
we're, we're

Izar Tarandach (15:48):
it's just your email, right?

Chris Romeo (15:51):
Yeah, I mean, I would say I'm thankful also for
this podcast, the experience

Izar Tarandach (15:54):
Oh yeah,

Chris Romeo (15:55):
in just, it's, it's been fun to just riff on things,

Izar Tarandach (15:59):
high point of my

Chris Romeo (16:00):
all right, I'm gonna let our audience in on a
little bit of, a little bit of behind the scenes here on the
security table, so get ready.

Izar Tarandach (16:06):
Wait, wait, wait, wait, wait.
Thanks.

Matt Coles (16:08):
wait, under the table.
This is under the table

Izar Tarandach (16:10):
This is

Chris Romeo (16:10):
under the table?
Okay, under the security table.
This is a special episode.
We are under the security table.
Yeah, he started disappearing on the video feed.
Under the security table.
Whoops, I managed to lose a headphone.
I was laughing so hard.
Um, but the, yeah, I mean, the, the, under the security table.

(16:31):
We don't have, listen folks, we don't have any budget for
special effects either.
I

Izar Tarandach (16:34):
No, notice that the only camera that's not
following anybody is yours, which is supposed to follow you.

Chris Romeo (16:40):
AI camera that's supposed to be following.
Just to let folks in on a little bit of secret here, like, we
don't actually prepare a whole lot before we start recording.
So, but it's been fun!

Izar Tarandach (16:54):
Or at all.

Chris Romeo (16:56):
we often have a topic that

Matt Coles (16:58):
is, this is my preparation for, this is my
preparation for today.

Chris Romeo (17:01):
what's good.
That's cool.
You did more than I did.
I'm just freestyling, but it'sbeen fun.

Izar Tarandach (17:05):
the security riff.

Chris Romeo (17:07):
Yeah, but it's been fun to just explore topics and
just talk about them in a recorded

Matt Coles (17:13):
Oh, oh, by the way, something else for our guests to
know, we usually choose the topic either the day of,

Izar Tarandach (17:20):
Or 15 minutes

Matt Coles (17:21):
moments before the episode,

Izar Tarandach (17:24):
Or, even worse, 15 minutes after.

Chris Romeo (17:27):
after we, after we start recording.
Now, we often have a discussion before we hit record to

Matt Coles (17:33):
and

Izar Tarandach (17:33):
sometimes is better than the podcast

Matt Coles (17:35):
always complain that we don't hit record early,

Chris Romeo (17:37):
yeah, I try to hit record as soon as I possibly
can.
We can always edit out anythingcrazy anybody

Izar Tarandach (17:43):
So, now, we were planning to go with, uh, What
was the next one?
Things that we

Chris Romeo (17:50):
So this was holiday gifts.
So two holiday gifts that you would like the AppSec industry.
to give you.

Izar Tarandach (17:58):
yes, and I'm going to add to that one.
Things that you want to be thankful for next year.

Matt Coles (18:04):
oh, now yeah, you're upping the ante,

Chris Romeo (18:07):
Come on, I was trying to sell this like it
wasn't a prediction by calling it a holiday gift.
And

Izar Tarandach (18:12):
not a prediction, it's a request.

Matt Coles (18:14):
So, so let me throw, let me throw a different
alternative for you since it is the season of the holidays.
We just said what we're thankful for, for Thanksgiving.
We're going to talk about what gifts we want, uh, for the
holidays from a security standpoint.
Let's consider New Year's and what should be somebody's New
Year's resolution around AppSec.

Chris Romeo (18:37):
Oh ho

Izar Tarandach (18:38):
I would not try to threat model with ChatGPT.

Chris Romeo (18:44):
The glo Dude, you just dropped the gloves right
off the start.
The game started and the gloves were off and Izar's like, Let's
go.
It's go time.
Start swinging.
Wow.
Okay, let's go back to the uh, let's push those New Year's
resolutions a little bit.
down here, down the, the, uh, the agenda.
And let's, let's, let's explore this, this holiday gift giving

(19:08):
extravaganza.
So Matt, we're going to, since you appeared to have a sticky
note where you had prepared some thoughts, I'm going to

Matt Coles (19:16):
I didn't, if I didn't, I'd be, I would just be
sitting here like Stuck,

Chris Romeo (19:21):
Oh, look at Izar has literally 50.
Blank sticky notes that he's attempting to make us think he's
prepared.
So Matt, what do you got?
Like, what, what's your, like, what, what's the gift you would
like the AppSec industry to give you

Matt Coles (19:34):
right, I'm going to start with, I'm going to start
with a lame one.
I have, I have a couple ideas, but I'm going to start with a
lame one.
Um, although I, I think Izar may have already stolen it.
Remember that hu I want the AppSec industry to remember that
humans are part of the AppSec process.

Izar Tarandach (19:50):
god, yeah.

Chris Romeo (19:51):
Hmm.
Interesting.

Matt Coles (19:52):
want, I want, I want, I want tools that do their
job, but I want them to know that there are humans at the
other end, that we cannot automate away, as much as I love
automation, and don't get me wrong, I'm a huge fan of
automation, but...

(20:12):
There are humans in this process, and I realize this now
over many years and working with people and even more recently
from actually from the Threat Modeling Con conference and
talking to people doing threat modeling.
Uh, that, you know, humans are part of this process.
We can't automate everybody away.
And, uh, my fear is with the, with the push to AI to replace

(20:37):
humans, uh, that we'll move totool performed, not tool
assisted.

Izar Tarandach (20:44):
Remember

Matt Coles (20:45):
that's my wish.
That's my wish that people remember there's humans in this
process.

Izar Tarandach (20:48):
Remember when we had the t shirt go away or I
will

Matt Coles (20:53):
Replace you with a very small shell script, yes.

Izar Tarandach (20:56):
now it's go away or I'll replace you with a very
short prompt.
And

Chris Romeo (21:02):
mini AI things that would, the chat GPT, uh, what do
they call it?
The, the things you can build now, the mini versions.

Izar Tarandach (21:09):
what, what,

Matt Coles (21:10):
Mini LLMs.

Izar Tarandach (21:12):
what makes me very afraid is that I think that
the industry jumped Matt's request rather than invest into
recognizing that there are people in there.
The brunt of the investment now is into taking people away from
there.
by putting all these mini AIs and whatnot.
And going back to that New Year's resolution, and something

(21:37):
that we have addressed in previous episodes, people, these
things, seriously, they're like an army of monkeys randomly
typing on a typewriter, but at the same time throwing a coin up
and down to see what's the probable next word.
So please don't, don't, don't say that they have superhuman
capabilities of inference and cognizance, and that they are

(22:01):
able to do all the things that we should, that we are not able
to do much better than we ever will.
Because that is not how it works,

Chris Romeo (22:09):
Sounds like you're like, sound like a marketing
person now.

Izar Tarandach (22:12):
Right?

Chris Romeo (22:12):
I want to buy whatever, whatever you're
selling here.
I'm buying man, inference engines.
And so that, that leads me to mine though.
Let me, let me get, let me tee up my, the gift I would like
from the AppSec industry, because it plays into what you
just said with that marketing strewn thing.

Izar Tarandach (22:27):
the marketing stuff!

Chris Romeo (22:28):
I would like marketing, AppSec marketing,
just to stop saying stupid things.
Okay.
Am I asking too much?

Matt Coles (22:35):
Can you give us an example there of

Chris Romeo (22:37):
I have, I have a whole bunch of examples,
actually, if you would like the, uh, the make

Matt Coles (22:41):
what's your top two?
What's your top two?

Chris Romeo (22:44):
MakeShiftHappen is, is a, this is a prominent
company that, that this is their, their go to market
campaign across LinkedIn and many other places.
MakeShiftHappen.
So I have so many problems with this.
First of all, as a sensible startup founder, I'm never going
to put I'm not going to put a cuss word into the, a place

(23:07):
where a cuss word began its life, I'm not going to use a
substitutionary word into that because I just, it's just not,
it's just, I don't know, it's just not very high class to do
that to me.
And like my company, my brand stands for something like, and
it's, it's not, I don't want people to think of it in that
regard.
So makeshift happen, um, was one of them.

(23:29):
I saw another one that, um.

Izar Tarandach (23:32):
Do Epic Shift!

Chris Romeo (23:34):
Well, this is my, uh, move AppSec forward campaign
for 2024.
Don't shift left, move AppSec forward,

Izar Tarandach (23:41):
Oh,

Chris Romeo (23:42):
not about, it's not about shifting, but that's,
we'll save that for another episode in the future.
But let me, let me see another one of the examples that I had
was, um, well, it was something to the effect of, you know,
something about, uh, using AI to revolutionize AppSec or
something like that was the, and like, to your point there, Izar,
like, it's not really possible right now.

(24:03):
Like, you can't revolutionize anything with AI.
Yeah, in a couple of years, as this, these things continue to
get better and better.
Okay, then we can talk about replacing the human thought
process or whatever, but that's not what Gen AI does right now.
It does, it's not like it's sitting there thinking, going,
Ooh, I got a new idea.
Let's roll this thing out.
It's pattern matching.
It's, it's guessing the next word that it needs to reply back

(24:24):
to you with.
Based on all the other words and things that has ever been
written that it's been able to analyze and put together.
And so, yeah, that's the gift.
I would like those.
I would like marketing.
Just represent your product for what it does and leave shift
left behind.
Let's just, let's just make that a 2023 thing.
Let's start fresh in 2024.
Let's just stop shifting left.

(24:44):
Just find something else to say.
It's such a tired phrase.
Remember when Wired used to havethe wired and tired?
If you

Izar Tarandach (24:50):
Oh yeah, oh yeah,

Chris Romeo (24:52):
like, shift left is tired, leave it, find something
else.

Izar Tarandach (24:58):
okay.
The gift that I would like to begiven.
It actually connects to whatMatt stopped doing, the, uh, the
X thing, but not the formerTwitter thing.
I want us to take a page out ofGenAI, and we should start doing

(25:18):
something that GenAI does sowell.
Can you guess what?
I want people to starthallucinating.
I want people to start getting bored, because that's where the
best ideas come from.
We are all inside the box rightnow.
We are being fed thing over thing over thing in our echo

(25:41):
chambers of Twitter and X and whatnot or LinkedIn or whatnot
and we are being told that this is the next thing and that here
are the millions and that this is what the VCs are looking for
and that this is the shift that's going to take our
industry to the next level.

(26:02):
And a lot of people that have a lot of capabilities and a lot of
talents are just sitting and consuming all that stuff.
I want people to stop hallucinating again.
I want people to stop getting bored again.
And I want people to say, that's not what I want.
I'm going to do one better.
I'm going to do one, one stronger.

Chris Romeo (26:19):
make something better.
So you want people to take thered pill.

Izar Tarandach (26:23):
Um, no, no.
I want people to just, you know, once you, you challenged us to,
to shift the paradigm.
from the scan cycle and all that.
I want people to step up to that kind of challenge.
I want people to not look at that and say, well, that's how
we ever did it and it works, and it's an industry that's worth

(26:44):
billions and billions of dollars, so probably something
is right here.
I want people to say, no, we can do it differently.
And I want to see what they come up with.

Chris Romeo (26:53):
So think differently.

Izar Tarandach (26:54):
Yeah, don't be afraid of hallucinating, of
asking how cool would it be if...

Chris Romeo (27:01):
I'm gonna say, when you first got halfway through
that sentence and you were prescribing hallucinations, I
didn't know where you were going.
I was a little bit concerned for a second, I'm like, Is he gonna
recommend like peyote experiences in the desert?
To kind of unlock our thinking.
We're

Matt Coles (27:18):
LSD

Chris Romeo (27:18):
I didn't know where you were going there.

Matt Coles (27:19):
for your TLC, uh, for your TLS.

Izar Tarandach (27:22):
So,

Matt Coles (27:23):
even say it right.

Izar Tarandach (27:27):
so, okay, so, so, so disclaimer here, like
public disclaimer, I am such a coward for that kind of thing
that I don't think that I would ever get it there.
Even though we keep hearing about this micro dosing thing
coming from San Jose and where not, but no, I don't think that
I would, that I would go there.
I think that what I really wantis for people to be bored, to

(27:50):
not always be fed by something else that tells them how to
think.
And once they get there, to step out and think differently.

Chris Romeo (27:58):
Well, you're describing a cultural problem

Izar Tarandach (28:00):
Yep.

Chris Romeo (28:00):
are that were I mean it is a it's an epidemic
what you just described It's an

Izar Tarandach (28:05):
We are limiting ourselves.

Chris Romeo (28:07):
of a lack of thinking people are such
consumers now of information. Like I, I don't know about you.
I haven't watched the news in probably 20 years.
I don't watch the news because the news doesn't tell me
anything good.
The news is about telling me all the bad things that are
happening.
And so I just don't watch itbecause I don't want to

(28:27):
constantly be thinking about the sky's falling because they spend a lot of time saying the sky is falling.
Yes, there are problems that happen in the world and they're reporting on those.
But a lot of times the 24 hour news cycle creates this thing where they're just trying to find something to make people panicked about or worried about.
And so I just said, I'm just not doing it anymore.
And that's the beginning of unlocking my mind is I'm not,

(28:49):
I'm not, I don't have a thread running that's in panic mode all the time about what's going to fall out of the sky or what's going to, you know, what's, what are the, what are the things that are, I should be most, they're trying to make me scared of today.

Izar Tarandach (29:02):
Yeah, so that touches me deep because for the past month I have been glued to the news 24x7 since October 7th.
And at the same time, I have been thinking for a long time already, that what makes us good at what we do, namely threat modeling, is the fact that we have these radars that are

(29:24):
constantly looking for what could go wrong.
And me myself, speaking only for myself, I, for a long time now, I haven't been able to turn that off and step away from the professional realm and stop looking at what could go wrong everywhere.
And I do feel that that puts me in a constant fight or flight

(29:48):
mode.
So, sometimes I get myself with less patience than I should have, or more stress, more worry than I should be.
But, uh, I get what you're saying.
People are...
I don't think that people...
What was the term that you used?
People are...

(30:08):
Limited, you said?
No.

Chris Romeo (30:11):
I can never remember what I say, so,

Izar Tarandach (30:13):
Yeah, no, I think that what's happening now is that people have been looking at things through a paper tube,

Chris Romeo (30:21):
mm hmm.

Izar Tarandach (30:22):
you know, getting that tunnel vision.
And what I'm challenging people to do, and what actually you challenged people to do before, is to not be afraid of stepping out of the paradigm and thinking about different ways of doing things, right?
I mean, nowadays you get one person, one very smart person,

(30:42):
coming and saying, hey, hey, hey, connected this thing to ChatGPT and it's doing this and then you get a thousand mini me's coming out.
Yeah, I connected it too.
Yeah, I connected it too.
And then you end up with like this huge amount of things.
Or the same thing.
I got a graph database doing this and that in the auto.
Yeah, me too.
Me too.
Me too.
Me too.
Me too.
And, uh, I don't know.
It's, it's like, why, why is it so hard for us to innovate in

(31:06):
this industry?

Chris Romeo (31:08):
Yeah, and I'll throw out another thing, just because we're kind of on this, how would we need to change to get better, and I was just, I was looking for an episode of the Tim Ferriss podcast to remember who I heard this from, but they used the term social media sobriety to describe how long they had been away from the social media machine that, that

(31:29):
influences us according to an agenda, right?
And it could be X, it could be Instagram, it can be LinkedIn, it could be anything, any social, Facebook, any, any social media platform has an agenda ultimately.
And a lot of times it's to get you to buy something or whatever the agenda is.
But this, and I can't remember for the life of me who I heard

(31:50):
say this.
It's not an original thought, but just, it kind of, it kind of got me, grabbed ahold of me though, this idea of social media sobriety that you could be away from things.
And I have, I'll tell you this other story because it's, it's, it's, it's just a, it's kind of a, it fits into this, this topic we're discussing.
So I, I know this kid.
He's like, I don't know, 21 years old or so, and he carries a flip

(32:16):
phone. Do you guys know what a flip phone is?
Yes you do.
Of course.
'cause you're old enough to remember.
That's where we all started with phones.
He has a flip phone.
And I asked him, I said, in this modern day and age, this is so odd to me.
Like I'm a technologist.
I have a new phone all the time because I always wanna know what the new new things are we can do.

(32:37):
And you know, I'm so driven by the need for the latest and greatest technologies and things.
And I'm like, how do you survive without a flip phone?
With a flip phone?
You know what he told me?
He said, I don't have social media.
I don't use social media.
One, it doesn't work on my phone.
Which is funny when he's sending a text and he's literally

(32:59):
hitting like 111 to make ABC and all that.
But it really, it kind of grabbed a hold of me because I'm like, and you know what I told him right at that time?
I said, you live a happier life than I do.
I'm not kidding.
Imagine a day being able to go a week and not being consumed by things that you see on X or what people are saying on LinkedIn.

(33:21):
Or a lot of people get caught in that Facebook rut of, you know how our friends are, appear to be living such better lives than us because everybody takes a picture of their kid's smiling.
Never when the kid's throwing the bowl of spaghetti at them, that never goes on the social media stream.
Right?
And we've kind of, we've really diverted, we've really taken a wide turn here from where we started, but this is, this is

(33:41):
good because I think we're unpacking something that, that, uh, is meaningful.
It should be meaningful to a lot of people, but yeah, that story of, of, uh, my friend James, his, his just approach to technology, I'm like, he is a happier person than I am.

Izar Tarandach (33:54):
You know what that sounds like to me?
That, uh...
He found the way for AppSec to off the mind because basically he's doing input validation,

Chris Romeo (34:05):
Yeah, he is.
Good

Matt Coles (34:06):
Is he, he's in AppSec though?

Chris Romeo (34:08):
No, no, no, no.
He's not a technology, he's not a technology guy at all.

Izar Tarandach (34:12):
Yeah, I, I would, I would say that that's probably very difficult to be that kind of person and be in AppSec. But have you ever heard the concept of kosher phones?

Chris Romeo (34:22):
No.
Yeah.

Izar Tarandach (34:23):
that there is a thing like that

Matt Coles (34:25):
Phones that are phones.

Izar Tarandach (34:27):
smartphones that are actually limited in their capabilities so that they can only access certain sites and can have certain chat apps

Matt Coles (34:38):
So kids mode.

Izar Tarandach (34:40):
Kids phones, but channeled to a different public.
And that was always something that really, really like...
I don't know.
The feeling that I have is that we are participating in the biggest experiment in our history in terms of social

(35:00):
engineering.
And it has never been so clear to me as this past month.
When you see a lot of, uh, uh, let's call them opinions.
Let's call them very excited opinions

Matt Coles (35:17):
We used to call them FUD.
We used to call them FUD.

Izar Tarandach (35:21):
Not even that.
We,

Chris Romeo (35:22):
it's gone to disinformation, right?
Like I mean, that's a, that's a military term.
Like you have in, you, disinformation is, is misleading a public for your own, for your own agenda.
And I think there's a lot of that happening right

Izar Tarandach (35:37):
disinformation, psyops, and, and whatnot.
And, and as I said, I've spent the last month glued to the, to the TV.
And it was the first time that I saw a commercial showing how fake news would be posted.
On something that looked like WhatsApp.
And the last line of the chat of the, uh, the chat is why are you

(36:00):
sharing this?
Why, why are you such an idiot?
And then the, the reader just going, don't be an idiot.
Check your things before you share them.
And, uh, it, it just showed me how the cycle closed, people used to sit down and read the newspaper, then they listened to the radio, then they watched the news on TV,

(36:22):
then it was social media, now it gets everything through social media, now TV is

Chris Romeo (36:26):
I mean, journalistic integrity is gone.

Izar Tarandach (36:30):
Totally.

Chris Romeo (36:30):
say it, like, I don't care if anybody sends me an Instagram, I don't care, I'll argue if anybody wants to tell me that it still exists.
And so the days of the newspaper being an independent thing, that just reported the news, and there was no side from their perspective, they just reported the facts, those days are gone,

(36:52):
unfortunately.
And it plays into this whole...
Like you said, I love the way you described it.
It's a social engineering experiment and the population of the world are the people that are the subjects of this and people are trying to see how they can influence thinking and influence big picture things, right?

(37:12):
But it's gone are the days when you could turn on the evening news and Walter Cronkite gave you the straight shot about what was happening in the world.
Like here's the facts people about what's happening

Matt Coles (37:22):
Well, so let's, let's, let's bring this back to
AppSec then.
So, so, I, I am probably not alone in using social media, Reddit, and LinkedIn a lot for finding interesting or, you know, current news about security trends, you know, the latest ransomware attacks, you know, new vulnerabilities that,

(37:45):
or attack, you know, attack, um, scenarios that get, get identified, um, you know, advances in crypto, whatever the case may be, versus more, um, I'll say bland or, or, um, uh, you know,

Izar Tarandach (38:01):
Inconsequential.

Matt Coles (38:03):
well, as opposed, as opposed to more academic perhaps, or, or even more official sources, right?
So like, I could look at KEV, as an

Izar Tarandach (38:11):
Oh, yeah, yeah.

Matt Coles (38:12):
Or I could be looking at, uh, you know, MITRE
pushes out reports on a regular basis.
Or even third parties who have, have integrity in their research and publication methods, right?
Uh, you know, to be able to push out articles that, that I could go to, but I still look at the social media feeds.

(38:33):
but you have to take it with a grain of salt.
So I guess maybe the, in pulling it back, I wanted to ask from both of you, what are your, what are your reputable sources for security news?

Izar Tarandach (38:46):
My main one is you, but...

Chris Romeo (38:49):
And my main one is Izar,

Matt Coles (38:51):
Oh, I'm doomed.
We're doomed.
So the industry is over.
It's over.
The sky is falling.

Izar Tarandach (38:55):
No, but seriously, I like what you're
talking about.
And I would say that, yes, there are some there.
But I think that my question here is how far ranging would it be to have a source for that kind of stuff that's not

(39:15):
reputable and not trustable?
I mean, what's the impact?
How bad would it be?
Because we are all a bunch of cynicals by nature, so that disreputable source would first have to give us something that would bring us all to the watering hole.

Matt Coles (39:34):
Well, yeah, so let's just throw out an example there.
You're on Reddit, you're looking at, you know, InfoSec or Cybersecurity and something goes, so and so was breached, 800 million records leaked.
Okay,

Chris Romeo (39:48):
I'm serious, I'm serious,

Matt Coles (39:49):
so there's information overload on

Chris Romeo (39:51):
I mean, we've reached the point where that
problem is, I don't even, that doesn't even get my attention anymore, to be honest with you.

Izar Tarandach (39:57):
so, I'm going to give you the Reddit point of
view.
The first comment is going to be a five page treatise on the theory, well, it's not a theory, it actually has been proven by I don't know who, but it has been proven, that it's actually...
A team of very talented Hungarian hackers funded by

(40:20):
Experian because it's part of their business model that if there's a breach, people are going to give the 800 million people who got impacted Experian tracking services of their data, right?
So connect the dots, man, get educated,

Chris Romeo (40:40):
So, conspiracy theory, okay, great,

Izar Tarandach (40:42):
So that's Reddit for you.
The second comment is going to be, dude, I worked at such and such for years and I could have told you it was just an accident waiting to happen.
The third one would be, but did they test their stuff?
And the fourth one would be somebody saying I am a first year student and I would love to, uh, contribute to that

(41:05):
project.
Would you kindly show me how to do it?

Chris Romeo (41:10):
The world according to Reddit, that's

Izar Tarandach (41:12):
Right?
So, but, but, but I

Matt Coles (41:14):
you're in my feed!

Izar Tarandach (41:21):
yeah, let's not go there, but...

Chris Romeo (41:24):
I

Matt Coles (41:25):
Wait, was that you?

Izar Tarandach (41:28):
As I said, let's not go there.
But anyway, the thing for me, the closing of the cycle here for me is that if we take a look at Chris's friend that's doing AppSec for the mind with his input validation.
If we look at Matt's approach that, hey, we could well build a

(41:50):
closed environment here of places that we could rely on stuff.
I think that connecting a bit to my challenge of think outside the box.
What could we as an AppSec community do to change the situation?
Is there anything that we could do?
Is there any kind of influence in products or in things that we

(42:11):
do that we somehow could make the world a better place next year by using our super AppSec powers?
Besides threat modeling all the things.

Chris Romeo (42:23):
mean, I think there's always an opportunity for a group of leaders to get together and come up with some idea that would move the industry forward and then ask a collection of people to get behind it and move forward with it.
So it's not quite a manifesto, right?
Because a manifesto is, is designed to be greenfield and

(42:45):
last beyond just a year.
Like the threat modeling manifesto is still going strong,
right?
We released it, how many yearsago?
Two years ago?

Matt Coles (42:53):
Three, three years ago?

Chris Romeo (42:54):
Three years.
Yeah.
So, I mean, yeah, I mean, it's, it's still going strong because so, but, but I think a group of people could get together, a group of leaders could get together and say, here's, here's some place, something we could change.
Here's something we could do better.
And then ask the community to get behind it.
I think that's, that's how you influence change.

Izar Tarandach (43:11):
But isn't that the AEI letter?

Chris Romeo (43:16):
Letter.
Well, I mean, the AI Letter was just taking a stance, right?
It wasn't, it wasn't an

Izar Tarandach (43:20):
talking about things like a moratorium and
things

Chris Romeo (43:24):
but it wasn't, it wasn't anything that anybody could get behind and actually do something.
You could sign it and say, yeah, I agree with what they're saying.
That's not what I'm talking about.
We don't need any, we got enough letters in this, in this world.
We don't need people to sign letters.
We need people to take action to do, to cause some positive change, right.
Based on what you're talking about.
And

Matt Coles (43:41):
Well, and what, and what, uh, and what changed?
So what change do we need?
Because actually my second one, it may be related to this.
So my second gift was actually more of a gift idea for others.
And, and so I'm not big on, I'm not big on, on, on gifts, like
physical things.

(44:02):
Um, and maybe this is just an evolution of I'm not, I'm not 12
anymore.
Um, but.
You know, the things are fun.
Some things are fun.
My wife got the, got me this for my birthday.
It's a fidget spinner and I can't put it down, uh, But, um,
you know, it would be,

Chris Romeo (44:24):
Izar's got

Matt Coles (44:25):
oh, where's my, I have, I have a few, I have a few
more I could pull out.
So, uh oh.
Yeah, actually this, this, this, connect, this, this connects fidget spinning.
And D&D because it has, it's a D20 dice roller as a spinner, which is awesome.
Um, anyway, uh, but, so, as a gift idea, uh, use that extra

(44:51):
energy when you're not looking at Reddit or, or social media feeds.
And go, and go volunteer.
Go volunteer your time.
Go, go mentor.
Go look at open source projects.
Pick an open source project at random.
Throw a dice, throw, throw, throw, throw a die or a, or a dart at, at GitHub and, and pick a project and go file bugs.

(45:15):
Go find and, go find and file bugs or PRs as Izar likes to
say.

Izar Tarandach (45:20):
so

Matt Coles (45:20):
We can, we can help improve the industry in small steps when we're trying to, while we're trying to form something bigger to solve bigger industry problems.

Izar Tarandach (45:34):
definitely.

Matt Coles (45:35):
And that's my, that's my, that's my peace on earth and goodwill towards men, uh, gift idea.
Thank you.

Chris Romeo (45:44):
in the, in another episode about New Year's resolutions, AppSec New Year's resolutions, but I think this is a good place to wrap up for this holiday themed edition.
As you can see, once again, based on our outfits, very much holiday themed for us.
Thanks folks for joining another episode of the Security Table.