Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Chris Romeo (00:09):
Hey folks. Welcome to another episode of the Security Table. Name's Chris Romeo. I'm joined by Matt Coles and Izar Tarandach. And. I don't know, recently it feels like we've been talking about lots of reasonable application security things. I don't know. This seems like it could be in the realm of reasonable. Gonna dive right in and just read the question because this
(00:32):
has already been referred to by my colleagues as a grenade in the room. That, that, uh, maybe into our conversation. And so that question is, should AppSec be a separate team or should the responsibilities of AppSec be completely owned by development?
Matt Coles (00:55):
He's not gonna use it as an air sickness bag.
Izar Tarandach (00:57):
Go,
Chris Romeo (00:59):
That bad of a question. Come on. It'd be, even if it was popcorn, it'd be better. So, but it, but it still works. Matt.
Matt Coles (01:07):
All right. So the, the quick, the quick way I want to intro, wanna start this conversation if it's okay. Is asking, asking this, asking this back to you, do you consider quality engineering should be a part of development? Because it comes down to that, that this is ultimately, I think the root question here, should development own all of the
(01:31):
functions that presumably provided checks and balances on their, on their activity?
Chris Romeo (01:35):
Does quality engineering even exist anymore in 90% of the companies out there?
Matt Coles (01:43):
Whether or not it does, the question should be, should it, and should it, and, and or is it being done by development today?
Izar Tarandach (01:52):
in and everybody keeps trying to sell me this thing, uh, uh, test driven development and all that, that good stuff. So the, the quality is, the quality has gone much closer to the, to the developer, right. At least the quality of this thing that you just wrote, does the thing that spec needs says that it should be doing?
(02:13):
My point is that,
Matt Coles (02:15):
Yeah, unit testing and whatnot.
Izar Tarandach (02:16):
agree that security is a feature of quality, we will always be coming back to the point of who watches the watchers, and if the developer is doing the security testing now. Not only is the testing being done right, the, do they know
(02:40):
what they need to test for? Is the test valid? Are all the proper edge cases, uh, addressed? So I hear a lot of people complain to me that as a developer, they find themselves writing much more tests than code. And now we want to overload that with, uh, uh, security tasks.
(03:01):
Which is an area where developers, at least my experience, is that developers feel much less equipped actually do that testing. And the question, am I doing the right thing, is much stronger than am I doing the reasonable thing?
Matt Coles (03:17):
A, and we already know that the testing that is required for security tends to be very cumbersome and, and in addition to challenging.
Chris Romeo (03:26):
I'm, I'm a bit concerned I think Izar just made an argument for compliance
Izar Tarandach (03:31):
No, no, no, no, no. That,
Chris Romeo (03:34):
Now let me, let me, let me read back what
Matt Coles (03:36):
Where's, where's, where's, where's that jar? Where's the, where's the, where's?
Chris Romeo (03:39):
heard you said. I don't quote cause I can't remember exactly, but you said something to the effect of who's watching the watchers should security be able to do their, their testing?
Izar Tarandach (03:50):
So
Chris Romeo (03:51):
And so to me, I was, I was like, should developers be, you know, who's, who's watching over the developer's shoulder
Izar Tarandach (03:56):
no, no, no, no, when I said, who's watching the watchers is the developer watching themselves, so I, I haven't touched in security at all. Like I, I'm looking, if we the developers, will that ever be enough? So, yeah, I, I totally see where, where, where you went of compliance. I, I, I see where you got it. If, if I went, if I had gone,
Chris Romeo (04:17):
I was afraid I was, I was afraid.
Izar Tarandach (04:19):
gone to the side, but, but, but look, that, that's the big problem that we're trying to solve, right? Why, why are we. Bring the jar out again. Why are we trying to shift everything left? Because we want security to be less burdened by the day-to-day stuff that we say we can scale because we never have enough, uh, uh, security people and is the security gap or myth or not and blah, blah, blah.
(04:39):
And we go back to the roots of, of this PO podcast, right? But. What I'm trying to say is at, at some point we, we, we push stuff on top of developers and push and push and push and push. And it's not only a workload, but we are also pushing, uh, uh, uh, responsibility because we keep saying that developers are the gatekeepers of security they want or if they don't, they
(05:01):
factually are.
Matt Coles (05:03):
Okay.
Izar Tarandach (05:04):
My point is that, and, and we have addressed this a number of times, we, we don't train people sufficiently or well enough. We don't cover in training everything that they actually need. Yet we keep asking them more and more and more and more and more. And, uh, it's, it's, it's sort of like I, I keep asking you,
(05:26):
asking more from you, but I'm, I'm not giving you the tools that you need to go there. And if you have those tools, I'm not giving you the time to use those tools enough and so on and so forth. But I think that what I'm trying to say is, in an ideal world, where security was completely as a factor of quality, and we
(05:49):
could trust that developers had enough knowledge and enough, um, enough, uh, uh, to do the security right thing. Then we would be freeing the security team to do those things that are at a higher conceptual level, like figuring out the
(06:12):
next step of what could possibly go wrong or to free them to create more tools, to do more testing that would validate all the controls and all the, the design, uh, stuff that we put in. I just think that we are not, that we are very far from that ideal world.
(06:34):
And at this time, to say developers be responsible for the whole security cycle is premature. And more than that, it's, it's unfair to all involved. Would create an expectation that we could never fulfill.
Chris Romeo (06:56):
Hmm.
Matt Coles (06:57):
It. So just to summarize, I think what you've said, cause we've, we've touched upon this in other, other episodes, right? We are, what we're talking about here is giving developers more responsibility. Making them accountable for things without giving them more capability. Right?
(07:18):
So they are, we are asking them to do more without giving them the ability to do more. And, and so that brings a challenge. The other piece about, you know, the, I, and again, back to this notion of, and whether security is part of quality. I always use, I always use making them equivalent. Not necessarily that they have to be a part of, um, but.
(07:40):
You know if, if developers are writing code and developers are testing code, and developers are testing security of that code, and the developers are releasing that code, so two pieces. First off, they are under pressure from their. You know, their organization, their leadership, whatever, to, to release something that functions on a schedule.
(08:06):
And so there's a pressure from, from that respect that what, what loses in that conversation, right? What's the first to go? If they're responsible for everything and they're under the pressure to release, and, and I'm not saying that, that that solves it by having AppSec outside of their organization.
(08:27):
But having an org, having parts of the parts of the broader organization that have the ability to pre press the brakes right. To, to reveal that there are, well, alright, it doesn't always work, but the goal is, the goal is that somebody, so there is, there's a organization outside, whether it's a quality
(08:48):
organization or a security org, or a privacy org. Or legal or whoever it is to say, uh, I have some concerns, and oh, by the way, here's, here's the things that you need to consider
Chris Romeo (08:59):
Is
Matt Coles (08:59):
in that, in that aspect,
Chris Romeo (09:00):
where we have this? Challenge
Izar Tarandach (09:02):
the thing.
Matt Coles (09:03):
no,
Chris Romeo (09:03):
like
Matt Coles (09:04):
I don't think so.
Chris Romeo (09:05):
cuz you're describing governance, you're, you're describing a need for the governance function. So even if we pushed everything into development, we still have some check and balance of governance. But, so, so I can't, like what other parts of the business other than security have to have a governance angle
Izar Tarandach (09:24):
So
Chris Romeo (09:25):
that requires somebody else to audit and, and look at what's happening.
Matt Coles (09:29):
qual in, in pro in product development. That's qual quality engineering does exist if you're talking about product, product development, physical systems, especially more so than obviously cloud services whatnot. Sorry, Izar, go ahead.
Izar Tarandach (09:41):
are talking compliance again or governance, and it's not, it, it's, it's one step before that. What we're talking here is, is verification, because now we were putting the, the developer a responsibility that needs to be verified before it gets accepted, right.
(10:03):
So it, it's,
Matt Coles (10:05):
Well, actually, wouldn't you even go further back than that? Sorry. Is there, um, an AppSec program doesn't start with verification.
Izar Tarandach (10:12):
start with, bring that whole thing, that whole load to the developer right now, okay. What we are left with at the AppSec team side is to have that verification so that you ha can have assurance, so that you can have governance, so that you can have all that good stuff. So,
Chris Romeo (10:30):
Yeah, so verification is governance though. Like we can call it verification, but it's, it's governance. At the end of the day, it's did you do the things you were supposed to do, and are there any glaring issues that came out of it that you refused to fix?
Izar Tarandach (10:43):
when we say governance, it has a, weight of being a security thing by itself. I think that what I'm trying to say is if we are bringing security to the developer, as again, the analogy that I always make the same as performance, right. You don't really have like a formal verification compliance
(11:05):
assurance thing. Performance is just expected
Chris Romeo (11:08):
Mm-hmm.
Izar Tarandach (11:09):
and if it doesn't, we will notice because something is going to take longer than it should. Oh, no,
Matt Coles (11:17):
may have performance metrics that you're, that you're working towards.
Izar Tarandach (11:19):
to stand by that threshold that was specified, right. So it, it's interesting that now you can think of security in terms of, okay, do we have a threshold for security that we have to stand by? And then we go back to reasonable security. All, all, all things lead to reasonable security nowadays. But the, the, the interesting thing is that the interesting to me thing here is that it's one of those, those cases of,
(11:44):
actually, let me put this the other way. When, when Matt was talking and he mentioned the, the, the pump, the brakes, immediately what, what came to my, my, my mind was not exactly a car pumping the brakes, but all of a sudden we, we are putting developers in the position of solving the trolley problem, right? They, they're coming down the street in this trolley, and
(12:05):
there's a fork in the road, and they can decide which side they take, and one side is performance. One side is security. Where are you going to put your time? Right? You're going to, you're going to kill
Matt Coles (12:16):
right. It's exactly what I was highlighting. Yeah.
Izar Tarandach (12:19):
So
Matt Coles (12:20):
right.
Izar Tarandach (12:20):
I think the developers today are better equipped to choose the performance usability feature branch than the security branch, and they will by default choose that one because there is this function of some form of AppSec team that's going to take the, the load of going to the other
(12:44):
branch and doing those specific things.
Matt Coles (12:50):
Do you think that champions embedded within development teams help, help address this in some way? And actually should we consider champions as being an extension of AppSec in the development organization? Given the champions generally, uh, may or may not be writing code may, it may not be building features or working on
(13:11):
performance. Also, in addition to security work.
Izar Tarandach (13:14):
I will tell you with full mouth, but have seen the light and I have been led to, to think in other ways that a proper champion program
Matt Coles (13:28):
talk to.
Izar Tarandach (13:29):
will make all the difference. Having a security champion, probably not. Having a proper security champion program behind that security champion. Probably yes. Is it going to solve all the problems? Not. So it's going to make life easier for everybody? Yes.
Matt Coles (13:50):
Yeah.
Chris Romeo (13:51):
it
Matt Coles (13:51):
So there you get. Okay. Chris? Yeah.
Chris Romeo (13:55):
you don't know what you don't know. Like champions provide visibility into more of the problems and issues and things that are taking place, and it, it, it is a connective tissue kind of thing between the development teams
Izar Tarandach (14:07):
Yes and no.
Chris Romeo (14:08):
to.
Matt Coles (14:09):
Mm-hmm.
Izar Tarandach (14:09):
I think that rather than visibility, they, they provide a filter. I think that again, in a good Security Champion program, going to get a level between the development teams and the, the AppSec team where the things that are going to reach the AppSec team are those things that the champion was not able to deal with by themselves to an unacceptable level.
(14:34):
You're going to get the more hairy things.
Chris Romeo (14:36):
Yeah. So filtering from a good perspective in that the champion will be able to deal with some things that never bubble up to the AppSec team
Izar Tarandach (14:45):
I would go one step further that filtering is mostly going to be what people in AppSec teams would consider noise filtering. Don't come to me with your injection. Come to me with your big, big, big, hairy problem.
Chris Romeo (14:59):
Mm-hmm.
Matt Coles (15:00):
Right, so, so this is an interesting, let's bring it back to the topic at hand. Now imagine if that champion was working for himself. I. Because AppSec is now part of the engineering team. So we're not talking about taking and extending AppSec into development. The question is, should AppSec be part of development?
(15:23):
So what do you lose in that situation? Let's say for a moment that you have an engineering organization that's split across multiple, multiple units. Who gets, who gets what? Airtime. Right. You have, you have a, I imagine you'll have challenges of, of domain control across your leadership, right? People with different reporting structures.
(15:45):
Unless you have a unified engineering team, you're gonna have a, uh, a, a play at back and forth, right?
Chris Romeo (15:51):
have to see the, like peop engineering leadership has to see the light of the importance of security, the prioritization of security to your, to the earlier points about at the same level as quality and performance. I, I think you can, I think this is the goal. I think this is, this should be where we're aiming. I don't think we're there today.
(16:12):
I don't Most mat, most organizations are not mature enough for engineering leadership to be responsible for the application security of the things that they build. Now. I think it's a good thing to get there. Like I, my, when I think about this question's, like in 10 years from now, that's not the question, but I'm gonna change the question. In 10 years from now, is it po, would it be possible for AppSec
(16:34):
to be owned by the development team? Yes, because we're seeing tooling, security tooling should become development tooling and any anybody that's building a tool out there, if you're not building developer tooling as an AppSec team or as an AppSec, if your products aren't migrating towards the developer and they're stuck on the security team, you're gonna be going out of business in the next
Matt Coles (16:55):
Can, can I, can I just jump in though? There's more to AppSec. There's more to AppSec than verification. There's more to AppSec than even development,
Izar Tarandach (17:04):
the
Matt Coles (17:04):
right? AppSec includes, but uh, hold on, hold on. So, if. And I think, I think I'm, I'm correct here that AppSec would include requirements and, and good thing we're not talking about privacy, cuz there would be a, a, a plethora of those things to worry about.
(17:25):
But let's say, you know, security for a moment has to deal with only a handful of, of require of, of standards and basis of, of requirements. They have to do translation from industry requirements into product requirements. That's so requirement. Generation in the first place is not a gentlement task today.
Chris Romeo (17:44):
though. Like in this new world,
Matt Coles (17:46):
Right.
Chris Romeo (17:47):
should be the ones that own. So if we're gonna have AppSec be engulfed by the engineering department, requirements management has to be engulfed by the product management
Izar Tarandach (17:56):
Mm.
Chris Romeo (17:56):
function.
Izar Tarandach (17:58):
But by putting it that way, you get to a position where in a, in a, in an extreme situation, you could have a project manager saying, you know what, guys? Forget security. We, we have all their stuff to deal with. Right? I think that in the case where becomes a development function, call it requirement.
(18:18):
Call it, uh, uh, uh, stuff written in stone security has to become a value, something that the developer wakes up and aims for, today it is not
Matt Coles (18:33):
Mm-hmm.
Izar Tarandach (18:33):
okay.
Chris Romeo (18:34):
Well, I mean, in product management, your example about product management is that, I mean, I, that, that would be my old school answer from the days of days gone by. Oh, well, product managers aren't gonna promote security. They're not gonna, they're gonna say, we're not doing security. We have a customer feature to do. Don't know that that's still the case though.
Izar Tarandach (18:51):
that's the thing. It's not the case. It's not the case. But given the choice, as Matt said, given the choice, something is going to give, it's human nature. And if,
Matt Coles (19:03):
Yeah, time pressure. Iron
Izar Tarandach (19:05):
and
Matt Coles (19:05):
triangle of program management, right.
Chris Romeo (19:06):
but are you gonna give up
Izar Tarandach (19:07):
a new feature
Chris Romeo (19:08):
in this day and age if.
Izar Tarandach (19:09):
and adding security is delaying product going out of the door. choice is going to
Chris Romeo (19:15):
And a, and a, and a CVSS 10 vulnerability is me losing my job as a product manager in this new world.
Izar Tarandach (19:22):
but then they go and find somewhere else security is not of value.
Chris Romeo (19:29):
Yeah, I mean, if security is, if, if you're, if you are, if the of a decision results in people getting fired. Which I've never seen that happen yet. I haven't seen that in my career yet, where, where a product manager is held accountable for a I'm just saying I don't think people are as naive about security they were when I was in
(19:51):
a big product company.
Izar Tarandach (19:52):
not.
Matt Coles (19:53):
And we should keep in mind that the, the executive order, so the things that are coming out now from CISA, from NIST, the executive order, et cetera. Are starting to bring this to the forefront. Right now, the people responsible and we in, in order for a moment of who actually is responsible, but the people who now, who are responsible today, now have to take it serious or
(20:15):
have always had to take it seriously, but now actually have a, have a financial penalty for not doing so.
Izar Tarandach (20:20):
point. Why are we as security professionals so happy that all this stuff is coming out? We are seeing the shadow of the big stick in the sky coming everybody. now,
Chris Romeo (20:32):
Yeah, but remember
Izar Tarandach (20:33):
aside
Chris Romeo (20:34):
this is,
Izar Tarandach (20:35):
see, we told you you'd better do this stuff.
Chris Romeo (20:38):
but remember, all of these documents are only governing sales to the government, the US government.
Izar Tarandach (20:44):
still a, a big
Chris Romeo (20:45):
It, it, it, doesn't,
Izar Tarandach (20:46):
power. Right? And at some,
Chris Romeo (20:49):
but I don't, yeah, but I mean, how, how big of a buying power is it at the end of the day? Like, it's, it's, I don't.
Izar Tarandach (20:56):
we discussed this, at some point politicians will say, wait. Why only the government is being asked to do this? Why isn't
Chris Romeo (21:04):
Yeah, but they've never done it. They've never done it in, in, I've been in this industry for 26 years and I've always thought that, and they've never done it. Whatever reason, they have not been able to capture the private side because that's a whole new era when we're getting into the geopolitical podcast now. But like that's a whole new level of government oversight
(21:24):
and control. That one stifle, I think we talked about this before too, stifles innovation in my mind, anytime the government comes in and says, here's what you have to do, innovative people just stop doing innovative things and they, they fall into a world where, least common denominator. So I don't, I, you know, it's interesting that it's never
(21:46):
happened in, in the 26 years I've been in security. I always thought it was, I always wondered why the government didn't mandate requirements for security for every, every product that's created in America. For some reason they haven't, I don't think they're going to.
Izar Tarandach (21:59):
let, let's do the methane and bring this back to the initial question. So you say if government starts putting Rob. rules into place and expecting people to abide to them, then that's going to kill innovation. What happens when we bring that, that down to the scale of development team the government, in quotes, being the AppSec
(22:22):
team, putting down rules that now they have to abide to. Will that kill innovation as well?
Chris Romeo (22:28):
That'll kill everything. Be the end of the technology sector, what you just described.
Izar Tarandach (22:33):
so the answer, so the answer to our.
Matt Coles (22:36):
No, no, no. I think he's making equivalency, not, uh, not the government being part of
Izar Tarandach (22:40):
the answer to our question is no.
Matt Coles (22:42):
Right.
Izar Tarandach (22:43):
team still needs to exist and have a function that's not going to be fulfilled by developers, because otherwise that's going to kill innovation and, and, and kill all the good stuff that they do. And I don't think that that's the answer that we all agree is the right one.
Chris Romeo (23:08):
I mean, I don't see how lack of an AppSec team kills innovation. My point is, anytime you governments kills security. Yeah, yeah, yeah, yeah. I mean, well, I mean, but does it though, that's that, but that's what we have to try to understand. Does it really? I would've said 15 years ago, yes. If you remove the security team, everyone in development would be
(23:28):
like, ah, we're free. Everyone we're doing, all we're doing is feature development for the next six years, but I don't know that that's still the reality of the way product managers and engineering teams view the world.
Izar Tarandach (23:40):
and I would say it depends, right? Because again, remember when a couple of episodes ago we said, hey, security is not a constant, is a function, right? So be some environments where the lack of an AppSec team coordinating things, and at the most basic, like. Different development teams and you, you, you are drawing a, a
(24:02):
bar of security that everybody, a minimal bar that everybody has, has to stand to. That, that, that's a central function. There's no way to have teams collaborate and, and figure that bar by themselves that there must be a not easy. Right?
Matt Coles (24:19):
Not easily. Yeah, not easily. Yeah.
Izar Tarandach (24:21):
guys in a garage with the startup understanding that all the, the stuff that they are using is off the shelf is. Cloud provider given the threat model is very well understood, and they know that in these guidelines here, if they follow these guidelines here, they, they'll be fine until it's time to get more complex so that, that security function.
(24:44):
One of the things that it's pointing to at the graph is at which step do you forcibly need an AppSec team in place?
Chris Romeo (24:53):
But in a perfect world, going back to the kind of the beginning of your example here, wouldn't you want is now the planning piece of the AppSec team in a perfect world, doesn't that exist in whatever planning in engineering? Versus having it as separate, a separate planning and management
(25:13):
kind of function of, of what we're gonna do. Like when I come back to it, I'm like, if I was gonna design an organization from scratch and there was no other constraints on the way people perceive I would put the pieces together. Program management would, I'd have program management for engineering. I wouldn't have program management for AppSec and
(25:34):
program management for engineering as separate
Izar Tarandach (25:37):
what you, what you're saying now is perfect world, security has such a place in the table where it's not a separate function anymore. So the people who already have a place in the table that. Generally we have agreed these are the people with a high seat in the table. All of a sudden they do security as well. And you don't have the guy from Security City on the side and
(25:58):
going, oh, but security. Oh, but security. So in a perfect world, yeah, but my God, we are so far from a perfect world.
Matt Coles (26:05):
Yeah, and that comes back down to there's a quality team, right? I'm gonna go back to quality. Quality is a fun, quality is a part of that, has a seat at the table. They always do. Whether they're staffed separately or they're part of the development team, there's always a line item in program, program planning. Where are we with quality?
Chris Romeo (26:25):
I think, you know, we keep,
Izar Tarandach (26:26):
it's sub intended because again, quality is a value. Security isn't.
Chris Romeo (26:32):
but we keep coming back to quality as an example here, and I think. Quality as a function in a very small percentage of the technological world as far as companies and pro to Matt, to your earlier point, product companies, pr, large product companies is where you see quality specifically called
(26:53):
upon,
Matt Coles (26:53):
Define large. Large,
Chris Romeo (26:55):
greater
Matt Coles (26:56):
uh, because.
Chris Romeo (26:57):
than Did I call it greater than a hundred developers? Is where, or, mean,
Matt Coles (27:02):
Okay. That's fine. That's fair.
Chris Romeo (27:03):
bigger than that. I, I've, like, when I look at.
Matt Coles (27:06):
I would say with a hundred.
Chris Romeo (27:07):
I look at companies that I just don't see quality mentioned a lot of places that I travel anymore,
Izar Tarandach (27:12):
from quality back to performance. Okay. To that goes into production and, and, uh, I've seen this a number of times. It's performing code. It can be crappy code, it can be really, really crappy code, is it doing what it's supposed to do in the time that it's allotted to it? Yes. Ship it. So
Chris Romeo (27:31):
Mm-hmm.
Izar Tarandach (27:32):
code is code that gets shipped. Secure code is code that takes more time to get shipped today because of
Matt Coles (27:44):
Today because of the way the product development or uh, co-development is done, right.
Izar Tarandach (27:48):
my head, I, I keep going back to, I think that what we asking from developers now is the, the inverse Spider-Man thing. Like with, with great power comes great responsibility, we are asking them for a lot of responsibility without giving them a lot of power.
Chris Romeo (28:04):
I like that. That's good. That's a whole talk. There's a right there
Izar Tarandach (28:08):
wait, let, let me put
Chris Romeo (28:09):
in that title.
Matt Coles (28:12):
Yeah.
Chris Romeo (28:12):
Add it to your list cuz that's, that's good. That is, that's, that's everything that's wrong with AppSec right now.
Izar Tarandach (28:17):
you know, and, and we give them the, the, the power in very um, small amounts, very focused amounts. We're giving them, uh, I don't know, code helpers in IDEs. We're giving them linters. We're giving them SCA. We're giving them SAST. I will not say DAST. We are giving them, yes, we have RASP.
(28:38):
And. We, we are put putting this load on top of the developer all the time, but we have to at the same time realize that each one of these things that we are giving them has a whole backend that has to be kept fed by people who understand security and not
(28:59):
development. That, I think, is the final function of the AppSec team, which is to feed all these mechanisms of power that we are giving to the developer.
Matt Coles (29:11):
Yeah. So one, one thing, and maybe, and this is, this is probably a good place to stop it. I'm gonna tee it up maybe for a future. Conversation, are we giving them that, of that capability or that responsibility, or are they asking slash taking
Izar Tarandach (29:26):
Yeah,
Matt Coles (29:26):
that responsibility?
Izar Tarandach (29:27):
forcing on them because it's the way that we are finding to scale up the AppSec team that as we have agreed, we, we never can man enough. We never can person enough
Chris Romeo (29:44):
I'm glad we got this all figured out. So the next 10 years of AppSec, it's gonna be easy for everyone. That's right. He has more, ladies and gentlemen, there's more popcorn to be eaten while someone else tries to make a statement. Like that's a, that's a thing. So, I mean, I think when I, when I summarize this, I think about AppSec owned by development or being integrated.
(30:08):
I'm gonna say integrated is a better word than owned. So, so AppSec integrated in development should be a lofty goal that we aim towards, I think that is the perfect state for. way these, for really optimizing and making things go really fast, having people having these two functions. But Izar, to your
(30:31):
point, until we get to the point that the, the era where security is valued, it's, it's understood, non-negotiable everywhere. It's gonna be tough to, to not have a separate team that can do it, but we can aim in that direction.
Izar Tarandach (30:46):
but, but notice
that we haven't touched a whole
different conversation that'sconnected to this.
What happens when securitybecomes a function of
development, you have a highrotation in your development
roster.
So that's one more part oftribal knowledge and, and
culture gets changing all thetime.
(31:08):
And how do you deal with that?
Chris Romeo (31:10):
it's, I think it's,
it, it ultimately comes down to
your development developerexperience, right?
That's a big thing now of, ofhaving the right tools that
simplify ramp up for newdevelopers that.
Provide the information thatdevelopers need to be the
highest, you know, as productiveas they possibly can, maximize
(31:31):
productivity.
And when we start thinking aboutAI coming into that, that's
gonna be a part of developerexperience as well.
But, you know, if, if, ifsecurity is part of developer
experience, then I think it, ithelps to solve that problem that
you're describing about turnoverand ramping up new people.
that's what I see in 10 yearsfrom now.
(31:51):
I would be shocked.
If developer experience wasn'tfully in, including security and
AppSec pieces all being fullyintegrated.
Izar Tarandach (32:01):
same time, don't
forget that on the side of the
on the side of the experience, on the side of the culture and
all that good stuff, we also have a lot of uh uh, good
advances, the, the basics of the thing.
Like for example, the adoption of Rust now in the Linux kernel,
it's memory safe, but it is performance, it is on par with C
(32:21):
and, and other performance languages.
So that, that, that's a good one, Do, do, do.
Chris Romeo (32:30):
Yeah, I 10 years
you're gonna get a lot of
improvements, right?
Like the ecosystem, to your point, the ecosystem is gonna
improve in 10 years as well.
That will make this even easier to include in the developer
experience.
Like imagine a world where C.
I mean, I don't know when we're gonna eradicate
C. Eradicate means 0%, will be a day.
(32:52):
There will be a day where
Matt Coles (32:56):
We have assembly
still in, in use.
What?
forget, forget C for a moment now.
But actually, and actually that, that's even, I mean, we can get
into a whole, whole can of worms here.
Like Kubernetes has, Kubernetes probably has to go, uh, if we're
gonna talk about security, uh, right, because I mean,
misconfigured mis misconfigured servers is a, is still a big
(33:18):
problem.
I, I believe.
Chris Romeo (33:19):
about, it's more of
an infrastructure problem.
If we're doing away with the AppSec team, we don't have a
team.
There's no AppSec team that,
Izar Tarandach (33:27):
or is that a
DevOps problem?
Matt Coles (33:31):
Uh, that's an
interesting
Chris Romeo (33:32):
I
Izar Tarandach (33:33):
talking
security, Is that a dev sec sec
DevOps problem?
Like whose problem is it?
Chris Romeo (33:38):
It's almost like
this, it's almost like
development and, and
Izar Tarandach (33:40):
Oh my
Chris Romeo (33:40):
are, are
converging.
I mean, when I think Kubernetes, I think about there is running
Kubernetes yourself and there's Kubernetes that the cloud
provider provides for you as a managed service that does
insulate you from a lot of the, the shooting yourself in the
foot of things.
Matt Coles (34:01):
I, I, you know, I
find, I find it astonishing
that, that you are so divorced from product development,
physical things that ship to customers, that contain a
plethora of technologies.
it's like you're, it is like you're enduring an entire, like
(34:22):
half the population, I mean, seriously, the world is not all
cloud yet.
Chris Romeo (34:27):
It should be.
Why is it not all cloud?
Izar Tarandach (34:29):
His savings for
a cloud today for Yeah.
So where are we on time today?
Matt Coles (34:36):
give you, give you,
give you one power failure, and
you'll know why the whole thing can't live in the cloud.
Chris Romeo (34:41):
doesn't fail.
Izar Tarandach (34:42):
is perfectly re
uh, uh, redundant.
Chris Romeo (34:45):
Now we're gonna
start talking about reliability.
So, all right.
I think this is, uh, I think we, I don't know.
I feel like we made a little bit of progress on this.
I, I think it's, it's there.
There's nothing to be done.
Well,
Izar Tarandach (34:56):
agrees.
Chris Romeo (34:57):
all in favor.
Matt Coles (34:58):
There we go.
Chris Romeo (35:00):
Our, just, just to
let everyone, if anyone else
ever listens to this, that is our one audience member.
Izar Tarandach (35:04):
And the
Chris Romeo (35:05):
And uh, the dog can
only hear Matt's portion.
So very, the dog is very against
Izar Tarandach (35:11):
No, no,
Chris Romeo (35:11):
and I in anything
that we say cuz can't hear.
Izar Tarandach (35:14):
He's getting the
whole
Chris Romeo (35:15):
Oh, good point.
Good point.
Well folks, thanks for listening to another episode of the
Security Table.
Um, we'll bring another challenging question after Izar
is raising his hand.
Izar Tarandach (35:27):
we finish that,
we have to put, put a call out
here.
folks, were listening to us.
As you all know, the three of us are big fans of threat modeling.
And we are coming up, we, we are part of the, uh, beautiful brain
that's thinking up the threat model con.
At the end of this year, we are looking for submissions
conference.
Matt Coles (35:48):
Conference
conference.
Not a, not a, not the other.
Con
Izar Tarandach (35:51):
Now it's a
conference and we, we are
looking for, uh, uh, submissions, papers, and stuff
for you to present.
please look into our, each.
Each one of us has their own, uh, social media presence.
Take a look in there.
We have made many posts and posts with the, uh, the pointer
to the, uh, the CFP.
(36:12):
And we, we really lo look forward to, to meeting new
people with new ideas there.
So even if you think that it's something crazy, and you know
what, I'm gonna volunteer if you want to submit things, but you
don't think that, uh, they're, they're ready enough or you
think they're not good enough or anything like that.
By all means, reach out to me and I'll be happy to work with
you and polish that, that submission to the point that you
(36:33):
feel good about it.
uh, uh, we, we are expecting to hear from you guys,
Chris Romeo (36:40):
All right, I'm
gonna send my submission, oh
wait,
Izar Tarandach (36:43):
Oh, don't you
have a keynote or something?
Chris Romeo (36:46):
I might, I might
be, I might have an opportunity
to address our audience.
So, hey, uh, folks, thanks for being a part of the Security
Table again, we look forward to talking to you again soon.