Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Chris Romeo (00:09):
Hey folks.
Welcome to another episode of the Security Table.
This is Chris Romeo, joined by Matt Coles and Izar Tarandach.
And the topic for today is the sound of silence.
So we will literally just sit here silently for 15 to, no, we
couldn't.
There's no way we could be silent for 15 seconds or 30
seconds either.
(00:30):
But, uh, we were joking about the sound of silence and I was
made, it was made aware to me that there is a remake of the
Sound of Silence by Disturbed.
So this is not a music podcast, but we figured we'd start there
and I have a feeling we're gonna come back to the sound of
silence.
I think we can tie it in at the end to what we're gonna talk
about today.
So, question I'm posing for Matt and Izar and I guess the rest of
(00:52):
the universe as well, is.
How can you be a security person that engineers don't hate?
How can you be a security person that engineers don't hate?
So let's, let's unpack the, the, the second half of that.
First, like, do engineers hate security people?
Izar Tarandach (01:13):
I think that
hate is a strong word.
But it's useful.
Chris Romeo (01:22):
I thought you were
gonna say no.
It should be more like dislike.
It should be a soft No, you're like, it's a hard, it's a tough
word, but it's
Izar Tarandach (01:29):
it's, yeah.
Chris Romeo (01:30):
point.
Matt Coles (01:30):
We, we need, we need
a chart cuz there is, there is
most definitely a non-zero percentage of hate going on
It's, it's, it may be small of the grand scheme of things, but
it's a word.
It's an important word.
is not inconceivable
Izar Tarandach (01:47):
it's,
Matt Coles (01:47):
hate
Izar Tarandach (01:48):
it's another,
it's another one of those things
that you go, it depends, and it depends on what kind of security
person, like are we talking compliance, because then even
security people hate thinking compliance people.
But
Chris Romeo (02:09):
True, true.
Izar Tarandach (02:11):
not personally,
Matt Coles (02:12):
and there's, I mean,
there, there's different levels
of hate, right?
There's, there's, there's, oh, he's coming.
Oh, I gotta do something.
Now, this person is evil.
Why is he, why is he or she here?
Uh, Get outta my, get outta my office before, before I throw
something at you
Chris Romeo (02:29):
Well there, no,
there's one before that.
That is turn out the lights and maybe they won't think we're
actually in here.
Izar Tarandach (02:35):
And There's one.
Chris Romeo (02:36):
Everyone be quiet.
Lights out.
Izar Tarandach (02:36):
There's one
after that.
That's the voodoo doll right?
Chris Romeo (02:42):
So why though?
Why, why do engineers, let's say it's not, I mean, we shouldn't
use the word hate, like, let's say dislike, let's just soften
it a little bit so we get more, more tens of percentage points
that
Izar Tarandach (02:53):
So,
Chris Romeo (02:54):
the, in the graph
here.
So, but why, what, what, what does security do in, in both of
your experience, that makes engineers want to run away and
hide and, and, and find ways to not deal with us?
Izar Tarandach (03:06):
So per personal,
personal story time, uh, once
had the team.
That circulated an email saying, stop talking to Izar.
Because every time that we give him more details, he finds more
problems.
Right.
So it's not like there was hatein there.
I mean, nobody went with, perhaps there was, and I, I
(03:29):
wasn't aware, but the, the, the fact of the matter is that, uh,
I, I think that there is one thing that we can agree, right?
That, uh, Maror and dium apart, the one substance in the
universe that's the rarest and, and most costly is developer
(03:50):
time.
And we, security people are constantly asking for developer
time and that raises a lot of, uh, uh,
Matt Coles (04:11):
We don't
Izar Tarandach (04:11):
not
expectations, but
Chris Romeo (04:13):
It is a challenge.
Matt Coles (04:14):
don't just ask for
their time.
We're not just asking for their time though, is there, right.
I mean, security overall and,and we all do it to some
Izar Tarandach (04:22):
Wait, I lost my
audio.
Matt Coles (04:24):
We're asking them to
do something different.
Right.
We're asking them to expend resources to reveal information
and that, and that isn't necessarily a bad thing, but
we're also, you know, people love to say, oh, you're
interrupting your, you're, you're affecting our velocity,
right?
So you're, you are impact impacting their ability to meet
(04:47):
their needs and their requirements.
Uh, and, and that's, and, and that is a very.
Traditional, uh, originally I think a traditional view in the
way that security operated.
And now a more, um, what a word I'm looking for.
It's not traditional, like it's completely not in my head.
(05:08):
Um, uh, stereotypical, that's the word I'm looking for.
It's a very stereotypical view of, of security.
Oh, they're always roadblocks.
Right.
We've, we've gotten a, I think I'm a not un, not a, not a, a
not undeserved label of being roadblocks to progress.
Chris Romeo (05:30):
Hmm,
Matt Coles (05:31):
And I think we're
getting better about that over
time.
And, and I say we collectively in the grand scheme of security,
uh, professionals, um, But, but stereo, typically, I think
we're, we're seen as, you know, speed, bumps, roadblocks, and,
and otherwise nets on the process.
Chris Romeo (05:48):
We talked in a
previous episode about
guardrails and paved roads as a, a thing that limits that
friction because the paved roads are there to give the, the
guidance and give the, the correct components, the IAM
policies, the things that are hard for individual, uh,
developers to have to try to figure out and come up with a
secure configuration for when you give them that paved road.
(06:11):
But when I think about the challenges that engineering has,
for example, with security, if we go to the, to the, the, the
executive or leadership level, I, I think that this is part of
the challenge.
This is part of the, part of the why.
Part of why they don't.
Always embrace everything that we want to do.
Because if, for example, I'm running an engineering team that
(06:34):
has, let's just say a hundred developers, let's just make a
nice round number and you're telling me that you want to
introduce this thing called threat modeling, and I ask you,
well, what is that gonna, what's that?
How, how much effort are my people gonna have to put in?
Well, uh, if they each expend 800..., 8 hours a month, We
think we can, we can really make a move on this whole threat
modeling thing and get better at it as an organization.
(06:56):
But then what I have to do as a leader though, is I have to go,
okay, I have a hundred people times eight hours.
How many person months is that?
How many person years is that?
Like that has a cost that has a gigantic cost.
When you start talking about doing something across a
hundred.
Now imagine if you have a.
Thousand developers or 10,000 developers.
Now it's eight hours times 10,000 developers.
(07:19):
That's people I have.
You're basically asking me to take a classroom full of people
and dedicate them to threat modeling for the whole year when
I, when I do the aggregate kind of analysis.
So I think that's part of the challenge.
Izar Tarandach (07:31):
But here, here's
the thing, once upon a time when
I was, um, perhaps not so young, but much more naive, security
professional.
I would look at you and say, but I need the time because I'm
going to give you A, B, C, D, E, and things are going to be
better at, at the end of it.
But now I, I, I can already look around and, and empathize with
(07:53):
those people and see how they, they think and see what's behind
the thought from their side, and understand that most times what
I'm putting on the table is something that's very
intangible.
Against the very tangible thing that you just put of the 800
hours in there.
Right.
So it, it's not even, uh, the fact that I'm coming and asking
(08:18):
something that's very expensive to them, it's that what I'm
putting against that it's something that they can't value
beforehand.
It makes it very hard for them to achieve a, a, a, a positive
decision.
Chris Romeo (08:31):
and it's hard to
see the return on investment.
Izar Tarandach (08:34):
Exactly.
Chris Romeo (08:34):
When you're telling
me, you can tell me, Hey, for
that 800 hours, you gonna, you're going to have, on
average, you're gonna eliminate two security vol.
Two security, let's just say bugs, that you'll have to,
you'll have to expend time and effort on a, from a re, rework
perspective.
So we can do an equation, we can do some formulas.
(08:55):
But myself, as an engineering leader, if I take all my
security experience and I throw it away and say, I'm just gonna
pretend I'm an engineering leader, and I just know
engineering.
Show me the money type of scenario.
Like you can't prove to me that you're going, I'm gonna expend
the 800 hours.
That's a, that's a given, but you can't prove to me that I'm
gonna get 1600 hours of relief fixing two bug.
(09:19):
You know, two security bugs are gonna get eliminated from each
of those developers world, which is actually gonna double.
You're gonna invest eight hours, but they're gonna save 16 or 24
or 40, or whatever it's going to be.
Izar Tarandach (09:29):
Because again,
you come in and you're selling
insurance, right?
Unlike established insurance, we, we don't have enough data to
point out to, to actuarial tables and say, these are the
chances that I'm going to make your, your world a better world if
you do the things that I'm asking you.
Chris Romeo (09:45):
Hmm.
Matt Coles (09:46):
It's actually
interesting that you say that
you use that analogy of selling insurance, right?
Like.
Farmers or, or State Farm or whatever to, but think of who
we're talking to.
We're talking to home builders, contractors and carpenters.
And, uh, to use this analogy, right, we're talking about
(10:07):
trades.
Uh, the people who, you know, do plumbing and electrical and
whatnot, these are, these are the engineers we're talking to.
They don't get homeowners insurance for the, for the
homes.
They build.
So why do we talk insurance...
Chris Romeo (10:23):
they get liability
insurance.
Izar Tarandach (10:24):
Yeah.
Matt Coles (10:24):
get liability
insurance
Chris Romeo (10:25):
They carry
liability insurance, which is
the, I think is the, the connection to what Izar is
saying.
You're offering me as an engineering leader, liability
insurance, saying I'm gonna get 16 hours you that we're
predicting this event's gonna, you're gonna have some number of
events and I'm telling you, I'm gonna save you twice as much
time.
Matt Coles (10:41):
but they also get
data.
They also get data sheets.
They also get, um, uh, regulation, you know, uh, uh,
Permits and regulations from, from towns that they have to
follow.
Right.
We're not talking about...
Go ahead, Izar.
Izar Tarandach (10:57):
Just, just to
strangle the analogy here,
Matt Coles (10:59):
Yeah.
Cuz that
Izar Tarandach (11:00):
if, if I ask
somebody to build me a house, I
get a subcontractor who's going to do the electrical?
That person does their work.
I move into the house.
The house catches fire, and the fire firefighters say, Hey, it
started because the electrical was not up to code, and
something just burned up.
(11:22):
You wanna tell me that the, that person that put your electrical
in place doesn't have any liability?
They do.
Chris Romeo (11:29):
Mm.
Izar Tarandach (11:29):
So, there there
is, uh, uh, the issue that I, I
can choose to go for insurance or I can choose to sit on top of
that person and make sure that everything that they they're
doing is up to code.
So we are the guys who are...
Chris Romeo (11:41):
who are.
That's why you have building inspectors, right?
Like I've heard people use this house building analogy about
software as well, and you have the building inspectors who are
doing the checking.
So, The security team effectively is doing the checks
at the right points and the inspections to say, this thing's
been built to whatever the code was, the requirements that we've
(12:02):
declared that where they're gonna be,
Izar Tarandach (12:04):
So do people
hate building inspectors?
Chris Romeo (12:07):
yes.
Izar Tarandach (12:09):
I, I, I don't
know.
I'm asking cause I have no clue.
Chris Romeo (12:12):
I, I think when
you're a house builder, when
you're a builder and you have, you, you have a, just like in
security though, with home, and I'm not a home builder by the
way, but you have a range of inspectors.
You have inspectors that will hold you to the every letter of
the law.
Oh no.
It says that you have to have 74 nails per foot.
(12:35):
I counted 73 here.
Fail.
Like, does, does that one nail not being at 74 somehow reduce
the structural integrity of the house?
No.
That's just a, so the inspector can be a stickler that.
And, and we as the consumer, we as the people who are gonna move
into the house, we want that inspector to be like, 73, you're
(12:55):
gonna gimme 80 cuz you missed one.
You're gonna give me more.
We want the cons as the person who owns the house, we want it
to be as safe as possible, but as the person who's building the
house, You want a happy medium.
You don't want the inspector who's, who's giving you a list
of 5,000 items that are wrong with the house, including, um,
there was an extra stone in the driveway that was sitting in the
(13:17):
front yard.
A pebble, uh, you can't have pebbles off the driveway.
Pebbles have to be within two feet of the driveway.
Izar Tarandach (13:26):
So what it,
what, what I think you're
telling me because in the middle I had to change my headphones
and I missed half of that.
Uh,
Chris Romeo (13:32):
It was brilliant by
the way.
Izar Tarandach (13:35):
I, I'll, I'll
hear it.
I'll I'll, I'll hear it on the episode.
I'll hear it on the
Matt Coles (13:38):
was epic.
Yeah.
Izar Tarandach (13:40):
on the, um,
impression that I got from the
tail end there is that I would hate that person less if what
they brought to the table was wait for it reasonable.
Chris Romeo (13:54):
Yeah, somewhere in
the middle between extreme and
weak there is a reasonableness that sits in the middle, even in
the home building process where, and, and a lot of inspectors are
reasonable cuz they work with builders all the time and and
whatnot.
Matt Coles (14:10):
Yeah.
Pragmatism.
Pragmatism, is that other word?
We should be, we, we could use there.
Izar Tarandach (14:15):
So pragmatism,
born from empathy and
perspective taking
Matt Coles (14:21):
And experience,
Izar Tarandach (14:23):
and experience,
meaning.
Matt Coles (14:24):
so, right, because,
because that home builder is
going to know, well, 73 versus 74, you know, the building code
is, is designed for the 120, 130, 140% scenario.
And so that's okay.
They can make that reasonable call if there's nothing else
(14:45):
wrong or that there's nothing else of significant value of, of
interest, right?
They can make, be pragmatic about, about that.
Chris Romeo (14:54):
Mm-hmm.
Okay, so why else?
We talked about resource.
I think I, we can bucket this whole conversation in resource
management is a reason why engineering or engineers dislike
what they get from security.
But there are, there are, there are plenty more buckets like I
can think of.
Not...
(15:14):
improper tuning or fidelity of tool results.
Is a reason that developers, and that's not a resource thing,
that's just annoying cuz your tool generated 500 Jira tickets
for me, and now I have to go click through 'em and try to
resolve all of them.
Matt Coles (15:26):
You know, at the
fundamental root, I think this
comes down to the eyes over the shoulder, the over the
oversight, the somebody else is paying is somebody else.
There's a measure of control, but there's also a measure of
somebody else is telling me how to do my job.
Izar Tarandach (15:44):
Yeah, yeah,
yeah, yeah, yeah.
And, and that connects to what Brooke always says, that, uh,
nobody likes to be told that their baby is ugly.
So sometimes we go threat modeling, but we end up
criticizing a design when we shouldn't be.
Chris Romeo (16:02):
Mm-hmm.
Matt Coles (16:04):
Well, it needs to
happen.
Just not a critical eye to the design needs to, needs to be
placed, but we shouldn't be criticizing it cuz then it
becomes personal for the developers.
Chris Romeo (16:15):
Yeah, we're not
critic.
We always, and when I think of like something we could add to
the Threat Modeling Manifesto, not that we could add anything
to something that was so perfect, but there could be an
angle there about, you know, respecting the person,
respecting the engineer.
I'm trying, I can't word it correctly, but basically
respecting the engineer, attacking the design so that the
(16:37):
person knows, Hey, I don't think you're a bad engineer.
This is just what the process is, is we need to think about
what could go wrong.
I'm not saying this is even gonna happen.
I think you're an excellent engineer, but some people could
be, could be, could take that very, it could.
It could be a rough receipt for them.
Like you're, so you're telling me I'm a bad engineer, Izar.
You're telling me I suck at coding.
Izar Tarandach (16:55):
The, the,
corollary, the, the corollary of
the, the discussion with Brooke on that was that when we come
in, it's not that we, we, we are telling you that your baby is
ugly.
We have to make it clear from the beginning that we are here
just to make sure that, that your baby survives what it looks
like is your problem.
(17:15):
Which crib you're going to putit on.
It's your thing.
No, we, we we're not even apediatrician.
We're, we're the, the, the, the,
Matt Coles (17:24):
The neonatal nurse.
The neonatal nurse.
Chris Romeo (17:26):
Guardians of the
Crib.
Guardians of the Galaxy, Guardians of the Crib.
You can choose.
Izar Tarandach (17:30):
No, the
guardrails of the crib.
Chris Romeo (17:31):
Ahh Guardrails of
the crib.
Oh, that's nice.
That's a good, that's a nice visual illustration.
Izar Tarandach (17:39):
A a and that
sort of brings us back to, to
what you said of the discussion that we had on guard, guard
rails and safeguards.
I, I don't think that developers like those specifically because
it reduces the friction.
I think that it reduces the friction because by putting
those in place, we sort of disappear in the background.
(18:00):
We security professionals just disappear.
We, we.
We infuse the development practices with those guardrails
and safeguards, and that let, lets us take a step back and
just look at how they're being used, rather than, are you doing
the right thing?
Are you doing the right thing?
Are you doing the right thing?
And now and now.
Are you doing the right thing now?
And now.
Chris Romeo (18:20):
That's, developer
enablement though.
Like that's really the end game to what we do.
If we can, if we can integrate AppSec slash security slash
whatever does secure by design slash threat modeling slash
whatever we wanna call it, if we can integrate that into
developer workflows, processes, and tools instead of being
(18:40):
something different like we talked about before in the
previous episode as well.
That's how you really eliminate the friction, cuz then this is
just how we build software.
It's not, we're not doing security things.
We're just building software in a flow.
Izar Tarandach (18:53):
But is that the
end game?
Cause I, I, I love how we, we.
We build arches here without even knowing things that we, we
talked about in previous, uh, episodes.
At the end of the day, the end game is not putting those
safeguards and guardrails in place and giving people tools
that work and need less tuning or give less false positives.
(19:16):
I think that at the end of the day, that the end game is for
for for developers to have their own security mindedness.
And realize that those are tools of their job, tools of, of their
trade.
Right?
Matt Coles (19:30):
Similar to quality.
Izar Tarandach (19:32):
Exactly.
So
Chris Romeo (19:33):
I mean, I think
that's, I think that's a pie in
the sky view.
I think that's the
Izar Tarandach (19:37):
it is
aspirational, of course.
Yeah.
Matt Coles (19:39):
I think we need to
work.
We need to work towards it though.
We,
Chris Romeo (19:41):
but what I'm saying
is developer.
Developer enablement.
Putting those functions and features and things into the
existing tools like GitHub and GitLab, for example, are going
through this, this, this takeover of the market where you
can have SAST now from GitHub.
That's in GitHub.
You can have SCA, you can have all these things.
They've put those where the develop they, they've integrated
(20:04):
them into the development tools, so the developers don't even see
something different.
Izar Tarandach (20:09):
Oh,
Chris Romeo (20:09):
so that, what I'm
saying is that's a gateway to
what your inspiration is.
You want developers to just care when you can get there, but
this, one of the steps along the way is to help them see is to
take away the friction of other tools and other things that are
outside of their normal flow.
Izar Tarandach (20:22):
So let, let's go
there for a second.
Yeah, GitHub is giving them that frictionless thing, but when
they receive the notice from, from the tool saying, there is
something wrong here.
Is their reaction, "Yay! The tool found something wrong that I can
go and fix?" Or is it, "Oh God, one more thing that I have to
(20:47):
stop now and go deal with because of this damn tool."
That, that, that's the last step of the, of the thing here that,
that's the aspirational part.
Chris Romeo (20:59):
It's an 80/20
breakdown.
By the way.
I think 80% of the people are like, "Oh.
Again?" There's 20% of people out there that are like, okay.
I think, I think we're, I think there's 20% of the people that
are, that are with us.
Maybe I'm being too, too excited or whatever in this, but I feel
like there is a movement of people that get what we've been
teaching for 15 years or 20 years here, and they understand
(21:22):
maybe it's because they've had a, a data breach or a gigantic
vulnerability as a result of a mistake they made.
And so now they've just got it.
They're like, I, I felt the pain.
I get it.
I gotta deal with these things.
I don't know.
I don't know where it lands.
Izar Tarandach (21:37):
Yes.
But to go back to the question of today, do those people stop
hating security professionals?
Or do they stop seeing them as extra work because now they see
how those things are actually necessary?
Matt Coles (21:58):
So I wanna, I wanna
add, throw out a question to you
guys with respect to developer enable.
If we look at developer development enablement as sort
as a, a phase where security blends into the background,
right?
Where we become, where we create things or specify things or
(22:19):
guide people to adopt tools and other things, training and
whatnot, that helps them do their job and include security
in it.
And that's not necessarily a bad thing.
I'm, I'm not su not in this question, I'm not suggesting
anywhere that it's bad to be on that path, but do you think that
(22:41):
there's a place, the, the way that, the way I like to think
about how I don't piss off developers that I talk to is to
be a.
To be a trusted partner.
That's a real, that's not the, that's a very, uh, overused way
of saying it.
I think.
Um, you know, I enjoy sitting with the engineering team and
(23:06):
becoming a part of their group and working with them closely.
Yes, it takes a lot more time.
It doesn't scale very well, but it helps that we can talk about
engineering problems together and introduce security into that
without it being, oh, you have to do this because this policy
(23:28):
says X, Y, and Z, and you know, I'm here to enforce it.
No, I'm, I'm an ar, I'm an an architect, you know, I'm
bringing the security view, the, the, the voice of the customer.
We can debate as engineers.
Right?
And, and you gain trust that way.
Chris Romeo (23:46):
It's a scalability
problem though.
Izar Tarandach (23:48):
It's not, I, I,
Chris Romeo (23:49):
do I, do that with
10,000 developers?
Matt Coles (23:51):
you have to, or
maybe.
Maybe Do you have
Chris Romeo (23:53):
security person.
Matt Coles (23:54):
but.
Izar Tarandach (23:55):
I don't think.
Chris Romeo (23:56):
every 25 maybe.
So now I basically need my 10,000 developers.
I need four to 140 to a thousand, 40 times.
I need 400 secure.
I need 400 Matt Coles, which I would take that, don't get me
wrong, I would have an organization of 400 Matt Coles
Matt Coles (24:12):
We, we had, we had
the, we had this challenge, uh,
uh, two decades ago with how many quality engineers do you
have per developer?
Per, per, how many quality?
How many developers do you have per quality engineer?
Chris Romeo (24:23):
Yeah.
And we, I mean, we never solved it.
I don't think we ever
Matt Coles (24:26):
to one.
Something like that.
Chris Romeo (24:27):
Yeah.
And, and the same thing's happening here.
Like that's, that's a, i, I, I think that's a, a, a noble goal,
but I have yet to find anybody who can resource to it, because
you can't resource to it with 10 people.
Izar Tarandach (24:38):
But this is not
going to solve the problem as
This, this doesn't solve it.
This, this just moves the, this just reduces the, the, the, the
blast radius of the problem.
Matt Coles (24:50):
does it solve,
doesn't it solve the, how do we
not look like jerks to, to developers?
Izar Tarandach (24:55):
Yes.
Matt Coles (24:56):
Okay, so we've ans
we we can solve it.
It's a way, It's
Izar Tarandach (25:00):
no, no, no, no,
no, no.
Sorry.
You said, does it solve or does it not solve?
I, I'd say it doesn't, does not solve, and the the reason is, is
very simple.
Once upon a time you were developing something, you would
open a terminal, open vi write code, compile, push.
(25:21):
Nowadays things have reached a level of spec spec
specialization both for the developer and for the, the
security person.
That creates a, a sense of otherness that for each other
we, we, we are always going to be separate species, but with
(25:42):
some common DNA and that otherness.
I, I, I, I think it, it, it just, it just, it just makes
the, the, the, the whole dialogue not more complicated,
but more heavy.
We, we, we are pulling in different directions.
Chris Romeo (25:59):
See, I don't see
that I, I see it in Matt now.
I don't think Matt's model works from a scalability perspective,
but I think it does work from a building trust and security is
no longer this faceless entity that's throwing work at us
because Matt's there with that team of 20 engineers and he's
like, Hey, I understand this sucks that we just, we just did
(26:21):
this tool to spit this out.
I'm gonna roll up my sleeves now and let's see if we can get this
going.
Like, you're leading, you're not.
You're not just saying, Hey, good luck folks.
I'm gonna go home.
I know it's 3:00 PM I'm heading home for the weekend.
Enjoy.
You're there rolling up your sleeves.
You're with them, and they're like, Hey, Matt is part of this
team.
He's with us.
He's, he's leading from the front.
He's helping us solve the problems that he has control
(26:41):
over can or can influence.
And so I think, I think I'm with Matt on this one.
I think they do end up trusting you.
They, they, they lose their dislike because you're one of,
you're with them, you're part of their team, you're embedded on
the team.
Matt Coles (26:52):
Mm-hmm.
Izar Tarandach (26:52):
But no, because
the problems that we solve as
security people are removed from the problems that they solve as
development people.
Their volume is much bigger.
We appear once in a blue moon to deal with a finding or to deal
with threat modeling or to deal with this thing or that thing.
Chris Romeo (27:14):
That's not the
model we're talking here.
Matt Coles (27:15):
It's not the model
Chris Romeo (27:16):
In Matt's model,
Matt is with the team.
Izar Tarandach (27:18):
Yeah.
With the team that, that's what I'm saying.
Chris Romeo (27:20):
He sits in there
where their cubes are.
He has a cube there.
He hangs out with them all day.
Izar Tarandach (27:24):
And most of the
time he has his thumbs and they
go circling until something shows up.
Matt Coles (27:29):
No, no, no, no, no.
So
Izar Tarandach (27:31):
Unless you're
telling me that you become a
developer, that just happens to be a security expert as well.
Chris Romeo (27:35):
Well, I think you
do some development in that
world though.
You do.
Izar Tarandach (27:38):
I, believe me, I
don't want my code going into
production.
Chris Romeo (27:42):
Oh, mine's not
allowed.
It's been banned by the whatever code institute of the world.
Izar Tarandach (27:45):
So what am I
doing?
I'm, I'm reducing the quality of the, the team because either I
embed as a hundred percent security person, or I embed as a
poor engineer that knows security.
If I am a hundred percent security person, I'm sorry.
Even in my most self, self-aggrandizing dreams, there
(28:06):
isn't a hundred percent of the time security issues to be
addressed.
So I am basically idling there until something happens.
It's like I'm going to bring a firefighter.
Chris Romeo (28:17):
You're leading the
threat models.
No.
You're, you're, there's no way You're idling, you're leading
the threat model process.
Matt Coles (28:22):
Participating in
architectural reviews...
Chris Romeo (28:23):
You're doing code
reviews you're doing code
reviews of PRs that are coming through.
Matt Coles (28:27):
Well, and in fact,
in fact, I would, let me just,
let me just throw out a, a, an example, right.
Uh, in a previous life, uh, working with, with a comp, with,
you know, engineers at this is, was the way it worked and it was
a small company, made it a little bit easier, right?
I sat in design reviews, in architecture reviews when they
(28:47):
were talking about how to implement something.
I was present because with the ensuring skills that I, that I
could bring to the table, in addition to the security
knowledge, I could act as another pair of eyes as a peer,
that built trust.
So while I wasn't writing code, I was influencing the design so
(29:08):
that we didn't have to do security later.
We can influence, we can influence the thing at the
ground when they're defining it or when they're implementing it,
or when they're deploying it, or, Hey, so-and-so customer just
called and they have this complaint or issue.
We can do the translation.
Izar Tarandach (29:27):
But matt, that,
that,
Matt Coles (29:29):
yeah, I know that
doesn't scale.
Izar Tarandach (29:30):
no, it's not
that it doesn't scale.
That's exactly my point.
You were able to do it back then because I'm, I'm willing to bet
The stack that was used for that specific application and the
deployment model and all that good stuff was way more
contained than what we have today.
Matt Coles (29:47):
Uh, I think that
there's still a ton of companies
out there, small companies out there, especially that's, that
still happens.
Izar Tarandach (29:55):
Yes, and those
companies, the good ones do have
security staff on board.
Many of them still see it as a cost sink and say later on when
we get bigger.
But today, in the embedding model of the, the, the norm, not
normal of the, the 80% of companies out there, my point is
that to bring a security person in, That also has all the
(30:19):
knowledge of the stack to be considered a peer by software
engineers.
You, you, you're looking for a a a, a four-leafed, uh, uh,
four-leafed unicorn.
Chris Romeo (30:32):
People call'em
unicorn devs.
The DevSecOps unicorn idea is you have someone who knows Dev,
Sec and Ops all together, and they're unicorns cuz you don't
see them very often.
Izar Tarandach (30:43):
And basically
what
Chris Romeo (30:43):
Everyone says they
saw one, but no one ever can
prove it.
Izar Tarandach (30:45):
And what, what
you end up is with a rhino that
somebody painted white.
Chris Romeo (30:50):
Alright.
Izar Tarandach (30:51):
Okay.
And you know what?
I'm gonna put my hand up and say I'm one of those.
I mean, I can talk technicalities with engineers
all day long, but I know that I am not at their level.
At the same time, I don't expect them to be at the level of
expertise that I bring in the security side, right.
Matt Coles (31:11):
That makes sense.
Yes, I would agree with that and, and I agree.
I, you know, I'm not an expert coder in many languages that
they use, but I don't think you have to be.
Chris Romeo (31:23):
Yeah, I agree.
Izar Tarandach (31:24):
Because you are
looking at the principles.
But the problem is that once you agree on the principles on the
design and they go do their merry sprint dance, you will sit
back and wait for something to pop up to happen.
You will not be doing 24-7 threat models and code reviews
and this and that and the other one.
Chris Romeo (31:44):
Engineering teams
turn over five to 10% of their
staff a year.
That's, that's what people have always tell me that, you know,
I, cuz I've heard that argument made in different contexts that
like you're going to, and for example, in the training space,
you're going to train everybody and there's not gonna be any
more people to do it.
Well, every year, 5-10% of people in your engineering team
(32:04):
turnover.
So there's always new people who are coming in cold.
They don't have a perspective on, on educa or uh, security.
They haven't so, I don't think, I mean this is, this is a weird
place for me cuz I'm literally arguing both sides of the
argument.
I actually don't think this works from a scalability
perspective, but I do think it works from an expertise and a
trust perspective.
(32:25):
So I'm in a really weird spot.
Izar Tarandach (32:26):
I I'm
Chris Romeo (32:26):
I should just be
quiet.
Izar Tarandach (32:27):
I, I'm not even
looking at the...
Matt Coles (32:29):
We're not talking
about whether it solves the
security problem, right?
We're talking about whether or not there's a trust issue, and
with that, this approach works to solve that trust issue.
Izar Tarandach (32:41):
Look at at, at
the end of the day, the trust.
Okay?
The trust.
I agree with you completely because all of a sudden you
have, okay, let, let's put things aside for a second.
The scale scaling, the three ofus agree, this doesn't scale.
Great.
So let's look at a hypothetical, small company, small team, but
with the resources to have security staff at hand.
(33:04):
So I agree with Matt, the, the, the trust issue gets solved
because all of a sudden you have a security person at hand.
So for the developer team to now say, whenever I have a security
problem, I have a person that I can just turn 90 degrees and
talk to them directly.
That definitely solves the trust problem.
(33:26):
What I'm saying is that very quickly what went up is that
security person gets underutilized.
And all of a sudden as a solution to that, because people
in this line of work don't don't like to be bored or bad things
happen when they get bored.
Matt Coles (33:42):
All right.
Izar Tarandach (33:43):
All of a sudden
these people find themselves
writing code for the product, right?
Because you can only write so much security engineering until
stuff starts to work and you're happy.
Chris Romeo (34:00):
Doesn't that spur
you on it as a security person
though, if you're in that role,to expand your knowledge?
Because it certainly did for me.
So I've been in that role before where I was, I was kind of at
the center of, of building something and I had brought my
(34:20):
security knowledge and expertise, but I didn't truly
understand the language and framework and everything.
So I went and learned it because I was like, I wanna be more
effective in what I'm doing.
And so, yes, it took me a little bit of time.
I wasn't, I didn't come in ready to solve problems, but over a
period of three to six months, I got to the point where I
understood that framework.
I understood the language.
It was Ruby on Rails.
(34:40):
I'm like, I, I understand how it works.
I understand what the challenges are.
It made me a better security person.
Cause now I understood it from the inside out.
So I wasn't ready on day one, but by day 180 I was.
You still didn't want my code going into production, but I
had, I had taken steps to better myself cause I wanted to be more
effective with my my peers.
Izar Tarandach (35:01):
But I think that
there's a reason why most AppSec
people, and and I make a point here to say, just the AppSec,
not definitely not all parts of security, why they tend to be
bit more generalists than deep dive into issues, right?
Because the technology out there moves really, really, really
(35:24):
fast.
And if we spend the time to go deep into something, we're going
to miss the other 180 things that happened meanwhile.
I I, I just don't think that that's, that that metamorphosis
turns the security person into something that the developers
(35:44):
automatically like more.
Matt Coles (35:48):
Not automatically.
Izar Tarandach (35:49):
I mean, I, I, I
can't imagine, I, I can imagine
that security person in a sprint, everybody's talking
about something and they raise their hands and say, we cannot
ship because we didn't do the, uh, authentication authorization
right.
And everybody looks
Chris Romeo (36:02):
Hopefully you told
them at the beginning.
Izar Tarandach (36:03):
No.
And everybody looks at them.
Chris Romeo (36:04):
Hopefully you're
telling them at the beginning.
Izar Tarandach (36:05):
Perhaps
Matt Coles (36:06):
hopefully you don't
Izar Tarandach (36:07):
perhaps they
were
Matt Coles (36:08):
as, we can't ship
that.
That defeats the purpose.
Izar Tarandach (36:09):
No, perhaps they
were telling all, all the way
through and they were being told.
MVP.
We have to put things out.
We have to prove that it works.
Blah, blah, blah, blah, blah, blah.
Bolt on.
And then everybody looks at, "Dammit Carl." Really?
Matt Coles (36:23):
Well, so remember
this word, remember that word,
pragmatism, right?
You in this model.
In this model, there are times when you have to be comfortable.
It's in part a trust thing, and it goes both.
It's sort of a trust in two aspects, right?
There's, there's getting developer trust and help and
having them recognize you as a peer.
(36:47):
Sometimes that means smoothing over the edges when it comes to
the way that com, that compliance, hard compliance
things, right?
Can you not ship?
Because you don't have authentication.
Well, maybe MVP, sorry,
Izar Tarandach (37:08):
That, that's how
we sound for, for developers by
the way.
Chris Romeo (37:13):
Great illustration.
That's what we sound like is just a barking dog always
nipping at their heels.
Matt Coles (37:19):
so maybe hold on.
Izar Tarandach (37:24):
But I, I think
that at the end of the day here,
uh, Matt makes an excellent point.
This makes people trust you more.
But at the end of the day, the, the, the question that we are
battling with today, just because they trust you, do they
like you more?
Sorry.
Just because they trust you.
Don't they hate you?
Matt Coles (37:43):
They hate you less
Certainly.
Chris Romeo (37:45):
They hate you less.
They like you more cuz you're, you're humanizing your function.
You're not a, you're not a, a box off to the side who's, who's
sending things across, throwing it over the wall, and we don't
even know who's over there, but they're just telling us our
stuff is terrible and we can't, we can't move forward.
Izar Tarandach (38:01):
So you, you you
Chris Romeo (38:02):
it's, Matt said,
our stuff is not great, but he's
helping us figure out how to fix it,
Matt Coles (38:07):
right.
And realizing that and realizing that MVP may me, may mean good
enough and not great.
Right?
Izar Tarandach (38:14):
You, you think
that somebody's saying he's a
pain in the ass or somebody's saying he's a pain in the ass,
but he's right.
That,
Chris Romeo (38:22):
But he's our pain.
painted
Matt Coles (38:24):
Right,
Izar Tarandach (38:25):
that, that
involves
Matt Coles (38:26):
it goes because the
other, because it isn't just an
inward facing thing, it's an outward facing thing, right?
You're there to defend and translate from other teams,
right?
So when the security team or the compliance teams, your C,
whoever comes along and says, Hey, you're not meeting this.
The standards like, well, But they're doing the best they can.
Now you become the voice when you're talking to the
developers.
You're voice of the customer.
When you're talking to others,your voice of the developer, you
(38:50):
can provide that layer.
It's not
Chris Romeo (38:52):
I think, uh, I
think, I think Matt and I have
have made our point here.
We,
Izar Tarandach (38:55):
so let, let's,
yeah, let, let, let's say that
you, that you manage to convince me fine.
Okay, cool.
Now we are talking just the technical aspects of the thing.
Can we step back and talk a bit about the soft skills of
security people?
Matt Coles (39:12):
All of this requires
soft skills.
All
Izar Tarandach (39:15):
do, to do it
right?
But if you don't, but if you don't, it's still effective
because you're talking tech technicalities.
You're talking.
So something that you can, you can point at a line of code and
say, this is not a line of code that should be here.
Matt Coles (39:27):
You
Izar Tarandach (39:27):
if you do that
nicely or if you, if you, if
you're a pain in the ass about it.
Chris Romeo (39:31):
it's, I mean, I've
come to reali, I came to
realize, uh, it's probably been 10 years, eh, maybe not that
long ago since I realized it.
But, uh, I started talking and I know Izar, you talk about this
as well, this whole idea of developer empathy.
As security people.
If we don't have empathy for the developers, then we really are
not very effective and we're not reasonable.
(39:51):
Just to use another term that we've been throwing around, it's
not reasonable to, to be unempathetic of our developer
partners in this process.
And when I think developer empathy, it means I should
realize the pain that my tooling inflicts on people's job
operations, what they have to do on a day-to-day basis.
(40:13):
I should understand, how that impacts them, how it impacts the
team, the resourcing.
But I should also.
It's, so, empathy is one thing.
Soft skills is another thing.
And, and soft skills is more of a thing about how are we
influencing, how are we, how are we leading, how are we
influencing without starting a fight but instead collaborating
(40:38):
and making an argument.
But for me it comes back to empathy is always at the core of
that.
Like if I don't have empathy for my development teams, I'm, I'm
never really gonna get very far cause I'm gonna be stuck in all
the old traps that we've had for the last 25 years.
Izar Tarandach (40:50):
you
Matt Coles (40:50):
there are ways to
solve the scaling problem, by
the way, there are things you can do.
no, no, not perfectly.
Not perfectly.
Sorry.
You can help with the scaling problem, right?
Things like making it a rotation, right?
So maybe you're not with them full-time, or maybe with them
full-time for a period, a period of time.
Chris Romeo (41:09):
Yeah, but then you
don't, you don't have the trust
Izar Tarandach (41:11):
and then you you
introduce,
Matt Coles (41:12):
you, you gain, you
gain trust over time with that,
with that team.
And you, as you're rolling off of that team to the next one,
you have spent time training the trainer, working with the
champion and getting the champion confident in their
role, right?
So, so you become a member of the team, a connected member of
the team up here.
(41:33):
You gain trust, you get invited to things, but you're there to
help with the exp...
Explicitly, you're there to support them, enable them
support and enable them, really.
Right.
So, and, and again, none of this is perfect.
It doesn't solve the security problem.
It solves
Chris Romeo (41:50):
But that's a
coaching, what you just
described there is a coaching program, not a, not a developer.
Embedding not, not embedding a security person.
Matt Coles (41:58):
I think they can be
done together.
I know they can
Chris Romeo (42:01):
drop in, parachute
in, and then they go away
Matt Coles (42:04):
Not that's, that's
not what this is, that's not the
type of program that I'm talking about.
the, the, the
Chris Romeo (42:09):
I want, I want to,
we're almost outta time here and
I want to get, I wanna make sure we capture Izar's empathy
thoughts.
Cause I know he's, he's talked about this a lot.
We can, we can have another episode where we argue about how
Matt's idea was not scalable and there's no way that it possibly,
Matt Coles (42:23):
I'm not gonna argue
against that.
I just say,
Chris Romeo (42:25):
Uh,
Izar Tarandach (42:26):
No, I, I,
Chris Romeo (42:26):
be a short episode.
But Izar, what do you think on empathy?
What, what, what do you talk about with people?
Izar Tarandach (42:31):
I, I, think that
I, I see the point of what, what
Matt's saying, right?
And, and, and I, I agree to an extent.
To go back to the empathy, I think that it was very
interesting that you pulled the empathy thread to the side of us
as security people, looking at the tools and things that we
give the developer and feeling their pain on what they're,
(42:52):
they're suffering in their hand.
But another thing that we always joke about is that, uh, you
measure security code reviews by WTF per second, and.
One thing that we miss is that sometimes those WTF, they, they
have a reason.
Developers live in, in a constrained world that, that
(43:15):
they're not free to do whateverit is that they want, and
sometimes it may happen that the things that we ask them to do
lie beyond the constraints that they have for a number of
reasons.
And, uh, uh, uh, an important part of our empathy is, is, is
understanding how they live in that constrained world and how
what we asking can be the, the straw that breaks the camel's
(43:37):
back.
Chris Romeo (43:38):
Hmm.
That's a good thing to remember as well.
That is, I, I, I, I can say I haven't thought about empathy in
that particular vein that you described, but I think it's a
powerful.
Thing that I should be, I should be thinking about.
I am I asking them to do something that's beyond what
they can do.
So they can't e they can't make me happy and they can't make the
rest of the team happy by fixing whatever the issue was or
(43:59):
whatever.
Like they're stuck in a, a vortex almost.
Izar Tarandach (44:02):
And, and that
leads to another thing,
something that I, I learned from my wife that we use that word
empathy, but it's almost like risk.
We, we use the word, but we mean something else.
People who have empathy for each other run the risk And that's
not the one people who, who,who, who, who feel empathy for
(44:23):
each other, they.
Run the risk of falling into the trap of commiserating together.
So they realize that there is a limit to what they can do.
And they, they dwell in that,oh, well that's the suck.
That, that, that's, that's whatwe have to do.
Right.
And I think that what we are actually talking about here is
(44:43):
perspective taking.
It's that getting to their shoesand, and look at a word from
that angle rather than, Feeling bad because they are under
constraints or, or something like that.
Chris Romeo (44:56):
Do people really
commiserate
Izar Tarandach (44:57):
Oh, I
commiserate all the time.
I commiserate all the time,
Matt Coles (45:02):
Yeah.
Chris Romeo (45:02):
I'm
Izar Tarandach (45:03):
with myself.
Chris Romeo (45:06):
it really
commiserating?
If you're with yourself though,
Izar Tarandach (45:08):
Well, it
depends.
Matt Coles (45:08):
schizophrenic,
maybe.
Izar Tarandach (45:09):
it depends how
many voices you have in your
head.
Chris Romeo (45:12):
That's true.
That's true.
Matt Coles (45:14):
Or, you know, peyote
or LSD whatever you...
Chris Romeo (45:18):
Let's circle back
around and let me ask the
question one more time cuz I want and then we gotta, we have
to tie it to the sound of silence somehow, because that's
what I offered in the beginning.
But the question we asked was how to be a security person.
How do you be a security person that engineers don't hate?
And so just to recap, we talked about.
A number of different things, but if we work our way backward,
(45:39):
we talked about empathy and soft skills and influence and
embedding developers within that environment.
Um, resource management.
We talked about, uh, the over the shoulder th lick.
Look at people, you know, people don't want to be looked over the
shoulder.
They don't, they don't like that, I guess.
But final answer here, 30 seconds or left for less for
(46:01):
each of you.
How would you, how would you, what would be your, your summary
of how to be a security person that engineers don't hate based
on your own unique experience?
Matt, first.
Matt Coles (46:16):
I, I, I, I have
nothing else to add.
Uh, really, it, it's about, not, it, it's about being part of
their world.
I, I, I don't think there's anything more than that.
Chris Romeo (46:30):
Okay.
So you did have more to add cuz that was more so just fyi.
That was a good summary though, of being part of their world.
That's a good summary.
You said it differently than you did before, but it gives you
another view of, oh, okay.
I'm part of their world, I'm part of their existence and how
they're doing their job.
Izar, what about you?
What's your, your
Izar Tarandach (46:47):
So a, a, as we
speak, one of the voices in my
head is going back and reminding me that I was there when I saw
Matt do what he described when I saw him embedding with the team,
and I saw the results and I saw how much respect he got from
that team.
So I'll, I'll have to go back and say, yes, Matt is right.
That is extremely important.
(47:09):
Then when we extrapolate to the problem, if it doesn't scale,
then I think that if we take into consideration everything
that we talked about here, empathy, uh, perspective taking
and, and all that good stuff, and embedding, add all that
together.
And I think that the one-liner that I come up with is get
closer to them.
Don't, don't remove yourself from the picture.
(47:30):
Insert yourself into the picture that they are pen painting.
Understand that it's not yourpicture.
You, you are just background.
You're just there to make thepicture look better.
Well, in some cases, but, uh,
Chris Romeo (47:42):
and I think, I
mean, that is.
The thing I take away from this as well, all of the things you
said, you know, the and, and the different areas that we talked
about, but it is a scalability problem and, and maybe there is
things we can do.
Maybe there's there, there are things we can do to try to embed
security with less than a 25-to-one ratio of devs to
(48:07):
security people, because I mean, we're all gonna agree.
We've never seen a security organization that was allowed to
grow and build a embedding program.
That was at those levels with, you know, 10,000 engineers and
400 security people that were just doing embedded efforts
inside of the team.
And, and we don't see that, I don't see that being a reality,
(48:27):
especially as
Matt Coles (48:28):
we sort of meet
halfway.
Chris Romeo (48:29):
less.
Matt Coles (48:30):
We go about halfway
with security champions, right?
Because they're developers who gain security experience, not
the other way
Chris Romeo (48:35):
That's a good, I'm
gonna, I'm gonna, If we're
gonna, we're gonna press pause on that and we're gonna carry
that forward to a future conversation of the difference
between embedding a security person versus a security
champion.
And what are the things you get from each of those.
Izar Tarandach (48:50):
Oh, we're going
to talk about security
champions.
Yay.
Chris Romeo (48:52):
yeah, yeah, yeah.
Izar Tarandach (48:54):
Well, we had to
Chris Romeo (48:55):
Pandora's box
though, of opening that because,
Matt Coles (48:57):
Yeah.
Chris Romeo (48:59):
I almost wanna
start making my argument.
I'm not going to, I'm gonna say thank you for joining us here on
the security table, talking about how to be a security
person that engineers don't dislike.
Hopefully that describes you.
If it doesn't, hopefully you can apply some of these things we
talked about so that people will like you just 1% more per day.
Thanks everybody.