David Girvin - Bootstrapping your AppSec program

BSides Augusta · 1:00:32 · 114 views · Published 2022-10
About this talk
Trying to figure out how to implement an application security program? What tools to use? How do social engineering and culture drive security? How to be a good leader? If you have these questions, I have some answers.
Transcript [en]

I must have scared half of you guys out of here, I'm sorry. Hello everybody, way in the back, how's it going? All right, so who am I? I'm David Girvin. I shouldn't be in tech; people made mistakes, I ended up here. I really don't... I have a background as a ship captain and an engineer and stupid things like that, but somehow I hacked my way into tech, and I've worked for some companies like 1Password and We Hack Purple and Bit Discovery, and now I am a senior product security engineer of architecture, I don't know, I have some stupid titles I don't really care about, but it works. So I have a very different view on how these things should be, and I think one of my values in the industry is I see when things suck, so I'll be pointing out things that suck and making fun of everybody in different places. If you're in sales, I'm already sorry, because I make fun of you a lot. But those are my kids and my wife, who are way too good for me, and yeah, some other weird things in there, I don't need to read them all.

Okay, what are we going to talk about? We're going to outline building an AppSec program with a different perspective on management integration. I'll go over the cool tool stuff and technical SDLC and all that kind of stuff that you need to have in place, but everybody talks about that stuff, right? It's not a big deal; you can look up any of Tanya Janca's stuff and there's a million things on how to set up your tooling and everything. But I'm more interested in social engineering for good. I used to do it for bad, now we do it for good. I'm not one of those "I went to college and was a good person"; I was a crappy person and very good at sneaking into places and figuring these kinds of things out, and went the other direction. Now I try to do it for good. I have some interesting thoughts: AppSec is sales. If you suck at sales, you suck at AppSec. So these are skills we can all learn and think differently about. Being a part of a team is super important to me, and everything I failed at, which is a lot of things, so I'm grossly incompetent.

Warning: concepts and thoughts are based on anecdotal experiences from building application security programs at places like 1Password and all these other fancy companies. If you disagree with it, it's perfectly fine. If you need to email me and complain about my talk or any views I have, that is my email address. If you find me abrasive and sarcastic but somewhat charming, you are correct. And if you hang toilet paper over the back of the roll, please leave now; you're not welcome in this talk, because you're a psychopath.

So what can we think about here? Syllabus. This is what we're going to run through. I don't need to read all this stuff, right? But these are things that... and you can grab my slides, just hit me up on LinkedIn or whatever, or maybe we'll put it on the website, I don't know how BSides Augusta works. But I have a bunch of this stuff in here, and these are great blueprints. When you're thinking about it, it doesn't go for just AppSec; I use this for everything, because I build out programs and teams at our company. I love hiring and that kind of stuff too.

Okay, what is AppSec? Application security or product security is a team program designed to protect all of the code you own. That means everybody that has code should have an AppSec team, no matter how small the company, unless you farm it out, which is fine too. That includes the code your engineers write as well as the third-party libraries and open source tools you use. Yes, if you hack together a bunch of crap using every third-party library known to man, you are still responsible for that. It's also the tools that you use: you're running all these open source tools, there's a vulnerability in there, you are responsible. It's a strong relationship with engineering and C-level stakeholders. I know I look like a cartoon and someone who does not speak well; I've spent most of my life chasing surf around the world, I'm not like a normal human, and I can still speak to the C-level every day, and do. It's internal sales. You are selling to your engineering team, because they don't like you, because you're the [ __ ] who said their code sucks and now they've got to fix it, and they said "I spent seven months building it that specific way because I thought it was right." That's a big hurdle to get over; we'll go through that, don't worry. It's a smart use of tools and testing. I should have bolded "smart" there, because everybody throws every tool they can find, especially open source ones, at that stuff, and that's not really the way to go. It's an understanding that if business doesn't flow, there's no product to secure. This is a huge issue in AppSec, and we're starting to mature in a way that's really interesting, and we're seeing that we are actually a part of the business: if we don't produce profit, we do not get paid. So we can't just roadblock everybody; we have to relax a little bit. I can't just push my glasses up and scream. It's not old-school grumpy gatekeeping. If you're that guy, stop it; no one likes you at all, especially people like me who come from outside the industry. I worked in construction for years on the engineering side of things; those guys exist there too, and no one liked them there either. It's not dumping a thousand vulns on engineering and saying "fix it." I do consulting with my company, it's called Honey Badger Engineering for a reason, because it's just ridiculous, but any time I get pulled into consulting, that's what's happened: they started an AppSec program, they said "screw you, I ran SAST." Yelling when something can't get fixed right away: you have to be the nicest person in the world, or at least be sarcastic enough to convince people that you're nice. Building a wall and starting a war with engineering, that is how you ruin a program immediately, and I've picked up the pieces from multiple people who started it that way, because they were way better at AppSec than me, but they weren't good at this side.

Why spend money here? Yeah, there's a lot of memes, I'm like 12. I'm really older than I look. In 2020 the average cost to a business affected by a data breach in the United States is 8.64 million. That's a lot of money, especially since half of cybersecurity companies, in my opinion, are vaporware, and they're put up by VC companies and they're just trying to get absorbed. So if you lose money and you don't make money, guess what, your doubles suck. So reputational damage can be far worse than the original dollars lost. I am huge on this, so I threat model companies a lot of the time and do SWOT analysis for their space, because I have a nerd on the side for business, which is very opposite; my day job is very nerdy, but I nerd out on how business works. The two big companies I've worked for, which were 1Password and Red Canary, I told both of them their biggest fear shouldn't be the data actually lost, which would suck, I mean obviously; it's if anybody ever lost trust with them, because people trust their password manager, and they really trust Red Canary, they literally have all of your telemetry from every single endpoint you have in your company. So it's a different kind of way to start thinking about it. It's estimated that we lose 250 to 600 billion dollars of intellectual property being stolen every year. That's why you go to China and you see all the BMWs, but they're not BMWs, and they weigh like 6,000 pounds. It's very strange. Hopefully your insurance mandates it. I know insurance is a bad word, but it needs to; we need it for policy and regulation and stuff, not in the real world but in cybersecurity. It's not 2004 and you're a damn adult. That's my favorite line in this whole thing, because I keep telling myself that every morning in the mirror; I try to tell myself that.

All right, first one, let's go over hiring. Controversial take: soft skills are more important than being an SME. I know this is really weird, I know, exactly. If you didn't hear the breath on the recording, it was there. Hot takes are so hot right now. If you're a jerk, nothing will get done in AppSec. This is not pentesting. I love pentesting, I'm an offensive security guy; if I could just break crap and laugh all day, I would, I mean it'd just be amazing, but that's not the reality. Your first hire, in my opinion, oh, this is my opinion, right, I'm full of crap anyway: a 50/50 mix of amazing soft skills and application security. If you can find that one guy or lady or whoever, it's going to be... I don't want to tell your principal engineer, but whatever, everybody needs someone that's going to mentor well. You need that person to be balanced. If they're just super technical but they suck at talking to people, they will not mentor well, I promise you. And if they're not technical enough but they're really friendly, well then they're going to look stupid in a meeting at some point if they're in the upper range of people. I've been that person multiple times. A high level of understanding of AppSec, that's okay. Around the people that I work with, I work with some of the best engineers, in my opinion, in the world, I would say that I'm non-technical. I'm obviously technical, I code and I break and all that kind of stuff, but Matt Graeber is one of my colleagues; I am not sitting there finding new DLL injections from Microsoft before they hit the market and that kind of stuff. But I have a very good overarching understanding of how security works, because I'm a bad guy, and I loved that part of it. You don't need 10 years of dev experience. Stop trying to find the unicorn. Everybody's like "I want to get that senior web engineer who fell in love with security and works 10 hours a day and then studies for four hours a night and never talks to their family, that's the guy that I want, and I want to do it for a hundred thousand dollars a year." That person does not exist, and if you do find him, guess what, someone like Dragos or someone else is going to grab him and pay him a quarter million dollars a year, and you're like "dang it." So don't look for that. You need to find people from everywhere. You need to find good bridge builders. This is a huge, huge, huge deal; it's such a hard skill to find. It's very easy to burn bridges, but you need to look for that in your interview process. And I'm the extrovert that adopts all the introverts in my company. Quarterly hackathons, we all meet up in Denver, I take everybody that doesn't have friends, basically (they have friends, but not in the office, right), and I take them to the bar and buy them steak and make them get drunk and talk to people. And that's also kind of how I pair up people on my team. If you get someone who's just this awesome software developer and they want their soft skills to work, you need to buddy that person up with someone who's going to let them grow, and they'll grow them too. I have a guy who wrote half the code for Semgrep on my team now; I'm very thankful I stole him, but he helps me with my deeper Python understanding, and I help him not tell engineers they're stupid. It's a mutual relationship and it's wonderful, and we're good buddies. If you just walked in, I'm super sarcastic; I don't really call my engineers stupid, they're way smarter than me. AppSec has insane salaries; you probably can't afford it. If you can, then build a better team than me and do the talk, right? I wish I could just pay everybody a quarter million dollars. And this is just a plug for me: funny, sarcastic people can be great bridge builders. We work primarily with engineers; it's a different audience than traditional infosec, and that's really true. GRC people, corpsec people, in my opinion you want a different personality type; they are more the disciplinarians, and in reality because they have to be; they can enforce those things. If you're downloading some sort of malware porn thing on your workbox, then you should be told you're being stupid, right? That's nada. But if you're dealing with super smart engineers and you're like "I just don't think we should use that library," you shouldn't be forceful; you need to learn, it's a different vibe. Yes, that is literally... I have a baby about that old; I think she made that face at me earlier, and I never noticed that.

So, hiring, opposing view: hire rockstar security developers, fix all the bad code. I have friends like Jim Manico and all these super famous AppSec people who are all developers, and they're like "no, we don't need AppSec teams, we need real security developers, and they go in there and they fix everything for everybody and that's their job." And I'm like, well, one, if you get a really deep code set like we have, unless you're in that deep every day, you have no idea what's going on there. People should write notes in their code; they don't, so no one knows what's going on; you're just trying to figure things out and you don't have time for that. But two, that does not scale at all. So even if you can find them, it's very hard, there's not enough of them, so it will never scale. That's great when you have 100 people, right? What about when you have ten thousand and eight thousand of them are developers? We have to be able to scale at AppSec, or you end up like all the other companies that get breached because they don't have web security, right? What else did I write here? I forgot. They can easily become a block for engineering; I see that all the time, because it becomes SME versus SME. It's like "I'm smarter than you" and "I'm smarter than you" and everybody's so smart, and then nothing gets done, and then everybody's like "I don't talk with that team now because they're dickheads." That's your biggest fear; that's how you should go into AppSec: we want to be the cool guys.

Okay, so this is a big deal for me: leadership. I'm really, really, really passionate about leadership, because coming from multiple industries and coming into a leadership position in security right off the bat and being in tech, leadership sucks, especially in security. And I have some great friends of mine I've had some hard conversations with, because I see how they lead their teams (not at our company, we're just friends), and I'm like "you're a dick, don't do that, you need to change things," and they don't even get it. A lot of people were just really good at what they did and they got put into leadership, and that's not necessarily the best skill set for that. So this is where many teams fail: a good security person isn't necessarily a good team leader. If your team leader doesn't genuinely care about the individual's success as well as the team's, you get shitty middle management, and there's so much of it as far as the eye can see; that's the meme I should have put there. So don't ever forget that. Your HR team, this is their job and they forget this, needs to build out paths to success for individual contributors and people leaders. Such a big deal. If someone can't get to principal and make great money, the only way to make good money is to go into leadership and people leading, but they suck at people leading; guess what, everybody suffers for that. So have hard conversations with HR people about this kind of stuff, because it's important, especially if you want to retain talent, because talent will leave in a heartbeat.

So, my things. Servant-minded leadership: this means your customer-focused team. You're leading your team, so they're your customer, so you're customer-focused all the time. You're actually focused on your team members' success, and leading from the front, doing the work. You're the block person; you're not throwing your team under the bus. If your team screws up, you take the hit. It's hard stuff; it's really difficult to get your brain around that sometimes, especially when they do something really stupid. But everybody around me... and I'm not even the director right now at our company, I'm actually some weird shitty middle management thing, but I care about all the guys on my team. I guess I'm the lead engineer or something. When we have one-on-ones, I'm actually asking them, "hey dude, what do you want to do? What's going to be interesting? Where do you want to go with your career? How can I help you with that?" Even if it means them going somewhere else. These are real people; it's not just about you and the company. But when you do that and people see the sincerity of it, they bust their ass for you. Not only do they do that, but they do better work, they feel more comfortable, and there's not this "I have to get over this person on the team and I have to be better than them" and blah blah blah; it cuts all that crap out. We have a very honest company. I just turned down a giant pay raise to leave my company and go do a CSO job somewhere else, and I won't, because there's such good leadership there right now. So it's trickle-down.

Humility and honesty make up for not knowing everything and give the team the chance to shine. Oh man, if you can lead from the front with "I don't know, does anybody else know the answer to this? I don't want to make the wrong decision here," and you give someone else a chance to step up and show that they knew something there, it's such a big boost, especially for younger engineers. You've got guys in their 20s; that means the world. I've actually had guys Slack me after meetings and be like "dude, thanks for giving me the chance to talk about that, it meant the world to me," and I'm like "cool, yeah, I didn't know and I didn't want to sound like a dick, so I said I don't know." It's always worse to try to be the know-it-all boss guy. Honest visibility: be open about where you're crushing it and where you need help. Such a big deal. My team is very mean, in a loving way; we're all actually tight, we make fun of each other constantly, but we're also incredibly honest with everything. When we know we suck at something, we're just open about it, because we don't worry about getting fired, because we're all tight; we're not trying to throw each other under the bus. When it comes to some of my code, I'm like "my code is trash, please don't look at that, you can go fix it, I'm going to go run a tool and make some speech somewhere and then we'll be good," and they know that. Taking responsibility for your failures, and learning to care about other people, which is so difficult. Have you guys met people? Have you ever driven a car? People suck, and you have to somehow care about them every day as the boss. That is so hard to do. Just driving from Rome, because we were evacuated (our families are from Florida) and stayed at my buddy's house, to drive over here to do this talk today, I have my kids in the back and I'm trying to hold it together, like I'm gonna murder half the people on this road because people are driving like idiots, and I have the kids in the car. And then I always think about this, and I'm like, these are people, real people; I somehow have to care about them. I don't know how to do that right now, but when it comes to your team, people are going to be butts, and you just somehow have to be like, "okay, well, I'm bleeding, and this is servant-minded leadership, which is I'm just going to figure out how to make your life better." It's where you stop being a butt, and I'm gonna tell you you're a butt, so that's an important part of it too; it's that honesty part. This guy haunts my dreams, because the first, actually both companies that came in, there was
this guy and this guy bu