
Building World Class Security-First Engineering Culture - Roman Zhukov

BSides Galway, 51:15, published 2025-03, 30 views

Transcript (en)

Okay. The other day I had a conversation with an engineer in the company, and they asked me for advice: how to get rid of these 10 JIRAs that the security team assigned to me, and by the way, I have the manager's support for that ask. That's what we typically have in pretty much a number of companies, right? Welcome to the talk, everybody. So excited to be here for the very first BSides Galway, and today we will be talking about security-first culture, especially when it comes to tech companies, to engineering companies or engineering teams. My name is Roman. I work for Red Hat, but today all the views and opinions are my own, please don't sue us for anything.

A bit of background on myself. Right now I'm doing security and community engagement at Red Hat. I also support a number of open source projects and initiatives as a security champion and architect. I am an engineer, essentially. I'm also engaged in standards, compliance, mentoring a few startups. My career started long ago, and I did a number of good things, all in security: I broke and I secured software and IT systems for enterprises. I worked for Intel until just a month ago as head of product security for the Data Center and AI software business group, and most importantly, during my career I educated thousands of engineers and I'm still alive, can you believe it? I'm also really excited to do some nice things. My passion is to create world-changing technologies that are used just for good, not for bad, and I do some sports stuff: I play for the Guardians volleyball team, my greetings to the Galway volleyball team located here in Galway. And this picture at the very far right, I think, is from one of my camping activities just right there in Connemara, a beautiful space.

All right, so why are we here? One reason is this beautiful statistic, or rather report, that came out of a company called Jit.io. They did a survey, and the question was: what are the biggest challenges you face when it comes to securing your own code? And, you know, complexity of modern architecture and applications, of course that's the case, but lack of knowledge, training, guidelines, lack of priority, these things are in the top three. Who of us would like to do some extra work, especially on weekends and in the evening, especially when you don't know what it is for? Okay, I see one person wants to do some extra work. Great, I will come to you, I need some help with my backlog. And how many of us just want to do some exciting work, build great applications or great projects, or do something wonderful? So, a lot of us. That's what hopefully we will be talking about today: doing something wonderful.

One of the other questions, or the quote that was there: the biggest issue was that the product team or engineering team is always trying to get features out, so we don't really focus on security unless we are under the gun of compliance, right? And this is obviously a good leverage, but my experience told me not the best one. The other quote is: my organization prioritizes shipping as fast as possible over security, because other guys are pushing for things to get shipped faster, performance review, and we are overwhelmed, etc. Yes, that's what we have, and still have, in a number of companies. But what we all, as engineers, as developers or other contributors in the industry, would like to do are quite obvious things, right? Have some fun, not struggling with things. We would also really like to use a familiar environment and tools that are supportive and non-blocking, keep up with cutting-edge technology, innovate, do some good stuff, solve our own team's challenges, because we belong to the team, right? We want to be team players and do something that's valuable inside the team, and most importantly, be proud of the work and feel valued in the team, in the department and in the company. Let's think about how we can make it all happen.

Another portion, I really like this report, and you can check and download it. Another question was: how would you describe the collaboration between the development team and the security team at your company? A very interesting question, and that is really challenging sometimes. This is the scale at the very bottom, from 1 to 6, where 1 is excellence and 6 is we don't even have a security team. And you can see that 3, 4, 5 and 6 combined are kind of the most popular answer. That's okay, it may be somewhat fair, but still not at the best and excellent level, unfortunately. Now, what could solve all our problems and resolve all these tensions between security and the team? Security-first culture.

What does security-first culture mean? Actually this is a really complex process, I would say. Quite obviously this is not a state, right? As we usually say in security, security is not a target, it's a journey, and that so much applies to security-first culture. That is not something you can achieve in minutes or in a week or in a year. This is the picture of how we saw it at Intel, for example, and this is quite obviously complicated and combined from other things like rating and training, automation, standards, customer outreach and other kinds of pillars. If you wonder whether it applies only to big companies that have enormous resources to kick all these programs off, I will try to debunk this myth, and we will see some simple examples of how you can really boost your security-first culture even though you don't have a lot of resources, for example how to start.

First of all, security starts with the management. Often, when I was in charge of security, I had a question like: show the value of what we are doing; or, you know, we have this big hole in APIs, so what? That's often the case, and that's why security becoming a permanent part of the engineering leadership agenda comes into play, because if it's not on the agenda of our leaders, of our managers and beyond, if nobody talks about that, it becomes less valuable naturally, right? So we just need to do exactly the opposite: show customer wins, quotes and money, of course. There are 1,001 ways we can quantify security, and outcomes of security are not that easy, it's all complicated, but we can just show the little examples from the top down, from the leadership level to all of the teams: hey, we just did this nice security hardening, or we actually mitigated this vulnerability before it became available to the nice pentesters out there, we saved money; or otherwise we have this quote from the customer that says, okay, that's a really good job to improve the security posture of the product, now we trust you, or we trust your product or project even more. It's very important to show it explicitly, in simple words.

Now, focus on how security can help overall project health and developer practices maturity overall. Actually, quite a number of times I've seen that security helps to build good processes, good engineering processes themselves, unrelated to security. It could be quality, like an obvious ally of security, but it also could be just good engineering practices: how you write your code, how you deploy your applications, whether or not you have good documentation or blueprints or whatever. And security can help with this, just to make your product better, and not necessarily more secure, right? It's a nice additional positive outcome which could be a driver of security-first engineering culture.

It's good to engage trusted engineers or persons highly valued in the company or in the team. Again, I have seen it plenty of times in my career when nobody talks about security, and then some big voice comes and says: hey, actually this is a good job that seems done, like closing the gaps in security, or these are good improvements that we plan, and it would be nice if we collectively come and invest a little bit into the security efforts. This really matters, but it is often underestimated, bringing these people into the dialogue.

Break down simple examples from the very right. And this could sound a little bit controversial, because sometimes, or many times, we say, okay, shifting security left, right? This is a nice term, but I think this term is a little bit overwhelmed under marketing and everything. So, simple examples from the right: for example, if you can come to the engineering team and say, hey, show me how your application is deployed in production, and, you know, what could possibly go wrong with that, or ask specific questions about those APIs or website or whatever is publicly facing, and try to start this dialogue, then break it down to some additional questions, saying, okay, how can we now make things better? And slightly move from the right to the left, but showing simple examples. Otherwise, again, it's all by experience: if you come to a team and say, hey, now we use these static analysis tools, or we use this software composition analysis, this new cool tool that we bought from a respectable vendor, and now you should spend an enormous amount of time to implement it, and probably I will tell you later why, but you know, it's under compliance, something like that. It works, but it is not helping to build the security-first culture, to be quite honest. I'm not saying these tools are not valuable, but examples should always be shown. And maybe this is an issue for us as security professionals: we also need to prove, right, and we can't get rid of it, unfortunately. We always need to prove, and the simpler we do that, the easier we can persuade somebody to follow our practices, or the good practices that we try to bring into the teams.

More to the examples. All the examples are inspired by true stories; I have even some numbers, not necessarily related to some of the companies, but inspired by true stories. I had one case study: a development team struggled with prioritizing security documenting and review activities over some cool features, like modern SSO, single sign-on, a feature that they were building into their products. As we all know, documentation, and especially security documentation, may not seem like fascinating work and is often overlooked. But earlier the team was advised to reserve just a fixed 10% of the time, and that was for the first lap; then they secured a lower amount of time, like 5% permanently, for all the development functions to do some security work. And this is actually a great example of how easily you can try to make security happen, because often development teams say: hey, show me the task, give me the task. But you don't necessarily know what tasks there could be over the software development life cycle, right? So reserving a fixed amount of time actually could be quite helpful. The outcomes of this case study: using this 10% of time over a couple of weeks, let's put it that way, the development team itself, with the help of security engineers, created a threat model and reviewed it with security engineers. Also, they collectively found a web authentication implementation which was really an improvement from what the development team thought before, with the best open source SSO tool that was available at the time. And actually it later saved around 30% of security development tasks, and it's explicit for everybody, because it brought improvements, it brought some kind of value to the product itself, and also it saved some of the tasks that I referred to at the start of my presentation, those 10 JIRAs. They were able to cut them, because a threat model eventually is made for a good reason: to reduce unnecessary work, and to see and to show the value of the security actions that the team needs to perform.

Now, it started with management and all this process stuff, but then it continues through security champions. This is a topic that deserves a couple of hours itself. I was building security champions programs for quite a few companies in my career, but in a nutshell, who are they, security champs? They are just good persons, just good engineers who want to be, or ideally already are, authorities, influencers, developer advocates or engineering work advocates inside the team. It's better if they have split KPIs but report to the business or engineering unit. And again, I saw a number of fails when security champions were assigned from an independent team, from product security or from the security team, to the engineering department, so that they are not in the department, and that's it; and vice versa, when security champions just don't have enough exposure to the security team. So it should be split KPIs. They adopt corporate policies using an engineering-centric approach. This is very important: to empower your security champions to be those adopters and those enablers that could truly say to the team, or switch this style of work from "no, it's forbidden because of the policy or the regulation" to "yes, let's do it our own way, but our secure own way". Again, it's often underestimated how much effort it could save just to have security champions on the team, saying: hey, this is the good way to do things, it's our own way; this is not how the product security team told us to do that work, it's our own way, but it's a secure way. It's kind of a cultural thing, and teamwork, and this is very important.

Security champions should be empowered to say no to our team, to the security team. It's probably a little bit dangerous to say no to the legal team inside the company, but they should anyway be empowered to say no to the maximum number of other teams, providing the reason. And that is how I've been building security-first engineering culture at Intel and other companies: hey guys, we just don't do these particular tasks this way, because we use different technologies, for example, or we use a different approach in our team, or our DevOps tools or our programming languages are different, and we do it that way, and this is the reason why. So it helps you to build trust between the engineering team and the security team; otherwise they are not going to trust each other, and that actually remains a big gap, as I see in companies. I've worked with a few companies out there, and I see this kind of lack of trust: they don't trust each other, and that's why they try to push some things that maybe don't make sense. And the best security champions are grown from the engineering team, to be quite honest. I mentioned this example when they were assigned from the outside, but again, in my experience, the best ones are really grown inside the team, and curiosity is the key here. Again, this is a topic for another couple of hours: how to foster security champions, how to find these folks inside the teams. But I think curiosity is the key, the one thing that, again in my experience, attracts security champions. I think in my career I was growing up to 100 security champions overall, and most of them were really good engineers with the curiosity of how to do things right, and that's the key that typically helps, rather than, again, trying to assign somebody from the outside.

One related example, also based on a true story. A team had the lowest secure development metrics. You know, especially in big companies, we all have secure software development life cycles, and we have our security risk management teams, etc., and we love our metrics: we measure teams and we try to see, hey, this team is doing good in terms of security because of some of the metrics, for example whether they don't breach the policies or the tasks, or they do all the necessary tasks that we assigned to them; other teams maybe don't do these tasks, and this is a fail, something like that. So there are different metrics for how we measure different teams, how they do their day-to-day job related to security. And the formally assigned security person was replaced by just a middle engineer who desired to pursue a security pathway, and I will be talking about this a little bit later, about this desire to grow in security as a driver, as an inspirational driver. Now, the results for this team. Remember, they had some of the lowest secure development metrics or maturity levels inside the company as a team. As a result, it turned out that the team worked around some of the security checks, because, okay, I misunderstood the description of the security task, for example, or the security check, or I thought that one was too heavy. And this new security champion helped to leverage some automation. Automation is of course also a big helper in all security-related stuff, and some open source scanners even provide auto-mitigations for some of the stuff in our modern world, when we have all these thousands of CVEs coming up for all of our projects, like Log4j. By the way, I was this person who was called on the phone; do you remember this nice picture from the previous talks, when there was a dinner, and they said, okay, we don't want to be this person who was called on the phone while having the family dinner in a nice restaurant? I was this person in Log4j times, when this vulnerability came, asked to handle all this disaster. But yeah, as a result, this security champion helped to build a nice level of automation, and then even conducted team training to tackle the most important question: why, or so what? Why should we do this additional security investment? So they showed them ROI, right, return on investment, the value that this kind of engineering work essentially brought to the team. So I think that's quite an important example.

Now, make security easily accessible. Probably this is also related not only to engineering teams specifically, but I especially want to highlight it in the context of engineering or IT teams, because security awareness for the overall company, from the InfoSec perspective, for the average worker of the company, I think is at a quite high level of maturity right now for almost all medium and big companies. But when it comes to transparency or education or awareness for engineers, it's all quite a mess, right? Because we do our own things, that's what we are made for, to get our hands dirty in some engineering stuff; why should we listen to some other guys and do some silly things? Make security easily accessible by establishing a security portal, one entry point for all the questions. Again, even for medium and big companies, that's not often the case, when you can find all the information in a one-stop shop, where all the engineers can come and say, hey, this is the information I'm looking for: how to make this task, how to make this scan, why do I do this security thing, what about compliance, etc. So this is very important.

Regular newsletters, and being transparent to all. Also, I believe this is a heritage that we are carrying as security professionals, because historically security is such a closed area, where we don't often talk to each other or to somebody else, because it's a sensitive topic; it is often perceived to be a sensitive area, not really transparent and available for everybody. But just a newsletter, just to show your friendly face to the rest of the team, is really good. And again, I've done this within a number of companies, specifically a product security newsletter, which shows not only your friendly face but also something that matters for the team. It's not about "okay, tons of hacks are happening outside, this is in the news", etc., but something that really could be personalized to the team: hey, this is the hack that happened, and these are the top three measures that we are doing inside this company that you as a team can apply right away to prevent it moving forward, for example. It should be personalized.

Meet developers where they are, utilizing existing established development and DevOps environments, CI/CD environments, etc. This is also a question about accessibility, not an easy one, but especially when you start your product security program, or if you don't have hundreds of people working on the security team, it's quite useful to utilize the native features of the existing developer environment. Even though there are tons of tools available out there, the security features incorporated in GitHub or whatever tools you may use could be quite helpful to start with. Another tip coming from the practice standpoint: set up an ask-me-anything, even starting with an anonymous one. I did this experiment a couple of times, and again, this probably comes from the lack of trust, or in anticipation of punishment by the security team, for the developers and for the others: okay, I have this problem in the product, but what if I come to these policy guys or to these security guys, what would be the consequences? This is lack of transparency and trust. So you can even set up an ask-me-anything in an anonymous way, besides your regular office hours for the engineers, and I'm sure you will be surprised how much increase you will see in reporting of these questions, these concerns, these issues. And actually this is one of the greatest metrics of a successful security-first culture inside a company: when engineers are happy to report anything related to security openly and transparently to security teams. Tailored role-based training pathways and interactive labs also help. And yeah, you can even use these fancy chatbots, and with all this AI coming up, it's actually becoming easier and easier to do simple things like ask me anything about security, or let's do some exercises, let's do some fun stuff. Fun stuff will be on the next slide. But a tailored approach actually works, as opposed to having one yearly product security training, which you most probably have along with your safety training, legal and compliance, code of conduct, and between all these trainings this product security one is, I don't know, boring stuff, right?

Now, make security valuable and appreciated, one of the most important things. By this I mean bake security into the corporate recognition program. Oh my, I've seen not that many positive examples of this simple step, to bring security to the regular corporate recognition program, like whether you do this "thank you" program inside the company that could be converted to some perks, like, I don't know, gift cards or something, or just recognition by the management. That could be very nice, it's very visible, and it is simple to bring security stuff into this. Also, it would make sense to make it part of that, or make it a separate recognition program for security; it's more for big corporations, but still would work. Embrace collaborations outside your team, that can boost networking for the engineers, so that again security is more valued, because it's all about networking. Typically for engineers, if they're not security engineers, they're normal engineers, security adds additional value, provides you an additional networking opportunity to work outside your normal team, which is good for a career. Speaking of career, show career paths advanced by security. I've seen a number of cases when security helps you to grow as an architect, a principal engineer, etc. Security contributions: show that contributions to hardening and testing of the product, overall quality, are always desired. This is very important; as I mentioned at the very beginning, stick security as a cultural thing to other values that are inside your company, like: are we here to build quality products? Show them. Include it in team and manager KPIs. It could be a hard thing; that is not the first step when you're building your program, but as it evolves, it surely needs to be included into the overall KPIs at some point.

Fun beats formalities. Do fun stuff around security. CTF is a great example, right, where we are having fun; why don't we bring these types of things inside the company and try to do some fun? Company-wide competitions always boost engagement, because we as humans naturally want to compete, want to be recognized for something. It could be some simple things. In big companies we do some belts programs, for example, like security belts, where you go over the stages within your education program: you solve some stuff, and then you show up, you do some labs, and you grow, and then eventually you are recognized as a more and more important security person inside the company, with all these fun secret pages, etc. Again, this is more for big companies, but it could be a simple start with simple things. Security challenges with leaderboards, like CTFs happening there, are also a good thing. Practical exercises like hackathons, advanced labs and classes for practitioners. We're all engineers, we all like to do things, to do real things instead of listening to endless trainings. Probably trainings are helpful, but not all the time, right? We want to do things. And advanced labs and classes for practitioners, targeting some specific areas, technology areas, specific programming languages, or clouds, etc., could really help with this cultural journey, instead of just "okay, this is a compliance-only thing". Train-the-trainers, scale champions, is also good stuff: find some persons who then want to teach others, to be the trainers, to be the champions.

Another example from practice that I wanted to bring up here: an engineering team with more than 1K headcount and 12 types of different engineering roles, doing many projects or products over five programming languages. Quite a mess, isn't it? And they had only one yearly training class for everybody, like I mentioned, along with ethics and compliance; less than 10% completion of optional security training, and the feedback for that was like: all right, it's okay that we need to do these security trainings, but, I mean the feedback from the trainees, it's quite boring still. Now, after the improvement: there was a role-based training program implemented. As I mentioned, that's quite useful to implement, role-based, because one of the common things that I get in my practice from the engineers is: it is not related to me, why do you show me these security trainings, I don't do this, it's unrelated. So with role-based trainings it's all different. And even if you can put some automation in place and say, hey, which of these trainings from the list do you want to take, and they take it on their own, based on their expectation of what would be more relevant for them, it would be good, because they will learn at least something from one of the options provided, and then of course they will feel more empowered to take the decisions: okay, I'm taking this training, not like you mandated me, but I decided to take it. And the feedback was of course better for these types of improved educational programs, and relevance was better, and there was an increase in requests: I want to learn more, these kinds of trainings tailored to me, like, I don't know, specifically web security trainings, were so valuable to me, I want to learn more about how to hack APIs or how to hack this React or something.

Now, results. You cannot trust me, right, because it's like, okay, that's all the good things, but what results did other big companies actually have after these improvements? These are two pieces of statistics from Intel's annual product security report, which is accessible, you can download it: the one for the previous year and the one for two years back. More than 90% of vulnerabilities found were found inside the company by the employees before they got disclosed publicly to their audience; another percentage was reports from external reporters. But this means something: a lot of stuff is really found inside. Another example, this time from Red Hat, from our product security risk reports; the current one is for the past few years, but it still shows the dynamic, so you can have an idea of how it was improved all the time by investing in security and in security culture also.

Now, you may ask me a question: this is all really heavy, right? I don't even know how to start, because I need to do these training classes, I need to go to my management, I need to do this, I need to do that; it's only applicable for big companies. How to start if you have zero resources, or you have no idea how to start? We can start with this class, for example, which I also helped a little bit to develop. This is a free class by the Linux Foundation, Developing Secure Software, really basics but really well made, and it can give an example to almost all developers of why security is important. It contains some labs and some practical exercises that they would need to take, and again, this is free for everybody. You can just take this class and promote it inside your company, and this alone could be a really great step if you don't have any resources or any idea how to start. Simple things.

Key takeaways. A security-first mindset, especially in engineering teams or IT teams or tech teams, is quite a journey, but it all starts with leadership: get executive-level buy-in and keep explaining why. Equip them, I mean high-level management, with the information and the ability to say why we do this and why it's important, with certain examples; I showed you a couple of examples before. Give security champions freedom in tools and processes. That is controversial, right, because again, especially in big companies, or in companies that are highly regulated, we can't really say, okay, you are not doing PCI DSS right now for the bank; it's impossible. But be creative and give security champions freedom in tools and processes, and you will be surprised by the good results. Again, it should be taken carefully, but it's proven to be more successful than mandating what to do necessarily: show how, show a couple of options, and let them try to do it their own secure way. Be transparent and developer-value driven, and encourage reporting issues. As I said, it's quite necessary to invest into security marketing inside the company. It's a separate skill, but it's really necessary to show the rest of the company that we at security do something, that we are human beings essentially, because otherwise you saw these tigers and others, right, early on. Be creative beyond yearly corporate training with your programs; there are tons of ways to have fun with all this stuff. Collaborate with people, get them together, try to find the allies, try to find the good engineers that want to learn more and want to just do creative and new things. And remember, world-class security culture starts from simple things; it's not something that is overcomplicated, especially the first steps. But specifically for engineering teams, they all should be, or must be, engineering-centric. That's a key point that is still not often the case for some of the teams that I see and that I talk to.

And now I have a quick bonus for you, to wake up a little bit on this afternoon. What do you think, I mean, what we have been talking about, all of this security education, and also we have been talking about all of these hacks and

stuff that happened in the wild right pretty much all the day uh what remains what do you think the root Coast or as we call it uh cwe right a common weakness enumeration for the most exploited in the world vulnerabilities over past decades I put the because of course it's based on some of the reports which you know which may differ from report report but what do I think what remains um the the root cause for the most exploited in theice uh we we saw this a couple of hints in the previous talks cwe name one people uh good one okay anything else that's also good um good stuff sorry absolutely of course we can't

blame blame people for everything but um but yeah this is improper input validation could you imagine that this stuff that is a root C for like you know uh a number of uh Bridges all all of us like when we have lack of Access Control it eventually came um uh specifically from improper input validation which remains a most common weakness for uh in this case in this report for uh the over decade right so uh that means the two things that um pesters will have job and that we are not done with the security education and security culture as we can still uh get this input validation at the the best level uh inside the engineering team so uh a

long way to go but I think we're on the right direction all this um and let's chose secure the first engineering Centric culture and afterwards we can watch all this big stuff thank you
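The point above, that a lack of access control is usually improper input validation underneath, shown as an added example that is not code from the talk, Red Hat or Intel. The report store, user names, file contents and function names are all constructed for illustration; the only assumption is that the caller has already authenticated `user` and that `name` is untrusted request input.

```python
# Added example (not from the talk): a missing input-validation step turning
# into an access-control bug, and the same operation hardened. Everything
# here is constructed for illustration: the report store, user names and
# file contents are made up, and the function names are the example's own.
import re
import tempfile
from pathlib import Path

# Constructed sample data: each user owns one directory of reports, and
# there is a file outside every user directory that nobody should reach.
ROOT = Path(tempfile.mkdtemp(prefix="reports-"))
for user, text in (("alice", "alice's Q1 report"), ("bob", "bob's Q1 report")):
    (ROOT / user).mkdir()
    (ROOT / user / "q1.txt").write_text(text)
(ROOT / "secret.txt").write_text("admin-only data")


def read_report_vulnerable(user: str, name: str) -> str:
    """Intended rule: an already authenticated user may read only files in
    their own directory. The rule is encoded only by building the path under
    ROOT/<user>, and `name` is used unvalidated, so "../bob/q1.txt" or
    "../secret.txt" walks out of that directory: improper input validation
    (CWE-20) becomes an authorization bypass."""
    return (ROOT / user / name).read_text()


class InvalidInput(ValueError):
    """Raised when caller-supplied input fails validation."""


# Allow-list for a report name: one path component, ASCII letters, digits,
# '.', '_' and '-', must not start with '.', at most 64 characters.
_REPORT_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_report_name(name: str) -> str:
    """Accept only names matching the allow-list; reject everything else
    (path separators, '..', empty or overlong names, hidden files)."""
    if not isinstance(name, str) or _REPORT_NAME.fullmatch(name) is None:
        raise InvalidInput(f"invalid report name: {name!r}")
    return name


def read_report_hardened(user: str, name: str) -> str:
    """Same operation with two layers: validate the untrusted `name` against
    the allow-list, then confirm the resolved target is still inside the
    user's directory (defence in depth against anything the regex missed,
    e.g. a symlink planted in the directory)."""
    name = validate_report_name(name)
    user_dir = (ROOT / user).resolve()
    target = (user_dir / name).resolve()
    if user_dir not in target.parents:
        raise InvalidInput("report path escapes the user's directory")
    return target.read_text()


if __name__ == "__main__":
    # The vulnerable version leaks data alice must not see.
    print(read_report_vulnerable("alice", "../secret.txt"))
    # The hardened version rejects the same input and still serves her own file.
    try:
        read_report_hardened("alice", "../secret.txt")
    except InvalidInput as e:
        print("rejected:", e)
    print(read_report_hardened("alice", "q1.txt"))
```

The validation step is an allow-list rather than a deny-list of known-bad characters, which is what makes it hold up: the regex says what a report name may look like, and anything else is rejected before it reaches the filesystem. The parent-directory check is there so that the access-control decision does not rest on the regex alone.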

I'm cautious on time, but maybe we can take, yeah, one or two

questions. [Audience question, partly inaudible:] great lecture... English not... so very passionate about the engineering, but I also... it's really, it's amazing that you build something... the very fact that in the AI part of that is...


Yeah, exactly, regulations help to some degree, and now with the CRA, for example, and the Act and all this stuff. Yeah, actually, at least I see that it will be helpful for us as security persons to show the importance of security education. You're right. Great. One more question? Sure. [Audience question:] Yeah, so there are some tools that we use; let's say, take the example of [inaudible]. Even, let's say, the security team or we found a vulnerability; it's a very long, or sometimes lengthy, process to fix that or do consultations. Are there alternatives? Like, [inaudible] is pretty robust, so I feel, are there

any alternatives where we can make this process smoother from the developers' point of view, like any tools or something like that? Yeah, that's a good point. I didn't mention any tools because there's a separate talk about automation and security tools. Yes, there are plenty of tools that you can use, both from the educational perspective and from the tooling perspective itself, to simplify some of the work. I would encourage you to look into what we are doing as part of the OpenSSF, for example, the tool set, these open source tools and practices that are all free, all open, that you can use right

away inside the company. Another comment: I'm not against great enterprise-level tools either, of course, but I think we all should think from the perspective I mentioned, "meet engineers where they are": if the tool is not that friendly for the engineering environment, it is not going to be used in the way you want anyway. So, again, try to use open source tools, there are plenty of them, and second, try to use the native features of the existing tools that are already inside the company. That's going to be helpful, right? Thank you.