
So I'm very happy to be here. When Patrick McNeil asked me to come and speak I was like, I don't know, and he said the theme is dumpster fire, and I said, I think I can work with that. I can work with that. So the title of my talk is "Security's already here, it's just unevenly distributed," and I'm asked a lot about, you know, are we getting better at security? You've been doing this for 20 years, are we getting better? And I'm like, yes and no, right? There are some places where it's better and there's a lot of places where it's not better than it was in the 90s,
so it's both, right? It's better and worse. There are places where you can build something securely or rely on something, and there's a lot of places where you can't rely on whatever the vendors or the companies you're dealing with are. So that's how I started thinking about it as unevenly distributed. And the quote is kind of a take-off of, if anyone's a William Gibson fan, I read Neuromancer, you know, in my early 20s; it was kind of a seminal book for me. He was the seminal cyberpunk writer, and I follow him on Twitter, and one of his famous quotes is "the future is already here, it's just unevenly distributed," which, you know, it's
pretty deep, right? When you think about that, it has to start somewhere and spread. And I thought, well, you know, if security is somewhere, maybe we can hopefully get it to spread. So that's what I'm gonna talk about today. I'm just gonna start off with this picture because I think it's so fun. If you don't know which one is in that Senate hearing room, that's me right there with the long hair. If you notice, they let us testify with our hacker names: see, it says Weld Pond there, and Space Rogue and Mudge, Kingpin, Brian Oblivion. And Senator Thompson, who I think was from Tennessee, was the chairman of the committee at the time, and he
told a story in the press the next day where his son asked him, you know, did you do anything interesting today, Dad? And he said, yeah, I had a hearing and I was questioning a guy called Space Rogue. So I think the senators kind of enjoyed it too. But, you know, the fact that they let us testify with our hacker handles was sort of like giving us some respect for what we were doing. They basically said, we know you guys have day jobs, and, you know, poking holes at companies like Microsoft could put your job at risk, right? It's crazy that sometimes that even happens today, but back in the nineties that
happened all the time, right? Vendors would pressure companies and say, hey, we're not going to do business with you if you, you know, are making us look bad, because that's what disclosure was back before today, where it's much more accepted. But the thing that we really did at the L0pht in the 90s was the concept of adversarial testing, which vendors didn't understand, companies didn't understand. They put their technology out there and they thought it was secure because they had authentication and authorization and logging and all the things that all the compliance people said that they had to do to have a secure piece of software. But of course it was riddled with buffer
overflows and just stupid logic errors, right? I found a vulnerability in Windows in the late 90s where, I don't know if you remember back then, but if you weren't connected to a domain you could have local user accounts on your machine, and you could, you know, have file shares like that, and there was actually a different authentication path it went through. And the way that they checked to see if your password was correct to connect to the share was to do a string compare, and when they did the string compare they used the length of the string that you sent them. So all you had to do,
if it was an alphanumeric password, all you had to do was cycle through single letters, A, B, C, D, and it would just compare the first letter that you sent to the first letter in the password that was stored on the system. So stupid stuff like that. I think that qualifies as a dumpster fire, right? We should have something that happens when someone says dumpster fire. But this was sort of, we were figuring out this way of using hacker techniques of, you know, reverse engineering, fuzzing, and just trying to do things that break the assumptions that the programmers had, to find vulnerabilities. That was the beginning, sort of, of vulnerability research, and that
got noticed by Microsoft, and they actually wanted to have a meeting with us and said, you know, how are you doing this stuff, like breaking our SMB protocol? How do you do that? And we're like, hey, we set up, you know, two machines and we sniff the network and we look at the packets and we try to figure out how it's working, and then we, you know, set up like a Linux machine to just send the right request that we think is going to log us in or let us take over a connection. And they're like, what's this Linux thing? You know, like,
they did all their testing on Windows boxes, where the network stack always took control and wouldn't let them actually really test their software. So they're like, huh, that's interesting, you actually look at the packets on the wire with another operating system. So we kind of started to teach them to do that. And this article here in the Times, where I'm back in the left there with the sunglasses, see, I cut my hair, Mudge didn't cut his hair, but that came later. So this guy, Larry Lands, wanted to hear about, you know, Microsoft's meeting with you: why is Microsoft meeting with hackers? And we're just kind of opening their eyes to, like,
you're not really doing any security testing. You're just not. You think you are. And then a few years later the L0pht, which I have bittersweet thoughts about, joined @stake, and we helped start this security consulting company with the whole concept of, you know, using good hackers to battle bad hackers. And the idea was, you know, we would sell our services and we would do code reviews, we would fuzz, we would do manual pen testing on applications so that vendors could ship, you know, secure applications. And I worked on several applications for Microsoft at the time. And so there was this period where people were not doing security at all, and people actually started
to do things sort of in the early 2000s. And I did that for about four years, and it was all manual, there were no tools to do this. And then in 2006 me and Dildog, Christian Rioux, founded Veracode, and the idea there was there's just not enough security experts to go around, there's just too many developers writing too many applications, there weren't enough people, so let's just try to automate all the things that we could automate. So that's where we came up with binary static analysis to basically automate code review, we came up with, you know, web scanning to scan applications, and other tools that would just really help
developers secure the software that they were building. So now we want to talk about, you know, where we are now, like, what are the problems. And when we testified before the Senate in '98 we famously said, and this was the sound bite that everyone latched on to, we didn't really know about sound bites back then but we got a lesson, was: we can take down the internet in 30 minutes, is what we said. And everyone was like, whoa, you can take down the internet in 30 minutes? And we didn't really want to say exactly how to do it, but we said, you know, we're gonna tell, like, the
people that could potentially fix this how to do it. And what we were talking about was the BGP protocol. So the Border Gateway Protocol is how different networks route traffic between each other, right? This is how the different routers talk to each other between different network systems, and that's actually what kind of makes an internet work, right? And it's totally open, it's totally unauthenticated. Some people would have filters that said, I'm only going to take BGP protocol over this port from these IP addresses, but a lot of places didn't have those filters because you had to manage that and it slowed things down, and it was just sort of wide open. So you
could just spoof BGP packets and tell a router that, hey, route your traffic through here. Well, what if you tell all the routers to route all their traffic through one place? That's not gonna work, right? And those were the things that we were talking about. So that was back in '98. Guess what, they didn't fix it. They came up with secure BGP, actually it was fixed by the IETF, there's a secure BGP protocol, but no one implemented it, right? Everyone would sort of have to implement it, and no one implemented it, because if you're backwards compatible what's the point, right? So everyone would have to go to secure BGP, and 20 years
later no one has done it, right? So even though the solution exists, no one has done that. And if you look up here, this is a tweet. I follow this BGPstream because, you know, I'm into the BGP protocol, and what they do is, whenever there's sort of an anomaly in BGP, in new routes that are published, they tweet about it. And you can see here that a US Department of Energy network is being routed through China Telecom. That's probably not the best route, right? So this still happens today. And there was an interesting attack. It's not
common that people use it for attacks, this is probably just to sniff traffic, right? But there was an attack using this in 2018 on MyEtherWallet. So MyEtherWallet is a place where you can, you know, store your Ethereum, right? And you can go to their website and you can do transactions with your account. Well, they were using Route 53, which is a DNS service by Amazon. Someone did a BGP attack on Route 53, so this is a BGP attack on Amazon. You'd think they would know what they're doing, but it's really hard to control this. They routed all the Route 53 DNS traffic through to their DNS server, where they were
publishing a new IP address for MyEtherWallet, so all the traffic went to a different website. They even registered a certificate for that website, because once they had control of the traffic they're like, hey, this is my email, this is my domain, I want to register a certificate, so it even showed up with the lock, right? And so this is a problem with these foundational problems that never get fixed. And they stole, these attacks, I should say, are usually short-lived. There's groups like manag and, you know, BGPstream that are publishing and noticing these things, and someone will contact Route 53 and say, this doesn't look right, like, maybe you want to fix
that. But it takes a few hours typically to get this stuff noticed and fixed. In two hours they stole 17 million dollars in Ether, right? So if you can compromise something within an hour or two and get away with your heist, this is a perfectly fine attack. You know, there's other things that are still broken, right, like DNS. You know, people take over DNS all the time, people DDoS DNS servers to take things down. You know, we have DNSSEC, but that's also not really ever implemented. DNS over HTTPS is really a privacy thing for end users; it doesn't really solve the DNS problems. So, you know, I saw this stat the other day that
you know, the average DNS attack against a financial services company costs them 1.1 million, in this case it was pounds. But, you know, these problems have been around forever, right, and it doesn't seem like there's any motivation to fix them. So, you know, clearly this is part of our dumpster fire. And I think, you know, certificate authorities are just kind of the same thing, with typosquatting, anyone can get a Let's Encrypt, everyone sort of, like, wants to bypass all the UI warnings, you know, for most users a certificate attack is going to mess them up. And of course we have developers not implementing certificate
validation properly, right, like, you know, all those mobile apps. I think when we last looked at this, like 70% of mobile apps don't validate that certificates are valid, so you can just, you know, man-in-the-middle their TLS connections with, you know, self-signed certificates and it just thinks it's fine, right? The other thing that I see is a problem is security vendors. Of course not all the security vendors out there are my company, but, you know, in general security vendors like to say, we make you secure, right? Like every firewall vendor on the planet is like, you need to secure your network, I put in the firewall, now my network is secure.
You know, that language to the average person is just completely wrong. That didn't secure the network. It does some stuff, there's some level of security, maybe you can say it's a little more secure. You know, buy our product and make your network a little more secure, it's not that exciting to the marketing folks, but that's the truth, right? Oracle's unbreakable? I don't think so, right? So the marketing people like to use these superlatives, but superlatives are misleading and they lead people to think that they're secure. Like, I got my firewall, the company said it makes my network secure. I got my endpoint security, the company said it makes my endpoint secure. And, you know,
my files got breached. What happened? Then we blame the user for doing something stupid, right? Now it's the user's fault, users screwed up, they didn't do something right. You know, that's sort of the dumpster fire we have with the way we talk about security to people buying security technology or services. I don't know what the solution to that one is, but it's just an ongoing problem that we never seem to be dealing with. The other problem I see all the time is people think everything is secure by default. Well, no, it's insecure by default. Like the first time I saw, like, you know, like, remember, they don't really do this that
much anymore, but remember when you first, like, installed Windows NT somewhere and then had, like, lockdown instructions, right? It's wide open and then you have to do all these different things. I remember one of the first NSA guides to locking down, like, NT 4 was like three hundred and fifty-three pages. Like, no one is gonna do this. No one is going to do this. So it's inherently insecure because you shipped it wide open, right? So I think that's the same thing we see with, you know, IoT devices, with any kind of software people install. You know, it's the same thing with privacy. You know, I'm not gonna talk about privacy today, but
it's the same thing. Oh, you signed up for an account, you know, you're completely exposed, it's not private at all. Oh, do all these steps to make it private. Like, that's just crap, right? And that's what we live with. And the thing that I deal with a lot is developers, and developers think they're writing secure code by default, right? They're like, I've been doing this for 20 years, I write high-quality code, it's performant code, it does the functionality, it's done on time, I'm a good developer. They think because of all those things that it's also secure. You know, talk to a developer, that's what they really think. They don't think they need
to do anything else to make their products secure. But we all know, like, security is a completely separate domain than quality and performance, right? Functional quality and performance. Back in 2002 I went to JavaOne with @stake, and we actually had a booth there because we were working on a tool and we had a service that we would sell to people writing Java applications, and we told them, you know, we can help you make sure that your Java application is secure. You work at a financial services company, you know, you're making an online banking portal or whatever, you know, hire us, we have tools and we'll make
your application secure. And the developers basically came up and they were, like, chuckling and laughing, like, who are these goofy dudes, like, what are they talking about? I know Java is secure, that's why we chose to write in Java, it's secure, right? Because that was the marketing for Java, right? Sun marketed Java as a secure alternative to C and C++, which was the languages people were using before that. And because it was a "secure language," not "more secure" or "eliminates some security vulnerabilities," which, you know, no one wants to say that, they said Java was secure. So all the developers thought Java was secure, and that's why we had a decade of really
crappy web apps before people started to say, oh, maybe we should have some security process here before I put my application into production. And it was just such a mind change for them. We actually showed them, like, this is how SQL injection works, and they were just in complete disbelief because their mind was already set that they chose Java because Java was secure. So now I'll pick on the vendors a little bit. I don't know, has anyone heard this saying, you know, the cobbler's children have no shoes? And the idea is, you know, the cobbler is so busy, you know, working, you know, dusk to dawn to put food on the table and
just barely scraping by making shoes that he doesn't have time to make shoes for his own children. So his own children don't have shoes because he's focused on making money, right? He's got to support his family. Well, guess what, security vendors are exactly the same. They're trying to make their products as quickly as possible and get them to market, and, you know, having extra security processes or having to hire security people to help them actually secure their own stuff costs money and time. And I have the data to show that actually security vendors have the most insecure software. So this is applications we looked at a few years ago, and the orange
bar here is whether it failed our testing, which is it had a critical or high vulnerabilities when we did testing. And you can see the financial services apps are actually pretty good, only 37% failed out of all the ones we did. I was like, they're actually doing pretty good. The financial services people are thinking, hey, if our app gets breached and our customers lose a lot of money in some transaction or something, we're gonna lose business, right? Like, it was a business requirement, a business imperative for the financial services software makers to do that. Maybe PCI and PA-DSS had something to do with that, but this also,
other non-regulated software that are doing better, even learning and growth and customer support are doing better than security products: seventy-four percent failed, right? How does that make you feel? The security companies are the ones who care the least about making secure software. It's completely ridiculous, right? But it's there in the data in our testing. And let me tell you, there's another data point here, just don't listen to me. Mudge tweeted this last year. He says the percentage of security software is 3.8% in DoD and US government. So 3.8 percent of the software that's deployed at the DoD and the US government is security software; it makes up 28% of the security
vulnerabilities that they find on their network. More than a quarter of the vulnerabilities are coming from less than four percent of software, right? So think of all the work that people are doing to maintain and configure and patch all their security solutions, right, because the security vendors don't make secure software. Pretty crazy. I think that qualifies as dumpster fire. We should have had, like, drink if you say that, right? So where are we going, right? So I saw this op-ed in The New York Times, and it was by the general counsel of the NSA, and he basically said, you know, technology is changing so fast we just can't keep up with that. And that
is definitely a huge factor that I see out there, why we're in this state of insecurity. If we just sort of stopped, no new protocols, you know, no new IoT products, and, like, we took a breath for a year and just sort of made sure everything was secure and got down our security debt and then, you know, worked from there, we'd probably be okay. Well, that's never gonna happen, right? We're never gonna do that. So we're gonna be constantly churning in the state of: there's new protocols, there's new ways of deploying software, there's new languages, people are doing new things with software like blockchain and AI that we don't even know how to
secure, and people are putting all this money out there and all this risk. So that's going to continue. So I totally agree, and I also agree with, you know, sort of, the threat space is going to be, you know, all-pervasive. So that sounds like we're gonna be in a world of hurt for the future. The other thing I see out there is, you know, Marc Andreessen famously said software is eating infrastructure, I'm sorry, software is eating the world. And so you could look at that as, what are the different places software is eating, and one of the things is infrastructure, right? That's the cloud, right, where everything is becoming
software-defined, and that's one of the things that's giving us this unprecedented speed in deploying applications, is that we can just spin up all these machines without plugging anything in or screwing things into racks, and we could just build stuff with off-the-shelf components, whether they're services from your cloud provider or they're open source things. Speed is the name of the game. And then the whole DevOps movement is really encapsulating the concept of, you know, operations now is just software, right, and developers can do their own ops. The next phase I see of this is DevSecOps, which is developers are going to be able to do,
you know, their own security, and security shifts from, you know, securing physical networks to securing all that software-defined stuff and applications. So we're also in a period of having to change how we do security, and, you know, I think software is starting to eat security, right? We're starting to see developers do security without security experts, which is really the only way to do it, because, you know, we're outnumbered like a hundred to one, right? We can't be everywhere there's a developer writing code and making mistakes constantly. We just can't do that, so we need automated systems that developers can use. The flip side of that is security people are, and I'm not
talking about product vendors making software that you deploy or appliances running software, security people in enterprises, in the cloud, security people actually writing code to, you know, be security engineers, to have someone whose full-time job is security, and the way that they solve security problems in their organization is to write code. This is kind of something that Dino Dai Zovi talked about at the Black Hat keynote. It's just one of the things he does at Stripe: he actually writes software to do his job of making sure the apps that Stripe builds are secure. So that's sort of where we're going. And so now I want to talk a little bit about, you know, wait, how do
we deal with this, right? Because it seems pretty bad. Like, is there any solution, is there any way out? So, you know, I look on one side of the equation and, you know, we have companies like D-Link, which don't really try to secure their routers, right? They don't patch them when they know that there's vulnerabilities, and they recently, you know, end-of-lifed a few routers that have a CVSS 10 score vulnerability in them, and they're not going to fix it because that router's end-of-life. Well, guess what, they're still selling it, right? You can go buy a brand new one, right, and they're not pulling them from the shelves. It's a forever
vulnerable router that they're still selling today, and there's no regulation over this, right? There's actually this FTC consent decree over D-Link that came out last year, that's what this headline is here, but that was actually not for this. It was just that they weren't patching things that they knew about, was really what it was, and they said they were. So of course the router's secure, I'm sure it's all over the marketing, right? It's totally secure. You know, and then we have, you know, the leaky bucket problem, which, you know, is sort of the S3 bucket that, you know, developers are using, and there's no security process at all,
right? They're just doing whatever they want with S3 buckets, and, you know, there's no policies, there's no review, there's nothing. And this is how we end up with, you know, 15 million people in Ecuador having their PII exposed on the internet, right? We have these catastrophic failures. You know, the same thing with Elasticsearch: there's all kinds of things that developers are like, this is cool, this is really powerful stuff, I can just spin up all this stuff, put all this data in there, and it's great and get my job done, and there's no security process or controls. So, you know, that's sort of one potential future that
could just keep going, right? We could have insecure cloud technology, we could have insecure IoT devices. But, you know, on the other hand, this is where security is unevenly distributed: there are people and organizations that are actually making, you know, secure software. Like, I look at iOS and Windows 10 and Chrome, right? If you look at how many billions of people are using this technology and how it's not a constant shitshow, right? It's not like, you know, Windows 10 is not like, you know, Windows XP was. It's just not bad. We don't have, like, a global worm problem. They've actually got their act together. And so, like, how can we do
more of that and distribute what they are doing, and less of what, you know, D-Link and what everyone is doing with the S3 buckets? How do we distribute the security more widely? So, you know, this is a saying, and this is something, you know, I had heard the saying and I did some research, it's actually something that JFK said when he was talking about his economic policy. He said, I want an economic policy that's like a rising tide that will lift all boats, right? My economic policy isn't going to make the overall, you know, GDP go up, because that could just, you know, make all the rich companies be more
productive and all the rich people make more money, and the middle class and the poor stay exactly where they are. He wanted an economic policy that would lift all the boats like the tide does, whether you're a big boat or a small boat. And so I got thinking, like, we should think about security that way, right? We shouldn't just be saying, like, well, let's have big bug bounties for, you know, Windows 10, and all the security talent out there is going after making Windows 10 incrementally more secure, right? We could do that, and there would be some benefit to that, but then, you know, someone's just gonna spin up a leaky bucket or they're going to
just plug in some IoT device, and it's not going to matter that, you know, Windows 10 went from, you know, a vulnerability density of, you know, one vulnerability per million lines of code to one for every two million lines of code, right? That won't make a difference when you can just plug in something that has no security done to it and your data is owned, right? So I think we need to, people have talked about sort of getting people above the security poverty line, and I think we need to think about things that can do that. So this would be a better, you know, this is nicer, right? We can all drive our boats. So I
want to, you know, I think we should think about things that can be applied not just to the security leaders; that's easiest for the sort of people that are at the bottom to apply. And, you know, I already talked about, we're gonna help the people that are below the security poverty line. So let's look at where, you know, security is unevenly distributed and think about what the security leaders are doing, like, what are the things that they're doing. And so one thing that they do is they, you know, assume the network is compromised, right? The security leaders like Google use a, you know, zero trust network. They famously
came out with their BeyondCorp network architecture and they published it, like, anyone can do this, and there's actually tools out there that are almost like consumer grade that you can build a zero trust network with. And I think that's the direction that we need to go in. And we can look at what Google did: they did this in response to the Aurora attacks, the fact that their Chinese branch office was trusted just because of its location on the network. They said, hey, we can't do this, we're a global company, you know,
we can't have every network node be trusted in some way, we need to go to a zero trust model. And I think, you know, every company should probably go to a zero trust model with their network. If they're building out, you know, software in the cloud, go with the zero trust model. And the second thing I think leaders do is they build security in from the very beginning, right? When they start, we're gonna build this system, they start thinking about security early, right, whether it's a piece of software, whether it's some infrastructure they're doing, and they don't think about security later, right? This is really hard for startups to do, but at
some point they have to start thinking this way, they have to start doing this, because otherwise you don't build security in until you have that huge breach and that FTC consent decree, like what happened to Twitter, it happened to Snapchat, because they didn't do any security until they were, you know, five, six years in as a company and had, you know, tens of millions of users. And it actually cost them more money to do security later. So building security in is critical, and that's what all the security leaders do. You wouldn't get iOS, Chrome, or the security of Windows 10 unless it was built in from the very
early stage of the development process. And the other thing security leaders do is they expect their suppliers to do this too, and they ask their suppliers. They don't say, oh, you know, you have a big brand name, you know, I'm sure you wrote secure software. They don't think it's secure by default. They say, prove it to me. Prove to me, if you want me to buy your software or use your service to run my company, you have to prove to me that you're doing all the things that I'm doing when I build my own software. Like, I don't want to have extra risk in my organization just because I'm using a
supplier, right? So that's another thing that security leaders do. If you've ever tried to sell anything to Apple, Microsoft, or Google, you would know that they scrutinize you. The other thing is they leverage the work of others, right? So if someone is doing something secure, they use that, right? They use something that's been open sourced that they know is secure, that some other group has put out. You know, Microsoft is actually gonna be switching over to Chrome as their built-in Windows 10 browser, because they said, hey, you know what, Chrome is actually doing a better job than we're doing and we're just gonna go that way. The
other thing I think is important is operate less software, because software is hard to operate securely. First of all, it ships insecurely, so you have to do all that extra patching, extra configuration, you have to do the lockdown guide, and then you have to maintain its patch level, right? Like, why would you want to do that when you could do SaaS and make the person who's writing the software configure it securely and keep it patched, right, and put all the onus on the SaaS providers, instead of receiving software and letting that software vendor shift all their liability to you, right? It's your fault, you didn't do the lockdown guide, we had the patch out
there, you didn't patch it in time, right? When you operate software, the system we have, I know it's not that great, right, where the vendors disclaim all liability, right, so you are liable if you operate the software. If you use a SaaS provider, the SaaS provider needs to operate that software securely, they need to keep it patched. But all SaaS providers aren't the same. You know, you want to hold them accountable, all right? You want to look at their architecture. You know, DIE stands for distributed, immutable, and ephemeral. Like, if they're using the cloud, are they using that kind of architecture? What is their crypto? Are they doing good
key management you know what algorithms are they using these are things that you have to ask a SAS provider don't assume the SAS provider is is secure but I don't think that the market can can solve you know all problems a lot of stuff I'm talking about is like organizations making good decisions with where they're going to put their money I think that there's some problems that really just can't be solved like the you know the insecure IOT device because those become sort of environmental problems we're like the marina botnet was able to DDoS DNS servers and lots of lots of lots of places and so a lot of insecure I o T devices become an
environmental problem because it allows attackers to leverage this computing power to launch attacks and DDoS that anywhere anywhere on anywhere on the network so it sorts to become something like you know pollution like each individual person you know polluting might not be bad but everyone polluting makes it so that people get asthma right so we need to have some some some minimum standards around there I think the UK what their secured by design initiative for IOT is is heading in the right direction so very basic stuff that you're like oh my god there somewhere there's actually shipping products that aren't doing these things and it they are and that's why it has to be there so these minimum standards like no
hard-coded passwords right in an IOT device again that's not secure by default you know the the the device needs to be securely updatable yes people ship devices that you can't update securely like no signs no signed updates right and the third one is that they have to have a a response capability a vendor response capability if someone finds a vulnerability they actually have a process where they take in that vulnerability and update their software and and update their device I don't think it's a lot to ask but it's crazy that we live in a world that people are shipping stuff that doesn't even have those minimums that we have to do that so I think we do need some
government standards around minimums, or at least labeling whether you meet the standard or not. Does it meet the minimum standard or not? Maybe you can still sell the product, but it's like cigarettes: if you use this product, your data is eventually gonna get stolen, with a picture of your data flying away or something on the box. We need transparency to understand what's a good product and what's a bad product, because right now we just don't, and that means that the market can't decide, and there's no incentive for the small vendors to put in security.

So I talked about the forever-vulnerable routers still for sale, and I said, well, what's the solution to that? Well, there should be an expiry date, like milk, on a piece of hardware that you buy. If you're buying a smart TV and it's going to be end-of-life after four years, where they're not going to ship patches anymore, shouldn't that be something that you know about at time of purchase, and it's clearly available to the consumer? I think if we start seeing end-of-life dates on software and hardware, people would at least know that they need to upgrade. Maybe the D-Link router was only a hundred bucks and you had it for six years, and upgrading to another one, four hundred dollars, maybe it's not a big deal. But the thing is, people don't even know that their hardware needs to be decommissioned and they need to buy something new. They don't even know. So this is where transparency can make a big difference.

And then this is, I think, talking to the audience here: what can you do? What can security people do to talk to business leaders? We need to communicate some of the things I talked about. We need to communicate that we can't trust Internet infrastructure. If we're building something securely that's operating over the internet, we have to put in extra stuff to make sure that we are mitigating the fact that BGP is never going to get fixed, DNS is never going to get fixed, certificates are always going to be a problem. That would maybe say, "hey, maybe we should be pinning our certificates in our mobile app, or at least be checking for certificate validity." If people don't know these things, how are they going to do it? So we still have to constantly be educating.

And the other one, I think, is really around security products, where people think, "if I just get all the right security products, if I check all the boxes, then I'll be secure." We all know that's not true, but there are still CISOs out there that don't think this, especially in organizations that don't have CISOs; they just have a CIO or a head of IT, and they think that if they get the right few security products, the right set of security products, they'll be secure. And we have to make sure people know that that's not true.

And lastly, and I think this is really one of the most important things: technology is not secure by default. It takes work. Don't give me a lockdown guide; actually make your stuff secure. And think of this as a supply chain problem, where whenever you're buying something you're inheriting risk unless you do your due diligence, because there are no regulations here. When you buy a house, you know it passed the inspection. It was built to the building code and it passed the inspection, so you don't have to do much due diligence about the safety of the house when you buy it. The banister isn't just gonna fall off, because someone checked that. There's supposed to be a fire door between the garage and the house, and it's there, because someone checked that. With technology there's no building code, there's no inspector; it's up to you to do that. And I think that most business leaders don't understand this. They don't think this way. They think that there's a big brand there, so of course they did it securely. We all know from the data that it doesn't matter how big the brand name is, even if it's a security product. So I think that's probably the most important thing that we need to get across to the people that have the checkbook and are buying things: when you're buying, you're inheriting a huge amount of risk unless you do your due diligence and push back on your vendors.

So I think I'm about out of time. I don't know if we have time for a couple of questions or not. I think, yeah, so if anyone has a question, we're happy to have you try this. Someone in the back there.
Yes. Oh, I think, well, I like the idea of FedRAMP. I don't like the idea that it's super complicated and no one can get FedRAMPed. I can tell you that Veracode has been trying to get FedRAMPed for like three years now; it's just a complete dumpster fire. So I like the concept of FedRAMP; I just think that the whole thing is really broken, the amount of paperwork and consultants and all this stuff. I like the concept of it, where the federal government is saying, "hey, if I'm gonna buy your SaaS solution, your cloud solution, I need to do my due diligence and make sure you did yours." But we need lower tiers that are simpler. To me, SOC 2 is better; it's not as bad as FedRAMP, and that's definitely something that I would look to my SaaS providers for. Especially if I had my customer data or my employees' data at that SaaS provider, I'd want to make sure that they were SOC 2 compliant.

Yeah, I still think it can be solved with technology. You can force people to use two-factor, and if you look at all the two-factor bypasses, like people hijacking SMS and stuff like that, those are all technical attacks. I think the people problems can all be solved; we're just not willing to do it, and people aren't willing to do something which takes a little bit more time. How much longer does it take to log in with your Duo or whatever? I don't know, five seconds? Come on. So yeah, the anxiety, yeah, that's what I liked about Duo: they made it 60 seconds instead of whatever it was with RSA SecurID. So I don't buy it. I think that we can solve the people problems if we want to do it.

I agree. Fallbacks to insecure protocols, like, once you have two-factor in place, falling back to one factor is insecure. And I think it's very clear to people that, like, we're shipping it secure, you're turning the knob to insecure, and then thinking about it that way, they've decided to take on risk. What we do is we don't do it that way. We say, "my technology is secure, my system is secure, use it. Oh, there's this lockdown guide that allows you to do two-factor." That's really what I'm talking about; it's like, flip it around. So I guess we're pretty much out of time. Thank you so much. [Applause]
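The "securely updatable, signed updates" minimum from the IoT discussion in the talk, as an added example that is not part of the talk or any vendor's code: a vendor-side signer and a device-side verifier in Go, assuming a constructed Ed25519 vendor keypair, a constructed firmware image, and hypothetical names throughout. The verifier rejects unsigned, tampered and wrong-key packages, and also refuses a version rollback.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed firmware package: version number, image, signature.
type Update struct{ Version uint32; Image, Sig []byte }

var ErrBadSignature = errors.New("rejected: signature missing or invalid")
var ErrRollback = errors.New("rejected: version not newer than installed")

// signedMessage binds version and image digest so the signature covers both;
// a validly signed old image cannot be replayed under a newer version number.
func signedMessage(version uint32, image []byte) []byte {
	msg := make([]byte, 4, 4+sha256.Size)
	binary.BigEndian.PutUint32(msg, version)
	sum := sha256.Sum256(image)
	return append(msg, sum[:]...)
}

// SignUpdate is the vendor side, run in the build pipeline with the signing key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, signedMessage(version, image))}
}

// VerifyUpdate is the device side, run before anything is written to flash: the
// vendor public key is baked into the firmware, the signature must verify (which
// also rejects unsigned, tampered and wrong-key packages), and the version must
// be newer than the installed one, so a known-bad old build cannot be pushed back.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedMessage(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() { // constructed vendor keypair; only pub would ship inside real firmware
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	bad := Update{Version: 2, Image: []byte("image modified in transit"), Sig: good.Sig}
	fmt.Println(VerifyUpdate(pub, 1, good), "|", VerifyUpdate(pub, 1, bad), "|", VerifyUpdate(pub, 2, good))
}
```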