00:00:12,719 --> 00:00:54,800
Host: Welcome back, everyone. We are about to jump into a chat with Mario about AppSec on a budget. Mario is a software developer turned security engineer. His passions are open source, security and privacy. He spent the last few years doing security in the fintech space, but nowadays he's a senior security engineer at Canva and spends his days there helping developers create better and more secure code. Mario is also going to take up most of the block, so any questions, please have them ready for hallway chats after the talk. Take it away, Mario.

00:00:53,120 --> 00:01:30,880
Mario: Good, thanks. Hello everyone, welcome to my talk, AppSec on a budget. I would like to start with something that's super obvious: budget is important. It's important for any organization of any size, that's well known, but I also make the argument that it's even more important for application security teams. And that's the case because of the common constraints that any application security team has. It doesn't matter if it's a small organization or a large organization, they all have the same set of constraints.

00:01:29,759 --> 00:02:27,760
Let me talk a little bit about the constraints. So there are three constraints that I feel are common amongst all application security teams. The first one is operational work, or BAU, as it can be called in your company. That becomes a constraint when there is a lot of BAU work and your team cannot concentrate on doing more meaningful, impactful change in the company. Don't take me wrong, BAU and operational work is super important, that's what keeps the company going, that's what makes sure the processes are being followed and everything is going smoothly. We are talking about vulnerability triaging, we are talking about design review, we are talking about fine-tuning tools. So those are all things that we need to do, but they are there to keep the company working, not necessarily to improve, to move the needle, to improve the security posture of the organization. That becomes a big constraint when you have a lower budget.

00:02:26,239 --> 00:03:16,080
Maybe you don't have the right tools or you don't have enough people, so operational work is pretty much all you can do during your day job. That makes AppSec teams a bit more stressed and a bit more overworked. Any AppSec team knows where the bodies are buried, right? They all know there are vulnerabilities that need to be addressed, bad design decisions that need to be revisited, systems that are outdated and need to be patched. They all know that, and then again, that becomes a big constraint in a low budget environment: if you are doing a lot of operational work and you don't have time to go back and fix those, it keeps a lot of stress on the application security team, because they cannot do the change they wanted to do.

00:03:14,159 --> 00:04:01,760
And the final constraint is having malicious actors, and that's very specific to security, you're not going to find it in any other department. Because we are talking about people who don't play by any rules, don't play by any frameworks. If you have a marketing team, for example, the marketing team competes with competitors at other companies, so there is a framework, there are some rules they need to follow. When you talk about malicious actors, they don't play by anything. The only boundary they have is their own budget. They also have a budget, they also are a business of some sort. If their budget is bigger than yours, that becomes a constraint: they're going to be able to do more damage than you can deal with.

00:03:58,799 --> 00:04:29,120
So those are the three main concerns, and in my experience that is very common. Where I am now there's a lot of strong security investment in the company, and I can see improvements year after year. But having worked at other companies where the budget's not quite there or is very, very low, that's the reality for the majority of Australian companies.

00:04:26,320 --> 00:05:06,960
So there was this survey from Sophos earlier this year talking about a lot of metrics of cyber security, and they asked a lot of leaders in the business to talk about the cyber security budget, and the consensus was that it is not where it's supposed to be. Which I find quite funny, because "not where it's supposed to be" can be anything from zero to "oh, it's actually a good budget but you need a little bit more". But the reality is that's it: we don't have much budget, and we have lots of constraints. So it's kind of a problematic situation, isn't it?

00:05:05,600 --> 00:05:32,639
But there is hope. There is hope. Although the best solution for a low budget is a better budget, there are things you can do to make sure everything's working smoothly and then you can make meaningful change. A little bit of creativity, strategy and kindness can go a long way. So I'm going to bring six tips I have used before in my career that hopefully can help you as well.

00:05:31,360 --> 00:06:18,479
Let me start with things I call zero budget things. There are things that you can do without spending any money, no money, so anyone can do it. And the first one is what I call find allies. That's the number one thing you need to do. We in security are always asking people to do things for us. We are always asking people to fix a vulnerability, to triage a bug report, so we're always asking people to do stuff. Sometimes we also need to ask for more meaningful changes, structural changes, which people can be a bit defensive about because it requires a lot of work.

00:06:16,080 --> 00:06:59,199
So I'll give an example. Before Canva, I was working at a company where they didn't have much security budget. The security budget at the time was my salary; I was the first ever security engineer there. It was a really good experience, by the way, to be creative with a low budget. And as you can imagine, in my first few weeks I found a lot of vulnerabilities right, left and center, lots of bad practices everywhere. So I had to make some meaningful structural changes in the way we did a few things to make sure we moved the needle on the security posture.

00:06:56,800 --> 00:07:46,960
So the change that I wanted to do is email verification. Any security person knows that if you start the conversation about email verification, that's going to be a hard conversation. It's not going to get any easier; people get defensive quite quickly, and there's a good reason for it. That's where the kindness needs to come in: we need to understand where the people are coming from. The reason being is that email verification makes the sign-up flow of any application harder, and there's a drop on the user side, of users signing up. There are solutions for that, there are ways to go around that, but I was having a hard time starting this conversation. People didn't even want to start this conversation, they were trying to focus on something else.

00:07:44,639 --> 00:08:50,959
So what I did instead, I went to my buddy on the risk team. Risk teams are natural allies of any security team, because they are looking at risks all across the company, and some of them are going to be cyber security risks. I was talking to this person and said, hey, I'm having a hard time, I'm trying to push for this and people don't even start the conversation. He told me, wow, I also have this same problem, we are having this problem at this moment. I'm just responding to this because we don't have email verification: we had to send some information to a few users and the emails were wrong, and we sent it to different people where the emails were valid, so people got PII from them. So this is not good, and it happens already. And that was amazing information for me, because he provided me data that I didn't have. From my side it was a concern, but we didn't have any kind of security breaches on that side, but he knew what was happening on his side.

00:08:48,880 --> 00:09:40,800
And then I could come back and make a more compelling argument to engineering and say, we need to do that, the problems are already happening; the risk department is also aware of this and they don't want the fakes either. So then we started to have the conversation. It still was a hard conversation, but I managed to move the needle a little bit, like, let's start discussing this. And there are other allies in your organization that you can try to find. Legal people are usually good allies as well. Infrastructure people, they usually are security aware and they try to make everything more secure. So find these people, find how they can help, and try to collaborate with them. You're going to need them before trying to make a meaningful change when you have a low budget.

00:09:41,440 --> 00:10:21,760
The second one is super, super important, cannot stress this enough: do not waste a security incident. Security incidents are big propellers for change. The worse the incident, the more change you can try to make. But be on your best behavior during the incident. You're in the spotlight, everybody's looking at what security is doing. That's not the time to blame people, that's not the time to say "I told you so". That's the time to make sure the problem is fixed, and then after the problem is fixed you can try to use that to get something for you.

00:10:20,160 --> 00:11:15,519
So for example, when I joined this company, at the very early stages of the interview they told me, Mario, we are hiring a security engineer but we are not thinking of hiring anyone else for the next 12 to 18 months. I'm like, okay, all right, that's your decision, let's see what I can do with that. Three months in, I was having a conversation with a colleague of mine in the kitchen, and we were just talking about some practices we have in the company, and she suddenly dropped a very bad practice, she just said something really bad. And then I said, oh, wait a minute, do we do that here? She's like, possibly, yeah. Then, okay. I came back to my computer, started to do some investigation, and it was bad. It was really bad.

00:11:13,200 --> 00:12:14,480
So I had to go... that was before COVID, we were in the office, so I went and tried to find the head of engineering at the time, and he was in a meeting room having a meeting. But I knew that incident was urgent, so I knocked on the door, opened it a little bit to say, hey, I need a little bit of your time. He was like, right now? I'm like, yeah, right now. He was visibly annoyed. He left the room, he was annoyed, and he's like, well, what do you want to talk about that's so urgent? Then I explained what I had just discovered and the impact. His face went pale and he's like, oh, okay, thanks for letting me know. And it took a few weeks for me to actually finish this incident from start to end. And again, operational work, right? Incident response is just making sure the company is working, and fixing other smaller bugs, but that's considered operational work, this BAU.

00:12:11,839 --> 00:13:16,720
After the incident was done and closed, I had to talk to him and say, look, for the last three months that's pretty much what I have been doing: only operational work, only incident response. If you're going to keep doing that long term, I'll not be able to make any meaningful change. I need an extra person. And I got a yes. And I got a yes because he could see there was a big problem, the problem was worse than he expected, and the security incident, that incident specifically, went to high levels: the CEO had to know about it, it went to the board. It was nasty, it was very nasty, and that's a really big propeller for change. So if you have a low budget, when there is a security incident, make the best you can from the incident. Make sure your leaders know what's happening, make sure you finish the incident, you close it off, and then you can make a big impact, and then you can use that to have a bit more influence in your organization.

00:13:14,560 --> 00:14:17,839
So those are two tips that you can use today in your organization for zero budget. I want to talk a little bit about tools and techniques. Tools for security are problematic. Open source can go a long way, but it doesn't go to the very end. Let me talk about what I want to tell you. So open source, right: there are many tools in security, there are good open source tools. I love open source, I contribute to open source, that's amazing. But be careful with open source. There are open source projects which are well maintained, there is an active community, people are actively developing; and there are open source projects that somebody did over the weekend, put on GitHub, and it's been left unmaintained for five years. Make sure you choose the project that makes sense for your organization and brings more solutions than problems.

00:14:18,240 --> 00:15:10,800
But open source can only go so far. There are lots of things that we need to do as AppSec team members that open source doesn't cover very well yet. It might in the future, but not very well yet. So one of the things that I wanted to do for the company was introduce dependency management: looking at vulnerable dependencies, making sure they are fixed, making sure they are working as expected. And I started with some open source tool, but that wasn't working fine, that wasn't working the way I expected. So I tried to look at other tooling, to buy tooling, and they are bloody expensive. They are super expensive. I knew if I took these numbers to my leadership and said, can you spend that much money for this one single tool, they'd say no, for sure they'd say no.

00:15:08,560 --> 00:16:08,680
Luckily, at the time, there was a group of engineers trying to make a business case to move the source code to GitHub. GitHub at the time had, and still has, Dependabot, and Dependabot does provide some of the capabilities I needed for dependency management. So rather than trying to push for other, more expensive tools, I managed to go back and say, look, they are doing this use case already, I can add my use case on top of it and make their argument more compelling, and make sure the leadership can try to get this tool. It wasn't the best tool for me, but it definitely went a lot further than I wanted, so that was really good. It's a bit hard though, this one; it's not every time you can do that. But if there is an opportunity to get other people leveraging the tool you need, that also makes your argument more compelling: it's not only security asking for something, it's security, engineering, infrastructure or whatever else.

00:16:09,759 --> 00:16:51,839
I want to talk a little bit about scaling influence. As any AppSec team member knows, we cannot be involved in every single thing, that's not possible. We cannot review every single line of code, we cannot review every design doc, we cannot be on top of every single thing. That's just not possible. So we need to first get some influence, and then we need to scale that. So I'll talk a little bit about how you can try to do this.

00:16:52,959 --> 00:17:29,360
So the first thing is, you can try to give value first. That's very basic human behavior. If you have somebody that's always asking you for something, somebody that's always going after you and asking, hey, can you do something for me, I need this favor, you're not going to like this person very much. And that's human behavior, that's you, me and everybody else you work with. So you need to provide value for them as well, and there are many ways to do it, but I'm going to share one way that worked very well for me.

00:17:28,319 --> 00:18:36,960
I was two weeks in at that company, and at the time they were rebuilding the authentication system, which was amazing, it was really needed. They did a really good job, all the way from defining what authentication is and which systems we're going to use, to the very bottom, how we're going to implement it. That was really nice. There was one part of the design doc that I wanted to change a bit. But look, we need to read the room. I was just two weeks in, first ever security engineer. They didn't know me, I didn't know them. There was very little chance that I could come up with something and then influence them to actually make the change that I needed. Everybody was still looking at me like, what's going to happen now that we have a security engineer? Luckily it was my first two weeks, so I didn't have a lot of operational work yet. Those were the first two weeks where I was learning about the company, talking to people, so there was not much on that side.

00:18:34,799 --> 00:19:45,440
So what I did instead, I implemented it myself. With help, of course: the infra team at the time was doing some really nice developer tooling, they were doing some really good tools in that space, and I said, can I try to do a PoC, can I figure out something, I want to implement this kind of feature. And they were super helpful, they helped me develop this. I created the PR, and I did the PoC in dev, stage, prod, and it worked. And I managed to implement the things that I wanted to request. So that alone showed them a lot of things: that I can get my hands dirty, that I'm not just a security engineer that doesn't know anything about AppSec or software engineering, you know, I know how to code, I know how to do it. I also showed them that if I need to get my hands dirty to help them, I'm going to do it, I'm more than happy to do it. And that improved the design and didn't require much from them.

00:19:40,320 --> 00:20:35,720
So that was a way to get some influence. To my knowledge, these changes are still in production to this day. Of course, the people involved evolved it and changed it, but the basic structure is still that, which is really nice. So that's one way to give value first and get some influence. I'm pretty sure everybody can come up with other ways. Other ways that I have seen: doing a good threat modeling session is a really good way to get influence, and people say, oh, that session was actually really good, I want to learn more about that sort of stuff. But the main concept here is give your value first; sometimes do the thing yourself, make sure your change pushes all the way to production, and make sure everything is well aligned.

00:20:36,080 --> 00:20:49,919
The second part of it is how to scale your influence. And then you need to have influence to scale influence, so the first part is a little bit about how to get some of this influence. But there was a time at
the company 582 00:20:48,159 --> 00:20:52,159 where people were like getting to know 583 00:20:49,919 --> 00:20:55,280 me i was able to make some changes i i 584 00:20:52,159 --> 00:20:56,480 was able like to to get some things done 585 00:20:55,280 --> 00:20:58,640 i 586 00:20:56,480 --> 00:21:01,840 i was lucky enough to get somebody else 587 00:20:58,640 --> 00:21:04,240 to help me uh working on that too but 588 00:21:01,840 --> 00:21:06,240 that was not enough right two people is 589 00:21:04,240 --> 00:21:07,520 not enough so how do i scale that how do 590 00:21:06,240 --> 00:21:09,440 i make sure 591 00:21:07,520 --> 00:21:12,159 the security the right secure things is 592 00:21:09,440 --> 00:21:14,000 still happening even not in the room 593 00:21:12,159 --> 00:21:16,000 uh or if i'm like there is 594 00:21:14,000 --> 00:21:18,720 a difficult decision to make they're 595 00:21:16,000 --> 00:21:20,880 gonna make the right call right 596 00:21:18,720 --> 00:21:22,640 and i'm calling here secure friend 597 00:21:20,880 --> 00:21:24,320 friends you can call security champions 598 00:21:22,640 --> 00:21:25,840 it doesn't matter the name 599 00:21:24,320 --> 00:21:27,760 but the important thing is you need to 600 00:21:25,840 --> 00:21:29,360 find and then again a little bit about 601 00:21:27,760 --> 00:21:30,480 find the lies you need to find people in 602 00:21:29,360 --> 00:21:32,640 your organization 603 00:21:30,480 --> 00:21:34,799 they want to learn about security and 604 00:21:32,640 --> 00:21:36,880 they are there they might not be 605 00:21:34,799 --> 00:21:40,559 super passionate enough 606 00:21:36,880 --> 00:21:43,120 to just like make a move and in like a 607 00:21:40,559 --> 00:21:44,559 go to a full-time position security but 608 00:21:43,120 --> 00:21:45,919 they want to learn about more about 609 00:21:44,559 --> 00:21:47,760 security they are interested in the 610 00:21:45,919 --> 00:21:49,600 subject they find like that's 611 00:21:47,760 --> 
00:21:51,679 challenging exciting and they want to 612 00:21:49,600 --> 00:21:54,080 learn more about it it's amazing and we 613 00:21:51,679 --> 00:21:55,520 need to leverage this right 614 00:21:54,080 --> 00:21:56,880 the way i did it 615 00:21:55,520 --> 00:21:58,799 was um 616 00:21:56,880 --> 00:22:01,280 i come up with like this group like the 617 00:21:58,799 --> 00:22:03,600 secure champions i open to 618 00:22:01,280 --> 00:22:05,440 everyone and say look if you want to 619 00:22:03,600 --> 00:22:06,799 learn more about security 620 00:22:05,440 --> 00:22:08,720 if you want to have fun doing some 621 00:22:06,799 --> 00:22:10,880 security activities 622 00:22:08,720 --> 00:22:12,960 come come aboard we're going to do some 623 00:22:10,880 --> 00:22:15,600 cool stuff 624 00:22:12,960 --> 00:22:17,520 uh and yeah at the beginning i got four 625 00:22:15,600 --> 00:22:19,679 or five people which was like amazing i 626 00:22:17,520 --> 00:22:22,559 was concerned that nobody would actually 627 00:22:19,679 --> 00:22:23,919 sign up so i got four it was good 628 00:22:22,559 --> 00:22:25,679 um 629 00:22:23,919 --> 00:22:28,400 and then i come up like with some cool 630 00:22:25,679 --> 00:22:31,600 exercises like for example i deploy a 631 00:22:28,400 --> 00:22:34,559 vulnerable lambda and then i ask then to 632 00:22:31,600 --> 00:22:36,960 go and hack and everybody who could hack 633 00:22:34,559 --> 00:22:39,840 it you i'll pay some coffee 634 00:22:36,960 --> 00:22:42,640 i paid lots of coffee so that's not very 635 00:22:39,840 --> 00:22:44,000 low budget but it was really effective 636 00:22:42,640 --> 00:22:45,679 to get like um 637 00:22:44,000 --> 00:22:47,520 to get people uh 638 00:22:45,679 --> 00:22:50,080 interesting insecurity and try something 639 00:22:47,520 --> 00:22:51,600 simple something like challenging and 640 00:22:50,080 --> 00:22:54,000 something that make them think right 641 00:22:51,600 --> 00:22:55,840 like because when they hack 
it something 642 00:22:54,000 --> 00:22:57,840 they start to think about it 643 00:22:55,840 --> 00:22:59,760 so did i boot something that's also 644 00:22:57,840 --> 00:23:01,440 vulnerable to this there's a really 645 00:22:59,760 --> 00:23:03,200 effective way to get them to start to 646 00:23:01,440 --> 00:23:05,520 think about security 647 00:23:03,200 --> 00:23:06,720 i started like lock picking competitions 648 00:23:05,520 --> 00:23:09,679 as well 649 00:23:06,720 --> 00:23:12,159 i got like i had a few locks at home 650 00:23:09,679 --> 00:23:13,200 like yeah cliche secure engineer sorry i 651 00:23:12,159 --> 00:23:14,000 do have them 652 00:23:13,200 --> 00:23:16,159 but 653 00:23:14,000 --> 00:23:17,919 i brought them to the office uh i get 654 00:23:16,159 --> 00:23:19,919 them to do a little bit of lock picking 655 00:23:17,919 --> 00:23:21,360 and try to understand like um how 656 00:23:19,919 --> 00:23:23,039 hacking is not that different right 657 00:23:21,360 --> 00:23:24,720 you're trying like to put some input and 658 00:23:23,039 --> 00:23:27,039 see what's gonna happen which kind of 659 00:23:24,720 --> 00:23:29,039 error you get which kind of outputs you 660 00:23:27,039 --> 00:23:30,720 have to to open the lock 661 00:23:29,039 --> 00:23:33,440 um i got like some free training 662 00:23:30,720 --> 00:23:35,679 resources as well so they could go and 663 00:23:33,440 --> 00:23:37,840 learn about more security and what 664 00:23:35,679 --> 00:23:39,760 happened was amazing because like every 665 00:23:37,840 --> 00:23:41,440 monthly meeting they were coming back 666 00:23:39,760 --> 00:23:43,440 with nice 667 00:23:41,440 --> 00:23:45,039 and they were starting to discuss secure 668 00:23:43,440 --> 00:23:47,200 challenges that they have their own 669 00:23:45,039 --> 00:23:49,279 teams and they started like oh look we 670 00:23:47,200 --> 00:23:51,200 are trying to design this feature 671 00:23:49,279 --> 00:23:54,640 and this is not working 
very well 672 00:23:51,200 --> 00:23:56,080 um so how do i how do i do this and the 673 00:23:54,640 --> 00:23:57,760 people start to talk about it i didn't 674 00:23:56,080 --> 00:23:59,919 even need to say anything 675 00:23:57,760 --> 00:24:02,480 do it was like talking helping each 676 00:23:59,919 --> 00:24:04,799 other and come up with resources if 677 00:24:02,480 --> 00:24:06,640 there's anything that was like um they 678 00:24:04,799 --> 00:24:08,640 need my support they're going back to me 679 00:24:06,640 --> 00:24:10,799 and say mario like look can you help 680 00:24:08,640 --> 00:24:12,559 look at this i think this code's a bit 681 00:24:10,799 --> 00:24:14,480 like um uh 682 00:24:12,559 --> 00:24:15,279 vulnerable can you have a look 683 00:24:14,480 --> 00:24:16,799 and 684 00:24:15,279 --> 00:24:19,279 for me it was really nice as well 685 00:24:16,799 --> 00:24:20,559 because i could go back to them and say 686 00:24:19,279 --> 00:24:22,720 like look i want to talk a little bit 687 00:24:20,559 --> 00:24:25,120 about security of your team i know who 688 00:24:22,720 --> 00:24:26,880 they should approach right is the person 689 00:24:25,120 --> 00:24:28,159 that's already like 690 00:24:26,880 --> 00:24:31,440 focused about securities all right 691 00:24:28,159 --> 00:24:33,279 thinking about security and to be honest 692 00:24:31,440 --> 00:24:35,120 the level of the person doesn't matter 693 00:24:33,279 --> 00:24:37,520 that much right 694 00:24:35,120 --> 00:24:38,799 even if they are like more junior or 695 00:24:37,520 --> 00:24:40,640 mid-level 696 00:24:38,799 --> 00:24:42,080 they still know enough that they can 697 00:24:40,640 --> 00:24:44,640 provide you some value give you some 698 00:24:42,080 --> 00:24:46,880 hints and insights right so that was 699 00:24:44,640 --> 00:24:49,440 useful for me as well to go back to the 700 00:24:46,880 --> 00:24:52,320 teams and talk to them 701 00:24:49,440 --> 00:24:54,880 uh i also went like the 
the time company 702 00:24:52,320 --> 00:24:57,120 was not not too big and we had a 703 00:24:54,880 --> 00:24:58,960 company-wide demos and i always talk 704 00:24:57,120 --> 00:25:00,240 about it like look 705 00:24:58,960 --> 00:25:01,760 that's the cool stuff you're doing 706 00:25:00,240 --> 00:25:03,440 you're losing you're missing you're not 707 00:25:01,760 --> 00:25:05,679 going you're not going there 708 00:25:03,440 --> 00:25:08,799 and i managed to get like after a few 709 00:25:05,679 --> 00:25:10,799 months from four five to nine ten which 710 00:25:08,799 --> 00:25:13,760 was amazing right like there's a lot of 711 00:25:10,799 --> 00:25:17,679 people actually interested in 712 00:25:13,760 --> 00:25:19,919 anyone like um learn more about security 713 00:25:17,679 --> 00:25:23,200 uh another good way to scale influence 714 00:25:19,919 --> 00:25:24,720 for people who are not part like are not 715 00:25:23,200 --> 00:25:27,440 that passionate about security to 716 00:25:24,720 --> 00:25:30,720 actually jump to these sessions 717 00:25:27,440 --> 00:25:32,320 is i was i used to 718 00:25:30,720 --> 00:25:33,360 tell them about the security since we 719 00:25:32,320 --> 00:25:35,760 had 720 00:25:33,360 --> 00:25:37,279 right and then it was a really nice way 721 00:25:35,760 --> 00:25:39,360 to show like look 722 00:25:37,279 --> 00:25:41,120 again no blame i didn't talk about 723 00:25:39,360 --> 00:25:43,520 people in about anything i just talked 724 00:25:41,120 --> 00:25:45,919 about like this happening 725 00:25:43,520 --> 00:25:47,679 and there was a bad situation 726 00:25:45,919 --> 00:25:49,679 and then we managed to fix it but we 727 00:25:47,679 --> 00:25:51,520 took like that amount of resources i got 728 00:25:49,679 --> 00:25:54,080 i had to get to the engineers for a few 729 00:25:51,520 --> 00:25:55,200 days i spent two weeks on this on this 730 00:25:54,080 --> 00:25:56,640 so we need to be make sure that it 731 00:25:55,200 --> 
00:25:59,039 doesn't happen again 732 00:25:56,640 --> 00:26:01,120 and that's useful there's like uh people 733 00:25:59,039 --> 00:26:03,120 they might not be very passionate about 734 00:26:01,120 --> 00:26:05,440 security but they surely don't want to 735 00:26:03,120 --> 00:26:08,159 give like more trouble so that's another 736 00:26:05,440 --> 00:26:08,159 way to scale 737 00:26:08,840 --> 00:26:13,440 influence and 738 00:26:11,279 --> 00:26:14,480 just to finishing off 739 00:26:13,440 --> 00:26:16,480 there are 740 00:26:14,480 --> 00:26:18,640 what i want to talk about it's the very 741 00:26:16,480 --> 00:26:19,840 last thing is the most important thing 742 00:26:18,640 --> 00:26:22,840 as well 743 00:26:19,840 --> 00:26:25,279 if you are liking a low budget 744 00:26:22,840 --> 00:26:27,919 setting you'll probably be like 745 00:26:25,279 --> 00:26:30,559 overstressed and overworked 746 00:26:27,919 --> 00:26:33,760 so do not despair it can be a very 747 00:26:30,559 --> 00:26:35,120 stressful situation i know i was there 748 00:26:33,760 --> 00:26:37,279 but you need to understand that small 749 00:26:35,120 --> 00:26:39,520 victories they compound 750 00:26:37,279 --> 00:26:41,279 right like a victory you have today can 751 00:26:39,520 --> 00:26:43,279 get a little bit more influence to do a 752 00:26:41,279 --> 00:26:45,679 bit a bit bigger changer 753 00:26:43,279 --> 00:26:48,000 than the week after and so on so far 754 00:26:45,679 --> 00:26:50,320 they compound 755 00:26:48,000 --> 00:26:53,279 so when i was when i joined that company 756 00:26:50,320 --> 00:26:55,039 i was the first security engineer and 757 00:26:53,279 --> 00:26:56,400 lots of vulnerabilities lots of things 758 00:26:55,039 --> 00:26:58,880 to fix 759 00:26:56,400 --> 00:27:01,360 and people didn't know me i was having a 760 00:26:58,880 --> 00:27:03,440 hard time influence people 12 months 761 00:27:01,360 --> 00:27:06,159 later 762 00:27:03,440 --> 00:27:08,640 a lot of the 
critical fixes well were 763 00:27:06,159 --> 00:27:10,559 there like they happened 764 00:27:08,640 --> 00:27:14,159 um they 765 00:27:10,559 --> 00:27:16,080 were invited me for like a security lead 766 00:27:14,159 --> 00:27:17,600 security engineering leads meeting talk 767 00:27:16,080 --> 00:27:19,440 about priorities 768 00:27:17,600 --> 00:27:22,080 uh for the next quarter or so even 769 00:27:19,440 --> 00:27:24,559 though i wasn't a team lead 770 00:27:22,080 --> 00:27:26,960 people easy even using to call me like 771 00:27:24,559 --> 00:27:28,720 head of security and always reply to 772 00:27:26,960 --> 00:27:30,880 them and say if i was ahead of security 773 00:27:28,720 --> 00:27:33,200 i would have a budget 774 00:27:30,880 --> 00:27:35,200 um but anyway i 775 00:27:33,200 --> 00:27:37,360 it's possible to make change you need to 776 00:27:35,200 --> 00:27:39,360 be patient 777 00:27:37,360 --> 00:27:40,480 please do not despair and you take care 778 00:27:39,360 --> 00:27:42,640 of yourself 779 00:27:40,480 --> 00:27:45,120 burnout is the thing and if you're in a 780 00:27:42,640 --> 00:27:47,840 low budget setting it can be really 781 00:27:45,120 --> 00:27:49,760 really difficult so take your time like 782 00:27:47,840 --> 00:27:52,240 um budget is not something we control 783 00:27:49,760 --> 00:27:53,919 very much just exact team members is a 784 00:27:52,240 --> 00:27:56,240 leadership decision 785 00:27:53,919 --> 00:27:58,480 so you you can't do what you can do with 786 00:27:56,240 --> 00:28:00,880 the resources you have so just be 787 00:27:58,480 --> 00:28:03,279 patient take care of yourself 788 00:28:00,880 --> 00:28:06,240 do not spare 789 00:28:03,279 --> 00:28:08,320 yeah that's why i had to talk today 790 00:28:06,240 --> 00:28:11,320 thank you very much you're hiring by the 791 00:28:08,320 --> 00:28:11,320 way 792 00:28:16,960 --> 00:28:21,440 i'm not listening um 793 00:28:19,440 --> 00:28:22,480 chris 794 00:28:21,440 --> 
00:28:26,880 hey 795 00:28:22,480 --> 00:28:26,880 first person to be on camera and muted 796 00:28:29,039 --> 00:28:32,960 well done me i was typing your 797 00:28:30,799 --> 00:28:35,840 two-minute remaining thing out just as 798 00:28:32,960 --> 00:28:35,840 you finished 799 00:28:36,320 --> 00:28:40,880 um thank you very much it was great uh i 800 00:28:39,760 --> 00:28:44,240 imagine there are going to be some 801 00:28:40,880 --> 00:28:46,320 questions based on the chat so uh please 802 00:28:44,240 --> 00:28:48,000 have a chat in um 803 00:28:46,320 --> 00:28:51,120 in the hallway track 804 00:28:48,000 --> 00:28:54,240 we are breaking for lunch now so we will 805 00:28:51,120 --> 00:28:56,880 see you all again at half past one uh 806 00:28:54,240 --> 00:28:59,440 australian eastern time 807 00:28:56,880 --> 00:29:02,440 have a great break everyone 808 00:28:59,440 --> 00:29:02,440 thanks