The Security Table
The Security Table is four cybersecurity industry veterans from diverse backgrounds discussing how to build secure software and all the issues that arise!
Looking Back, Looking Forward
Join Izar, Matt, and Chris in a broad discussion covering the dynamics of the security community, the evolving role of technology, and the profound impact of social media on our lives. As the trio considers what they are most thankful for in security, they navigate a series of topics that blend professional insights with personal experiences, offering a unique perspective on how these elements intersect in the modern world.
Chris begins by highlighting the importance of collaboration and learning within the ever-expanding security community. Shifting to broader security concerns, Izar emphasizes the value of mentoring and the potential for institutionalizing it through platforms like OWASP. Matt critiques over-relying on AI. He advocates for tool-assisted solutions rather than tool-performed ones and stresses the importance of accurately representing AI's capabilities.
In a particularly engaging segment, the panelists explore the influence of social media and technology on personal well-being. They share anecdotes and observations on the pursuit of simplicity in a tech-driven world, discussing the concept of 'social media sobriety' and social media's impact on happiness. They conclude with a collective call to action, urging viewers to engage in positive change through volunteering, mentoring, and contributing to open-source projects. This discussion is a must-watch for anyone interested in the intersection of technology, security, and societal trends.
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel
Thanks for Listening!
Chris Romeo: we can get into that. So, hey folks, welcome to this episode of The Security Table. This is Chris Romeo, joined by Matt Coles and Izar, who is now only literally using one, his first name, on anything. Um, his, the previous episode has gone to his head and he doesn't even put his last name into things anymore. Like, if you don't know who he is, then that's on you, is kind of his,
Izar Tarandach: Look, when you have a name like mine, all you need is a first name.
Chris Romeo: That's true. That's true. I wish I had the same
Matt Coles: Just remember, if you have any IT calls, you know who to
Izar Tarandach: Don't call me!
Chris Romeo: Come on, it's the holiday season and that's when all of our relatives like us to fix their, their computers, their smartphones, their TVs, their tablets, anything that's connected to the internet.
Izar Tarandach: And that's why I have a t-shirt that says, No, I don't do Windows.
Matt Coles: You know you'll find that one, that one relative who has, you know, something strange.
Chris Romeo: Yeah,
Izar Tarandach: My relatives, all of them, have something strange.
Chris Romeo: Oh, that's fun. That's fun. You mentioned right
Matt Coles: Can you fix my 68000 series Mac? Come on.
Chris Romeo: Sheldon
Izar Tarandach: It goes like this: Oh, wait, you work in computers, right? Yeah. You have a degree in computer science, right? Yeah. So listen, you're gonna help me with this Excel. I open it and I have this strange, like, stare that I do when they say that, where very quick they stop asking and just move away. So... No, I'm just like looking at the horizon with the 100 windows stare.
Chris Romeo: I'll say you're doing the Elon Musk thing. Apparently Elon Musk does that, where he'll go into like a trance for a while. And then as people are talking to him, eventually they'll just stop talking, and then he'll kind of like finish thinking about whatever he's solving and then he'll come back to the conversation.
Izar Tarandach: Yeah, exactly that, minus the solving thing,
Matt Coles: You know, with the, with the, you know, with the Neuralink, you know, with the Neuralink chip he's just, you know, organizing his threads.
Izar Tarandach: He's running garbage collection!
Chris Romeo: Hey, I'm, uh, that's probably true. I'm just, I'm almost finished with, uh, Isaacson's book on Elon Musk, which is the latest. And it's fascinating. Like, I'm, I'm learning so many, so many things about how to be a good leader. Like, fire people during a meeting if you don't like how they,
Izar Tarandach: Oh, by the way, you're fired.
Chris Romeo: Yeah, if you don't like how their response is, just immediately fire them in the middle of the meeting in front of everyone else.
Matt Coles: The firings will continue until morale improves, right?
Chris Romeo: Yeah,
Izar Tarandach: Immediately what came up.
Chris Romeo: Yeah, I mean, he gets, he gets stuff done though. You know, he's got a lot of successful companies, but that's not why we're here.
Izar Tarandach: Yeah, just be happy we don't have SCSI cables anymore.
Chris Romeo: Uh, you don't have those? I need to upgrade my stuff then.
Matt Coles: And if, uh, you know, if Elon is listening, you know, maybe we need a new guest on the show.
Chris Romeo: Yeah, come on. You're always welcome, Elon. You can connect over Neuralink from your, your Tesla, from a spaceship, or from Twitter, I guess. VX, or 2X,
Izar Tarandach: No.
Chris Romeo: is. Oh,
Izar Tarandach: Oh, it's gonna be a blast.
Chris Romeo: That'd be fun. Alright, well, we wanted to have a little holiday episode, for which we all wore our most festive holiday gear that we could find, which is basically the same thing we would wear to a holiday party, or a Thanksgiving gathering here in the United States. We probably would literally be wearing the same thing that we
Izar Tarandach: Not true, I got long pants.
Chris Romeo: Okay. All right. All right. Well, that's, yeah, that's, that's good. Please wear long pants to holiday gatherings. Uh, but we wanted to start our conversation here today, because, you know, we're close to American Thanksgiving, with, let's all share something we're thankful for. I'm going to say in security. I'm gonna make it broader than AppSec. I wanted, I wanted to focus this in on AppSec, but I'm like, eh, let's, let's take the, take the AppSec blinders off, or whatever illustration you can think of that would constrain us to that. If you have something wittier yourself, feel free to insert that into your mind now as you're thinking. Um, but, so what are we, like, what are we thankful for in the world of security? So, who wants to go first? Because I'm
Matt Coles: Why don't you go first,
Chris Romeo: I'm thankful for nothing, so that was easy.
Izar Tarandach: Not true, not true.
Chris Romeo: Okay, alright, I'll go first. I'm going to take the one side. You guys making me go first? Guess what? You guys are going to be really upset because I'm going to take one that you want to share. I am thankful for a community that the two of us... three of us are all a part of, that includes the likes of Brook Schoenfield and Kim Wuyts and Adam Shostack and Avi Douglen and Siva Diller Snyder and many other friends of ours that we're, uh, that are our threat modeling besties, is the best way I can think of to describe them. So I am thankful for that community. Uh, it's made going to conferences such a fun experience now when I know that some of those folks are going to be there, some of you are going to be there, and we get to hang out and talk, and, uh, and so that's, that's something, and I think that's something that, that, it's, other people can replicate that too. Like, it's, yes, the, the, the group that we have joined up with is a special group, but other people can do the same thing. You know, it's not, it's not, there's nothing special about, we didn't, we're not like some great people at making groups or whatever. Um, but it's good to, it's good to have community inside of our, of our organizations and inside of our, our jobs and, and professional careers, right? Cause this can be a pretty lonely environment if you don't have some community to lean into and some people to tell you when you're full of it and stuff like that. So there, I took the one.
Matt Coles: Yeah, I want to take that a step further than Chris, so just a different, different angle on, or not a different angle, but a different area for that. So I've had an opportunity to work over the many years, uh, oh my god, decades now of doing security of some sort. And I've had the pleasure of working with so many interested and interesting people. Talk about community, but talking about really, uh, people who want to share their experiences and share their knowledge. And I'm talking about folks in standards bodies. So whether that's, uh, something like OWASP, you know, a community initiative, or something, you know, uh, where you have to, you know, pay to get in, or, uh, or whatever, or they're making, you know, fancy, uh, fancy documents and specifications and, and whatnot for the industry to follow, the folks who define those things, uh, spend countless hours. And I'm thinking, you know, more recently of like CVSS v4, for instance, with our, with the launch of, of v4, the dozens of people who are involved in making that happen, writing documentation, sharing ideas, putting their brain power at work to help the industry at large. Uh, I am, I will say I'm thankful that we don't have to figure this out for ourselves and that we have an opportunity to share amongst our, amongst the members of the, of the community, the security community, to make us all be more effective and efficient and capable in the work that we do.
Chris Romeo: He's already had a lot of time to, to ponder here,
Izar Tarandach: Yeah, so I had to quick pivot here. And I am very thankful for SBOM and DAST. AHAHAHAHAHAHAHAHA!
Chris Romeo: podcast. Thank you, folks. This
Izar Tarandach: WAIT! WAIT! WAIT! There is more! There is more!
Matt Coles: Wait, oh wait, Izar's video seems to be hung. There's a...
Chris Romeo: Yeah, that's right. He's just been kicked out of the call.
Izar Tarandach: There's more, there's more. No, uh, I'm actually very, very, very, uh, thankful to them because they gave us so much to talk about, right?
Chris Romeo: Ah.
Izar Tarandach: And he saves! So, but actually, I, I, I, my original one. I wanted to build a bit on what both of you brought up, and I, I think that it's not random that the three of us immediately jumped to community, because in joint ways and in separate ways we have had so many amazing experiences this last year and a bit before. But the one thing that I am really, really, really thankful for in terms of security is, in terms of community, is that, and especially outside, beyond the realm of AppSec. I think that in a way we have shared that label of a security that eats its own, of a community that eats its own.
Chris Romeo: Hmm.
Izar Tarandach: I think that we used to be very insular, very closed, we used to be very unwelcoming of new people, and we used to be very, if you don't understand, then go away, I don't want to talk to you. And I think that we have, we have matured past that, and I'm very thankful for that. And the reason I am thankful is that first it gives me an opportunity to do something that I really, really enjoy, which is mentoring other people. So people feel that they can come up to us and say, Hey, I want to learn some of the stuff that you know, could you spend some time with me? And on the other hand, it gives me plenty of opportunity to say, I don't know, and there are people who know, and I can go to them and learn from them. I think that a couple of years ago that wouldn't be as much of a given, but as I said, I think that we matured past that and that security got so big and so important and finally we got this place, perhaps at the children's table so far, uh, we are not the dog coming under the table and asking for a bit of the, of the turkey anymore. So, yeah, I'm thankful for that.
Chris Romeo: Hmm. Yeah, that's a good, uh, that's a good assessment. Because I remember... You know, being around security, I've been in this for 26 years, so, you know, pre-Twitter, pre-Infosec drama, and all the things. And, I don't know if, maybe it's the AppSec community has, has formed a sub-group of people that are just nicer to each other. And, but I can't think of, and maybe I'm insulated from this, but I can't think of any major AppSec drama in the last year. Of something where I was like... There is a big disagreement between people in the community, and I know it's happened in the past, right? Human beings are, are, are what we are, and we're gonna, we're not gonna all get along with everybody along the way, but I, yeah, I think this has been a really good year of just being open-minded towards people, and, and being willing to mentor, and like, Janca does this Mentoring
Izar Tarandach: what I was thinking,
Chris Romeo: Yeah, Tanya does this Mentoring Monday thing where she's always looking to connect people and, and find somebody who needs mentoring with somebody who's willing to mentor. And you know, this is something that all of us that have been around for a while, we gotta, we gotta do more of this. We gotta continue to embrace this idea of building the next generation because, you know, I'm looking at 26 years and like, am I going to do this for 26 more years? I don't think so. Like we gotta, we gotta bring some more people. And that's why I've been pushing our industry too. Like, let's push some of the boundaries of things people believe and see if we can get people to think about these things. And, and instead of just going, well, we just, this is how, this is how you do DevSecOps. You just always have DAST somehow in your
Izar Tarandach: Yeah, but, you know, and don't forget to generate an SBOM by hand. But, with the values and the address for delivery. But if you don't know what I'm talking about, you have to watch the previous episodes. You're not into the inside jokes, come on, get up to it. But anyway, uh, about mentoring, first of all...
Matt Coles: Right?
Izar Tarandach: Right. So, uh, about the mentoring, definitely the first thing that comes to mind is Tanya's efforts, which are definitely laudable, but on an institutionalized-level thing, and I'm doing air quotes for whomever is not watching, my plan, and something that I would love to have the opportunity to push forward, was to involve OWASP in that. And, as part of the making it bigger for the, uh, for the membership, to create some form of system where people could, almost an eBay for mentorship. Hey, here's what I'm willing to mentor on, and here's what I'm looking for, and cross those two sets of people. So, yeah, if anybody out there... loves to write this kind of systems and would like to, to get that going. Please. Let me know.
Chris Romeo: Yeah. It's a mentoring marketplace is what you're looking for.
Izar Tarandach: Okay. Where else are we going?
Chris Romeo: No, Matt thought, Matt was going to say something. Matt was looking like he was going to say
Matt Coles: I, I, you know, the only thing I was going to add was really was that it really has been, I think, since the pandemic, right? Pandemic changed a lot of people's outlooks on things. And since then, the flame wars in public, uh, you know, drag-out fights around, you know, my opinion versus my opinion, uh, is, is, I think is, at least in the circles we've been involved with, uh, right? People are much more willing to debate, to discuss, to share ideas, to, to mentor, uh, or to be mentored. Uh, oh,
Izar Tarandach: You haven't been to Reddit lately, huh? No, no, I kid, I kid. It's much better.
Matt Coles: It is much better, it is, well, it is different, and we're not talking, there's certain platforms I suppose that you could go to that, uh,
Izar Tarandach: If you're going to 4chan to get your AppSec
Matt Coles: or,
Izar Tarandach: you're in the wrong place
Matt Coles: or, or, oh well, I don't, I'm not on, I don't do X, I don't do X anymore, um, but, uh, you know, and, and I think Mastodon's a ghost town at this point
Izar Tarandach: Wait, wait, wait, wait, wait, wait, I have to parse this one. When you say I don't do X anymore, you mean X,
Matt Coles: that thing
Izar Tarandach: known as Twitter.
Matt Coles: Yeah, the thing formerly known as
Chris Romeo: Solve for X, solve for X, please.
Izar Tarandach: Good, good, good, because otherwise we would have to have some EDM around here, and some lights blowing, and stuff.
Matt Coles: Ha.
Chris Romeo: Different kind of X.
Izar Tarandach: Yeah, and see if we can get Matt in the thing again.
Chris Romeo: Yeah. I'm, I'm definitely not thankful for Mastodon because I never figured it out. I'm like, I consider myself to be mildly intelligent and I just don't get this. Like, why don't things connect to each other? Like, why do I say it's one thing here and it doesn't get over there? Like, what's happening here?
Izar Tarandach: Yeah, so I feel like Mastodon just got like, in a block of ice somewhere, and it's waiting for global warming to make something happen, and perhaps there's a movie there, I don't know.
Matt Coles: Maybe, I mean, we're, yeah, we are, we are older. We were older white guys with glasses and until recently all had beards, and I'm sure we can't figure out this distributed computing thing called Mastodon, uh,
Izar Tarandach: I got my login working, I just don't get to get there. Hahahaha. infosec.exchange
Chris Romeo: There's the problem. I shouldn't, we shouldn't have to define it, but you know, that's, that's neither here nor
Izar Tarandach: Hey, Yotsim,
Chris Romeo: we're, we're
Izar Tarandach: it's just your email, right?
Chris Romeo: Yeah, I mean, I would say I'm thankful also for this podcast, the experience
Izar Tarandach: Oh yeah,
Chris Romeo: in just, it's, it's been fun to just riff on things,
Izar Tarandach: high point of my
Chris Romeo: All right, I'm gonna let our audience in on a little bit of, a little bit of behind the scenes here on The Security Table, so get ready.
Izar Tarandach: Wait, wait, wait, wait, wait. Thanks.
Matt Coles: Wait, under the table. This is under the table
Izar Tarandach: This is
Chris Romeo: under the table? Okay, under The Security Table. This is a special episode. We are under The Security Table. Yeah, he started disappearing on the video feed. Under The Security Table. Whoops, I managed to lose a headphone. I was laughing so hard. Um, but the, yeah, I mean, the, the, under The Security Table. We don't have, listen folks, we don't have any budget for special effects either. I
Izar Tarandach: No, notice that the only camera that's not following anybody is yours, which is supposed to follow you.
Chris Romeo: AI camera that's supposed to be following. Just to let folks in on a little bit of secret here, like, we don't actually prepare a whole lot before we start recording. So, but it's been fun!
Izar Tarandach: Or at all.
Chris Romeo: we often have a topic that
Matt Coles: is, this is my preparation for, this is my preparation for today.
Chris Romeo: What's good. That's cool. You did more than I did. I'm just freestyling, but it's been fun.
Izar Tarandach: The security riff.
Chris Romeo: Yeah, but it's been fun to just explore topics and just talk about them in a recorded
Matt Coles: Oh, oh, by the way, something else for our guests to know, we usually choose the topic either the day of,
Izar Tarandach: Or 15 minutes
Matt Coles: moments before the episode,
Izar Tarandach: Or, even worse, 15 minutes after.
Chris Romeo: after we, after we start recording. Now, we often have a discussion before we hit record to
Matt Coles: and
Izar Tarandach: sometimes is better than the podcast
Matt Coles: always complain that we don't hit record early,
Chris Romeo: Yeah, I try to hit record as soon as I possibly can. We can always edit out anything crazy anybody
Izar Tarandach: So, now, we were planning to go with, uh, what was the next one? Things that we
Chris Romeo: So this was holiday gifts. So two holiday gifts that you would like the AppSec industry to give you.
Izar Tarandach: Yes, and I'm going to add to that one. Things that you want to be thankful for next year.
Matt Coles: Oh, now, yeah, you're upping the ante,
Chris Romeo: Come on, I was trying to sell this like it wasn't a prediction by calling it a holiday gift. And
Izar Tarandach: Not a prediction, it's a request.
Matt Coles: So, so let me throw, let me throw a different alternative for you since it is the season of the holidays. We just said what we're thankful for, for Thanksgiving. We're going to talk about what gifts we want, uh, for the holidays from a security standpoint. Let's consider New Year's and what should be somebody's New Year's resolution around AppSec.
Chris Romeo: Oh ho
Izar Tarandach: I would not try to threat model with ChatGPT.
Chris Romeo: The glo... Dude, you just dropped the gloves right off the start. The game started and the gloves were off and Izar's like, Let's go. It's go time. Start swinging. Wow. Okay, let's go back to the, uh, let's push those New Year's resolutions a little bit down here, down the, the, uh, the agenda. And let's, let's, let's explore this, this holiday gift-giving extravaganza. So Matt, we're going to, since you appeared to have a sticky note where you had prepared some thoughts, I'm going to
Matt Coles: I didn't, if I didn't, I'd be, I would just be sitting here like stuck,
Chris Romeo: Oh, look at Izar, has literally 50 blank sticky notes that he's attempting to make us think he's prepared. So Matt, what do you got? Like, what, what's your, like, what, what's the gift you would like the AppSec industry to give you
Matt Coles: Right, I'm going to start with, I'm going to start with a lame one. I have, I have a couple ideas, but I'm going to start with a lame one. Um, although I, I think Izar may have already stolen it. Remember that hu... I want the AppSec industry to remember that humans are part of the AppSec process.
Izar Tarandach: God, yeah.
Chris Romeo: Hmm. Interesting.
Matt Coles: want, I want, I want, I want tools that do their job, but I want them to know that there are humans at the other end, that we cannot automate away, as much as I love automation, and don't get me wrong, I'm a huge fan of automation, but... There are humans in this process, and I realize this now over many years and working with people and even more recently from, actually from the Threat Modeling Con conference and talking to people doing threat modeling. Uh, that, you know, humans are part of this process. We can't automate everybody away. And, uh, my fear is with the, with the push to AI to replace humans, uh, that we'll move to tool-performed, not tool-assisted.
Izar Tarandach: Remember
Matt Coles: that's my wish. That's my wish, that people remember there's humans in this process.
Izar Tarandach: Remember when we had the t-shirt, go away or I will
Matt Coles: Replace you with a very small shell script, yes.
Izar Tarandach: Now it's go away or I'll replace you with a very short prompt. And
Chris Romeo: mini AI things that would, the ChatGPT, uh, what do they call it? The, the things you can build now, the mini versions.
Izar Tarandach: what, what,
Matt Coles: Mini LLMs.
Izar Tarandach: what makes me very afraid is that I think that the industry jumped Matt's request rather than invest into recognizing that there are people in there. The brunt of the investment now is into taking people away from there by putting all these mini AIs and whatnot. And going back to that New Year's resolution, and something that we have addressed in previous episodes, people, these things, seriously, they're like an army of monkeys randomly typing on a typewriter, but at the same time throwing a coin up and down to see what's the probable next word. So please don't, don't, don't say that they have superhuman capabilities of inference and cognizance, and that they are able to do all the things that we should, that we are not able to do much better than we ever will. Because that is not how it works,
Chris Romeo: Sounds like you're like, sound like a marketing person now.
Izar Tarandach: Right?
Chris Romeo: I want to buy whatever, whatever you're selling here. I'm buying, man, inference engines. And so that, that leads me to mine though. Let me, let me get, let me tee up my, the gift I would like from the AppSec industry, because it plays into what you just said with that marketing-strewn thing.
Izar Tarandach: The marketing stuff!
Chris Romeo: I would like marketing, AppSec marketing, just to stop saying stupid things. Okay. Am I asking too much?
Matt Coles: Can you give us an example there of
Chris Romeo: I have, I have a whole bunch of examples, actually, if you would like the, uh, the make
Matt Coles: What's your top two? What's your top two?
Chris Romeo: MakeShiftHappen is, is a, this is a prominent company that, that this is their, their go-to-market campaign across LinkedIn and many other places. MakeShiftHappen. So I have so many problems with this. First of all, as a sensible startup founder, I'm never going to put, I'm not going to put a cuss word into the, a place where a cuss word began its life, I'm not going to use a substitutionary word into that because I just, it's just not, it's just, I don't know, it's just not very high class to do that to me. And like my company, my brand stands for something like, and it's, it's not, I don't want people to think of it in that regard. So MakeShiftHappen, um, was one of them. I saw another one that, um.
Izar Tarandach: Do Epic Shift!
Chris Romeo: Well, this is my, uh, move AppSec forward campaign for 2024. Don't shift left, move AppSec forward,
Izar Tarandach: Oh,
Chris Romeo: not about, it's not about shifting, but that's, we'll save that for another episode in the future. But let me, let me see, another one of the examples that I had was, um, well, it was something to the effect of, you know, something about, uh, using AI to revolutionize AppSec or something like that was the, and like, to your point there, Izar, like, it's not really possible right now. Like, you can't revolutionize anything with AI. Yeah, in a couple of years, as this, these things continue to get better and better, okay, then we can talk about replacing the human thought process or whatever, but that's not what Gen AI does right now. It does, it's not like it's sitting there thinking, going, Ooh, I got a new idea. Let's roll this thing out. It's pattern matching. It's, it's guessing the next word that it needs to reply back to you with, based on all the other words and things that has ever been written that it's been able to analyze and put together. And so, yeah, that's the gift. I would like those. I would like marketing. Just represent your product for what it does and leave shift left behind. Let's just, let's just make that a 2023 thing. Let's start fresh in 2024. Let's just stop shifting left. Just find something else to say. It's such a tired phrase. Remember when Wired used to have the wired and tired? If you
Izar TarandachOh yeah, oh yeah,
Chris Romeolike, shift left is tired, leave it, find something else.
Izar Tarandachokay. The gift that I would like to be given. It actually connects to what Matt stopped doing, the, uh, the X thing, but not the former Twitter thing. I want us to take a page out of GenAI, and we should start doing something that GenAI does so well. Can you guess what? I want people to start hallucinating. I want people to start getting bored, because that's where the best ideas come from. We are all inside the box right now. We are being fed thing over thing over thing in our echo chambers of Twitter and X and whatnot or LinkedIn or whatnot and we are being told that this is the next thing and that here are the millions and that this is what the VCs are looking for and that this is the shift that's going to take our industry to the next level. And a lot of people that have a lot of capabilities and a lot of talents are just sitting and consuming all that stuff. I want people to stop hallucinating again. I want people to stop getting bored again. And I want people to say, that's not what I want. I'm going to do one better. I'm going to do one, one stronger.
Chris Romeomake something better. So you want people to take the red pill.
Izar TarandachUm, no, no. I want people to just, you know, once you, you challenged us to, to shift the paradigm. from the scan cycle and all that. I want people to step up to that kind of challenge. I want people to not look at that and say, well, that's how we ever did it and it works, and it's an industry that's worth billions and billions of dollars, so probably something is right here. I want people to say, no, we can do it differently. And I want to see what they come up with.
Chris RomeoSo think differently.
Izar TarandachYeah, don't be afraid of hallucinating, of asking how cool would it be if...
Chris RomeoI'm gonna say, when you first got halfway through that sentence and you were prescribing hallucinations, I didn't know where you were going. I was a little bit concerned for a second, I'm like, Is he gonna recommend like peyote experiences in the desert? To kind of unlock our thinking. We're
Matt ColesLSD
Chris RomeoI didn't know where you were going there.
Matt Colesfor your TLC, uh, for your TLS.
Izar TarandachSo,
Matt Coleseven say it right.
Izar Tarandachso, okay, so, so, so disclaimer here, like public disclaimer, I am such a coward for that kind of thing that I don't think that I would ever get it there. Even though we keep hearing about this micro dosing thing coming from San Jose and where not, but no, I don't think that I would, that I would go there. I think that what I really want is for people to be bored, to not always be fed by something else that tells them how to think. And once they get there, to step out and think differently.
Chris RomeoWell, you're describing a cultural problem
Izar TarandachYep.
Chris Romeoare that were I mean it is a it's an epidemic what you just described It's an
Izar TarandachWe are limiting ourselves.
Chris Romeoof a lack of thinking people are such consumers now of information Like I I don't know about you. I haven't watched the news in probably 20 years. I don't watch the news Because the news doesn't tell me anything good. The news is about telling me all the bad things that are happening. And so I just don't watch it because I don't want to constantly be thinking about the sky's falling because they spend a lot of time saying the sky is falling. Yes, there are problems that happen in the world and they're reporting on those. But a lot of times the 24 hour news cycle creates this thing where they're just trying to find something to make people panicked about or worried about. And so I just said, I'm just not doing it anymore. And that's the beginning of unlocking my mind is I'm not, I'm not, I don't have a thread running that's in panic mode all the time about what's going to fall out of the sky or what's going to, you know, what's, what are the, what are the things that are, I should be most, they're trying to make me scared of today.
Izar TarandachYeah, so that touches me deep because for the past month I have been glued to the news 24x7 since October 7th. And at the same time, I have been thinking for a long time already, that what makes us good at what we do, namely threat modeling, is the fact that we have these raiders that are constantly looking for what could go wrong. And me myself, speaking only for myself, I, for a long time now, I haven't been able to turn that off and step away from the professional realm and stop looking at what could go wrong everywhere. And I do feel that that puts me in a constant fight or flight mode. So, sometimes I get myself with less patience than I should have, or more stress, more worry than I should be. But, uh, I get what you're saying. People are... I don't think that people... What was the term that you used? People are... Limited, you said? No.
Chris Romeo: I can never remember what I say, so...
Izar Tarandach: Yeah, no, I think that what's happening now is that people have been looking at things through a paper tube,
Chris Romeo: Mm-hmm.
Izar Tarandach: you know, getting that tunnel vision. And what I'm challenging people to do, and what actually you challenged people to do before, is to not be afraid of stepping out of the paradigm and thinking about different ways of doing things, right? I mean, nowadays you get one person, one very smart person, coming and saying, hey, hey, hey, I connected this thing to ChatGPT and it's doing this, and then you get a thousand mini-me's coming out. Yeah, I connected it too. Yeah, I connected it too. And then you end up with like this huge amount of things. Or the same thing: I got a graph database doing this and that in the auto. Yeah, me too. Me too. Me too. Me too. Me too. And, uh, I don't know. It's, it's like, why, why is it so hard for us to innovate in this industry?
Chris Romeo: Yeah, and I'll throw out another thing, just because we're kind of on this, how would we need to change to get better. And I was just, I was looking for an episode of the Tim Ferriss podcast to remember who I heard this from, but they used the term social media sobriety to describe how long they had been away from the social media machine that, that influences us according to an agenda, right? And it could be X, it could be Instagram, it can be LinkedIn, it could be anything, any social, Facebook, any, any social media platform has an agenda ultimately. And a lot of times it's to get you to buy something, or whatever the agenda is. But this, and I can't remember for the life of me who I heard say this. It's not an original thought, but just, it kind of, it kind of got me, grabbed ahold of me though, this idea of social media sobriety, that you could be away from things. And I have, I'll tell you this other story, because it's, it's, it's, it's just a, it's kind of a, it fits into this, this topic we're discussing. So I, I know this kid. He's like, I don't know, 21 years old or so, and he carries a flip phone. Do you guys know what a flip phone is? Yes, you do. Of course, 'cause you're old enough to remember. That's where we all started with phones. He has a flip phone. And I asked him, I said, in this modern day and age, this is so odd to me. Like, I'm a technologist. I have a new phone all the time because I always wanna know what the new, new things are we can do. And, you know, I'm so driven by the need for the latest and greatest technologies and things. And I'm like, how do you survive without a flip phone? With a flip phone? You know what he told me? He said, I don't have social media. I don't use social media. One, it doesn't work on my phone. Which is funny when he's sending a text and he's literally hitting like 111 to make ABC and all that. But it really, it kind of grabbed a hold of me, because I'm like, and you know what I told him right at that time?
I said, you live a happier life than I do. I'm not kidding. Imagine a day being able to go a week and not being consumed by things that you see on X or what people are saying on LinkedIn. Or a lot of people get caught in that Facebook rut of, you know, how our friends are, appear to be living such better lives than us, because everybody takes a picture of their kid's smiling. Never when the kid's throwing the bowl of spaghetti at them; that never goes on the social media stream. Right? And we've kind of, we've really diverted, we've really taken a wide turn here from where we started, but this is, this is good, because I think we're unpacking something that, that, uh, is meaningful. It should be meaningful to a lot of people, but yeah, that story of, of, uh, my friend James, his, his just approach to technology, I'm like, he is a happier person than I am.
Izar Tarandach: You know what that sounds like to me? That, uh... He found the way for AppSec for the mind, because basically he's doing input validation,
Chris Romeo: Yeah, he is. Good.
Matt Coles: Is he, he's in AppSec though?
Chris Romeo: No, no, no, no. He's not a technology, he's not a technology guy at all.
Izar Tarandach: Yeah, I, I would, I would say that that's probably very difficult, to be that kind of person and be in AppSec. But have you ever heard the concept of kosher phones?
Chris Romeo: No. Yeah.
Izar Tarandach: That there is a thing like that.
Matt Coles: Phones that are phones.
Izar Tarandach: Smartphones that are actually limited in their capabilities, so that they can only access certain sites and can have certain chat apps.
Matt Coles: So kids mode.
Izar Tarandach: Kids phones, but channeled to a different public. And that was always something that really, really like... I don't know. The feeling that I have is that we are participating in the biggest experiment in our history in terms of social engineering. And it has never been so clear to me as this past month. When you see a lot of, uh, uh, let's call them opinions. Let's call them very excited opinions.
Matt Coles: We used to call them FUD. We used to call them FUD.
Izar Tarandach: Not even that. We,
Chris Romeo: It's gone to disinformation, right? Like, I mean, that's a, that's a military term. Like you have in, you, disinformation is, is misleading a public for your own, for your own agenda. And I think there's a lot of that happening right
Izar Tarandach: Disinformation, psyops, and, and whatnot. And, and as I said, I've spent the last month glued to the, to the TV. And it was the first time that I saw a commercial showing how fake news would be posted on something that looked like WhatsApp. And the last line of the chat, of the, uh, the chat, is, why are you sharing this? Why, why are you such an idiot? And then the, the reader just going, don't be an idiot. Check your things before you share them. And, uh, it, it just showed me how the cycle closed: people used to sit down and read the newspaper, then they listened to the radio, then they watched the news on TV, then it was social media, now it gets everything through social media, now TV is
Chris Romeo: I mean, journalistic integrity is gone.
Izar Tarandach: Totally.
Chris Romeo: ...say it, like, I don't care if anybody sends me an Instagram, I don't care, I'll argue if anybody wants to tell me that it still exists. And so the days of the newspaper being an independent thing that just reported the news, and there was no side from their perspective, they just reported the facts, those days are gone, unfortunately. And it plays into this whole... Like you said, I love the way you described it. It's a social engineering experiment, and the population of the world are the people that are the subjects of this, and people are trying to see how they can influence thinking and influence big-picture things, right? But gone are the days when you could turn on the evening news and Walter Cronkite gave you the straight shot about what was happening in the world. Like, here's the facts, people, about what's happening.
Matt Coles: Well, so let's, let's, let's bring this back to AppSec then. So, so, I, I am probably not alone in using social media, Reddit, and LinkedIn a lot for finding interesting or, you know, current news about security trends, you know, the latest ransomware attacks, you know, new vulnerabilities that, or attack, you know, attack, um, scenarios that get, get identified, um, you know, advances in crypto, whatever the case may be, versus more, um, I'll say bland or, or, um, uh, you know,
Izar Tarandach: Inconsequential.
Matt Coles: well, as opposed, as opposed to more academic perhaps, or, or even more official sources, right? So like, I could look at KEV as an
Izar Tarandach: Oh, yeah, yeah.
Matt Coles: Or I could be looking at, uh, you know, MITRE pushes out reports on a regular basis. Or even third parties who have, have integrity in their research and publication methods, right? Uh, you know, to be able to push out articles that, that I could go to, but I still look at the social media feeds. But you have to take it with a grain of salt. So I guess maybe the, in pulling it back, I wanted to ask from both of you, what are your, what are your reputable sources for security news?
Izar Tarandach: My main one is you, but...
Chris Romeo: And my main one is Izar.
Matt Coles: Oh, I'm doomed. We're doomed. So the industry is over. It's over. The sky is falling.
Izar Tarandach: No, but seriously, I like what you're talking about. And I would say that, yes, there are some there. But I think that my question here is how far-ranging would it be to have a source for that kind of stuff that's not reputable and not trustable? I mean, what's the impact? How bad would it be? Because we are all a bunch of cynics by nature, so that disreputable source would first have to give us something that would bring us all to the watering hole.
Matt Coles: Well, yeah, so let's just throw out an example there. You're on Reddit, you're looking at, you know, InfoSec or Cybersecurity, and something goes, so-and-so was breached, 800 million records leaked. Okay,
Chris Romeo: I'm serious, I'm serious,
Matt Coles: so there's information overload on
Chris Romeo: I mean, we've reached the point where that problem is, I don't even, that doesn't even get my attention anymore, to be honest with you.
Izar Tarandach: So, I'm going to give you the Reddit point of view. The first comment is going to be a five-page treatise on the theory, well, it's not a theory, it actually has been proven by I don't know who, but it has been proven, that it's actually... a team of very talented Hungarian hackers funded by Experian, because it's part of their business model that if there's a breach, people are going to give the 800 million people who got impacted Experian tracking services of their data, right? So connect the dots, man, get educated.
Chris Romeo: So, conspiracy theory, okay, great.
Izar Tarandach: So that's Reddit for you. The second comment is going to be, dude, I worked at such-and-such for years and I could have told you it was just an accident waiting to happen. The third one would be, but did they test their stuff? And the fourth one would be somebody saying, I am a first-year student and I would love to, uh, contribute to that project. Would you kindly show me how to do it?
Chris Romeo: The world according to Reddit, that's
Izar Tarandach: Right? So, but, but, but I
Matt Coles: You're in my feed!
Izar Tarandach: Yeah, let's not go there, but...
Chris Romeo: I
Matt Coles: Wait, was that you?
Izar Tarandach: As I said, let's not go there. But anyway, the thing for me, the closing of the cycle here for me, is that if we take a look at Chris's friend that's doing AppSec for the mind with his input validation, if we look at Matt's approach that, hey, we could well build a closed environment here of places that we could rely on stuff. I think that, connecting a bit to my challenge of think outside the box: what could we as an AppSec community do to change the situation? Is there anything that we could do? Is there any kind of influence in products or in things that we do that we somehow could make the world a better place next year by using our super AppSec powers? Besides threat modeling all the things.
Chris Romeo: ...mean, I think there's always an opportunity for a group of leaders to get together and come up with some idea that would move the industry forward, and then ask a collection of people to get behind it and move forward with it. So it's not quite a manifesto, right? Because a manifesto is, is designed to be greenfield and last beyond just a year. Like the Threat Modeling Manifesto is still going strong, right? We released it, how many years ago? Two years ago?
Matt Coles: Three, three years ago?
Chris Romeo: Three years. Yeah. So, I mean, yeah, I mean, it's, it's still going strong because, so, but, but I think a group of people could get together, a group of leaders could get together and say, here's, here's some place, something we could change. Here's something we could do better. And then ask the community to get behind it. I think that's, that's how you influence change.
Izar Tarandach: But isn't that the AI letter?
Chris Romeo: Letter. Well, I mean, the AI letter was just taking a stance, right? It wasn't, it wasn't an
Izar Tarandach: talking about things like a moratorium and things
Chris Romeo: but it wasn't, it wasn't anything that anybody could get behind and actually do something. You could sign it and say, yeah, I agree with what they're saying. That's not what I'm talking about. We don't need any, we got enough letters in this, in this world. We don't need people to sign letters. We need people to take action to do, to cause some positive change, right, based on what you're talking about. And
Matt Coles: Well, and what, and what, uh, and what changed? So what change do we need? Because actually my second one, it may be related to this. So my second gift was actually more of a gift idea for others. And, and so I'm not big on, I'm not big on, on, on gifts, like physical things. Um, and maybe this is just an evolution of, I'm not, I'm not 12 anymore. Um, but, you know, the things are fun. Some things are fun. My wife got the, got me this for my birthday. It's a fidget spinner and I can't put it down, uh, but, um, you know, it would be,
Chris Romeo: Izar's got
Matt Coles: oh, where's my, I have, I have a few, I have a few more I could pull out. So, uh oh. Yeah, actually this, this, this, connect, this, this connects fidget spinning and D&D, because it has, it's a D20 dice roller as a spinner, which is awesome. Um, anyway, uh, but, so, as a gift idea, uh, use that extra energy when you're not looking at Reddit or, or social media feeds, and go, and go volunteer. Go volunteer your time. Go, go mentor. Go look at open source projects. Pick an open source project at random. Throw a dice, throw, throw, throw, throw a die or a, or a dart at, at GitHub and, and pick a project and go file bugs. Go find and, go find and file bugs or PRs, as Izar likes to say.
Izar Tarandach: So
Matt Coles: We can, we can help improve the industry in small steps when we're trying to, while we're trying to form something bigger to solve bigger industry problems.
Izar Tarandach: Definitely.
Matt Coles: And that's my, that's my, that's my peace on earth and goodwill towards men, uh, gift idea. Thank you.
Chris Romeo: ...in the, in another episode about New Year's resolutions, AppSec New Year's resolutions, but I think this is a good place to wrap up for this holiday-themed edition. As you can see, once again, based on our outfits, very much holiday-themed for us. Thanks folks for joining another episode of The Security Table.