The Security Table

AppSec Resolutions

January 09, 2024 Chris Romeo Season 1 Episode 39

Join us for the final episode of The Security Table for 2023. Chris, Izar, and Matt answer fan mail, make fun predictions for the upcoming year, discuss their resolutions for improving cybersecurity, and make a call to action to global listeners. Highlights include the reach of the podcast, explaining Large Language Models (LLMs), Quantum LLMs, Software Bill of Materials (SBOM), and the importance of teaching secure coding from high school level up. Chris, Izar, and Matt share their passion for making cybersecurity more accessible, practical, and effective through critical discussions and innovative ideas.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Chris Romeo:

Hey folks, welcome to another episode of The Security Table. In fact, the final episode of 2023. We'll do more after, you know, when 2024 comes around. Ah, this is Chris Romeo, always glad to be joined by my friends Izar and Matt.

Matt Coles:

You didn't do it right, Chris. It's Izar. Izar. Tarandach.

Chris Romeo:

sorry. Izar.

Izar Tarandach:

I'm still going for the one

Chris Romeo:

The one?

Izar Tarandach:

word.

Chris Romeo:

Okay. Izar. Sorry. Izar is in the building. Uh, he's just, he's just moved from the green room to the camera spot that you see him here after consuming all the green M&Ms that we had available in

Izar Tarandach:

the crowd goes wild.

Matt Coles:

Where's the popcorn when you need

Chris Romeo:

well, that's a, that's a good point there about the crowd. So we got to see some statistics about the security table from, uh, from the time we launched early in 2023. And as it turns out, we're big in. Dublin, Ireland. That's our number one, uh, city around the world. So shout out to anybody in Dublin, Ireland, who's listening to us. And we also learned that we're, we're gigantic in Australia. So let's see, Perth, which I want to visit Perth. It's on the west coast, right, of Australia. So, um, Auckland. These are two places in Australia where we have a number of listeners. So

Matt Coles:

Good thing, good thing Auckland is not in Australia and they're not going to be

Chris Romeo:

Oh, it's in New Zealand. Sorry. Sorry. I knew that better. I knew that better than

Izar Tarandach:

Wars have begun for less.

Chris Romeo:

That's true. That's true. So thank you. So let's, uh, yeah, that'll be, no one will ever hear that because I'll have it completely cleaned up. No, I won't. It's fine.

Izar Tarandach:

Only in Australia.

Chris Romeo:

Sorry Auckland, I've been to, I've been to New Zealand. I spent a, a, a roaring 16 hours in New Zealand and I need to get back for a longer period of time. Um, but yeah, super excited to see we've got people listening to the table from all over the world. Um, something about our wacky, zany banter is, uh, what's, what's drawing people into the conversation here. Uh, we're going to talk about Resolutions, but also, eh, predictions. But, I'm going to talk about resolutions and then maybe Izar and Matt are going to talk about predictions. And then I'll make fun of predictions. But, we did get some fan mail here on the security table, which is pretty exciting. Like, we have our, I think this might be our first piece of fan mail. Alright, here, I'll read it to you

Matt Coles:

Could have been

Izar Tarandach:

the only one. It

Matt Coles:

Could have hate mail, so, you know.

Chris Romeo:

but we just, you know, we just kind of leave that alone. But, okay. Hi! I'm a big fan of the Security Table podcast, and I listen to it every time I'm at the gym. Sometimes your opinions contribute to elevating my heart rate, so thank you. I don't know, is that a good thing or a bad thing? I don't know what, I don't, uh, I don't know if that's like, you know, I'm so mad and furious that you people are just missing the boat so badly that it's raising my heartbeat. But, after listening to many episodes, I think I can predict what will happen next. Like right now. I think the next episode will be about predictions for the year 2024. Now, am I that good, or is it just due to information disclosure? Only two people know. Um, I don't know who the two people are, but

Matt Coles:

that's a good

Chris Romeo:

I thought there's three of us, so like, did two of the three of us know this is an inside job? But this, uh, this fan did provide us with a prediction for 2024, so let's start there, and we'll, we'll consider this prediction and decide whether we, uh, Want to attack it, agree with it, or something else. We will have our first large scale security breach on the pipeline, or leak, of a popular AI. People will get disclosed on previously unknown details such as how the AI is tied to their privacy. Major worldwide outrage will ensue, but will last four days. It's very specific that it's going to last four days. So, all right, what do you, I mean, how do you guys respond to this? What do you, what do you think about this prediction?

Izar Tarandach:

But, uh,

Matt Coles:

Crazy, crazy fan mail.

Chris Romeo:

It is very, very specific. But I mean, is there a chance this

Matt Coles:

I'm sure, I'm sure this is, it sounds like an inside job. Like there's something, something gonna happen. You know, this person knows that they're, maybe they're the culprit.

Chris Romeo:

mean, let's push beyond

Matt Coles:

last four

Chris Romeo:

let's, let's push beyond that as, as far as who may have actually done this. And is it, is this, is this a potential problem?

Izar Tarandach:

look, at this point, and again, connecting to what we did on the last episode, where we sort of got to the conclusion that, uh, AI is nice, LLMs are great, but they're just one more piece of software, right? And uh, the same way that every single other piece of software out there, at some point the controls failed and breaches occurred, I think that it's a matter of when, not if.

Matt Coles:

Yeah, I agree. And, and, you know, it is, it is highly likely, I think from, from the discussion, the attack is not going to go through the prompt,

Izar Tarandach:

Yeah,

Matt Coles:

The attack is going to come from a database breach. Somebody's going to leave something on, you know, unprotected in the cloud. You know, we've seen that a time and time and time again, uh, or some piece of device, some hardware will get lost or something. So, I mean, these are classical computer systems. They have classical security vulnerabilities.

Chris Romeo:

What about the privacy tie in, though? This, the, like, he's, he's making this conclusion, or drawing this conclusion that AI, LLMs, have more private data in them than we realize. That was part of the prediction, so do we think that there is a collection of personally identifiable information included within some of these big time LLMs?

Matt Coles:

I think if an LLM has any source, any sort of history, right, understanding what was asked of it by a set of users. Uh, and if then, if that information is unfiltered in any way, uh, then, then I think yes, I think it could certainly draw conclusions. I, I imagine somebody could ask it, uh, and, and maybe in a way that would bypass the, the injection filters. Uh. You know, who, who's been asking you questions, what type of questions have they been asking you, right? These are all great ways to start drawing conclusions about the user base.

Izar Tarandach:

But

Matt Coles:

give you potentially identifiable information. We know that, we know that with IP addresses or, or even, even secondary data with respect to health information, right, to put you into a population. So we know that that exists today for privacy.

Izar Tarandach:

that assumes that all the basic rules of security and multitenancy have been broken, that the LLM knows about all the sessions that are happening at the same time, things that we wouldn't do in any other SaaS or shared application.

Matt Coles:

Who, where, where do you get the, where do you get the sense that, that, that it's a multi tenant, segregating multi tenant enforcing system? It should be, it should be, yes.

Izar Tarandach:

you shouldn't have access to any kind of context or whatever happens in my session. So, if what you described ever were to happen, I would say that, hey, somebody here got more problems than an LLM.

Chris Romeo:

But I think that's what's happening right now though. What Matt just described is, what you've described is what you, what we want to see, but that's not how these things work right now. If you use ChatGPT through the, through the web interface, the user, the license agreement allows them to repurpose your requests as training data for future, uh, future brightening of the model. So if you give up some information in there, you, you could accidentally give up personally identifiable information, which then technically they could insert as training data back into the model.

Matt Coles:

Well, even if they, even if it's not injecting back into the model through the, again, through prompt data, let's go back to the original training data. I mean, it was fed, The internet, right? So in theory, it has access to Facebook posts or, you know, IRC channels or other session information, things that might have identifiable.

Izar Tarandach:

no, no, no, wait,

Matt Coles:

No, no, no,

Izar Tarandach:

there is something, I need to get my head around here. A bunch of some things. So people are saying, oh, this thing went and slurped Reddit and got everything from there. Okay, fine, cool. But when you start saying this thing went to Facebook and slurped out there. Went to

Matt Coles:

suggest, I don't know if it is or not.

Izar Tarandach:

No, but other people have said that in the past. It went into Facebook and got whatever is public. It didn't go into Facebook as some admin and slurped everything that's out there and whatnot. All the private stuff that people should, to the extent that people do, keep private on a place like, uh, like Facebook, didn't do it, didn't make it into the training data, right? Because it's still private,

Chris Romeo:

Yeah, but Meta is building their own models, right? So are they using Facebook and Instagram data to teach their own internal models?

Matt Coles:

Or WhatsApp.

Chris Romeo:

data that's bigger than what you could get via the public interface.

Matt Coles:

Also, remember all those, remember all those stored databases, remember all those databases that get breached because somebody leaves them exposed with no credentials? If you have a, if you have a bot that's, that's, uh, you know, indexing the entire internet for training data, something, almost certainly some of that data is going to be pulled in. If it goes to haveibeenpwned.com,

Izar Tarandach:

But how is that different from, uh, the engines that we had? The, the internet way back machine, uh, Google itself, that also indexed the whole internet. What? Like, uh, uh, confession, up to, up to last week I've been using LLMs as like a glorified Google. Go find me stuff and I'm going to figure out if what you're saying sounds like truth.

Matt Coles:

I think it's the potential for the correlation, right? The search, I think, I think, very naive thought here, that the search engines are basically SQL queries. Here's a term, get me the term, find all the pages that match this term. And it does very little heuristics. It does some, I know it does some because you ask for certain, certain words and it goes, Oh, I think you actually meant this word over here. So I'm going to give you that result instead. But the ability, the power of the LLM to understand not only the words that you use in your query, but the intent behind your query and the, Sort of the predictive nature of what it thinks you want makes it much more powerful than just basic search engine. And that's where I think the risk would come in.

Izar Tarandach:

I, I feel like I'm missing something here, cause, it's almost like people ascribe Magical powers to LLMs, and I simply don't see it. Look,

Matt Coles:

I think the other problem we have right now is LLMs work in a, in a mysterious way. I, I, you know, the, the idea that multiple people have said, you, you ask it stuff, we know what the code is, we know what the code is, but we don't understand how it gets to the results. And, yeah, I, it is almost certainly something we could know, but people don't.

Chris Romeo:

That's really scary.

Izar Tarandach:

from college days I already learned that the fact that I don't understand something doesn't mean that it's not explainable. That's for sure. But, I start getting worried when people who actually understand the thing, people who actually wrote that thing, look at me and say, yeah, we can't really trace the path between the conclusion and the, whoop,

Chris Romeo:

Oh, that's an AI

Izar Tarandach:

Physical control. That's it. The machines are coming after me. That's it. But

Chris Romeo:

gotta, we gotta silence Izar, he's gotta be done now.

Izar Tarandach:

But this one is actually physical. I have a physical control there. But so now I forget what I was saying. So explain explainability, right? So people come to me and say, yeah, we can't draw a convoluted line between the conclusion and the premise. It got there somehow, lord knows how. So that worries me, not because of the thing itself, which, hey, cool, technology, yay, there are people who understand it, I don't, but where people are going to take those conclusions and go forward with, right? So, uh, a bunch of the, of the, the examples that came up last, uh, last week. The, the, the chatbots doing the travel thing, okay, fine, sure, yeah, whatever, do something with your, with your tickets. But the AI systems doing, uh, uh, weapon targeting, that, that's a bit more worrisome to me. If you can't explain to me what happened between clicking the mouse on, uh, uh, a UAV camera feed and a missile landing on that site, that, that, that takes some, some minutes of sleep off of my night.

Matt Coles:

So I asked, I did ask Bard for some insight into how it gets to the answers that it gets to. And of course, you know, they're not going to tell me, tell me the algorithms and everything, right? That's, that's IP right there. But, but one thing I think I noticed from, from its response, from what I did get out of it, was there were a lot of things in the pipeline, right? There's a lot of things in the information processing pipeline from training to responding to prompts. A lot of filters, a lot of passing data back and forth. Very classical system problems that we have where you have, uh, you know, say a microservice development where you have lots of microservices that do different things and do data passes along this chain. And it follows a path, and you could probably trace that path. Uh, if you so desire, but, but most people probably don't. Uh, and, and so there's, or the problem of APIs where you call different APIs and, and you sort of lose track of the, of the processing flow. Um, and possibly that you're calling APIs that other people own or wrote that you don't have visibility into. So all classical system problems. I, I'm, I'm yes, I agree. I'm nervous that, not knowing, and hopefully, and I know that there is research going on to know it, um, but, but boy, somebody put, I think you said it, you said it best in a private, you know, when we were talking offline, you know, some well placed print statements would really go a long way here to figure this out.

Izar Tarandach:

You know,

Chris Romeo:

Maybe, maybe that's our homework for, uh, for the holiday break here is try to figure out how LLMs actually work. Cause somebody has to understand somewhere.

Izar Tarandach:

listen, the moment that we figure out how they do work, we get the, the, the keyword for next year, which is going to be quantum. And now soon we're going to have quantum LLMs. So we won't know how that stuff works on two levels, right? We don't know how the hardware works. We

Chris Romeo:

Is a prediction? Is this your first prediction? That quantum LLMs, you heard it here first, are the new thing for 2024?

Izar Tarandach:

I for one, welcome our quantum LLM overlords.

Matt Coles:

You can know where they are or when they are. But not both at the same time.

Izar Tarandach:

If we, if we're going to start predictions here, I have to get into Nostradamus mode, so let me know beforehand.

Matt Coles:

Wait, wait, Heisenberg, right? You need Heisenberg for this.

Izar Tarandach:

Or I don't.

Chris Romeo:

Are we talking about the Heisenberg reference from Breaking Bad or the original scientist?

Matt Coles:

I was talking to the original scientist,

Izar Tarandach:

We're talking quantum, why do you, why do you continue using or? It's always and.

Matt Coles:

also need to bring in Schrodinger, right?

Izar Tarandach:

And his cat,

Chris Romeo:

And his cat, which

Izar Tarandach:

That must be one pissed off cat.

Matt Coles:

Yeah,

Chris Romeo:

That's true.

Matt Coles:

Or not.

Chris Romeo:

Alright, so I'm gonna, I'm gonna book that though as your first prediction. That quantum LLMs

Izar Tarandach:

Quantum LLMs.

Chris Romeo:

and I'm, you know what? I'm going to do the same thing that everybody does with predictions. I'm not going to write them down and I'm not going to think about them after we finished recording this and we're never going to talk about them

Izar Tarandach:

Oh, and I'm gonna do what everybody does with predictions, I'm gonna qualify it. I'm not talking about a full LLM, I'm talking about an experimental two-qubit thing that knows how to throw a coin and basically tell you what color the coin is. What the?

Chris Romeo:

you're throwing cryptocurrency and Bitcoin into this?

Izar Tarandach:

Oh, do I have to? Wait, wait, wait, there's, there's

Chris Romeo:

about a traditional coin, but I'm like, if you can bring somehow blockchain into this as well.

Izar Tarandach:

a startup in the making there, wait.

Chris Romeo:

No, there's a prediction in the, you might, you might have a unique prediction that no one else has said. It's a quantum LLM stored on the blockchain.

Matt Coles:

I think you just invented a new cryptocurrency, a quantum cryptocurrency.

Izar Tarandach:

we need a quantum, uh, a quantum ledger. Your money may be there. Perhaps

Chris Romeo:

might not.

Izar Tarandach:

It may be going up, it may be going down.

Chris Romeo:

know,

Matt Coles:

isn't that all cryptocurrency right

Chris Romeo:

I was going to say there's a number of legal cases going on right now that are making that particular argument that that's what cryptocurrency exchanges were doing was like, maybe your money's there, maybe we've used it for something else. It's, you know, it's, it's

Matt Coles:

Flip a coin and you have a better result.

Chris Romeo:

Alright, well,

Izar Tarandach:

What is money, after all?

Chris Romeo:

It's true. What is money? What

Matt Coles:

Just an instrument of exchange, that's all, that's all money is.

Chris Romeo:

That's true. Alright, Matt, you gotta go next now, but Izar has dropped the first one in conversation. He didn't even we didn't even, like, he just made it appear in the context of the conversation so he is Nostradamus after he

Matt Coles:

I think, I think,

Chris Romeo:

outfit. Oh, boy. Well, Matt, you go ahead. Well, the audience is entertained by some fun. Tomfoolery? I don't know if that's the right word that's happening in the

Matt Coles:

Izar, Izarfoolery, it's Izarfoolery.

Izar Tarandach:

I,

Chris Romeo:

right, Matt. What's your, what are your, what are your thoughts, Matt? Give us one to keep us moving.

Matt Coles:

So I think, so very, probably very tongue in cheek, but also probably very true, that, uh, our, uh, darn.

Chris Romeo:

It's Nostra Izar.

Matt Coles:

Nostrizar.

Izar Tarandach:

It's Nostradamus.

Chris Romeo:

Nostraldamus.

Matt Coles:

to all

Izar Tarandach:

for predictions.

Matt Coles:

to, to, for all of our, for all of our listeners who are listening and not watching the video, you are missing,

Izar Tarandach:

Nostradamus has entered the building.

Chris Romeo:

Izar is in full costume here with a hat, hair, and a

Izar Tarandach:

I need a renaissance thing.

Chris Romeo:

Yeah, it's,

Izar Tarandach:

wanted to do that.

Chris Romeo:

uh, you lost the hat

Izar Tarandach:

Lost a head.

Chris Romeo:

yeah,

Matt Coles:

It's behind you.

Chris Romeo:

I don't

Matt Coles:

The closest, closest

Izar Tarandach:

Oh my god! It's behind me! It's behind me!

Chris Romeo:

All right, Matt, go ahead. What's your, what's your, you were kind of in the middle of it and then we

Matt Coles:

Oh, darn. I don't know. You know, predictions are resolution, you know, I kind of like your idea of resolutions. Predictions are so, predictions are so challenging. I mean, and I don't want to get into a lot of trouble with these. Uh, I think a prediction, I'll make a prediction, uh, about our, one of our favorites. SBOM, that, uh, SBOM will be, will, will reach, reach its peak of, of acceptability, but also its peak of, of whether it's valuable or not. Uh, so we've done a lot in 2023 for hyping this thing called SBOM, like SBOM's gonna solve, you know, world hunger. Uh, and I think like the AI cycle, SBOM will reach a, a, a point where, um, first off, I hope we, we also start introducing other terms, right? So, in addition to SBOM, we'll have HBOM, and we'll have, uh, uh, potentially other things as well. Attestation is gonna get big. And I have a feeling that what will end up happening is that SBOM will sort of take, go off of people's tongues as the next big thing. Uh, and, um, and be replaced by, by some realism that SBOM is just an inventory and that, uh, or HBOM is just an inventory and that attestation of that data is really the important part, not necessarily the, not necessarily the production of an, of a JSON based document.

Chris Romeo:

Yeah, and

Matt Coles:

so that's my, my prediction is the value will really come out of that and we'll, we'll stop the hype of everyone producing SBOM and really everyone has now a better handle on what they actually are building.

Chris Romeo:

all right, Nostra Izar looks like he wants to say something,

Izar Tarandach:

I predict that in an office somewhere, somebody is going to finally look around and say, SBOM, I found a use for it! And then the whole industry that started last year by talking, we need SBOMs, we need SBOMs, we need SBOMs, will finally close in a harmonious ecosystem that will actually get those SBOMs and do something with them, rather than just go around showing to people, I have an SBOM, I have an SBOM, I have an SBOM.

Chris Romeo:

I'm gonna, I'm gonna take it a step further, and I'm gonna, I'm gonna continue on this thread

Izar Tarandach:

Okay, doesn't bother me.

Chris Romeo:

and I'm gonna make a prediction, okay, I'm gonna make a prediction here, not a, not a resolution. My prediction is that SBOM is gonna be used as a swear word in 2024. So people are going to be like, SBOM!

Matt Coles:

Totally doing that right now,

Chris Romeo:

just for those that are of the same vintage as the three of us here, if you were fond of a particular television show in the 90s, it was kind of called the television show of the 90s, Seinfeld had this, whenever he saw, yeah there you go, my threat model is better than your SBOM. But what happened whenever one of the neighbors, who happened to be a postman,

Izar Tarandach:

Hello, Newman!

Chris Romeo:

Exactly. So, you know, Newman was kind of a cuss word in Jerry's vernacular there. And so my prediction is that SBOM, yes, SBOM is going to be the same thing. It's going to be, people are going to be sitting in their office going, Mmm, SBOM!

Izar Tarandach:

but that's the thing, that's the thing, I think that's what Matt said. Uh, bears, bears, uh, uh, uh, repeating. I think that finally it's going to become like, uh, a useful thing, of course. But, uh, uh, there'll be distinctions and there'll be the understanding that, uh, the practical value that comes out of it is only what you make of it and not, uh, or perhaps what somebody asks you to attest that you will make that value out of it.

Chris Romeo:

Well, attestation is a whole new animal, right? Because now this is a legal thing. That's

Izar Tarandach:

The lawyers have entered the chat. Hmm.

Chris Romeo:

And everybody else is muted or left because attestation, it's all fun and games when I'm just sending you an inventory. But when I have to make a statement about it, now it's, now I gotta have my whole building filled with lawyers, right, now all of a sudden SBOM's gonna be 10,000 pages. Or it's gonna be a paragraph.

Matt Coles:

going to have that giant legal disclaimer on the metadata.

Chris Romeo:

That's probably actually the real truth is what's going to happen is there'll be a legal disclaimer that says use at your own, uh, peril will be the, the

Izar Tarandach:

Or it's going to be cryptographically signed and that's going to give it value and we are going to have one more secret to protect and one more secret to be leaked and one more secret for people to run with and we're going to have the whole certificate signing drivers

Matt Coles:

What do you, are you going to, are you going to have timestamping for SBOM digital signatures?

Izar Tarandach:

Y, yes. But if the time spa, uh, timestamp has expired, there would be a whole different thing saying that at the time of attestation, the timestamp was good. So the attestation is still good. It's almost like this happened before

Matt Coles:

It never, never, never happened before. I have another prediction that

Chris Romeo:

Okay, here we go

Matt Coles:

want to make before I forget it. Somebody, somebody will have listened to our podcast, multiple episodes now, and listened to your take on that nasty four letter, begins with a D word,

Chris Romeo:

with a D word.

Matt Coles:

DAST, and try to build and actually be successful at building a DAST tool that you find valuable. Uh,

Chris Romeo:

I might even invest in it. Who knows?

Izar Tarandach:

Look, I can predict that. If there's a person, like what Matt described, there's another person who happened to work at some company that likes to actually make predictions, that's right now thinking about a new acronym to call that old thing called DAST, and create a whole new branch of the industry that does exactly the same thing,

Chris Romeo:

Now I'm

Izar Tarandach:

a completely new name!

Chris Romeo:

I'm trying to, I'm trying to dream it up myself now, right now on the fly, as far as what would that new acronym be.

Matt Coles:

uh, here's a, here's a shout out to the person who wrote us the fan mail to use his, his or her AI skills to come up with some suggestions.

Izar Tarandach:

yeah,

Chris Romeo:

Alright, so that's, I mean, I would love to see that. I would, I would even invite that person on as a guest of the podcast to enlighten

Izar Tarandach:

Wait, his or mine?

Chris Romeo:

his or mine, what.

Izar Tarandach:

His, his person or my person?

Chris Romeo:

Now I'm talking about if somebody invented, yeah, either

Izar Tarandach:

yeah, his person.

Chris Romeo:

yeah, I mean his one, his would be probably more interesting, but I, because if somebody, if somebody showed up here and brought a new acronym, I think I might just fly off the screen, you might see me

Izar Tarandach:

Which I'm going to predict happen. The new acronym, not you flying off

Chris Romeo:

yes, yes, I probably will fly off the screen though, but all right, so let me change, let me change the direction here and give you a resolution, okay, not a prediction. You guys already covered two of my resolutions, by the way. I had four written. Two of them have already been covered as predictions. But here's one that I think we can all get, uh, get behind and be passionate about. Resolution, teach secure coding at the university level. Secure coding education at the corporate level is an excellent programmatic approach. Levels everyone's security knowledge. However, it's still, we're still in a world where at the university system they're not being taught secure coding.

Matt Coles:

Oh my god. So, do you want, uh, do you want Izar or me to go first on the, on responding to you?

Chris Romeo:

I think you can both speak at the same time and I'll just put you in. No, go ahead, Matt. You're first.

Izar Tarandach:

I'm guilty of that. We usually do speak at the same time, but it's because of me, not Matt. Yep,

Chris Romeo:

polite gentlemen here of the security table.

Matt Coles:

Uh, you've already missed the boat if you're talking the university level.

Chris Romeo:

Ooh, okay. Good. Good.

Matt Coles:

also, and, and second, and second, uh, how many people, especially new people entering this field are going to university first?

Chris Romeo:

Okay. I like

Izar Tarandach:

So here's the thing. As in all so many fields, and as Matt said, college is too late. People take classes in college to pass those classes, not to, sorry, learn most of the stuff, especially at the, at the, the bachelor's level. And then when you go up in, in other levels, you get to know more and more about less and less. So unless they are heading into a cyber security field, they are going to have less and less of that expertise. And then you fall into the, okay, so what do we teach? Which language do we teach this week? I don't know what colleges are teaching this week. I think it's, could be even Python. I think that

Chris Romeo:

A lot of Python is what I've heard.

Matt Coles:

Java and Python, I think. Nobody does C anymore, I don't think.

Izar Tarandach:

resolution into teach security principles, the same way that you teach CS 101. That's the same way that you teach data structures, then teach security principles. But at the same time, I'm going to pull it the way that Matt pulled to earlier than college.

Chris Romeo:

Yeah.

Izar Tarandach:

there are many high schools out there that have electives for Intro to Computer Science. And, uh, I know for a fact that security is not even being considered there.

Chris Romeo:

But I mean, if we can't, if we can't consider security at the university level, here's my counter to that. I, I, I would love to see that. I love, what you're describing would be awesome. If we could say, hey, in our, um, STEM programs around the country, security is a, is a foundational piece of how we're approaching computer science. That would, I mean, I'm not arguing against that being the, the dream, right? But if we can't even do this at the university level, how could we possibly do it at the, at the secondary school level where those teachers are paid less and they have less resources and less.

Izar Tarandach:

Yeah.

Matt Coles:

I have a thought. I'd like to issue a challenge. And I don't know how many people are listening to our podcast that can take up this challenge, but I would issue a challenge that, so, you mentioned STEM programs. Even if we get a portion of them, we can't certainly get all of our secondary schools. There's just too many of them in the country, here in the US at least, and we're not even talking about the rest of the world. But if folks in our industry reach out to their high school, local high schools, and even do a seminar, you know, a couple hours, uh, total, even into a STEM program, if there's a, if they're doing any computer science, you know, work, just introduce those principles and to introduce, say, threat modeling as a practice, then, you know, that, that's a start that gets people interested, perhaps at least gets things in the top of their head. Uh, and, you know, so maybe the challenge here is that, you know, if, if security folks are looking for volunteer opportunities, see if there's an opportunity to volunteer at a local school. Um, you know, even a small portion starts to get the ball rolling.

Chris Romeo:

So we as an industry need to, your suggestion is it's, it's on us as practitioners in the industry to go and, and try to, try to offer our assistance anywhere we can.

Izar Tarandach:

So, had you people voted me in at OWASP, not bitter at all, had you people voted me in,

Matt Coles:

not bitter at all, no.

Izar Tarandach:

Not bitter at all. One of the, the, the, one of the bases of my program was to, to actually close in, into this gap between a high school and local industry, right? So, the idea comes from my son. He's taking an intro to computer science now at high school, and how could, would it be, how could, would it be if, as part of that four year computer science elective program, we would have a security even parallel track, right, that in the first year would teach the basics of cyber, cybersecurity. And the second year would expose them to open source tools. On the third year, they would have the ability to go to a local company, a local place of work, and actually help that, become part of that place. Hands on. On the fourth year, they might have an internship in a bigger place, and that internship would be a ramp up into going straight into the job. Jump the college, right? So, for people who already plan to go to college and become computer scientists and not, perhaps it wouldn't make a difference. But I have the feeling that this could change the way that a lot of people consider what they're going to do during and after high school. And it would solve that gap that we talked about in one of our first episodes.

Chris Romeo:

Um, my local high school here in North Carolina has that program now. They don't have the security focus. They have a, um, they ha, it's like an IT academy is what they call it. And the kids enter it as freshmen. They have to, they can apply to get into the IT academy as freshmen and it's a, it's, it's part of their curriculum for four years. And to Matt's point, I had the opportunity, they invited me to come in and just talk about cybersecurity. I probably talked, I just really told stories. I wasn't, I didn't have, I'm like, I'm not going with slides to talk to high school kids. Like, I just told stories about things I'd seen happen in my career and, and famous people that I had a chance to chase, a different area of my career, um, where the more interesting stories come from. But I sat there after, they probably hit me with questions for probably 30 or 45 minutes. Good questions too, like, like just asking about how, you know, just, it was a, it was, you know, probably the best set of questions I've received in the last couple of years from an audience, because they just, they were, they were just pinging me about how this all fits together.

Izar Tarandach:

They are an audience that's not yet cynical enough to just look at a job and say, these are the dollars that I can make with this. These are the kids that, they listen to your stories, to our war stories, and they still get that romantic WarGames, Hackers and Matrix vibe of, ah, I'm doing something amazing by TikTok on my computer. Right? So that, that's, that's the audience that we have to, to, to reach out to. That's why I wanted OWASP to, like, put forward the curriculum that could support teaching this in high schools and then make the, the, the link between industry and those, those pipelines and bring those kids in as interns at the end of their high school move,

Matt Coles:

We, we used to have that program when I was in high school. I was a member of Boy Scouts and we used to do that program. It wasn't, it wasn't part of the Boy Scouts directly. It was something related to it, but, uh, where we, we would go and go visit companies, uh, to learn about what they do and then, and then eventually, um, uh, you know, there were intern opportunities perhaps later, um, so it doesn't have to be necessarily with the high school itself, but I'm sure, so I'm sure those programs exist, um, other areas like that, where we have opportunities to influence, and by the way, I'm not big on kids, but this is where we need, this is where we need to put the effort in order to make, to solve this problem, right? The university is too late and people are, are less, less inclined to go to university these days with, with the costs and whatnot. So, and companies are starting to relax those requirements for having a university degree, uh, to, to get at least an entry level position as a developer. So, um, you know, maybe we need to focus on curriculum. Maybe we need to focus on a set of people. I know here in our area, I think a vo-tech school, a vocational school, is probably a better place to get a larger group of people who, a group of students, um, as opposed to the local high school. Um, but, uh, yeah, things like that we probably have to be innovative about as an industry, not just as teachers.

Izar Tarandach:

Let's take a joint resolution and a call for action to the people in Australia that are listening to us right now. Reach out to us if you have ideas, if you can, if you feel that you can influence something like this. And let's at least put a plan in place that, uh, who are the people that we need, what we need to define, and see if we can spend 2024 making something like this become a reality. Because we can change some lives here, people.

Matt Coles:

Is, uh, does OWASP, does OWASP have a track, does OWASP have a, have an education or

Izar Tarandach:

They have an educational committee, yeah, and I had a chance to speak with them. Amazingly supportive people, but at the time OWASP wasn't, uh, uh, equipped to embark into something like this. So I spoke to some other people who are more on the educational side of the thing, people with hands in high schools and stuff like that, and everybody expressed an interest, right? But first of all, I, I, I don't think that it should be just on a US thing. It should definitely be a global thing. So I would welcome more opinions and visions on, on, on the subject. And, uh, second, at some time I looked around and I said, hey, you know what, I would need some program management skills in here that I definitely don't have. I can barely program manage myself to go from bed to breakfast. So

Matt Coles:

Well, so the other thing I would, I would just add there is there are other organizations, of course, that maybe there's a concerted effort that can be done here,

Izar Tarandach:

Yep.

Matt Coles:

So OpenSSF as an example, right? There's, there's a large, good number of, of well funded companies that, that are, that are helping to support that effort. And education is a, is a recognized challenge, right? Having developers who are aware of secure coding practices or secure design patterns, or the processes, even running SAST or DAST or IAST or whatever, um, having those skills when they are singular maintainers of open source components that large enterprises around the world rely on,

Izar Tarandach:

Yep.

Chris Romeo:

Yeah,

Matt Coles:

of opportunity, I think, there.

Chris Romeo:

This is one of those things, and Izar, you mentioned this a bit in your explanation. This is about changing the future. This isn't something that has a, even a, even a one year return, two year return, maybe not even a five year return. This is something that'll take ten years to watch it blossom and, and impact the industry. And yeah, it does definitely seem like something OWASP should be behind as far as driving this. So, yeah, I mean, I think that's something that we, we're, we're calling all, all of our listeners out there, no matter whether you're in Australia, Dublin, or somewhere else around the world, to, uh, to join us in this. Let's, let's take this on as a Security Table mission and see what we can do in, in 2024 to, uh, cause I'd love to, to do something with this too. Um,

Izar Tarandach:

Told you guys you should have voted on me.

Chris Romeo:

Yeah, I mean, I wish I would've remembered to vote. I'm so sorry that I

Matt Coles:

I wish I had, I wish I had tasked my, I wish I had

tasked the AI to, to

Matt Coles:

submit, uh, many, many votes on your

Chris Romeo:

I can admit I did vote for you, Izar. I did. I was, I was behind

Izar Tarandach:

Oh, so you were

Chris Romeo:

I was the one,

Izar Tarandach:

were the one,

Chris Romeo:

My vote is the only one. No, I'm kidding. You did. You did, you did well. You, uh, you're poised for a 2024 move. That's, that's how I see it right now as your unofficial campaign manager. So

Izar Tarandach:

I want to go for the, uh, the, the comedians this year. Yeah.

Chris Romeo:

There you go. So let me, let me read my, my final resolution here. And I feel like it kind of sums up a lot of the noise that I may have generated in 2023. So here's what it is. Think outside the AppSec box. Stop doing things because it's the way we've always done it. Stop adding tools to your program because these are the tools a serious AppSec program has. That should have been in the air quotes. Think for yourself. Understand the risk and threat a given tool and technology provides. Factor against the ROI versus cost, and then build a program that makes sense for your organization.

Izar Tarandach:

Yeah. Yeah. I mean, I, I see programs that collect tools the way that, uh, we used to collect those small cars when we were kids, you know what I'm talking about? Yeah. Matchbox cars. Like, one more shiny tool after another, and when you ask them what they're getting out of them, they'll go, uh, uh, I have a secure program! So, having the tools is not enough, and, and letting the tool dictate how you're going to work might not be the best solution. So, perhaps, I would extend that resolution with an ask of vendors to provide people with tools that enable them to work the way they want, not the way that the vendor wants.

Chris Romeo:

Yeah, and work efficiently. So I don't know if you saw Brook, Brook Schoenfield's post yesterday on LinkedIn. He said he'd been having a conversation with somebody else in the AppSec industry that was running a program. And this program leader said, I'm no longer, I'm no longer allowing tools that generate noise without value.

Matt Coles:

Uh, noise without value, or was it require care and feeding?

Chris Romeo:

Requiring, I'm sorry, you're

Izar Tarandach:

Both. Both, both,

Chris Romeo:

I think it might have

Izar Tarandach:

No, just both.

Chris Romeo:

Yeah, okay. Require care and feeding, yeah. So I thought that was a very interesting take, though, on the frustration of someone who's running a successful program and dealing with tools that, and I think his point was that he had to tune, he's not buying anything he has to tune all the time and

Izar Tarandach:

Yeah,

Chris Romeo:

Like, he wants it to just execute and go. So Matt, you gotta look on your face like

Matt Coles:

yeah, I do,

Izar Tarandach:

a problem with that,

Chris Romeo:

Okay,

Matt Coles:

I'll, Izar go, Izar go first,

Izar Tarandach:

That's asking for the silver bullet,

Matt Coles:

right?

Izar Tarandach:

It just freaking doesn't exist. The question here is not if the care and feeding needs to be done, the question here is the amount of care and are you feeding the right things, right? Because, you know, the smell of what comes out depends on what you put in.

Matt Coles:

Yeah, having a tool, having a universal tool that can, that can do everything without you, you telling it what you need. That sounds wrong. Uh, I mean, we, as Izar said, the silver bullet, right? We've been chasing that for years, for decades, um, and you get what you get. I mean, you get the, you get the kit, everything in the kitchen sink, and you get all the noise that comes with it. Or you get results that you don't know what to do with. And so, you know, we know this with SAST as an example. If you're having, if you have custom code constructs, or you're doing things slightly differently, you're going to have to tweak it to get value out of the tool. Otherwise, you're just going to get garbage. And, and so, the care and feeding, the care and feeding should be, should be, give the, have the ability to do the tweaking effectively and efficiently for what you need to contextualize it, but not, but not require care and feeding to make it operate, right? If you have to continuously supply hardware, you know, resize databases in order to make it function, have a constant, you know, internet con, uh, connection to some, you know, strange cloud service somewhere to get rule updates at, on some, you know, two o'clock in the morning every day. I, I can imagine that's the care and feeding that we, that we want to start, avoid, you know, look to try and minimize or avoid. The tweaking and the contextualization, though, I think we absolutely critically need still.

Izar Tarandach:

I think that this also goes towards what we had back in the 60s. With the, you know, if you wanted to talk to the computer, you had to go into the basement and talk to people that wore, uh, uh, white, uh, smocks and had, uh, ties because they, they were basically the, the, the priesthood of the IBM, right? And they knew how to translate your stuff into cards that went into the machine and, and then people said, okay, we need to popularize this, democratize this. And we ended up with the computers that we have today. But it's not like you don't care and feed for them, you do, but you get directly what you want from them. And I think that tools are the same thing. As Matt said, if you have to keep special people just to feed the tool, the priesthood of that tool, the people who know how to speak the language that that tool knows, and that you have to keep worrying about resources and give it one more terabyte and one more terabyte and

Chris Romeo:

hmm.

Izar Tarandach:

one more agent into 1,000 other places. Then you are working for the tool and not the tool working for you.

Chris Romeo:

But I mean that's, a lot of what we suffered with from a tools perspective over the last two decades is tools that require almost constant care and feeding.

Izar Tarandach:

So you're working for it.

Chris Romeo:

Yeah, so I mean that's, so I get where, I don't even remember who the, I don't even know if Brook ever said who the original person was, I don't think he did, but I get where that person is coming from though, about historically, I can see where that, how that conclusion was reached, because we have dealt with a lot of technologies and tools that required, that just generated constant noise, required constant care and feeding to get any amount of value out of them, and that's what this person was concluding is not going to be acceptable

Matt Coles:

And SaaS doesn't, SaaS does not automatically solve the problem, by the way.

Izar Tarandach:

And that's why we need,

Matt Coles:

Oh, you just have a different, you have a different set of problems, right? You have a different set of care and feeding that has to occur.

Izar Tarandach:

And that's why we need quantum LLMs.

Chris Romeo:

I thought you were going to land the plane with reasonable application security, which would have been a, which would have been such a great ending to this episode and the, and the ending of 2023 for our recording process, if you would have just said, and that's why we need reasonable application

Izar Tarandach:

No, but that's the thing. That's the thing. We still need reasonable application security. But at this time, because of the tools and the care and feeding, and because we haven't yet taken the time to look into that, we still can't quantify and we can't define what's reasonable, and that's what we should, that's what we should, do

Matt Coles:

That's the best prediction of 2023. That's the best prediction for 2023. We will still be, we will still be debating what reasonable application security

Izar Tarandach:

But I, I could say that working together, by the end of 2024 we could have a very good approach to what that is.

Matt Coles:

And if

Chris Romeo:

We could continue that prediction every year. At the end of the year, we will probably still be discussing and debating what reasonable

Izar Tarandach:

No, I don't think so. I don't think so. And actually, perhaps we should do an episode with more people coming in and asking ourselves what's reasonable.

Chris Romeo:

What is reasonable? Well, gentlemen, this is the end of our wrap up episode for 2023. So it's been a true joy working with you throughout this year to bring our opinions and discussions, debates, and even a little bit of argument to, uh, around the Security Table. But I know that's, uh, we, we've heard from our audience. That's what they enjoy about our

Izar Tarandach:

The joy of security.

Matt Coles:

And, and, and we should, we should thank, we should thank the various guests we had over, over the course of the year. We should, we should do that more. We don't bring enough guests on, but

Chris Romeo:

Yeah.

Matt Coles:

yeah.

Chris Romeo:

Definitely. Thank you to all those guests that took their time to really educate us. I can say every guest we brought on the Security Table brought my knowledge of something further or challenged my thinking or did all those good things. So

Izar Tarandach:

Which reminds me of the two things that we try to go back to all the time. Nobody knows everything and we should always be learning more, and don't take yourselves too seriously, people. It's just security.

Chris Romeo:

That's a good way to end the episode right there. Thanks folks for listening to the Security Table all year. We'll be back in 2024 to provide more witty things and wisdom and whatnot along the way. So thank you.
