The Security Table

Prioritizing AppSec: A Conversation Between a VP of Eng, a Product Manager, and a Security "Pro"

Chris Romeo Season 2 Episode 6

Prompted by fan mail, Chris, Izar, and Matt engage in a role-playing scenario as a VP of engineering, a security person, and a product manager. They explore some of the challenges and competing perspectives involved in prioritizing application security. They highlight the importance of empathy, understanding business needs and language, and building relationships within an organization while dealing with security threats and solutions. They end with insights into the role of AI in AppSec, its prioritization, and its limitations.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Chris Romeo:

Hey folks, welcome to another episode of the Security Table. This is Chris Romeo joined by Izar Tarandach, Matt Coles. We are the Knights of the Security Roundtable. We have an interesting way to kick off this episode, so I don't even know how to introduce it other than I'm just going to read it because I'm not, I don't know, I don't know

Matt Coles:

Yeah, like that.

Chris Romeo:

any preamble that I can attach to this. So let's just, let's just run, I'm just going to read it. So we got this Suggestion from a fan out there by way of fan mail. Yes, we do have fan mail at the security table. It is a You know takes us a few hours a week to pour through it Every once in a while, there's something nice most of it is just people yelling at us, but

Matt Coles:

We're training an LLM to take care of it for us.

Chris Romeo:

Yes, excellent. We will we will definitely be working on that project. But this kind listener sent us a prompt, as if we were perhaps AI agents, and so maybe we are, but I'm just going to read the

Izar Tarandach:

I identify as an untrained LLM.

Matt Coles:

We obviously, we obviously hallucinate, so you know, it's gotta be

Chris Romeo:

true. Well, that's only under certain situations, it depends on other,

Izar Tarandach:

9 to 5.

Chris Romeo:

to other inputs, you know, that may have caused hallucination. Alright, here's the prompt. Matt, you're now a well respected product manager. Chris, you're a reasonable VP of engineering. And Izar, you're a security person that has sociopathic tendencies. How would you prioritize application security within your organization? Include opposite viewpoints and competing priorities. I mean, we were going to do that anyway.

Izar Tarandach:

Wait, wait, wait. I have to get into character here.

Chris Romeo:

Please do. Yeah,

Izar Tarandach:

Nothing

Matt Coles:

seen.

Izar Tarandach:

Okay.

Chris Romeo:

he's the same!

Izar Tarandach:

Nothing changed.

Chris Romeo:

No difference! No difference. Alright. So we have a product manager, that's Matt. We have a VP of engineering, that's me. And then we have Izar, a security person with sociopathic tendencies. So, security person should be the one that's the most passionate and positive about prioritizing AppSec within your organization. Why don't we, why don't we start with the security person? Because if we're supposed to start with the VP of engineering or the product manager, we're probably doomed already as an organization. If I'm, if I'm pushing AppSec more than you as a security person, then we're probably doomed. So Izar, why don't you kick us off here and, and, uh, make a case for how we should prioritize AppSec within this organization.

Izar Tarandach:

But I'm sociopathic.

Chris Romeo:

Yes.

Izar Tarandach:

Okay. We just finished the round of DAST of today. and we got 100 things that came out of CVSS 10. I don't care what they are, I'm not checking them, and you guys are fixing them now.

Chris Romeo:

Well, that's, I mean, I don't think you could have done that any better. I mean, that's, sorry, I need, I need to get into character as well. I'm out of character here. I'm breaking the fourth wall a la Deadpool here. Um, okay. Let's, so Matt, you're the product manager. Um, you're the one who would be responsible for prioritizing slash scheduling this work. What's Izar's, would you say thousand CVSS 10 findings that your DAST tool provided?

Izar Tarandach:

Sure, why not?

Chris Romeo:

Okay. That you're de and and I guess you're demanding that we fix them by

Izar Tarandach:

I'm not demanding anything, I'm saying that that's what it's gonna be.

Chris Romeo:

Okay. And when, what's our deadline?

Izar Tarandach:

Now, they're critical? Three days. No, half a day. No, four hours.

Chris Romeo:

product manager. How do you, how do you respond to that?

Matt Coles:

Well, obviously I'm, I'm, I'm a reasonable product manager. So I'm, I want, and I'm very well respected. Sorry, I'm not reasonable. I'm really very well respected, which means I drive a hard, I drive a hard product, uh, life cycle. And while I understand your concerns, we have deadlines to meet. And we have features and functions that we need to deliver in order to meet our customer customer needs. So how did these What a thousand CVSS 10s? What's CVSS? What's 10? Why should it... I understand you have a challenge, but where does this fit in our feature set? So have you filed these in the backlog? Have they been reprioritized? Where they fit now in our workstream? I need to throw it back to you because I don't have enough information in order to make a decision in order to how to prioritize these things. Help me understand that.

Izar Tarandach:

I don't have time to open tickets. CVSS 10 means it's critical. The risk is off the roof. The probability is incredible. The impact will be unbearable. Fix it now.

Matt Coles:

Does it affect any of our features?

Izar Tarandach:

Yes.

Matt Coles:

Which ones?

Izar Tarandach:

I don't know.

Matt Coles:

Well, it's important. It's important for us to understand that so we can know which features we're going to deliver and which ones we're not.

Izar Tarandach:

So you figure it out. These are critical. Stop everything that you're doing. You figure it out. It's your product. You shouldn't have written it that way in the beginning.

Chris Romeo:

Well, hey, I'm, I'm the one who's responsible for writing it. So now you're, uh, now, now you're aiming in my direction. But unfortunately, uh, Mr. Security person, we, uh, are a resource constrained organization, and we have a roadmap that's been defined by Matt. As a well respected product manager, what makes him well respected is his ability to lay out a vision for our customers and marry that with a roadmap. And unfortunately, I only have enough resources to create the beautiful things that Matt has described on this roadmap and make that a reality. So I don't have any, I don't have resources. I mean, maybe we can get to it next year, in 2025, but I'd have to check, uh, I'd have to check with my assistant.

Matt Coles:

We do, we do have a release plan coming up so you, we could put it on the backlog and prioritize it into the next, uh, next product cycle.

Izar Tarandach:

That's fine, I have three things. I have a phone, a whistle, and the phone number of the SEC.

Matt Coles:

I think we need to bring in legal here.

Chris Romeo:

From all sides. We all need representation here. I'll get my private attorney on the line here, but wait, but wait, hold on. We're not a publicly traded corporation. So you could call the SEC, but they won't help you because that's the Security and Exchange. That's the Security and Exchange Commission.

Matt Coles:

So, so being, being very well respected, I want to, I want to understand your, your concerns. Does this impact our European customers?

Izar Tarandach:

Yes. This impacts all of our customers, wherever they are, whatever they do. These are TANS! The DAST is screaming!

Matt Coles:

How will this, how will this, how will this impact our vision for the product?

Izar Tarandach:

You can't see the product, the DAST is screaming!

Chris Romeo:

so what are, what is our, what's the customer perception of these things? Since I know you're a security person who is not completely out of touch. You do know that we have customers. Customers buy our product. Customers use our product and in exchange for that they send us money. So what's the customer perception of these issues that you've described?

Izar Tarandach:

Customers live for security. They are, right now, they are bringing the pitchforks and the torches in the direction of the building. You guys have like, one hour to come to the media and say we are going to fix all these DAST findings. Otherwise, this whole place is going to be in ruins by tomorrow morning. CVS 10 people! It doesn't get any bigger than that.

Matt Coles:

So you have to understand, of course, that we, we have a, we have a limited budget. We have a customer deadline to meet. We have a certain set of features that we have to deliver. So, I understand your concerns, and I want to be respectful of that, and I want to make sure that your, uh, your concerns are, are validated here, but I need them in the backlog in order for us to prioritize them to be fixed, so that Chris and his engineering team can take the appropriate action at the appropriate time to get these resolved in the quickest way possible.

Chris Romeo:

Your call is important to us. Please stay on the line.

Izar Tarandach:

Okay, I'm going to go in your direction. I'm going to open two tickets. One of them says, fix the 1, 000 findings from the DAST. And the other one says, next week, after you release, stop everything and embark on a six month journey of threat modeling.

Chris Romeo:

Okay, Bill Gates and the trustworthy computing memo. You're not the CEO.

Izar Tarandach:

Hey, it's a ticket, somebody has to close it.

Chris Romeo:

Okay, so I, so I was listening to this at this podcast as a VP of engineering because I wanted to learn more about security and they were talking about how terrible DAST is in the modern era of application security. So how can you, how can you justify a tool that these obviously very wise, very smart podcast hosts were talking about as being something that was. Not great at provide, how do we know these findings are correct? I call, I call foul on your findings. I think your findings are incorrect.

Izar Tarandach:

Look, that's heresy. You heard this from a podcast. I make podcasts. I went to a conference, a three letter conference, and they told me that DAST is the best thing ever. Okay, we spent a lot of money on this. Like, I have licenses, and I have swag, and they flew me to conferences to talk about, uh, DAST. DAST is good. You have to respect the DAST. It's the last thing that we do before things go into production.

Matt Coles:

What's DAST?

Izar Tarandach:

I don't know.

Chris Romeo:

Wait, isn't it your job to know? So you're, you're trying to, you're trying to disrupt our roadmap and our future vision for customers and you're trying to make my engineers work an extra hour a week in this process, all for something you don't really understand?

Izar Tarandach:

Did I mention CVSS 10?

Matt Coles:

What's CVSS?

Izar Tarandach:

No, no, no, no, you have to focus on the 10. 10 is bad. 10 is high. 10 is red. I'm painting red here.

Chris Romeo:

thousand? What's the, what's the scale?

Izar Tarandach:

Ten is the biggest there is. Like, it doesn't get thinner than ten.

Matt Coles:

10 is usually a good number, right? So we, when we rate, we rate our NPS score from our customers, you know, 10 is, 10 is good, right? Not zero.

Chris Romeo:

Ten is

Matt Coles:

if you're telling, if you're telling me 10, I think that that's a good thing.

Izar Tarandach:

Ten is great if you're an attacker.

Matt Coles:

Who's going to attack our product?

Izar Tarandach:

Everybody. I told you, risk is off the roof. Probability? One. Impact? One hundred zz a billion millions of

Matt Coles:

have to, I'll have to reach out to

Izar Tarandach:

have the spreadsheet to prove it.

Matt Coles:

I'll have to reach out to our sales and marketing team because we haven't, we haven't gotten any requirements, uh, about attackers,

Izar Tarandach:

Wait, you mean that book that we gave you about that SDLC thing? You guys didn't read it?

Matt Coles:

uh, it's in my backlog.

Izar Tarandach:

Do you have an abuse story for things on your backlog? As in, I don't read things that are in my backlog?

Matt Coles:

I deliver requirements,

Izar Tarandach:

I require you to read the book!

Chris Romeo:

And he delivers results.

Matt Coles:

we, we ship on time,

Izar Tarandach:

Yeah, but with CVSS 10!

Matt Coles:

Hasn't been a problem yet.

Chris Romeo:

So, who do you report to, Mr. Security Person?

Izar Tarandach:

God! No, actually, to the, the, the CISO. Yeah,

Chris Romeo:

Okay. So, what is the, what is the CISO's perspective on this, what we believe is an unruly requirement you're placing upon us? Shall we escalate this to your boss?

Izar Tarandach:

I don't know. I forwarded him the report. He saw all the reds. He started crying. I don't know what he's doing.

Chris Romeo:

It's very hard to stay in character here. He started crying.

Izar Tarandach:

It was a very movie moment.

Chris Romeo:

Was there, was there like sad music playing in the background too?

Izar Tarandach:

Just my assistant playing the violin.

Chris Romeo:

Wait, you have an assistant?

Izar Tarandach:

Don't you?

Chris Romeo:

No.

Izar Tarandach:

I have a minion.

Chris Romeo:

we're, we're a lean, uh, we're a lean engineering and product teams.

Matt Coles:

I

Izar Tarandach:

My minion goes to the gym twice a day. Look, you have to be agile because we're firing in your direction and you have to dodge that. So,

Chris Romeo:

to dodge your

Matt Coles:

That's a, that's an engineering problem if they want to, if they want to deal with, uh, how agile you said. Um, I'm sure that works out well. As long as we get the customer deliveries on time, I'm okay with that. I don't want to, again, I don't want, I'm not, I'm not dismissing your, your, your concerns here, but we do have, we do have a, we do have a release timeframe we're working towards. Henner, VP of Engineering. If you, uh, if you look at these tens, you prioritize a few to get into the schedule without slipping the schedule too much?

Chris Romeo:

Hmm. Well, the team's already maxed out based on our sprint planning sessions, uh, Mr. Product Manager, that we did in our Agile Fall Ops process, as you know, that we used to, uh, schedule all the work and ensure it gets delivered in, uh, rapid turnaround time.

Matt Coles:

I was paying attention, I swear.

Chris Romeo:

Yeah, I'm starting to wonder, but

Izar Tarandach:

look, I'll paint a picture with crayons for you guys here. The Titanic had a schedule to arrive wherever it was going. The iceberg in the middle was a 10.

Chris Romeo:

Okay.

Izar Tarandach:

guys decide it. History

Chris Romeo:

we, so. Help me understand how we could prioritize

Matt Coles:

Well, by that, by that analogy, though, by that analogy It's not our problem. If we're building a Titanic, it's outside of our control. What do you, what do we need to do here? This is not our product that's broken here, right? A Titanic was fine until they hit the iceberg.

Izar Tarandach:

The iceberg is not moving.

Matt Coles:

So, the iceberg is the tit

Izar Tarandach:

drive around it, or you build a stronger Titanic.

Chris Romeo:

But that's an operations problem, not a, not a, not a development and design problem. The Titanic didn't sink because it was designed poorly. It sunk because there was an operator error. And they didn't dodge a production class issue.

Matt Coles:

event, it failed to avoid a foreseeable event.

Izar Tarandach:

I just send DAST reports, I don't care.

Matt Coles:

You're asking us to disrupt your entire schedule for stuff you don't care?

Izar Tarandach:

Yes,

Matt Coles:

We have other things to do, we have a release schedule, uh,

Chris Romeo:

We have promises we've made to customers.

Matt Coles:

When you have more for us, uh, please,

Izar Tarandach:

I have a crying

Matt Coles:

and we can,

Chris Romeo:

Well, that's not our problem because

Matt Coles:

don't care!

Chris Romeo:

That's a different management chain. We don't report to the CISO. So they can cry all they want

Matt Coles:

If, if he has a concern, he can raise it, he can raise it to, to our, our leadership, um, until that happens.

Izar Tarandach:

Okay,

Matt Coles:

into, tie into our, tie into customer features and we'll, we can talk again.

Izar Tarandach:

I'm totally going your way then, so instead of you guys fixing all that stuff, uh, we are going to close everything that we think is fine on the WAF. We're going to close a couple of ports on the firewall that we have no idea why you guys opened, and you guys are going to patch a number of libraries that we don't really know how they impact the functioning of your product. And, uh, what else can we do? What else can we do? Oh, yeah, yeah, yeah, we're going to ask you guys to, uh, add a bunch of stuff in your containers so that we can totally look inside them whenever we want and measure all kinds of failure rates, uh, if we feel like it. Uh, the only problem is that those things have a failure rate as well. We, we don't quite measure those, but, uh, they, yeah. just so you know, they have. Can you do that?

Matt Coles:

Uh, Mr. Engineering, is that feasible?

Chris Romeo:

well, we would need the, uh, work to be prioritized by our product management team so that it could be broken down into small manageable bites versus that long list of years of effort that It's Mr. Security Team just, uh, described here. So if we can break it into smaller chunks, we can certainly scope it and, I'll, and add it to our planning process that we go through.

Matt Coles:

You know, we do have requirements that, that we, we start with at the beginning of our project, and it would be really, really nice if these had been added, uh, at that time. But if you can give us a set of requirements now, we can certainly look into where it would fit and how we might, uh, get it into the, into the backlog.

Izar Tarandach:

I told you to read the book!

Matt Coles:

I, I paid attention, I swear.

Chris Romeo:

We're, I was waiting for the movie. When the movie comes out, then I'll watch it.

Matt Coles:

Audiobooks, so I can listen to it on the golf course.

Izar Tarandach:

war games. I, I have an army of monkeys throwing coins up and down desperately just to come up with a probability for these attacks, okay? And right now, the monkeys are high, the probability is high. So, we're going to have to do something about this. I gave you an option. You can go and fix this stuff, or we can put all kinds of band aids. And you keep asking me for more and more and more. What else can I give you? I already told you. CVSS 10. That's

Matt Coles:

you understand, do you understand

Izar Tarandach:

for panic.

Matt Coles:

do you understand how our, how our, how releases work? Do you understand how we get products out the door that, that our customers can use, that they can, pay us for that? We can then pay for you.

Izar Tarandach:

I don't speak engineering. I try to float above that kind of thing. It's very strange.

Chris Romeo:

How about, uh, embracing the language of the business? Because we work for a business here, and if the business doesn't deliver results for customers, customers go away, customers don't send us money, and you no longer get paid.

Izar Tarandach:

The business is under attack. If it happens, the customers won't pay us. They will sue us. They'll be getting money out of us, not putting money in.

Chris Romeo:

feels like a Chicken Little thing. The customer, the customer, the business is under attack, the business is under attack, the sky is falling, the sky is falling. It seems like every time you come to a meeting with us, you tell us how the sky is falling. And then every time we scramble to try to fix the whatever the problem is, it turns out that it's not that big of a deal. So what, how, what, what level of sky is falling? Are we at here chicken little,

Izar Tarandach:

I can't tell you because I don't have budget for monitoring.

Matt Coles:

So what you're telling me, so what you're telling me is that you suspect that there's a problem, but you have no evidence that there's a problem.

Izar Tarandach:

No, my monkey simulated the whole thing. I have a Monte Cristo, Monte something simulation that speaks. Everybody talks about that stuff and say that it's awesome. And the one that I'm, that I did is saying that we are constantly under attack and people are exploiting us. Like, if you look behind you, there's an attacker right there behind you.

Chris Romeo:

nobody here.

Matt Coles:

So what's the worst? So tell me what's the worst case? What's the worst case scenario? How much of an impact are these or is this issue? If under the worst, under the worst case scenario, What's the impact?

Izar Tarandach:

of dollars.

Matt Coles:

Billions.

Chris Romeo:

But wait, you said you don't know any, you don't pay attention to the business. How do you know we make billions of dollars?

Izar Tarandach:

It's what my monkeys are telling me. That the probability times the impact equals the risk. So, they came out with the probability, they came out with the impact. Don't ask me those questions!

Matt Coles:

Sure. So Mr. Sociopathic, uh, uh, security person, did I call that

Chris Romeo:

No, he has sociopathic tendencies. He's not sociopathic. We're not labeling

Matt Coles:

Are we sure? Are we sure?

Chris Romeo:

He seems to be demonstrating them, but quite well.

Izar Tarandach:

Wow.

Matt Coles:

I want, I want to understand your numbers a bit more to understand where that's going to fit in where, where, where our customers might have issues. having said that, if you had examples of where there would be, you know, where some of these tens are causing problems, and will cause problems, and we can directly tie it to features, missing, either missing features, or features that we would deliver that wouldn't be meeting the needs of the customer, then absolutely we'd want to prioritize the fixes.

Izar Tarandach:

Don't

Matt Coles:

can help us understand that, if you can help us understand that, we, it'll make it easier for us to build a case if we need to slip the schedule by some amount of time, or if we need to, uh, add a quality release, or if we need to throw additional resources at the problem. You need to help me understand that so that, so that I can get the requirements in and make sure

Izar Tarandach:

you read the news? Just

Matt Coles:

schedule on, back on track.

Izar Tarandach:

last week, a studio, NASA. and the lab that makes COVID vaccines. They all got busted with exactly the same, the same findings. We are a target!

Chris Romeo:

So let's, uh, let's, let's do this. Let's press pause. On

Izar Tarandach:

Oh, thank God. Whew!

Chris Romeo:

cause I think, I think it's, I think it's, it's worth spending a few minutes reflecting on some of the opinions we were taking here and giving people some more context on it because we were staying in character for the most part, other than when Izar said something. Very funny. Uh, other than that, that's when I broke character for a minute, but, but let's, uh, let's, let's kind of break this down a little bit as far as, yes, Izar, you are taking the far extreme opinion, but with every, with every bit of comedy, there's always a little nugget of truth. That's attached to it. So from your guys perspective, like what, what are some of the, what are some of the, I guess, takeaways or, or, uh, Suggestions that we can make for people to really prioritize AppSec amongst three very diverse functional teams here that have different priorities.

Izar Tarandach:

So, I, I, I think that, okay, I'm tired. I'll tell you what, this got me tired. But, uh, I, I think that we, we managed to exemplify here. A lot, but a lot of all the stuff that for the past, I don't know what, 50 episodes or something like that? That we have been screaming against and that we have been suggesting solutions for. So, when you guys told me, think like an engineer basically, almost. And I came with, I don't care about the engineering, I have my own stuff to deal with. to me, goes to the root of the prioritization problem. And how can I dare telling someone, based on the flimsiest of evidence, that they have to stop what they're doing right now just to fix a red light that showed up in some single pane of glass on my site. And if I don't make the effort and I don't take the time to speak the language of the people that are basically Sorry, to use a horrible cliché here, the people that I'm serving, because security is a support function. Security, most of the times, is not the business, it's a supporting function to the business. So if I don't take the time to understand the way that they think, the way that they prioritize their own stuff, and get myself, insert myself into that process the right way, nobody's getting anything done. And

Chris Romeo:

think a continuation of that thought, though, is empathy.

Izar Tarandach:

Yes!

Chris Romeo:

Matt and I, because we're security professionals at heart, we were playing the roles of VP of engineering and product manager who were asking for empathy. Ultimately, that's what we were asking is for you as a security person to put yourself in our shoes. And understand the needs of the business, the needs of the roadmap, the needs of the customers, the needs of the vision that we've cast for this particular product. And we kept throwing you that, we kept fishing, we kept putting that line in the water and reeling it, reeling it, reeling it. And we just couldn't get you to take a bite of that, that hook and, and kind of be, be a fish that's been caught here on, on having this empathy. And so that's, that's one of the things, the big takeaways I have is. Empathize as a security person with your engineering team. Know your product management process as good as your product manager does. Know what their challenges are so that when you come to them, you can, you can weave that solution you need into their process, their workflow. And then they're not going to be like putting their hands up like, no, no, no, no, get away from me. They're going to say, you obviously took the time to understand how I work, what my priorities are, and you're making a request that's reasonable. Going back to reasonableness

Matt Coles:

yeah,

Chris Romeo:

that fits within my process. So it's all about, for me, it's all about empathy.

Matt Coles:

yeah. And I, in addition to empathy, I think the other key thing that came out of this scenario was things like, you know, even the language that you use and how you approach it, right? I mean, gobbledygook, right? Uh, if, if you, if you weren't, if you, if you're not steeped in, in the security language, you know, CVSS10 and DAST and, you know, flying monkeys! I don't know, right? And so, and so while you expect, uh, you know, people in, in, while you expect, I think you expect most people in high tech today to, to, high tech especially. Uh, but not all, not all application or system development or high, high tech companies. But you expect folks to be reasonably up to speed on basic concepts, right? what security is, what ransomware is, what vulnerabilities are, but not necessarily what they mean. And when you throw around a lot of, a lot of big words or fancy words or acronyms that aren't well explained, it goes back to that empathy part. Come to my level. Don't, uh, don't just assume. That the person that you're talking to has a Trent has a built in, uh, you know universal translator for your language, right? And it was interesting, you know, you rent you ramped up the sky is falling Bit, you know throughout throughout the throughout the play You know keeping your keeping your cool and understanding, you know, help guide us through the process, right? Because part of this is, you know, oh, I need you to do something for me, or I need you to do something, right? And once you tie it to the, once you tie it to the process and you tie it to the business language, then Then the fun begins because now that product, that product manager probably needs to figure out, okay, well, where does this fit? How am I going to make this work? Right? My engineering team is going full tilt and already 120 percent over capacity. And you want to add more to that. How do I, how, what can I do to make this better with it? Because I, as a product, product manager, I don't want to drop the ball on this, because I know, like, I should know by now, that legal is going to come down on me, that our customers are going to flip out, right? I'm not trying to annoy you, but there just isn't enough time

Chris Romeo:

Speaks to relationship building though. Security people need to build relationships with their products and engineering peers so that when you do, and if you build that trust up, if you really, if the sky really is falling because of an issue and you've already built that trust in that relationship, those folks are going to be like, okay, I trust you. I trust the fact, you're not showing up at my door 12 times a year with the sky falling. It's really, this is the first time you've come to me, I know you've been a straight shooter and you've been, you've worked as best as you can to protect my teams from being negatively impacted by the requirements that are coming out of security. So if you have that trust already built, then when I come and say, you know what, Uh, Matt, Chris, the sky is really falling right now, we gotta jump on this. Then you'll, you'll, as a security person, you'll get that coverage. They'll give you the benefit of the doubt, cause they're like, You know what, this, this person's been really straight shooting with us the whole way through, and we trust them.

Matt Coles:

well and you know, sorry, one other thing on that, so after you build a relationship, those same people, the product manager, the VP of engineering, whatever, are going to be more likely to do things like bring you in early,

Chris Romeo:

Mm.

Matt Coles:

right, make you part of the process, hey, we're working on these new features, is there anything we should be concerned about here, right, You know, in this scenario, you came to us with a thousand, you know, tens from the DAST tool, like out of the blue, completely unawares, right? And that's great if you're doing a pen test at the end and, and you're, and we paid for that effort, right? But to throw that much disruption at the end of, into the middle of a release, but if you have built a relationship, they're more likely to have, have your team as part of the process. Uh, have the security team as part of the process early to avoid the problems as opposed to being, you know, disrupted by it later.

Izar Tarandach:

so three things that I wanted to, uh, to connect to. So on, on the subject of empathy, I, on YouTube, there's a talk of mine, I don't remember the name, but talking all about empathy. And I think that's the important thing there is that in order to build that partnership, we have to be careful not to fall into the trap, into the trap of, uh, Commiserating, rather than being empathetic. It's very easy for the security person to be empathetic with the, uh, the developer team, and they keep saying things like, oh, we don't have resources, and then you just sit down by their side and say, yeah, you don't have resources, I don't know how you're going to be able to do this thing, well, I understand, we're going to push it for the next time, so Develop the kind of empathy that leads people to results and not sits down commiserating with them in there. And then on the subject of, uh, uh, talking the same language, right? I, I have been trying for a while now to stop talking to developers about risk. They don't understand risk, they're not interested in risk. rather talk to them about priorities. They live on priorities. That's how they decide what's the next thing that's going to get done. So I think that as security professionals, it's important for us to understand enough of the business and understand enough of how things get done so that we can actually point at priorities in a way that makes sense. to them. And the third thing I forgot. Yeah. Yeah. The third thing is not something that you guys directly talked about, but that just popped in my head as, as you were talking, there is one trend going on right now that by definition, I think is going to completely miss the empathy side. And it's going to have big problems with, with deciding the priorities, because it's going to miss that, that human side. And that's the AI prioritization. So I think that it, It's something that we should be thinking about now that AI is getting into all of our tools and things like that. If it's not time for us to really, really, really embrace the soft skills as security practitioners and provide that layer that AI is not going to give. So, we should be always there translating those priorities and results and requirements. to the development people, because ChatGPT is not going to do it for you.

Chris Romeo:

Yeah.

Matt Coles:

and actually the big question really is, should AI be the direct interface to the developers? And you have to then Explain what it meant versus, uh, you know, being a tool that you use to deliver better, more timely information in a way that makes sense, right? So, so, yes,

Chris Romeo:

I was going to say that's where I'm landing. That's where I'm landing is more is AI should be helping AppSec folks to be better, but not be the direct conduit to the development teams. Not at this point. It hasn't been proven that it has enough goodness to, to, and value to really provide good advice in my mind.

Izar Tarandach:

That's a discussion that I think is worth having, and where I'm landing with it is that we should be careful not to fall into two cases. The first one is where we as security practitioners become the the oracle, in double quotes, where we interpret the words of the wise AI to the developers. And the second one is that places that can't afford or can't find a security practitioner will just say, well, we're going to rely on the cheap alternative and that's going to be talking to an AI. And then sit on that and not move forward because, to the best of their understandings, all their needs are being fulfilled.

Chris Romeo:

Yeah. And that, that, as you said, that's a question for another day and another episode, but, um, I want to thank our, uh, our, our number one fan for this excellent prompt, because this was a lot of fun to, to put ourselves in other, perspectives and argue from that and, and send things back that we've heard. I know I'm, I'm guessing Matt, you did the same thing I did. I was kind of reflecting on things that I had heard people tell me, and I was trying to channel those and send them back towards the security team. Uh, but I think this was a really valuable exercise.

Izar Tarandach:

wait, wait, where do you think that I took my stuff from?

Chris Romeo:

Yours is for real

Izar Tarandach:

Don't answer, don't answer.

Chris Romeo:

Oh,

Matt Coles:

I, I, I do, I do want to say, uh, I want to be careful. You know, I know a lot of product, product managers and, and VPN. So I'll just say my first thought when, when I saw the scenario was what, what have I done to you? Why am I the product manager? But that's. I do want to, I do want to say, you know I've worked with a lot of wonderful people over the years, nothing of what, nothing what I said as a product manager, hopefully, I mean, I, I play the stereotypical, uh, in this scenario, so, um, you know, my apologies if I offended anybody, but that was not the intent. We were having good fun with this, um, when it was presented and, you know, Izar really took his role to heart.

Izar Tarandach:

No, no, no, no, my role doesn't have a heart.

Chris Romeo:

Yeah, that's true.

Matt Coles:

You unleashed the, you unleashed the beast.

Chris Romeo:

That's what happens. All right, folks, thanks for tuning into this episode of Security Table, and we'll have another prompted scenario for you at some point in the future, because that was a lot of fun.

People on this episode

Podcasts we love

Check out these other fine podcasts recommended by us, not an algorithm.

The Application Security Podcast Artwork

The Application Security Podcast

Chris Romeo and Robert Hurlbut