We are at BLACK HAT USA 2022, come see us at #IC75, check out our BlackHAT training sessions
DevSecOps

Talking about Information Security with Chitra Elango

February 21, 2022

Welcome back to the AppSecEngineer Podcast! This week we spoke to Chitra Elango from Fannie Mae. In our conversation, we spoke about differences in work culture between the East Coast and West Coast of the US, the work she does at a massive organization like #FannieMae, and how a newbie to application security can get into the AppSec industry. We even spoke about ‘DevSecOps fatigue’, how developers fit into a product team’s security strategy, and the soft skills both team members and leaders needs to employ when working with people in various disciplines on a project.

Starting Out in AppSec and Dealing with DevSecOps Fatigue with Chitra Elango | AppSecEngineer Podcast

Rahul - Okay. We are live. Hello and welcome to another episode of the AppSecEngineer podcast. My name is Rahul and today I'm going to cut down on the introduction of the person who's coming in because I think there's a lot of that I'm going to ask her myself though we've had the opportunity to work for a couple of months or probably more than a year now, but the introduction section of it in terms of who she is and into what she's doing right now, all of that is going to be something that we are going to see over the next 45 minutes or so, but I'm sure for people who've been in AppSec for a while now, you would have... you would definitely know about Chitra and her work at Fannie Mae, so let's get started. Hello, Chitra. Welcome to the AppSecEngineer podcast .

Chitra - Hey Rahul...Thank you for having me. I really appreciate that. There's a little lag, but then I can, I think we can fix it ... 

Rahul - yeah... today we've got a little bit of a lag issue going on, so hopefully by the time you guys see this there is nothing. It's all fine. So Chitra like I said, we have interesting questions and I've seen some of your podcast that you have done with few others.. So we're going to make this slightly different. We're not going to get too technical. And this is going to be more about knowing more about your journey, knowing more about what we can learn from, from your experience and what you have to offer in terms of advice for people who are actually getting into AppSec or want to get better at AppSec.

So, right. So, let's get started. So I want to first start off ....we've been talking for a while. We've been working for awhile is that I've never had the opportunity to understand from you is in terms of how did Chitra become head of AppSec, become this person that she is now in AppSec and known in all of these province. I guess pretty much on both the Eastern  and Western province, so how did this come to happen? 

Chitra - Oh, well, I wouldn't tell you I was born, my aspiration was to become an engineer that was not the case. You know, I'm from India. So in India, at least in South India, Southern Indian parts of..... Southern States of India, it's either engineering or medicine.

We never had anything other than that. So that was my first introduction to STEM or science. You know, I got my bachelor's in computer science. I wouldn't say it was by, you know ,I wanted to become an engineer. I was just given two choices and I saw one of my older brothers, you know, a doctor studying really hard.

And my second brother, who is an engineer, studying for his engineering degree didn't spend as much time as my older brother. And then I said, I have two things. What do I want to do? And I chose engineering. So, you know, that's how I was first introduced to the STEM or engineering and, you know, my information security, I think, it was by chance, by luck, probably it was meant to happen.

I don't know. I... I have to thank..... There's this person called Akshay Sivananda who was then the AppSec manager and, you know, Anthony Johnson who was a CISO of Fannie Mae in 2015. And I'm very grateful that they gave me an opportunity in information security. I by trade I'm a developer. I was a developer for, I think 18... 15 to 18 years. And then by chance, I was given an opportunity in information security. So that's how I stepped into information security, that was by chance and after that it's history. Yeah. After that it's history. I took my development background and started plugging it into AppSec. I think that was a successful, you know, 

Rahul - so what has now, what is now become to be the mantra of a successful application security. You pretty much started that by, by default, right? 

Chitra - By default. Yes, actually, you know, I have to tell you in 2015 when I was talking the pain points, because I was a developer by trade, right. So when I was talking, you know, from the development or developers perspective, people thought I was crazy, you know, they didn't like me being in the information security field because I was more talking towards and protecting the, you know, developers rather than speaking for the information security. Yeah. Yeah. I did speak about that in 2015, now it's become the mantra. 

Rahul - Yeah. Right. So do you first... do you remember your first... first bug that you found in security. Do you remember the first "aha!" moment where you found a security vulnerability or, or, I mean, this is one of those questions that, I know you're the senior director right now, but if there's somebody in Fannie Mae who is a developer or who is who's way down the value chain, if {Laughter } they want to know what was Chitra's first bug. 

Chitra - Sure, actually it wasn't my first bug. I remember in 2015, I think when I started with information security it was July 6th, I think, after, you know, July 4th weekend and there was a huge thing in InfoSec and I can't speak too much about it and I was pulled into this meeting where the CISO, the deputy CISO, Christopher Porter, Chris Porter, I mean, he's one of the greatest guys I have ever known in security, but we'll talk about him later on. So, you know, he was sitting there and then I had my manager, AppSec manager, and seriously I would say I didn't understand too many things that were spoken because it was more on the penetration testing.

So that was my first... I wouldn't say it's a bug, probably it was, you know, people were talking about are we under exploitation? Are we being, you know, exploited? Is there a vulnerability being exploited in Fannie Mae. So that was my first experience sitting with all, you know, the CISO, the deputy CISO and AppSec manager and trying to resolve it.

And I have to tell you when I went in I did not probably know too much about what was going on, but being a developer and luckily it was an application security layer vulnerability so I was able to give a lot more input and by the end of, you know, finding this issue and remediating, I have to tell you I got an email from, you know, Bruce Lee who is my boss's, boss's boss {Laughter} and that was a"aha!"moment, you know, I walked in not knowing much but then walked out with all kudos. So that was my first experience. 

Rahul - So visibility three levels up on...on. 

Chitra - Yeah, three levels and it was very funny..{Laughing} you know that particular instance because it was a long weekend, not a long weekend, it was a weekend.

This particular thing happened on Friday and Oh!! no.., actually it was Thursday. So we spent all of Thursday night and Friday, and it was Friday seven o'clock when we really, you know, fixed and we did everything; we said we are okay, and we were about to walk out and my daughter had one of her important results,

we were waiting for her results. And, you know, when I got this email, my CISO and deputy CISO said, do you want to check your email? I said, no, not now...and, you know, they actually made me read that email and I said.. that was the first time in my life, I think, I got such a personal email from such a top person, so that meant a lot to me.

Rahul - And like you said, there's never looking back ever since. It's been Fannie Mae all the way. 

Chitra - No... it's... I mean, I wouldn't say ...they are such great, smart people in the industry. I think I had great mentors and, you know, great advisors like for example, I would like to mention Chris Porter.

I don't know if he's okay with me mentioning his name, but he is one of the smartest people in technology, in security and he also is an empathetic person and he supports the, you know, what do you say, all innovative things, you know, you need to have a leader who can understand, articulate the innovation for them to support and we have a strong leadership in Fannie Mae and, you know, the CISO is Chris Porter. So I think because of such support it's possible. 

Rahul - Yeah. I want to talk about Fannie Mae now as you've created a good segue Chitra. So one of the, one of the questions that I always love to ask, and this is... this probably a question that has come into every podcast of ours is, and especially with you, is there is this view of application security, especially in the US in two extremes, right. So you have the, you have the bay -area type companies who are small, nimble and doing good things in application security. And then you have large giants, like Fannie Mae, where, where the complexity of application security is very different, right. There are two separate levels of complexity, right. So I don't want to talk about the complexity today, but I just want to talk about the... what are the, what do you think are some of those very clear opportunities or strengths that larger organizations have either in terms of innovation or in terms of just doing things. I don't want to lead you... lead you to an answer specifically, but I'm just asking, what do you think are, are the specific strengths or opportunities that larger organizations have and leaders in large organizations, like yourself, have in terms of the next big thing in AppSec. 

Chitra - Sure. The main difference I see between, you know, the West Coast and the East Coast is unfortunately, I think, the East Coast are producing engineers, cybersecurity engineers, and supplying them rather than product oriented, right. So I see a lot of companies from the West, you know, innovating and

you know, building products and, you know, selling it. But I think that's what is lacking on the East Coast, but in terms of companies, because I come from a finance company and I've worked in a finance company for a very long time, I'll stick with, you know, finance and Fannie Mae like companies. 

In the industry where I come from, I think, we don't build products as such. We do build... when I say we don't build products, we don't build security products and, you know, sell because it becomes proprietary to Fannie Mae and we host it in Fannie Mae. We cannot sell these products. If we can sell products we build, I think all of us will be multimillionaires at this point of time because Fannie Mae has amazing talent where we build in-house.

For example, to give you an example, we build the DevSecOps pipeline moving security to the left where we are building the externalized API agnostic of the pipeline and, you know, we integrate with the threat model and also, you know, write test cases. Not many tools can do everything, right. Tools can only do so much.

You have algorithms, example static code analysis. It looks at the algorithm and it'll predict to a certain degree, but if you have a threat model and if you have internal resources who have written the applications, write test cases to that, nothing can beat it, right. So that's where, you know, the products are different from the service- oriented companies, like ours, who build in-house products.

That's the major difference I see. 

Rahul - Right. And talking about, talking about teams and talking about building and services, one of the first things that comes across to anybody's mind when they, when they're comparing the East Vs West is this huge cultural change that larger organizations need to bring about in terms of driving application security, I mean, yes, there, there is top management. I mean, we've been lucky to have people like Chris at Fannie Mae who's driving this, but let's talk agnostically not necessarily with respect to Fannie Mae but just taking an example, right. So in these large organizations when people think and even, even from an, even from a consulting side of things, right. If people on the other side of the fence who want to work with larger organizations, they first think in terms of how do we cross this culture barrier. So as someone, as someone you've been with and you've pretty much been in the thick of things in AppSec at Fannie Mae, so what has been your kind of experience or secret sauce, if you will, that you could, you could probably share in terms of that things that have worked for you in building these large teams. 

Chitra - Sure. So one of the things I've looked at is let's talk about the products, right, where we get the services. These companies where they are, you did mention there are several startup companies on the West Coast and Fannie Mae is a big fan of, you know, encouraging and promoting, you know, smaller companies

if they have the product that we think will... at least have 50% of what we are looking at. We work with them to make their product fit for Fannie Mae. So that is one of the greatest, greatest things that Fannie Mae does. We just don't go into the market, look at the biggest company because they are expensive sometimes.

Do we want to spend so much time and money and built a product for someone big in the industry, probably not. So we choose some companies who are startup and then we work because we get a lot of, you know, a good feedback from them. It's two ways. We give them our customer feedback and they build those features within the products.

So that way it helps both, it's a win-win for both. So that's what we have done in the past few years. We start up with several, you know, smaller companies. We work with them. We become sort of their, you know, testing platform if you may call and then, you know, we help them with their features because it's not just helping them, we're helping ourselves because... for example, let me give you this example. There's not a single tool I've come across probably that can, you know, correlate all of the, you know, vulnerabilities from different toolings. There could be several tools at this point of time. Even those tools, you know, don't give me the risk metrics, risk rating. So you have the vulnerability management from the infrastructure, the middleware, and you know, your applications, but can you tell me for this particular application this is the risk rating. They do partially, most of them do parts of it but not a single tool does it holistically. So if we can work with a company who has at least the correlation of the vulnerabilities, it's easier, much easier to build the risk factor into it. So that's how we are working with the vendors. Coming to your next point about building these great teams, right? Yeah, I mean, I think, I have a history of building good teams, at least the application. When I started as an analyst in the application InfoSec team five years ago and, you know, once I became a manager, I stabilized the application security and I actually started the conversation for Red Teaming.. Red Team. And once I took over the... took over the application or the vulnerability management team as a director, my first step was building the Red Team because, Red Team, we passionately call them internal hackers. I think that is one important piece, I don't know if many companies are missing, at least Fannie Mae did not have the Red Teaming. Now, we have the Red Team effort in addition to the Red Team, we also, you know, partner with the, what do you say, Threat Detection and Response Team and do the Purple Teaming. So that is something I'm very proud of, you know, I started that conversation and then next, you know, last year, I think 2019, we started something called... ahh..2020. I keep forgetting what year we are in. 

Rahul - We completely forgot 2020...We want to forget 2020 {Laughing} 

Chitra - So 2020, we did as part of AppSec, we built the DevSecOps with static code and you know, some pieces of DAST, but then I thought, you know, I took this to my CISO and my VP, who is Nick Mistry.

I took this proposal and I said, we need to build a new pillar because it's just not SAST, we need DAST. We need all of the APIs, all of the security tools for containers, for compliance, we need to build all of these things and we built that team in 2020, and believe it or not we have around 10 capabilities within a year we have given out to empower the developers and we are able to do in such a way that it's agnostic, its self service. They don't have to depend on information security folks because getting an information security member is next to impossible…

Rahul - not even for Fannie Mae. 

Chitra - Not only, I think even...{Laughing} it becomes so difficult to find these folks.

So the other thing what we are trying to do is we steal developers. It's not that because I come from a development background and my whole team comes from the development background for DevSecOps. We steal good developers and train them. We have the carrot hanging saying that you come with your development background, we train you in security. So people are sold on that because security and, you know, development background is the thing that you need in the industry. So that's how we built the DevSecOps team. And now, there's a new pillar that we are going to be building which is called security champions. I think there are companies which do security champions programs or security guardians programs, but I don't think they are doing it the way that Fannie Mae is doing it. We have an umbrella called security champions. Then we have a pillar within that which is for content development and we depend on companies like you, we45, to create the contents and, you know, the assignments and the detailed online training. And then, we also have trainers who train development squads. We have around 200 to 250 squads in Fannie Mae will be training those developers. Then there is another important piece I think is very different from what other companies are doing in the industry is security advisors, embedding the security advisors from the information security team into each squad. It's going to be 1: 15 or I don't know, probably 1:15 ratio and then, you know, train the developers to become security coaches or guardians eventually. So that way, you know, we are going to have a scalable, you know, security culture within Fannie Mae, that's the vision. Hopefully, you know, it's going to materialize..

Rahul - Absolutely. You touched upon a very interesting point there is about, I mean, you've ... it sounds like almost your predominant internal hiring mechanism is to kind of take developers and get them trained on in application security right. So one of the things that we're trying to establish with AppSecEngineer as a brand is for us to promote this cross-killing of developers into security, security into DevOps, QA into security and what not, right. So what would your advice be for any developer who's listening to this podcast right now, right?

And this is something I've found quite interesting as well is, if there were to kind of put up six month to a one- year plan of sorts to say that, okay, I am interested in application security. I want to get into it. What would be your advice in terms of saying how can... how can a person just go about... what could be their first few steps in terms of learning this whole domain and being, and being employable?

Chitra - Sure. 

Rahul - So like you want to just answer? 

Chitra - Sure, sure. Okay. Let's step back, right. Your question was more of how can a developer who wants to get into security what they can do to be part of the security team, right. Developers by default are security experts in my opinion, right. Because they are the source of... they're the source of the code. So they are writing the code. If they can follow, you know, the basic application security OWASP top 10 and a little more beyond that and now we are talking about cloud. So let's... as a developer, if I were a developer looking into, you know, looking to get into security, I would, you know, start looking at cloud, looking at serverless and look at container. These are the keywords that you may call it buzzwords. So the container, serverless, cloud... cloud could be, you know, we are heavy on AWS, but it could be any cloud.

Look at this, what are the security compensating controls? Because we need to realize that within the cloud environment somebody is doing it.... holding it for us, right? We don't have too much control, but you need to look at the inherent risk versus the residual risk. So let's get the compensating controls in place. So learn about your networking, learn about the perimeter. What happens at the different layers of, you know, your... basically seven layers. Just look at each layers. You already are expert in development. So you know the application layer well. After that, I think people to get into holistic idea, I think they should take security plus, that's the basic. it gives you the end-to-end, you know, of what security is. So get all of those and, you know, a little free search on access management, because that's the first step right after you get your network layer, it's your authentication authorization. And I think... I don't have too much to say to the developers because in my view they are... they are the best, right. I know...., you know, training a developer to become a security person is so much easier. I don't know if you can make at least all of the, you know, security people into developers; I don't know the answer to that, but I can tell you 99.9% you can make good developers into security people if they can learn about the network layer, the different layers and, you know, end- to-end of what compensating controls you need. That's all  I think... that's all it is... 

Rahul - and I know for the fact that Fannie Mae, especially your team is hiring. I know you put out a couple of tweets and LinkedIn posts saying that you're, you're, you're hiring, but I'll probably put it up in the description for people who are interested. But I want to ask you another question in terms of, in terms of the non-technical skills of a developer, right. As and, as and more we start going into application security, it's not just the technology skills that's required because I think one of the things that a lot of them agree upon is that a security person also needs to have a lot of people skills, right. Because there is, there is, this developer who is {Laughing) this application security who's now talking to multiple people. I mean, it's, it's not... and especially with the siloed model that we're going with or with the security champions model like you just said. If there was a candidate who... who would come and attend this interview..

I mean, they probably have to go through multiple loops before they land into a... land into an interview with you, but I'm just saying what would, what, what, what would, what would your advice be for, for, for security engineers or developers turn security engineers in terms of what would they need to, how can they prepare for application security....? 

Chitra - That's a great point. Most of the times I think we miss the soft skill piece of it. We always talk about, you know, the technicality and... the soft skill I think, when we do interviews in Fannie Mae in general, especially my team, we are looking for attitude and aptitude, you know, one of the simple analogies I give is some kids, you know, eight months they start walking and running or walking probably. And some of us take, you know, a year, year and a half to walk but it doesn't matter, we all walk eventually, right. It's just the pace at which we learn is different but I think the attitude and aptitude of that learning I need to walk, that is the most important. So when we are looking to hire people in addition to the technical skills, we are not asking... I know all the time when we post jobs, not only in my team, we ask for five different skill sets in one person, we are trying to get the unicorn of unicorns, right, which is impossible, but you know what?

We just try our luck. Yeah. And when they come to interviews, we're looking for just 50% of the 100%. But if they have the great attitude and aptitude to learn and be a team player, that's all we care about, right. We can train you and you have the attitude to learn and be a team player. And one of the things I always like is never be with  my way or highway... always, you know, we all learn everyday. Security especially is evolving. The landscape is changing because developers are becoming security people and then they become hackers, right. So the landscape is changing. So every day you need patience and if you like reading mystery books, Security information.... {Laughing } Security is the best because everyday it's like a mystery you are trying to solve.

Rahul - That's possibly the most unique thing that I've ever heard till date of advice saying {Laughing}  read mystery books. I mean, that's, that's, that's very interesting. That's probably going to go as the tagline on this particular video {Laughing} at some point, 

Rahul - You know, this is quite interesting because as and when you're answering it, I'm getting ideas for another question, I'm going to ask you right now is especially... especially knowing somebody like you who's been hands-on in development and you've been a developer, you've had your time there and then that interest got you into information security and then application security and now you are... . now you're a senior director. Your heart is still in development. Your heart is still in ensuring that you get your hands dirty and things like that. But then every once in a while, especially for executives at your level you need to maintain the balance between governance, compliance and application security, right, and out of which governance and compliance.... And you talked about the fact that if you're, if you're looking at somebody who is looking at documentation and 9 to 5, AppSec is not your cup of tea, 

Chitra - no it's not…

Rahul - But governance and governance and compliance, at least it's my personal opinion, it's still a lot of documentation and reading between the lines. So, but, but jokes apart, how does... and especially...  especially environment like, like Fannie Mae right, at one end you are regulated, you're closely watched in terms of your... in terms of your mandates

and yet here you are trying to build a team that is moving towards innovation. That's trying to build the best in class... use the best-in-class platforms, so how do you maintain this balance between compliance slash governance and next in or latest AppSec innovation. 

Chitra - Yeah, the AppSec innovation, you know, everybody... let's back up to the compliance, right. What is compliance? In the past, they would have excel sheets or a word document PDF. I don't know what they use these days but there will be a checkbox, right, do you satisfy all of these things. But just imagine if you can automate all of those in your pipeline, be it auditor's second line, first line, anybody right. If you can go at point of time and get the information how was this application doing in terms of vulnerabilities, the host it's sitting on, what are the vulnerabilities of the host operating system or the middleware it's sitting on? If you can get real life point in time data, why would a compliance person like the auditors or the risk control management team worry, right. They'll be very happy because we're making their life easier, right. So I think that's what most companies including Fannie Mae is moving towards, you know, automating everything within a pipeline including your governance and compliance. What is compliance? You'll need to know these are your deviations.

These are the rules. First these are your standards. These are your rules. You need to follow. These are your guardrails. If you're going to be deviating from that you need to be notified. And after notification,you need to take remediation. So if all of these can be done in an automated fashion that's compliance.

So I don't think application security or the compliance with the governance is anything different. It all should be baked in into the pipeline and I would call it as end-to-end stream value, whatever you want to call it {Laughing},  it should be, all in one. So that's.... . 

Rahul - And, and also do, do you see, I mean, one of the patterns that I've seen is that be PCI, be it SOC ,or be it HIPAA for whoever it's relevant.

One of the things that all these, all these regulators are adding is a very close watch in terms of the clauses that pertain to software security, right. I still remember PCI was one of the first ones who said that every small change to a platform needs to undergo a security assessment. So in some, in some form or shape, they too are trying to play catch up with, with the whole AppSec iteration model right. So... so do you see that there is a possibility for to actually use compliance as a  trigger point if you will to better AppSec automation or the other way around, and we know for a fact that doing AppSec automation would eventually help compliance, but for organizations who don't have an excuse to actually go ahead and innovate an AppSec, maybe they can actually use some of these compliance needs, right.

Chitra - Oh ...yeah. You know, in Fannie Mae itself, right, we use COBIT NIST framework. We do use all of the frameworks and I think it's becoming a normal practice these days when something has to be built, we take that product and we start off with the framework that matter. You have several frameworks, whatever the framework that is pertinent to that product, we start coming up with

guardrails. For example, we did the TFE or Terraform Enterprise with Sentinel guardrails, right. Right. So in that particular case, we did not just start developing it but we created the guardrails and mapped it to the NIST framework. So that is becoming a norm now. And then we automated all of these things.

So if a compliance officer or the auditor comes in and asks us what framework are you following in terms of compliance and governance? And we can tell them NIST is one of, I mean, I'm just giving you a name, right. Yeah... it may change. So we can tell these are the guardrails. These are the, you know, NIST framework items they map to. So yeah, we take a holistic approach. We don't go from developing and then map it back to NIST or a framework. We actually map it first and see what are the gaps that we have if we have any and how we are going to be compensating. So we go left to right instead of going building it and mapping it. So that's what to do.

Rahul - Interesting. In terms of teams Chitra and this is another question that's very... probably your... you are better poised to answer this because organizations like yours still have the.... I don't know whether it's called luxury or whether it's just the state of affairs, you still have QA as teams. Like you still have QA as a... or probably as functions right. You still do functions as QA because today something that I was speaking to another company who was ten-membered strong and they said, okay, can I talk to your QA? They said, we don't have anyone called QA. It's just developers who just test security and things like that, right. But assuming that or maybe let's not talk about Fannie Mae only, assuming that there are teams today who have QA teams, right. And which is still a very vibrant industry, right. And I often wonder and I don't want to ask you this because it's easier for people like me to just write this on a piece of paper, on a slide, but I want people listening in to see whether it is actually a possibility is today QA wherever they are existent are still gatekeepers of, of actually sending a product out to production, right. They still are people who call out a go or no-go at some point in time, right. Now what, how do you think teams can actually kind of leverage these folks at QA in terms of actually adding value from a security perspective, because in my mind I'm thinking you have somebody who has the keys to the kingdom, who has some level of authority or at least in terms of telling you whether a product is...  they're still validating or publishing the certificate....  certification of a or they probably providing a value to a product going out

right. So what is the possibility of them kind of jumping onto the security bandwagon and sharing that responsibility? 

Chitra - I mean, probably I'm ignorant. I'm sorry about that. I thought QA, the word QA, quality analysis and a team... QA is still there because for any product.... 

Rahul - As in the verb... 

Chitra - yeah..as in a verb {Laughing} right. I don't know if there was any action in a team, peace to it.

Right. oh!! really....I understand. I have not seen them..., 

Rahul - No...I have not seen them but... but I, I assume that larger organizations did have {Laughing} them because I don't know, where did these people go but..? 

Chitra - Yeah, I think there was a shift right in the industry, I think three to four years. I, I don't know if I can pinpoint when the change happened.

So I think we stopped calling QA as QA and developers. It's all one squad. So you have develop...., you have everybody doing everything within the squad. So I don't think we tag them as, you know, developers or, you know, testers or you also had acceptance, user acceptance folks, a team by itself. So we did have developers, unit testers.

They did the unit testing. Then you had the integration testers. Then you had the QA testers and then you had the acceptance user testers.. You had all of these people, but I think that all stopped at least when we started moving. I mean, generally the world started moving towards the agile way of doing things and two sprints... Within two sprints how many things can you do, right? Are you going to test and have manual intervention, probably not. So I think that's where the automation piece came into picture and we don't call them as testers anymore. So I don't know how to answer that question because I don't know if they still exist but if they do exist... you go ahead.

Rahul - No, I was just, I just wanna, I just wanna rephrase that question differently, maybe that would help. Let's assume there was somebody in that era of QA where it was actually a function as a team and they had certain skills in them, right? So QA had certain skills. An automation engineer had certain skills with him or her and now cut to 2021 where as we just discussed this, there's this whole dissolve... this whole team has now dissolved and the lines are very fluid. So how would, how would..., how can you repurpose those skills from a security perspective? Maybe that makes more...... 

Chitra - Yeah. That actually I can, you know, answer, but again I'm not a pro within the QA piece, so I'll take a, you know, chance on {Laughing}... so on that. I think QA, right. Eventually they should have done some kind of testing be it manual or you said automation. Automation is perfect. But then if there are tools that has GUI for automation, probably, you know, they need to change that and do hands-on in a Python. Ruby on Rails is very, very easy. It's not very complicated. If they know the business logic and the workflow logic, I think they can easily, you know, learn some kind of scripting. If they can do that then probably they can easily, you know, even become developers and then eventually go the same path as developers, get some security knowledge and, you know, become security folks. QA to security probably they can help with penetration testing and, you know, static code analysis. I don't know. I don't know how much of a value add a direct move from QA to security would be, but definitely if they step back and become developers and then take the route of the developers getting into security that probably might be a better option for them. 

Rahul - Right. Now, of course, now for a question that's very uncommon, but I still want to ask this. Words of wisdom from a senior director in application security to sales and marketing professionals who are in, in DevSecOps or application security and things like that, because thankfully I haven't received them as yet, but I know a lot of my.... my peers in other organizations who, who get notes back from senior folks saying, what are you talking about? Right. And I think, {Laughing} I think, I think the main issue is... is in terms of ever since DevSecOps came.. And I sometimes... I sometimes... I think twice before they use the word DevSecOps, because it's now over used  so much.

So I'm just going to say until a point when we started seeing application security in scale, this whole wave of AppSec automation, the whole wave of DevSecOps, SecDevOps, rugged DevOps, whatever you want to call it, right. It's just led to the plethora of products and services in this space. And as somebody who probably gets at the very least one or two new product brochures every week {Laughing} to your inbox ...how... What would, what, what can you tell or how can you help the life of, of a sales professional in this domain to make a better mark on people?

Chitra - Yeah, you know, I don't get just two a week. I get, I get almost 20 to 30 a day and ...wow!! Sometimes it's very difficult to go through, you know, every one of them, but sometimes some of them catch my eyes. I don't know if I have to give the secret out. They would, you know, make it very personal. They would read about the company. They would read about the journey of the company and then say, these are the things you have but I think you're missing this. Right. And then we can help you there. Those are the things that, you know, will pick up my, you know, I'll just pick it up and I'll see, okay, this person has done their research before reaching out.

They're not just sending a mass e-mail, they have taken the effort to actually go and look, what my company does, what our journey has been so far and what they can help us with. So I think that is one small trick I would let, you know, sales people just don't send mass.... You can send but I don't think many people will respond to you.

And sometimes we have within the company, like Fannie Mae,you have some filters. They usually, you know, even my personal account it goes to junk. So sometimes we might not see it. And the other thing is get into conferences, talk about your products and then, you know, send emails on a personal note, just don't send mass. I don't read most of them. That is one thing... 

Rahul - Yeah. Sorry, go ahead. Go ahead. 

Chitra - And the next thing what I've seen is everybody wants to build the pickoff keywords, SAST, DAST. No... DAST and SAST are old methods, right? We are moving towards IAST and Threat Modeling and writing automated test cases. Think differently, don't be inventing the wheel that's already invented and had several iterations. Right. Do something which the industry has not thought about, and invest in that and speak about it and send emails to talk about those things, not use keywords like my, you know, people talk about pipeline. Pipeline is a pipeline if you don't have your plugins, right. It's not of value add.  So speak about what your pipeline, what your tech capabilities within the pipeline are. And sometimes this is the irony and and I don't know if I have to laugh or feel sad about it. Many vendors and many companies would take the presentation or the white paper my team and I have put or some other peers of mine have put out; they will take the same thing, come up with beautiful powerpoint presentations and come and present it to me {Laughing} and they'll be trying to sell an idea which I was talking about five years ago, built it and have matured it to a certain level and I'll be sitting there and, you know, do I stop them and say you stole some of my ideas and you're talking here. I don't know how to.... So I think we have to be a little innovative.

Everybody is building products. Another thing I'm hearing these days is compliance automation, cloud compliance automation is the key word. People use the cloud and compliance because they think it's fancy. Yes, it is fancy, but they come up with products and examples... simple things developers can write automation in-house itself.

Why would I go and buy for something, you know, spend money for something that can be easily created.. S3, public or private? Why would I need a tool to do that? I can easily write that myself, right. So focus on something not the basic things that every tool does, go beyond that to an advanced level of crawling and going through the business logic.

If you can look at the perimeter. For example, let's take an API, look at the API. How does it flow? What is the database? What are the things that you can find? Combine it with threat modeling. So do all of these things and build a product. Just don't build a product with SAST, DAST and say this is it...So that's something, you know, I would like to tell.. 

Rahul - Unfortunately I can't name the person because if he's watching this later on, he wouldn't want to be, but I know there was this person who actually created the word DevSecOps and any mails that had the word DevSecOps from an external..., even external mail, it would go into junk because he was tired of getting emails that just say DevSecOps..., DevSecOps and the product

had nothing to do with DevSecOps. It had absolutely nothing to do with DevSecOps, there was no automation at all. So he said, you know what, anytime any mail that comes and... you said pipeline but in his words it was, it was DevSecOps like anything that had that just goes into junk. So I know Chitra we are at the top of the hour, so I have one final question for you but this is more in terms of outward looking, right. And I often say this that, you know, we've been lucky enough that the last two, three years have for various reasons put application security in prime time slot of product engineering, right, be it in large organizations like Fannie Mae, be it in smaller ones. Thankfully for us AppSec professionals, people know in terms of this is important and this needs to be done, right. And, and, and, and so that's, that's a good thing. What do you see happening in the next? I won't, I wouldn't say five years, but the next one and a half to two years. So where do you think... what is your assumption or what is your, where will you put your money on in terms of where the next big thing is going to be?

It could be either in terms of what you're seeing in Fannie Mae or outside. 

Chitra - I think generally my.... I don't know, this is my take, right. We have all of these tools. Like you mentioned, there are several people building tools, companies like us built to... I mean, built services and we also use tools. But one thing which I think is an issue all around is culture change, right. So if you can change the culture with so many tools and so many compliance and governance, if nobody's taking action or nobody knows how to take action, what's the whole point of building all these nice things? So I think moving everything to the left; empowering the developers, we are talking about  empowering the developers, but I think the training piece and making the developers become security savvy. I think that is where I think we should be focusing and spending more time and money. The tools, we're there....almost there. Probably, you know, something other than cloud can come up. I don't know what else will come up, but then that is an iteration of constant change, right. There's nothing stopping it. But I think the source of building products is the developers. We need to change that culture. Training is what I think and the security advisors and coaches or the security champion program I think is what is going to add more value

and I think it's going to not frustrate many people too because when you have developers come to the deployment phase and you're breaking their build and not letting them go into production, that's not a win-win for anybody, right. So if you can move everything and train them from get-go, these are the threat models for your stack, via architecture this is how you need to do, these are the tools that can solve these issues, but then you need to, you know, take care of all of... for example, authentication authorization. I don't think there is a tool that can do it unless you write a script for testing that, right. So things like that... training... that's where I think I'm going to say we need to focus more because everybody has come up with different tools. And the next thing I think is automation of the compliance end-to-end. I don't know if we are going to lose our jobs. I don't think anybody is going to... the main question I keep getting from my team.... my team and outsiders is, with all this automation are we going to be losing our jobs? No. I mean, my team has grown from, you know, few number to several people now,

right. Are we losing jobs by automating? No, we are spending more time with innovation and coming up with better ways of doing penetration testing or static code. If a tool can do with automation 50% of my testing, I need to spend 50% on the actual hardcore, deep down which the tools cannot find, right.

So it's just changing the way you do things. I think that's what it is. The automation end- to- end and, you know, the training that's where I think things are going to change. And the other... the third piece I'm thinking is risk. All of us are talking about, you know, the CVEs versus the CVSS, right. CVE is the static one, it tells, you know, it's critical. Does it really mean critical to my...  my company?.., probably not. So we need to come up with a data lake. I don't know if people are doing this. I've been asking this in the industry. I'm... I'm looking at a data lake where it says, let's take a cloud environment. These are the inherent, these are the compensating controls.

And if I get a CVE for 10, if it says it's critical with all of my compensating controls and all of the tech stack I have, does the residual risks still stay 10 or is it going to become a low? So that data lake and data..., I know it's going to take time but the first time is a tough one but after that it's going to be an iteration.

So if we can come up with that and when you also add the FAIR model, that's what Fannie Mae does. We use a FAIR model and come up with the risk. How much is a dollar amount? What is the real risk? So if we can build all of that process in addition to your vulnerabilities, because not many times your critical is going to be critical. It could be critical outside, but you need to come up with an algorithm to calculate that risk for your company. So that is something... I don't think there is a company that does that. They do in parts and pieces but not a holistic, you know, vulnerabilities of application, vulnerabilities of your infrastructure, your cloud, you know, deviation, you know, configuration deviation, everything together correlated and assign a risk rating. My residual risk rating, not the inherent one. So I think that is what the future state is for me. If there is a company that can... that is doing this, I'll be more than happy to talk to such companies. 

Rahul - You have already given two product ideas and you've said, you said that you want this {Laughing} so for this particular podcast, if not for anything else, for people who are in this domain, you know somebody who is a potential buyer if you are in that particular domain, so I'm going to definitely put that out there, but on that note Chitra, thank you so much for being part of this program. I know, I know you've had a busy schedule and we've been trying to speak for a while but I'm glad this could happen. So thank you so much for your insights and look forward to talking to you soon.

Chitra - Oh..., thank you very much. And this is one of the, you know, fun podcasts. Usually it's all technical and this was a mix of technical and non-technical, which I really like. Thank you for the..., I know I've been putting off this for a long time but thank you for this opportunity. Appreciate it Rahul. Take care. 

Rahul - Thanks Chitra.

Chitra - Bye-bye.

Abhay Bhargav

Abhay Bhargav

Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA. He loves golf (don't get him started).