
Talking OWASP DevSlops and AppSec Communities with Nancy G. and Nicole Becher

May 27, 2021
Written by
Abhay Bhargav

In this episode of the AppSecEngineer Podcast, we have the pleasure of hosting not one, but two leading security practitioners as guests: Nancy G. and Nicole Becher!

They talk about the origins of DevSecOps and how they came to lead OWASP DevSlop, a project designed to help people learn more about DevSecOps. As leaders of OWASP Chapters in the US and Canada, they’ve both been heavily involved in building the application security community, from conferences to major community events.

0:00 Pre-Start Intro
1:15 Introduction of Nicole Becher and Nancy G
5:16 Earliest recollections of DevSecOps definitions and usage
9:30 Most important factors for building a DevOps/AppSec community
18:00 Insights on the most important topics from the OWASP DevSlop podcast
22:55 Career advice for different AppSec engineering professionals
26:20 Importance of coding in security engineering
30:20 Top 5 resources for security engineering starters
38:50 Overemphasized and underemphasized aspects of DevSecOps
45:20 Future of AppSec and limelight areas

Talking DevSlop, Starting a Security Career with Nancy G & Nicole Becher | AppSecEngineer Podcast

Rahul - Hello everybody and welcome to another episode of the AppSec engineer podcast. It's been a while since I met all of you. Let us chime in for today's episode. 

Two people that I really kind of look up to in terms of talking about podcasts and talking about things that we're doing here at AppSecEngineer. So today's one of those episodes where  we are going to really talk about the other side of Application Security, which is not the technology side but more in terms of the community side of AppSec, in terms of what goes on building a community, what goes on in terms of... what are the kinds of trends that we are seeing?

What is it that people like to see? What is it that people like to know about and much more of such interesting questions. So for those of you who've not been under the rock in AppSec, you would have heard of the OWASP DevSlop community, and today we've got Nikki and Nancy from OWASP DevSlop.

Hello. Thanks for joining us. 

Nancy - Hello, thank you for inviting us. 

Rahul - No problem. I mean, we've been talking for a while Nancy and we wanted to do this. I'm glad you kind of chimed in and thanks for joining us too Nikki. 

Nikki - Hey guys. Good to be here. 

Rahul - Awesome!!. So what are we going to do today, I was just like.. I mean...we would be like... we just talked before we started recording.  I  have a ton of questions around the whole community side of Application security right. I mean, we just started this very, very recently with us here at WE45 AppSecEngineer but, you know, one of the channels that I've been personally kind of following for a while has been the DevSlop Community and the kind of shows that you've been doing. So we are going to start off with really the kind of genesis of OWASP Devslop and what is it that you wanted to kind of achieve with the community? Where did it all start off from? just a little history lesson if you will. 

Nikki - Yeah. So the history is actually kind of a good story, you know, for about, I guess maybe almost a decade, I spent a lot of time writing crappy web apps that were, you know, intentionally vulnerable just for training, you know, for people to sort of learn their skills, test out Burp or ZAP or something like that and spend a lot of time doing that. And one of them I published, it was a vulnerable Rails app, like maybe, I don't know, eight or nine years ago, and Tanya Janca, who I think most of the community knows really well sent me an email, like an SOS email an hour before she was supposed to do a demo saying, I don't know you but all of a sudden, you know, your Rails site is down. Can you bring it up because I have a demo in an hour and I was like, wow, people are actually using this thing. I had no idea. So I got myself together, pulled the backup, you know, got it back up. But I think she did her demo. So that's how Tanya and I met. And then, you know, we were all at OWASP AppSec 2018 in Belfast.

And, you know, I see Tanya in real life. And I was like, I think you're the person that emailed me. And she was like, yeah, I emailed you. And then she's like, here's Nancy. And I was like, “Hey Nancy”. So we all sorta met like about two and a half years ago. I guess it's like three years ago now, was this 2017? 

Nancy - 2017 in Belfast.

Nikki - Yes. Alright, so that's like almost four years ago now. Wow! Yeah, my clock is off. 

Nancy - Yeah [Laughter]

Nikki - so we sorta met like that and then we were like, Hey, there's probably a lot more we can do here in terms of, you know, showing off. I think we, we tried to take that approach where it's like, you know, like... it's like demo things and show things and like show off things that can go wrong and nothing has to be perfect and we're not perfect, you know, and we sort of took that approach and we kind of came up with this idea to like, you know, build out either a tool,

a software... something, you know, and then, you know, I'll let Nancy sort of chime in here on... on her contributions to take away further. 

Nancy - Also Nikki, wasn't it that the time where we started, at least for me, I started to hear more about DevOps,  DevOps practices and that also would have triggered you and Tanya to start the project, to find the project. Was DevOps... because you called the project DevSlop , didn't you?

Nikki - Yeah. Yeah, that's true. We were like, you know, a lot of people were building out pipelines including the organizations I was working for at the time. And I was like, wait a second. I don't know if I really understand what's going on here. Like what's the pipeline. I mean, I get it at a high level but I got to implement it to really understand it.

And then it was like, Oh, you could plug in all these security features. Like, what do they look like? How does this work? How do you like get this right in a large organization? There's culture, there's soft skills. There's all sorts of things. So yeah, we tried to like get our heads under that problem and really, deeply understand what Dev actually means.

What does it mean to shift the community in that direction or the developer community in that direction? What does it mean for security? I think we felt things were changing and we wanted to understand where the puck was headed. 

Rahul - And you, and you probably seen DevSecOps move from SecDevOps to DevSecOps to Rugged DevOps.

I don't know what they call it anymore. You could call it Susie for all it matters [Laughter] it doesn't really matter anymore. It's been a while...

Nikki - Can you still hear me? Yeah, I can hear you. Yeah, your screen is frozen though, but I can hear you. Ah, I'm gonna refresh stream... I'm refreshing streaming. 

Rahul - Yep. No problem. Okay. No, I was just saying that you've probably seen the entire stream of, of DevSecOps, right, ever since it started. What was it? I mean, what is your earliest recollection of the first reference of the phrase DevSecOps? Was it 20...?

For me it was 2016 or 2015 RSA. That's when the first reference of DevSecOps actually happened. I think it was Shannon Lietz or somebody who kind of spoke about it; the first time in the DevSecOps RSA.

Nancy - I think it was Shannon actually doing the, the keynote at the Belfast, at Global AppSec Belfast. She was actually, so for me, I think Belfast was the first time I heard about DevSecOps. And I also will talk, maybe about this later, but I didn't have.... I don't have an AppSec background, right. I was curious, I was just starting my AppSec journey at that point. So I pretty much heard about AppSec and DevSecOps at the same time back in 2017.

So yeah, so that's how they got curious about DevSecOps and started DevSlop. I was new and met Tanya. Tanya and I come from the same city in Canada, Ottawa. We both worked for the government at the time and she was just starting. She was... it was even before SheHacksPurple, right. 

In Belfast, Tanya was not SheHacksPurple, yeah...{Laughter} She was Tanya Janca, yeah.. Her first, her first international talk, right. So anyway, so I was not really part of the project. I just saw Nikki and Tanya meeting and  being very excited about the whole thing and ,you know, starting the project and eventually Tanya needed help and I started chiming in and just helping in the background.

And as she worked for Microsoft as a DevOps advocate it was easier for her to create content and keep up DevSlop. But when she left Microsoft that wasn't the case anymore. So I joined the project as a project leader back in 2018. And when she actually left the leadership of the project in 20... at the end of 2019, I said okay, so we need to do either we continue consistently or we, we end the project, right.

Like, what are we going to do with this thing? And I don't know what you think Nikki, but I feel like DevSlop is also an uncommon project, right? Like it's not a documentation project. It's not a tool project. It's not a core project. And for a while, even for myself, people were asking like what is DevSlop… like I'm not sure [Laughter] we're figuring it out. But when I decided to focus on early 2020 with the show, the show module that we called and what it consists of is basically inviting a subject matter expert talking about a specific problem space and how they integrated security into their DevOps practices.

So we talk cloud security, we talk infrastructure security, AppSec as well, a bit everywhere, right. And I think that was new because the OWASP community is used to talking about pure AppSec but talking about cloud security is a bit new, talking about Kubernetes. We address a few new topics, so there's a mix of that during the show but, yeah, early 2020 was when we started doing the shows consistently.

Rahul - Right. How many, just curious, how many do you kind of remember the number of guests you've had on the show, just top of your mind or you have it...obviously you have it written somewhere, I know. 

Nancy - Somewhere I could probably count it down, but 

Nikki - I think it was like 60 back in November. So let's just add 20 now.

So maybe it's like 80 to 100, it's estimation there, but... right. Yeah. 

Rahul - Which, which also congratulations on the award with the DevSecCon Community Initiative Award, right. That was in 2020. This happened recently, right? 

Nancy - Yes. That was, yes, it was for 2020 but we received the award, you know, it was announced, I think, two weeks ago, sometime in March 2021 but it was for our work during 2020. So yeah, the year where we pretty much decided to consistently go live, not weekly, the plan was not weekly, but it was almost weekly. {Laughter}. 

Rahul - Right! No, I completely get it because like I said, we just started off doing this and there's a lot of work that goes around in kind of building a show like this,

right. I mean... and it's not just a show, it's a community. It's kind of getting, getting the topics aligned, ensuring that it's agnostic at the same time, it's something that's relevant. So I think, what do you see?  So for people who want to.... ever since the pandemic kind of hit us, right? Everybody's doing podcasts, everybody's doing a lot of these things, but what is it?

What is it that really, what is it that you think are the non-negotiable cornerstones of building an AppSec community in today's context? What is it that you think is that secret sauce in terms of really keeping people engaged? Because you can bring people in but then keeping them engaged is another thing, right. So what do you think are people wanting to really kind of have a bite off?

Nancy - I'm not sure if it's specific to AppSec, but I've definitely noticed a difference when we started being consistent. I keep repeating that because that really was the game changer, right. Not going live a week and not hearing from us for a month and a half and then coming back.

So back then we had a schedule. It was almost every Sunday at 1:00 PM; sometimes at 5:30 but we started back at 1:00 PM Eastern time. So it was a habit basically that people had to come and watch the show. So I think that was the main game changer. And other than that there was... I would say that we had

fun, you know, like we're all interested in these topics. We were genuinely interested and whether there were five people watching or twenty five or a hundred or a thousand views, you know, I enjoyed this time spent with Nikki and Tanya at the time as well as the guests talking about these topics. So a genuine interest and the fact that it's... it's a Sunday, understanding that it shouldn't be, shouldn't feel like a classroom or it shouldn't feel like a lecture.

And we're here to have fun to learn something new but not taking ourselves too seriously, but also not thinking of ourselves seriously but, you know, doing serious work like just how we took care of the podcast and being consistent with it. Those are the things that I think makes a difference.

And about the pandemic. Oh, sorry. Sorry. 

Rahul - Yeah, finish up... 

Nancy - I was just going to say about the pandemic. I think it was an advantage for us the fact that like we were already doing what everybody's starting to do now. I think a few communities stopped and like what are we going to do? We can't meet anymore. And we just kept going and we just kept going, see them catch up, kind of understanding, Oh, if everybody's doing that, we're going to, going to have to

to switch it up and that's where we started finding more guests, more co-hosts just to, to make sure that we were not.... just another podcast with guests with the slides. 

Rahul - So ironically, it's funny that the problem that we had with the pandemic though is that you suddenly had a lot of speakers who wanted to speak and now it was about having, {Laughing } having to really weed off the ones that were not interesting,

right. {Laughing} How do you say no to a lot of them because now everybody's at home and like I can speak. I can present, {Laughing} like then as community owners you need to then kind of really choose, right. So I was just curious in terms of your selection criteria. 

Nancy - Yeah. But not only that I felt like every, the same speakers were or the best speakers were going to these different communities and the same talk was in every community's YouTube channel. So, you know, something was off about that. Something needed to change so... go ahead Nikki...{Laughing}  

Nikki - I think another thing that we try to aim for is like, listen, we all like to understand that there's a lot of different tools and things you can choose from in the cybersecurity space. There's point solutions, there's new products, there's new open source products. There's, there's just a variety of things out there and I think that we learned really quickly that our audience, you know, not even necessarily our audience, I think this is definitely driven by our audience, but I think people in the security space, it's really great to watch a tool or like learn how a tool functions like in a really short amount of time. So if you're hearing all about a certain type of, you know, a tool that's out there or a security product that's out there, like, what does it actually do? You can go to the website, you know, you could get through the marketing and then try to drill into actually what it does.

But it's really cool to just watch, you know, real people in the real world trying to actually do this or implement this thing and figure it out. And you can actually learn a lot and just sort of narrow down, like, how you reason that what that tool is. So I think, we definitely focus on that learning outcome objective here which is like at the end of this hour we hope that you understand this thing incrementally better.

And I think we're really, deeply committed to like making sure that that happens but in a fun way, and, you know, listen, it doesn't always go according to plan, but we try to keep it running along that path as much as possible like really driven on, like, we want you to learn something and like it's cool to be a beginner, be intermediate, be super advanced, whatever you want, like whoever you are, but we really want you to just kind of like learn like, Hey, what is this thing?

Like I heard all about like, infrastructure as code, checking tools. Like, what are these things? How do they work? Like, I don't know. Like so that's sort of like where we like to focus on. 

Nancy - Oh, sorry. {Laughter} 

That's something I haven't mentioned a lot, when I talked to Nikki, is also the credibility. I think Nikki adds a lot to that to the podcast as a practitioner, as somebody extremely technical like the conversation that she has with her guests, right. I find that it brings the conversation elsewhere and I can even see like when she asks a question to her guests like they, they, their eyes light up because they're like, Oh, she gets it. {Laughter} right. And having that credibility. 

Nikki - It's very kind…

Nancy - No, it's true. Like you can tell her 

Nikki - We are all learners here

Nancy - No, absolutely. Like there are every speakers but when they... And it's not, you know, comparing but it's just, you know, you ask a question to speaker there. They're trying to teach you, but then Nikki comes in with a question and they're like, Oh, I'm talking to a peer, like, I'm not just trying to teach someone that doesn't know anything about my field. She actually gets what we're talking about and I think we, we get a range of different  audience because of that; the beginners, but also more advanced users and practitioners because they're like, Oh, it's not just about the AppSec

one-o'-one, it's.. it's, we're actually discussing problems that happen in real life and that definitely I need to credit Nikki for that. 

Rahul - Yeah. And I, I completely agree because that's one of the things that I loved about the DevSlop is, and, and that's pretty much something that we kind of closely relate to.

it's relevant and it's practical hands-on, right. It's not just people wheeling off theory. There's always something quantifiable that you can get at the end of that episode. And that's really something that's quite interesting. I do have some serious questions after this but before that I wanted to kind of understand who does your media package?

I'm a big fan of the post that you do one {Laughter}. So who comes up with that? Who, who, what what's, what's going on there? 

Nancy - {Laughter} Okay. You want to know the secrets? Okay.  No...{Laughing}We have, I have a great relationship with a graphic designer and I come up with concept. I give him like inspiration but I can't take credit  because he reads my mind, I pretty much tell him... tell him something and he comes up with different topics. 

Rahul - Those are great. Those, you, you never miss a DevSlop episode on your timeline. You know what I mean? It's yeah, it always is.... there's something about it that you just can't watch above, right. It always, always kind of grabs your attention and it's, it's tastefully done.

It's fun. It's vibrant. I think I also kind of really, it really kind of resonates that whole perception of what DevSlop is. So I think a huge shout out to the freelancer whoever it is unnamed. So we'll, we'll keep him as the unnamed because we don't want others kind of biting him off.

Nancy - No..But I'll add that branding was very important to the project, right.

Like it's part of the consistency that I'm talking about, right, that our posts on a timeline is recognizable. And at first, I think, that was what grabbed attention more than content. And it's like, Oh, this one project where there's a bunch of ladies talking about AppSec. That's fun. But suddenly people started listening and it became more than that but I think a lot of it started with branding and it was a way to show that we were taking this project seriously I think as well. 

Rahul - Yeah, absolutely. Cool. So I want to kind of, one of the things I wanted to do today was to kind of, if I were to consider, there was some questions that I had. If I were to kind of consider the DevSlop project to be this or rather your insights from the DevSlop  project to be something that an AppSec practitioner kind of glean as a trend if you will, so a couple of questions there. So for all these over these hundred guests that you've you've had on your shows, if you were to kind of really kind of look back and say, and if you were to kind of draw an inference to say what the future could look like, just curious in terms of where, what kind of topics are you seeing a) garner the most interest and also have, and do justice to that interest in terms of views, in terms of people commenting, in terms of engagement per se and what are the and more importantly what are the topics that garnered a lot of interest yes but don't really stand up to its engagement as much as it did with interests. I'll give you an example. In my, in my experience one example of the latter is Threat modeling, right. We've always seen a lot of interests garner in Threat modeling when you talk about it, when you kind of really, really put a lot of posts around it, but you don't really see the rubber meet the road when you actually see people adopting it and things like that, right. But I'm just kind of curious, you had this, you've had this hundred guests or eighty guests. So do you kinda topics and, and domains that you think are, are of  most interest enough  probably least interest at this point in time?

Nikki - {Pause} You want.... I'll take it. Yeah, {Laughter} I got it. So I think, you know, I think there's a few topics here that, that tend to generate more interest. I think one is just cloud security, which is a really nebulous, pun intended, term. But you know, like it's a big term, right? It is a big domain. What is cloud security?

There's a lot of different things that means. But I think whenever you slice up a little sliver of cloud security, I think a lot of people are interested. I think there's a lot of people out there that are working for organizations that are either fully developing in the cloud or on the cloud or moving totally in the cloud. So there's just like an enormous amount of interest for that domain. I think another area is bug finding and bug hunting. I think there's just like a sexiness around that where people are just sort of captivated by how this works and how they could hunt, you know, you know, either hit bug bounty programs or do their own bug bounty or bug hunting or just bug finding.

So I think those two areas, I think, generate most of the or in my perception of the, the higher engagement shows. 

Rahul - Okay. And what do you... what do you think are the topics that probably need a little bit more evangelizing or  you think it's too early or it's probably ahead of the game at this point in time.

Nikki - That's a good question like where is this thing headed? I think, you know, you know, we've talked, we talked a little bit about this. Like I think, you know, AppSec culture, security teams, the relationship between security and developers, like that's a timeless discussion that we all have, you know, as security professionals. But, I think, there's a lot of room there to engage more with developer communities and security communities to like, you know, at least tell stories on how that relationship has been improved or enhanced over, you know, different types of companies, large enterprises, small startups, etc.,

It's a lot of, you know, I think the industry matters and the company size matters. I think we do want to focus a little bit more on that. It's a very soft skill, right? So, you know, it's not, it's not necessarily a technical skill but it has a lot of technical value. Other areas that I think are interesting Kubernetes. I mean everybody seems to love to talk about Kubernetes these days, right? There's an enormous amount of complexity in there. I find myself, you know, sort of struggling to keep up with what's going on in there but, you know, really excited to learn. So I think people again are, I'm assuming they're faced with large scale Kubernetes deployments and working with them and developing on them and they're kind of like do I really have this covered end to end? Do I really know everything? Is there something I could do better? I think just normal questions like that might be things that our audience might want to see in the future. That's just my opinion though. So yeah, 

Rahul - No..sure. 

Nancy - If I go back to more of the statistics like the meetup RSVPs and the YouTube analytics, right. I would say that anything that's pure AppSec and even the foundation of AppSec like any... if you put OWASP Top 10 in the title, I know we'll have a big crowd. Like Nikk's... like Nikki mentioned also anything that's more offensive that's more sexy than {Laughter} other topic, offensive security more than defensive security. So we tried to balance that out. We are a DevOps... DevSecOps project but I do find that when we talk about apps, pure AppSec project, and beginner foundational project, that's where we attract. So that makes me think that we're not, you know, the industry is still maybe not new, but there's a lot of people just trying to get in and understand the foundation of AppSec because that's really where we get the most of our audience and yeah...

Rahul - Right. No... a great segue for one of the other questions that I had but you talked about people getting into the AppSec. One of the things that the larger objective of AppSec engineer as a brand and even for this podcast is really to kind of bridge the gap between skill and certifications in the Application security community,

right. Because there's a lot of... so one of the things  we're still seeing is a lot of career opportunities in AppSec but you're not necessarily seeing that trickle down towards actually filling those positions, right. You have... you still have a lot of those openings up there and people are still always like, you know, we still not got the right candidate, so there's always that something missing in an AppSec professional.

So, again, just leaning off of your experience of meeting people, looking at the domain and things like that, what would you... what would be your one piece of advice to a) somebody who's just starting off in AppSec and b) somebody who wants to kind of better himself or herself in the AppSec value chain in terms of learning, in terms of skilling, whatever it is. I mean, because we... we've got these two people, two personas always come back to us, right? You either have somebody who wants to get into AppSec. They could be somebody from the developer community. They could be from QA. They could be from, I don't know, DevOps or there could be somebody who is, you know, somebody who's putting like three, four years in AppSec and now they're thinking of where can I go from here? So any advice to these specific two personas of, of people based on what you're seeing in terms of trends and things like that. 

Nancy - I think that's for you, Nikki. {Laughing} 

Nikki - Yeah, so I think getting into AppSec, so this is such a hard question to answer. I think if you're coming from nothing like not nothing, but if you're coming from this is your first job and you sort of have a technology background, I think

the best way to sort of really understand AppSec deeply is to develop software and just be on the other side of the equation, right. And, and learn like a lot of these new, you know, or I guess they're not new anymore but just learn like a lot of the new web development paradigms that are going on out there and deeply understand them.

If you're already a developer and you want to get more into AppSec, I think I would say like it could help to learn other areas of cybersecurity, you know, like to help contextualize your understanding of application security. So networking, you know, cloud because all of those things like are really like, you know, we're budding up on like massive adjacencies between these, these different domains.

So I think just having that cross domain knowledge is super helpful, especially to even like identity and access management protocols, OAuth, SAML, things like that. I think all of those things kind of help well-round a developer who then wants to get more into security and a security person that doesn't have development experience.

I always feel like you should just like kind of hit, hit it from the opposite angle to try to figure out to just get more domain depth. I don't know if that makes sense, but I hope... 

Rahul - it does because there's, there's always one slide in all of my presentations, at least that I do, which says we for years bantered about developers needing to understand security but it's about time you said that the security teams need to get code, right. And we keep talking about, we keep talking about automation. We keep talking about, you know, these great things with integration but if you kind of really look at it the lowest common denominator of automation is a piece of code, right? So code times N is automation if you really kind of break it down that way. So I think it's about time that security professionals really kind of took to code because I think I, I mean, I, I completely, you know, endorse that thought and I completely get what you're saying. So it's about, it's about the really that cross-functional integration between Dev and security from a skill perspective.


Nikki - Yeah and you also are able to understand the plight. It's not the right word, plight, the journey of the developer, pressure, you know, the developer... developers are under pressure just like security people are under pressure. It may be different pressure. It may come out in different ways but, you know, just that empathy across the line there unlike who it is that you're... who is the person that

just wrote that code and what kind of pressure are they under? You should understand that if you want to be a good security professional or if you want to be a good application security professional because you're going to have to interact with them, you're going to have to coach them or, or support them and that relationship needs to work. And I think it only works if you really understand like how they work. And yeah, I agree with you completely. See it's our job to understand, you know, developers more so than I think even developers should understand security, and I think we default to developers need to understand security. We're going to turn them into security people. Are we really, is that, is that really something that'll work? I'm not sure. You know, I don't have the answers to these questions but.... 

Nancy - Not sure how relevant that is, but I think it was yesterday actually because part of my, part of what I do with DevSlop is also connect with other communities and try to find... try to make sure that it's not always the same names and faces that we see. So diversity, it's important for me. So I connected with someone from Women Who Code Cloud and she was telling me about her background; fifteen years as a developer in .NET, extremely competent and smart. And, you know, one of the first questions I always ask is do you know about OWASP? And she's like, Oh, you know, very vaguely understanding knowing what it was.

So it's always surprising, in the last three years ever since I've been introduced to OWASP for three- four years, it's easy to forget that not everybody knows about application security and even people where you would expect to know about that. And even myself like now I keep talking about application security program, but I need to remember that when I first heard about OWASP, where I work, we didn't even have an AppSec security program and that's not something new.

There are still a lot of workplaces where there's no program per se. So I feel like security also needs to communicate more and instead of, maybe not instead, but having security professionals speak at developer conferences with builders and, and instead of talking to ourselves, go elsewhere and outreach and I know that's something that OWASP has been trying to do for a long time.

I think there's still a lot of work to do there because it's hard to understand how somebody can be in a field for so long and, and have a successful career and never have heard about some, {Laughter} some very foundational principle that I'm as a I'm not a builder, I'm not a developer and I will teach them and reference and give them advice on where to find information on how to do their jobs securely, that's really odd. So I think there's something we need to change about that as well. 

Rahul - Interesting. Yeah. And I've, and one of the, I mean, guilty as charged when we kind of do make hires for, for junior positions in application security, right. The toughest questions to answer are the simplest ones, right.

So they... if somebody even to date, if somebody comes and asks me, Hey, I want to get into application security, can you give me five links that I can go through? I have OWASP and I don't... I really don't know what the other four are because, looking back, I really can't think of because our journeys in AppSec have been so organic.

It's never been, it's never been like a lesson plan, right. It's never been like, you go here first learn, learn about app... software security conceptually here, then you jump there for something else. So I don't know. I mean, do you have, like, what would your kind of five top of your mind links be for somebody who wants to get into, who wants to just read about what AppSec?

Do you have something like that? I'm just curious. It's never, it's not part of my questions today, but since we kind of touched upon it, I'm like curious {Laughter}

I know we call dibs on OWASP 

Nikki - Yeah,  you call dibs on OWASP. I think the next thing I would say is, you know, write a web app, like literally try to make your own web app. It could be like super basic, try to make a React app. I mean, I did that one weekend and WOW! You know, like like, like, I don't know. I just feel like that's how you really could start to understand like, okay, like this is the goal of AppSec, right.

I mean, it's not always website but, you know, in this context we'll just assume it is, but this is our goal. And so I don't know like how does it work? How do..., how did these people build these things? And what am I supposed to do? How do I secure this? Like what could go wrong during the building process?

And then I feel like the wheels start to turn a little bit. You have context, you're like, Oh, I'm pulling down all these packages from where, where are they coming down from? Oh, WOW! I guess that's what they mean by supply chain attacks, right. Because I don't know where these packages are coming from and then you start writing some code and you're like, Oh, I guess I could do it this way or that way.

Oh, I have to take input from something else. You know, a third party, a human, you know, maybe something can go wrong there. And I feel like that doesn't answer your question about where the five links are at all. So I'm just going to stop myself, {Laughter} but that is how I would try to walk you down here because I don't know of any other links.

Rahul - Yeah...No, but it sounds like a great answer to a possible question could have been what was the genesis of the Pixie project? Was that how it started though?

{Laughter} Do you know how the Pixie project started?

Nikki - Yeah, I, I just really wanted to learn like Node and Angular just that MEAN stack stuff. I was like, wait a second. JavaScript's really getting serious about itself. It's everywhere, right. Like what's going on? And like, I, I sort of just needed to understand that. So I was like, all right, it's actually really fun to write bad software because you know, you have to like, you know, a lot of the frameworks now are trying to like, you know, there's a lot of good guardrails in there.

And then you have to like undo these guardrails. So it's kind of cool. Like you're like, all right, how do I get cross-site scripting to execute in an Angular context? I got to like bypass a whole bunch of controls here, right. So, so you sort of have to learn that and I feel like you learn interesting things about the other side of that, the creation of security, when you're trying to bypass security. But yeah, I always just like whenever I need to learn a topic that I really don't understand, I just feel like I need to like have something that, that happens as a result of learning it; otherwise, I'm just like reading things and watching YouTube.

And I'm like, what did I just learn? I got to put it into action otherwise it's just right out of my head. Yeah. Yeah. 

Nancy - But it's true. There's no clear learning path, I feel. And I think that's something that's... I think that's what you're trying to do with AppSecEngineer, and I find that when I try to look for resources to help someone get into AppSec, I find a lot, a lot of resources and learning platforms on the offensive side of things, right.

How to hack something? You can find ten websites, but learning platforms that are focused on building and defending and building securely are very rare. And I think the number one recommended book is the Web Application Hacker's Handbook, right, which is not a builder's handbook, I would say.

And I don't have resources for DevSecOps. I tend to recommend Julien Vehent's book, Secure... I forget his book. I forget the book title, but the Julien Vehent book, I think it was one of the first workbooks that started from the beginning and taught you the foundation and how to build things securely. But other than that, I feel like we're overwhelmed with a bunch of platforms and resources on how to attack software, which is one way, but shouldn't be the only way. So, and yeah.

Nikki - It is one way. Yeah. I feel like it drums up the excitement of like, Ooh, hackers, you know? And so, yeah, but I hear you. I don't know. I mean, for some people it must work really well. And I think, you know, maybe that's how I sort of kind of came up. I was like, I guess, we're a lot older than these kids today that are learning in different ways but, you know, just sort of misusing software and trying to figure out how to misuse software. Right. So I think there is that angle where, you know, unintended outcomes might lead you down a curiosity path.

But I think to Nancy's point, you know, if we want to build like robust AppSec engineers that know how to interface with, you know, developers and, you know, all sorts of people in an organization, it's a little bit beyond like, LOL!! Look at that cross-site scripting, you know, it's, there's a lot of skill that has to happen to, to get that communication across. So it's hard, you know, and there's a soft skill aspect here that, you know, I guess we, I don't know if we even teach that ever.

Rahul - Hmm. No... I know. I always say when somebody's really draw... if you were to kind of, if you want to kind of really look at the various pieces of an AppSec engineer's roles and responsibilities, 9 out of 10 times you would forget the soft skills, but you really need to be a people person to work in AppSec because you're not just somebody who's just going to be heads down in your laptop or computer and just writing code or fixing issues. You've really got to manage people in multiple departments, especially if you're kind of working for a smaller shop, you know,

Nikki - or even a larger one. Yeah, yeah, yeah, yeah.

Rahul - People skills are... people skills are absolutely interesting. Yeah. While Nancy you were talking about learning about AppSec, I think there was a certain innocence in a Google search that we've lost because today if there's somebody who genuinely wants to say, where can I learn fundamentals about application security? There's a 90% chance that he or she is going to be routed to a SaaS platform where the market is a bid that particular search phrase and say fundamentals of application security... Yeah.... source code analysis and they'll be like, what? {Laughter} Right. So there's, there's really, so I don't think Google search would.... would help anybody get into.... could get those things, but I'm actually thinking out loud. I mean, we really don't have resources for somebody to just learn application security even if they don't want to go through programs, all that they want to do is read, right, and I wonder maybe if somebody from OWASP is watching this right at some point in time, even within the OWASP community, if there could be like... if there could just be like articles that could be arranged in a fashion for people to go one, two, three, four.

That's great. 

Nancy - I think the content is there but the learning path is not there because and I think you can see ...I just thought about this. If you're in the Slack of the OWASP foundation, you have a bunch of newbies coming into the community slack and saying, I'm used to AppSec, where do I get started? And like, if you just look at the website, they're probably overwhelmed by the amount of information because I'm pretty sure there's nothing that needs to be reinvented.

The information is out there and the links are sometimes in another Slack channel and they were sending me a bunch of links on the foundation of AppSec and application security. And they're like from 2015 and 2014 and they're still valid. So the information is out there, but where to start with..

{pause} I think you mentioned that a bit earlier is that you, you kind of figured out your path and if we don't have a learning path or direction to give and we should be able to say, okay, start there. And you might, or, you know, having modules and saying, you know, this is the type of things that you should learn and go one by one and have some more direction than we have right now because it can be overwhelming. And I'm convinced that it's not the lack of information because all the time I find gems in the OWASP website and I'm like, I didn't even know that it existed. Right. So it's there, but we, we don't, we don't point it out to people and we don't have a learning path to, to direct them to

I feel. 

Rahul - Yeah. Yeah. I think, like I said, if somebody in OWASP can just put these things together and just create interlinks in a way that people can look for it, I think that'd be great but...{Laughter}  talking about DevSecOps and Automation and things like that right. We've talked about the fact that the whole DevSecOps phrase has been kind of changed over a period of four or five years but that apart

what do you think or rather if you have more than one great, but do you, do you think there are or there is anything in DevSecOps that's a) overemphasized or b) underemphasized? Because one of the things that I kind of talk about with, my marketing or sales team is you always have the problem of DevSecOps being this castles in the air where anybody who's listening to the various possibilities of AppSec automation is immediately going to be… they're going to be sold more than what they need to be sold on. Right. They're going to be like, okay, it's gonna, it's this magic pill that's going to solve a lot of things in AppSec. Right. And, and, and so you're always kind of focusing on those really easily or easily achievable aspects of AppSec when you talk about DevSecOps and I feel that's where people are really concentrating a lot of talks on, but again I want to get your perspective of, of, of what you think is one overemphasized aspect of DevSecOps and a really under estimator or an underdog of DevSecOps that people don't necessarily talk about as much.

Nikki do you want to go first? 

Nikki - Yeah. Yeah. I think the, the Sec part is, is... I'm going to be careful with my words here, but I think the Sec part is not as automatable as we would all love and wish and expect it to be. I think we, we, we tend to fall for, yeah, we were automating everything away and it's all gonna be easy, peasy.

And, you know, it's, it's just not that simple, right. False positive rates are pretty high, you know. What tools does it have enough context? Are you triaging these bugs, right? Who's doing that? How do you contextualize that? Is that really a critical or is that a low? You know, I think there's a lot of gaps there still in how we ingest an or, or, or triage security-related data.

And I think that automation is helping but it's not like some sort of like magic bullet here, right. In terms of, you know, solving security sort of out of the box. I think we as an industry are always waiting for this, like, you know, mystical, magical bullet that is never gonna arrive. I mean, I used to think it was coming but I guess it still hasn't come in. I don't know if it ever is coming but I think there is that and I think that's just something we fall for. Iteration after iteration of security technology. Right. We somehow think that this is the thing that's going to solve it. And then we, we are like let down and then we sort of put our, you know, dust off the dirt here and then get back on the horse and then it happens again in five years. So I think that's just who we are as, as a community or maybe there's just some magical technology that really hasn't been invented yet. But yeah, I think that's one of the things that we don't talk enough about is like, what is... what can you capably and reliably automate from a security perspective reliably and consistently and, ROI that in a way that meets your business's objectives.

I think we still have ways to go there. {pause} Well, yeah, I forgot the other side of your question. 

Rahul - The other one was... other one was what is it that keep... what's working? Yeah. How do you just keep talking? It is overemphasized, right? You can't, it's just, it's not worth it. Yeah... that you're talking about.

Nikki - Yeah... I answered it, yeah. {Laughing}

Rahul - Nancy…

Nancy - Yeah. I guess what you said, we're not talking about enough. I think Nicole mentioned that as well as the soft skills necessary, that there are plenty of tools, but that work but, you know, they're not... they are not the solution and you may implement them and you might still have issues. So I think soft skills, it's processes and people are also part of, of making a solution successful

and we're not talking about that and we're, we're trying to.... to make, and it happened even on the show, right, where I'm very impressed about a tool and then I go back home and I try it and like, Oh, it's actually like there's things that don't work as well or there's, {Laughter} you know, there are, there are gaps, right? Like there are gaps, but what about that? What about my context? What about, and, and I, I used to ask and I still do, but ask why are they still trying to build another IAM tool, another cloud security tool? Why are there so many things you seem to be doing the same? Oh, we check about CIS controls and like why another one?

It's because {Laughter} I feel like everybody's trying to, they realize that they need the customized solution and it's not that easy to automate and everybody has different context that is hard to document. Right. But I do like the policy as code, everything as code trend, even if it's not a bit like the threat modeling thing that you were talking about.

We love talking about it, but I don't see it in the field as much like policy as code and things like that. I love the idea of it but I haven't seen it in my workplace. But I liked that because I feel like it's a great way for us to, to define our requirements and to make sure that we're..

We're talking the same language and that we're talking about the same thing and there's a, there's a fail and there's a pass instead of... I do a lot of document review and interviewing people for... to assess controls and I love the process, the promise of it because I feel like it would be a way for me when I talk to an engineer that were like the code would be the, the language we both speak and make sure that we're talking about the same thing because sometimes just the vocabulary or just reading a control, I'm not sure that we're talking about the same thing. So. 

Nikki - Yeah, but back to your other question about, and I totally agree with you Nancy, but back to your other question about why is AppSec so hard for beginners to get into? I think this just illustrates it. It's scope creep. AppSec is like a continual amount of scope creep, right. So now we're bringing in policy and compliance and infrastructure, right. That's all becoming code now, which is... whose job is that... is that the AppSec team? Sounds like it, it sounds like it's code. And I feel like, you know, we keep evolving the domain into something larger and larger and larger, it creates like, you know, a higher learning curve for newcomers to come in. And I think that's like on us to figure out something to, to do there. I don't know. I don't have a good answer for that one.

Rahul - yeah..absolutely... I mean, yeah, I think it's anybody's guess, but I think it is just like many things in AppSec. I think you can only kind of do like a best estimate of what's gonna, what's gonna happen and, and one of the things that I get asked a lot which I'm going to kind of put on you is if you were to consider the last decade as the decade that gave us AppSec automation, put application security as it gave a prime time in product engineering if you will right? If, if, if that was the decade that was last. What do you think resides for AppSec in the next five years? What is your hunch in terms of where... what's going to be the next big thing in AppSec? Is it learning? Skilling? Is it, I don't know, things like more tooling... more or now that we have tools.

Is it something around managing vulnerability? So where do you, where would, where would you put your money on the AppSec poker table?

Nancy - Want to go first, Nikki?

Nikki - Sure. I think, you know, I guess you could divide this up into, there's going to be technical problems and then there's going to be, you know, sort of the people problems of AppSec or just building the AppSec career. I think some of the technical problems probably are going to center around, you know, expansion of things like Kubernetes and more of these cloud native orchestration frameworks that themselves have an enormous amount of complexity within, right. They're machines within machines, within machines and we went pretty deep there.

And then I think there's, there might be other domains that sort of brush upon like application security, like, I don't know, data science areas and machine learning algorithms and how do you validate that stuff? And is there an application security component there? Can that data be misused or, you know, or, or can you feed bad data into a model? I think there are some challenges. At least I have been looking at that in my professional, you know, workplace, like around that area and trying to figure out, well, who's responsible for this. Is this a data science problem? Security problem? I don't actually have an answer for that one, right. So I think that there's going to be some good technical challenges coming up in the domain and I think we're going to still live with the fact that we continue to expand this domain, right. And we're trying really hard to keep newcomers attracted to the field, right. But we're not that skilled at creating a good environment for newcomers to the field to feel welcome, to feel, you know, like it's okay to be a beginner, you know, it's okay to not know. I think we still struggle with that stuff in InfoSec more broadly, which is, you know, the arrogance of InfoSec, right.

And, and, you know, so, and I think that that's a challenge and that's a, it's a problem for us as a community. And we have to, I mean, if we were so great, like, you know, we wouldn't have all these stories to tell that have happened in the news over the last like 10 years,

right. So obviously there's a lot to learn here. So I think it's a, it's a, maybe this is the decade where we kind of learn those lessons and maybe create a more welcoming community. 

Rahul - Interesting. Nancy…

Nancy - Yeah... I don't know if it's the future, but I liked the idea that... like, yes, education and learning and understanding is, is important, but sometimes I kind of feel bad for developers. I feel like we're trying to put so much into their... the load is getting bigger every day and the amount of information that they need to know to do what we want them to do is.... I'm not sure if it's reasonable, and I'm just talking security, and I think they have pressures from other areas as well.

So if we can give them tools that they can be creative and do what they want to focus on which is create and be creative and, and, and build, but give them tools that make them do that securely from the start. So all the secure default and their roadmap, the paved road tendencies, I really liked that because sometimes I do feel bad about how much do they need to know {Laughter} to just do because at end of the day, they have a product to deliver. And I don't think it's reasonable for them... for us to ask that they know so much and put that on just one individual and then ask them to, to be faster and to be first to market and things like that. So to better building tools that allow them to build securely without security have it to be top of mind because it's taken care of for them. 

Rahul - Right. I think interestingly, one common emotion that both of your answers gave. It's quite interesting. It's not a technology, a decade of technology. It's probably going to be a decade of empathy more than anything else. Right. It's probably just going to be that. Just, just give people a break. Right. And just, just kind of just, just be more... just have more empathy I think; developers for security, security for each other. And, and just, and back to what Nikki said back when we started off the show, gone are the days where you could evangelize AppSec by evangelizing fear, fear-mongering does not work anymore. Right. It's not just about attack, attack, attack. It's people really want to know about, you know, it's, it's, it's not like selling insurance anymore. I mean, selling insurance has become more subtle these days, so I only can imagine AppSec being something more interesting. So I know we are almost at the end of the show. I want to kind of ask you one and this is again I'm not sure whether you had the opportunity to say this in any of the other platforms, but for people who do follow and I'm one of them who do follow the OWASP DevSlop Community, what is on Nancy and Nikki's mind in terms of next big things for the community? What can we expect in the next ....and which we're still in March? So what can we expect over the next few months? What do you want to... what's new? What are you going to continue doing or things like that ? 

Nancy - We are working on some stuff; Nikki, go ahead. {Laughter}  

Nikki - Yeah, we had our builders CTF about a month and a half ago. And I think they're looking to do more of these types of CTFs where you can, like, it's a CTF but you're building something and you're learning along the way. And we're trying to figure out like how to do that at scale and or at, you know, at our scale and how to, you know, get the community to feel like they're actually learning something because I'm really like deeply committed to that. The goal at the end of this, you committed your time, you're going to learn something. Right. So we liked that format of like builder's CTFs and we want to kind of continue down that road. So.

Nancy - Yeah, that's definitely, that's been something new. We only started at the end of 2020 and I'm loving it. Like it was we, we didn't know it... it's new like DevOps CTF, a bunch of people were like what are you talking about?

I've never heard about that. And the security space has taken, you know, ownership of CTFs, but we're kind of taking it back and saying, Oh, we can use it for learners as well and for builders as well. And it's been, the last one we had on Kubernetes and it has been over two days and it was great to see people committed and spending hours on the solution. So we want more of that because that's what, that's what they want. That's the feedback we got as well. Something I'm focusing on that... it's just building connections and relationships with other communities and as a developer community outreach, like stop talking to, to ourselves. {Laughing} Yeah. It's the people that are building and don't know... people that I think should know about OWASP and... are the builders of our software, but have no idea that we exist. I think that, that shouldn't happen and that they should be aware that we're here because I do think that the OWASP has a lot of resources and the information is there. It's just to make it accessible and maybe digestible, change the format, change how we present it, but the information is there.

Rahul - Awesome. Sounds, sounds about... sounds really exciting because, like we said, DevSlop is not a typical OWASP project, right. It's not, it's not content in the way that you'd expect in an OWASP project. It's not a tool. It's really a resource presented in a different format in a, in a very, very interesting and encouraging format.

So, but those of you all who have still not checked out the DevSlop project, please do so. Thank you Nikki and Nancy for participating in this podcast, as always a pleasure to talk to you both, and I look forward to more exciting episodes.

Nancy & Nikki - Thank you. Thank you for having me. Thank you for having us. Thanks for having us.

Rahul - Thanks, bye..

Source for article
Abhay Bhargav

Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA. He loves golf (don't get him started).