We Hack Purple Podcast

We Hack Purple Podcast Episode 65 with Frank Cipollone

January 27, 2023 Tanya Janca / Frank Cipollone Season 3 Episode 65
Show Notes

In this episode of the We Hack Purple podcast, host Tanya Janca met with Frank from Phoenix Security in the UK! We talked about his latest white paper, ‘SLAs are Dead, Long Live SLAs!’, how AppSec folks aren’t necessarily ‘great’ at maintaining their own SLAs, and how to empower a team to do their own governance and be responsible for their own risk. We talked about how to figure out the security maturity model you are looking for, and what kind of language we can use to help a client decide it for themselves. We also talked about how to get several industry experts to work on the same document together: spoiler alert, it’s hard! Listen to hear more!

The White Paper: SLAs are Dead, Long Live SLAs! Data Driven Vulnerability Management

Frank’s Podcast: Cyber Security and Cloud Podcast

Several MORE White Papers from Phoenix Security:

Priority: https://phoenix.security/whitepapers-resources/vulnerability-management-in-application-cloud-security/ 

Vulnerability management and regulation: https://phoenix.security/whitepapers-resources/whitepaper-vulnerability-management-in-application-cloud-security/

Upcoming Webinars with Frank!
16/02 - 4 PM GMT - Brook Schoenfield - SLA, application security and data driven programs: https://youtube.com/live/dfANH8WKavY?feature=share

22/2 - 5 PM GMT - Chris Romeo - Data driven application security programs, how to measure maturity and scale: https://youtube.com/live/wqlC-cClqYE?feature=share

Frank’s Bio:
Francesco is a seasoned entrepreneur, CEO of the application security risk-based posture management platform Appsec Phoenix, author of several books, host of the multi-award-winning Cyber Security & Cloud Podcast, speaker, and known in the cybersecurity industry and recognized for his visionary views. He currently serves as Chapter Chair UK&I of the Cloud Security Alliance. Previously, Francesco headed application and cloud security at HSBC and was a Senior Security Consultant at AWS. Francesco has keynoted at global conferences and has authored and co-authored a number of books. Outside of work, you can find him running marathons, snowboarding on the Italian slopes, and enjoying single malt whiskeys in one of his favourite London clubs.

Very special thanks to our sponsor: Phoenix Security!
Phoenix Security ingests data from any security tool, cloud, or code, correlates vulnerabilities, contextualizes and prioritizes them, and translates them into risk. The Phoenix algorithm selects the subset of vulnerabilities most likely to get exploited in the next 30 days, delivering them to the engineers' backlog.
From code to cloud, contextualizing and prioritizing enables security engineers to act on the risk that matters most without burning out.

Join We Hack Purple!

Join us in the We Hack Purple Community: a fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge!

You can find We Hack Purple Podcast, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

Transcript

Tanya: Welcome to the We Hack Purple podcast, where each episode we meet a new person who is part of the information security field, but usually, quite frankly, appsec. I just want to talk about application security! I'm Tanya Janca, I am your host as usual, but today I have Frank from Phoenix Security, and our sponsor is Phoenix Security, so what a coincidence. Will you please introduce yourself, Frank?

Frank: I'm Frank, or Francesco Cipollone as my mom used to call me, Franco to friends. I've been in security for quite a long time, doing a lot of different things. I started my career as a developer, then moved into infrastructure security when it was still uncool and you still had to configure servers and other stuff, and then moved slowly and gradually to the cloud from the very early days of configuring Azure and other stuff, and cloud security, and then back full force into application security, and then trying to combine the two. So here we are, talking about appsec once again.

Tanya: Yes. So Frank and I have been friends for quite a while, and, oh yeah, I'm Tanya Janca. I'm very bad at remembering to tell people who I am. I'm the host, I'm old news, you all already know me. So Frank and I were talking and he said he wrote a white paper, and I was like, tell me more, and then we were talking and talking about it, and then it was like, well, what if you just came on the podcast and told people about it? So first: you wrote a white paper. White papers are hard to write, but somehow you managed to get all these different people from the community to... So can you tell us about how you did that, exactly?

Frank: I think every time I put something together, I think, wouldn't it be so cool if somebody wrote a section of it? And there is a good part and a bad part. Let me start with the good part: you get a lot of different perspectives on a white paper, on a piece of paper. And the bad part is that it grows inorganically, and you need to add a little bit of cohesion and create a single voice on the white paper, because otherwise it's just a bunch of stuck-together articles in sections. But it's really cool, because especially right now I think we are at the cusp of something different. We are seeing application security really flourishing, application security and cloud security, with a fantastic discussion around contextualization, or how we can really do application security better, because just fixing stuff consistently doesn't work anymore. And that fundamentally sparked the discussion of, all right, so how do we do better vulnerability management in application security, but most importantly, how do we manage and measure progress? And all of a sudden all of us in application security just said, we need to be the best and everybody needs to be the best, and having that conversation, slowly but surely we realized that not everybody's at the same level of application security, at the same maturity level. There is a maturity scale, and not all the measurements are actually fit for purpose. So we said, okay, now we need to write something. We need to write about maturity and different levels of maturity, and what works in the early days and doesn't work in the later days, and vice versa. And then we started seeing some patterns, because we started saying, okay, how do we measure how we fix stuff? SLAs, or service level agreements, are the most common thing, and in security it's how long you have to actually fix something. And then we started thinking, well, appsec has this measurement, operational security also has this measurement, and what is the difference? And then we started debating, okay, maybe there are some consistencies, so let's add operational security to the mix as well, because it's still part of the same vulnerability management life cycle. And something that was seven bullet points on a piece of paper and a lot of ideas turned into 40 pages of a book. And there's a good and bad part, I guess, on the white paper, but it took us eight or nine months to put it together, because we wrote it, we rewrote it, we divided it in three sections to actually govern all this mass of knowledge that started growing. But in the end we managed to put it all on paper in a coherent form, in a flowing form, that I think I'm really proud of, because it's really hard to write collectively, collaboratively, but most importantly to write about a subject that is so complex and has so many facets and areas that people get wrong.

Tanya: I feel like working with other people when you create is kind of wonderful, because they have all these great ideas and different experiences that they can share, but I also find it kind of awful, because I'm like, why is this taking five times as long?

Frank: Yeah, in open source and in writing, everyone navigating their own time, you can be really strict on things, or, you know, you can... but you can't. You need to be subtle, and like, please, please, please get these reviews in.

Tanya: Yes. And it's okay. You manage service level agreements, or you talked about service level agreements, SLAs. I don't know if you've noticed this, but I think you might agree: us security folks will say, you know, the SLA says this will be fixed in three days, blah blah blah, but then when it's us being on time with stuff, we're not as good sometimes, right?

Frank: We're not scalable. I think we're not scalable, and I think the conclusion that we reached when we were talking about SLAs was: we detect something, but we don't know the impact of that detection, so we say you shall fix things in X amount of days, but not all those things are actually the same. And I think in operational security we get it a little bit easier, quote-unquote easier, for whoever is listening. The effect of applying a patch could be straightforward, could also be disastrous when you switch a framework, when you upgrade Apache, for example, or you swap a virtual machine from one Java version to another Java. So it could be quite disruptive, but most of the time it's kind of well tested. Now, in software security it's a Wild West, because there is a lot more stuff that can get deprecated, the unit testing, that traditionally we don't see in patching; it's much broader. And the reason, I think, is the rigor and governance and need to fix that we have in operational security: we've been living with patching, with fixing things, for quite a long time, and there are two or three frameworks, like PCI DSS, SOC 2, and other frameworks, that dictate how long you should take to fix certain things. So overall, as security and operations, we're quite well used to Patch Thursday of Microsoft, or when we release things. I mean, in appsec we don't have the equivalent, so it's like telling developers to actually change mentality, but in application security we haven't had that mentality, almost ever. And I suppose the funny part is actually seeing how operational security got used to certain things that are perfectly applicable to application security, but also how difficult it is to adopt the same concept, because there is resistance from the developer world to adopt new things. As humans we don't like to change the way we operate. Also, on the other side, we developers are not encouraged to fix stuff unless there is business buy-in. But the challenge is, how do we talk to the business about problems? I think you have fantastic stories about that.

Tanya: I have a whole bunch of stories about that. I was thinking, though, whenever someone says "we'll just patch it", when they use the word "just", to me it means they don't necessarily understand the level of complexity. Like you were saying, if it's a piece of software and it has a dependency, well, that dependency might have eight other dependencies underneath, and those have 12 more underneath those, and it could be that you have to re-architect your entire application, or rewrite certain parts, or remove giant parts. And I think that level of complexity just isn't acknowledged when you say, oh yeah, just patch it, just fix it, just upgrade.

Frank: Well, I think upgrading a library is probably, I'll go out on a limb, probably the easier part. But then the challenge is you have the ripple effect of all the dependencies, and the challenge as well is those dependencies might be on a piece of code that has been built and nobody has even touched anymore, so nobody has knowledge about that piece of code, and that has ripple effects that are hard to get. Well, in patching we don't see that many effects like this, because we get a package, we upgrade it. Maybe the equivalent I can think of is if a system is not maintained anymore and, you know, you don't want to touch it. You leave it there because it probably works, until it tumbles over. It kind of can't stay like that.

Tanya: I agree. I want to take this brief moment to thank our sponsor, and our sponsor is Phoenix Security. And Frank, since you're actually on the show while you are the sponsor, can you say a word about Phoenix Security, just like a couple sentences?

Frank: Yes. I think our philosophy is to help the human aspect of application security. We are trying to help both aspects, in both areas, from a developer perspective and from a security perspective, not getting burned out. And the way to do this is to select what really matters, what are the vulnerabilities that really matter, by contextualizing vulnerabilities, looking at what is run and where you run it, and as well connecting to the third aspect, that is the business. So how do you translate all these very, very complex problems to the business, to a business persona, and go there and say, we have this risk profile, we have this potential impact, can you let us focus for the next couple of sprints, for one sprint, you decide, to get to this level that as an organization we agree on? And creating that line of connection is really, really important for us, for a single reason: we don't want security burnout, and we don't want people to fall out of this industry, because it's already so hard to get into. And that was my why, why I started Phoenix Security. So as a tagline, we are contextual risk-based vulnerability management from code to cloud.

Tanya: Oh, that's a really good tagline. I like that tagline, that is very attractive. But thank you. Speaking about that, though, it leads me into one of the things you covered in your white paper that I was excited about. You talk about, and this is a thing that I talk about constantly when I work with clients, the maturity level they want to meet. So, like, what security assurance level or security posture are you looking for? How do you approach that in the white paper, or how do you approach that in general?

Frank: Well, I think in general it's more about against whom you want to defend, like which threat you want to defend against. And in the white paper we tackle that at the risk level: what is the risk level you want to be at? That is not entirely considering the threat that you want to defend against, because certain threats will be almost impossible to defend against. You want to defend at NSA level against nation-state attackers? Yes, do you have a nation-state attack budget, which will actually put two or three, four companies in control, and then an operational team that reacts in a millisecond? Probably not. Probably you want to scale it down and probably defend your business against script kiddies, and, well, for who doesn't know, script kiddies are people that can just download things from the web and just launch an attack with Metasploit or other tools. Those probably occasional attacks, plus some targeted attacks, is what most of the business will be facing, unless it's national critical infrastructure, where in that case they might be targeted. And the other side is, okay, now you decide the risk level you want to be at: how quickly do you want to recover from an attack? That I think is cybersecurity resiliency. So if you get ransomed by someone, do you have a backup that you can restore? Or do you get a service knocked down, or do you get a ransom, or the leverage of a vulnerability on a service that gets knocked down, can you scale it, can you swap it, how quickly can you do it, how quickly can you get back to operation? Those are, I think, the two faces of the same coin: one, to not get attacked, and the other one, to recover very quickly. And sometimes as a business we focus on one and we forget the other one.

Tanya: I have worked at so many places where I say, well, what's our business continuity plan, or do we have a disaster recovery plan, especially when working with governments. If something happens, what are we gonna do? And I remember one of the directors saying, oh well, I'll panic accordingly, and I was like, no, we need a plan. And he said, well, I'll just resign, and I was like, no, quite frankly, if I was your boss I'd just fire you if that literally was your plan, like, oh, I'll just abandon all hope. I'm like, no, there might be an emergency someday and we have to be ready for it. And when I worked in the government I got to see disasters, and sometimes they went really well and I was really impressed, and sometimes they didn't. So when you're talking about it in your... I have so many questions about maturity level. Does the white paper give any... And for everyone that's listening, just to be clear, obviously in the show notes we're gonna have a link to the white paper, we're gonna have a link to all the things that Frank talks about, because I don't want you to be left out. So if you're panicking and you're driving your car somewhere, you're like, oh no, where will I get the white paper? You'll get it, don't worry. But in the white paper, how do you get them to decide the maturity level, or are there approaches for that, or is there any advice, maybe, that we could give our listeners?

Frank: Questions. I think what we try to keep... we try to keep it simple, because you can have endless questionnaires, but then nobody replies. The questions are, you know, do you even do pen testing? Do you do code scanning? Do you assess any threat? Like, four or five questions like this get you very quickly to a maturity stage, or to where you don't have any maturity, and then, you know, you can even report to the board or to the rest of the business: we have X number of vulnerabilities, and that's perfectly fine. I think we're demonizing a lot reporting based on severity and vulnerability, and I'm guilty of that myself, because I said we shall report based on risk. It depends, actually. It depends on the stage of your maturity level, or the stage of the organization. Not because... I mean, if you get on the journey of risk, that is not that complicated, and we make it very complicated for some reason in security, but it's actually not. But I'll talk about that later. But there are maturity stages in the maturity journey. Even if you ask, do you have an appsec person? You know, that could be a determination of where you are with the program or not, in that particular case. Or do you do any threat assessment, threat modeling, any pen testing? You know, those are simple questions that you can answer, and if you reply yes to many of them, then probably you're at a higher maturity level. I think we go up to maturity level four, and then you get to the enlightenment of this maturity level higher than four. I mean, we have a couple more levels. We started from zero, for some reason.

Tanya: Seven levels. Some companies are at zero, Frank. I do meet with companies sometimes and they have made zero application security efforts so far, and some of the companies are larger companies, where they have way more than 500 people and they have, you know, 20, 30, 40 devs, and they literally have nothing. And so I like that you give them a place to go, because quite frankly, sometimes I'll start the call and the people seem nervous. It's like, I'm not here to judge you. If you're here, you want to make it better, so you and I are on the same page with that. So let's find out how we can go from zero to one, and then plan for one to two, etc. I really like that you have a level for everyone, even if the level is "welcome". [laughs]

Frank: It's because we realized that we're very judgmental as security, and sometimes we say you shall do this, you shall do that, without recognizing that even a small percentage of improvement is better than, you know... A ten-thousand-mile journey, and ten-thousand-mile journeys start with a single step, one in front of the other, and that's how you get the momentum. But also I recognize that not all the teams are at the same maturity level. You might have teams that have a security champion, or there's a DevOps person in the team, or somebody security-minded, and sometimes they have absolutely no clue where even to start. And that's why I really like the ending, or the second part of the white paper, where we talk about security OKRs, and when you do risk-level vulnerability management across application security or operational security, that's really powerful, because each team can self-govern. You can define a strategy as a business, saying we want to be at this risk level, and then every team can self-govern and can decide, okay, maybe for two sprints we're not going to deploy any security fix, any security patch, because we need a release in X amount of days, otherwise we might lose that market opportunity, whatever. But in that way you compare security risk against operational risk, against business risk, and it's the same risk. We try to make it different, but it's actually the same risk, and business people are paid well and are well trained in actually evaluating risk. So if you communicate with a business owner about "this is your risk level, you are responsible, you are accountable for it, we help you go faster", it's a totally, totally different topic of discussion, rather than going in there and saying, you have an SLA, you need to fix all your critical vulnerabilities in two days, and by the way, the clock already started ticking two days ago. Ah.

Tanya: Yeah, that's not security that's gonna work. It's not gonna work. So there was another thing in your white paper, I know I'm asking 100 questions, but there's another thing that I liked, where you talked about, and I like the way you worded it, how can you empower a team to do their own governance and to be responsible for their own risk. And so I want to highlight enabling them, rather than yelling at them or telling them how wrong they are or giving them a 100-page policy that makes no sense, but actually preparing them and giving them the knowledge and training they need so they can do that and actually be responsible for their own risk. Can you talk about that a little bit?

Frank: Yeah, and I'll tell you even better, a story, because I lived through it. I lived the mental shift, the shift in the eyes of the business and the developers in how they look at security. So I've run multiple programs, and fundamentally Phoenix, and a lot of the things that I write, is trying to distill a lot of this knowledge on what I learned, what we did wrong, and what would be good. And when we were reporting, of course, vulnerabilities by the numbers and pushing SLAs because that was the policy, we had consistent fights: we don't have time, and maybe prove to me that this vulnerability is actually hackable in my home. And then I had my security champion team spending three days trying to figure out if there is an exploit available, how bad it is, let me do a proof of concept. It went back after two weeks of development and they didn't even remember having that conversation. Well, when we started empowering each team and saying, okay, we have measured, you know, by your code base, your libraries, based on where they run, that your current state is this risk level, and the organization has decided to be 10 below that risk level, so at your current speed, your current rate, it'll take you, I don't know, 10 days, 50 days, to fix the amount of vulnerabilities we want you to fix. But having this insight, having looked at your code base or your vulnerabilities, you have, I don't know, 50 cross-site scripting that you can solve, or 50 input validation issues that you can solve with a simple open-source library that does input validation for you, and maybe there will be some exceptions, but with one upgrade, or using this in the code, you can fix 50 vulnerabilities at scale. Happy days, you can go back to doing your job. All of a sudden they started welcoming us in every sprint, in every sprint planning, because we were helping them hit their own goals faster. Because all of a sudden we had this, they were calling it the steering committee around vulnerability management, that was setting risk targets for each line of business, and then those cascaded to each business owner, and as a product owner you start saying to your developers, this is one of the scorecards, one of the things that we're going to get measured against. All of a sudden it wasn't security dictating things or specific stuff, it was empowering them to decide what to do, when to do it, and then maybe raising an exception, and an exception was risk against risk. So it was a much more flexible and fluid way to treat security risk, in the way it should be. And then the security champion team was coming in there as a hero to help them achieve faster and get to their goal faster, so they were welcoming us, instead of six months before, when they were fighting us to death. And it was a total, total shift. My security champion team of eight guys regained their passion for actually doing security. They were helping people get better, not bashing them on the head to say "you're an idiot", and sorry for the word, "you need to fix vulnerabilities because they're bad". They were actually helping them achieve their objectives faster and in a smart way. It was a dramatic change.

Tanya: I love that. There's so few happy security stories, I know, right? Maybe I should add that as a feature to the podcast, like, tell me a happy security story where something good happened and you were like, that was awesome. I love this. I really liked the positivity, and I like how in the white paper it's "we can do this", like, you know, here's things.

Frank: Actually, by the way, I have that rule in my podcast, to actually close on a positive message. It is the rule for every guest to close on a positive note, because security is tiring and it can be mentally draining, it can lead to burnout. I've seen tons of burnout in my teams, and it's painful. It's because I think we have a lack of communication, and we do things over and over without thinking about how to make them better, because we have so much work to do, and sometimes we're two people rolling a square stone without thinking, well, maybe let's hold on a second, maybe let's make it round and let's work in a smart way. But that requires two things: stopping for a second, which is scary, and business support that will actually say, let's stop doing the things that we were doing yesterday and let's do something new and something innovative and something more clever. It's hard, no?

Tanya: It's hard. I hope our listeners and our viewers are like, yeah, a happy story where it worked, we can do this. So I am supposed to wrap up with you now. So there was a surprise that you have for OWASP members?

Frank: Yes. So we released, we actually released in January, this month, version 3 of the platform, and we have a historical cooperation with OWASP, because we are where we are with the platform because of all the help. So to all OWASP members we want to give an extended license to actually test the full-fledged platform with unlimited resources. So we're gonna reach out to all of them with their freebies to actually use the platform and get the ball rolling with their application security program, even if they don't have any security tool. We offer them the ability to actually plug in their clouds, their GitHub, doing web assessment and web DAST assessment with our orchestrators. So we give even a startup that doesn't have any security knowledge or any security tool the ability to actually get going with this methodology and enterprise resources at zero cost, because we want everybody to be a little bit better off from an appsec perspective and be a little bit happier to do appsec.

Tanya: So anyone that has followed me at all knows I love, love OWASP. I'm such a huge fan, so if you are an OWASP member, take note. And also you get a license, I believe, to SecureFlag, and there's a couple of other things too now. So it used to be you became a member and you got literally nothing, except you could say "I'm a member", and then you have 50 fewer dollars, or if you're a lifetime member you have 500 fewer dollars. But now you get things for being a member. And so, Andrew van der Stock, if you're listening: everyone, become an OWASP member. It's roughly fifty thousand dollars or seventy thousand dollars' worth of freebies right now.

Frank: Oh yeah.

Tanya: So for people who don't know what OWASP is, it's the Open Web Application Security Project. It is a gigantic community online, there's an international non-profit foundation, and they organize a bunch of stuff, like OWASP AppSec, which is happening next month in Dublin, and I'm one of the keynotes and I'm ridiculously excited. They also have chapters all over the planet, including in Victoria, BC, where I live; in Ottawa; where Frank lives, in London, UK, in London, UK, not the London... UK; and in over 300 places around the world. We have open source projects like DefectDojo, and they just do awesome stuff. And if you haven't heard of OWASP, I suggest you go to owasp.org and check it out, right after you visit our sponsor, Phoenix Security. And with that, security, it's actually easy, it's super easy, we made it... Got security. And Frank, is there anything else that you want to promote or share or talk about before I wrap up?

Frank: Yeah, we wrote other white papers. You actually contributed to the early book, where we described a few things about how to get an appsec program going, and we wrote another couple of books on contextual vulnerability management, so how to translate fundamental risk and vulnerabilities with context, and how that gets you better off at prioritizing things, and what are the regulation frameworks that you can leverage to actually push your vulnerability management program to the next step. And I've learned a lot about appsec, so if you're not sick of appsec, I also have a podcast running that is called the Cyber Security and Cloud Podcast, or CSCP, that is available everywhere, or at cybercloudpodcast.com. You can find us.

Tanya: Awesome. This is fantastic. Listeners, I'm gonna have a link to everything Frank said, so you don't have to go try to search the internet for it and find random things that aren't as good. Thank you so much to our sponsor, Phoenix Security, and Frank. Thank you, dear listener and viewer, I really, really appreciate the support you give We Hack Purple, and with that we will see you next time. Let's say bye, Frank.

Frank: Thank you so much. Stay safe.