Host Tanya Janca Learns what it's like to be a Security Architect, with Barbara Schachner! Barbara is a Security Architect at Dynatrace. She has spent half of her 15 years of experience in the security industry on the defensive side and has built and led the Red Team at Siemens.
After moving to the defensive side, she has worked as a security officer at Siemens before joining Dynatrace where she is passionate about working with people to find easy-to-use but reliable ways to improve security in architecture, code and #devops workflows.
Thank you to our sponsor Thread Fix!
Buy Tanya's new book on #ApplicationSecurity: Alice and Bob learn Application Security.
Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/
Join our Cyber Security community: https://community.wehackpurple.com/
A fun and safe place to learn and share your knowledge with other professionals in the field.
welcome to the we hack purple podcast where each week we interview a different member of the information security industry to learn what it's like to do their jobs cyber security has so many cool different facets features all sorts of different types of things that we need to do to protect people as well as the systems and the data that we represent and so i'm your host tanya jenka and this week we are going to have barbara and she is a security architect i'm very interested to hear all about this as you might have known the several the last several few weeks we have been sponsored by thread fix who are powered by denim group and we really really appreciate their support but without further ado you're probably all thinking the same thing tanya stops talking and bring on barbara well here is barbara thank you so much for coming on the show barbara tanya thanks a lot for having me on the show i'm very excited to be here thank you for saying yes so you are a security architect can you tell me what that's like or like what is a security architect do yeah actually i'm a security architect but i'm also the team lead for security architecture and testing so like in 40 of my job i'm doing security architecture topics where i discuss a lot with developers software architects and product managers about the features they are building and new services they are introducing and i tried to put on my hacker's head and try to understand how the things are going to work and i try to find the things that need to be improved so that the things cannot be that easily hacked and then in like 30 of my job i'm doing um the team lead um topics where i'm working with my team on on improving topics and the rest of um like 30 i'm also contributing to improving our overall product security program so like i'm looking at our vulnerability handling workflows and see whether we can improve anything i look at our vulnerability kpis to identify topics where we have let's say bigger issues that we need to work on and yeah that's actually my job that's awesome i've never had a chance to work somewhere where we had a full-time security architect so that especially when i was at dev that would have been amazing to be able to say like i'm building this app um is that okay so it would be so it would be really nice to be able to work with someone that actually can show me the way um it's always been like figuring it out a lot on your own and having a resource like that sounds so valuable so if you were going so what is a day like in the life of an a security architect like do you you know have to make lots of phone calls do you go lots of meetings do you sit there just whiteboarding things and and throwing stuff or what do you do day to day yeah so basically the nice thing but also challenging thing of the job is that you know no day is like the other so when you come in the office in the morning you never know what what is waiting for you so typically the first thing what i do in the morning is i look whether anything urgent or important has been coming up over the night or in the morning so i take take a look at current vulnerabilities and our dashboards emails whether there's anything that needs immediate attention um yeah and if there is something then you know you just handle it um accordingly and if there's nothing yeah i can start my day with you know a little bit of socializing with the team uh in the mornings we have several stand-ups i have a stand-up in my team then we have stand-ups with the different security teams to exchange on current topics and i'm also attending a stand-up where it's about the current state of our production system and whether there's anything from security side that people should be aware of yeah and then i also use the morning hours rather to sync with my team and have one-on-ones with the team and then the afternoons i typically yeah i have a lot of meetings so so there's different ways i like to interact with the teams so on the one hand there are many people coming up with questions as you just said as a developer you would have liked to have someone to talk to so yeah it's just many people approaching me and and scheduling meetings like half an hour or an hour where they just want to talk about what they plan to do and they want to know is this okay have we thought about everything that's needed or is there anything else we need to take care of um yeah so that's a lot of the time i'm spending but then i also have some teams where i know they are working on very important and very security sensitive features so with those teams i interact in a more constant manner i regularly attend for example their review and planning meetings so that i know what topics are coming up what have they done in the last sprint is there anything is everything okay or is there anything where we should dig deeper and then i also have other teams where i just think like on a monthly basis and either with management or team leads or architects where we have maybe a list of topics that we want to work on over time and we regularly take a look whether the priorities are still the same how things are progressing and whether they need some kind of advice on any of this yeah that's the difference that's the different ways of interacting with people so my calendar is is typically pretty much filled with meeting but that's also the part of the job that i really like very much that you can talk to people and that you can also see when you explain things to them to them about risks and why they should do things in a different way you also get good feedback back and you see things happening like security improving and that's really a cool feeling oh that's awesome when i so i was at dev for a very long time and then i switched over and i was a pen tester for a bit and then i switched to application security and application security you spend some time doing code and hands-on things and other times with people and when i was a pen tester it was lonely i was like i need to speak to other humans this sucks and so i love this idea of you need to kind of be a social butterfly a bit to be a good architect i like this i like this because they need your brain this is good what type what types of personality traits do you think someone needs to do your job well like do they need to be a good listener i think first of all you need to be very curious you need to have a drive to understand how things are working why things are working well why something is an issue how you can do it better and also you always should think a step further you know like if you have a finding on a certain area you can fix it on that one place or you can look further and think about well what's the root cause it's the root cause a technical problem is it maybe a management timing resource problem that's also something you need to address uh or if it's a technical problem can we solve it in another way which makes it more reliable like when also in the future people change the code again that the problem doesn't happen again so i think curiosity is is very important but then also as you already said things like communicating and listening so i think empathy is is very important um you need to to try to understand you know also the pain of the people like developers have so many things to care about and security is just one of them and if you think their security is their um most important topic every day then yeah you are not meeting them where they are you know yeah so you have to understand their pain and you know there are maybe times where you can stress more on topics and there are other times when they are under a lot of pressure um but you have to think whether some topics maybe can wait for for a while until till you do that and so i think for that you have to listen of course very well you have to talk to people you also have to listen a little bit between the lines i think um there are also things that people don't tell you and or people are not saying and that can also mean there is an issue there you know you you also need to to build a trustful relationship so that they are telling you those things yeah um which which makes it much easier to to work on security of course you have to be a good communicator so you have to be able to explain them why they have to do something so my experience is if you can make people understand why there is a risk why it would be better to do it another way then it's hardly a problem then that they take care of the topic but only when they don't know why they should do it and it's just you know like the 50th entry in an excel file they have to check then then it's hard to get them motivated yeah so i think it's really a lot about communication so you have to like communication and you have to be good in it do you feel because it sounds like you're also doing kind of negotiation and persuasion a bit like you're kind of um like you're explaining the risk and then getting kind of like their buy-in like like maybe you're convincing them do you feel like that's part of it too maybe a little bit yeah i would call this like leading without authority and influencing people right because you you want to get security topics tackled but you don't have any authority over the people you have to work with so the only way you can get things done is by making people care motivate people and yeah explain why they should do it and then you get their buy-in and then it's hardly an issue to to get things done if they understand the reason because my experience is that everyone wants to build a great product and wants to build good code and also they don't want to have to get up when there is an incident so if they understand that it's making their life easier you know and it's really easy to get things done i should use that when i'm convincing people barbara that's such a great idea like well you wouldn't want to have to get up in the middle of the night for a security incident would you yeah that's a great idea you probably wouldn't want to have to explain to the customer why this happened oh this is good this is good so i also like to or in general our approach is that you know people building things are also responsible for what they build so they are also responsible developers who build code they are also responsible when that code runs in production so also security is included in that responsibility and every product architect is also responsible for the security of the architecture bills and we are just like enabling them to do it in the right way and we are there as a sparring partner and you know to have a second eye on things but we it's not our responsibility to do everything right because if you have the philosophy in a company that security is is just the job of the security team then you know it just will never work out yeah we can't do it unless everyone's on board yeah i agree right what types of technical skills does someone need to have in order to become a security architect because you you can't start at an architect right can you or like you have to build up to it yeah i wouldn't recommend starting as an architect so i think you you really need a strong technical foundation there so i think either it would help to have a strong background either in pen testing as a basis where you really get to understand all the details about the vulnerabilities how you can exploit things and you also already think a little bit as a tester probably about how you can avoid those things so that's one basis you can have but you can also on the other hand come from a software engineering point where you you know your stuff in software engineering and then in addition you build up security know how and you think about how you can build your software in a secure way but i would really recommend to have at least like five years of experience really somewhere where you are a technical expert and and then you add to that with experience on you know project management working with people getting things done influencing people politics strategy so there's a lot of things you just learn over experience i would say and over time i agree with that too oh that's good can can someone take training to become a security architect is that like a thing that or what training would you want someone to go on and learn or what types of things would you want them to learn so that they could be a security architect so personally um i've done a university program for five years about information security so i i find that very helpful because you have a lot of time and really you cover a lot of topics and a lot of areas from security like biometrics forensics incident handling security processes also security law and of course all the technical things like network security programming etc so so if you have a chance to do that i would definitely go for like a security program at least one or two years somewhere where you just get exposed to different topics and and you can get a broad overview but yeah sometimes maybe you don't have the chance to do that and and you have to build that up while while working and then you can definitely do some some self study i would i would go for obvious material like looking at the overs cheat sheets asvs there are also some some pretty good books i would look for um books about um secure design principles i am supposed to mention this remember i told you i'd be really awkward alice and bob learn application security i am supposed to mention this this this has a chapter about secure design so there i did it good job tanya doing your marketing checkbox yes thank you perfect right so i'm sure that is a great basis also to to get started on the topic yeah because i feel like to be a good security architect it you need to know like a little bit of many many things right because if if you don't even understand what identity is then how can you explain oh well you need multi-factor here because if you don't know those things then i've had security professionals tell me before oh yeah that's two-factor authentication but it's really a password and then security questions like no those are the same factor those are both things that you know and like i can't ask that person questions anymore if they don't know that so i feel like what you're saying you have to know like a little bit of so many things to be able to you should have a little bit of knowledge in all the different security domains and then there should be some domains where you really have a more detailed knowledge like web application security would definitely be an area where it's beneficial to have a deep knowledge also nowadays cloud security is definitely a good topic to dig into network security used to be very important so you were saying earlier if someone wants to be a security architect that a really good path could potentially be you know being a pen tester and learning all the security offensive side because when you know how to exploit something you usually understand it or being a software developer and then kind of like learning the other rule set what what other types of work experience do you think could maybe help someone be a good um to be a good security architect you're mentioning maybe learning about project management or it feels like you have to be good at everything to be a security architect am i am i overstating that by a lot i think over time you you also have to learn to to do things based on your personality so you don't have to be good at everything but you have to find out your strengths and how to do things in a way that you can create impact and that can be very different for me than it is for you um so so that that's one thing where i at least needed time to find to find out what works for me what doesn't work so so that's definitely one thing and when you ask about different kind of jobs that would help yeah personally i started out with penetration testing then i did two years of red teaming so that adds some some additional kind of thinking because in penetration testing you you take a very deep look at a particular target and you think about how you can with the time you have identify as many things that should be improved as possible but as a red teamer you take a completely different look again because there you really have to combine vulnerabilities from different systems to find your way in to the network let's say and then to move within the network and to really get to a target so it's it's some different way of thinking where it's more about combining vulnerabilities finding the weakest link in a system and that definitely also helps [Music] to develop that kind of adversarial thinking that also helps to be a security architect yes and i also worked for a while as a security officer and that's actually not so so different from a security architect in some ways because there i also worked with service managers about how they can improve how their services are working so parts of it were also pretty technical where you discuss network setup authentication topics etc but then there are also more organizational topics when you work as a security officer where you know you have to fill out compliance checklist and you have to ensure that everything follows internal policies and that's probably a little bit more in the top of his security officer than in the top of a security architect because there you really focus on the technical work nice but i guess it also helps if you would work as a security analyst and analyze security events you would also get exposed to a lot of different information about what incidents could happen what is a real problem what is just looking like a problem so that is definitely i think also a starting point for for that kind of career nice this is really good advice because it feels like if someone's working in any other area of security that in some way it will probably help them when they're an architect someday like all of that experience adds up oh it's good okay so briefly i am going to thank our sponsor our sponsor this week is threadfix the most stupendous vulnerability management system this side of the galaxy i told them i would say whatever they wanted and that's the sentence they came up with and i love it because most the sentences i have to say are boring and prefix is super fun okay so i have way more questions barbara so um a question that we always ask is does being a security architect pay well so i don't mean please tell us how much you get paid i mean does it pay well like for how hard you have to work and how much knowledge and experience you have to have and then the job that you get is it good because some jobs people think get paid a lot and they don't and some jobs get paid way more than people might realize and so is being a security architect pretty darn good i think in the security area it's it's it's a pretty good job um there's definitely a broad range i think of of the salary you can get um but as it's it's a pretty senior role you can be a senior or on a senior or on a principal level i would say you can also earn a good salary with it and i would maybe if you want to compare it with like being a caesar i think the the top band of the security architect salary could be similar to the lower band of the caesar celery band so that's pretty cool but as a season of course you have so much more responsibility and accountability so i think a security architect job is is really a good cost benefit yes i was a cso for four months and i'm like yes all these gray hairs are named siso it's hard it's very hard um so so do you feel that there's lots of opportunities in our industry for someone to become a security architect like if would you say there's lots of jobs or some jobs or they're really hard to come by i think that's that's pretty many jobs you could get um because you know it's very hard to find good security people anyway so maybe so maybe you could use the jobs but but it depends also a lot on what you want if you want to work on really cool interesting tech stuff then of course you may look for for a modern tech company and depends on how geographically flexible you are you may not have really cool opportunities in your area but if you are flexible i think you have a lot of possibilities and it also depends i think on whether you want to go deep in a topic then maybe you want to work as a consultant in the area of security architecture where you really focus on one particular topic and you get projects in that area or you you work for a really big company where you really have a lot of security architects and you can focus on a particular area but if you rather want to go abroad then you know you have to get maybe a company that is just building up the topic and where you are one of the first security architects and you can just work on a wide variety of topics so i think there are really many opportunities but it depends also a lot on what exactly you would like to do that's exciting because it depends on the job how many opportunities there are like we had someone who was an open source intelligence gathering person and there's not that many jobs in that field compared to security because people keep building things right and then they need security architects and they're just building stuff all the time those those software developers they build amazing things constantly and they need barbara's i mean security architects to come and look at the things so what would you say is the thing that you like the best about being a security architect so personally i really like it a lot to work with people and also to get this kind of constant feedback about people understanding what you explain to them people taking up your arguments people really working on the topics also like when you hear people argue about security topics after a while you have worked with them they argue like with your arguments and then you really see that that it has worked and so that's really a cool part of the job also personally i've worked in defense sorry i've worked in offense now i'm rather on the defensive side and i i find this much more [Music] satisfactory because on the offensive side i always had the impression that it's always too late when you identify the things so either the services are already built or they're already live and changing them is so difficult so i always wanted to to get to an earlier stage where you can avoid the kind of problems already early on yes and i find that much more fulfilling i love this so i talk a lot about shifting security left or pushing security left and what we mean is earlier like we want someone like barbara to review your architecture before you go and code everything and make a giant mistake that she could have helped with i say this all literally all the time okay so i think what's also important though is that whatever you can automate you should automate so an architect you know should not talk about the things that you can do via tools so like you can do static code analysis you can do third party library scans you can do vulnerability scans automate penetration tests etc so and that's the things you shouldn't have to take care of as an architect but as an architect you should really talk to people about those things that you can't automate and that you need people for yes i literally earlier today i i was presenting to some people and it said automate as much as humanly possible in and then in brackets it says in all parts of your life not just this presentation because that's how yeah i feel like there's a lot of me just nodding and being like i agree with barbara i agree with barbara so now that we've we've heard the thing that you like the best about your job what do you like the least about being a security architect yeah well you know there's always that kind of free residual risk you have so we all know there's no hundred percent security and even if you do your best to get things done to get to the highest level of security you can there's always things that can happen and yeah that's just the risk that comes with the job and that's what you have to accept i i so no one has mentioned that yet on the show is the thing they like the least of that it will never be 100 secure in that like worry that we as security professionals feel like i'm so terrified that one of my clients will have a data breach someday and i'm like what if it's not something i told them to do like to protect or worse what if it's something i told them to do and then they didn't do it and i should have pushed harder for the thing and i'm a failure i think this is a security thing like that we don't talk about that much to people outside of security so right and and i think i think that's very important because you also have to take that kind of risk as a security architect or security consultant officer i think oftentimes people don't dare to say or security people don't dare to say that's okay because they are afraid that they may miss something or you know you have your internal checklist and you know all the best practices and if not all of them are done then you feel uneasy you know but you also have to make these risk decisions so so what's really worth to invest in and what's not and i have had you know discussions about things that are best practice but in in some cases they are just you know slowing down people not making people able to to operate things in in a good way or just taking too much time etc and you you always have to make these these balanced decisions and there as a security person you you have to to help the teams to to make the best decisions for that case and that also sometimes means that speed maintainability extensibility is maybe more important that some of the nice to have security topics but then not having all of them done makes security persons of course often feel not very good so and it's our job to give people that the best context so that they can make the smart decisions about what's what has to be done and what can be done later for example this is i feel that this is a truth about security that a lot of us don't talk about like that ache of i wish i could do more or you know the client you give them the best information you can and then they make a decision and you're like i hate that decision you just made like we could do better ah and yeah sometimes but i'm also not i'm also not saying that um you should just like let them make every decision so you you have to think about whether you have to put in a veto kind of yeah and then you have to be very strong about your opinion um and have to discuss with people but there's also many things where there is room for you know improvement you maybe you cannot do that practice exactly and that that best practice exactly in that way but you find kind of mitigating controls in other areas and then the risk is also acceptable yeah there's a lot of negotiating and compromising in security right right and i think if you're gonna be good at it it's a skill that you have to learn like whenever i've worked with security people that just won't compromise at all they stop getting invited to meetings and people stop asking and then you can't get your job and i think exactly and i think so an important part of the job is also understanding the business and the use cases so because then you you can understand where there's room for negotiation you know what has to be supported and um where you can build your your mitigating measures let's say around it but if you really understand the business and what's their drivers and whether speed is more important or functionality at the moment then you know the different levels that you can work on to bring the risk to an acceptable level but if you just come with your like 120 items checklist and you want everything done the way it's written down then as you said people people stop talking to you yeah and they can go around us and then life is very bad i have i have more questions so like let's say someone's listening to this and they think that sounds awesome i want to be a security architect someday what are some steps that they could take towards becoming a security architect yeah as i already said some kind of education about yeah security and a broad variety of security topics would be really a good foundation and then i also think that mixture between offensive and defensive shops is really a good step to take in the collection of experiences to to get the kind of knowledge you need and the kind of experience you need to work in that area okay so last question if you were going to offer advice to someone so someone's considering becoming a security architect or they're like i love this episode with barbara i want to be just like her when i grow up or just maybe they've always wanted that and that's why they're watching if you could give them a piece of advice any piece of advice what would it be i think always or start thinking about what would be a good solution for this problem so if you feel a vulnerability or if you're working on some security topics what's really a good solution for this and what's the best solution for this and the best solution is often depending you know on the individual situation and you have to ensure like maintainability reliability of the solution it should be easy so that people you know don't fall around this again if they change the code later and start that kind of discussions also with developers or penetration testers about what could be good ways to fix something and i think over time you you just get get more experience in that kind of discussions and you can build up some experience in thinking about these topics in in that way and yeah that will just um that's a path to to to get used to that kind of thinking you need as a security architect oh that's awesome i like that advice because you don't really have to have the job to start looking at the architecture of every app you encounter that's so true right did you find that once sorry did you find that once you became a security architect that you couldn't stop seeing security architecture issues that you wanted to help with like if you like download a mobile app or you like oh i see problems with this yeah i think in general if you work in security you you get pretty paranoid so yeah i'm i'm i'm very defensive or conservative you know in the kind of services i i'm using privately but but again it's a kind of risk decision so yeah that's true you have to make your personal risk decisions and some things you you just accept the risk in others you you look for mitigating measures like multi-factor authentication and in others you just don't use certain services but i do have a smartphone i have one too i have one too and thanks to my marketing team as of two weeks ago i have a facebook account so if people want to talk to my interns they can become friends with me on facebook because i'm not logging into that evil platform then it's just a decision about what kind of information you want to share there right yeah marketing marketing stuff yeah i've already told my family don't become friends with me i'm not gonna there's gonna be nothing personal on there barbara thank you so much for coming on the show it's been such a pleasure and thank you for putting up with my technical difficulties at the beginning you are such a charming guest thank you very much for coming on thank you very much i was very happy to be here thank you thank you okay thank you to everyone who watched today and listened to the wee hack purple podcast i am tanya jenka your host every week we meet awesome humans like barbara who teach us about super cool jobs like being a security architect and that's what we're trying to do here at we hack purple for this podcast is let everyone know about the different types of jobs that exist so that they can consider if that's something that they want for themselves something that they want their future to be we hope that you enjoyed this episode i would like to personally thank threadfix for being such an amazing sponsor as usual always pouring us being super awesome and barbara for being a really great guest we actually had a lot of technical difficulties earlier and she was wonderful and super patient with me as i troubleshot everything under the sun so i hope to see you again next week where we're gonna do more interviews and until then may all the things you hack be purple