We Hack Purple Podcast

We Hack Purple Podcast Episode 43 with Leif Dreizler

June 24, 2021 | Leif Dreizler / Tanya Janca | Season 1, Episode 43

Host Tanya Janca meets Leif Dreizler who manages the Product Security team at Segment. The ProdSec Team is focused on partnering with software engineering teams to design and implement security features for the Segment product. Leif got his start in the security industry at Redspin doing security consulting work and was later an early employee at Bugcrowd. He helps organize the Bay Area OWASP Chapter, the AppSec California Conference and LocoMocoSec.

Thank you to our sponsor 10Security

Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security.

Don’t forget to check out We Hack Purple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A fun and safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com


[Music] so[Music] welcome to we hack purple podcasts where each week we meet with a different person from the information security industry to ask them all about their job how they got that job their career progression and how you could potentially one day get a job just like theirs and this week we are talking to leif dreisler and he is going to tell us all about his awesome work at segment this week's podcast is sponsored by 10 security the gentleman who created defect dojo but without further ado i know what everyone wants let's meet leif[Music] hi hey thanks for having me on the podcast i really appreciate it thanks for being on the podcast i've been excited to have you especially after uh reading your blog for a little while yeah uh i love hearing that i feel like uh you're kind of a infosec celebrity and somebody that i've watched a lot of talks and read blogs from from so it's amazing to hear that from uh somebody that's been inspiring to me throughout my career oh feeling the love on the we have a podcast can you tell our audience a little bit about like maybe the title of your job and i think you're allowed to say where you work since you share the blog so it's like not very good op tech if you were to hide that and i feel like it's probably okay yeah my opsec is inherently bad because i'm the only leaf drizzler and so uh it's very easy to find me uh fortunately or unfortunately um but yeah if you ever want to find me on twitter leaf drysler only one same thing on linkedin very very easy to find but uh yeah i work at segment and i'm the engineering manager for the product security team um the product security team at segment is a little bit different than a lot of other product security teams in the sense that we function more like an engineering team and actually partner with engineering teams to design and build security related features that are customer facing so segment isn't a security company but we do a lot of b2b business like we have a lot of 
business customers that care deeply about security and so they care about things like single sign-on 2fa scim and so we work with engineering teams to design and implement these types of features and i know prosec is a little bit of an overloaded term and many orgs use it synonymously with application security we actually have a separate application security team that's focused on tooling training internal consulting uh to help our engineers write secure code on their own and this includes things like bug bounty programs uh managing tooling like snick teaching other engineers to do their own threat modeling um and that's actually something that was recently blogged about by my coworker chief and i just dropped a link to that in the chat for if people want to check that out on their own time it's a really good blog cool yes um oh and let's copy it to the chat too so um yeah we actually just realized that we both know g van and that he's totally awesome and he is one of the leaders of the oas vancouver chapter with farshad yeah jeevan's awesome i uh referred jeevan and then i got two hockey assists because he referred two people um and so it's like a nice little tree of referrals uh and he's responsible for all of our vancouver hires uh in security which is great oh that's amazing that's awesome we're all friends a lot of good people know a lot of other good people that's a thing i've seen cool okay so we shared uh your blog post and or we shared a link to one of your blog posts in there which everyone obviously is going to read as soon as this episode's over so open it so you have the link but then stay with us so so first of all i have to of course ask questions about product security so stuff like multi-factor authentication etc so i logged into one of my banks today and they asked for uh my password and then they asked for a security question and they're like it's a two-step verification and i was like don't you dare call that don't you dare i wouldn't say there 
are two factors but there are two steps i guess i feel like it's dirty yeah because because the average person's like oh yeah i do i do two-factor then i'm like no you don't your bank is tricking you with crappy security it's two of the same factor yeah it's uh you know what high school did you go to what was the mascot or whatever it's like okay that's pretty easy to find for many many people luckily for those types of things like if i do get asked i always just save some random string of characters like it just becomes another password and i throw that into one password and you know don't really worry about it but yeah for the average person they're definitely picking like whatever their actual high school mascot was since your company does b2b i feel like if you're selling so first of all like your team is making security features for businesses they're not going to put up with that crap right if you're like oh we added security questions so now it's two-step verification they'd be like no that's not mfa go back to the drawing board do you think that business customers are potentially like a lot more savvy than the average consumer definitely and they also have the ability to like lobby on their own behalf because they're like hey we're giving you a lot of money and so we expect you to to have sso or we expect you to have scim um and like features like that like it's you know i would say businesses are generally like okay with paying more for like whatever that enterprise level of feature set is like whether it's security or not um but yeah they definitely have demands across the business and i think it's fine because security is really just one part of our engineering organization and they have demands across all sorts of engineering requests and i think that it's totally fair that they would have some that are within the realm of security as well would you say that so like if you don't know the answer it's okay but would you say that they're motivated because 
they want to protect their own business or they're motivated because they want to protect their customers or they're motivated because they're like if our products more secure that's a selling feature or is it like a whole mishmash i think it's all those and it really just depends on the specific customer like i would say that in many cases we are b to b to c so something like nike or etsy and so in that case like i'm sure they do care about their own employees data that's within our systems but i'd say they probably care more about their customers data um but then it you know it's probably the i i guess yeah if you're b to b to b then it's probably the same thing like you probably generally care more about your customers data than your own employees data and so i think that it it's probably a combination of all those things that you said but yeah i'd say the biggest motivation is probably making sure that their own customer data that's going through segment is safe i was actually doing research last night for a pitch i had to do today and apparently in 2020 almost one percent of the entire gdp of the entire world went to cyber crime oh so just like straight up ransomware or like i guess other things like every single type of nefarious related cyber like cyber crime which is like absolutely mind-blowing so yeah i've not heard that that's pretty interesting though i guess they're probably all like bitcoin theft that like falls into that bucket um like ransomware i'm not sure like what else would would fall into that offhand but yeah those two are probably pretty big yeah they are would you say like that business customers are becoming way more security savvy i know these are off script but i'm just like superheroes sounds cool i think the the like more you swim up the like enterprise chain like it's very it's very security-centric like they'll send you whole questionnaires um that i don't totally understand why they send so many questionnaires while also asking for 
compliance stuff because i feel like if you say like hey we have sock too like that shouldn't get you out of all the questions but it should at least get you out of answering the questions that sock 2 is meant to cover like we will share our sock to report with customers and i feel like they should share the burden and like they're not incentivized at all because they're just like whatever we're paying you money like fill out the spreadsheet that you already have the answers to in the sock 2 report but i do feel like they should if they were being friendlier to the ecosystem have an augmented questionnaire that's like hey we'll check out your sock to report we still have these other questions you know that that aren't covered by sock too to augment that but um yeah customers really do dig into security pretty heavily especially as you you get to like the larger customers were you surprised by just how many checklists that you had to fill out as part of your job so luckily i don't have to fill out too many of those we have an awesome governance risk and compliance team that also serves as our uh defenses for sales enablement and so they do like a first and second and maybe even a third pass to try to answer these questions before uh giving them to the rest of the security org and then we've also invested in a tool called lupio which is actually a canadian company um that helps automate the responses and so it serves as like a library of answers and then sales engineers can upload the spreadsheet and it'll go through the spreadsheet and find similar questions that you've answered before to be like hey like maybe you want to use this answer that you've provided and so the sales engineers do the first pass and then the grc team does like the second and third pass and then if there's anything that's left over that's like a new question or like a question that we answered but it was a long time ago uh then we'll we'll uh take a look at it but yeah we we try not to have 
the engineering teams look at those too frequently okay so now i'm going to ask questions that are on script just for a bit and then i'll probably get interrupted with your yeah can you just can you describe your job and maybe describe like what a day is like in the life of like do you know what i mean like yeah sometimes people's meet like jobs are just like all meetings or sometimes it's like lots of spending time with i don't know i'll shut up now no i get what you mean so um i'm as i mentioned i'm the product security manager at segment and i manage a group of individual contributor software engineers and so i do have a decent amount of meetings i think that's pretty similar to a lot of other engineering managers um but i don't manage any other managers and so a lot of what i spend my time doing is trying to help uh the individual contributors on my team uh with their work and be able to grow autonomously and so we have a couple people that have joined in the last couple of weeks we have uh an intern for the summer and so i try to spend at least a little bit of each day helping um one of those two people uh work on whatever they're working on and sometimes it's writing up a guide in advance that has some intentionally missing pieces it's like hey you know check out this part of the code base uh try to trace what's happening you know back to this other service or something like that and then you know generally here's what you're trying to accomplish and so it's a combination of like pointing them in the right direction uh you know putting some bread bread crumbs along the way but also uh making sure that they're doing a decent amount of research on their own um and so yeah i would say it's a good mixture of like things that are like planning related meeting with other teams meeting with people on my own team and just making sure that uh the teams that we interact with and the people on my team are successful um but we're also hiring more people so we have a 
senior and a staff role open and so if you're a software engineer that's interested in security features uh we have a really modern tech stack you'd mostly be working with typescript and react uh i'd love to chat you can just give me a dm on on twitter and linkedin cool good we want people to have jobs so this is awesome and lee's really nice and so is gvan so you get to work with at least two awesome humans so it's a good deal jeevan is the the manager on the appsx side so he's uh like one of the teams that we work with super closely so he's also under the security engineering umbrella nice what types of so like it takes a certain type of person that can do this job right what types of personality traits or maybe i don't know sometimes people might say like aptitudes would you say that someone needs so that they could be good at this job yeah so i don't think that there's like a specific like pattern or like set of buckets that somebody needs to fall into to be successful at my job like i think that there's a lot of different uh like personality types or traits that somebody could possess and be successful i do think that all managers need to be empathetic uh regardless of whether it's like an engineering manager or just like i don't know just some somebody who's managing something else but uh your team is always going to be composed of different people that think about and react to things differently and so and same thing with other teams like other teams are gonna have different priorities they may be understaffed they may not have a focused mission and you need to try to be understanding of what the people and teams you work with are going through even if it's something that you don't fully understand or like you know maybe it's something that you've never done but uh on top of that i would say you need to be good at prioritization uh i think this applies to most leadership roles like there's really no shortage of good ideas at segment but you have to focus on 
a couple of things um to make sure that you're what you're building is high quality and kind of uh in that's in that same vein uh having a good system to keep track of all the things that you need to do is important i think that uh once you've been at a company for a while you're probably gonna get tagged into docs all the time have people messaging you on slack like once you know things like people need things from you uh and it's easy to get distracted and forget to reply to somebody's question or whatever and so you need to have a good system in place to make sure that you're staying on top of everything how do you choose like for prioritizing i i teach this course for we hack purple and i go in and like we build appsec program together and it's the toughest part of the course is the team will come up with like well we have 20 apps at goals and i'm like you get three to five and then you know we need at least 10 and i'm like if you have 10 things you're all you're never going to finish any of them and so three three to five guys and it's like constant battle or you've got to be really good at convincing managers people above you that you need more people uh that will increase what you can work on but yeah uh i think luckily one thing that is nice about the way that our team's set up is we are similar to a like a product engineering team and so you can fall back on some of the things that uh like other product facing teams um use as part of their prioritization is like is this something that customers are asking for is this something that we've already built that's broken that customers have told us about um is there is this something that uh you know we've started to see show up in security questionnaires even if it isn't something that's really getting in the way of deals like you can kind of get a sense from reading those here and there that like maybe there's this new thing that that customers are going to be expecting over the next like six to 12 months and 
so i think that it's a little bit easier than you know maybe an appsec team that isn't tied so closely to the the goals of the business but i think what we do across security engineering regardless of if it's my team or one of our partner teams is we try to rate things on like a combination of like business slash security value and then effort and we try to pick things that have like a good ratio and sometimes it's like this is actually a ton of work but the value is going to be really high and so it's worth it um and it's you know i think it using something like that it's easy to just pick off a bunch of stuff that it's like okay this is easy and it's going to have a big difference uh eventually if you're doing a good job i think you'll probably run out of those at some point like your org will have just done enough of those easy ones with big impact but you should always keep an eye out for something like that and then from there yeah you just got to figure out like what's going to be a good ratio of effort to security and or business value and i think that's easier at a b2b company because your customers inherently care way more uh consumers on average i would say don't really care about security maybe there's a couple of things that they use like if it's like medical related or financial related but uh there's a lot of the apps that i use it's like if they got hacked like i would be kind of upset but i'd probably still keep using them and then it's like at the end of the day it's like if your customers aren't gonna leave like why should your business really care about security and like obviously it's the right thing to do and there's regulations that you can run afoul of if you just don't care at all but it's very different in the b2b space where your customers will just straight up cancel contracts that might be worth you know hundreds of thousands or millions of dollars whereas at the individual consumer level it's like uh if that like athletic brand that i 
buy clothes from gets hacked it's like well i'm probably still gonna buy shorts from you so it's it's okay[Laughter] it's like i still like those shorts yeah it's like i still want the shorts it's like you already lost my info you can't really lose it again and probably already out there anyway and so it's just not the same as like when you're selling to another business that uh cares and has a lot more weight that they can throw behind an event like that would you say too that business customers are more likely to give you direct actionable feedback than the average consumer uh i would say most i assume most consumers give no feedback to like any of the brands that they interact with it's like maybe there's a small percentage of people that like will write a review or like send in a complaint or say like oh i really like this thing but i'd say you know that's probably in the very very small minority whereas businesses they'll just be like hey like you don't have a way to force everyone in our workspace to use sso it's like all right that's a great idea let's build that um i think the businesses are definitely more vocal and i think it's because they know they can be like if one customer is like i wish the pocket on this pant was a little bit bigger you'd be like all right well we're not doing that uh but if a business customer is like hey we've spent two mil a year with you uh we'd really like this thing it's like well we should take a look at that and see if we want to build that i wonder if too like if an individual um so for instance like i ordered some food from a restaurant i ordered a vegetarian meal and i eat meat but i go vegetarian some days to the environment blah blah and then i got it and there was shrimp in it and i was like oh what and i was like oh maybe i should call and tell them and i'm like i don't really care though like i eat shrimp it's fine like i was trying to be vegetarian today but like i also don't care and i'm like and but then i 
thought about well i used to be a vegetarian and i would be furious yeah if they had put me in my meal i'm excited maybe i should tell them and then guess what i did i did nothing and so they got no feedback like if you're flexible it's almost worse not to eat the shrimp because it's like otherwise you're just gonna toss it of course i'm gonna eat the shrimp yeah right did i get less cheese that's the real question because that's what you should call about is you need to figure out in lieu of this shrimp would i have gotten more cheese paneer is like one of my favorites anyway yes it's so good yeah it's like that i feel like if i were to go vegetarian i would eat indian food even more than i do now because there's so many same thing with like a lot of stuff like asian dishes in general like there's so many good meals that are like oh this is not just something where we took the meat out and put in a lame replacement it was like oh this meal was just good without meat yeah it's just awesome yeah oh my gosh i love indian food anyway okay so i'm glad we agree asian food's the best um so someone in that comment is like very true 100 so so like your job i feel like there's some skills that a person's gonna need to to do that type of work so what types of technical skills do you or maybe like technical experiences would they need to be able to one day do a job like yours because you can't just like walk out of college and do your job probably there's probably nothing that they need woefully unqualified to do my current job my as my first job out of college um yeah i think you know similar to like the traits and like aptitudes like i don't think that there's like a you know a firm set of requirements like i think that you could probably come from a variety of different backgrounds and be successful if it's something that you were really focused and motivated to be successful in but at least for me i have been served incredibly well by having a background and experience 
writing software especially security features i think for me as somebody who manages individual contributors it's really important that i can be there to help give feedback for the types of things that they're working on uh i'm familiar with the code base that they're they're working in and that you know i can frequently point them in the right direction uh if they're stuck on something like i can help them debug whatever they're working on and that's just like some of the things that's made me successful but i really think that that provides a lot of value for the team especially because as of a month ago there were just two of us and so i spent a decent amount of my time working on individual contributor type engineering uh tasks um i also think that having some sort of like product sense is pretty important i've never been like a product manager or anything like that but um even though we're building security features usability is incredibly important if your sso process is annoying people are just not going to use it which means they're probably just going to use the username and password and like maybe turn on mfa um i'm far from a product expert like i'm really lucky to work with our enterprise software engineering team was an amazing product manager rachel but i think that having at least some of that sense to be like hey this flow is just not very good or like what can we do to make this easier for people like you really want to make security stuff easy because generally it's something that is making somebody's life more annoying and you want to make it as easy as possible and like the gold the golden goal is just like is it easy and secure and that's why i feel like sso is a good example of this is once you get it set up like you just click octa and you click one button and you're logged into segment it's easier than entering in a username a password a 2fa code and it's preferred from like a security and i.t side and so i think that designing things to be 
like that is uh really important but it it's something where you're going to need good designers you're going to need good product people and like i don't think you need to be all of those but at least being able to work with those other groups to come up with something and kind of show them like hey here are a couple other apps that do this really well or really poorly i think having like a list in your mind of apps that you've used that do this uh at varying degrees of good or bad is really helpful i have almost never got to have a manager where they could actually help me with my technical stuff that is awesome like at microsoft for i had three different managers and there was one where i remember he got into the code with me and i was like this is amazing yeah but the other two had never coded as far as i know and so it's it's helpful i think it can be augmented by like if you have more senior people on the team that can kind of serve as that like technical leadership it probably reduces the importance of like having a manager that can do those things but um our team's pretty small and uh i i think that it still serves you pretty well even even as the team grows just to like have built some amount of production quality software like when you're reviewing your team's design docs and things like that like you're just gonna kind of have a sense for like i've kind of seen something like this either work well or like not work so well before and i think just having a manager that can uh provide input into those decisions and uh help their team avoid mistakes or do things more efficiently is pretty helpful yeah it's fantastic okay i want to take a brief second to thank our sponsor 10 security do you want help with defect dojo well why not hire the guys that built it that's 10 security greg and matt for the win two thumbs up i also want to mention that we are still doing book streams once a month for all of 2021 for alice and bob learn application security and if you 
want an invite go to aliceandboblearn.com and you can get automatic calendar invites and all that fancy jazz to your inbox and lastly but most excitedly the secure coding course from we have purple is actually a thing so if you are on the advanced list which you can get at wehackpurple.orgnewsletter.wehacpurple.com secure dash coding dash course uh you can get 20 off and you get invited friday instead of everyone else who has to wait until june 30th so saving 50 bucks is pretty sweet and getting a week early access is also even sweeter but no matter what please go check out the course and i feel that that is enough marketing for now let's go back to leaf so you might have imagined i have more questions for you so i get that you don't have to have lots of programming experience in order to do this job but it's like a really nice bonus if you've had that experience but imagine you could design like the best background ever or things that you could learn to try to work towards having a job like yours someday so uh we had someone on the show mary galloway she's awesome and she's a security architect and she said yeah i just like looked at jobs i wanted and all the experience they said and i went and i made a checklist and did it like you're awesome right she is badass um she's episode three you should totally check it out but anyway imagine you could like make a a list of work experience that would make like that would have helped you become the person you are today like what types of things would be on it if someone wants to try to like kind of steer over there yeah so as you mentioned like coding is pretty important um i studied computer science in college uh i don't think that that's a requirement like whatever path you you take to learn how to code is great like if you're self-taught if you go to a boot camp if you do a computer science degree like whatever works works uh i know that i definitely would not have been able to like have the self-discipline to like 
teach myself how to program at 18 years old and so going to college and having somebody like give me assignments and stuff like that was definitely the way to go for me but uh you know not for everybody and um i think there's there are a lot of like great trainings out there i don't really have too many to recommend for like intro to software development but there was a training that we brought in uh about a year and a half ago uh reacttraining.com um that was specifically like a two-day react course that i took as well as a bunch of other people at segment and we found it to be pretty useful um that was like a private training just for segment but they also do paid workshops so if react is something that your org uses or like that you're interested in learning more about i would i would definitely recommend them um and then cover security too or was it more just how to be awesome at react it was just react stuff so it was really just like hey you know we're expecting that coming into this you know javascript you know how to write code you just don't know how to use react and uh so it was all it was all focused on like using react hooks and um like all the latest best practices and things like that so yeah it was really helpful from like a react specific standpoint um but i mean my background like my path is definitely not the path you need to take like i started out as a computer science major uh while i was still in school i started working as a security consultant so i did a couple years of pen testing mostly appsec stuff which was pretty fun got to see a bunch of different organizations some doing a good job others not so much and then from there i went and i was a sales engineer at bug crowd for about two and a half years so getting some of that customer uh facing experience like very different from what i was doing uh as a consultant very different from what i'm doing now at segment um but i think that one of the things to think about is like if you're trying 
to move around within your career, I think that you just need to get good at drawing parallels between what you're doing now and what you're trying to do next. There are a lot of jobs that seem not very similar, but if you're able to draw those connections you can convince somebody how similar they are. People will be like, "Oh wow, you've really jumped around." It's like, yeah, kind of, but before Segment I was a sales engineer, and in sales you spend a lot of time educating people and persuading people. You do this a lot in AppSec. I also blended my experience as a consultant with my experience at Bugcrowd to demonstrate, "Hey, I know the basics of AppSec," while being honest about where my gaps are. So I think that you just need to be able to help people connect those dots.

The other thing is involvement in the community. That's probably the other most important thing: people are much more likely to interview or refer somebody that doesn't have whatever the perfect background is if they have a personal connection. Every job I've gotten has originally been through somebody that I met at a conference or work or a meetup or whatever. So yeah, that's definitely a couple of pieces of advice there.

And then on the management side, there's a training from Lara Hogan that I've worked part of the way through. I haven't completed it, but she has a background in a variety of different engineering leadership roles, and I found the training to be really helpful so far. It's great for getting you in the mindset of trying to be more reflective and thoughtful in the way that you approach certain conversations, plus tips for one-on-ones, tips for planning, tips for helping your team succeed. There's years of experience that she has condensed into this course. So if you're looking specifically to make the jump from an individual contributor role to a manager role, I think that that's worth checking out for sure, or if you're already in a manager role.

That's awesome, Leif, because you would not believe how many awful managers I've had. They might be a really nice person or a brilliant engineer, but they're an awful manager, and they're certainly not a leader.

Yeah, I mean, it's a different set of skills. I think a lot of people reach a certain level of engineering and they get pushed into this new role, or they see it as, "This is the next thing that I need to do in my career." So I think that it's important for organizations to really show engineers, "Hey, you don't have to be a manager. You could be a staff engineer or principal engineer, an architect, or whatever is above that." You need to create a path for people to excel at what they're good at, and not everybody is going to be good at being a manager.

Yes, yes, they're not. Some people aren't very good at it, and some people are awesome at it but they don't like it. I actually downloaded this parenting app, so I am a step mama, and I was like, I like to be the best at everything, so I'm going to learn everything about parenting. I'm that person, so I'm like, I'm going to read 100 books.

Well, it's an important thing to be prepared for. You're shaping somebody's life in a pretty significant way.

Exactly, and you want to be the most positive you can be, and not only just be a Disney mama where everything's perfect. Sometimes they cry and you have to comfort them, and so I was doing a little lesson on this app and it was explaining, when they cry, how to comfort them in a way so that they feel safe. Because I was like, I just kind of hug them, I'm like, "Do you want a hug?" and I kind of listen, but there's a whole bunch of things you can do so they feel even more safe, and I'm like, why did no one tell me this before? This
is just stuff you can learn in a book. This is amazing. So, the idea of a management course that tells you how to be reflective, and tells you how to hear your employees, actually hear what they're saying, and actually respond in a way so that they get what they want and you get what you want: persuasion. I think that persuasion is probably the number one skill that security people need if they want to get their jobs done.

Yeah, you've got to convince other people to help you. Security is really a cross-cutting discipline. It's not something where the security team can just keep the company safe; it's something where you need everybody to help keep the company safe. It's kind of a failed model if the security team has to do all the work, because they're never going to be as familiar with all these different technologies and frameworks and processes. You have a whole company of engineers and other people working on important stuff, and the security team can't understand all these things. There's just not enough room in the human brain for them to be an expert on all of the different things. So that's why for our AppSec team at Segment, and really security as a whole, the main charter of AppSec is to empower engineers to make good security decisions on their own. We're obviously here if they want to talk about stuff and work through things, but really it's: okay, you need to figure out when it's safe to patch this system, you need to be the one who's identifying threats as part of your design. Sure, if it's a bigger project we'll collab on whatever that process is, but for the day-to-day stuff you need to be able to make a good decision on your own, because there's way more of you than there are of us. And it's also just not really our responsibility. You wrote this code, you maintain the service. Security is just a part of good software. It's not something where the security team can swoop in and fix all this stuff for you. You need to be keeping this thing in a secure state the way that you keep it in a reliable state.

We have a comment in the chat that I feel totally applies to security. Kellen's saying the thing about parenting is there's always more to do and more to improve. So true with security. Being a good security professional seems like a direction that we go in rather than something we just achieve. We don't just achieve security in one step. It's a practice. You know how you don't do yoga one time, you have to keep doing yoga, and that's why they call it a practice. I feel like what you're saying is, you support everyone through the thing, but they're the ones that have to do a lot of the work. And I like it when my guests agree with my philosophies on security, and it happens rather often, I have to say, because I get to select my guests, and that's awesome, I get to research them. But it's good when you say things that I say a lot, so then I can point clients to it and be like, listen to Leif, listen to me.

Yeah, I think it's really just the way that modern security orgs are running. I think people have figured out that just telling people no, and telling people that stuff's broken and not helping them fix it and not giving them tools to fix things easily, that model didn't really work. A perfect example at Segment is: hey, you need to patch your Docker containers. We will provide you with a set of images that get updated regularly, and as long as you restart your builds, it'll pull in the new stuff for you automatically. You just need to go in and restart things, and not to trivialize the effort of, hey, well, what happens if you restart something and it breaks or whatever. But you can't just tell all
these different engineering teams, "Hey, go figure out patching independently, and we're just going to scan it and tell you that it's bad." You need to give them some sort of paved path, as Netflix says, to do the right thing and make the right thing easy. If people want to go off the paved path into the jungle, okay, maybe they need to figure out how to do patching, but if you're following the normal ways that your company builds software, the security team should be either doing this on their own or partnering with other teams to help build something to make the right thing easy.

We have another comment in the chat: "It's encouraging to see so many of your guests have a good mindset. I didn't know that so many security-minded and empathy-focused people existed in this profession."

Yeah, very nice compliment. I think that a lot of those people probably know each other, and so if they're on Tanya's podcast, that might be nice. I think it's a little bit of a bias towards the people that she knows, but I think that it is a wave that is coming across the industry. It's not just me. There are plenty of people working at companies that feel similarly to this and are successful because of it.

My second last dev job, I remember I used to call the lead of the security team Dr. No, because he would just come to meetings and say no. All he would do is say no. His name was Bruce, and he would just say no all the time, and he would never say, "No, but you can do this." It's just, "No, you can't do that." "What can we do?" "You're a dev, you should know." It was a lot of blaming, a lot of finger pointing. So one day I just told his manager, I'm like, I just can't, I have a job to get done, and it's just a wall of no with him. If you want to tell me you can't do something, you have to give me a solution of what I can do. All I hear is no and how much my team sucks, and my team literally wants to go around him, and we're software developers, we can go to prod whenever we damn well want. We're following the processes out of respect for you, and we need to work here. So I remember he came to a meeting a month or two later and he's like, "Yeah, so I have to say yes in this meeting and we have to compromise, so let's do this," and then it was so much better. Yeah, at first it was a bit not awesome, but he would be like, "No, but we can find a way for you to accomplish your business goal," and I'm like, great. And then we started coming up with things. So if we have to do a big search and they're like, "Okay, you can't use inline SQL," great, but I have like 50 different searches that I have to create, so I need some help, because my junior dev made an inline SQL statement, we can't have that, we have to use a parameterized query or something safer. Can we brainstorm this together instead of you just telling me I suck and to go back to my desk with my head down? There's got to be a conversation.

I think it's because a lot of security people just don't know enough about the stuff that they're trying to defend, and if you don't know how to make a workable solution, you're just going to be like no, because you don't know what to suggest. So I think that that's another attribute of a lot of modern security engineers: they actually do know the systems. They know AWS, they know how to write code. Not to say that everybody in the security industry needs to be a software developer, but if you're working on a security engineering team as an individual contributor, it's going to be a lot easier to get stuff done in a way that works for your company if you understand how stuff gets built and can build things yourself. Like when our CloudSec team goes to a team and they're like, "Hey, we need you to do this," they know
enough about what that team does to give them something that's practical. Teams are way more down to do your security asks when it's clear that you've put thought into what you've asked them to do, and you have tried to make it as easy as possible, and you're just coming to them with the final 15 or 20 percent of the work, rather than, "Hey, you need to do all this, and we don't know how to do it, so you need to also figure it out." That's not...

Good luck, losers, bye. Okay, so before Ben in the chat asks, I'm going to ask the cheese question. Do you already know what the cheese question is?

No, no.

Okay, so in the first episode I wanted to ask, does your position pay well? So not exactly how much money you make, but is this a good paying position? Because some of the jobs we have been quite surprised to find out they really don't pay very well. So for instance, startup founder does not pay well for the first year or two. I know, but I can afford paneer now, so life is going really well at We Hack Purple. But that said, it turned into the cheese question because I realized one day, when I was a software developer, I went to the grocery store, I was looking at two different types of cheese trying to decide which one I could get, because previously I could only afford to get one type of cheese per week, and I really like cheese, as previously discussed. I'm talking a lot, way more than I should. But so then I realized I could afford both, and I'm like, I've made it. I'm a software developer now, I have full-time work, and I can just buy both. I can buy cheese! And it was really exciting. I realized I didn't have to count every penny at the grocery store, and I could just buy the things I wanted and it was all going to be okay. And so I think a lot of people don't understand how much each different job actually pays. So does being a manager of a security product team pay well? Is it a good paying job for how hard you work and how much you need to know?

Yeah, I think so. I mean, a lot of it is dependent on the stock price of Twilio, which is our parent company, because there is a decent amount of equity-based compensation. But yeah, I think that the pay is pretty good, and I think that engineering manager jobs at successful software companies generally pay pretty well. Having successful engineers in a company that builds software, you need to pay competitively, because there's Google and Netflix and Amazon and plenty of other bigger companies than you that are going to pay more. So yeah, I think you need to pay competitively at most successful software companies if you want engineering managers that are decent or better.

Are you saying that if you wanted to, you could eat paneer once every week?

Definitely, yeah. Definitely one or more times a week.

Have you all the cheese!

Humboldt Fog, that's one of my favorite cheeses.

What? I need to link to this after.

Yeah, it's Humboldt, like Humboldt, California, and then Fog. It's a good one.

I'm on it, I'm on it. I really like buffalo mozzarella, because I'm growing tomatoes and I grow basil as well, and you put... it's just like, oh my gosh. Good combo. Cheese is so good. Okay, so I have a really tough question for you now that is a two-parter, so it's very difficult, Leif.

Yeah.

What is your favorite part of your job and what is the least favorite part of your job? Or the part you like the best and the part you like the least.

It's hard, yeah. So the part that I like the best about my job is I like that it really is a blend of security work and things that are customer facing, and that really combines aspects of my two previous jobs. Obviously this is a little bit different than both of them, but our team really has the opportunity to shape how customers think about our security program. And what I mean by that is, unfortunately, most users of the Segment
application have no idea how much work goes into corporate security, incident response, governance, risk and compliance. Maybe a couple of people at the company will look at the SOC 2 report, but generally most of the people logging into the app won't see it. But they do get exposed to the security features of our product, which is how we show them that we're investing in security, and that this is something that we care enough about to have people build features that relate to this part of our business into what we bring to customers.

Very cool.

And then, yeah, for the least favorite, I think this one's pretty tough, because generally I really like my job. I would say it's mostly that there are specific parts that I don't like of work that I do like. So I really like interviewing and recruiting people, but I don't really like sourcing candidates. There are aspects of our quarterly planning and tracking that I don't really like, but when it gets down to actually working with people to plan an individual project or multiple projects, I really like helping people come up with a successful design, circulate it, incorporate feedback, and then actually deliver on whatever they're doing. So I'd say there's usually some aspects of something that I generally like. Another example, outside of work, is I love connecting great speakers to conferences and meetups, but I don't like having to follow up to confirm their details, making sure that they can still present, reviewing stuff. I'm sure you know what that's like as somebody that's helped organize a lot of stuff and running your own podcast. The whole speaker concierge thing is actually kind of a nightmare.

Yeah, it really is, it really is. Twice this year we had our guest just not show up and I got five minutes' notice, and so that was stressful. And it's not like it happened at a conference. If you've never organized a conference, that's great; here's a conference organizer secret: there's always at least one organizer that has a talk ready to go. It's maybe something they gave somewhere a year ago and it's going to be a little bit rusty, but if there's somebody who literally just doesn't show up to their segment, you're just going to get an organizer who's going to go up there and do whatever for 40 minutes or whatever. So yeah.

If you are somebody who speaks at stuff, please, please, please tell people that you can't make it or whatever. I know that that can be an awkward conversation and you might want to avoid it, but there are a lot of people that are depending on you showing up. So please tell us. We won't be that mad as long as you tell us early, but if you just straight up ghost, we're not going to invite you to stuff again. If somebody ghosts me for a conference, I just wouldn't invite them, or I would have reservations about accepting another talk from them. Maybe that isn't fair, but I don't want to get burnt twice by the same person. If you tell me a week in advance, "Hey, this thing happened," or if you tell me afterwards, "Oh, this thing came up, my kid got sick or whatever," okay, cool, that's totally understandable, life happens. But if you just don't show up and you just act like you never got invited and never confirmed, I'm going to be upset.

Not acceptable at all. Yeah, I've been the backup speaker a lot of times. I'm like, I've got my laptop, I've got like five talks. I actually went to see a conference, a little Ottawa conference, and they only had six speakers the whole day, and they got up and they're like, "Yeah, so the guy after this guy just didn't show, so I guess..." And it turned out he'd been in a fender bender and broken his arm, and they're like, he just texted, totally understandable. So I just went up and I was
like, "Hi, I can speak," and they're like, "Oh my gosh, seriously?" I'm like, "Yeah, I have a talk ready and I have my thing," and they're like, "We know you, get up there." And so I was like, "Hi everyone," and everyone's like, "Oh." That was maybe my fifth talk or third talk ever, and I was just like, I am so scared shitless, I am so scared, and I was like, what if they say no and they're like, "You suck, go away, no one wants you"? And they're just like, "Oh, this is so great," because they were really worried people would go off, and it's summer and it's beautiful out, and they're like, "Oh, we're worried everyone's going to go out on an hour break and just never come back." And so they're like, yes.

That's the fear at AppSec California and LocoMocoSec. The venue is almost too nice.

Yeah, I really love those two events, I really do. Okay, so we have six minutes left, and so I'm theoretically not supposed to just talk to you all night. This is the hard part, where I attempt to wrap up. So I want to ask you two more questions, and I'm going to tell you both of them so that you can segue from one to the other. The first one is, what is actionable advice, or any advice, that you would give to someone that wants to get into a job like yours? And then, if someone wants to know more about Leif Dreizler, where can they find out more?

Yeah, sure, I can cover those. So I think that one thing that's really helpful, if you want to get into product security and you want to be building security features, is every time you log into an app, check out its security features. Are they well implemented? What do they offer? Were they easy to find? Were they easy to turn on? Having a list of examples is going to make it a lot easier when you need to go to your design team and your product team and be like, "Hey, we need to build this." A perfect example is single sign-on. You might just think, okay, we just offer single sign-on and people use it and they're good to go, but there are actually a lot of nuances. One of them is, does the app allow you to force single sign-on, so everyone in the organization has to do it? Does it allow for exemptions? Maybe somebody hired a contractor and they don't have an account with Okta, OneLogin or Azure. How do you get those people into the app? Does the app have a tile that's pre-built in all these different identity providers? Those aren't things that you would necessarily know to build or to think about unless you just looked at this in a decent number of apps and actually turned on this feature. So I think that that is a pretty actionable step that people can take: everyone uses pieces of software, so how well implemented are these features?

And then if people want to know more about me, I have a website, it is leif.pizza. It's really just a collection of all the blogs and conferences. I don't blog or present anything on the site directly, it's just links to everything, but if you want to read stuff that I've written or check out podcasts or whatever, it's on there. And then, as I mentioned, I am the only Leif Dreizler. If you look me up on Twitter and LinkedIn, you will find me. And that is really it.

Awesome. So it was funny, because a bunch of the team at We Hack Purple was like, "dot pizza?" and we thought...

Yeah, there was a new TLD coming out, .pizza, and I was like, I'm buying leif.pizza. So I just logged in in the first week, and I guess no other Leifs out there wanted leif.pizza, and it was pretty easy.

Oh, and also someone wants to have a shout out to your shirt. So when Leif and I met, it was in Hawaii, and of course he was wearing a Hawaiian shirt, and if you see his image on Twitter he's wearing this super bright colored shirt. So I wore a super bright colored dress in hopes that he would wear an awesome shirt, and he did. Those are parrots?

Yeah, toucans.
It's kind of become a trademark of mine, I guess, if you can really call it that. I just always wear fun shirts to conferences. It all started with a shirt at the first conference I presented at; it was a lobster shirt, it just had lobsters on it, and since then I've always made a point to wear a Hawaiian shirt for the conference. And so, yeah, I guess the final shout I'll put out is I have two jobs, a staff and a senior, that I'm hiring for. The ones I linked say remote US; it's also totally fine if you live in British Columbia. We have an office in Vancouver; you don't have to work out of it, but I don't know that we can hire in the other parts of Canada. But we can definitely do BC, and anywhere in the US is good.

Nice, that is very close to where I live. I am on the little beautiful island just off the coast. I can wave to you.

Yeah, well, if you ever want to go grab lunch with the Segment security team, if you're in Vancouver, just hit up Jeevan. Three of the security team are out of that office.

I usually hassle Jeevan if I go to Vancouver, and Farchad, because the lost people are my people.

Yeah, they're our people, I should say.

So yeah, they have been wonderful to me on many, many occasions, and the BSides people in Vancouver, also A plus, awesome sauce. But I'll just keep talking, so thank you so much for coming on the show. This was really great, and thank you for all the resources you shared. I'm going to link them all in the show notes, so if you are listening to this later, go to wehackpurple.com and then click on Podcasts, and then go to previous podcasts. This is, I believe, episode 43, so just scroll on down to Leif, you should be near the top, and check out all the awesome links he shared. Thank you so much again for being on the show.

Yeah, thanks so much for having me. It's great.

Awesome. You were just listening to or watching the We Hack Purple podcast, where each week we meet someone awesome like Leif Dreizler who tells us about how they got their awesome job, what their job is like to do, if the job pays well, if there's lots of opportunity, if this is something that might be right for you. Thank you so much for tuning in. Thank you for listening. Thank you to 10Security for sponsoring us again; they also sponsored a whole handful of diversity scholarships, and I really appreciate those guys. Thank you to Leif for being on, that was super great, and all the resources he shared were super awesome sauce. If you want to work with Leif, you should look up Segment, so segment.com, and then go to their careers page. There are probably going to be jobs going on there, so you could keep checking. And with that, I'm going to say goodbye. Oh, and I forgot to introduce myself. I'm Tanya Janca, but hopefully you all know that by now. Have a great night.