May 26, 2020

Software Security Gurus Webcast Episode #3: Dr. Brian Chess

Welcome to the Software Security Gurus webcast with Matias Madou.

In this episode, he chats with Dr. Brian Chess, cybersecurity expert and former Chief Scientist at Fortify Software.

Together, they discuss industry shifts with Agile and DevOps, as well as the future of scanning tools and static analysis in the software development lifecycle. Dr. Chess also discusses his process when it comes to nurturing software engineering teams, including mentorship and training, in addition to communication tools in the fast-paced world of tech startups.

Introduction: 00:00-02:34
Does static analysis have a place in modern software security?: 02:34-07:46
The rise of privacy: 07:46-09:53
Nurturing software engineering teams: 09:53-21:03

Read the transcription:

Matias Madou:

Welcome to the Software Security Gurus webcast. I'm your host, Matias Madou, CTO and Co-founder of Secure Code Warrior. This webcast is co-sponsored by Secure Code Warrior. For more information, go to www.softwaresecuritygurus.com.

Matias Madou:

This is the third in a series of interviews with security gurus, and I'm super pleased to have with me today, Dr. Brian Chess. Welcome Brian.

Brian Chess:

Thank you, Matias. Good to be here.

Matias Madou:

Thanks. Hey, Brian, do you mind sharing a few words about yourself?

Brian Chess:

Well, sure thing. So Matias, we met because I was one of the founders of Fortify Software and oh boy, I don't even know... I don't know if I want to do the math on how long ago that was. It was a while ago.

Matias Madou:

It is.

Brian Chess:

Now.

Matias Madou:

13 years for me when I joined.

Brian Chess:

These days, I run cloud operations for the NetSuite Division at Oracle. Although I should say that I'm not representing Oracle in any way on this call. I'm only speaking for myself.

Matias Madou:

Yeah. Interestingly enough, you do have a PhD. I introduced you as doctor, but my previous two guests also had a doctorate. Chenxi Wang is a doctor, as is Gary McGraw, and none of us are professors. So there seems to be an option to also land in industry if you have a PhD or if you do a doctorate.

Brian Chess:

You know, I knew I should ask some of them if they knew, too. I knew when I was going to school that I didn't want to teach, because... I learned that from being a teaching assistant in classes. And every time through the classes, the students had to be taught again. And I found that very, very frustrating. And I'm sure the students were not very happy with me that from one semester to the next they weren't learning, because of course they were different students, right? But I wanted more advancement, I think, in my own thinking. And it felt like teaching wasn't going to give me that.

Matias Madou:

Yeah. I'm not sure if that's the reason why we started Secure Code Warrior, but it may be one where you don't want to teach the thing over and over again, so you just make software. And you just make it interesting and scalable. No. So, all kidding aside.

Matias Madou:

So I have actually two topics in mind for today's webcast. And for the first one, I actually will do the math for you. I'll take you 20 years back in time, when you started the company called Fortify Software. Next to being the Co-Founder, you were the Chief Scientist of Fortify Software. So you were able to build something that was very relevant the first decade of this century. And today people say Agile and DevOps and security needs to change and adapt to the new way of working. But I was not so sure. So assume you receive the golden USB stick from Fortify Software the day you left 10 years ago and you plug it into your computer today. Is it still relevant, that piece of software from 10 years ago, or have we radically changed today in the way we create software?

Brian Chess:

Well I was talking about how I wish students would advance more. And I think I, maybe I would say the same thing about the state of software security, which is, I wish I could report more advances than we've seen in the last 13 years. But what I see in my work is that maybe that hasn't happened, at least not to the extent that I wish it would. I think if you backed up and you asked me 13 years ago, what I thought was going to happen next was, I was thinking that we would have a security advance that would be a little bit like moving from flip phones to smart phones. That the smartphones would just erase all of the stuff that had come before them. And that's not what happened. It was a little bit more like the move from radio to television.

Brian Chess:

So television gets really popular, but radio doesn't go away. And it looks like what we've had to do is keep adding layers of security techniques. So for example, static analysis did not replace penetration testing. It got added on top of penetration testing. And I think people are talking about really cool advances today in terms of maintaining the velocity that you can have with a piece of software. And that's what DevOps and DevSecOps is all about, maintaining velocity, but it has not done away with all of the stuff that came before it. So static analysis is still relevant, but penetration testing is still relevant, too.

Matias Madou:

Do we make the job of a developer... so whose job are we making harder in that paradigm? Seems like everybody's job, but especially application security, or also the developers, or, or like who... You know, whose?

Brian Chess:

[crosstalk 00:05:28] So I think that security generally benefits from things that hold still. So if it doesn't change, then we have a longer time to figure out what might be wrong with it and how we want to fix it. And so an increasing rate of change probably makes the security people's job harder. And now security does everything it can to share that burden back to the developers, but probably imperfectly.

Matias Madou:

Is that the problem between reactive and proactive is the fact that we haven't moved enough to proactive security? The fact that we need to do more layers of reactive or finding the problem kind of ID instead of trying to embed security in there from the start?

Brian Chess:

No. So I think if you look at modern frameworks and development methodologies, they consider security to a much greater extent than they did before. And there is an element of security that is always going to be reactive, because we're going to know more about what's secure versus insecure tomorrow than we do today. Yeah. So have we gone far enough? No. And you can see that by just reading the newspaper about bad software practices, about vulnerabilities that were absolutely preventable, that continue to make their way into the software. But I don't know that I can say that it is just a matter of enablement.

Brian Chess:

So enablement problems would be... Have we built the right frameworks? Have we done the right training? I think we still have a mindset problem where people prioritize getting to market, getting the new feature out ahead of some of their obligations in terms of security.

Matias Madou:

Yeah.

Brian Chess:

I think there is something that's changed in a big way in the last decade, and that is the rise of privacy. And one way you can look at privacy is it's the way people have found to advocate for the common good.

Matias Madou:

Mm-hmm (affirmative).

Brian Chess:

So, and we've started to build that into laws to say, "Hey, it's not really just about your bottom line. It's also about the fact that there's some of my data in there and I should have some rights when it comes to how you deal with my data." And we've chosen to call that privacy. And I think, I feel like that is a really big advance since back in the Fortify days.

Matias Madou:

I actually agree with that, because if I look at our salespeople and what I hear in the market, I see regions where it's more important than other regions. For example, in the Nordics here in Europe, it is a very big thing. If you can tie it back to privacy and all their new laws, and you're in line with that, for sure you can get your software in there, but it's different than other regions where privacy doesn't really matter, or they care less about that. And your software doesn't really, or your software doesn't really have to apply to that. But in certain areas, they seem to care way more than other areas.

Brian Chess:

So maybe I'll try a couple of other analogies there, Matias. So does the world understand that smoking is bad for you? Because we've been talking about that for quite a while now. Or how about wearing your seatbelt when you drive? So we've understood for quite a while now that there's a serious safety concern, but what do you have to do in order to understand that concern? You have to know something about statistics, and then you have to understand that the statistics apply to you. And so what's the chance that the next line of code that you write has a major security problem in it? It's probably pretty small, but if you write enough of them, then chances are very good you have a security problem. So do you understand that this applies to you?

Matias Madou:

That's a very good analogy I've never heard before. So good, good, good.

Matias Madou:

So let's see, let's switch to another topic, the second topic, and let's talk about something that you've done twice now, which is growing development teams twice in your career. You started off with a very small engineering team once at NetSuite. Even before you started Fortify, you worked for a time at NetSuite, where you had a couple of engineers and you grew that team, but you also did it at Fortify. You know, you're a Co-Founder of Fortify, so you started with a couple of engineers and you grew that team steadily.

Matias Madou:

So one day you mentioned to me that you had the impression that the people you hired earlier on were kind of better or more capable than the people that you hired later. But then you actually revisited that statement, because you said, you know what, maybe we didn't spend enough time with these people that we hired afterwards, because with the initial set of people, you know, if you're two people, well, you can sit next to them and help them and make sure that they're up and running.

Matias Madou:

But if you're suddenly 20 or 40 or a hundred people, it's really hard to sit next to everybody and help them write code and write secure code. General secure... general development practices. So you went from 20 to 40 engineers at Fortify, from 500 to a thousand at NetSuite. Have you learned any tricks on how to overcome that? Like, we only have 24 hours in a day. How can you help the developers in the most effective way to be as good as your initial two developers?

Brian Chess:

So, Matias, I mean, I remember sharing that story with you, but maybe I didn't tell you just exactly how spooky it was with some of the early Fortify people. So with some of my Co-Founders at Fortify, you know, we would get... one person would head off on an airplane to Asia. The other person would head off on an airplane to Europe, and then we'd come back home to California and say, well, "Hey, they asked me this question, what did you say?"

Brian Chess:

"Oh, they asked me the same question over in Europe. What did you say?" And we would have given exactly the same answers to questions we'd never heard before. It was spooky. It was almost like ESP, where we were just so in sync on some topics that it was hard to explain.

Brian Chess:

And exactly as you said, I think the answer was we had just spent so much time together that we shared values. And so we didn't have to know the specifics in order to know what to say. And then I watched that sort of decay with the people who we spent less time with, and so we shared less with, and so we just weren't as in sync. So, I mean, I think it's a poor manager who blames their humans. To just say, "Oh, well, you know, that person isn't very good, and so we encountered this problem." So, of course there are people who are better than others at a particular task. So I don't want to say that everyone is exactly the same, but if you're not getting what you want out of somebody, chances are just as good that that's your fault as their fault.

Brian Chess:

And so I wish that I could say that in the intervening time I've come up with a way to speed this process along or to get more out of it, but I don't know a shortcut to getting in sync with somebody other than spending a lot of time with them. Once you do that, though, wow, is it powerful. You know, you can take that a long, long way. So, you know, maybe the biggest mistake where I see this made is people say, "Hey, I can outsource this work and I can get it done really cheap if I just hand it to some people who are a long way away." And then they're disappointed with what they get back. And they think, "Oh, well, I must've hired really bad people." Well, no, you just thought you were going to get something cheap. And that low price tag turned into a low investment of time. And then you didn't get what you wanted, and that's no surprise at all.

Matias Madou:

So yeah, in that scenario, you also have to be really close to these people. And I assume that's the reason why you quite often are also on an airplane, and the guys reporting into you are also quite often on an airplane visiting offices and sitting next to people, I assume.

Brian Chess:

Spending a lot of time with people, investing in them and trying to get to the point where we share values. And what I've found when I do that is that we can utilize people all over the world very, very effectively and have good relationships with them. I got to say, in times like we're in today, where everybody's working from home, I think that's really paying off, that we have those strong connections. I'll tell you sort of the next chapter of that story for me, because building teams of dozens of people is not the same as building teams of hundreds of people. And so the role I find myself in today is not hiring very many engineers directly myself. Now I'm handing that responsibility to people and I'm coaching them on "how do they build a strong team?" and "how do they make the investment that's required in order to get what they want out of a group of people?" So I'm having, well, no shortage of challenges there.

Matias Madou:

Yeah. Any... So do you heavily rely on certain tools or mechanisms? These days it's no longer possible to do in-person meetings, but what is the trick? Because if you have 500 or a thousand people, even if you have your people managing other people, how do you do it? Like, what is your weekly thing where you say, "you know what, if I do this, I'll be able to more or less get the thousand people all going in the same direction?"

Brian Chess:

Well, I mean, I wish I had a better story here, Matias, but I mean, my day is spent jumping between email, Slack, text messages, video calls, phone calls. Is that... I don't know, was that five or six different mechanisms? And especially when I'm doing it all from home, like I am these days, it's just this constant rotation of these tools. So I don't know that there's a way out of investing a lot in communication. I think it's got to be that way.

Matias Madou:

I think it's interesting that I also heard Slack. So you must have worked directly with engineers too, because that's what they do. That's what they use. They no longer read emails, I think.

Brian Chess:

You know, I spend enough time on Slack that I think people are a little surprised when I pop up here or there, but not too surprised. I know that's about how I want it. I spend a fair amount of time trying to pull other executives into Slack and say, "Hey, look, there are some advantages here." And I think that they're similarly unhappy that there's one more communication challenge, or one more communication channel, that they've got to balance.

Matias Madou:

Yeah, that's a lot. We have different mechanisms. So maybe a final and personal question. I have two kids, I have two boys, and they go to school in a very remote place in Flanders, Belgium. And at that school, they talk about Fortnite and playing old games, essentially, not about technology, but you live in Silicon Valley. I would assume there's a big difference. How does your boy get along with technology? How does he learn about technology? Is it also because you're telling him, or is it the way more natural environment in school and friends where they chat about that at a young age? Because over here it's pretty much nonexistent.

Brian Chess:

Matias, I think you have just invited me to brag about my kid.

Matias Madou:

Go for it.

Brian Chess:

So I'm just going to take it. I'm going to do it.

Matias Madou:

Do it.

Brian Chess:

So last night we watched a movie from the eighties named "War Games" and I hadn't seen it. So it's Matthew Broderick, and the NORAD people have decided to take the humans out of the loop and they just had the computer controlling the nuclear missiles. And it's a really bad deal, but along the way, Matthew Broderick pulls out this eight-inch floppy disk for his home computer. This just huge ancient thing. And that goes on the screen. And my kid says, "Oh, big data."

Matias Madou:

Nice

Brian Chess:

And I thought that was just, just fantastic. Him finding silly ways to relate the old to the new.

Matias Madou:

Fantastic.

Brian Chess:

So for him the important thing these days is hanging out with his friends online, and they don't use Slack. They use Discord. Discord is basically Slack for gamers. And so he's gotten into writing Slack bots, or I'm sorry, Discord bots. So, you know, it's a bot to be able to talk to his friends when he isn't able to, and he showed me what he was up to. He showed me what he was up to the other day and I pointed to a line of code. And I was like, that is a vulnerability. You need to change it right now. He'd hard-coded an API key into the source code. And he said, "Oh. Oh yeah. Okay. I get that." And out it came. So I was really happy to have spotted a vulnerability in his code. And I was really happy with the way he responded to it. He understood why that was a really bad thing, and out it came. So it gave me a little bit of hope that maybe things can get better.

Matias Madou:

Yeah. I think he's at the right time to get a free license from Secure Code Warrior to beef up his skills.

Brian Chess:

Okay, Matias. I'll take you up on that.

Matias Madou:

Sounds good. All right, Brian, thank you very, very much for accepting to be the third guru on the Software Security Webcast. Thank you very, very much for being on the show.

Brian Chess:

Oh, thank you, Matias.
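The hard-coded API key Brian describes near the end of the interview is a good place to make the point concrete, and it ties back to the earlier static-analysis discussion. What follows is an added example, not code from the interview or from any project mentioned in it. It contains a small static check that flags string literals assigned to secret-looking variable names or passed straight to a bot's `.run()`/`.login()` call, run over two constructed Discord-bot snippets (the vulnerable one and its fix), plus the hardened pattern of reading the token from the environment and refusing to start without it. The bot snippets, the token string and the variable-name heuristic are all constructed for this example.

```python
import ast
import os
import re

# Constructed sample source: a Discord bot in the shape the interview describes,
# with the bot token pasted straight into the code. The token is a made-up,
# non-working string with roughly the right shape, used only as scanner input.
VULNERABLE_SOURCE = '''
import discord
DISCORD_TOKEN = "MTIzNDU2Nzg5MDEyMzQ1Njc4.Gabcde.0123456789abcdefghijklmnopqrstuvwxyz"
client = discord.Client(intents=discord.Intents.default())
client.run(DISCORD_TOKEN)
'''

# The same bot after the fix: the token arrives from the environment at run time
# and never lands in version control.
HARDENED_SOURCE = '''
import os
import discord
DISCORD_TOKEN = os.environ["DISCORD_TOKEN"]
client = discord.Client(intents=discord.Intents.default())
client.run(DISCORD_TOKEN)
'''

# Variable names that usually hold credentials (assumption: a heuristic for this
# example, not any tool's official list).
SECRET_NAME = re.compile(r"(token|secret|api_?key|passw(or)?d|credential)", re.IGNORECASE)
MIN_SECRET_LEN = 16  # ignore short placeholders such as "changeme"


def _string_const(node):
    """Return the string value if node is a string literal, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def find_hardcoded_secrets(source):
    """Static check over one Python source file.

    Flags (a) string literals assigned to a secret-looking name and
    (b) string literals passed directly to a .run()/.login() call, which is
    where bot libraries take their token. Returns (line, context, value)
    tuples; an empty list means nothing was found.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            value = _string_const(node.value)
            if value is None or len(value) < MIN_SECRET_LEN:
                continue
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append((node.lineno, target.id, value))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if node.func.attr in ("run", "login"):
                for arg in node.args:
                    value = _string_const(arg)
                    if value is not None and len(value) >= MIN_SECRET_LEN:
                        findings.append((node.lineno, node.func.attr + "()", value))
    return findings


def load_token(env=None, name="DISCORD_TOKEN"):
    """The hardened pattern: read the secret from the environment and fail loudly
    if it is absent, instead of falling back to a literal in the code."""
    env = os.environ if env is None else env
    token = env.get(name, "").strip()
    if not token:
        raise RuntimeError(f"{name} is not set; export it before starting the bot")
    return token


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        hits = find_hardcoded_secrets(src)
        print(f"{label}: {len(hits)} finding(s)")
        for line, where, value in hits:
            print(f"  line {line}: literal secret in {where}: {value[:8]}...")
```

Run as a script it reports one finding on line 3 of the vulnerable snippet and none for the hardened one. A check this small is what a pre-commit hook or CI step would run; it deliberately looks at the syntax tree rather than grepping, so a token hidden in a differently named variable but passed straight to `.run()` is still caught, while short placeholder strings are ignored to keep the noise down.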
