Ted Harrington
Ted Harrington: Hackable: How to do application security right
November 23, 2020
Transcript
[0:00:20] DA: If you don’t fix your security vulnerabilities, attackers will exploit them; it’s simply a matter of who finds them first. If you fail to prove that your software is secure, your sales are at risk too. To defend against hackers, you have to think like them. As a leader of ethical hackers, Ted Harrington helps the world’s foremost companies secure their technology. His new book, Hackable, teaches you exactly how. You’ll learn how to eradicate security vulnerabilities, establish a threat model and build better, more secure products, gaining you a competitive edge in earning trust and winning sales. Hey listeners, my name is Drew Applebaum and I’m excited to be here today with Ted Harrington, author of Hackable: How to do application security right. Ted, thank you for joining, welcome to the Author Hour podcast.
[0:01:08] Ted Harrington: So excited to be here, thanks for having me.
[0:01:10] DA: Let’s kick this off. Can you give us a rundown of your professional background?
[0:01:15] Ted Harrington: Yeah, I’m a leader of ethical hackers. We’re the good guy hackers. Essentially, companies who need to understand how attackers might exploit their system so that they can improve it and make it more secure and make it better, those are the companies that I’ve been serving for a long time, and I wrote a book that basically captures all of the things that I’ve learned over the many years of doing this. So that’s sort of my background: helping serve companies who want to build better, more secure technology.
[0:01:54] DA: Now, why was now the time to write the book? Did you have an ‘aha’ moment, was there some inspiration out there or sometimes there’s some down time because of COVID?
[0:02:02] Ted Harrington: It’s always been on my bucket list, right? I always wanted to write a book, and as my career went on I accumulated all this knowledge about how to solve these security challenges that I see my customers face. The sort of lightbulb moment was when I found myself in a meeting with a chief technology officer and he says this colloquial phrase to me. The way he said it was very informal and it really stuck with me. He said, “You know Ted, I don’t like monsters and I don’t like getting bitten in the butt. But I don’t even know what the monsters look like or why they jump up and bite me in the butt.” Retelling that story always brings a smile to my face, partly because it’s ridiculous phrasing, but it’s also a really good encapsulation of a problem that so many people face, this “I don’t know what I don’t know” challenge. After that meeting, I really started thinking about that. It sort of stuck with me even though it was kind of a whimsical moment in an otherwise serious meeting, and I really realized two things, two conditions. The first condition was, I noticed that many people seem to have the same problems. I mean, every single day, I’m having meetings and conversations with people where they all say one or more of essentially 10 primary themes, and as I started writing it down, I realized that in every meeting, one or more of those things came up, and that was sort of an ‘aha’ moment for me. I’m having the same conversations over and over again where these leaders in technology are struggling with the same thing. And then the second ‘aha’ moment, as I was thinking about that, was I started thinking about, well, “How do you solve those things?” And I realized, for every single one of those problems, there is widespread misunderstanding and misconceptions about how to solve them, and you take those two things together and you’ve got these people who have these really big problems. 
The advice out there, the conventional wisdom about how to solve those problems is not just wrong, it’s like 180 degrees wrong. That was the moment that I knew, “I need to write this book,” when I realized the combination of those two things exist in the world and this book addresses that, it tells you, “Here’s how you solve these primary challenges and here is the lie or the misconception that’s holding you back and here’s what to replace it with.”
[0:04:38] DA: You clearly have a lot of knowledge in the space but were there any learnings or major breakthroughs that you found while writing the book? Maybe while doing research or just by going through an introspective journey while you were writing?
[0:04:49] Ted Harrington: Yeah, definitely. I mean, the process of writing a book itself is transformative, and I don’t know, maybe that sounds trite to someone who hasn’t gone through it, but I mean that word in every sense of the word. I’m a different person now than when I started it, and so it definitely changed me in terms of how I think about things and ideas and even how I think about other books. But a couple of the real specific things within my profession and area of expertise that were different: one thing I noticed is that I understand the ideas so much better now, the ideas that I thought I already understood, right? Which prompted me to go write this book. I said, “I totally know this, I got to write a book about it.” But hammering the same idea and refining it and polishing it and smoothing it over and over and over again. I guess a metaphor for this would be sandpaper, right? There’s that really gritty sandpaper and you smooth that and it’s like, “This isn’t going to smooth anymore,” and then you use the next layer and you’re like, “It’s actually getting smoother,” and you use the next layer and it’s getting smoother. By the end, it doesn’t even seem like the sandpaper has any grit to it but it’s still smoothing, and that’s how I feel about my understanding of the ideas, and not just the ideas themselves but my ability to communicate the ideas to our customers, to the many people who work at my consulting company. I guess I didn’t expect that part, and that was an amazing, wonderful thing to have received as a result.
[0:06:23] DA: Now, did you have a specific audience in mind when you wrote the book, is this book just for software engineers?
[0:06:30] Ted Harrington: There’s probably three, not probably, there are basically three groups that I wrote this for. The primary group is the person or group of people who is responsible for the security of the technology that they’re building. That’s the core person I wrote it for; that’s usually the chief technology officer or the vice president of engineering, people like that. The second group would be developers themselves. So software developers, they’re the ones who the business looks to and they’re like, “Okay, make the app do this thing and also, you better make it secure, which you haven’t been trained on, but you better do it anyway.” I feel their pain, right? “Oh and also, you have a deadline coming and you can’t delay.” It’s like, how are they going to deal with that? And then the third group is other security professionals who want to understand these ideas better, want to be able to communicate them better. Maybe they focus in other disciplines, maybe [inaudible] response or something, and less about the sort of ethical hacking side, which you know is where I focus. So it’s in that order that I wrote the book for, but the book serves all three of them.
[0:07:41] DA: What can readers expect from reading the book?
[0:07:46] Ted Harrington: Well, they can expect that I pulled no punches for sure. This is the same as what it takes to be successful even as a security consultant, right? Which is, you got to tell people how it is, even when it’s not what they want to hear. That was something that at first I grappled with a little bit, where I struggled with wondering, “This is the truth, is someone going to reject this because this is such a departure from the norm?” And I was working with my editor on that. She gave me really great counsel and she said, “You’re writing this book to tell people what they need to do, so you got to tell them how to do it.” That felt like the green light to me to say, all right, well, then my instincts are right, we got to just say it how it is. Frank truth is the first thing. I call out a lot of nonsense. I try to do it in a way that’s professional and fair and balanced and objective, you know, not injecting any sort of emotion or bias into it, but there’s so much nonsense that happens in security and I try to call it all out. You’re going to get the real truth, and some people who are maybe the subject of that are not going to like that, unfortunately. I don’t name any names, so it’s not like I say any individual person or company, but someone who believes in a certain approach that’s fundamentally flawed, they might not like that. And then the final thing would be, people are going to leave being able to think differently. I’m going to change their mind and they’re going to know exactly what to do. This isn’t just lofty abstract concepts, it’s: here’s the concept, here’s the principle, here’s how to apply it and here’s what you need to go do.
[0:09:26] DA: Now, on the flip side, is there something you want readers to know that is not in the book?
[0:09:31] Ted Harrington: Yeah, there are several things that are not in the book. The first one worth mentioning is maybe even an extension of what I just mentioned about harsh truths, but what’s not in this book: there is no silver bullet, there’s no easy button, there’s no magic solution, there’s no get-secure-quick scheme. That just doesn’t exist. That’s actually one of the pieces of nonsense that exists in security today, that so many approaches try to say, “Buy the solution and your problem completely goes away,” and unfortunately, as beautiful a promise as that is, it’s just not true. Someone’s not going to read this book and be able to walk away and say, “Well, if I just go buy a license to a product or if I just go spend this certain money, then two weeks later my problem is completely gone.” That’s just not the way security works. And then the other thing that’s not really in here, that people might expect to be in here: I’ve really focused on application security, which is essentially having to do with any sort of system running software, cloud services, you know, all the different elements to application security I talk about, but I don’t talk too much about other domains like network security or any elements of defending against humans, any mistakes that human people make. We touch on those things and a lot of the principles apply, but this is really about applications.
[0:11:03] DA: Now, I think we hear about in the news all the time that big sites get hacked, small sites get hacked, there are cyber criminals out there. Can you give us a general overview, how is the security of our apps right now in general?
[0:11:17] Ted Harrington: Well, I’d say, really like anything in the world, it’s on a spectrum, and there are companies that definitely do it well. I’m in a privileged position that I actually know a lot of them. I’d actually say maybe not all of them but most of the customers, most of the companies that I get to serve in our consulting business, they sort of fall into that category or they’re on their way to it, right? They might not fully have transformed their thinking yet but they’re in the process. But I think that companies like that are more in the minority of the world, and where the rest of the world sits, so if you think of it on a bell curve, the one end of the bell curve is companies who are doing it right, the other end of the bell curve is companies who know better and are intentionally doing it wrong and are really trying to skirt the rules and effectively trying to misrepresent their security. There’s definitely a lot of companies like that out there, but they’re not the majority either. What’s in the middle of the bell curve is the companies who are really struggling, who want to do this right but, first of all, they don’t even know how to do it and they’re stressed, not because they’re not intelligent and not filled with intelligent people, but because no one has laid out for them, “Here’s what you have to do,” right? You can try to read a whole bunch of articles and white papers and things that are confusing and Ted Talks and all the stuff, but it’s just not simple, and that’s where I’d say the majority of applications are today. They do genuinely want to be secure but they don’t know how to do it, they don’t know where to start, they have all kinds of technical constraints, they have business constraints like the CEO doesn’t understand it and the CFO doesn’t understand why to fund it appropriately, and that’s where most applications sit today.
[0:13:04] DA: Yeah, let’s dig a little deeper in there. What are some of the most common problems that companies face when they are approaching their own security?
[0:13:11] Ted Harrington: I mean, that’s the common thread that I weave throughout the whole book. How many hours do we have here? I’ll just pick out a few highlights. One of the real challenges is that people don’t actually really, when I’m saying people, I’m talking about people who work at companies that are building software, right? Or building applications. They don’t necessarily know how to secure their solution or maybe they have ideas on it but they don’t know everything. Their focus is building, right? Their focus is building the solutions so they can serve their customers, they don’t spend every waking moment thinking about the attacker. That’s difficult, right? Because this profession is – this area of expertise does require a relentless amount of dedication to understand it all. You take that and then you pair it with the fact that pretty much any company that builds anything has these intense deadline pressures, right? They set a time when they’re going to release the product and that’s when money’s going to be rolling in or if they already have a product out, they need to release the next version. Those deadlines often force certain decisions like, “Well, I guess we’ll have to – we’ll defer security to the next release.” That’s kind of something that happens perpetually. Another challenge is that they, companies really struggle to understand how to even prove the return on investment and by that, they mean, you know, security is often measured as a lack of a bad thing, right? We didn’t get breached, we didn’t have a security incident but how do you measure that, right? Not getting a bad thing is, you can’t really measure that. 
They just don’t know how to even talk about it as a business advantage, and then of course the people who have to do the work, the developers like I was alluding to before, they’re the ones who it’s now being put on their plate to say, “Hey, make sure you build this thing securely and also you don’t have any time, money or resource to do it. So good luck.” That’s pretty hard for any company, even a company that says, “Hey, I got money. I’ve got interest, I’m motivated. I’ve got the right people.” That’s still a lot of problems to deal with. And so one by one in the book I try to attack – not attack, that’s the wrong word. That sounds, I don’t know, adversarial. I try to address each one and reverse the thinking on it and give ideas for what to do about it.
[0:15:37] DA: Now let’s say it is on your whiteboard, right? “We are going to make our app more secure.” Do you suggest bringing in external partners or should you rely solely on your internal team to build these security measures?
[0:15:51] Ted Harrington: Yeah, that’s a really good question, because that’s another area of real common misconception: people often think one or the other. They either think security is something that you’re supposed to entirely outsource, you don’t hire any security people at your company, outsource it. And some people think, well, you don’t outsource security at all, you build your own team in house. And actually both of those are wrong. Security is a team sport. It really requires both. It requires the capabilities in house, even if it is just fractional in house. For example, you might have a person where security is not their primary job, but they are responsible for ensuring positive and effective collaboration with the external security partner. So yeah, you’ve got some internal resources, or even if it is just a partial resource, and then you work with an external expert or consulting firm of some sort who can help you think through your challenges. And then those two have to work in really close collaboration, which is something that’s also itself often overlooked, and that’s the way that you do it, even at small companies who don’t have many people. So for example, you know, one of our customers has I think eight people, right? And so they just can’t afford to hire a full-time security person, nor would that be what I recommend, but what someone like that does is they look at one of their people and they say, “Okay, you of course have responsibilities X, Y and Z, but you’re also the person who makes sure that Ted’s team has everything that they need. They have all of the access, and you’re able to translate the results for us so that we can improve. That’s your job.” And then on the other end of the spectrum, you know, we have Fortune 10 enterprise customers who have entire departments whose job is to work with us and companies like us. So it really is a team sport, it requires both.
[0:17:47] DA: Now I love what you bring up towards the end of the book, which is that security is actually a competitive advantage and you can make money off of your investment into security, which makes it a much easier sell to your CEO. Can you talk to us about that competitive advantage?
[0:18:03] Ted Harrington: Yeah, you asked me before about what were some of the things that I learned, or maybe you asked – I can’t remember how you phrased it, but let’s use the word revelation. What was something that was revealed to me? This was one of those areas that, as I was thinking about it, was always in the back of my mind: how do you justify the investment in security? Because as much as I, as someone who is on this mission, am so overly, obsessively passionate about why technology should be secure, I am also able to realize and recognize that security in and of itself, while it’s an ideal and it is something worth pursuing, doesn’t on its own make a business justification. So that begets the question, well, what does beget the business justification? And as I started looking at all of the people that I knew, our customers, people that aren’t our customers, my friends in the industry, I realized it really comes down to this situation, that we play a part in an ecosystem that we are almost tangential to but we play an important role in. Which is that organizations who buy applications, whether they pay for a license or they pay for more of a subscription through a SaaS model or whatever the model is, they are paying money in order to be able to use some sort of system that someone built. Their expectation, their demand, is that they want those solutions to be secure. At the same time, the companies selling their service or their solutions struggle to actually secure their solutions, for all of the reasons that we talked about here today, and then they struggle to be able to communicate it. One of the things that I did in the course of writing the book was a mini little study, I won’t even call it research, it was just more curiosity. I looked at, I think it was 200 enterprise class application websites, to see how they talk about security. 
And of the ideas that are reflected in my book, only about 4% of all of those companies actually talk about security in the way that this book recommends. So that tells us two things, right? Number one, the buyer is demanding security, and number two, 96% of the people selling things to them don’t know how to talk about it, don’t know how to secure it and don’t know how to prove it. That’s an enormous opportunity for a company to be able to do the right thing. So first of all, we’re talking about the right thing out the gate, which is building better, more secure solutions is inherently a good thing in and of itself. It doesn’t even need a business justification, but we’ll obviously extend it to one. So you start with an inherently good thing and then you gain this ridiculously powerful competitive advantage. So when other companies are saying these really hollow, nonsensical claims like, “Oh, we use bank level security,” it’s like, that doesn’t actually mean anything. You’re able to say, “Well, here’s what we do, here is how we do it, here is what it means to you and here’s how you can make a decision.” And the recipient of that is able to say, “Wow. First of all, no one talks to me like that. I now have insight to make a decision, which I pretty rarely see.” And it makes them trust in it and it gets rid of that fear, and so when all of that happens, it leads to sales. Now, if you are on the selling side, you still have to build a solution that your buyer wants. It doesn’t matter how secure it is if it doesn’t solve a problem. But what happens is security as the blocker, security as the thing that prevents the sale, is now removed, and instead of it being in your way, it is now actually in the way of your competitors, because your competitors have to clear that bar. They can’t clear that bar, you have cleared that bar, which means your bar is now in front of them. And that’s really, really powerful, and that’s how it leads to sales. 
It’s how it helps you make money. It is actually a really positive marketing investment and in the last chapter in the book, I teach people exactly how to do that.
[0:22:25] DA: Now Ted, let’s take a step back and say that you are forming a company today and you want to create this ultra-secure app. Tell me what does doing security right look like?
[0:22:41] Ted Harrington: Well, I mean starting from the very beginning, building security in from the outset and that is a real mindset shift that many, many companies first of all aren’t even aware that they should think that way and then once they are aware of that, it’s like changing culture at an organization to try to make that happen, which is astronomically difficult. So the way you are framing the question is of course, well I don’t have to deal with that legacy problem. I can start out the gate saying security is a priority, it’s going to be a part of our mission and our vision and now what we do is we have the right mindset and we know how to work with this sort of team sport idea and we can start building security in from the beginning and when we do that, what that does is it has this super powerful domino cascading effect where each decision that we make as we’re building the solution, because security is baked into it, we have just saved ourselves headache and heartache down the road later in terms of remediating issues because we are getting rid of the issues at the moment they are being introduced and that’s hugely powerful. So not only does it make it hurt less later, it also makes it easier and it is more effective and it is absolutely the right way to do it.
[0:24:02] DA: You also give the reader exercises and real world examples on your website. Can you talk about some of the resources that are available there?
[0:24:11] Ted Harrington: Yes, there are a couple of things. This podcast is the first place that I have talked about this. I will start with the one that’s pretty cool. Nobody knows this yet but I am now telling people, I am telling you.
[0:24:25] DA: All right, world exclusive right here.
[0:24:27] Ted Harrington: Yeah, this is the breaking news. There is actually an Easter egg hidden in the cover, and it is a code that can be deciphered, and so one of the resources that I give away is actually walking you through how to decipher the code. So you got to go find the code, and then one of the resources that I give people is how to actually break it, how to reverse it. And so not only do you get, like, that’s kind of a fun exercise, it is a fun experience, but it is not just step by step like, “Do this, do this, do this,” it is, “Do this, now this is what you might be experiencing if you are actually an ethical hacker trying to reverse engineer something.” And so no matter how technical you are or you’re not, it gives you that sort of firsthand experience of the thought process of how you work through breaking something apart that seems indecipherable. So that is definitely one of the things that I give away, and it’s right there, hiding in plain sight.
[0:25:31] DA: This is a very old reference but do hackers still run around in rogue places and wear rollerblades?
[0:25:38] Ted Harrington: I don’t know. Did hackers ever wear rollerblades?
[0:25:43] DA: [Inaudible] the movie Hackers in the 90s.
[0:25:45] Ted Harrington: Oh, from Hackers, yeah. Okay, yes. So I do reference rollerblades in the book. No, the more common stereotype for hackers right now, which is, oh man, it is so bad, is that, and you have seen it in every single piece of stock art of every security breach headline you have ever seen, a hacker is wearing a black hoodie, you can’t really see their face, they’re hunched over a keyboard, the keyboard has some green screen, you know, green code on it, and it’s none of that at all. I mean, well, we all do like wearing, everyone in the security community likes wearing hoodies and a lot of them are black, but the whole black hoodie archetype is a little ridiculous, because the truth is that both the good guy hackers and the bad guy hackers, they’re just like you and me and your parents and your siblings and your cousins. They are just people out trying to get better and make a living and solve problems, and a lot of them don’t have the same moral compass that the rest of us do. And that’s really the main difference, is that they don’t see evil the same way we do, but otherwise they’re just like you and I.
[0:26:52] DA: Well, thank you for tolerating my obscure reference. I appreciate that and Ted, writing a book especially like this one, which is going to help a lot of business professionals is no small feat. So congratulations on publishing.
[0:27:04] Ted Harrington: Thank you.
[0:27:06] DA: And my final question for you is if readers could take away only one thing from the book, what would you want it to be?
[0:27:14] Ted Harrington: It’s that this is a chaotic mess, security is a chaotic mess, right? It’s hard, it’s difficult, it’s complicated, it seems expensive, it just seems like a nightmare but it can be handled and that’s the positive I want people to leave with is that if you – so if you read my book, but what I am about to say I believe this also about really anything that any credible security person could teach you. If you come with a mindset of you are here to learn and to change your mind and to keep getting better and to apply and learn new techniques, then you are going to leave having read this book seeing a brighter future. You are going to know what to do and you will be able to do security right and a lot of security people, they sort of stick to the doom and gloom and more of like, “Oh the sky is falling,” and maybe in some cases that is true but that’s not what I want you to leave with. I want people to leave with feeling inspired, feeling equipped. You know what to do, you know why to do it, you know how to do it and I will have achieved my goal if even one person can go solve their problems because they’ve read this book and that’s my hope is that eventually I give that really positive feeling to somebody of, “I had this problem I was trying to solve. I read a book, I’ve now solved the problem and I feel good about it.” That’s what I hope everybody will get out of it but at least one person is the goal.
[0:28:43] DA: Well, I think you will achieve that goal tenfold. Ted, this has been a pleasure and I am excited for people to check out this book. Everyone, the book is called Hackable and you can find it on Amazon. Ted besides checking out the book, where can people find you?
[0:28:55] Ted Harrington: Yeah, I’d recommend the easiest thing is just go to my book’s website. It is hackablebook.com, and obviously all of the information about the book itself is there. It’ll link to the Amazon page to buy it, but also if you want to connect with me on LinkedIn or on Twitter, or if you want to email me and just talk about these ideas, or if you think that you want to hire me or our company for any services, literally anything that you would need to do in relation to this podcast, you will find it at hackablebook.com.
[0:29:23] DA: Awesome Ted, thank you so much for coming on the show today.
[0:29:25] Ted Harrington: Thank you for having me.
[0:29:28] DA: Thanks for joining us for this episode of Author Hour. You can get Ted Harrington’s new book, Hackable, on Amazon. You can also find a transcript of this episode and all of our other episodes on our website at authorhour.co. For more Author Hour, subscribe to this podcast on your favorite subscription service. Thank you for joining us, we’ll see you next time. Same place, different author.