I decided, you know what? Well, this week, I decided that I was so excited about all of this amazing technology that was being built in the world. And I didn't want to focus on the doom and gloom of it all. That I would hunt down the people building amazing technology and I would interview them. And so what you're going to see, or hear if you go find it, is a weird view of software security that's focused on the tech we're building and not about the problems.
It's about how we secure an amazing future with hope. Now, this is a new talk for me today. I want to share the why I'm doing this. I want to give you some of my enthusiasm, if you will. And the echo has calmed down a bit, which is wonderful.

I'm going to tell you the story of three technologies that are all present in New Zealand, that are being actively delivered and developed in New Zealand, that have a security impact that you would never imagine. Because you know what? People don't avoid security. I really truly believe that. I truly believe that as an engineer, we want to build good, high-quality software. Please raise your hand if that's you. You want to do a good job every day. Good, phew. It's always worrying whenever I was like, no. No. We want to do a good job. And security is part of doing a good job. The reason we don't do it isn't because we don't want to. It's because we lack a why. Why does this even matter? Why does security work in this world? So I want to share some of those stories with you. And then I want to kind of do a bit of a call to action at the end and tell you about some of the really cool challenges that are emerging in secure development, in software security, that the only people who can fix those, who can solve them, are folks like you. If the future doesn't belong to me, I'm going to explain why.

So I'm going to start off in a vineyard. Right. How many of you have actually visited a vineyard? Good. Just checking. We do have to check these things. We all know this is where they grow the grapes and eventually squish them into a bottle and then you drink the thing. I think there's a process somewhere in the middle, but largely grapes happen, wine happens, and something between the two. Right. So they look a bit like this, right? Now how many of you feel like this is the opening of a really good security story? It doesn't feel like it, right? Oh, you do. Okay. Well, I like you. You can stay.
So why on earth would grapes have anything to do with security? Well, grapes are a fundamental industry in New Zealand, right? We grow a lot of them. We turn them into wine and we sell that wine for high prices everywhere in the world. Wonderful. Great. If you read any newspapers, you'll know this is part of our GDP and we're very proud of it. And we work very, very hard to make sure this industry works. So the biggest challenge in vineyards will not appear to be a security challenge. It appears to be like any other primary industry. You have something that ripens and has to be harvested at a certain time of year and you have to know when to do that and you have to get your product to the right people at the right time.

So why is this a security challenge? Well, it turns out that everything in the wine industry is really sensitive to time and quantity. Now, if you remember your basics of security, which you won't remember, but I'll forgive you, we care about three things. Confidentiality, so protecting information from those who shouldn't have access to it. Integrity, so we can trust information. And availability, so having that information available when we need it for whatever purpose. Now, in a vineyard, this is a really good example of where data integrity, data availability and confidentiality matter. Let's talk about why. Oh, hello. Apologies, threw me a little, but we're going to get there.

So, why does it matter? Well, it matters because when grapes are harvested we don't have a big stack of people sitting around waiting for the grapes to be ready. We hire them on demand. The sale price for those grapes and for the vintage of wine they produce is negotiated when the vintage is being prepared and we know how many grapes are ready. In a year like this where we've had massive storms and floods, the prices and availability of grapes and other fruits has been really impacted. So this impacts the businesses. How many people they hire?
What prices they can make for things? How many boxes they need to put them in? I think it relies on the count of grapes, which is like the least sexy piece of secure information you'd ever imagine, right? But I want to show you some cool tech that's happening to make this easier.

So, did you know that there's a New Zealand company called Cropsy who have built sensors that can mount onto a tractor, any tractor, doesn't have to be a fancy one, and it can automatically detect the health and the readiness of grapes ready for harvest. Who thinks that's cool? I think that's pretty cool. So you mount one of these things on the front of your tractor? I mean, is it pretty? No. But it's going to go around a field, it's fine. And it can tell you the number of grapes. Now, why does security matter? Because this thing can tell you straight away, which means this thing can order your boxes and tell you when you need staff. This thing can tell you when to get the spray out if something has gone wrong. I don't know, I'm not a farmer type. But it can tell you when to respond. So if we damage that count, if we cannot trust the count of grapes, if we cannot trust the data from our sensors, then people lose jobs. Grapes do not turn into wine. Countdown has less sales next year because there's less wine available. It all flows on. So in itself, vineyards are a bit of a security problem. But one we never talk about, right, because it's not personally identifiable information. Every business is like this. Whether it is agriculture, fisheries, our primary industries need security too.

So let's talk about athletes. We do those too. We grow those in New Zealand too. Any of you athletes? No, it's okay. It's a much harder question than the vineyards one. We're all like wine, sports. Okay, right, cool. So these are some of my heroes. These are the Black Ferns. When I grow up, I want to be like them, but without the incredible fitness, because I'm a realist.
Now, what we don't realise is to build and grow a high-level athlete is a security problem. Really is. Because there aren't many of these people, and they have to be trained for years and years and years to do what they do. And they have to be kept safe from harm. So how do you keep an athlete safe from harm using technology? Another cool technology. So there are wearable sensors and fabrics being developed in New Zealand right now that can tell you things like, has my person's head been injured? Are their muscles experiencing strain? How quickly are they moving? How much are they sweating? What is their heart rate? What is their pulse? Now, that feels very invasive to me. I feel like I'm not sure I would like to wear clothing that knows that much about me. But professional sports, that's really important.

Now, how does this look? Well, we've got everything from goggles that can help you navigate environments so that you can spot the risks ahead of you. We have literally pairs of socks that are Bluetooth connected that can measure your gait, so the length of your stride and whether your feet are in the right place if you're running. And for our rugby players, this is super, super important. It's not just about getting the most out of your athlete because they're an investment you want money from them. It's about keeping them safe. And I want to show you the tech in particular that's doing that.

Now, this isn't a rugby player. This is an American football player. But we have a similar technology, not in a whole hat, but in a headband for our rugby players. Now, this little tiny piece of tech can tell you if you have had a head injury sufficient enough to cause brain trauma. Now, for those of you who have kids who play sports or have played sports yourself, if you've been in the rugby space, you know that head injuries are a massive concern. They might happen now, but you may not feel the results of them for years to come. So this tiny bit of technology helps with that.
So keeping this safe is also a security problem because if we can't trust the data from the sensors, we have a problem. People are going to get hurt. If we share that data too widely, working at high-performance teams, then are we going to harm an individual player? Say they're having a bit of a bad time. You know, they've had an injury at their training. Do we really want all of their training information, all of their body stats sent to the highest bidder? Probably not. Probably doesn't sound like a very nice thing as a professional athlete. Every technology is a security technology. And I'm excited.

Now, I'm going to round up with one that seems to be very COVID-related. Any of you in trucking and logistics have ever worked in them? They're amazing places. You think it's just trucks and package. Put package and truck, go. It really is not. The logistics space in New Zealand is massive. Now, whether you're talking about the big Mainfreights and things of the world or the hundreds of tiny smaller businesses that evolve into that ecosystem, we're talking about millions of packages every single day. And not only do the packages need to get to where they go safely, but there's silly things like, well, if a company now has temporary ownership of a million packages, because they have to get them from A to B, then where do you stack them? There's a lot of security in logistics and shipping that you would never even imagine from what temperature the room is currently at for those who are shipping sensitive flowers, food, things that are perishable to choosing where you put things so that you can get them out again and find them if any of you have lost luggage in the recent COVID-related luggage fiascos. And this is all related to that.

So, how do you decide in a warehouse where to put a box? I wish it was like my sort of filing system where you just go put the box in the corner and eventually you put more boxes around it and the boxes just hang out and then it all works fine.
But you have to be a bit more careful. How many of you know... Anyone know what that is, a graph of? Ah, nerds. Who? What is it? It is Dijkstra. Any of you punished with Dijkstra when you were a student? Many of us. We all have the wounds. So, Dijkstra's algorithm is a mathematical way of looking at the distances between places and its path traversal. Which route should I take between these locations? And logistics is Dijkstra at an extreme level. Not just at a city, but even within a warehouse. If you've got 15 packages to take from logistics place A to B and you've got to find them, get them out, put them on a lorry and then get them to somewhere else, all of that matters.

Now, does it matter in a confidentiality sense? Possibly. If you're a thief you might want to know where all of the fancy things are very efficiently path navigate around and find them all. Is it an integrity problem? Well, kinda, because if you're going to go around a warehouse and things aren't where they say they're going to be, you're going to have a bad time. Is it an availability? Absolutely. None of us like our shipping being slow or late.

So, we now have machine learning algorithms that can sort our packages and can choose where to dynamically store them in a warehouse such that they can be pulled out again in the most efficient patterns. And we also have these little guys and many like it. We have robots. Now, I'm not saying robots are going to take all our jobs. I don't believe they will. I think they'll make us more efficient. But your robot isn't going to know that, you know, Terry likes to put boxes on shelf number three because it's the nearest where they go for their break up each day. They need something predictable. So, when we're introducing machines and robots and machine learning, this predictability, this quality of data matters. So, if we are going to protect logistics, that's a security problem too. We don't want people to know where the sensitive things are.
We don't want our supply chain to be disrupted. We learned in COVID that when our supply chain is disrupted, bad things happen. And I'm excited. I'm excited about logistics and vineyards and athletes and people who are silly enough to take jobs who are doing the AI in washing machines. I have questions. I really do.

So, what does it mean for you lot? Well, how many of you think the technology you're building every day is exciting? Oh, come on. I know it's early. I think it is. How many of you think the technology you're building every day has a security impact in the world? If you didn't, you didn't watch the last... It does. All of it does. Whether it's in fashion or e-sports or in home appliances and devices, there is a security angle to everything, and more importantly, there is a reason to be excited that technology exists and a reason to want to make it the best technology it could possibly be, and that includes security.

So, how are we going to do this all together? The world is full of amazing technologies. You probably use them every day without even thinking about it, and that's cool. We want more of this, and they're helping every industry. I want it to no longer be the case that we stand at the front of the room and say, high health, keep health people and finance, yep, security matters for you, but the rest of you will get to it later. It's not the case. It's part of what we do and it's part of quality for every industry.

Now, our security guidelines, the things that we give out to people to say, hey, you should follow this, were not built for this amazing technology future. Not at all. Now, this is a really timely day to give this talk because somebody is in Congress right now telling people that he let Pandora's box get opened. Do we know who's doing that? Anyone know? Mr Sam Altman is currently in Congress telling us that you need to regulate AI. The irony of him doing that after he opened the box is not lost on me.
But it's a good case in point. We are building technologies and regulation catches up. It doesn't lead, and that's the way it should be in some respect. Now, this is a good example. Now, this isn't regulation, it's guidance. This is the OWASP Top 10. Now, this is the OWASP Top 10 from when it was first launched in 2003 and it's the OWASP Top 10 from 2021. And the sad thing about it and kind of a sad thing for my whole industry is they are almost exactly the same. Now, what does that tell us? It tells us that the wrong people are looking at security. That the OWASP community, we are full of security folk, but we're not the engineers. And for this to change, it has to be the engineers that drive security, not security people outside of your world.

So, to protect us from what has never been seen, we have to think to the future. We cannot keep looking backwards and going, well, we used to build systems like this so security will work the same way. It really won't. Here's some of the challenges we are likely to face together.

Increased architectural complexity. It's no longer the case that we have one big magic box that we've put all of our shiny software in and there's a nice border around it, we protect the border. In SafeStack we call this Armadillo security, where you have a nice hard exterior and a really tickly tummy in the middle. Doesn't exist. Every single architecture we build right now is fragmented. It is distributed in some way. It has integrations with third party components. It has integrations between teams in the same organisation. So we have to treat that security in that way. Little steps applied over entire architectures.

Speaking of third party integrations, have any of you actually counted how many integrations you have into your products? Or how many different technologies that you're using you have? Well done, you. Did you count every day or just once? Just...
The more third party stuff we use, and as a Drupal community we understand this better than most communities in the world, we inherit amazing code from other people and we do more stuff with it. And so those third party integrations impact our quality, they impact our security. We have a larger development community and it's wonderful. But the more people we have, the more complexity we have, so we have to deal with that.

We have non-linear code pathways. Now, as a security nerd, I love to take systems and go what could possibly go wrong with them. And that's fun. And you should try it sometime. Maybe with systems you built, not with other people's. Now, one of the things about AI based systems or generated systems is the pathways through them are no longer linear. You cannot always predict if you put an apple in one side that an orange will come out the other if you follow steps one, two and three. Because steps one, two and three may be changing. They may be having different decisions made based on the data that is being put through the algorithm or through the model. Now, how do you predict what will happen in a system that's non-linear like that? Isn't that exciting? You should be excited about this because this is the code that you may be building one day.

Continuous availability, when I started out, I worked for the Inland Revenue in the UK which is not very glamorous. But it meant that I could go home at five o'clock on an evening and not care about my software until 9am the next day because the one thing you can predict about tax systems in the late 1990s is everybody went home. There was no 24x7, there was no high availability except for one system which we did a load test on once a month and that was our business accounting system and it was a VAX/VMS in a basement. Nobody knew how it worked. And now that's not the case, right? Now we have uptime that's, you know, measured in as much availability as we can manage without breaking our people.
And so we have to change our model. We can't just turn it off at the end of the day and hope it's okay while we sleep. Increased regulation, machine learning and AI, the world is changing and it is incredible, it's very exciting but also a little bit scary. And it's you lot that I want to inspire to fix it because I want to go and sleep on a beach somewhere.

So, if you want some new categories of problems to solve I'm going to give you some things you can think about. So, how can you trust a predefined corpus of data that you picked off the internet? Great, I don't know. Nobody knows yet. How do you secure no-code and low-code solutions? What happens with IP theft and deepfakes? My husband is an artist and did a lot of digital work but now has weirdly picked up his paints again. And why do you think that is? Well, it turns out it's much, much easier to prove value and provenance in physically made art than it is in digital art now. And so the arts community is having a renaissance. People are sculpting again for the first time in decades. People are doing more paint than they've ever done. If you want to buy stocks I would presume Spotlight is probably a good shout at this point. Now that's going to tell you something. If the artists who are non-technical realise they've got a problem with authenticity and with value and with protecting IP and they've shifted to mediums they know they can control more that's a big flag for what's coming for us. How do we verify? How do we value? How do we retain control in a world where everything is being mutated into other things?

Your IoT devices, if you want to build the internet of things socks, great, go for it. I have questions about laundry but we can figure that out. But think about the consumability of technology. We shouldn't be throwing it away. We should have security built in for its lifetime. Not just for the six-week period where people remember. How do we do that?
Whether you are in vineyards, whether you are looking after athletes, whether you're in logistics or whether you're in fashion, I do not care. These problems are going to apply.

There are 30 million software developers in the world right now. Which is huge. And it grows at a rate of 1.2 million per year. Now I can't even imagine how many people that is. I genuinely can't. It's mind-blowing to me. There are so few security specialists in the world. We don't have a number for the number of AppSec people there are. I know there's probably less than 100 in New Zealand. Now, if I was to play the odds, and I was going to look at this incredible technology future and say, hey, when we're building all of these amazing things in every field, how can we protect it? It wouldn't be in buying shiny tools for the 100 AppSec people we have. It would be helping 30 million people globally find the skills they need to bring security to what they're already doing. I don't want more specialists. I want more engineers who think security is just part of day-to-day. And it's just what we do.

And the world is not as mature as we think. SafeStack is an interesting company. We are very purpose-driven. Since our launch, we now have 1,500 organisations in 76 countries, and I can categorically tell you that, firstly, amazing technology is being built everywhere in the world. From East Timor through to Papua New Guinea, we've got folks in Nigeria, Kenya, Ghana, Argentina, Brazil, and all the places you hear about a lot like the US. But those mature companies that we stand and we look up to as role models are a very vocal minority. The Netflixes of the world, the case studies we look at for the chaos monkeys and the tooling, they're less than 2% of what is actually being built. The rest of us are somewhere else. Either we started out doing some security work having a go, or we're on the cusp of beginning. And wherever you are, if you are somewhere less mature, don't worry about it.
Most of the people in this room are. We are. We're a security company. I'm not going to claim we're in the cutting edge because the world is changing too quickly. So be where you are right now and do a little bit for whatever technology you're building, for the impact that it's going to have in the world.

Because we're not all alone. We like to believe that I work for company A and you work for company B and actually we're completely independent and all of that we face is unique to us and it is not the case. All of our technologies are linked, whether it's by the third parties we use, the libraries, the frameworks, the CMSs we use. You lot might be familiar with some of those. If you've got shared components you have shared risk, you have shared responsibility. And so I want us to start thinking like that. Realising that we are not so much distinct items in a big landscape, that we are a big ecosystem, that in order to protect one of us, we have to protect all of us. Because if I'm able to attack one of these companies, then the risk from my relationships, from those filtering out through that ecosystem is huge.

If our vineyard is attacked and they cannot trust the count of grapes coming off the vine, then people don't get employed this season or not enough. The box manufacturers make too many boxes or not enough and lose money and maybe next season they're not there. And maybe the software and the technology we're using in that space with all of the relationships out to our big names, supply chain players, MPI, the Ministry for Primary Industries, the transportation logistics companies, all of those become part of the risk. It doesn't start and end with the vineyard. It starts with a grape and it ends with every technology it connects to, which you'd be surprised at how many there are. So when one of us is breached, we are all breached, which sounds a bit doom and gloom, but I really am an optimist. That means our best defence is to work together.
Because it's not the case that if you're breached, your business goes bust. I don't believe that either. That's the hype we put in the newspaper. But I do believe there's impact. I do believe it slows us down. I do believe it makes us change directions and sometimes react in ways that are not rational. I think we can use our collective power as engineers to build amazing technology and be more resilient, be more prepared for when bad things happen, because they will. We can't stop that. There will always be people who want to do harm. That's humans. That's what we do to each other.

So I'm going to round up with my homework list for you. I want you to pick something that I've mentioned today, even just one thing. It could be looking at the third parties that you're using. It could be looking at the architectural complexity. It could be looking at your company and really mapping out where security lives. Spoilers, it's not just in payments. And I want you to have fun with it. I want you to think about the ripples that could have. I want you to prepare for a future that has non-linear code pathways where your code is unpredictable, where we are talking about an entire ecosystem at risk, where we are talking about regulation changing to adapt to it and what we need to do to be a voice in that regulation to make sure that regulation makes sense for the technology we're building. We're not just talking about writing good code here. We're building good systems. And that's everything from the people who use them, the data we put through them, the code we write and the regulation we operate underneath.

You need to find the why of why security matters. For me it matters because I am a nerd. When I was growing up, I wanted the future I read about in books that I watched in movies and TV shows. I wanted a doctor to be able to scan me with a thing and tell me if I was sick. Spoilers, that's being built right now and it's pretty cool. I wanted to be able to move places quickly.
I didn't want to go to space. That's probably the only one that I'm like, we could probably leave that one. But everything else is exciting. If you're not excited, you can make more money as a plumber. It's the same problem, you're still going to be shoveling waste. Now, find your excitement, find your why. Because that's what's going to change security. Not the OWASP Top 10. Not you buying a fancy box with a little red light on it. But you, the future of security development doesn't belong to me anymore. It belongs to you lot. I give it to you. You are building the future as exciting as that may be. And I want to see what you are doing to secure it.

Now, this looks like sales. It's not, I promise, I'm the CEO. I said we're for profit but with huge purpose and we do. We reinvest a lot of our revenue into giving free education to any organisation in the world who wants it. And you can train up to 50 engineers on essential courses, up to 250 staff for wider awareness with no charge, no tricks, no credit cards. So, if you need it, use it. If you know a company somewhere else who needs it, use it. If you know a friend who's in insert name of weird country here, spread the word. Because my job in the world is to make people like me redundant and to give what I do to you with the excitement that you need to have to build an amazing future.

Thank you so much for having me today. I hope that you go about your day looking at technology a little bit differently. If you have any questions, I will be loitering around. You're welcome to come and say hello. Thank you.