So first, I'm happy to introduce to you Carolyn Wong from Cobalt IO. Carolyn is going to provide context for the day by discussing the future of cloud native security. Over to Carolyn.

Hi, my name is Carolyn Wong and I'm the Chief Strategy Officer at Cobalt. I started my DevSecOps career 15 years ago, leading information security teams at eBay and Zynga. These were super cool places to be working in cybersecurity. In both cases, we were running online operations 24 by 7 with millions of simultaneous users daily. eBay had an uptime requirement of 99.94% and is one of the first major electronic commerce shops that enabled strangers to transact with each other over the internet. Zynga was growing incredibly rapidly as an early adopter of Amazon AWS. In 2009, the Zynga game Farmville launched and in just a few weeks, the game went from zero to 10 million daily active users. A few months later, it rose to 80 million daily active users. At Cobalt, we build security software. Like many DevOps companies, we have data-driven, product-based teams. We value automation and failing fast. I'm going to talk about five interwoven themes today. Number one, modern software and internet security is not a zero-sum game. Number two, the hardest problems to solve in cybersecurity are not technical. Number three, the most powerful solutions that are required to address cybersecurity problems today will require people and process innovation. Number four, cybersecurity has many different facets and it can seem complicated, but it's not impossibly complex. There are fundamentals that we as industry professionals can rely on and we shouldn't allow ourselves to get too caught up in the myth that these problems are too hard to solve. Number five, protecting the world's digital value is not something that is just the job of security professionals or just the job of developers.
Cybersecurity has always been an outcome, a result of behaviors and interactions and decisions and actions of many different people. This has never been more true than it is today and we really are all in this together. My hope is that if you're working in DevSecOps on a day-to-day basis as you're making decisions and solving problems and making things happen that these themes will be something that you can draw upon for inspiration. I do expect that these themes will continue to evolve, but when I ask myself, why am I excited about the future of Security Cloud Native? These are some of the answers that I have today. First and foremost, security is about protecting value. In today's modern world, a lot of the things that we value are shifting from the physical realm to the digital realm and that's why cybersecurity is so important. Security practitioners used to have this story that they would tell about how to think about cybersecurity. The story says that if Mark and I are running away from a bear, I don't have to outrun the bear, I just have to run faster than Mark. In this scenario, the underlying assumption is that I value myself and that I don't value Mark. My success doesn't depend on Mark and so as long as I get away from the bear, it doesn't matter to me if Mark becomes the bear's lunch. The problem with this analogy, and there are many, is that in reality, software companies and the digital value created by organizations, that doesn't exist in silos. We are not independent islands. I actually think that a more appropriate analogy for how things work in cybersecurity would be a three-legged race. Because in a three-legged race, my partner and I are dependent upon each other. In order to win, we have to work together in lockstep and I really think that is more of how it is today when it comes to software security. 
Every software company, including ours, is part of a tightly interwoven ecosystem of software companies that provide a variety of products and services. Each of these companies uses other software companies to help them do their work and so on. A perfect example of this dependency between software companies happened on Monday, January 4th. That morning, I woke up next to my five-year-old daughter on the bottom bunk of her bunk bed and I looked at my phone. It was my first day back at work after a two-week vacation and I had received this text message from my friend and colleague, Anna. It turned out that Slack was down and the outage lasted for six hours or so. This was not an ideal way to start the first working day of the new year. At Cobalt, we're a hypergrowth B2B SaaS company. Today, we serve nearly 1,000 customers and we use about 75 or so vendors. You can think about the company, and any DevOps company, really, like a tree. The vendors we rely on are like the roots of the tree and the customers are like the branches. And if all goes well, those branches will bear fruit year after year. As you may guess, I have not one, but two young kids and we watch a lot of Disney movies in our house. As I was thinking about this particular theme, I couldn't help but think of this song lyric from the Disney movie Pocahontas: "And we are all connected to each other in a circle, in a hoop that never ends," because this is how it is with modern software companies. And this means that security is not something we can care about in a vacuum. We must acknowledge the dependencies that we have on other software organizations for the state of our security. It is no longer enough just to care about the security of your own, because your vendors' insecurity and your partners' insecurity affect your risk profile and your ability to protect the value that you create. I am the LinkedIn Learning instructor for the Master the OWASP Top 10 learning path.
What you may not know about me is that before I started creating the content for these instructional videos, I actually didn't understand all the little details about the top 10. The first version of the OWASP top 10 came out in 2003 and I started my cybersecurity career in 2005. I became the chief of staff to the global information security team at eBay. And naturally, since eBay is an online marketplace, web application security was and is of extremely high importance. The problem was that every once in a while I would download the OWASP top 10 document and I would try to read through it and I would get stuck. I would get bored or I would get confused or something more urgent would come up and I would put it back down. So I never really learned all the details until I had to teach it to other people. The current version of the OWASP top 10 was released in 2017 and the crazy thing about it is that despite having been through several iterations over the past 17 years, the types of issues found in web applications are pretty much the same. It's the same stuff that the best and the brightest in the industry have been talking about for 17 years. So why haven't these problems been fixed? We know how to find them, we know how to fix them and we know how to prevent them. This to me is super interesting and a little bit frustrating. The next thing that I wanna do is talk about this common misconception that the biggest and the baddest problems in software security are technical problems. Let's talk about the 2017 Equifax breach. More than 140 million people affected, a widely accepted theory that the attackers were state-sponsored spies from China, a CEO who stepped down three weeks after the breach became public, $1.4 billion to clean up the mess and an FTC settlement. How did the breach happen? It wasn't because of a super sophisticated zero-day technical issue.
It was because some software was found to be vulnerable, a patch was made available and Equifax failed to deploy the patch. This was not a crazy technical problem that lacked a solution. The technical solution was available. This was a lack of people and process innovation. More recently, threat actors managed to plant some malware in some monitoring software. This happened a couple of times in the last 12 months. This software happened to be in use by some hundreds or so of organizations. And when the news first broke, the breach was described as a highly sophisticated, targeted and manual supply chain attack by an outside nation state, which sounds really intense. And it is. But when you draw back the curtain, it seems as though maybe they had used the password SolarWinds123 to protect the company's update server. It's no wonder malicious threat actors took advantage and planted some malware. This is unfortunately a simple security misconfiguration. In this year's State of Pentesting report, we at Cobalt reported that misconfiguration was the number one most commonly identified vulnerability type found across Cobalt pentests for the fourth year in a row. Theme number four, cybersecurity has many different facets and it can seem complicated, but it is not impossibly complex. There are fundamentals that we as industry professionals can rely on and we shouldn't allow ourselves to get too caught up in the myth that these problems are too hard to solve. In 2005, as a new college grad, I started my first ever full-time job as an information security engineer at eBay. I was handed a 50-page stack of information security policies and told that I was responsible for answering questions about it from technology teams and from the business. It was overwhelming. I thought to myself, how am I ever going to learn all this stuff? It seems so complex.
I found out after a few months, by meeting with people who had questions about eBay's security policy, writing them down, asking my manager and then going back to the person to share with them my newly acquired answer, that people were asking the same questions over and over again. Throughout my career, I've been on two security teams as a practitioner. I've led a global product management team. I've done consulting and I'm currently at my first startup. This series of diverse experiences has helped me to see that cybersecurity is complicated, but it's not impossibly complex. Even though NIST 800-53 is nearly 500 pages long, PCI DSS is more than 130 pages long, the BSIMM is more than 100 pages long and the ASVS is more than 60 pages long, I really think that the fundamental principles of cybersecurity, and application security for that matter, can be boiled down to four basic building blocks. A couple of years ago, Julie Kurt and I worked together on a white paper called Practitioner's Guide to Application Security. It's a 20-page document that outlines how simple, not necessarily easy, but simple application security can be. It includes a one-page poster that we call the Modern AppSec framework. This framework has just four components. Number one, govern, aka know your assets. Number two, find. Number three, fix. And number four, prevent. Right now in cybersecurity land, there is a lot of emphasis on automation. The storyline says that because we have a lot of cybersecurity problems and we also have a talent shortage, you should try to automate as much as possible so that you are less dependent on people. I happen to strongly disagree that automation can solve all of the world's cybersecurity problems. As my friend and former colleague, Vanessa Sotter, eloquently shared in her B-Sides presentation last year, there are entire classes of security vulnerabilities that can only be discovered by humans.
Finding things like race conditions, business logic flaws, and chained exploits cannot be automated. We need human creativity, human innovation, human judgment, human opinion, and human decisions to drive the right outcomes in this industry. It is true that software is being developed faster and faster, and some cybersecurity teams are using automation to manage some of the incredible volume of work that they're trying to tackle. However, I think that solving the most important cybersecurity problems has to include both automation and manual effort. Both DevOps and DevSecOps benefit by innovating when it comes to people and process. Security practitioners in particular need a better model for talent distribution. They need standardized, automated workflows that can take the friction out of working cross-functionally between security and engineering teams to find and fix security issues. Consider for a moment the following hypothetical scenario. Imagine that we're in the midst of a global pandemic and a highly infectious deadly virus is affecting millions of people around the world. It is so bad that in the world's richest country, more than half a million people have already died from this disease. If you think this is a technical problem, then you might think the most important thing to do is to develop a vaccine. That is a super hard scientific problem to solve and it's a scientist's job to figure it out. But what happens when an effective vaccine, or three, is created? The technical issue is solved. So does the problem just disappear? Of course not. In some ways it might actually be easier to invent a completely new vaccine than it is to figure out how to do procurement and distribution and communication and actually getting people vaccinated. Just as knowing about the OWASP top 10 for 20 years doesn't mean that we can eliminate and forget about these types of problems.
Just because you might have a vaccine doesn't mean you can vaccinate enough people to eliminate and forget about a global pandemic. I'm here to challenge where we are today as an industry and look forward to imagine where we are headed. It is time for us to examine the principles that we think about when it comes to cybersecurity and how the future of cloud native security is going to be, because it will be what we make of it. I want to end this talk by describing something that I think is completely fundamental and yet it is not often acknowledged in the security industry. Security is not a vitamin or a band-aid. It's not something you can inject or do at the last minute or add on after the fact. It is not a feature. Security has always been the result of decisions and actions made by many different people. It's actually the outcome of an unpredictable dance between many people. For DevSecOps to be successful, we must build a collaborative approach that brings us together. If you know how to salsa or Lindy hop, you can extend a hand, invite a partner and step onto the dance floor. But security is not always invited to the party. Too often, development, security and operations dance alone. We must invent the dance style to sync our movements and create a beautiful partnership. I'm gonna end today's talk with some lyrics from High School Musical. We're all in this together. Once we know that we are, we're all stars and we see that we're all in this together. And it shows when we stand hand in hand, make our dreams come true. I would love to hear from you. You can find me on LinkedIn or you can email me directly at carolineedcobalt.io. Thank you.