Well, thank you for inviting me to DevOps Days. I'm excited to be here. Almost didn't make it. Flight was delayed, so there was a chance that I wasn't gonna be here, but yeah, finally got in at like 2:30 in the morning. So let's get this talk started. I like to start with something funny, because we never talk about unicorns. I saw something on a t-shirt one time and I thought it was hilarious, but yeah, where are all the unicorns at? So how did this talk kinda come about? I go around to conferences. I speak on DevSecOps, and I'm speaking at a conference leading the session, very good session, interactive. I'm answering a lot of questions about things you can do to integrate security into your DevOps processes. And after the session, I'm talking to a guy. He was, I believe, a director of IT operations for a university healthcare system. And he had a lot of problems and a lot of things he wanted to do. I'm giving him ideas, and he said it's all great. I don't have one of you. And I was kind of taken aback by that. Like, what do you mean you don't have one of me? He kind of alluded to me being a unicorn. So I'm kind of oblivious. Like, what is a unicorn? Am I a unicorn? So I go back home, do some research, and I come up with this list of, like, what is a unicorn? Well, a unicorn, they do what needs to be done. They have true grit. That's kind of like, that is me. I'm a person that perseveres. I have dogged persistence. I get the job done. I do know my value. I'm also a person that has a mentality where I have the ability to see the big picture, but I'm also detail oriented. I'm definitely not limited by my job title. I feel like there's nothing I can't do. I wear many different hats. And usually I'm successful at wearing those different hats. But do you need a unicorn? From thinking about this, I was thinking, what are the true skill sets needed for application security, in particular in DevSecOps? Because I don't view myself as a unicorn.
I still view myself as this kid. I grew up as a puzzle solver. Always loved challenges. I've always been a curious learner. Always wanted to tinker with things. And I think that's why I've developed into an adult that has a growth mindset. And as an introduction, I started programming at an early age, writing BASIC code on a TI-99. So my journey is kind of one that you may expect. You know, I have the technical degrees, so comp sci. I did standard software engineering for a while, then made a transition into information security. And at some point, I kind of pivoted. I took my passion for software development and my passion for security, combined it into application security. So I've been involved in that for the last few years. But what I realized during my time in information security is that, I guess, my background was unique. Most of my colleagues, most of my peers came from a different background. They came from an IT background, whereas my background was in software. But looking back on it, that actually, I think, is more beneficial when it comes to application security. So I have that knowledge of how software is made, how to get it delivered, how to get it out the door, and the challenges of ingraining security into those processes. So as you see at the bottom of the screen, that really is my true mentality. I'd rather take a developer and teach them security versus teach software process to a security person. I feel like developers have that knowledge of what it takes to get that software out the door. And I could train them up, or we could train them up on the security aspect of it. So what you're seeing here is a typical job listing. It's actually a real job listing that I found searching the internet. And it has the things you always typically see. They want someone with a technical degree, typically computer science. X number of years of professional work experience, which to me I always feel like it's an arbitrary number.
It doesn't always necessarily mean success in a role. And you're always looking for some certification. It's the same thing. Certification doesn't always necessarily translate to success in a role. I'm not saying certification is bad. I have several certifications, I believe in them, but it's not the end-all, be-all when you're looking for talent. Here's where I kind of get into some of the numbers, some of the metrics out there. So every single day, we hear about these new data breaches, and every time there's a new data breach, the need for cybersecurity talent increases. The demand only grows stronger, but our supply continues to remain low. So I saw this study, and the study is saying that by 2022, there will be a shortage of 1.8 million security workers. It's only gonna get worse. So how are we to find the cybersecurity talent that we need to fill these roles? So we need to start thinking outside of the box, thinking about other ways to increase the pool of candidates. The same study also kind of brought up the fact that millennials have become the largest living generation, so the people that are gonna fill these jobs are from the millennial generation. So what are the things that they need to be successful? How can we make sure that they have what they want in a job to fill these roles? So something that I found interesting was that 35% of cybersecurity workers now come from non-IT engineering backgrounds, and I thought about my career path, and I think about a lot of people I worked with in the past and their backgrounds, and some of them did come from non-IT engineering backgrounds, and they were very good at their jobs. I think about one person in particular I worked with, a very good cloud security architect who has a fine arts degree.
I worked with several individuals who had no degrees at all, but I felt they were at the top of their game, and they were very good people, very strong in cybersecurity, so I do believe that there are success stories out there. One of our speakers earlier, if you went to the other room, Chloe Condon, she's a prime example of that. Her background is in acting, and she transitioned into tech, self-taught coder, and now she's a tech evangelist. She's done very well in the tech space, so the success stories are there, and we can mine people from non-IT engineering backgrounds to help fill these roles. The other thing I wanted to point out, I talked about millennials filling these roles, and those are gonna be the people that fill the jobs of the future. You look at what they need, they want training, and training is very important to them. A lot of companies don't wanna invest in the training; they don't wanna spend the time or the money to train people. They want people to come in and be ready and prepared to go right away. But I think training is key, because they're not getting it. So our universities are failing our students now; they are not educating them in security. So as you see, one of the top 36 US computer science programs requires a security course for graduation, so they're not getting exposed to cybersecurity and the issues, or developing that cybersecurity mindset to think about it in their work. So we need to do a better job of educating, and we're also not telling them about opportunities in cybersecurity, so they don't know the job tasks of professionals or building those skill sets to make them successful. So we definitely have to educate, and educating is gonna have to take place in the workplace through training. So it's even more important now that we're involved in these DevOps processes. I've been around a long time in this career, so I remember the picture on the left.
I remember these large releases. We'd have one or two a year, very manual, and minimal security test points in those releases. Security basically was something that was at the end of the process. You might have some security testing before release, but that was it. But now with DevOps, our releases are more frequent, they're small, very automated, and they're low risk. So with DevOps and rapid development and delivery and deployment, it is even more important now that we integrate proper security thinking and controls into the process. You think about what we're delivering from the DevOps process: web applications. So according to the Verizon Data Breach Investigations Report, 40% of all data breaches occur from attacks on web applications. And we have a prime example of that from just last week with Equifax. Now, all the facts are still coming out, but early indications are the attack came through a web application. But security wasn't always involved. Is there a reason I wasn't invited to the party? Security wasn't invited to the party. And we weren't invited to the party because our traditional tools and processes were seen as an inhibitor to the agility that DevOps promised. So security, we need to be better partners. We need to figure out ways that we can work within DevOps to not be the inhibitor. So we talk about DevSecOps, which is basically the automation of security tools and processes, controls within that DevOps workflow. So when I talk about security, I break it down into kind of three phases: people, process, and tools. So we're identifying cybersecurity talent. And from the people perspective, you want to hire individuals that kind of have a mentality of collaboration. So just in security, we've been the organization of no. The function of security essentially is about managing risk. So anything that seems risky to us, immediately we're saying no. But now our product teams, our developers come with these new problems.
And we can't be quick to say no. We have to figure out ways we can work with them to come up with proper security solutions. So instead of saying no, we want individuals that work within the security organization to be collaborative and work with those developers, work with those product teams. Not only that, you want people that have the ability to motivate and be mentors. Motivate those outside of the security organization to look at security as a shared responsibility. So no longer can security be the responsibility of a security organization; it has to be the responsibility of everyone. When we talk about security systems, the weak point of any security system is people. So you got to get people excited about security, excited about doing the right thing and taking part. So it can't just all be on a security organization. So you need to hire individuals that have the ability to motivate and mentor. And then kind of build security champions: people outside the organization that will carry the torch of security. I'll talk about processes. You need individuals that can help build processes, processes around how we do business now, to make sure security is not that roadblock that I mentioned before. So they can think outside the box and be creative. And part of that is building out processes that allow teams to self-service. When you allow them to self-service, I think it increases adoption of security. Makes it easier to do the right thing. When we talk about the tools, the tools are the third phase. A lot of tools out there, a lot of ways you can implement security. You want these individuals to come into the organization and maybe have familiarity with these tools, but what you're really looking for is someone that can learn. Someone that can learn these tools and learn how to implement them into your pipeline. That's done through automation. We're talking about DevOps. And one of the tenets of DevOps is automation.
So taking those tools and being able to integrate them in a fashion to automate those processes. So what the automation does is allow your team to focus on more strategic tasks, because you're gonna have probably a small security team. So you need to be able to utilize your resources to the fullest. So if you can eliminate some of the more manual tasks, it allows them to focus on more strategic tasks. It also scales your team and allows you to shift left within the software development lifecycle. So you can take on more tasks such as design reviews or being involved in development of requirements and making sure that security requirements are built into the process. So some of the examples, these things I've actually done myself. When it comes to testing some of our applications, sometimes you need to automatically log in for the test. So you need to write scripts to do that. Write scripts to automate, scripts to create metrics, because you wanna bubble up those metrics to the top to make sure they have visibility. So you can see what's going on within your processes. Automation to build out that security as a service, like I mentioned before. And you end up with something like this, like a DevSecOps pipeline like this. This is actually one that we built out at my organization. Taking those same tools and automating them into a DevSecOps pipeline. So when I talk about the skills that are needed, talk about having knowledge of the software development lifecycle. Know the points within that lifecycle where security should be implemented, and how to integrate it. So I just talked about the ability to build automation and tooling solutions. I think that's very important. Be able to have that skill set. If you don't have that skill set within your security team, then you have to look outside the security organization, outside the security team, and try to borrow those resources. Proficiency in secure coding. I talked about mentoring your developers on security best practices.
Some knowledge of those secure coding best practices is very helpful, and the ability to be able to communicate those to your development teams. Very important as well. One of the things we always talk about is having a builder/breaker mentality. I think that's key for a good application security professional. So that's why I said that those with a development background will make good application security people. They already have that builder mentality because they know how to build the software. They know how it's structured, how it's put together. So then they'd be good at doing design reviews, doing code reviews. So be able to have that builder mentality. But from the other side, where they're lacking is probably that breaker mentality of how to cause chaos within the software, within the application. To kind of think like an attacker to figure out ways that it could be attacked or weaknesses that may exist within the software. And that's where you train up these individuals from the other side to get them to take on that aspect of thinking. So whether it's through the automated testing or manual penetration testing or developing misuse cases. Think about ways that the developer didn't intend for the software to be used and how an attacker might try to affect it, and look for vulnerabilities. So how do you do that? You do it through training. Like I said before, organizations don't want to always invest in training, but there are ways to do it. And I think it's necessary. You can do it through computer-based training. There's packages out there that you can invest in, that you can buy for your organization, to actually train up the individuals on some of these issues that I talked about, some of these skills I talked about. Not my most favorite. What I prefer is the internal sessions. You have individuals already embedded within your organization that can teach. I think that is the best way to go.
It provides a kind of hands-on, more personalized way of doing it. Something I actually do myself. I've taught, like, the OWASP Top 10. So OWASP is the Open Web Application Security Project. It talks about security best practices for application security. And I've taught that to individuals in the organization. So it's a way for them to learn those best practices. And OWASP actually has a lot of resources to aid in that training. So to kind of, like, summarize it. Like I said before, automate all the things. Like I said, integrating security in DevOps, you must automate. Be open to those from non-IT engineering fields. And also be open to providing training. Like I said, what to look for: those with a software background. I think they actually make great application security people. Most of the successful application security people that I know, they have that software background. Then look for that growth mindset. Those that constantly want to learn, constantly want to get better, stay up to date on the latest threats that are out there. Layers of tax. So maybe not looking for a unicorn, but a true team really is a mix of leaders, specialists, and support staff. So take everything I just said and put it into a better job listing. It's actually another one that I found that's out there. Like I said, being adept at using scripting languages. It comes into play when I talked about automating all the things. So automating your security processes and creating those tools. Understanding modern web application architecture, how to secure it. Something that I added into this job listing that wasn't there when I found it was the ability to mentor. I believe that's very critical, very crucial as well. Back to what I was saying about being able to get others outside the security team within the organization excited about security and wanting them to want to take responsibility. And I love this last one. Willing to learn by tinkering.
And if you can see that last part, Google like a pro. Because let's be honest about it. A smart person is not one that knows the answers, but one who knows where to find them. That's it, thank you.

Yeah, thank you, that was good. One thing we noticed is, I think in the news, a lot of security people get really... a lot of things that make headlines and get published are these interesting zero-day exploits. But a lot of the big attacks like Equifax and other things are mundane things, like something that was patched six months ago and they just never patched. And a lot of the big incidents are just mundane, simple things like misconfigurations and unpatched machines.

Was that a question?

Yeah, I'm trying to think what the question would be there. Yeah, just how do we get the right focus on these things industry-wide? It just seems like simple hygiene would solve or prevent a lot of these things.

I believe it would. So you brought up Equifax. I don't understand why they did not patch that. That exploit was published in March of this year. And I remember when it was actually published, we actually scrambled to do inventory of our applications to see if any of them used the Struts framework and that particular version. So I think on their part that was maybe, like you said, laziness, or maybe not having a true inventory of their applications to even know that they were affected or potentially vulnerable to it. So somebody dropped the ball there.

Thanks for the talk. I think you raised a number of really important questions. I've helped build security teams at many organizations now, and I think one of the constant challenges is working with recruiters to build the right funnel of people into the pipeline. And especially when you're opening it up to kind of non-traditional security backgrounds, which is great. But what are some signals that you can help recruiters identify of people that might be really good in the field of security?
And they may not represent that on their LinkedIn profile or resume.

I think it starts with actually giving them kind of that blueprint. I find that they work off of the blueprint that you give them. So a lot of recruiters don't know much about tech. They just know what you've told them to go do. And they see one keyword on the LinkedIn profile that matches something in the requirements you provided to them, then they think that's a proper candidate. So it's really on you to be as specific as possible, to tell them what your organization's needs are. And then the other thing that we tell them is to give us as much as possible. Don't really limit the pool, because they may be eliminating people that we think are qualified. So give us as much as possible and let us do the filtering.

I know there's been a lot of studies out there that have said that oftentimes, when it comes to men versus women, when women see a job description they won't apply if they don't hit all of the different checkboxes on there, but men often do, more than not. What kind of efforts can people make in their job descriptions to make those more accessible? Because, I mean, I guess there's certain ways to be like, hey, you don't have to check off all these boxes, but have you found any particular success doing that a certain way?

Instead of saying required, maybe say desired. And I think then you may open it up a little bit more. I find that a lot of times they're too black and white, the requirements. Well, you have to have this, you have to have that, where maybe you should really list those more as desired skills or desired requirements and not required. Then communicating that this is a nice-to-have, this is a must-have, and then delineating it that way.

So is there a decent way to keep older security tools and the people who are looking for them, like an older security department, and still do DevSecOps as you expand?
Mostly about SSL, TLS. A lot of the older tools are causing drama now, but you're seeing a lot of security departments try to get into DevSecOps but want to cling to tools that just don't work anymore.

Yeah, so we kind of ran into that a little bit when we started doing DevSecOps. Some of our tooling did not fit. It kind of just took that trial and error. We believed in failing fast, and we'd try them out, and if they failed and they weren't really fitting, we had already kind of embraced that DevSecOps mentality of let's pivot from there; we saw it didn't work, let's move on. So it's about changing, I think, the mentality of your security team to not maybe hang on to those older tools and be open to finding something that actually works for the needs of the business.

Hi, thank you for the talk. Just a simple question. So with so much shortage in AppSec, something in balancing the market, it sounds like supply and demand somehow has to solve the problem. Is it because DevSecOps people are not compensated? I mean, what is, in your experience, kind of the compensation between a typical developer that wants to move to AppSec? How does that work?

I think the compensation is there. I just think that many don't know about the opportunities. I just encountered this actually this summer. I had some interns, and they would be college graduates for this upcoming school year, and they were set on software development positions and didn't really know about the opportunities in cybersecurity and in application security in particular. But after exposing them to the needs that are there, some of the skills that they should acquire and that they already have for doing the position, and kind of also letting them know about the compensation that was there, I've actually kind of converted them over into desiring application security positions once they graduate.
I will say there are some compensation issues, because some companies aren't really sure how to kind of slot those positions, and they have the desire for obtaining that talent but are setting the wrong salary range because they're so unsure, because it's such a new field. So some companies are doing it right, with a lot of them that maybe aren't buying the right salary base to get the talent in.

My question is kind of based around startups. So I feel like there's two kinds: VC-backed, who has a ton of money and they can just hire a security team and they're like, yes, let's do it. And then there's the bootstrapped, who are really focused on their product or whatever they're doing, and they maybe don't have money for security, so they say they're gonna pass on it, and then they just kind of miss the boat. What would you recommend for the bootstrapped startup as far as making sure that you can integrate AppSec and DevSecOps? How do you convince the startup founders to spend the money on it, and how do you recommend that they go about hiring?

All right, so for them I would recommend starting small. You can't put all this in at once. That slide I showed you of our pipeline, that took a long time, but we just took little bitty pieces of it and implemented it a piece at a time. So tackle the small tasks of things that you can maybe do well and do quickly, and then just build it out over time. Don't try to tackle it all at once. And I think in the startup mentality, in the startup world, they're seeing these news stories just like everybody else, just like the big companies. They know how they could be affected just as easily as a bigger company, and that could lead to the failure of the company just as much as the product just not being applicable to the market. So I think they have to have that awareness, the importance of it as well, just from all the things they're seeing out in the news.
And it may not be a priority from a feature perspective, but security should be looked at as a feature and not some additional functionality that needs to be put into the product.

So yeah, this is a great topic. Thanks for doing this. Do you see a lot of people, because of the shortage, doing the build-your-own? You did hint at that a little bit, and you did talk about the internship program, but if you're trying to find somebody and you just can't, are a lot of people bringing in interns? Are they turning to existing software engineers and sort of converting them over, which I've done with DevOps people in the past?

Yeah, no. I've seen it where you take software engineers, those who maybe have an aptitude or have an interest, maybe it's a small interest but some interest in security, and I've seen companies convert them into application security engineers. So that's definitely a real thing that's going on in some of these organizations.

Thank you, this is great. So I do know, I'll just mention this, I'm not paid by this group at all, but I do know universities are now... there's something called the threat within for college students coming out of, like, the University of Albany at SUNY and a couple others, where they're learning about this framework because there is such a shortage. So I do think we're starting to see, from an industry perspective, a bit of a shift for universities to include some type of, not necessarily formal coursework, but capstone projects and other initiatives to get folks who are coming into the workforce to be trained and understand that there is a need. It takes all sorts of people, and then it's a growing field.

All right, well, I think that's it. Thank you for having me and enjoy the rest of the conference.