DevSec For Scale Podcast Ep 1: Startup Security Best Practices

The DevSec For Scale Podcast and Meetup have arrived! We have a single mission with this community: “Making security a first-class citizen in young and growing companies.”

Our first podcast guest is one of our good friends, Dr. Chase Cunningham. Chase has been a great asset as an Advisory Board member and was also a keynote speaker at our KeyConf event in November 2021.

In this first episode of our podcast, I talk with Dr. Cunningham about all of his experience with security, not just for enterprise organizations, but with early stage companies as well. While the wisdom is generally the same for any size organization, there are important distinctions in how security is implemented. Enjoy the episode.

Watch the full episode below:

Transcript

Jeremy Hess: Our first-ever guest on the show is the one and only Dr. Chase Cunningham. He’s best known for his mod by his moniker Dr. Zero trust being the originator of forester’s Zero trust extended framework. I’m really happy we managed to catch chase from this first episode as he always has superb insights for us. So without further ado, let’s get into the episode! I’d like to give a very warm welcome to our first ever DevSec for startup’s guest Dr. Chase Cunningham also known as Dr. Zero trust. Chase, it’s great to see you again and talk to you. Can you go ahead and tell the audience a little bit about yourself?

Dr. Chase Cunningham: Yeah, well, thanks for having me. I think this is the first time I’ve ever been first at something, so I call that a win. Yeah, I’m retired military did a bunch of work for the government, worked at Forrester for a few years and just have been doing consulting and other things on the far end of that and meantime finished you know hopefully raising some relatively productive humans and wrote some books as well. So try to stay busy.

Jeremy Hess: Yeah, actually, we had you for our KeyConf event in New York City, and you gave a keynote talk there, and you also signed a few books for us. That was really cool. I think the audience really enjoyed that.

Dr. Chase Cunningham: So, yeah, that was a blast. Nice to get out of the house.

Jeremy Hess: Yeah, really cool idea for a book. Rather than just writing a general book about cyber or zero trust, you actually made it into like a novel. Right?

Dr. Chase Cunningham: Yeah, I’m working on the second version right now.

Jeremy Hess: Cool, all right, so a novelist, not just.

Dr. Chase Cunningham: Not that anybody reads ‘em, yeah.

Jeremy Hess: Hey, we’ll definitely read them, and we’ll get some hopefully reactions from the audience as well to whoever has read it. So with that, let’s go ahead and get into this a little bit. You know, of course, we’re a startup podcast, small business podcast, and what we’re trying to do is make sure that everyone understands that security is super important for even the smaller companies.

You know you only have a few developers, but you really got to make sure you bake security into what you’re building now because you never know in the future what’s going to happen, and as you’re growing, you might reach some really problematic walls that you can’t get through and you have to refactor and change everything. So you know, building on that, what do you think would be a top of mind for a small business in terms of organizational as well as developer security.

Dr. Chase Cunningham: Well, I think one of the things that occur most often is small businesses. Typically have this idea that they’re not a valuable target, that they’re not really worth an adversary’s time, and you’re creating valuable legal intellectual property. You’ve got something that’s of use, but on top of that, you have resources that you’ve spun up that someone would love to get their hands on for a whole bunch of reasons. I think I just read a report the other day that talked about one of the most prolific things for an adversary to do in the cloud. Now is crypto-jacking, you know to jump into your cloud? Use it for crypto mining and then they take that stolen crypto and go off and use it for whatever purposes.

And funny enough, if you go through that, I mean, you could inadvertently be helping supply Bitcoin or stolen crypto to like North Korea. How would you like to be the business that was tied to that when it comes on the far end? Not a good look. And then the other piece is if you’re doing development work which a lot of us you know write apps or create apps, especially nowadays because you have to have a computer science degree to create an app that could be extremely valuable.

You really need to make sure that you’re taking care to put security protocols in place before you run that thing to market, not after. That’s a way to introduce problems, and it really will degrade the value of your position in the market when you have to pull your app back to go fix security problems. Don’t be that bad developer!

Jeremy Hess: Yeah, well, let’s hope that it’s not Elon Musk and Dogecoin that has to deal with any problems like that.

Dr. Chase Cunningham: Yeah, those points there are so many coins now I can’t even keep up with them all, but I think the article I read said that Google was doing some research and they just spun up cloud resources and didn’t do a good job securing them. And I think, on average, it was about  27 to 30 minutes. Somebody was in there dropping crypto miners on those machines.

Jeremy Hess: Wow, okay, yeah, things are not looking up necessarily for security. I think we need to make sure that security is ahead of the curve when it comes to making sure that things are, you know, secured and from your organizational perspective because we really can’t have people and, you know, getting into a network moving laterally and you know who knows what’s going to happen to your data.

And actually, going back to what you mentioned with small businesses actually read that there’s a study by a company called bull guard where they found that 43 of SMB owners have no cyber security defense plan in place at all, right?

So going back to, you know, securing a small organization, what do you think you know from if you had to think about this question? What would be your first step as a small organization securing your company, like what would be the number one security issue that you think you would have to deal with and that business is in general facing today?

Dr. Chase Cunningham: Well, from I mean, I would say provided I know what I need to defend right what I’m responsible for would be. First, I need to know the space. I need to know my assets. I need to know what is required of me to take care of so that I can actually care and feed for that beast, and then second… There’s data that I did a study that validated this. I’d take care of identity and access management users’ passwords, you know, tokens, all those things secrets, whatever you want to call them.

Because you don’t take care of that, and I think the stats are staggering on that’s what’s used by the adversary. You’re not. You don’t have a chance. I mean that that other stuff comes later. It’s a more difficult problem to solve. Take care of usernames, passwords, and access management. I mean, other stuff comes later.

Jeremy Hess: Yeah, I mean that it’s interesting because, of course, working with Akeyless were very into talking about this idea of keeping your secrets and your credentials safe. So it really does seem to fit this gamut of everything around your organization has some sort of credential. Something is always able to be, you know, leaked, forgotten, misplaced – whatever it is – so it seems so difficult. So as a small organization, even if you only have, let’s say, 10 developers, I mean, you could probably still have some decent secret sprawl there, couldn’t you?

Dr. Chase Cunningham: Oh, I mean, it’s a factor. I mean, if you really think about it by the time it lets you know if you have 10 developers, just start doing the math in your head. 10 developers times how many machines times how many accesses… I mean, it just gets so big so fast that that’s the issue that you run into. You can’t do this haphazard, and you can’t do it piecemeal anymore. A spreadsheet is not an effective manner of controlling this stuff, and it will degrade your ability to get to market as well because developers get paid to ship code. They don’t get paid to do security. So you need to put security in front of them and make them more, make them operate securely without it being a problem for them.

Jeremy Hess: Yeah, we spoke about that actually before we started officially recording for the podcast where we said just. It’s just the way it is right. The first thing you want to do as a company these days is you say, well, we need an MVP, right. We need our product up l and running we need to get clients. We need to bring in money, and then we get investors, but you’re not thinking well.

What we need to do is we need an MVP, but we also need to make sure that we’re securely delivering and deploying it and offering that because we can’t have issues already from the beginning. So I think it really seems to be very imperative that even when you’re building a minimum viable product you know just to get to market, you really should still think about what are the holes what are the ways that an attacker could find to get into your system.

Dr. Chase Cunningham: Yeah, you should be. That’s the thing I try and get people to understand most often is this – if you really break it down, it’s not a defensive mindset. You need to wrap your head around an offensive mindset. If I was the adversary, what would I be looking for, you know? You’re never going to be perfect in your defense, so just be real about that, but you want to boil off the easy avenues, and you want to make it where. It’s not worth their time and effort to do bad things to you. You know, it’s running from the zombie horde, if you trip and fall, you know, it sucks for you, but I’m gonna keep on running. I don’t have to be perfect; I just gotta be faster than you.

Jeremy Hess: Absolutely, so going back a little bit to you know discussing issues with how we would, you know, what we would face, like what was what’s like a number top of a mind security issue that we’d be facing today? What would be the ways to already proactively think about fixing or dealing with these kinds of issues?

Dr. Chase Cunningham: Well, I mean the solutions are in the market now that can take care of a lot of the problems that people are going to face, you know, being able to do management of all these accesses being able to make it where it’s painless. You know the developers and the people writing and shipping code can just integrate it into their pipeline that makes it where it’s, I guess you could call it, production security instead of the add-on, and that’s the difference-maker.

You want this to be part of the pipeline, part of the process, part of the methodology, and to do that you’ve got to put a capability in play that is part of that pipeline, part of that methodology. So it’s got to be lightweight, it’s got to be an integrated and it’s got to be something where you don’t have to have a degree in security to use the technology. You know, I tell people all the time like I’m a bad developer. I write really crappy code. You would not want me writing anything for production.

But I understand the ability to integrate security into that pipeline, and if you’re a developer, be able to do it five or six or seven different ways because that’s what people like you know. I want to do it from the terminal. I want to do it from a UI. I want to do it from wherever. You know click, click, click bang, and make it go.

Jeremy Hess: Yeah, always got to be like the path of least resistance to be able to do all the work that I really want to get done but also don’t bog me down. Like, don’t make me, you know, build and you know to log into extra places and add extra applications on top that I have to configure and deal with myself. Put it in place have it be sort of seamless where I don’t even notice that it’s part of my regular flow.

Dr. Chase Cunningham: Yeah, the moment that you get in the way of people doing what they’re getting paid to do, which developers get paid to ship code, remember that your security control becomes less valuable, and that’s a hard thing for us to get our heads around because for the longest time security practitioners, we’ve wanted to say, you know, get in the way, make security where it is, you know gates, guards, dogs, etc. That’s not going to work. It slows business down. It causes degradation of capability. You will lose when I go up and have that conversation as a security person against someone that’s shipping code that brings in dollars. I’m a cost center, and if I’m a cost center, I lose. If they make money and I cost money that they win so that you need to make it where you are not a cost center, you are not degradation of service, and you’re not slowing speed to market. And you can do that if it is from the ground up and if it is part of that pipeline.

Jeremy Hess: Yeah, I think that was like the next segment is how do you make sure that you can actually integrate those things into, you know, early on? And also, what would the costs be if you really didn’t think about security until you were already, you know, a 500 strong developer company?

Dr. Chase Cunningham: Yeah, I mean it. I think the numbers I saw was I can’t remember who did the study. I want to say it was the Better Business Bureau or something like that, but they did a study that validated that people are more willing to work and put and give their money to companies that can say this is how they do security.

I think it was like 55 people, so it is a competitive differentiator, and it is something that you need to make as part of that process and even if you don’t understand that, if you just argue a way that you’ll say that that’s a stupid statistic, okay fine. If tell me that you would not cause loss of business if you put something out into prod and then you realize there’s a major security issue and you had to pull it back, how much time and how much business would you lose there?

Even if it’s not that you accept this reality of some of the other data. So it has to be from the ground up, and it has to be part of the plan and program, and you want this to be care and feeding. You don’t want to have the baby be out there and then go, oh we got to feed this monster.

You know, now we have to make it part of the process. It’s got to grow with the business grow with it you know it if you have 500 developers two years from now, it’s way better to make it where when you onboard them. They understand that this is how you do business rather than we have 500 developers. Oh crap, we should figure out security.

Jeremy Hess: Yeah, and that’s also when most companies seem to be, are only starting to really think about security because all of a sudden regulations you know, yeah compliance, exactly. And compliance is up. We could do another three episodes, probably on just compliance. I’m sure, but

Dr. Chase Cunningham: I’m probably not the person you want to have on those because I’m not a fan of compliance. Yeah, well, okay, so let me actually let me change it. I’m a fan of compliance because compliance sets the bar compliance is not the ceiling. So just you know, folks should remember that don’t…

Jeremy Hess: That’s interesting!

Dr. Chase Cunningham: Don’t strive to be compliant. You know compliance is necessary because it is the bar… do better.

Jeremy Hess: Well, okay, that’s a great thing. I didn’t actually ever think about it that way; I think I always had in my mind the idea of compliance being well. These people who you know built their system of compliance and how things need to be done that they’re just, they know so deeply technologically, they understand exactly what goes on in terms of all the architectures and infrastructures and systems that they know.

And if you’re going to build compliance procedures, you’re probably going to build it in the strongest manner, right. You’re probably going to have it be ready for anything, but what you’re saying is, “not necessarily, I guess from your background you’ve dealt with probably even compliance from the other side about like sort of being part of teams that maybe build compliance methodologies.”

Dr. Chase Cunningham: Yeah, I mean, I also remind people every organization that’s been breached was compliant. So compliance obviously is not the ceiling. And I think that it’s valuable to wrap your head around this statement too, is think of compliance like a seat belt on a jetliner, on a 737, right. I have to have it because the FAA says I have to have it to back away from the gate. I need to have it because if things go bad in the air, I don’t want to bash my skull on the ceiling of the plane. However, if everything goes to hell and the plane hits the ground at four or five hundred miles an hour, a three-inch strip of nylon does not save me. But you’re compliant.

Jeremy Hess: Exactly, but you’re compliant. That’s a tagline. Maybe we should, you know, have t-shirts, “but you’re compliant.”

Dr. Chase Cunningham: But I was compliant, right!

Jeremy Hess: But I was compiant, right? Solarwinds… but I was compliant.

Dr. Chase Cunningham: I was complying okay, good, congrats – so was everybody else. No bad guy has ever said, oh my god, a compliant environment… and stopped. Never!

Jeremy Hess: Yes, absolutely, that’s actually, well, I mean, that’s just the way of the world we live in, right? I mean, an attacker that really wants to get something done they don’t care what you have, how you have it. They’re going to find some way in and you know it’s up to the organizations to find ways.

And like you said, starting with security from a small organization and growing that as you know, organically with the organization, as it grows, means you already have that baseline of security, and yeah, whether you’re compliant or not, as long as you’re hardening your security properly. You know, and as long as you’re growing, your developers are all compliant with the rules in-house. You build a stronger product you know overall, right?

Dr. Chase Cunningham: Yeah, I mean, the technology is an enabler. We need to remember that security technology is an enabler if you use it correctly, and honestly, I don’t. I talk with some pretty big organizations all the time about this. I don’t want to make anyone else a security person that isn’t a security person.

I want you to do your job if you’re in HR, if you’re a developer if you’re financing, whatever do that because that’s what you’re good at. Don’t do that and be a security-ish person. That’s not going to work. I want to put technology in place that makes it where your experience is secure or secure by the nature of the technology you’re using. You don’t have to be an internal combustion engineer to know how to get in the car and buckle up and drive where you got to go.

Jeremy Hess: Right, but you got to learn how to be a safer driver of the vehicle, right. You got it, but the key is you’re able to get into the car and drive, right?

Dr. Chase Cunningham: And the car, yeah, the car is inherently safer than it was 20 years ago. Remember when airbags were optional?

Jeremy Hess: Yeah, hey, seatbelts weren’t necessarily a thing.

Dr. Chase Cunningham: I grew up in a world where seat belts were optional. You know it didn’t even ding when you didn’t have a seatbelt. My parents were like putting their arm across you as you were driving down the road.

Jeremy Hess: Yeah, I remember having a few close calls, my mom having to slam on the brakes and just putting her arm out and just holding me back.

Dr. Chase Cunningham: Yeah, I mean, I grew up on a ranch in Texas. We used to sit in the back of the pickup truck and go 50. You know, but I mean, we’ve realized that that was not a very safe manner of transportation and overtime. You know you’ve you know, and the other piece to is in that analogy around vehicles what not even five years ago you used to buy the Garmin GPS to put in your car. Right?

And that was an additional thing, but it was super useful, but it was another feature that you needed, and you had to know how to kind of click, click, click, and configure this and set it up and whatever you needed to put in the right place. Nowadays, modern vehicles it’s either in a console right in front of you. Or worst case, you take your phone, which has the GPS in it, you Bluetooth it to the car, and then you just stick it into a holder and go on about your way. So it’s become a lighter weight, but that feature that’s so valuable has been integrated into how you use the vehicle.

Jeremy Hess: Absolutely! Right, so again, all basically coming back to the same idea, you know. The more you’re thinking about safety and security earlier on, the better you are overall as you become larger, so I think you know it’s pretty clear not just from you know just from the security aspect of you know of attacks you know and things like that but also from an internal the amount of money what it costs to change security applications to add new extra things on top of what you’re building from the beginning. I mean, it seems like you know if you just had those bases covered at the beginning, you’re not going to be building a whole new, you know, a rocket ship.

Later you won’t be able to do it, or it will cost you way too much money, and so you’re talking about dealing with potential issues from attackers and data leakage, and key, and you know all that stuff. And then, at the same time, you’re talking about the cost of doing the business right, building the application, and shipping it, so a lot for everyone to think about. And the next time we talk, maybe we’ll talk a little bit about zero trust.

Dr. Chase Cunningham: We could do that, I’ve. I know a thing or two about it; I’ve heard about it.

Jeremy Hess: I’m sure you have and also how it’s connected to this whole idea of dealing with developers because developers also do have to securely access data and applications from their homes especially. And I know this is, you know, beating a dead horse already. We’re all working from home for the past bunch of years, so we really need to make sure that the way we’re getting into our systems is secured.

Dr. Chase Cunningham: Yeah, and again it’s it shouldn’t be difficult for you to do this. The technology to do this stuff is there, and it doesn’t have to be miserable, and if it is miserable, you need better tech.

Jeremy Hess: Yeah, absolutely well, Dr. Chase Cunningham. It was really great to have you as the first guest of the DevSec for Scale podcast. I really had a great time. Thank you so much for your time, and I look forward to being in touch again and having you on for another episode.

Dr. Chase Cunningham: That’s great, man. I appreciate your time, and you know, congrats on starting something new.

Jeremy Hess: Yeah, gotta do it, right? That’s the key – just gets started and see where it leads you, and hopefully, everyone finds some value in what we’re trying to do. And let’s make sure we keep our things secure and make sure we keep security as a first-class citizens.

Dr. Chase Cunningham: There you go! Jeremy Hess: Perfect, thanks so much. Have a great one!