contrast security’s influencers channel 1 live nation

Download Contrast security’s influencers channel 1 live nation

Post on 11-Nov-2014




1 download

Embed Size (px)




  • 1. CONTRAST SECURITYS INFLUENCERS CHANNEL Episode One: Jonathan Chow and Neeta Manier Live Nation Entertainment
  • 2. JEFF WILLIAMS Whats the one thing that deeply bothers you about the way people practice application security today?
  • 3. NEETA MANIER for me, its that were finding vulnerabilities that existed 10 years agowere still not getting good at fixing [them].
  • 4. JONATHAN CHOW Ive been involved in part of an applications program here for 12 years now, and were still having developers creating the same flawsso I think the education piece is whats missing. Weve got to stop making the same mistakes.
  • 5. JEFF WILLIAMS I couldnt agree moreI wrote the first version of the OWASP Top Ten in 2002, and its essentially the same stuff in there still after 12 years. Its really not changing, so thats a bit of a failure for the security industry.
  • 6. JEFF How do you stay on top of your portfolio of applications, the developers writing new code, and new vulnerabilities coming out?
  • 7. JONATHAN Its almost a job unto itself.I try and maintain good relationships with our business partnersbecause in some cases theyll go outside approved IT folks to get it done cheaper, faster, better. And thats a primary driver for rogue work happening.
  • 8. NEETA Weve just hired what we call Business Security Leaders so theyre our liaison.were just trying to make [security] more visible in those areas.were trying to empower the teams to do that better themselves.
  • 9. JEFF Interesting. I like that. Ive been studying the ways that industrial factories monitor their complex systems.What Im wonderingIt sounds like what youre doing is like a human instrumentation where youre gathering data through relationships with various teams.
  • 10. NEETA I think its really importantscanning technologyand its important for that to be well integrated into the tools we already use. Any SDLC process, whether youre doing QA or builds, trying to inject security into those particular tools is going to be important for any instrumentation.
  • 11. JONATHAN
  • 12. JEFF
  • 13. JEFF WILLIAMS How do you feel about your visibility into the apps and other systems that you run?...What do you do to fill in the gaps and make it look up-to- date?
  • 14. JONATHAN What Neeta said earlier was not enough bandwidth. Its true for every IT security shop that Ive ever talked to or been a part of.Youre always going to be overwhelmed. Youre always going to be outnumbered.
  • 15. JEFF That strikes me as exactly what needs to happenthe security experts really need to get out of the way and enable the development teams to do these things for themselves with automation and guidance and training.
  • 16. NEETA I remember working at GE and having that- youd have such a long time between when an application requirement came out and when it was releasedat an agile environment, if youre not there then you miss it and its kind of harder now to have that position.
  • 17. JONATHAN Its actually the worst of all worlds if you miss it becauseyou either slow them down and they wont come back, or you interrupt their process and they see you as incompetent.We risk becoming the proverbial dinosaur where we dont have a place in the new world.
  • 18. JEFF Do you feel thats the only pressure on security groups? The move to Agile and DevOps kinds of organizations? Or are there other things that are changing the way people do security or security information?
  • 19. NEETA I think theres also a positive change. I think that application security is a pretty hot topic now, more than it was years ago, its more visible. We joke that we use security breaches as our leverage to convince teams to do more.
  • 20. JEFF I know weve broken out of the echo chamber when my mom calls and says, Whats going on with this HeartBleed thing?
  • 21. JEFF I want to know: what are the key metrics that you want to know so you can sleep at night?
  • 22. JONATHAN A raw number of flaws in applications is a key metric for me.
  • 23. JONATHAN I would love to get down to the point where I can go to a specific developer and say, You know, youve been making cross-site scripting errors since 2006. Youve made it January here, you made it in March here, you made it in October here, I need to teach you something.
  • 24. JONATHAN If we can get to that point where the developers and development teams and outsourced development shops can accept the fact that security teams are here to make them better at their jobsthen I think it will gain more momentum.
  • 25. NEETA I think that any metrics that help us understand the progress, trending metrics, from point A to point BI think thats been really helpful for us to say to a team, Congratulations!
  • 26. NEETA On the educational side, vulnerabilities by technology so we can figure out, What should we be training our teams on?


View more >