With a career that spans mainframes, integration platforms, and developer experience, M Brennan brings a unique lens to the world of application security. In this episode, M joins Cole Cornford to unpack why integration is often the riskiest layer in software systems, how context is everything when choosing security controls, and what it really takes to build security into developer workflows without adding friction.
They dive into stories from government and enterprise environments, the overlap between security and resilience, and how thinking in terms of energy and empathy, not just tools, can lead to better outcomes for everyone. Plus, a surprisingly effective stereo-selling strategy, some well-earned AI scepticism, and a jam-jar analogy you’ll never forget.
Cole Cornford
Hi, I’m Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. Today, I’m joined by M Brennan. M is an excellent engineer and has been heavily involved in the integration space in the past, which is particularly interesting in application security. I know a lot of people think that the plumbing doesn’t matter, but if you don’t do your plumbing right, then you’re going to have all sorts of problems when things aren’t connected to one another.
M and I also spoke about many topics related to leadership, about helping grow the community, about taking care of other people as you climb up the ladder, and plenty more interesting parts of conversation. So have a listen, tell me your thoughts, and here is M Brennan.
How are you doing mate?
M Brennan
I’m doing well.
Cole Cornford
So M is an absolute superstar. I’m super excited to have you on to the podcast today. I think we’ve been talking for like, what, two or three years at this point, at Telstra?
M Brennan
Yeah, about two years. Yeah.
Cole Cornford
It’s nuts to think about that. We walked across the road and I think we just had an Aperol Spritz, and now here we are. Two years later, you’re on Secured. But obviously I know you quite well. Maybe you should tell everybody a bit about yourself and what your experience is in the cybersecurity and just broader engineering spaces.
M Brennan
Yeah, cool. So I started out my career as a software developer actually starting in the mainframe space, but eventually moved into integration. And that was really where my exposure to security and cybersecurity started because integration is the connective tissue between everything, but it’s also therefore a vulnerability point, right? It’s a place where the attacks can happen, and thinking about how to secure communication and the necessary security can be different between different use cases.
I’d worked for government, energy, and financial services, so really big security concerns in those spaces. But we also occasionally did work for smaller businesses that had much lighter needs. And then, after looking after integration for a long time, working with security, I’ve now moved into developer experience, so I look after the tools that developers use to build and deliver their applications. But that means it’s a critical point for the coming together of the security concerns, the resilience concerns, and the business concerns of delivering the software.
Now I’m working very closely with security engineers and cyber folk to make sure we’re delivering secure software rather than delivering software and then making it secure.
Cole Cornford
I do agree a lot about integration. And look, I’m also, I have a soft spot for mainframe because pretty early on, I started doing… I built a thing called, I called it the SITH when I was working at the ATO, the system integration test harness, but I just liked Star Wars. And it converted, like, dotnet, C-sharp messages or dot-test data into MQ messages to put onto the IBM MQ so they could then run through all that rubbish back then.
Anyway, it’s funny, about 2023 or ’24, someone gave me a call from the ATO and they said, “Cole, your name’s been on the SITH for about nine years. It’s spread organically throughout the entire organization. We just wanted to let you know we’ve finally decided to deprecate it.” I’m just like, “I built this in two weeks, why has it become endemic?” It’s this cute dotnet thing. So as weird as it sounds, it’s like hard nostalgia whenever I have to log into a CICS terminal and I’m just like, “Oh, look at me, this is fun.” And then probably about 10 minutes later, I’m over it.
M Brennan
Yeah, I started out on Unisys mainframes in the financial services and pensions investment sector. So I was writing quite complex actuarial maths and projection algorithms using COBOL, really, really simple language, but we had really thorough test harnesses. We had really good practices. A lot of the things that now would be called DevOps or SRE and rolled into those practices, we did them because they were professional.
Cole Cornford
Well, that’s the thing. I honestly, I’ve read a lot of code over the years because I’m a secure code reviewer, I do lots of code reading. And I have this fun thing I tell people, which is that code written before the 2000s is actually almost always genuinely excellent. I’ve very rarely encountered code that’s in Fortran or Delphi, COBOL, or I don’t know, even older languages like C or C++ that hasn’t had preconditions, post-conditions that they’ve actually thought through. They have good unit tests, they’ve decomposed it, all of that kind of stuff.
And then it’s around 2000 when as soon as like dotnet MVC or Java Struts comes in, everything goes to shit. Beyond that point, nothing’s good. I’ve not seen good source code post 2000.
M Brennan
Not quite that. So my early professional programming was during the 2000s, so just into that, lots of amateur coding before that. But yeah.
Cole Cornford
That’s what I… I mean I’m just reading the code just because I didn’t write it at that point. I just got to read what’s been around for a long time. So I come across the Perl script and I’m like, “Yeah, this is good. This is well engineered, this is great.” And then I open up the next step, I have a look at this Struts app and I’m just like, “How is this powering what it is? I don’t understand how we even got here.”
But integrations is interesting to me because it’s like you have all of these different computer systems that need to talk to one another, and so how do you manage authentication and authorization between all of these? That’s messy. How do you make sure that the data is secured in transit between them? How do you make sure that they can actually communicate and be interoperable with one another, because oftentimes they’re not? So there’s a lot of challenges that I see in that space as well.
M Brennan
Absolutely. And one of the things I’ve seen in that space is people really not understanding why they’re using a given control. And especially thinking about the confidentiality, integrity, non-repudiation aspects, the needs are very different per use case. I did a lot of work at one point for New Zealand Racing Board. Now the odds that they broadcast out to their mobile app and the website when you’re on it, those don’t need to be confidential. They’re public information. They want customers to know them, but they have to be accurate. They have to know that they haven’t been tampered with.
And then the bets that are being submitted, you need to know that they’re exactly what the partner wanted to submit. Whereas I did work for Ministry of Justice and New Zealand Police, and that’s really sensitive information about individuals. So the confidentiality is obviously the primary concern there. So knowing why you’re using different controls and being able to choose the right controls for the concern is something that I learned in the integration space.
Cole Cornford
I find that’s also really missing in the security space, that people focus on the technical aspects. They don’t focus on understanding why they need to do something. A perfect example in my training course, I spend a heap of time on context, just saying to people, “Yeah, look at this. It’s a cross-site scripting vulnerability. Now tell me, is this going to be an issue if it’s on W3Schools or JSFiddle?” And they’re like, “Oh, is it? Well, the whole purpose of those websites is to teach people how to use JavaScript and reflect it back to them. So I would anticipate that those domains would probably be okay.”
Or my other favorite one I talk about is input validation. So if any of the old guides was followed to the letter, you’d be blocking everybody who had an Irish name because it has a freaking apostrophe in it, or no one would be able to submit source code to GitHub because source code contains special characters, funnily enough. So that context matters so much and people just don’t think about it.
And I think that that’s why I have a lot of fun in the application security space because especially as a business owner, I understand all the stuff. What’s your end-to-end value stream? What’s your cashflow? How do you make money? Where do you make, where are your revenue producing assets? What are existential risks and which are things that you can accept, and then drill it all the way down to techie stuff.
M Brennan
Yeah. So, CORS was the one that always used to come up in the integration space because it’s right there on the OWASP Top 10. But when you are building an enterprise integration platform, the majority of your traffic isn’t from web frontends. It’s system to system, and the CORS headers are just wasted data on the wire when you’re doing that type of integration.
Cole Cornford
So for my audience, CORS is cross-origin resource sharing. And basically what it does is it tells a browser to turn off same-origin policy. Now if you are not interacting using a browser, then same-origin policy is not relevant. So that’s what we’re trying to get at. But if you are a pen tester, please keep raising CORS stat findings all the time because I love having to go and talk to bad pen testing firms and saying, “Sorry guys.”
Now savagery aside, that’s probably another thing. I’ve been talking to a lot of people recently, mostly developers funnily enough, who were extremely frustrated with the standard cybersecurity experience, because I feel like most security professionals just do not come from a development background. So they don’t understand. “This is meant to only be used for the test environment, so why do we have to worry about dev dependencies? Is this something I need to be patching and keeping up to date?” Or, “Oh, why would I use content security policy? I know it’s a missing security header, but we’re already using React to do output encoding.”
And often, security people are saying, “Oh well, the finding is the finding. It’s up to you to accept it,” and then moving on. And I think that’s kind of a bad experience. But you are someone who’s in charge of developer experience, so what do you think security is falling over and messing up at the moment, and what do we need to do to be better?
M Brennan
I think the falling over is in both directions. And you touched on it there around a lot of security folk are not developers. A lot of developers are not security folk. And the reality is there needs to be empathy and understanding in both directions. So I’ve spent a lot of my time doing tech for tech, the tools that other tech folk use to deliver for the customer or for the business. So understanding the needs of a developer and importantly understanding the energy.
I think a lot about time and energy when I’m looking at the developer experience. It’s like, what am I asking this developer to do and how close is that to their primary concern? Because their primary concern is the thing their product owner or their boss is whipping them to get done and delivered by a deadline. So every decision they have to make that isn’t part of that core focus is mental energy they’ve got to expend. Every activity that they’ve got to do is time that they’re drawn away from delivering on that primary focus.
And sometimes, that’s really important. So a developer should be thinking about the threats to the application they’re building. But if they’re also having to think which tool do I have to sign up to use? How do I get that set up? I’ve got to go through three forms and two extra approvals to just be able to use the thing I’m required to use. And so a lot of the thinking and conversations I’m having are about how can we make it really easy? How can we do the domino decision so when the developer starts writing code, things are ready for them when they need it.
If I choose to write in a particular language, then I need static code analysis, I need software composition analysis. These aren’t decisions I as a developer should have to make. They should be provisioned to me. If I decide that that code’s going to live in a container, well now I need container image scanning. If I’m going to push that to a cloud environment, I need to know the cloud environment is secure around me and that it’s easy for me to use it in the right way so that it remains secure. So it’s about how can we remove those decisions that are really not decisions, but we’re making the developers think of them in that way.
But then the flip side of that is we make the security, particularly, I interact a fair amount with security architects or, as you mentioned, pen testers, and we spend a lot of time asking them to analyze and understand what we are delivering in the application without participating in things like threat modeling. And I think that when I have done threat modeling with application teams, it’s been really productive. They’ll think of the, oh, they could do this.
You mentioned the vulnerability, what’s the consequence? What’s the worst that can happen if this gets compromised, and the websites that are designed to let code in and out and reflect it back on people. So therefore the worst that can happen is that whole experience gets corrupted and the person has to refresh their browser. You protect your backend in those scenarios. But if a team have thought about the threats and they’re participating in the threat modeling, then the person on the security side can focus on what are they not thinking about? Are they properly thinking through those threats?
And in some conversations I’ve had, you go, well, actually the worst that can happen here is they flood this channel over here and I lose this piece of information for however long that denial of service is happening. It’s like, okay, is that information important to you? It’s like, yeah, it’s helpful, but it’s not essential to my business function. It’s not going to compromise my ability to support the application. So it’s not that big a deal.
That has come up for me a few times recently around web app or mobile app telemetry. Necessarily, you’re sending signals from someone’s browser to a centralized place that inevitably becomes a bit of a potential DoS point. You could flood that endpoint. What does that do to you as a team if that endpoint gets flooded? And if the team have thought about it, then they’ll often then think about what are the compensating controls. How else could we get that information? Do we have a way to shut that channel off?
Cole Cornford
I do think about things in terms of time and energy, toil, abstractions. I preach for big enterprises less so because the amount of work to actually get anything to be consistent is nuts. When you go to, because they grow by accretion, right? You typically go out and say, I’m a 10 billion or a hundred billion dollar business, I’m going to go buy a bunch of tiny places and then munch them together. And then they’ve all got their own P&Ls, ways of working, engineering tech stacks. And eventually, that’s how you end up with the situations we have where people are like, I need a static analysis tool that covers everything from COBOL to Node.js, Bun.
And so that can be quite frustrating. And whenever I hear about people aiming for secure by design or secure by default, I’m always taking a step back and saying, are you going to be putting the work in to be considerate that you have all of this brownfield estate that you need to be moving over here? And I don’t think that that’s going to be a conversation of business to be willing to foot up. So I like that focus on we’re going to provide you with the products and the tools and the pipelines, and that’s kind of the happy path. And if you get off the happy path, then you’ve got to use the machete and cut through things. And that machete usually looks like a pen test.
But by the same token, I didn’t really think about security experience and I know that we say DevX, but I don’t think we can say SecX without anyone laughing at us hysterically. But the ability to, I know there’s constant frustration when I meet infosec professionals internally: usually I’m on a conveyor belt and I don’t understand the ecosystems or products that I’m assessing. I just feel like I’m part of a factory line. I don’t get engagement when I need to get engagement. It takes me a long time to get credentials or environments provisioned and so on, so forth.
Do you think that there’s a lot of room to also be, if the bottleneck is just on improving developer experience, do you think that there’s also a chance that it might be worthwhile considering a security experience as well and improving that too?
M Brennan
Yeah. And I don’t think the two are necessarily that separate. The things you just described, can I get access to the things I need to have access to, quickly? Can I get an environment set up to start to do the things I need to get done? Those are exactly developer experience concerns as well. If I’m a new member of a team, the thing that stops me getting productive with that team is usually access. If I’m a new team wanting to build a new application, the thing that usually slows us down upfront is getting the environments provisioned, getting everything set up. So those exact concerns come up for developers as well as security folks.
So I think if you look at it like, I’m going to solve this for everyone, often teams necessarily, they’ll scope. They’ll go, “We have to focus, we have to get the MVP.” And a thing that I’d like to tell my teams is, if you can get a big value for a small extra investment, make the extra investment. If you can deliver something for free, free being it’s just there, then don’t spend time switching that thing off because it’s not part of your MVP. Just take it as a win and celebrate the extra value.
So if we can solve for fast provisioning of access and environment for everyone, then it benefits the security folks just as much as it benefits the application developers.
Cole Cornford
One of the common pushbacks I see is let’s get application whitelisting working across all the different devices. And almost I see it so often where there’s someone who has to do Essential Eight and they basically have corporate all application-allowlisted perfectly, and then you have all the developers just have local admin, can install whatever they want. And I’m just sitting there thinking to myself, what’s the purpose when you have these media people have access to everything that they probably shouldn’t have access to, so the highest-risk people, and then you just have all of the EAs and marketing people who just can’t do anything, which just doesn’t make sense to me.
So one of the things I actually push for is things like VDEs, like virtual development environments. So where you can just effectively infrastructure-as-code provision instantly, some kind of environment with VS Code or the repos already cloned locally onto the desktop that you need. So you don’t have to worry about setting up Git or figuring out how that works because surprisingly, I’ve met a lot of people who don’t know how Git works. And that’s okay.
M Brennan
Me too, and I work in developer experience.
Cole Cornford
So by doing so, you can actually segregate as far as I’m concerned, corporate from development. And so if development gets compromised, you can wipe it away and not have it have access to corporate. And so you can then maintain an app allowlisted environment, and that’s a good way of just thinking outside the box. Devs will complain about latency because this will be a little bit slower working in a virtual machine or whatever. But still from a security perspective, that’s pretty good, right?
M Brennan
Again, looking at how everyone benefits from the thing. In a few different organizations I’ve worked in, I’ve ended up running code for non-coders courses. And a lot of my day job involves spreadsheets and getting data out of systems and that sort of thing. So a lot of the code I write these days is Python code, reading spreadsheets, processing data from maybe an API call or two.
And I see people, my peers doing these exercises within Excel writing formulas and deleting rows and filtering stuff. Actually, if I give you just a little bit of coding skill, show you how to do it safely and something like a virtual developer environment, it’s really good for that, then they can automate as well. We often think about automation for things like operations and testing and that sort of thing, but it’s valuable to everyone.
Cole Cornford
Yeah, zero to one using automation. I’ve seen businesses that have run on an 800-page Excel spreadsheet and then they’re like, how do we turn this into a web app? And I’m just like, yeah, I am a security professional, so I’m just going to leave this conversation. You can go talk to someone else about that. But the number of times it’s come up with someone that’s some small business and they’re just like, “Yeah, I just thought we’re using one Excel spreadsheet and it just does everything and we’ve just kept iterating on it for 20 years.” And it’s like, okay, I like this.
M Brennan
The mental threshold I have is if it accelerates you, so one individual, and maybe multiple people use it but in each case they only use it for themselves, then that’s a good use case for that end user developed solution. As soon as something supports a team, and particularly if it supports a business process, you probably want to move it into a properly managed asset and do all the diligence around that.
Cole Cornford
Yeah, because a common thing that I see is people building skunk works to just try to make things work, and then the skunk works becomes the strategic environment with no OPEX or funding to support it. When I was at Westpac, we built something like this called secure code as a service where people could submit. Now deprecated, thankfully very happy about that, but we were using modern technology like Docker which was just released, amongst other things. And the idea was that we’d have a long polling HTTP thing where, effectively, you’d upload your code whenever you wanted to, and then people could poll back about whether it was done, and then it would notify them, grep through the results and email it out to people.
And so instead of people having to get outside of their development ecosystem, because honestly if you’re a developer and you’re asked to go log into a security product and then you have to go back, there’s a good chance that if you do this once a quarter or once a year, you’re never going to remember what the product is or where it is, or your login is going to be disabled or it’ll be too hard. So we did this, but because I didn’t actually get a business case up and running to actually operationalize it, it just kind of, like, when the main engineer left, bless him. We’re always big fans of the cutting-edge engineers doing résumé-driven development.
M Brennan
But they move on.
Cole Cornford
They move on, and he did and then I was stuck with it and it was very frustrating. I eventually said, “No, we’re going back to the old ways of working,” which annoyed everybody who was used to this new way of working. Do you find that… That’s probably another good piece to tap on to. How do you manage change? Because I often find that people are quite reluctant to be switching things up even when presented with automation opportunities because it’s a little bit scary. It’s different to what they know.
M Brennan
And it’s the cognitive load, right? Change is non-trivial, and that’s where I try to bring it in a little at a time and I try to bring in why this is optimal for them. So a lot of the conversations I have, with you, you mentioned having to go out to the security tool. That’s a big hurdle for people who are usually delivering things that are not security significant. They’re little tweaks to application functionality, but it’s not really causing a big change in the security position.
So a lot of my conversations with the product vendors is how can we get these insights to the developers where they are? Can we put the results of this scanning in real-time or in that sort of feedback loop that you mentioned so that it’s there in their IDE while they’re writing the code, because at the end of the day, that’s the best moment for them to fix it because they’re in there writing the code? How can we get it into builds and other things in the CI/CD pipeline so that they know as early as possible?
And then these tools are good, they often have lots of rich information and particularly about their sort of total set of scan results. They need to be there, they’re good for product owners, and as a group owner, being able to see what does my estate look like. But a developer writing a line of code doesn’t want to have to go out to those places. So that can help as well, saying, “Hey, I’m not asking you to do something different, I’m asking you to do the thing you’re already doing. But hey, here’s this other thing that’s going to help you out there.”
Cole Cornford
It reminds me, do you remember the jam-jar experiment? Have you heard that one? So I think it was a product or marketing theory where they basically gave people, they went out and set up at a supermarket and they put down free jars of jam, and it was like good jam, bad jam, moderate jam or whatever. People would try the jam, they’d be like, “Yeah, I want to go buy that jam.” And then they repeated it about a month later, but they put down 40 jars of jam and they had every flavor, levels of acidity, covered every single taste available. And what they found is that when presented with two or three options, people had a 70% conversion rate. When presented with 40, it was like 10 or 15.
And I think about that a lot when I’m considerate of the types of products that you would be introducing when we shift left because a developer who is presented with a bunch of static analysis and composition analysis and dynamic scanning and so on, just linting even, it’s a lot of jam jars to pick from.
M Brennan
You just reminded me of, I think when I was still at school, I worked at a store that sold stereos. Part of my job was trying to encourage people to buy stereos. And there were three in particular that I remember. One was really cheap, one was reasonably priced, and another one was really expensive. And what I did was I went and I adjusted the EQ settings on the middle one so that it sounded really good for Weather With You. That song, the beginning of that just came in and sounded perfect. And then I messed with the settings on the other two so that they sounded bad, because then what you’ve got is a really clear distinction between the cheap and the middle. The cheap one wasn’t very good, so I wasn’t doing anything dishonest. The expensive one was better, but it wasn’t so much better that for most people, they’re going to want to jump to that extra price tag.
And so what I’ve taken from that into my career is if you offer something really good and reasonably cheap, and cheap in this context is the cost of change, do I have to relearn stuff? Do I have to switch up the way I do things right now? You can make that reasonably cheap and you can demonstrate that extra value why it’s almost as good as the brilliant thing and much better than the cheap thing, and people get on board.
Cole Cornford
That’s how the real estate agent sold my house to me. He’s like, look at this $4 million house in Mary River. Isn’t it nice? I’m like, oh yeah, it’s very nice. I don’t know, $4 million. He is like, look at this house here. And I’m like, we’re living in Darrow land in the middle of a ghetto and the walls are falling off, and I feel like I can just breathe the asbestos. And they’re like, look at this house that’s halfway between the two. And I’m like, “Done. I’m going to buy this.” He’s like, “Ha-ha, this is the house I meant to sell you the entire time.” I’m like, thank you, mate. So there you go.
Look, it’s very effective, but what was I going to say? I liked that you did that with stereo as well. You got to stick in the middle. You’ve got to buy the CX-5. Don’t go buy a Porsche Cayenne, they’re not that good compared to a CX-5. Don’t go buy a Corolla, they’re still pretty rubbish. It’s just here’s where you are.
So actually one of the things I’m excited about is artificial intelligence and how we could be using it to, I’ve always reduced toil for things that are just a little bit too hard for developers. And some of the concepts I’ve been playing with in my head are like, when we do threat modeling, for example, one of the biggest issues that we have is not having a security context for developers to be able to apply into the model. So they’d need to be bringing a security resource in to support that.
But in a circumstance where that context can be ascertained by reading a knowledge base internally about security or looking at existing security incidents, then suddenly we’re making that easier for people to do on a regular basis, maybe even running or the relevance of the data flow diagram and assets that we have.
Well, if we can look at design documents, all of those pictures that we’ve painstakingly drawn in Miro, and then throw that in to automatically create a model, I can see that being an activity that people start to regularly do because right now, it’s too hard because people don’t know the context. They don’t have the information, don’t know how to do it, they forget about it, but we can reduce the toil.
And I see this in a lot of those circumstances. Developer training is another example, because if you are going out of your environment and then having to navigate to a webpage to go effectively play games for a little bit, because most people I’ve spoken with who are devs feel like gamified platforms…
M Brennan
They feel abstract, right? They feel over there.
Cole Cornford
Yeah, I might do it. Is this really work? I don’t think I should be doing this. I feel guilty about the features to deliver. But if they’re writing code and it comes up with a Clippy every now and then saying like, “Hey, that’s sql.exec. Do you know that that’s quite likely to be something that results in an XSS? Here’s some directly relevant information to you.” I can see so many opportunities for disrupting and improving toil.
M Brennan
I think what you called out there is a really good point that I think is sometimes getting missed in a lot of the hype about AI, though the things we do are in a spectrum of complexity and the sweet spot is in the middle for AI at the moment. Now, is it going to get better and better at the more complex things? Probably, almost certainly. But the sweet spot for me is in the middle because I see a lot of people thinking they’re doing wonderful things with AI and what they’re really doing is applying probabilistic solutions to deterministic problems, right? They’re getting low hanging bits of value, but actually they were just always the things that should have been automated. And we didn’t have time to do the automation. We didn’t have the funding to do the automation. But if you call it AI, you get the bit of funding.
But that’s not where I see the real value. The real value I see is in that middle ground of complexity. Your example of threat modeling is a really good one, because a blank sheet is scary. What do I put in here? How do I even get started with this? And obviously, the frameworks and stuff help with the how. But having an AI generate a starter for ten, right? Here is a first set of questions, a set of things to consider, scenarios to play through. Once people have got a couple of examples, their creative juices kick in and they’ll come up with more. But getting from zero to one is much harder than getting from one to ten.
So that’s where I see generative AI in particular being really useful and not just in the security space as well. Looking at it in the resilience space, what are the resilience threats to the application? How can we look at problem management more productively by saying, “Hey, here are the first few problem actions of this incident that just happened. Think of more”?
Cole Cornford
Yeah. I’m excited to see where our future takes us in this space, honestly. I know a lot of my mates have gone over to RSA, and I think that they counted two vendors that didn’t have AI branding on their stalls.
M Brennan
You’ve got to do it these days.
Cole Cornford
Got to do it. Galah, like, I can see Galah.ai. Maybe I should register that and rename my company as Galah Group. But it’s something that I did a couple of years ago. I was treating it as Web3 in a way. One of the things that I’ve been very active about doing in my career is making intentional decisions to ignore a topic entirely and just pretend that it’s not relevant. And I’ve been vindicated many times for doing so, because that turns out to be a flavour of the month, like, useless. I’ve only had myself fucked up with AI, but also not really.
And the general reason I wanted to do that is because you spend all this time learning something, like the things I skipped. I skipped Ansible, I skipped Angular, I skipped the entire Web3 ecosystem. I just assumed that they were never going to be relevant. And I guess when I skipped Ansible, everyone was learning Puppet and Chef, and nowadays everyone is just like Terraform and CloudFormation and shell scripts, really, so all of that kind of disappeared.
The Angular 2 versus React one, I see React everywhere. I picked one of the two. With AI, my view was like, “Oh, I’m just going to take a step back and just not learn anything AI.” And so it’s been vindicated in a different way, in that the rate of change, if I had learned what was there two years ago, would have been fundamentally different from what today is with reasoning models and agentic AI.
And so we’ve seen the value, we’ve seen the people using it. I don’t think it’s going to be as good as everybody is making it out to be. Like Klarna the other day said that they are starting to hire customer success managers because the AI robots that were taking phone calls started promising stupid things. So what was it? There was one about United Airlines or something, being like, oh yeah, they had a chatbot on the internet and the chatbot said, “Hey, look, I understand your grandma died. So we have bereavement leave, so you can have a bereavement flight, so here you go.”
Then he goes out there, and the staff at the airline were just like, no, we’re not giving you a free flight. And he’s like, but the chatbot. And they said… So they tried to argue in court that the chatbot is an independent entity from the airline. And anyway, the court was just like, “No, no, a robot cannot be held accountable. This is your fault. You have to go pay this guy like $400 for his bereavement flight.”
M Brennan
The way I think about it is the difference between a kite and a sail, right? You’re holding the string of a kite, and it’s whipping about all over the place in the wind. But when I look at tech trends, and I’ve worked in finance before, so crypto and now AI, but other things like frameworks and stuff over the years, okay, I’m a sail. So I’m influenced by those winds, not going to take a fully straight course, but I’m not going to be run over there either. I might steer slightly towards it, but I’m going to do it in a reserved manner. I’m going to see how it’s playing out, get enough understanding of it to decide what are the questions I want answered and the things I want to see before I go fully into this thing.
And AI is heavily in that space for me at the moment, because no doubt it’s going to be able to do more and more, but the buzzword of the week is agentic AI. I was like, “Oh, so we’ve just built automation and allowed it to be triggered by an AI.” Okay, that’s good. We could have done that easily. We could have done the automation bit years ago.
Cole Cornford
I love the stuff I’m seeing that’s coming out from marketing teams. One I saw recently was “DevSecOps is dead. We will no longer have a need for pipelines. AI is the pipeline.” And I’m just like, oh my God. Can you imagine, like, irreproducible builds? Probabilistic builds is what you’re after. I do not want my software to be randomly picked apart. It needs to work the same way every time. Okay, we’ll tell the AI to make it do that. I’m sure that it will. You go do that. Enjoy your business and go enjoy your bereavement leaves, flights and stuff that it puts in.
M Brennan
I think of those things as like sci-fi, right? Somebody has to be describing the geosynchronous orbit before we’ve even launched the first satellite. Arthur C. Clarke calculated that and theorized about how that could be used while the engineers were still working on getting the rockets into space to be able to do it. Somebody’s got to have the wild idea or you’ve got nothing to shoot for.
Cole Cornford
That’s it. And I mean, I’m an entrepreneur. I’ve got wild ideas. Otherwise, I wouldn’t be here doing this, right?
M Brennan
Yeah.
Cole Cornford
Absolute pleasure. Thank you so much for coming on Secured. Is there anything you’d like to wrap up with and say for all our guests?
M Brennan
Just love the podcast. I really enjoy the experience I’m getting of bringing together security and developers and helping create that empathy. So I’d definitely say to all your listeners, talk to each other, learn each other’s stuff, right? Applying curiosity across boundaries is how we all get better.
Cole Cornford
That’s it. And if you know any good engineer people, let’s get them on the pod.
M Brennan
I’ll reach out.
Cole Cornford
All right, thank you so much.
Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.