Scott Contini has a PhD in cryptography with more than a dozen research publications, and has spent the last 15 years focused on solving real-world security problems. After switching from academia to industry in 2008, Scott has identified hundreds of cryptographic implementation flaws across the world, written widely read blogs on common coding mistakes, and contributed significantly to the 2021 OWASP Top 10 topic of Cryptographic Failures. He joins Cole Cornford to discuss how cryptography often goes wrong in practice, why secure-by-default APIs are reshaping security today, and the importance of clear communication and community-building in advancing the field. Scott also shares stories from working alongside legendary figures in cryptography, and offers advice for anyone looking to build a sustainable and impactful security career.
00:20 – Scott’s background in cryptography and transition to AppSec
02:00 – Moving from theory to real-world security challenges
05:00 – Common cryptography mistakes in the industry
07:50 – Why using the wrong encryption modes leads to vulnerabilities
10:10 – How Java’s cryptography design led to widespread issues
14:40 – The rise of secure-by-default APIs in cryptography
17:00 – Stories from working with cryptographic legends
22:00 – Improving advice in the OWASP community
27:50 – The value of writing and public speaking in AppSec careers
33:00 – Advice for newcomers in security: think like an attacker and keep learning
Cole Cornford
Hi, I am Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. Today, I’m joined on the podcast by Scott Contini. Scott’s an old hand at application security and has been around for a very, very long time. Sorry, Scott, I don’t want to call you out for being too old, but you are. You really are, but you’re beautiful.
So Scott’s awesome because he is one of the few people that I extremely respect for all of his knowledge in cryptography because that’s where he started. He was at university studying math and doing all sorts of crypto stuff with all the greats out there like Bruce Schneier and Ron Rivest and so on. Before, eventually, he got sick of it and decided to move into application security because he realized a lot of crypto was quite theoretical in nature and not related to the breaches that were occurring because of SQL injection and so on.
So we cover a lot of different parts about that history, and then the transition from early web application security to current day, as well as just stuff like running community groups, going to conferences, and how both crypto and AppSec have evolved over the last 20 to 30 years. So I hope you really love this conversation with Scott. He is an absolute pleasure to interview, and you should go catch up with him at AppSec Australia when we run our next event.
I’ve known Scott for many, many years. Was it AppSec forums back in 2016, ’17, or ’18, or something like that, right?
Scott Contini
You’re probably right. I’m not good with dates, but yeah, it’s been a long time. Yeah.
Cole Cornford
And I even remember reading reviews from old static analysis reports and being like, “Who is this S. Contini guy?” That was at one of my previous employers. So Scott’s got a little bit of a name for me. It’s like when you go into Wikipedia and you see who the previous edits were and you’re like, “Oh, it’s that guy? I know him.” So I’m really excited to have you on, mate.
Scott Contini
Yeah, I’m really excited to be here. Thank you so much.
Cole Cornford
So for all my guests, I’m excited to obviously talk to you but that’s because I think you’re really smart. Can you just tell everybody a little bit about your background and why you’re so awesome?
Scott Contini
Yeah, thank you. I wouldn’t call myself awesome. But yeah, I started out as a researcher in cryptography. I think that was around the early ’90s when I started doing proper research. And I spent a lot of time in cryptography, but also a little bit in the industry going back and forth. And I managed to… I would call myself a mediocre cryptographer. I did enough that I could earn a living as a cryptographer.
But one thing that I was bothered by is when you’re in cryptography or if you’re in any specialized research area, you have to travel a lot and you have to find positions that might be anywhere around the world. And it becomes a little bit difficult moving around the world whenever you need to find a new job. And once I arrived in Sydney, I found that this was the place I wanted to be. And the position I had there wasn’t really ideal, I would say, because the research I was being paid to do was not very real world and not what I wanted to be doing. I wanted to have a real world influence.
So eventually, I left cryptography and I went into, originally, it was mostly embedded security and small hardware chips, but there aren’t a lot of jobs like that in Sydney either. So I moved to web security. And once I got into web security, I started seeing examples of how everybody was doing cryptography wrong. They knew the algorithms but they didn’t know how to use them. And sometimes they even got the algorithms wrong and sometimes they even invented their own thing. So that was becoming my niche area where I was trying to, I would say, fix the world on doing cryptography right. And little by little, I ended up publishing blogs and commenting on Stack Overflow and everything else. And eventually, I think, writing much of the OWASP 2021 area on cryptographic insecurity.
Cole Cornford
It’s really good. That lifestyle of having to travel around the world just to participate in your industry, I imagine it would’ve got quite difficult when you had kids and a family. I can’t imagine having to do that with two daughters myself. So man, I’m glad that you decided to choose Sydney as the great place to be.
Scott Contini
Or maybe Sydney chose me. Yeah, one way or another. But yeah, it was exactly when I was getting to the point of settling down and thinking about having a family when I decided to leave cryptography. And my advisor tried to keep me. He said, “Oh, I got a great job for you in Europe.” That was my PhD advisor. And I thought about it for a good couple of hours. I said, “I can’t. It’s not working out. I just want to stay where I’m at.”
Cole Cornford
Did you go surfing back in the day? Were you just into the beaches and swimming and stuff, or what was it that attracted you to Sydney so much?
Scott Contini
Oh yeah, the beaches, the weather. I tried surfing. I wasn’t very good at it, but the snorkeling is great. It’s a great place to get in the water. Nowadays, I don’t appreciate the summers as much. They’re too hot. But I guess it was less hot back then. And yeah, it was working as a young single person.
Cole Cornford
And I guess that’s something you brought up just now. You said theoretical versus practical, there’s a lot of distinction. I know that when I studied at university, I always enjoyed the data security course. That’s one of the things that got me excited about cybersecurity in general. And the things about old cryptographic algorithms that no one uses anymore because computers break them instantaneously. I found all that sexy and interesting and cool, but what I struggled a lot with was the things like understanding how to do the extended Euclidean algorithm or the Chinese remainder theorem, getting Euler’s Totient sum. Did you see that meme that was going around saying that RSA was broken if you find out what Euler’s Totient is?
Scott Contini
I haven’t seen it, but I guess it’s true. If you know how to compute the Euler Totient function of the modulus thing, yes, it can break RSA. But nobody knows how to do that.
Cole Cornford
Yeah, exactly. It was someone on one of the social media sites who said RSA is fundamentally broken because if someone can compute your Euler’s Totient function, they’ll be able to figure out the secret key. And then all the cryptographers were jumping in being like, “You’re all idiots. We don’t know how to do that.”
Scott Contini
That’s the correct summary, yes.
Cole Cornford
But all of the cybersecurity people were just like, “Look, we need to look at new algorithms, guys. We’re screwed,” which probably segues quite well into getting cryptography right. I find it… So I’m a big fan of things like PASETO over JWT because it just constrains the scope of things that you can do and stops giving you so many guns to shoot yourself in the foot with. What do you typically see people mess up? I know you had a really fun one of a hard-coded IV that some bloke reached out to you 16 years later saying it was everywhere, but what other kinds of instances do you typically see people mess up?
Scott Contini
The stuff I’ve been blogging about is really simple stuff. It’s not about how to do Chinese remainder theorem or compute inverses or something like that. It’s just here are the algorithms and here are the mistakes that we often see. And the simplest one, you don’t even have to be a cryptographer. You’ve seen it yourself if you’re in the industry. People hard-code keys, really dumb, really not good. It happens everywhere. But then it’s more stuff that you really have to understand a little bit about the industry, about the technology to understand the problem.
One of the things with encryption, the way we’ve done it historically is it doesn’t prevent tampering of data, meaning that I’ve encrypted the data, somebody can flip a bunch of bits of the ciphertext around. When it’s received, you decrypt it. Well, you’re going to decrypt it and it might have something that is meaningful to the computer that reads it, even though it’s not the original plain text. And sometimes that can seriously break systems. So this is called malleability; that’s the term. And nowadays, we use so-called modes of operation to stop people from doing that. And that’s the mode called GCM, Galois/Counter Mode. So if you’ve seen AES in GCM mode, yeah, that’s a good thing to be using. But often what we see is cipher block chaining or electronic code book mode or something else where these ciphertexts are malleable.
Cole Cornford
I remember one of the early cryptography pictures that they showed me was a picture of Tux, the Linux penguin, getting encrypted. And with ECB or CBC, I believe, that there was no ability… You could just immediately see that it was still Tux looking at the photo instantaneously. And that’s not particularly usable because the whole point of cryptography is to make it there’s no information available whatsoever for an adversary. But if they could still see the basic outline of the picture of some variation, then they’ve made a mistake, right?
Scott Contini
Yeah, that’s another excellent example because that is ECB mode, but it’s also CBC mode if you’re using the same IV over and over. And one of the requirements that we have in cryptography is that when you use a mode like CBC, you always have to choose a new IV randomly, completely random. And the funny thing is in TLS, transport layer security, that’s not how it is. And that’s led to a number of hacks on TLS. Some people call it SSL. It was the same vulnerability back then but now it’s TLS, and patches to stop that, stop these attacks. So you might’ve heard of the POODLE attack or BEAST attack or stuff like that. It’s all because the protocol wasn’t built to choose this randomly, but instead in some defined way.
And hard-coded IVs is another example where we see it all the time, or even fixed IVs like reading it in from a config. And it’s, no, you cannot do that. And by the way, IV means initialization vector. It’s like the magic that you put into the cipher to start it so it’s secure going forward. So yeah, you always have to choose these things in a certain way. For CBC, it has to be random. For other ciphers, it just has to be a nonce, which means it doesn’t repeat. So when we’re doing GCM mode, it’s only a nonce. You just cannot repeat the IV. And a lot of times, we see people reusing the same value and it can completely break the security.
Cole Cornford
I guess another thing that from your talk you did a little while ago that I remember was that people use strings as IVs. And if I recall, you’re supposed to be using a byte array, not a string. And I guess the difference between the two is that with cryptography, you’re working on individual bits and a string is a byte, and so you end up with a reasonably predictable amount of that information, especially if you’re using English characters that are going to be quite easy for people to brute force or try to predict future ones.
And the other thing I remember was using either previous iterations to work out future ones. So if you just did one iteration, you’re going to work out future parts of the chain as well. So there’s so many ways to mess it up. How do we even end up in this state?
Scott Contini
Well, yeah. So to expand a little bit about what you’re saying is in the, especially for keys, cryptographic keys, people usually think of keys as passwords.
Cole Cornford
Yeah, okay.
Scott Contini
And, right, to the cryptographer, it’s a random set of 256 bits chosen from urandom or something like that. And to the developer, it’s like, “Oh, I’ll put in password123 and it’s secure.” And yeah, so suddenly it’s something you can brute force because they didn’t choose it randomly.
So how did we get into this state? Well, that’s a great one, and this is one that I want to blog about as well. And I’d like to look at the history, and let’s start out with what cryptography was a long time ago when we didn’t have open source solutions. We bought it from a company called RSA. They sold a library called BSAFE which everybody used because there were risks of patents and risks of doing it wrong. So we buy it from the vendor we trust.
Well, something changed, and that was a language called Java, which made it all available to everybody. And it was built into the language part of the Java cryptographic architecture. And back then it was Sun Microsystems who built the Sun Microsystems cryptographic library, which plugged into the Java cryptographic architecture and gave everybody the ability to use it. And also at the same time, the RSA patent was expiring. So people were like, “Oh, let’s use this.” But Java made it available but they didn’t tell you how to do it. And there’s a big warning. If you look at the Java cryptographic architecture pages, it’s in bold. “We’ll give you the building blocks you need to build crypto securely, but we’re not going to teach you how to do it. It’s up to you to understand what you’re doing.”
So they put it all on the developer to learn how to use it. And combining that with how Java was designed, it’s really low level. People have to do a lot to encrypt in Java. It’s not just calling a simple API. You have to bring in IV parameters back and all these other things, and you have to really understand the API and cryptography. Nobody knew how to do that. That essentially was the path for somebody like me to come in and say, “Hey, you’re doing it all wrong,” because people did not know and they tried their best and a lot of mistakes were made.
And over time, APIs improved. But it’s only in the last four or five years, I would say, that there’s a good understanding that we need APIs that are easy to use and secure by default. And over time, it took a long time to understand what that looks like.
Cole Cornford
Yeah, I know that a lot of web security is leaning that way as well because I think about bug classes, which still occur, but they occur significantly less. And that would be SQL injection or cross-site scripting. And the reason that they occur less nowadays than 20 years ago isn’t so much that developers have wised up or that tools have got better at finding these. It’s that people are using ORMs that eradicate the potential of having a SQL injection vulnerability, or people are using a JavaScript front-end library that eradicates any non-control over output encoding.
And so I know that cryptography being quite a theoretical discipline, a lot of cryptographers would actually have close to zero interaction with software engineers a lot of the time. Are they starting to work with user experience people to think about what we need to do to just make these things more consumable? I think I saw a funny one like PolyChaCha 2020, which is designed to be easy to use, that kind of stuff. Is that really happening and going well nowadays or is that still early stages?
Scott Contini
Cole, everything you said was 100% on the money. It’s the exact same problem. It’s about making cryptography easy and secure by default. And the ChaCha one was from Dan Bernstein, also known as DJB. I would say most people know Bruce Schneier, but DJB is the Bruce Schneier of today. And he came up… He was the guy that really drove this. And it was great because he made cryptographic API security important. And this is not just a very good cryptographer, but he’s a guy who’s been known for building secure solutions for a long time, if you’ve heard of qmail to replace Sendmail. So he had everything. He was an engineer. He was a cryptographer. He was a researcher. Brilliant guy. He’s a friend of mine. I haven’t met him in a long time, but I used to. He was the first guy I ever met.
So a bit of a side story: when I was young and arrogant and dumb, I thought I’m a great mathematician and I’m a great computer scientist, and there are people that are better at those than me, but they’re older than me. Nobody’s better that’s younger than me, until I met DJB. He was a better mathematician. He was a better cryptographer, and he was younger than me. So it was really humbling to meet him.
But yeah, so he was the guy that actually drove these improved APIs, and he made real-world security important in cryptography, or at least he was a big contributor. And nowadays, there are people doing the research on how to make cryptographic APIs better, how to make them more friendly. And I think we’re making great progress. But gee, I wish this was a topic when I was doing my research and I wish it was something I could have done because this is something I wanted, cryptography, real cryptography that has an impact. For a long time, the researchers were living in their own ivory towers and not helping the developers. Now, we’re starting to close the gap. So yes, we’re making good progress.
Cole Cornford
But at the same time, you’ve been able to see this history and see how things unfold over the last 20 to 30 years. And that’s given you a wealth of knowledge and wisdom and lots of different people in the industry so you can have that perspective. Whereas a lot of people nowadays, I think of a developer coming out of university who has had no exposure to concepts like object-oriented. They’re like, “What is that? That’s some legacy .NET Java thing? What is MVC? What is DevOps?” We’ve got all of these different iterations, let alone systems teams back with COBOL in the day that they just had to skip right past to the modern day. But I think you should be proud that you’ve been involved with so many of these breakthroughs. So what would you say is your favorite? Because you’ve rubbed shoulders with many of the greats. The cryptographic industry is reasonably small. So what have been your favorite experiences in there?
Scott Contini
Oh, look, it’s been fun. I’ve always felt like I’m the outsider, and I suppose it’s a lot of imposter syndrome. So I’ve always felt like, “Oh, these guys are much smarter than me. I could never do it.” So yeah, I think it’s been great to get to know these people. I know a lot of the great cryptographers. Personally, I’ve met a lot of them. I even published a couple of papers with Ron Rivest, names that people know. Diffie and Hellman, I know them personally. I’m not good friends but I know them. A lot of the big names, I know.
So it’s been great to see these things. And I think one example is the AES, which was chosen through a competition. And everyone thought the team from RSA was going to win. And I was working with those people. It was an algorithm called RC6. They thought it was going to be the next… the new standard AES because it was a call for submissions from the community. So that was really fun. But it was a surprise to the world that NIST, National Institute of Standards and Technology, chose an algorithm not from America, but written by Belgian researchers, two researchers from Belgium that were new hotshots in research but not known outside of that. And it was a beautiful algorithm. It’s called Rijndael. That’s what the AES has turned into. And getting to know those guys and meeting them before they were famous or known to the world, that was cool. This was a good memory. And there were a lot of big names in cryptography where I met them before they were famous. So yeah, I was lucky to meet a lot of people.
Cole Cornford
I wonder who the famous people in AppSec are going to be in the future, right? Because-
Scott Contini
I think I’m talking to one of them.
Cole Cornford
Ah. Nah, made an error on a podcast. I’m not famous yet. Just give me another 20 years and then people, “I know that Cole Cornford guy. He’s the one who wears pink.” So I did have someone at Wynyard train station point out to me one time and he says, “You look familiar.” And then instead of saying, “Are you Cole or are you Galah Cyber?” He said, “You are that guy on LinkedIn, aren’t you?” And I died inside because it means I’m infamous, not famous, so people don’t know what I look like. But anyway.
Scott Contini
I could say similar stories for some of the famous people in cryptography, like when I was in the… I’m not going to give the name because I don’t want to embarrass anyone, but when I was in my, I don’t know, late twenties, going to the pub, having drinks, doing silly stuff in a pub where it’s all people in their twenties, then you see a man 30 or 40 years older that looks different with the young crowd. And then you’re like, “I know who that is. That person’s really famous.” So those things like that have happened. Yeah, that’s been quite amazing.
Cole Cornford
Very famous people. I’m going to go look for you in all the pubs around Newcastle and Sydney, right? That maybe you’re one of the people that convinced Scott to stick around. So I know one of the things you also like doing in your spare time is writing a blog, and oftentimes it’s about cryptography but also quite often about AppSec. What have been your favorite AppSec or web security topics to write in depth about?
Scott Contini
Yeah, thank you for asking. I like to… OWASP is a great resource. We all love it, but it is written by a lot of different people and contains a mesh of information. And to me, what’s important is can we communicate things well that makes things easier for people to understand? There’s been a lot of topics on my blog that I’ve written about because I think OWASP maybe isn’t the best advice. Maybe we could do better. And I’ll mention one example, but I’m not going to say this is one of my favorites but it’s a good one, I think, is because I remember OWASP saying, “If you care about any security or privacy or anything like that, you better have certificate pinning in your mobile apps.”
And I didn’t agree with that and I think it was very short-sighted. I understand the value it provides and I wanted to make it more clear when it makes sense and when it does not and the problems with this concept in the long run. Because it was clear we were going to quicker, shorter, and shorter expiries for certificates. And changing a pin is not an easy problem because, for example, if you’re giving your app to the app store, it needs to be reviewed. It takes a few days, there’s a transition time, and you don’t want to be down for a few days because you’ve done something from security they said you absolutely have to do.
So I questioned, is it really as important as we’re saying it is? It makes sense in certain scenarios, but not in every case. And I posted that. I like to post on Reddit. I posted on the Reddit NetSec group, network security, and I knew I was going against popular opinion and I thought I’d get a bunch of downvotes. But they actually tended to agree and everybody upvoted it. And nowadays, it’s more commonly accepted that certificate pinning is a nice to have but not a requirement. That’s one example that went well. I can give you one example that didn’t go well. I thought I’d make some noise because everybody talks about Java being a secure programming language.
Cole Cornford
Oh, did I? It’s so secure. I just love it.
Scott Contini
Google it, right? Is Java secure? And I wrote a blog saying, “No, it’s maybe secure by standards of 30 years ago, 20, when you compare it to C, but not anymore.” And oh, the world did not like that. And Reddit dropped the post. Reddit NetSec said no. Of course, some of the guys that are moderators there work at PortSwigger and they use Java, and they said it was low quality. So in some cases they disagree, but I still believe we have to move on. And languages are being built better in a more secure, default way. It’s not just about memory safety. There’s so much more than that to be a secure programming language.
Cole Cornford
Yeah. I think so I’ll comment on the language and then go back to OWASP. I’ve been speaking to a lot of different companies because I run a consultancy. And so there’s obviously tech companies that are quite modern, old, large institutions that have heaps and heaps of everything everywhere. And then you’ve got smaller startups that can be nimble and try all sorts of different things with no real consequence until they scale up and then they can’t find people to do that tech.
And one of the companies had tried to trick me a little bit and they said, “Oh, we need a pen test slash code review of a PHP application.” And then the pen tester on my call, I could see his face smile. But my face didn’t smile because then my immediate question to them was, “Is this Symfony/Laravel PHP, WordPress PHP, or PHP5?” And they said, “Laravel.” And I’m like, “Cool. All right.” So what we know is that we have an extremely modern engineering environment with safe defaults and a good authentication process and output encoding, and the pen tester went from a smile to a sad face. Because the fact is the word PHP to so many people just indicates incredibly insecure.
And even with Java, if you use just plain out of the box Java Spring or Java Struts, there are so many features and so many things available over the last 20 to 30 years because they’ve got to maintain backwards compatibility that of course there are going to be gaps in it. And I think the biggest issue I have is that we have 20 years of Java everywhere and you have to support all of it. So no wonder there are going to be security gaps between versions or people can’t update it or their independency, well, light.
But on OWASP, I’ve got a similar story. So I don’t really push people to OWASP much, if at all. And it’s not because I think OWASP as a community is bad. I actually think it’s really good to have the open web application. I think they changed it to worldwide application security because they wanted to move away from web to all software. But I think that the issue is that there’s a variation in the quality of what’s provided because they have to be open to the entire community. And if I am an expert in this discipline, anything that I write is going to be indistinguishable from an entry-level professional’s. And curating quality content, people just don’t have time to figure that out anymore. So I don’t write on OWASP specifically for that reason because even when you do it well, people don’t even notice it and they don’t really care that you did that.
I did, three years ago, there was a cross-site scripting cheat sheet, and I had a read of it and I thought to myself, this advice is incredibly old. It’s mentioning nothing about frameworks. It just says use CSP, but it doesn’t talk about the limitations of CSP. It doesn’t explain sanitization like DOMPurify. It doesn’t talk about trusted types. It’s like the world has moved on and it was still talking about here’s the 50 different ways to output encode, depending on the context, which is a DevX problem, not a security one. But it was just written on professional stream from onto paper. It was dated. It was old advice. And the issue I had was it was used by hundreds of thousands of developers, potentially millions of developers globally as the artifact that this is how you stop XSS.
And so I took the entire thing and rewrote it. I modernized everything. I professionalized the entire thing. I simplified every single thing and was extremely explicit, and I gave practical examples about how to use it. And to this day, I haven’t had anyone message me about doing that. And so it’s interesting that you can go and spend effectively… I think I spent an entire month on this. It’s like 20 or 30 pages of content; I took 60 pages and turned it into 20, which just tells you how important it is to get this stuff right, and no one actually knows I really did that kind of stuff.
And so if you have a community that doesn’t really give you any reward for hard work or recognition for what you’re doing, and then also there’s no ability to determine whether that’s good quality versus I saw some of the other top 10s have come out, the AI top 10 or the API security top 10. And I sit there thinking to myself, “Well, it’s good that those are aligned to specific vendors that solve those problems, right?” Anyway, shooting on OWASP. We’ll stop there. You’ve got a lot of things you could probably jump in on that about, so…
Scott Contini
No, I think we’re aligned. Yeah, a lot of times I go to companies and they say, “We just point the developers to OWASP.” And to me it’s like, well, it’s okay to point them to OWASP but you better curate it. You better distinguish the good from the bad because not everything from OWASP is the answer is my view.
Cole Cornford
Yeah. And even with Australia, we have, in my view, an incredibly immature market. So people still make decisions about application security based on coverage and capability and not on aligning business outcomes like engineering velocity, feature delivery, usability of these tools against security outcomes like preventing incidents or complying with a regulatory standard. We don’t even have a regulatory standard that says if you go into the ISM, which is the government’s information security manual, Section 16 says, “Follow OWASP,” is their entire AppSec section. They don’t mention anything to do with like, “Oh, you should review first party code for vulnerabilities and not commit secrets or have push protection on brand.”
Just we don’t care about it because as a country, we don’t have too many companies that are too focused on product security overall. And I compare that to Europe and Israel and America, and it’s just night and day where so much of their economy is based on software security to the point that there are heaps of regulatory standards around it. But do you have any idea what we should do to, besides running a cool community like AppSec Australia, get things going?
Scott Contini
Yeah, I don’t know the answer to that, to be honest. And yeah, I used to live in the United States, and I suppose I didn’t get too much into that in those times because I’ve been around for a long time. So I don’t know what the state of the art there is so I’m probably not the best person to comment on that.
Cole Cornford
That’s okay. So I know that you run a community, AppSec Australia, and there’s definitely a need for more people to get involved in it. We do have a lot of meetups happening in Melbourne, and we’re looking at doing some more in Sydney. But if it’s other parts of the country that want to go and do it, they should have a chat to you and me about it, right? So…
Scott Contini
Yeah, I hope everybody knows now. Cole is one of the organizers and he’s helping to drive this, and the whole point was more information sharing. And the goal is get the people that are technical who are on the ground working day to day solving problems, show us how it’s being done. And yeah, this is your time to learn, to present, to get to know the community better. We’ll support you. We’d love to have more speakers. Definitely call for more people to reach out.
Cole Cornford
I’ve always told people that public speaking and writing were two of the things that made the most difference for me to really understand a topic and get really good at it. Because if you have to get words on paper and then think about how you’re conveying a message to other people, it turns out that it’s really hard to just speak at a topic, because you’re not going to find all the ways that you’ve conveyed something stupidly, or it doesn’t make sense when you read it later, or you have gaps in your reasoning. And writing is a way to actually force you to do thinking. So I encourage you all to go out and write blog posts or come and present at AppSec Australia with Scott and us. We need more speakers.
Scott Contini
Yeah, I second that. To me, I don’t trust my knowledge until I write it out. And then only once I can write it out and read it and review it over and over, then I think about speaking it. And that’s a whole new ballgame, communication. And verbal communication, I don’t think I’m as good at as written, because I’ve been writing for a long time, but it’s something everybody should learn because this is going to take you the farthest in your career.
It’s one thing. When I was young, I was thinking, “Oh, I can do all these things. I can solve all problems. Why do I need to communicate?” That’s so naive and so wrong because you can have so much more influence, and we’re in the industry of scaling knowledge. This is what AppSec is. It’s not just problems. You need to get lots of people to do things the right way, and you cannot do it without strong communication skills. It’s one of the most important things in our field.
Cole Cornford
I was having an earlier podcast this week and one of the people was like, “Oh, so outside of software engineering, what do you think the other useful backgrounds are for people to come into AppSec?” And I was like, “Oh, I don’t know, political stuff.” And they’re like, “Oh, that makes sense. Yeah, politics and marketing.” And I’m dead serious about that, because you don’t necessarily need to understand all the detailed software engineering stuff, because you can hire someone like me or you to just come and talk about what’s the right thing to do. You just take that and then figure out how do I get everybody else to agree and be happy to do things that they don’t necessarily want to do, right?
Scott Contini
Yeah. Look, I think diplomacy is a very important part of the job, and I like to find solutions that are going to make everybody happy. So it’s about getting everybody in the room, seeing what their requirements are, working through to find the solution that’s going to work for everybody. That’s how I like to look at it, looking for a win-win-win for everybody.
Cole Cornford
That’s it. What’s the win? So speaking of what’s the win, probably a question for people who are a little bit earlier in their career, what would you say is going to, besides, like we said, public speaking and communication, technically, what do you think people should be focusing on to develop themselves?
Scott Contini
In application security?
Cole Cornford
Yeah, let’s just go security more broadly.
Scott Contini
There’s a lot of value in knowing how to attack systems. Working on the attacker side, you’ll have much better context when you’re working on the defender side. So to me, that was a big part of how I began to trust myself, just learning as much pen testing as I could, practicing it, demonstrating it. And then once you can really explain to someone, “This is how I exploit something and these are the consequences,” then you can start to make them appreciate the defensive side. So to me, that’s a lot of value. Don’t just be a defender without knowing how to attack. That’s my answer. What’s yours, Cole?
Cole Cornford
Ooh. See, I’m someone who didn’t come from a pen testing background. I came from an engineering background, and so I think that my best thing is to just go meet more people, which I know this sounds corny, like I run a podcast so I can go talk to as many fun people as I want, but also it’s made a huge difference to my career knowing that I don’t know X. Who is good at X? Let me go talk to that person. And I have a breadth of knowledge because I’ve effectively got a tribe of mentors I can speak to. So if I’ve got a weird question about cryptographic libraries, I’ll come talk to you or come talk to Sarah or come talk to Dan Draper, people who would actually spend the time in the cryptographic ecosystem. But if my network is really tiny, I don’t know who I’d talk to. University professors? They probably don’t even know how the math works.
Scott Contini
Yeah, that’s a good answer. To me, I learned a lot more from reading than from listening to people. And I think that’s just the way I learn. So to me, I read as much as I can. I follow, like I mentioned, Reddit NetSec. There’s a lot of Reddit groups I follow and just always trying to get up to date on knowledge. That’s a strong part of it.
But I’m also from an engineering background, and I think in application security, we have to wear lots of hats. We have to have lots of skills. We need to know the engineering. We need to know how it’s evolving. It’s a lot of work to keep up, but that’s why we get paid well, if we’re doing our job. And talking with something I didn’t know originally, I learned it as well. I learned to pen test in my spare time. So learning all these skills makes you very valuable and you can do a lot with it, but you have to be driven. It’s not, “Oh, I’m just going to learn it so I can get the job.” You have to really enjoy it, I think.
Cole Cornford
Yeah. I meet a lot of people who say, “Oh, I want to get into product security or application security,” whatever. And I’m like, “Okay, cool. So what do you want to do in product security? Because it can be quite broad.” And eventually I tell them, “Oh, can you just go write a Django application for me?” And they’re like, “Oh, I don’t really want to be writing any software.” And I’m like, “Uh oh, red flag number one.” So then number two is like, “Oh, can you maybe just write up a post talking about Django for me, about why you’d use Django over say FastAPI or over Flask?” “No, I’m not really a writer. I’m more of a…”
And then I think that you have to be reading to get better at writing. I read a lot myself. I also try to make sure when I read books, that they’re completely unrelated to software security a lot of the time. I know my bookshelf over there has a bunch of nerdy software security books in it, but on my desk, I have a book about strategic thinking, a book about Amazon, and a book about calling bullshit. So look, it is, I like this one.
Scott Contini
Oh, wow.
Cole Cornford
The Art of Skepticism in the Data-Driven World. The reason I’m doing that is because for my next newsletter post, I’m going to be talking about how application security companies have a way of manipulating data that is difficult to debunk to make themselves look good. And giving examples about why it’s bad anonymously, of course, because I’m presidential like that. But I think if you spend any time looking at any marketing research blogs, you’d be able to work out which companies I’m targeting. But if you don’t read, it’s going to be really hard for you to keep up in the industry. And if you’re not interested in the content, it’s impossible to sit there and put yourself down.
My wife has to read about gardening at the moment because she’s doing gardening at TAFE and she’s telling me the difference between different types of petals and stamen and stems, and I’m sitting there thinking to myself, other than this one plant in my room, I have the smallest amount to give about plants possible. But I also understand that she tremendously cares about this and does not care about output encoding methods.
Scott Contini
Yeah, I think it’s a really good point though. Your job, you’ll do much better if it’s your passion, right? If you’re driven to learn more, that’s how it has to be. And yeah, I had a hire recently and it was amazing how many people I’d interviewed that just didn’t know the basics. But then when you see somebody, they might not have all the knowledge, but they’re going the right direction and you can see they want it. That’s the type of person I look for.
Cole Cornford
Cool. All right. Well, Scott, look, speaking of passion, look, this has been an absolutely amazing conversation with you. I’ve loved being able to cover everything from cryptography to application security and also life lessons for my listeners. So thank you so much for coming on the podcast, mate.
Scott Contini
Thank you so much. It was really awesome to be here. Always great to talk to you, Cole.
Cole Cornford
Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.