Bridging the Divide: How Communication Can Unite Developers and AppSec with Jeanette Gill

Cole Cornford:

Hi, I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. Today we’re joined by Jeanette Gill, principal customer success manager at Secure Code Warrior.

Jeanette Gill:

But I just remember this customer saying to me, “Jeanette, I went into the canteen the other day. I was in the lunchroom. There was a table of developers sitting in the corner. As soon as I walked in, they were like, shh, shh, here comes AppSec.” And he felt a little bit like, guys, I’m here to help you.

Cole Cornford:

Jeanette comes from a non-technical background, having worked in the aviation industry for over a decade. When she made the leap into AppSec, it was her great communication skills, her boundless enthusiasm, and focus on providing a great experience for customers which proved invaluable. We discussed some of the common misconceptions about application security, the uneasy relationship between developers and AppSec teams, the potential for AI to change our industry, being a champion Dragon Boat racer, and plenty more. So let’s jump right on in.

Hey, everybody. I’m here with Jeanette. Jeanette, how are you doing this beautiful Wednesday?

Jeanette Gill:

Hello, Cole. How are you? Great to see you. I wish we saw more of each other face-to-face and not virtually. We always have such a good time taking selfies together, with that great history of always reenacting our very first photo.

Cole Cornford:

Yeah. From OWASP New Zealand. Was that 2020?

Jeanette Gill:

2019.

Cole Cornford:

2019. It was at the end of 2019, was it?

Jeanette Gill:

Yep, it was. Yep, yep, yep, yep.

Cole Cornford:

It’s crazy to think about that. I’m pretty certain I came back from a holiday around Japan with my friend James, and then I just had a few weeks and I went to Auckland for [inaudible 00:01:47], came back and people started segregating on my flights back about whether they looked Chinese or not.

Jeanette Gill:

Right.

Cole Cornford:

And it was about that time, I think, yeah, because it was Covid. Yeah, seriously. That was at Sydney airport.

Jeanette Gill:

Wow. Okay.

Cole Cornford:

Crazy times, right?

Jeanette Gill:

Unbelievable. Hey look, I owe OWASP some gratitude there because that was just a great trip. That was just a great meetup. We had a great time, and just meeting everybody there, it was fabulous. We need more of that.

Cole Cornford:

I miss John [inaudible 00:02:19]. It’ll be good to catch up with him whenever he’s around. Next I think he’s, is he still with OWASP?

Jeanette Gill:

I have done some events for him at OWASP. I think we did Christchurch. We did Auckland. But I think he has moved, but he’s still very heavily involved, I believe, in OWASP. Yeah, he was actually at CyberCon 2023 in Melbourne, but I didn’t get a chance to meet up with him. It was a really busy event.

Cole Cornford:

Yeah. I didn’t get to go to CyberCon this year.

Jeanette Gill:

Oh, that was fabulous.

Cole Cornford:

Yeah, okay. Dig it in. Rub salt in the wound.

Jeanette Gill:

I’m sorry. Adding salt to the wound [inaudible 00:02:49].

Cole Cornford:

I had to take care of, my Mrs. was getting a runny nose and I don’t think it’s a good idea to just say, I’m going to go and have a high school reunion for four days while she’s starting to get sick with two kids. So I was like, nah, I’m just staying at home, taking care of the baby. Thankfully she didn’t get anything serious, but you’ve got to do the right thing as a dad, right?

Jeanette Gill:

Yep. Absolutely. Well done, Cole.

Cole Cornford:

Thank you. Thank you. I’m very, I feel ethically-

Jeanette Gill:

As a mother and a wife, well done.

Cole Cornford:

Oh, okay. I’ll take it. I’ll take this. You should see, I’ve got a lot of brownie points right now. I’ve done so many good things for her. So anyway, away from brownie points and onto birdie points. So the first question I ask everybody on my podcast is, what kind of bird are you and why?

Jeanette Gill:

All right, so what kind of bird am I? All right, so firstly I’d have to think about, okay, I’m not really a bird person, even though I’m very grateful. We should all be grateful to birds. I mean, they provide us with food, decorative feathers. For some people, they provide companionship.

Cole Cornford:

I’m just going to mark that down. Not a bird person.

Jeanette Gill:

That’s right. Not a bird person. But look, they do a bit of labor. We have the pigeons that carry the messages and the falcons that do the hunting. They even do a bit of pest control and-

Cole Cornford:

And the galahs that do AppSec.

Jeanette Gill:

Galahs that do AppSec. Oh, I must, yes, tick in the box. I must remember that. I love bees, but also birds pollinate. It’s not just the bees. But to answer your question, Cole, I would have to say, reviewing the entire bird world out there, I would be a peacock. I would have to say a peacock. I choose a peacock, and it’s not because I like to strut my stuff, and it’s not because I think I’m drop dead gorgeous. Hear me out on this one.

So peacocks with all their beautiful feathers, I see those feathers almost as strands of information. All this beautiful, from all the things I’ve done in my role in terms of experience and knowledge that I’ve gained, and having seen how organizations roll out AppSec programs, there’s a lot of information I want to share with them and give them to be successful and achieve their success criteria and their goals. And I believe each feather is an element in me providing an organization or a customer with the knowledge that I’ve gained. So here’s a feather, and I’m going to help you achieve your success criteria. It’s all about sharing and sharing the knowledge, and the knowledge is the beauty.

Cole Cornford:

So you collect feathers that the peacocks drop or you just have a lot of feathers that are in your tail? How far does this analogy go?

Jeanette Gill:

Yeah, if I’m a peacock, I’ve got a lot of feathers because there’s a lot of stuff that I’ve learned in the last couple of years and I really want to share that, get it out there. Because AppSec is not easy, Cole, right?

Cole Cornford:

Oh, no. AppSec is very easy. That’s why I run a business. It makes it even easier.

Jeanette Gill:

Oh, there you go.

Cole Cornford:

You just tell people, just fix the code. Done, solved.

Jeanette Gill:

Yeah, that’s it. That’s all you have to do. Yeah, just look at it, know how to remediate it immediately, without knowledge preferably.

Cole Cornford:

One of the things about peacocks is that the males have a bright plumage, but female peacocks are actually quite color neutral. They’re gray and elegant and beautiful, but they’re not outlandish and garish. So I think it makes sense to just have a lot of stories that you can talk to, but you don’t need to put a lot of color into them. Right?

Jeanette Gill:

Correct. Yeah. Very good.

Cole Cornford:

Ah, look at me following on with that metaphor. Real good [inaudible 00:06:27]. So Jeanette, could you tell my audience a bit about yourself and just, yeah, where’d you come from? How’d you get into application security? You’ve got a storied journey, I’m sure. Lots of feathers.

Jeanette Gill:

Oh my god, lots of feathers. I need two peacocks to tell the story, really. So my background is, so in terms of schooling, I went to school in the US and in Germany. So most of my life I spent in Germany going to American high schools because my dad was in the military. And in high school I did take a class in computer programming, and I was actually the only girl attending that class at the time.

So looking back or looking at some of my high school photos, I realized, gosh, I was the only girl in that class. And it was all Commodore 64, basic language, writing code, start line 10, then you do line 20 and you write something and then it goes back to line 20. So on and on and on and on. I mean, this was ages ago, and I just remember saving up all my money and buying programming books, and all it was really, have you ever seen these books before, Cole?

Cole Cornford:

Oh, they’re just reference bibles, right?

Jeanette Gill:

In the old days where you’d get this book, you’d go to the bookstore and it had thousands of pages and you had to copy every single line of code. And in the end, after five hours of sitting there hacking away, you would hope you’d get a really cool video game out of it. Obviously it never worked because somewhere in your line of code you got something wrong and it didn’t really turn out the way you wanted. So that was me going to school.

And then I ended up going to, my dad retired and I ended up going to German school, so I went to German school, graduated, and then I ended up going to, in Germany, I ended up going to German business school. So I am bilingual. I speak English and German fluently. My mom is German.

Cole Cornford:

Ya.

Jeanette Gill:

Ya. Ya, [German 00:08:19]. And I came out of German business school thinking, I really don’t want do this boring stuff. I really do not want to get into business. So what I did was one day I got into the car and I drove to Frankfurt Airport, and I picked up an arrival and departure schedule, and basically it was all the flights, when they arrived, when they left. And that was kind of how people knew which flight to book. Back then there was no internet, obviously.

And in that schedule, in that arrivals and departure schedule was every single airline that departed from Frankfurt or that had an office at Frankfurt Airport. So I applied to almost every airline in that book because I thought, oh, I want to work at the airport. That is so super cool.

Cole Cornford:

It’s funny how our perceptions change over time. I can’t think of anything else-

Jeanette Gill:

But I’m talking about 1992. I hope I haven’t given my age away there.

Cole Cornford:

21, always 21.

Jeanette Gill:

Thank you very much. I like that. And I applied, and I ended up at British Airways. And looking back, Cole, I have to say those were the best years of my life, being at British Airways, being at the airport. I loved going to work every single day checking in passengers, window or aisle, smoking or non, crazy that you would think that people used to smoke back then.

Cole Cornford:

Smoking or not. Wow.

Jeanette Gill:

And I’d have to deal with passengers that were like, “I would like non-smoking. Do I have non-smoking?” “Yes, you do. You’re in aisle 23.” And then they would be like, well, “Which aisle does smoking start in?” “24.” And they would not be so very happy. So it was like, oh [inaudible 00:09:57], those days. So I went on from checking in passengers, which I loved. I just loved talking with people, dealing with people. But my passion was actually being out on the ramp, being an aircraft load controller.

So the load controller is actually that individual that is doing the calculations of an aircraft before it departs. So you have cargo, you have fuel, you have catering, you have passengers, dangerous goods. You’re starting to calculate everything. The maximum takeoff weight of the aircraft needs to be correct. So when the pilot pulls back that the aircraft actually takes off and isn’t still running along the runway. So it’s a lot of calculation. Very, very interesting. Very demanding, very stressful. But I loved it. I loved it. I absolutely loved it.

Moving on from there, I thought, okay, what can I do next? So I became the PA to the airport manager at Frankfurt, British Airways airport manager. Then I moved on. In that role, I was faced with managing expenditure operations. And one of the things that is very heavy for airlines is tracking expenditure. Your expenditure, it’s always a big-

Cole Cornford:

Well, they’re very thin margin businesses and very-

Jeanette Gill:

Absolutely.

Cole Cornford:

It’s very hard. That’s why they try to make it a sardine can nowadays.

Jeanette Gill:

100%. And managing that, so British Airways built a system, their own in-house system that tracked airline expenditures. So the maximum landing weight, maximum takeoff weight, how much does it cost us to land an aircraft in Frankfurt, in Lisbon, in Vancouver, in Tokyo. So we managed all that. So I looked after that as well.

And after doing a bit of that, I thought, my husband’s English actually. So we thought, okay, what’s the next move? Let’s move to England. So I applied for a job, British Airways again, in-flight product and brand development manager. So this was a super cool job. And we basically looked after everything that had to do with Concord first class economy and looked after food and beverage.

So I did a lot of eating, I did a lot of drinking of everything, you can imagine. We looked after soft furnishings, from the pillow to the napkins, to the forks, to the cutlery, any type of cutlery, the overnight kits, the meal service, could the crew actually deliver? So lots of cool stuff. It was a dream job. I really enjoyed it. It was fabulous. And then I gave it all up, and I gave it all up to move to Australia.

Cole Cornford:

Oh, was that from your own volition or from your husband’s?

Jeanette Gill:

It was a joint decision that we made. We decided what do we want in life? Where do we want to grow up? Where do we want to continue evolving as individuals? More importantly, by that time we were married, and where do we want our children to grow up? I was not really keen on them growing up in the United States, and I thought there was more to offer than Germany.

And I just loved Australia because when I worked for British Airways, I traveled a lot to Australia and I did some work in Australia for British Airways as well. So we jointly decided we’ll go, and so we did. And it’s been great ever since. I’m very grateful, even though I have moved, this is now the third time we’ve lived in Australia, other job opportunities that were offered to me and to James, we took those in other countries and then we always came back. Something always brings you back to Australia, right? You’ve lived overseas, haven’t you?

Cole Cornford:

Yep, yep. Yes. And I came back, so.

Jeanette Gill:

Absolutely. Yeah, I think a lot of people do.

Cole Cornford:

I’m stuck here. I’ve got my two kids and my wife, so we’re settled here. But no, it makes sense. Australia’s a place to really raise a family. It’s a really good environment to do it in. It’s pristine, it’s clean. I’m not sure where about [inaudible 00:13:35] Gold Coast.

Jeanette Gill:

I’m on the Gold Coast, yes,

Cole Cornford:

Gold Coast.

Jeanette Gill:

Better known as, depending on who you are, paradise.

Cole Cornford:

Paradise, or they’re not Brisvegas, the other Vegas.

Jeanette Gill:

No, not, not Brisvegas. I always, Surfers Paradise, as long as you keep your back turned to Surfers Paradise and you look towards Burleigh, everything is paradise. For me, at least.

Cole Cornford:

Today must be, because you’re starting to get to the worst period because it’d be around Schoolies, right?

Jeanette Gill:

Oh, exactly. At school holidays it gets a bit nuts. It’s a bit nuts.

Cole Cornford:

Yeah, I remember those days.

Jeanette Gill:

Exactly.

Cole Cornford:

So moving forward on a little bit, so you said that working in an airline you would’ve had to develop a lot of skills around customer experience. I can totally see how you’d move into over time into your current role in basically customer success and developer relationships at SCW. Would you want to expand a bit more on what you do nowadays?

Jeanette Gill:

Yes. So being a customer success manager, customer success in general, it’s really, or how Pieter put it to me when he interviewed me many, many years ago, because when I saw the job description, I was like, I can’t do that. I don’t know how to do that. I know nothing about AppSec. What is OWASP? Threat modeling, is that a movie? I don’t know. Moving along. But the most important thing is that relationship that you have with the customer and wanting to achieve the best possible outcome for the customer, building a meaningful and trustworthy relationship and one where helping and guiding the customer when they really need it most is everything. Any customer success role covers that.

But particularly in AppSec, again, let’s face it, it’s not easy, AppSec. And again, I work with individuals that, I shouldn’t even use the word individuals. Quite often you have a large organization where one individual is helping to drive a secure program for thousands and thousands of developers. And those AppSec people, how do they get treated? I had a meeting last with a customer. I’m getting a bit sidetracked, but I just remember this customer saying to me, “Jeanette, I went into the canteen the other day. I was in the lunchroom. And there’s a table of developers sitting in the corner. And as soon as I walked in, they were like, shh, shh, here comes AppSec.” And he felt a little bit like, guys, I’m here to help you. I’m not here to rap you over the knuckles because of something.

So he actually shared that with me, and it’s a bit of a true misnomer, really. AppSec comes walking down the hallways and everybody’s like, “Don’t make eye contact. Hope he doesn’t come to my desk,” or, “Hope she doesn’t come to my desk.” So I think for me personally, customer success working with these individuals or with these teams that have multiple jobs and looking after multiple things, not just training, and helping them feel reassured and giving them enablers to success, to be successful, that’s a bit of the role that I’m in. And certainly a lot of things keep me awake at night on how to help them and achieve value out of the purchase that they made and the purchase they made at Secure Code Warrior. And by the way, it’s a great purchase.

Cole Cornford:

Well, there’s your product pitch for the day. That poor person. I see it a lot of the time, where you have a business and they tend to have their first security hire and they’re lumped with everything from, we need to comply with all of these different standards and obligations to, we need to source penetration testing to training engineers and endpoint and corporate security, data protection, so on and so forth. So I’ve been in that position when I was at change.org and had to do a bit of everything under the sun. So I know what it’s like to be the solo security engineer.

But the fact that they were truly ostracizing that individual is a bit sad to me because I understand why a lot of developers have an adversarial nature with security, and that’s usually from experiences of big enterprises in the past, or it’s a siloed function where you have a lot of InfoSec people who do assurance activities and they basically come back and say that everything’s terrible. Why’d you do all of this kind of stuff? I don’t see that those people don’t really end up in tech companies all that often, or smaller scale ups because it’s almost entirely about how do I as one person influence more broadly in an organization? And you can’t do that by enforcing policies and being really strict with people because then no one will, they’ll find ways around everything that you implement.

And the previous hire, it changed before me before he moved on, did that exact approach, is they did a very thorough audit and assessment, identified where all the gaps were, and then started hitting people with KPIs and measures, and everyone got upset and stopped working with him and found ways around everything. And then he got angry because no one was listening to him. So I don’t think that’s effective security, but that’s just me, just a bit of [inaudible 00:18:43].

Jeanette Gill:

Yeah. I think that also I’m very passionate about, especially when I’m doing events or I’ve run into developers, and I know firsthand from a previous role that I worked in that was a little bit more technical, developers, the type of constraints that they’re under, what’s actually being asked of them, big projects, deadlines, budgets, making it work because somebody in the organization has said it’s going to be released on this date regardless of what happens, and now it’s like instead of writing 12 lines of code to make it secure, I’ll cut corners and I’ll write just four lines of code and maybe I’ll just grab something from open source and because it’s already been written, I can save myself five minutes. And then not having that skill to actually identify in fact that those four lines of code have quite a lot of vulnerabilities in them, I shouldn’t be copying and pasting those into something that’s going to go out into production.

Cole Cornford:

I wouldn’t say that it’s a skill issue. I think that universally software engineers I encounter are smart people. One thing I drill into people’s, especially security professionals’ heads, is that they’re never malicious. Well, okay, sometimes they’re malicious, but it’s [inaudible 00:20:01] small. And if you’re dealing with malicious internal developers, then you’ve probably got some high level cultural issues you need to address first before you worry about security, in my view.

But anyway, move away from that. Most people don’t come to work and say, “I’m going to intentionally introduce security vulnerabilities,” or, “I’m going to make life hard for the security team.” They say, “How do I just get my job done?” And developers are measured on their ability to produce features and get it, like time to market, and make it good enough across a lot of different types of non-functional requirements where they need to [inaudible 00:20:37].

And you’ll find that each developer tends to have one or two areas that they really care about and a bunch that they just do not in the slightest. And I know for me, I care very much about security, I care about usability, I care about code maintainability, but I’m not at all interested in cutting edge bleeding technology, internationalization, performance of code. Those kinds of things just bore me. And I know that we can flip the exact same thing and say, there’s a lot of developers out there who put security right down the bottom in the things that they care about as well. So it’s not that we need to teach every single developer to implement security, it’s just that it’s hard to teach people when they don’t care about something.

Jeanette Gill:

For me, I would think that a developer, you’re right, security is not front of mind. So maybe that approach, Cole, educating developers, if you think more with a security mindset, you will have less vulnerable code coming through the pipeline. Your code will less likely come back to you to be fixed, to be reviewed because there is an issue. Start early, secure [inaudible 00:21:54], secure from the start, because then you’re going to have more time to innovate and build awesome, awesome things, awesome products.

Because no developer wants to be told, “Hey, your code is a little bit messy. You need to go back and review it.” And that code, you might’ve written that six months ago, 12 months ago, and they’re just getting around to it now, and it’s like, I don’t want to fix this. It’s like ancient old, I did this a year ago. No, but yes, you do have to do this and you have to stop what you’re doing now.

Cole Cornford:

Yeah, I think that a lot of security people, the queue just keeps increasing and they get overwhelmed because I’m anticipating that over time we’re going to see artificial intelligence really increase the cadence at which we are able to write code and make that code decent as well. But the activities that we’re traditionally invested in aren’t going to scale unless they leverage artificial intelligence as well.

So I’m interested to see, because I think that education’s a really good spot to be filling that in, and AI can really accelerate education too. So is SCW looking at doing anything with AI to make it good? I think I read an AFR article a while ago that Pieter’s investing in there.

Jeanette Gill:

Yes, having a look. But I think at the moment, so we have done some testing. We have looked at AI, writing code or asking ChatGPT to write a line of code, and up until now, every single time, it’s not been something that you want to put into production. So I think over time, yes, I think things will, it’ll probably get better. It’ll grow and it’ll evolve. But I think at the moment it’s still early days. Early days.

Cole Cornford:

It just occurred to me, I didn’t actually explain what SCW is. So would you just want to give a bit of a background for listeners who haven’t even heard of Secure Code Warrior, also known as SCW?

Jeanette Gill:

Yeah, so we call it, yeah, SCW, Secure Code Warrior. So it is Secure Code Warrior, not Secure Code Warriors. So my team, we are the Warriors, but the brand, I still come across people saying, “Oh, I really love Secure Code Warriors.” Are you talking about me and the people, or are you actually talking about the platform?

Cole Cornford:

Well, Secure Code Lawyers, is that enough? Look, I’m going to start a competitor business, like calling it Secure Code Lawyers, and it’s just going to cease and desist to [inaudible 00:24:14].

Jeanette Gill:

Funny. Okay, so Secure Code Warrior, what are we? We are a platform that you can implement in your organization to upskill your developers in secure coding practices. We’re a tool that integrates with the developer’s ecosystem, Jira and GitHub. It’s training, it’s skills uplift, it’s awareness, and what we provide, what Secure Code Warrior provides, is also a vast amount of content, different ways of learning. It’s not just videos, boring videos that kind of drone on, and we know how it works. People scroll the video ahead to get that tick in the box. I’ve seen it, I’ve done it.

Cole Cornford:

Oh, me too. It’s all the LMS stuff being like, you should know your obligations as an employee. Here’s the emergency evacuation procedures for this office that you use in another state that you’ve never been to. And I’m like, ah, yes. Let me just move this cursor to, oh, I can’t drag the cursor. Let me just type the JavaScript commands to get to that.

Jeanette Gill:

Exactly, exactly. Exactly. But we have the videos as well. That’s a way of learning. Some people like that. And it’s graphical. But we allow developers to uplift their skills in their language and their programming language and framework. So we’re up to about 60 languages, programming languages and frameworks in the platform, and it’s growing. So we’re always listening to customers. How can we evolve? How can we meet your needs? And looking at new evolving languages that we can add to the platform, and all the content that your heart desires really. And if we don’t have it, share with us what you’re looking for so that our team can look at it, investigate it, and possibly introduce that to the platform.

So really creating a robust and secure organization starts with people, and those people are the developers. That’s where it starts. So we really want to mitigate any of those known vulnerabilities, keep our organization safe and secure. And again, it starts with secure code and that’s what really we want to enforce. So we have many integrations and partnerships. I mean, I could go on and on, so I’m going to stop here and say www.securecodewarrior.com. Have a look.

Cole Cornford:

Not sponsored by SCW, by the way, guys. So just want it out there. But anyway, with your customers, what do you think the biggest challenge is to rolling out an education program is that you typically encounter? I think that you would have a lot more experience than most AppSec professionals with rolling out training programs, especially because let’s maybe push it into two categories. How about we’ll start with the single person, small to medium enterprise, what do they struggle with and what do you recommend people do?

Jeanette Gill:

They struggle with getting buy-in. We all want to be safe and secure, and it does take commitment and it takes support. So again, one application security person, 1000, 2000, 6,000, 10,000 developers, and nobody in the company, no developer is going to jump up and down and get excited when they’re told, “Hey, we’ve got a new training program and it’s called Secure Code Warrior. Yay.” No, there’s going to be a lot of eye rolling and, “Oh man, I don’t have time for this. I’m so busy already.” So really we need to look at getting that support from the leadership team.

So some of my most successful customers, and I’d love to rattle them all off right about now, but I’m not going to, but they’re very well known to everybody, especially here in Australia, have been very successful when senior leadership, when the chief information security officer, when the head of engineering, when the chief technology officer understands the value and what we want to get out of the program and what we’re trying to achieve and is supportive, and that comes from the top down.

So the C-suite, the SLT, senior leadership team, they really need to get involved and be passionate about what they’re trying to achieve. Now, when I talk about what to try to achieve or what we want to achieve, what is your measure of success? What are we trying to get to here? And these AppSec people, individuals and teams, they need help. I’ve come across organizations when we’re introduced and my first question, some of my basic first questions are, okay, so what programming languages do you use in your organization? And Cole, you know this because you and I went through this together not too long ago. Which program languages and frameworks do you use? Oh-

Cole Cornford:

Everything.

Jeanette Gill:

We use a bit of Java. Okay, there are like five, six, seven, eight different types. Which one? “Oh, not sure I’ll get back to you.” I love the question, I once asked a client, “Which languages do you use?” “Oh, Spanish, German. Oh, obviously English.” I’m like, yeah, no, that’s not what I’m talking about.

Cole Cornford:

And you’re like, duh.

Jeanette Gill:

Oh my goodness. Okay, so tell me what languages you’re using. Tell me what tools are you using? Are you scanning code? Pen testing? Do you have a bug bounty program? “I’m really not sure, Jeanette.” “Okay, well, those are things we need to find out.” “Okay, so what about your vulnerability management team? Have you spoken to them?” “Oh, I don’t even know who that is.” Well, you’re going to have to find out because my next question is what are your top three, top five vulnerabilities? Because let’s start targeting those and reducing those because that’s the pain right there. Let’s get rid of some of that pain. Let’s get a big dose of Panadol and reduce the pain.

And that’s a struggle. That is a struggle for a lot of organizations that have people that do need help. And that’s where we come in, Secure Code Warrior. Look, we’re there to help and alleviate some of that pain and ask the questions and guide individuals to identifying what’s the measure of success? Let’s remove the low barrier to accessing the platform. Hey, do you guys actually have single sign-on? Because your developers don’t want to do a thousand clicks to get to the platform. They want to just be able to get to it, do what they need to do, and then get back to work. Reporting, rest API, use our rest API, pull the data that’s important to your senior leadership team and start reporting back to them that what they’ve invested in is making a difference, is actually impacting the organization, because that’s what they want to know.

Secondly, and I feel very strongly, Cole, is recognize your developers. Recognize the ones that are doing the right thing, that are upskilling, that are improving, that are vocal, that are sharing their knowledge. Recognize these individuals, and that’s something you can do with the platform.

And integrate. One of the one things I love is look at the integration. The integration, instead of bringing the platform or bringing the learning and education to the developers, kicking and screaming, bringing them to it, bringing them to what you want them to do, why not embed it into their ecosystem? We integrate with Jira and GitHub. Give it to them when they need it most. A developer’s been given a ticket in cryptography, fixed mass assignment of vulnerability. Oh man, I don’t know nothing about that vulnerability. What do I do now? They go off and Google. Let me spend a half an hour just reading up on this. No, stay in your environment. You’re in the ticket, click on get training now. Be directed to Secure Code Warrior, and get the training when you need it most. Utilize your time.

Cole Cornford:

A lot of things to unpack there. I’ll start with probably my favorite one, which is a bit more helpful for everybody a bit more broadly, is the leadership team buy-in. I don’t think that you can have a successful security program unless you have a leadership team who not only recognize that security is important, but also can live the values that you’re trying to set. And as long as security is considered an IT problem instead of a business risk or business challenge, then it gets really difficult to get other people outside of the IT domain to start making decisions with that context.

I know today we had an incident in the morning with one of the big telcos in Australia, and one of the immediate questions I was asked, “Is this a cybersecurity thing? And why haven’t they learned from the incident 12 months ago?” That company is really aware that this is a business challenge that they need to be addressing the resilience of their software systems and resilience of their services.

And I think that it could have been significantly worse that it was, but yeah, even as a dad, one thing I know is that sometimes I’m guilty of this, I think every parent is, is that I just want to sit there and read the AFR on my phone while my baby just lays there just being like a baby, just being [inaudible 00:33:18]. What I’ve now been noticing is that the baby makes an effort to go to the phone, and that made me sad. So I’ve picked up the phone and I put it in a separate room and I just sit down and be present with her and stack. We’ve got these toys which are like these spindles that are made of plastic, and then we just stack them on top of each other, and she likes to give me one, and then she gets angry when I take it away from her.

So I don’t quite understand the baby mind. She’s like, here, take this. And then like, I didn’t give that to you, I just want to show it to you probably. But the main thing is that by just being there on my phone, I’m not present with the kids. And so the kids see that I’m not there and they want to do the same behaviors that I’m doing. Even with Sydney, she watches TV when we’re having dinner, and she asked me a very prudent question a few months ago, and she was like, “I don’t understand why you can sit there on your phone. I’m not allowed to watch television. Why can’t we both use screens?” And I said, “That is a very good thing. Daddy’s going to take his phone and put it away, and TV’s not going to be on during dinner,” and we’ve got a 50/50 success rate with that so far.

Because as a business owner, work doesn’t stop. But sometimes I do get the ability to go put the phone and just shove it in a different room. But yeah, like I said, the leadership team buy-in is really important. Measuring the success and rewarding people, that’s just table stakes. If you can’t say, “Hey, I’ve invested money in this program and this is the outcome,” and then reward people for doing the right thing, I don’t know. That just seems like good management to me.

Jeanette Gill:

100%. And coming back to what you said about yourself and your daughter, so basically what’s okay for dad is not okay for me, that doesn’t work. I don’t understand that. And really quickly, I’ll share with you a very successful customer, Secure Code Warrior customer, this just blew my mind. And when we tracked the metrics, it was very interesting because this organization decided to implement a program, but before they put it out to the developers, before the developers were asked to go through this program, the CISO and I think the head of engineering, they both took the training and the exam first. They were the first ones to take it.

Cole Cornford:

Oh, okay.

Jeanette Gill:

Yeah. I thought that was fabulous. And that was actually cascaded to the organization, within the organization, basically from the chief information security officer saying, “Everybody, if you’re a developer, if you are submitting code in our organization, I just took the training. I didn’t do fabulously, but I took it and I understand now where my strengths and I understand where my weaknesses are, and now I can target those. And I’m expecting the same of you. I’m taking this as at the same level as you are. I expect the same of you.”

And after that comms went out … So I work very closely with my AppSec person there. We monitored, I monitored it here, and I just saw the engagement level was like a rocket that just off the charts, everybody jumped on, wanted to know what he was talking about. He did it. He’s asking me to do it. Can I be better than him? It was great. That is senior leadership really leading by example and expressing why it’s important to ab organization, why you’re doing this training. Fabulous, fabulous. And I share that with a lot of my clients.

Cole Cornford:

If they’ve got time to take an exam, do a tournament, and listen to the material, there’s usually no excuse for a lot of the developers a little bit further down who say, “Oh, I’m too time poor,” or, “I’ve got to get these features pushed out.” It’s like, well, yeah, you’ve got two to three feature tickets that you’ve got to push in the next two weeks, but look at the guy like four rungs above you who’s managing catastrophic risk of all of these things, and he’s still finding time. Give the busiest person more work and it’ll get done. That’s a pretty common one I hear.

Jeanette Gill:

Yeah, and the other thing I think people need to keep in mind, especially in AppSec, and all the AppSec people I work with, phenomenal. There are fabulous people in AppSec that are doing just amazing things, but let’s be really open and honest and transparent here. Quite often, unfortunately, the developer community, they don’t want to see emails and comms coming from the AppSec team.

So if you’re in AppSec, if you’re driving the program, leverage individuals like the heads of engineering. You need to leverage and build a relationship with those individuals that developers really respect and look up to because when a message comes from them, you’re going to see a lot more engagement, a lot more willingness than when it comes from you, unfortunately. And I hope in future that does change because I think there’s a bit of education that needs to be done in terms of I’m AppSec, I’m here to help you, I’m here to assist you, but that’s not how it is right now.

Cole Cornford:

Yeah. One of the things I do with my consulting a lot of the time is to try to get people out of their technical area of expertise and start thinking about business challenges, business risk, and how you can support business functions while maintaining security. It’s a shift from working in the business to working on the business.

If your headspace is always about looking at triaging results from the static analysis tools, so I can send them to dev teams to go fix them, because I want to reduce the amount of false positives or false negatives, and that’s how I’m contributing to the business. If you think about on the business thing, what you’re actually doing is decreasing the velocity that engineers are doing and increasing the likelihood that a business owner’s going to risk accept that, right?

Jeanette Gill:

Yeah, yeah.

Cole Cornford:

And the AppSec person will say, “I’m doing my job. This is great.” And the business people will be like, “These people just keep throwing tickets in my queue and slowing down development.” So it’s a difficult conversation to have with people because it’s very outside their comfort zone to say, okay, all of this security and engineering knowledge and stuff that I’ve learned is all well and good, but now I need to go make friends everywhere and then get those friends to start respecting me. And it can be as much as actually committing code that can fix the vulnerabilities that they’ve identified. I know that I’m going to get some hate mail later by people saying, ah, but you got line one and line two and segregation of duties.

I think ApPSec is in a bit of a weird spot where in some institutions, that’s totally fine. You absolutely do need to do that. But in other places that, especially the smaller ones and the not regulated ones, then what the hell, just go out there and just write a couple of lines of code or build stuff that makes the life of developers easier. A few examples I can think of is Slack has the self-service questionnaire for being able to have end product managers make educated guesses to effectively come up with a security scorecard about what features they’re building, and based on that they can choose to do things.

Or the AppSec team has full-time software engineers dedicated to producing libraries that the rest of the organization consumes so that we don’t have 500 people importing all sorts of different open source dependencies to say, yep, this is how I’m going to be managing input validation or output and coding or whatever. As an AppSec person, I find it’s a lot easier to have these conversations with head of engineers and stuff, because most of these people are extremely competent software engineers who are balancing a lot of different requirements, and they have tremendous respect for security and understand its importance.

Jeanette Gill:

Agreed.

Cole Cornford:

So they’ll usually give you the time of day, just don’t go in there with a checklist that you need to be doing every pull request, regardless of size or risk or whatever, needs to have run static analysis, needs to have run an SCA tool. All your devs need to be trained at least biannually. Otherwise, they’ll run off and be like, yeah, this guy doesn’t know what he’s doing.

Jeanette Gill:

Exactly.

Cole Cornford:

It’s a challenge.

Jeanette Gill:

It is.

Cole Cornford:

To change the industry’s perception about how to approach these problems because most people in Australia have just been taught, here are the tools, go use them. And instead of, let’s think about how to build resilient systems, and that’s a very different mindset.

Jeanette Gill:

It is. It is. Agreed.

Cole Cornford:

So I wanted to shift gears a little bit to coming to Australia. How did you get integrated into the security community? What steps did you take? Because I know when I was going to Victoria, Canada, in advance was already just reaching out to everyone I knew from all the podcasts and stuff, being like, who’s here? Who’s the who who? I’m going to go meet everybody and say hello, going to learn all the meetup groups and so on. But what steps did you take to get in there?

Jeanette Gill:

Well, I guess the biggest step was when I joined Secure Code Warrior, obviously, getting into application security in the industry and getting to know people within each organization that I worked with, and then very basic, for me, it was basic. LinkedIn was probably one of the greatest tools that I had. Even though I have to say before Secure Code Warrior, my digital footprint out there in the world is very minimal. So I’m not a big advocate of Facebook and exposing myself and putting myself out there digitally.

But I realized very quickly that LinkedIn is a great place to get to know people. Once the LinkedIn algorithm is in place and you’re linked with all the right people in the industry, you start getting some really interesting feeds from people, and people are sharing information and where they’ve been, what they’ve done, what events are coming up, and you just haven’t, yeah, I learned a lot from LinkedIn and I do enjoy looking at it, and I really very much enjoy seeing people that I know or in the industry add information to LinkedIn.

The other is, as you would learn and grow in the industry, organizations like OWASP. So for anybody that doesn’t know, the Open Web Application Security Project, again, very grateful to the team in Auckland, because that’s how Cole and I know each other. That’s where we met. And Secure Code Warrior are a very big supporter of OWASP. So just getting involved and reading up, joining meetups, speaking to people at events. I love going to these meetups like CyberCon that we just had in Melbourne, 2023, any of the developer meetups events [inaudible 00:44:32]. It’s where you get to meet really interesting people and people that are really passionate, passionate about application security, making a difference, and just really wanting to know what you do, but also very giving in terms of the information and what they know. So I think that’s where I’ve gained a lot of my knowledge.

And also, gaining knowledge, I have to look inwardly as well. In terms of Secure Code Warrior, the team at Secure Code Warrior, there’s so many people coming from so many different backgrounds with so much knowledge and pen testing and threat modeling and having done CS and sales in an AppSec industry. And you just learn from your colleagues. And I also learn from my customers. I have some customers that are extremely smart and have educated me along the way, and I would never say no to somebody sharing their knowledge.

Cole Cornford:

That’s one of the things I like about consulting, is you get a variety of experiences and you meet a lot of different people and some people at different levels of maturity, but it’s refreshing when you encounter people who are just a lot better than you and you tell them that you’re doing a good job.

Jeanette Gill:

Oh, absolutely. Oh, definitely. Absolutely. Yeah. And things like this, Cole, honestly, webinars, when I see webinars pop up about really people that you’re interested in and that know their stuff and they’re giving a web. I love the podcasts. I’m a big fan of your podcast because a lot of the people that have already been on the show, I know them, or I have worked with them or people that I would like to get to know. And then it kind of prepares me for when I do meet them, I know a little bit about them.

Cole Cornford:

See, it’s a customer success tactic, to listen to the podcast.

Jeanette Gill:

Yes, absolutely. Absolutely. Definitely.

Cole Cornford:

So I know earlier you were mentioning that you really enjoyed the initial interview with Toby, and you also, you had a question you wanted to ask me. So did you want to expand on both of those?

Jeanette Gill:

Yes. Okay. I do have a question for you, Cole, and it is just really basic. Is it developers, programmers, or engineers?

Cole Cornford:

Yes. Okay. I’ll split this [inaudible 00:46:39] category. So I’d say that they’re in orders of maturity. So I’d say that a programmer just solves a problem without any kind of context about, you know, they just get it done. A developer builds a solution to solve a problem, and an engineer puts a lot more rigor around it for things like performance, scalability, maintainability, and so on. Everybody wants to label themselves as an engineer, but sometimes you just need a programmer.

And in fact, a lot of the pen testers and people who write short scripts to automate things, I’d consider them to be programmers because it’s just meant to solve a problem quickly and in an automated fashion. It’s not meant to be a system that lasts for 10 to 15 years. And a developer, yeah, you paid them to do a solution, but it’s not about, oftentimes the solution solves a business problem, but it doesn’t have the same level of constraints that you may need to consider.

Like you’d say, “This is a C# application and I’m going to use all of these technologies because I’m quite familiar with it, and this is why. It’s how I’m going to architect that to work for you.” An engineer might say, “Cool. We’re not going to use a relational database. We’re going to be using a graph based database for the reason that joins are logarithmically more complex over time. And we’re going to, since this is a file sharing application, we’re going to be looking at services where egress traffic is really cheap in the cloud to minimize cost.”

These kinds of things aren’t considered all that much by devs or by programmers because programmers just want to get stuff done. Devs, solution, they build something, but they’re not thinking about all of the rigor and other things that go around it. And an engineer is always really considering all of the different types of non-functional stuff to make systems robust and resilient performance and all of that into the future. I would want to have a bridge up to code that an engineer builds. I don’t want to have a bridge built by a programmer.

Jeanette Gill:

Got it.

Cole Cornford:

Unless I needed the bridge for five minutes. In which case, you know what? Just go get yourself two planks of wood, shove it across the creek. I’ll cross. I’m never going to look at these planks of wood again. It’s fine.

Jeanette Gill:

Once I’ve crossed, once I’ve gotten to the other side and it crumbles behind me as I’m taking each step, then I don’t care really.

Cole Cornford:

That’s it.

Jeanette Gill:

As long as I get across.

Cole Cornford:

The fairytale bridges that you think about, like a wooden one where things fall out and stuff, that’s how programmers work, so they solve the problem.

Jeanette Gill:

Okay. Okay. The reason I ask is because I have a client that said to me, “So Jeanette, heads up, we are going to move away from the terminology developers,” because naturally I use that terminology, right? Devs, devs, developers, devs, devs, or, gosh, who was it again? Steve Ballmer.

Cole Cornford:

Yeah, Steve Ballmer.

Jeanette Gill:

Yeah, Ballmer. Yeah, so he was the CEO of Microsoft.

Cole Cornford:

Yeah. Developers, developers developers.

Jeanette Gill:

Yeah, developers, developers, developers. Oh man, whenever I watch that video or that YouTube, I’m thinking, wow, this guy’s, I need some [inaudible 00:49:42].

Cole Cornford:

He had a lot. Have you ever heard of the Ballmer Peak as well?

Jeanette Gill:

No.

Cole Cornford:

So there was a period of time where they had a graph in a Microsoft office where it was [inaudible 00:49:51], and it was about the amount of whiskey that you consumed. And if you had a little bit of whiskey, then your productivity would increase by 10 times, but if you had no whiskey or you had too much whiskey, it would be terrible. So the idea is that there’s the Ballmer Peak, and that’s how early Microsoft got done. So go look it up. It’ll come up with a graph on Google straight away.

Jeanette Gill:

I’ll have a look. I will have a look.

Cole Cornford:

He’s a character. I think he owns a couple of baseball teams as well. So wish I did.

Jeanette Gill:

Yeah, this developers, developers, developers. Wow, okay, that was a new one for me, but it was fun to watch. But the thing is, so the thing is this, the customer says, “Jeanette, we’re going to move away from the terminology developer, and everybody’s going to be called engineer.” So whenever I have a call now, I have to be very mindful. I’m very respectful of being like, okay, I’m on a call with X, Y, Z, and I’m got this big post-it, engineers, on my screen. Be mindful. Because some people, programmers, developers. So I thought, who better to ask than Cole?

Cole Cornford:

Look, titles matter. And whoever, I guess back in the day, we’d have web masters and then CIS admins, and now you’d say you’re a DevOps engineer, but at the end of the day, you are just operational or site reliability engineer, SRE. That’s another common one. I think a lot of industry just recognizes if you use the terms programmer or developer, people see that as like, oh, this guy doesn’t really understand all of those other things. They want to elevate the title. But I can guarantee that there’s a lot of software engineers who are actually programmers out there. So based on the code I’ve read.

Jeanette Gill:

All right, got it.

Cole Cornford:

All right, so let’s move into the fast questions now. So are you ready? I hope that you tell me exactly what comes in your head. Here we go. First one, what’s the best book to give a developer for Christmas?

Jeanette Gill:

The best book to give a developer? Oh, man.

Cole Cornford:

I’m nasty.

Jeanette Gill:

Man, you caught me off guard because, okay, a developer, I don’t know.

Cole Cornford:

All right, let me change it. A software engineer. Yeah, how’s that sound?

Jeanette Gill:

It’s all the same to me, Cole.

Cole Cornford:

I know. It’s all the same.

Jeanette Gill:

Oh my God.

Cole Cornford:

I’m a shit stirrer.

Jeanette Gill:

Okay. If it was me, if you said, “Hey, Jeanette, if you want to give a book to somebody like yourself,” then I’m ready for your question.

Cole Cornford:

Well, how about that, Jeanette? You have to give yourself a book for Christmas. What book would that be?

Jeanette Gill:

I would want two books, Cole, not just one.

Cole Cornford:

Okay. All right. She’s got high standards.

Jeanette Gill:

The first book would be The Phoenix Project. So The Phoenix Project, I think it was written, it was Gene Kim, and the reason why I like this book is IT and DevOps, it’s all learning. Learning about a team that needs to transform the way they work to save their company, but it’s written in a story format. So for somebody like myself, or if someone’s getting into AppSec or somebody wants to understand how the whole business works, when something breaks down and how to solve it, all the people, all the personas that get involved, I thought that was a really great book, taking you through the whole journey from when the crap hits the fan to solving it and getting the right people involved. So I thought that was a great book.

The other book, I have to say, which has helped me understand the ecosystem, is from Tanya Janca, Alice and Bob LearnAppSec. It’s out there. When it came out, I thought, oh, and I’ve seen her speak, and I like what she says, and it’s really helped me in terms of learning. So anybody that’s looking to learn the beginnings of the SDLC, the function, software development lifecycle, best security practices, anything about threat modeling, I mean, I find that very interesting now and I’m surprised that organizations that don’t do it, because you can threaten model a peanut butter sandwich, you can go to town on almost anything.

Cole Cornford:

So many ways you can go wrong, like choosing the crunchy or the smooth and picking the one that’s-

Jeanette Gill:

Right.

Cole Cornford:

My wife really likes this one that’s called Simply Peanuts, and I always like getting the craft ones. And the difference between the two is that one’s full of sugar and one’s entirely peanuts, and I like the sugar one.

Jeanette Gill:

Yeah, okay. Well, I like my peanut butter crunchy, but then I’ve got to decide, oh man, I still, from my early days having braces, I do have … Anyway just, is it going to get caught in my teeth? Do I have to brush right away? Do I need to carry a toothpick around for the rest of my life? I don’t know. So I really do, I like those books. So if it was something I wanted to give to somebody like myself, yeah, I enjoyed reading those and it really put things into perspective for me.

Cole Cornford:

I think they’re both great books. I’ve seen The Phoenix Project recommended many times on this podcast.

Jeanette Gill:

Oh, awesome. Okay.

Cole Cornford:

Yeah, go back and listen to basically every other episode, and you’ll see that book pop up like four or five times, I reckon.

Jeanette Gill:

Oh, fabulous. Okay.

Cole Cornford:

Gene Kim was actually in Sydney a few weeks ago.

Jeanette Gill:

Oh, I did not know that. Oh, interesting.

Cole Cornford:

Talking to a few big institutions. So yeah, hopefully we’ll start seeing their resilience pop back in there.

Jeanette Gill:

That would be nice. I liked it.

Cole Cornford:

Cool. Next one. What’s the most interesting talk you’ve heard in the last year?

Jeanette Gill:

The most interesting talk that I’ve heard in the last year.

Cole Cornford:

Or just the best one that you’ve heard? It doesn’t have to be interesting.

Jeanette Gill:

There’s so many, Cole, I feel a little bit not prepared for this one. Look, this is going to sound, I’m really sorry for anybody out there listening, and I know this sounds a bit cheesy, but I actually really, really enjoy listening to, here it comes, our CEO, Pieter Danhieux. Pieter is so passionate about what we do, what he’s created, the importance of securing code, not understanding how SQL injection was created 20 plus years ago. And on the day it was found, it was fixed. And why is it still in the OWASP top 10? I mean, it’s now OWASP number three. It moved from one to three, right?

But when he talks, he’s very passionate, he’s very articulate. He’s just really a fun guy to listen to. And I know it’s a bit cheesy. He is my boss, he’s the CEO, but I don’t get to see him a lot. And I’m not always there in all the talks. He goes around, he’s global. So when I do get that opportunity, and I did have that opportunity in Melbourne a couple of weeks ago at CyberCon 2023, I thought, oh, I’m going to go see Pieter give a talk.

And it’s always great. And I always feel like I come away. I’ve learned something. So look, if anybody is ever out there, and Pieter Danhieux, regardless of Secure Code Warrior, but if you see a talk given by Pieter Danhieux and you often, he’s an ex [inaudible 00:56:40] instructor, so he knows his stuff. Go and have a listen. Go and have a listen. Yeah, so there you go.

Cole Cornford:

I always like people that are focused on doing really good public speaking and know the material very well. It’s pretty rare. There’s a lot of people who are excellent at pen testing or code reviews or whatever, but finding people who are, I guess that’s why he’s the chief exec of a good company.

Jeanette Gill:

There you go. Yeah.

Cole Cornford:

All right, last one. Best recipe for a Friday night when you’re lazy. This is a cooking podcast now.

Jeanette Gill:

All right, so cool. I’ll tell you this, a bit of context here, and you already know this. So I do a lot of Dragon Boat racing, so almost five times a week I’m on the water doing something, getting ready for big events. And to come to the cooking bit, sometimes I come back and it’s eight o’clock and I want to eat something really nice and tasty, but it’s got to be quick, it’s got to be efficient, and it’s got to be high in protein.

So I love peppered salmon that you can purchase. It’s cold. Some brown rice, a nice big ripe avocado. Put it all together, throw in a couple of tomatoes, throw in whatever you want. But I like salmon, brown rice, avocado. Fabulous. I’m actually salivating right now, Cole.

Cole Cornford:

Here I am thinking I’m remotely healthy by drinking bubbly water that’s got some lime in it. I cook paella because I just want to eat a lot of rice. It’s just full of fats and sugars.

Jeanette Gill:

And there you go.

Cole Cornford:

Oh, my wife loves it. I’m always about cooking paella. Well, Jeanette, thank you so much for coming on to … Oh yeah, yeah, go ahead.

Jeanette Gill:

One quick, I must mention one thing and then we can wrap up. So very, very important, I want to just call out if anybody has listened in to previous podcasts. The very first one that Cole interviewed was Toby Amodio, and Cole and Toby talked about giving an auditor a hug because you think they need a hug. I’m telling everybody on the call right now, please go and hug your AppSec team. Hug the entire team or the individual. They are the ones that need a hug. Give them some support. Cole, that’s it from me.

Cole Cornford:

Okay. So I’m going to go one further and say, give everybody hugs.

Jeanette Gill:

Yes.

Cole Cornford:

Get consent, but then give hugs. It’s okay.

Jeanette Gill:

Everybody, give them all hugs.

Cole Cornford:

Everyone. Everyone needs hugs. All right, well, Jeanette, thank you so much. It’s been an absolute pleasure to have you on the podcast and hopefully we’ll have you on again in the future.

Jeanette Gill:

Thank you so much, Cole. I’ve really, really enjoyed it. Thanks again.

Cole Cornford:

Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.