SECURED

From Software Developer to Cybersecurity Expert: Nina Juliadotter on the Importance of Application Security and Continuous Learning

After years of working as a software developer, Nina Juliadotter was reading headlines about data breaches at major companies. She was horrified to think developers like herself might be leaving vulnerabilities that made these breaches possible. This inspired Nina to study for a Master’s in Cybersecurity, and she has focused on improving application security ever since. Today, Nina is Westpac’s Principal Information Security Consultant. In her conversation with Cole, Nina discusses cybersecurity education and training, the crucial role of software inventory management, the importance of not being afraid to ask “dumb” questions, and more.

3:13 – Nina’s path to getting into cybersecurity.

3:37 – “I was horrified” – Nina felt responsible for data breaches.

4:50 – Cole: Are developers taught about AppSec today?

7:00 – Need for higher-up management to appreciate the importance of AppSec.

9:00 – Cole: How do we tackle the problem of not having enough respect for AppSec?

10:30 – Nina: I don’t think secure development is rocket science.

12:10 – Nina: I believe the work is meaningful.

13:00 – Nina: It comes down to good and evil.

13:30 – Cole: AppSec is working with real, tangible things.

15:00 – Cole: What does formal cybersecurity education look like?

16:30 – Nina: Considers her work very specialised and narrow-focused.

17:00 – Cole: Believes most AppSec professionals are generalists.

18:30 – Nina: currently focusing on inventory management.

19:00 – Nina: Where do you start with an AppSec program?

21:45 – Cole: How does a large organisation tackle inventory management?

22:40 – Nina: how inventory management works at Westpac.

24:50 – Cole: What’s one personal trait that’s helped in your career?

25:00 – Nina: I was never one of the gifted kids.

25:45 – Nina: Important to always ask questions.

29:30 – Cole: Importance of hard work.

30:40 – Rapid fire questions.

Nina Juliadotter:

It comes down to good and evil. As far as I’m concerned, I’m fighting evil here. Damn those bad guys. You’re not going to get my data, my money, my transactions, my information. F you. I really feel like I’m helping build stronger applications that cannot be breached.

Cole Cornford:

Hi, I’m Cole Cornford, founder and CEO of Galah Cyber, and this is Secured, the podcast that dives deep into the world of application security. I’ll be chatting with Australia’s top software security experts about their unconventional career paths to uncover insights on the diverse approaches to AppSec. After years working as a software developer, Nina Juliadotter was reading headlines about data breaches at major companies and was horrified to think that devs like herself might be leaving vulnerabilities that made these breaches possible. This inspired Nina to study a Master’s in cybersecurity, and her career has focused on improving application security ever since. Today, she is Westpac’s principal information security consultant. In our conversation, we discuss cybersecurity education and training, the crucial role of software inventory management, the importance of not being afraid to ask dumb questions, and a whole lot more. Hope you’re excited. So, the first question I ask all my guests when they come on to the podcast is, as the head of Galah Cyber, the founding feather, as one would call it, I ask everybody, what bird are you most like and why?

Nina Juliadotter:

That’s a very good question, Cole. I believe I would be most like the bar-tailed godwit. The bar-tailed godwit, much like myself, likes to migrate between Northern Scandinavia and our terrain down here in down under. It likes to go between, and I find it very sympathetic. It’s amazing how it can fly for 1000ks without even stopping for a snack. I’m not saying I’m… Okay my endurance is pretty good, but perhaps not that good. But yes, that’s definitely the bird I would most identify with.

Cole Cornford:

Yeah, cool. So I like that one because it’s a bit of a unique bird. So I guess next question is we’re going to be basically focusing quite a lot, and at least in this podcast, on making sure that we elevate the profiles and background stories of people who are working in cybersecurity, and especially AppSec. AppSec is my area and I love bringing people on. I know that you’re one of the people I learned a lot from over at Westpac, so I’d be excited to hear about how you got into that role and where you came from.

Nina Juliadotter:

Yeah, that’s very interesting, isn’t it? Everyone has their story into AppSec. So I did computer science as an undergrad many moons ago, and I worked as a software developer for many years. Kind of enjoyed that. But then at one point or another, I was reflecting on these headlines in the media about data breaches and I was like, “Oh, who wonder about that is? How do they come about? What is this?” And I was horrified. I had that sinking feeling like, “Oh my God.” I felt like this is my fault. Because when I had developed all these web applications as I had, I’m ashamed now, but back in the day, I didn’t actually think about what adversaries could do. I thought, “Well, you make a form. You’ll ask the user to put their name in. Of course they’re going to put their name in. What else are they going to do?” And then I was like, “Oh, right, you could put malicious code in there. Of course you can. And I’m not checking for that, am I?”

Anyway, and I’ve always been a bit incensed by evil people doing evil deeds to good people. So I was like, “You know what? I can do something about this.” So yeah, I did a Master of cybersecurity to upskill and to learn more about security and that was incredibly interesting. I also did some online hacking courses, which was also very eye-opening. I come from the offensive side. And yeah. And then wiggled my way into AppSec from there with those two experiences. Yeah.

Cole Cornford:

That’s really cool. You’ve come from a software engineering background, you wanted to do better. Do you think it’s changed terribly much since when you moved into the field? Because you’re a bit of an old hand at this point. So do developers do security or consider it as part of their education now? Or how do you think?

Nina Juliadotter:

I think it’s slowly changing. I think I see both sides of that. I still see a lot of developers who have no idea about security in a way that I just find mind-boggling, how they cannot understand this in this day and age. So there’s a lot of people who don’t know what they’re doing and do not consider security. Having said that, when I had first finished my Master of cybersecurity and was all very excited, I rang back my old uni where I did my undergrad in computer science and said, “Hey, I can help you with security because you don’t have a curriculum in security and I can help you bake it into your courses.” And they were like, “No, thanks.”

Cole Cornford:

That’s awful. That’s so bad.

Nina Juliadotter:

Yeah. I was like, “Oh.” But having said that, in these days I see all these grads now at work and they all seem to be learning quite a bit about security and building security in. And they do, as far as I can understand, compulsory courses on security and I guess to an extent on application security. It’s definitely getting better, it’s just taking a very long time. So hopefully we’ll be in a better position, I don’t know, maybe 10 years or something.

Cole Cornford:

I mean, yeah, that’s all well and good for new entrants into the market, but what are we going to do about the existing developers? 95% of the workforce aren’t graduates, probably more than that. So what do you think we do to actually help move those people on their journey as well?

Nina Juliadotter:

Well, it’s a combination of carrot and stick. I would like to put my optimistic hat on and think that if you’re a software engineer, surely you want to do the best job you possibly can. And you could definitely say that security is one aspect of quality. So I would like to think that software developers want to do a good job and want to build security in… However, looking back at my experience as a software developer, I was given requirements, “Hey, this app needs to do this, go and program it.” And I was like, “Yeah, sure thing, let’s do that.” And then I did that as fast as I could, and then I delivered it and everyone was happy.

Now, if there is no higher-up management telling me that, “Hey, security really matters and you really need to build it in, and that’s going to be part of your performance review and this and that,” it’s never going to happen, ever. So I do feel like organizations are focusing so much time and money and effort on educating developers, and it’s like throwing money and effort into a black hole. Because if you don’t have the top-down approach of going, “Hey,” really seeing you in person, “Do you understand how important this is?” and then have that trickle down through the layers, it’s never going to happen. So it has to be a two-pronged approach, in my opinion.

Cole Cornford:

One of the key markers in people I see trying to get into is developer education, because there’s a lot of products and companies out there like Secure Code Warrior, SAFE Stack, Contra, Security Journey, and so on. And they’re all moving into… Even We Hack Purple, they always spout that if a developer understands security issues, then they’re going to go ahead and make sure they don’t introduce them. But do you think that maybe the market should instead be about educating CXOs or engineering managers? I don’t know where it is.

Nina Juliadotter:

100%. Yeah. It’s not going to happen just because the developer themselves wants to build it in, it has to be two-pronged. It has to come from the management to incentivize them, say, “Hey.” I mean, I heard about one company where they had had quite a successful AppSec program and that was because some very high-up senior manager had said, “Hey, either you code security or you don’t code at all.” It was really that simple, and that’s really what we need. So yeah, but how do we get there? Yeah, I suppose we have to educate those management people or something. I don’t know.

Cole Cornford:

How do you think a two-pronged attack would work then? Because dev education’s clearly something that you’re passionate about because it’s part of your personal upbringing. Moving into AppSec, you were a developer previously, so you understand all the competing concerns and that security’s not always a priority. So how do you think we go about tackling this problem?

Nina Juliadotter:

How do we convince the management that it matters?

Cole Cornford:

There’s a few ways of it. Right? It’s not so much convincing management why it’s important, and I don’t think just writing laws saying that, “Your developers need to write secure code,” is going to help. What I’m talking more about is we seem to have a proliferation of just products that solve developer education by just trading time for content. What we tend to find, at least in my experience, is that the developers usually don’t have the time to actually look at the material in the first place.

Nina Juliadotter:

To find the time to do the training as such?

Cole Cornford:

Yeah. So if you’re an engineer and you are working 9:00 to 5:00, then you don’t want to be told that from 5:00 to 6:00 you need to do one hour of YouTube secure development training, right? Because if you do, you’re basically doing work on top of your work. And there’s also, I find a culture a lot of the time that if you’re sitting at your desk watching YouTube videos, are you actually working?

Nina Juliadotter:

Oh, okay. Right. Yeah. I think it comes down to measuring and testing. Let’s just say, “Hey, developer, you must develop secure code. You’re being measured on it and we do all this testing to make sure that the code you deliver is secure. We highly recommend you do this training. Go and do the training if you want to keep the job.” Okay, that might just sound a little harsh, doesn’t it? But-

Cole Cornford:

Don’t worry about being savage. It’s all good.

Nina Juliadotter:

I really don’t think we’re asking too much. And I also don’t think secure development is rocket science, it’s computer science. And you can do so much with just the basics of input validation. If you just have the mindset of, “Hey, all the low hanging fruit can really be removed. Hey, just use that little security feature on this framework you’re already using. It’s there for you. Just set that property or disable that property or whatever it is you need to do.” It doesn’t take particularly long to kill off a lot of the low hanging vulnerabilities.

Cole Cornford:

You did bring up an interesting point about measuring, how do you measure basically the effectiveness of your developer training in an organization? Because usually when I’ve seen it, it’s in how many people have watched videos or how many people are engaging in the platform. But those two metrics don’t actually say, “How are we meaningfully improving security at this organization?” Right? So I’m just thinking, how would you go about approaching that problem?

Nina Juliadotter:

Well, I mean, traditionally, if you want to measure the effectiveness of any AppSec program or AppSec control, you look at the number of new vulnerabilities introduced, so you do SAST and DAST and your SCA testing and make sure that you’re introducing fewer and fewer vulnerabilities, I suppose.

Cole Cornford:

Yeah, okay. So just say, “Yeah, this team’s in charge of this app. So from our bug bounty program or from our different tooling, we found this many vulnerabilities six months ago, then investing and doing dev training for them. Now at this point, we’re getting much less on all of those fronts.” Yeah?

Nina Juliadotter:

Yeah, why not? So we’re producing more secure software and we can measure that. I think that’s fantastic. Right?

Cole Cornford:

Yeah. Cool. So, work. What makes you super excited about work at the moment? What’s super interesting in the AppSec space?

Nina Juliadotter:

I think it’s a few things. I mean, first of all, I actually believe that the work I do is meaningful and makes a difference, and I feel extremely privileged to have a job where I can feel that. So that’s exciting. It’s also very intellectually stimulating, to be honest. It’s very geeky in a way that very much suits me. I get to really geek down into things, which is really wonderful. And also, I mean, generally AppSec folk are really nice, funny people, to be honest. I have a lot of fun working with other AppSec people and other cybersecurity people more generally, to be honest. So yeah, I suppose that sums it up.

Cole Cornford:

You mentioned that it’s meaningful to you. So where do you derive meaning from AppSec? Because it all comes from different places for people.

Nina Juliadotter:

Sure. Yeah. No, I mean, I know that must sound a bit… I don’t know, but it comes down to good and evil. For example, I said I’m fighting evil here. Damn those bad guys. You’re not going to get my data, my money, my transactions, my information. F you. I really feel like I’m helping build stronger applications that cannot be breached. And I’m a customer of the bank I work for as well, and I want to make sure that my data and my money is safe. So that’s meaning for me.

Cole Cornford:

Yeah. For me, one of the big things that I really find meaningful is that when you are working to secure applications, there’s a very real tangible thing that you can see. I’ve worked on products like Single Touch Payroll, which, as a business owner now, I know that that’s how people do payroll and interact with the tax system, right? I’ve worked at Westpac on large applications like St. George’s banking app, right? So it’s what people actively use every day and you know that you are part of a mission to keep those people safe. So I’ve always liked AppSec because it’s super tangible and fun and meaningful when you can talk to someone on the street, when in general a lot of cybersecurity you can’t, right?

Nina Juliadotter:

Yeah. Today I segmented that network.

Cole Cornford:

Yeah. Today I did the test. I was able to audit against user access records for these three things. So it’s like, well, what does that mean to be just an everyday person on the street? So I love that AppSec is super tangible and that makes it really cool for me too. Because it’s just something I can just talk to anyone about really, right?

Nina Juliadotter:

Mm-hmm (affirmative).

Cole Cornford:

I’m helping secure the things that you use every day and you interact with every day. So I love that.

Nina Juliadotter:

Yeah, good point.

Cole Cornford:

So you mentioned that you did a Master’s of cybersecurity, could you tell me more about that experience? Because I haven’t gone through formal education in cyber at all, so I actually don’t really know what it even looks like, to be honest, so.

Nina Juliadotter:

Yeah, absolutely. This was a while ago, so it might have changed a little bit since then, but I suppose the basics would still be the same. Yeah. So it was really good because it was really broad in my work. Now I am very much a specialist and I only really look at my tiny, tiny little area of the cybersecurity space. But during the master, you’d cover really broad areas, network security. I remember I did a paper on security vulnerabilities in some particular network protocol and you look at nitty-gritty details like that. Oh, I did digital forensics. It’s very interesting to understand how all that works. Access management and how you can tamper with the cards that we use to beep in and out of different doors and transport system and whatever we use them for. That’s really interesting. A lot of SCADA security, which is the control systems we have in industrial systems and ladder logic and how all that works. Hacking, how do you really hack a traffic system? All that super geeky stuff that is just so interesting.

So yeah, I did a really interesting paper on how you could hack smart parking meters. So yeah, I suppose what I really enjoyed about the Master’s was I learned so much and I learned very broadly across security.

Cole Cornford:

I think that it really shows your depth of experience across a lot of areas because you can have conversations with so many different people at Westpac. My previous guest, Toby Amodio, he mentioned that cyber security is most effective when people have a mile of understanding that’s an inch deep and you just have one area where maybe you’re two or three inches, right? Which is us and AppSec.

Nina Juliadotter:

Yeah, I was thinking, gosh, that’s not me. I feel so narrow and so highly specialized. It’s ridiculous sometimes. But yeah, I think you’ve got to have those specialist people too. But I can still understand and talk to the infrastructure guys and the networking guys and whatnot.

Cole Cornford:

I think you’re underselling yourself though in that case, to be honest, because you can talk to basically… That’s one of the underrated skills that I think application security professionals have over a lot of other cyber people is that they can really focus on communication, breaking down barriers because they have that background as a software engineer that lets them say, “Hey, this is what the business is trying to achieve. I have all of these different cross-cut concerns. Security is one of those, and I’ve just got to be able to talk about it.” Right? And I know a lot of pen testers who just focus exclusively on this is the thing. It’s really bad. I don’t know how this exists. It’s super bad.

Nina Juliadotter:

Yeah, I suppose we’re a bit broad within our niche then.

Cole Cornford:

Yeah. I don’t know about you, but me personally, I know enough about different AWS services and Azure at once. I know enough. I can talk about them. I kind of understand what they do. I know how to write some Terraform, spin them up. And I know that you shouldn’t leave your S3 buckets public if you don’t want people to download things from them, right?

Nina Juliadotter:

Mm-hmm (affirmative).

Cole Cornford:

But if you’re telling me to go fully analyze an AWS tenancy, that’s just not in my wheelhouse. I don’t know how to do that effectively, I’d be much better at a code review, for example. So I think a lot of people have, in AppSec, a broad range of experience and just one area that they’re really cool and into. So what’s that area that is super cool and interesting for you, within our niche?

Nina Juliadotter:

Yeah, okay. Good question. That’s a funny thing. I think I’m specialized because I’m in AppSec, but then I’m super specialized within that little thing as well, isn’t it? So yeah, I’ve shifted a bit here and there. At the moment, I’m very much into, this might sound crazy, but inventory damage, inventory management, it matters. I was very curious. I’ve heard Tanya Janca, who’s a big profile in our industry, talk on another podcast the other day, and this is also mentioned in her excellent book, on the question of where do you start with an AppSec program? And I was thinking, “Oh, she’s probably going to talk about developer education or whatever.” But no, she was like, “Inventory management. If you don’t know what you’ve got, you don’t know how to protect it.” And it’s really that simple. If you don’t know which applications you have in your bank and the profile of them, how on earth can you protect them?

If you don’t know which applications are internet facing, what kind of data they have, do they have PII, all these things, then you can’t do a proper risk assessment and a threat model around them and you don’t know what it is these apps need and therefore you can’t protect them. So that’s my little passion project at the moment, really trying to drive better inventory management, and including in that is also vulnerability management. You can find all the vulnerabilities in the world. It doesn’t really matter if you can’t attribute them to the right application. Therefore, also the owner of that application and the right support group who can remediate or who can say, “Hey guys, you seem to be using this really old framework. How about we look at that from a security point of view?”

Cole Cornford:

Yeah, inventory I actually think is a fantastic place to start because it’s a bit easier with devices because usually, you have a person and a person has a device, or it could be a couple of devices, but generally it’s physical. But with inventory for software assets, suddenly it gets exponentially more complicated because you’re moving on from just, “Hey, I have my app,” to, “This app exists in a repository and uses this CI and this CD in these cloud environments and these are the libraries that we pull in and each of those libraries has other libraries.” And then it’s like, “Wait a second, how far does this rabbit hole go?”

Nina Juliadotter:

It’s a big, big rabbit hole. Yes, absolutely right.

Cole Cornford:

So I love that that’s one of your passion projects because right now our software bill of materials is a really, really big piece.

Nina Juliadotter:

For good reasons.

Cole Cornford:

But I feel like that’s probably too far down the rabbit hole. I think even bringing it back up and saying, “What is this business process and what applications do we have that meet that business process?” is probably one of the best questions you can start with for an AppSec conversation, right?

Nina Juliadotter:

Yeah. Yeah, start on that end because then you can actually do a bit of threat modeling and understand what the risk profile is, which is really fundamental, but often overlooked, funny enough. I think we’re quite keen on just going for the tool and going, “Hey, let’s scan it with our SAST tool.” And then you get all these hundred thousand findings and you’re like, “Now what do we do?” How are you going to prioritize those findings? Yeah, I agree with you there.

Cole Cornford:

Yeah, I like that conversation. I’d be keen to explore. So what are you… Inventory a bit more, to be honest, because asset management and asset inventories really does underpin a lot of what we need to be doing in cyber security. So how do you go about actually managing inventory in your role?

Nina Juliadotter:

Well, yeah, it depends whereabouts in the rabbit hole you are. So you alluded to it with the components and that because yeah, obviously software composition analysis and getting that SBOM is super important to understand what an application that is deployed in production is actually composed of. Because as we all know, only about 10 to 20% of what we think of as the app, which is the custom-written source code that implements the business logic that we need, is there. And the rest is ready-made components that you have likely grabbed from the internet one day 10 years ago when you imported Log4j.

Cole Cornford:

That’s a really big one to be bringing up, to be honest, because-

Nina Juliadotter:

Yeah, sorry. We’ll sweep it under the carpet for now.

Cole Cornford:

No, no, no. Like seriously, I imagine that because companies didn’t have a good inventory, it would’ve been extremely difficult to respond to something like Log4j, right?

Nina Juliadotter:

Or impossible, but if you’ve done your inventory, if you’ve got your SBOM, you can go, “Hey, for this vulnerability, this CVE number, which apps are actually impacted?” Boom, it’s so powerful. It’s insane. So yeah, definitely a good software composition analysis tool, and integrating and implementing that right in your organization, are you going to put it in Bitbucket or are you going to put it in your pipeline, or where are you going to hook in? Little things like that can make a big difference. But just application inventory, it’s done by a different department who I’m just trying to influence and work with. So I’m not actually sure exactly how they’re doing it, but we have obviously systems with applications that are listed where we keep all the details about all the apps. And all I’m really trying to do is influence them to also keep the information pieces that I need about it. For example, which programming language is it written in? What type of application? Is it a SaaS application or a mainframe application, or is this a custom-written web application? In which case I find that more interesting for our AppSec purposes.

Cole Cornford:

Yeah. That data’s really important. But I think that going back to one of those earlier conversations we were having around developer education, if you know the apps that exist in your organization and then you understand which developers are building those apps and who’s the business owner accountable for it, it means that you can actually measure the effectiveness of that business owner at reducing application risk, right?

Nina Juliadotter:

Spot on. Very powerful dutch. Yes.

Cole Cornford:

So I could see why you’d want to be moving to asset inventory because if there’s no owner, because you don’t know who the app’s actually tied to, then who’s actually going to be driving that conversation? And if the developers are rotating between projects, then they’re never going to be the same people working on the same apps anytime soon, right?

Nina Juliadotter:

Mm-hmm (affirmative). And as I’ve said, developers will do what they’re told by their senior managers. You’re not going to go to the developer and say, “Hey, there’s this vulnerability, you got to fix it.” They’re going to say, “Dude, you know my boss.”

Cole Cornford:

Yeah. Cool. So okay. I love that. That was a great segue, Nina. Moving on to another piece. So my audience does lean towards younger people, so what’s one personal trait that has helped you for your career?

Nina Juliadotter:

Yeah, right. Good question. This might sound a little bit corny, but what’s really helped me is just working really hard. I was never one of those gifted kids who just got it. I come from the most untechnical family I’ve ever encountered. Back in the day, we couldn’t even understand how to use a VCR player. So when I started my undergrad in computer science, I had never programmed, I didn’t understand any of this. Which was fine because I really wanted to learn and really applied myself. So I think the combination of going into an area that you genuinely enjoy and then being prepared to work quite hard until you get it, and I think that’s fine because if you enjoy it, it’s not really a chore as such. But I did spend a ridiculous amount of time when I did both my uni degrees, to be honest.

Apart from that, something that I’ve learned later in life, always ask questions, don’t feel stupid. There are no dumb questions. I love it now when grads come or younger people come and I work with them and they ask questions which they may think are stupid, but I’m like, “No, it’s not stupid.” Someone came to me the other day and said, “Hey, what’s a CVE?” And I was like, “Oh, great question. Let’s talk about CVEs.” Because you can’t know everything. You really can’t. And I’ve also taken that on and I ask what might be considered dumb questions just because, you know what? Why not? Life’s too short. Ask the questions, get support.

Cole Cornford:

It’s funny that you specifically bring up that answer because about a year and a few months ago, I went to a Newcastle developer trivia night and the question came up and it said, “What does CVE stand for?” And then as the sponsor of the event, literally everybody turns to me, the director of Galah Cyber, and I was sitting there thinking to myself, “I just say CVE, I don’t actually know what it stands for.”

Nina Juliadotter:

Oh, it’s Common Vulnerabilities and Exposures or something.

Cole Cornford:

Yeah, there you go, Nina. So I need you on my trivia team, basically, right? Because I was so embarrassed at that point. I’m just like they’re like, “This is literally the one cyber thing you should know.” And I’m like, “Why didn’t they ask about 2FA or OTP or something like that?” Yeah, I think that both those are really, really good answers. I think asking questions has really helped me throughout my career a lot as well. I think I’ve always been an inquisitive person, so I’ve always just not really cared about what people think and just put stuff out there, even if it sounds really dumb, and just listened to what people say about it. So I think that maybe with a little bit of apropo and some tact, then you can ask the right questions, you can get some fantastic answers out of people, right?

Nina Juliadotter:

Yeah, exactly. And I think that’s what I’ve realized as I’ve gotten older is that people don’t actually mind it if you ask questions. They don’t. Very few people get annoyed or whatever. I find it interesting when people ask questions. I love to chat.

Cole Cornford:

Yeah, I think it’s a lot of people just don’t want to appear stupid.

Nina Juliadotter:

Yeah. Which was me for a long time. That’s why I’m saying now don’t make my mistake because there’s no point.

Cole Cornford:

And I think at the end of the day, we’ve all got areas that we are stupid in anyway.

Nina Juliadotter:

Everyone does, of course. Absolutely.

Cole Cornford:

It’s totally fine to ask questions and just learn from that, so.

Nina Juliadotter:

Yes, I still don’t get the stupid subnet masks damage. Anyway, don’t need to.

Cole Cornford:

Yeah. I only recently learned what the slash 26 versus slash 32 means; just the number from 24 to 32 means the number of IP addresses available, I think. Yeah. Where 32 is one and 24 is all of them. So I was just like, “Oh, okay. I get it now.” But also I remember just using subnet masks of two five five, two five five, two five five dot zero, and then never asking what it actually was until basically I started working in the cloud, which was eight years into my career, and people were asking me about security groups in AWS, and I’m just like, “I don’t know what a subnet mask is. I’m dumb.”

Nina Juliadotter:

[inaudible] You’re not dumb. You’re not dumb. It’s just we can’t know everything all the time.

Cole Cornford:

Exactly. It’s impulsive.

Nina Juliadotter:

Okay. We can learn if we need to.

Cole Cornford:

That’s why I leverage other people who are much smarter than me in their domains so they can go do that stuff, right?

Nina Juliadotter:

I know, right? Yes. Leverage other people. Yes.

Cole Cornford:

Yeah, yeah. And you said work hard, I agree. I think that this is something that’s come up a lot in my conversations with young people is there seems to be an extreme focus on work-life balance. And I’m just going to say that work-life balance is for your mid-thirties to forties when you have kids. Just work hard.

Nina Juliadotter:

Yeah. I mean, you can choose not to, but it will have consequences as such. You can choose. Yeah.

Cole Cornford:

Yeah. I’ve always been someone who’s been quite motivated and disciplined to just work really hard early on in my life, and it’s basically led to me at 30 being able to found a company in a domain I love, right?

Nina Juliadotter:

Yeah.

Cole Cornford:

So I know that the other people I see who are focusing on just like, “Oh, I’m just going to go and just go watch the Netflix here and I’m going to pick up some hobbies here and I’m just going to cruise through life.” That’s totally fine. Just expect if you’re doing that, that won’t get you to that place that you want to be as quickly, right?

Nina Juliadotter:

Yeah, exactly. Right. That’s your choice.

Cole Cornford:

And people notice hard workers as well, so if you turn up at eight and you finish at five, or you turn up at 10 and you finish at three, like a lot of the people I saw in the public sector. Then the people are going to reward the ones who actually put in the hours and the hard yakka. Yeah, I really recommend people look at that. All right, so moving on to our last few questions. So, all right, rapid fire. Here we go. Fun ones for you, Nina. So-

Nina Juliadotter:

Oh dear. Okay.

Cole Cornford:

All right. You ready?

Nina Juliadotter:

Yes. Yes, yes.

Cole Cornford:

So first one, first best purchase under a hundred dollars and why?

Nina Juliadotter:

Oh, too easy, a bottle of champagne. You cannot be sad and drink champagne at the same time, and you can get a bottle of champagne for under a hundred dollars.

Cole Cornford:

Really? Actual champas or fake champas?

Nina Juliadotter:

Yeah, absolutely. Yeah. Yeah. Moët & Chandon. Easy.

Cole Cornford:

Okay, cool. What’s the most common mistake people make when it comes to cybersecurity?

Nina Juliadotter:

Oh, too easy. They don’t build it in from the beginning. They bolt it on after the fact. Think, no, no, it’s never going to be as good and it’s going to be so much more expensive.

Cole Cornford:

Yeah. I see it all the time where they just do not consider it as part of the project and then suddenly it just goes crazy.

Nina Juliadotter:

Oh, I don’t understand how it’s possible. If you build a house, it’s not like you don’t think about security then and that… Imagine you build a house and then afterwards you’re like, “Oh yeah, got to have locks and got to have windows and doors and everything.” Really? You don’t do that.

Cole Cornford:

Just imagine you architect a house and you’re like, “Oh yeah, it’d be really nice if we put bedrooms in here.”

Nina Juliadotter:

Yeah. It’s just so fundamental. I just don’t see how it’s possible to even… But anyway. Okay. Yeah, no, let’s bounce.

Cole Cornford:

Yeah. Cool. What’s the best resource you would recommend for someone who wants to learn more about app security?

Nina Juliadotter:

That’s actually Tanya Janca’s book, Alice and Bob Learn Application Security.

Cole Cornford:

Yeah. Cool, cool. Awesome. I like that book. It’s a good one. Makes it nice and digestible for people.

Nina Juliadotter:

Yes, exactly.

Cole Cornford:

All right. So Nina, we’ll finish up with one more question for you. So what’s the one piece of advice that you’d give to our listeners? That right now people wouldn’t normally think is security advice that they can help keep themselves and their businesses secured.

Nina Juliadotter:

Be very careful and mindful of what data you put out about yourself out there. It’s something that security people are quite mindful of, but not security people, if you know what I mean. And apart from that, obviously use a password manager, whatever you do.

Cole Cornford:

There’s a reason Have I Been Pwned is a successful service, right? So just if people will use passwords instead of password managers. Then yeah, data proliferation. I shudder to think about the real estate agencies amongst other things. I’m sure that everybody fingers my password at this point, so it is what it is, right?

Nina Juliadotter:

Yeah.

Cole Cornford:

Well, hey Nina, thank you so much for coming on and sharing your insights with me. It was an absolutely amazing interview. I really loved having you here and I hope that we can speak some more in the future.

Nina Juliadotter:

Yeah, thanks so much for having me. It was so much fun. I can talk about AppSec until the cows come home, so yeah, anytime.

Cole Cornford:

All good.

Nina Juliadotter:

Thank you, Cole.