Diversity In DevSec And Cloud Security With Vandana Verma

[0:01:29.4] Guy Podjarny: Hello everyone, welcome back to the secure developer, thanks for tuning in. Today we have a great guest with us, Vandana Verma who is a member of the Global board of directors for OWASP. Thanks for coming on the show Vandy. 

[0:01:40.8] Vandana Verma: Hey, hi, how are you?  

[0:01:42.4] Guy Podjarny: Great to have you here. Vandy, before we dig in and we’re going to talk about cloud security, we’ll talk about developer involvements there, we’re going to talk a little bit about  India and women in security. Before we dig into all of that, tell us a little bit about yourself, what is it that you do and just a little bit of that journey. How did you even get into security? 

[0:02:02.9] Vandana Verma: Sure. Hi everyone, currently, I am working as a global board of director for OWASP and also working full-time with a multinational company. Apart from that, I am part of a few open source communities because I do a lot for pro-bono work or I tweet about that. I work with Infosec Girls who are women of security work with, as I said, OWASP, OWASP Women in AppSec which is a community started in India. 

There are few other communities that I work with. Apart from that, I started my career as a developer for one year and then moved to stock environment which is completely different. It was kind of an accidental wherein you shift the domain completely. 

It happened wherein I work for a couple of years, then started off with application security, moved to mobile security, cloud security. It’s like a mix and match of different domains. Whatever came my way, I just went ahead with that, learning, interacting with people. 

So the turnkey, actually, wherein I got more involved with a lot of different things and in the community by stepping into the community when I was introduced. 

[0:03:13.3] Guy Podjarny: Yeah, that’s awesome. Do you, like you mentioned – quite a few different entities that you're a part of and you also do like a decent chunk of public speaking and you know, sort of evangelism. Is that correct, about security? 

[0:03:26.5] Vandana Verma: That’s right.  When I started off with Infosec Girls, we were doing sessions, meet-ups but then we thought, “Can we have something which is –” like everyone talks about diversity but how about giving them the technical training? I came up with a web application security training. We have given the training at multiple conferences. We started off with NULLCON which happens in India. Then we gave it AppSec Europe, AppSec USA, Global AppSec Tel Aviv and many other places. 

Even locally, we have given that training. Apart from that, a lot of colleges, schools. We try and train on cyber security by providing training, sessions, the next discussions. 

[0:04:08.8] Guy Podjarny: Yeah, that’s excellent. How, I mean, did somebody sort of nudge you into that or like how did you make the leap of sort of doing the first sort of public speaking and venture into this world? 

[0:04:20.3] Vandana Verma: When I started going to the conferences, I started seeing people who are giving speeches and some were really impressive. One of the conferences wherein I was just discussing and said that I want to start speaking. 

One of my mentors guided me on how to write an abstract. Because to submit a presentation, it’s very important if you write a good abstract. Took that, submitted a couple of papers, got rejected, learned the way the things that go in the conference, understood from the past abstracts, how to write an abstract, what goes behind that. 

Started submitting. After a few failed attempts, got through it. It’s like, I try my luck everywhere where I want to go. Whether it goes in a positive direction or a negative direction. But yes, I seek feedback so that I can improve myself. That’s how my journey started first speaking and then training simultaneously. 

[0:05:19.2] Guy Podjarny: That’s awesome, I love the perseverance. First of all, very good point about the abstract. At the end of the day, you forget, like you think you know so much about yourself and what is it you have to say but the person reviewing it on the other side sees the abstract. They need to think about how good is that written, that’s worth investing but then also I love the perseverance over there. 

You started building an AppSec training. We were going to dig a little bit into cloud security but I guess, I don’t know if that’s sort of a segue into that or not but what would you define as sort of the scope of AppSec in today’s world? 

[0:05:52.2] Vandana Verma: Right, AppSec is application development with security, be it talking about using threat modeling in the initial phases then secure code development, talk about AppSec with the app end testing that we say. But now, everything is moving left which we call it as ‘shift left’. AppSec is not just AppSec but security has become part of the whole journey. 

From the training, if I have to say we co-work majorly app end testing, but right now, I’m working on something related to code reviews and integrating the whole pipeline, like creating a DevSecOps model training. We’ll have a training on secure code review, AppSec end testing is already going on which will be open soon for anyone who wants to give the training. 

I’ve asked many people to take up the details from me, I will be happy to share it. Then, making a model wherein we can define this is how DevSecOps for open source look like. You can replicate the model anywhere. That will be my perspective but I’ll be taking inputs from the people who are part of the industry so that we can do something meaningful and the training is meaningful for them. 

[0:07:04.8] Guy Podjarny: Got it. You know, you say sort of AppSec has kind of expanded to be this whole area, you know. I sometimes sort of say that it’s not about shift left because developers have expanded to the right, you know? It sounds like it’s kind of the same type narrative. 

When you talk about AppSec and kind of modern space, do you capture cloud security or in general, maybe like, what’s your view today about the scope of cloud security to differentiate that from AppSec? 

[0:07:30.6] Vandana Verma: I would say, this is not much differentiation, it just the perspective change and the environment change. Earlier we were doing it and we were performing the AppSec on the apps which were built in-house, infra, is inside, everything is inside the organization. But, as we are all expanding, we need to have a wider horizon and especially when cloud has so much to offer. 

Talk about scalability, availability and so many more things.  It’s just the infra change part. Cloud has given more perspective to AppSec in the terms of DevOps, it gives automation because it’s very important. Talk about the widened attacks that we have. If we don’t persist in or if we don’t avoid them then there are a lot of concerns that can be raised. The way we were doing AppSec in house, we are doing in-cloud, it’s almost as similar. 

It’s just that we have certain more measures to be taken in cloud from the infra point of view. But I would say, I am more incline towards cloud. It gives me so much of scalability. 

[0:08:35.5] Guy Podjarny: When you say you’re more inclined towards cloud. You know, we have people on the show from different security organizations and often times, cloud security still sits, you know, as a title in a team that is sort of separate from application security, right? Sometimes it’s like the DevSecOps teams, sometimes it’s the cloud security team and they deal with infrastructure security if you will but cloud infrastructure, you know? 

When you go off, when you train on AppSec and I guess in general, kind of the opinion, do you see the two as different, do you think they’re actually kind of you know, your code and whatever containers your cloud configuration. Is it the same kind of methodology in person that you’d been involved in? 

[0:09:16.4] Vandana Verma: I would say, think about AppSec wherein I’m talking about the old ages. We’ll start with the old ages wherein we had an application in the testing environment, we have been testing all of the prod and we have it in the production environment and we are then testing just getting your report. But now, in cloud, we just don’t have just the AppSec team working. 

Because majorly, when organizations move to cloud, they have infra to take care of in the cloud. Like configurations and so many more things. But, application also moves to cloud. If you don’t have proper rules configured, your application is in trouble. But think about pen testing in the cloud, it almost remains the same, except there are few attacks that play a different role. 

To give you an example, SSRF. Server side request forgery, which plays a different role. How? There was one attack which was recent one on capital one. Wherein attackers leveraged SSRF and they just serve through the normal loop back address for an application or for the AWS account and they got – they ran through the SSRF vulnerability. 

They could get the meta data and so many more details. Even the SSH keys they were able to get. Attacks sometimes are similar but there are some advance attacks which we have to learn which happens in cloud I would say. 

But the methodology remains the same, the perspective remains the same I would say. 

[0:10:49.4] Guy Podjarny: Got it, interesting, you’re basically saying, like your interpretation, when you talk about cloud security, you’re basically thinking about application security in the sense of like you're securing up the code of applications, maybe the libraries or the components that are inside of them but in the context of cloud as supposed to securing the cloud resources themselves? Is that sort of a fair statement of having the right identity in access management roles or the right provisioning? Is that about right? 

[0:11:18.2] Vandana Verma: I would say that in cloud, there is no separate team that’s working on it. As a cloud person, when I started working on cloud security, I was a completely AppSec person. But then, I got to know how an application is being developed in the cloud environment, how it would stay in the cloud environment.  

We sometimes have to work with the different teams and we get to learn different perspectives. It’s an extended arm. 

[0:11:42.5] Guy Podjarny: No, interesting. I think kind of very right from an application context perspective and we live in this world where it’s very blurry, you know? This sort of line between infrastructure and code or kind of the app in the context of the cloud because you know, for many intents and purposes, the infrastructure is a part of that application. 

From a pen testing perspective and vulnerability discovery, you know, do you really care if it’s a vulnerability in the application or the cloud configuration, it’s all the same. You just push through. 

[0:12:09.7] Vandana Verma: Right. 

[0:12:11.1] Guy Podjarny: You go off, you do these public speaking sessions and get involved in all these communities, maybe let’s sort of shift a little bit to talk about the communities, you know? You’re based in India, is that correct? 

[0:12:22.3] Vandana Verma: Right, I’m based in India, in Bangalore. 

[0:12:24.9] Guy Podjarny: What would you say? Like looking, you know, we talked about your journey but if you look a little bit at the ecosystem’s journey, you know, application security in Bangalore and indeed, you know, the creation or sort of the advent of cloud, what are your thoughts about any changes or growth as the security community that have been growing, has it been changing with cloud coming into the play? 

[0:12:46.4] Vandana Verma: Absolutely. I’ve seen a big shift. Bangalore is like in mini Silicon Valley and if you talk about the communities that specially in security that are growing, they’re growing at a massive pace. Because, if I have to talk about my journey, I was working in an environment wherein I am doing the day in and day out job like for my bread and butter. I was performing a few tasks, which were assigned to me but then you connect with more people as a community. It changes your perspective. You might learn something new. So in Bangalore when we host our annual meets, you will see at least close to a hundred people coming in every month.  

They take out time on a Saturday morning to come to the meets to learn and we also host a certain hands-on session. People do come and the technology is massively growing. There are so many amazing researchers here who are ready to share knowledge, be it AppSec lead, cloud lead, talkers feed, DevSecOps; talk about anything. Anything in security you will just share. You just have to shout that, “I want to learn this thing,” so it will be ready to help you out.  

[0:13:56.1] Guy Podjarny: It sounds like a lot of people around and you’re doing it – how much, I mean – do you feel like speaking opportunities and the likes that are local, have those grown or do you feel like to get your voice heard more globally you have to travel out? How do you feel local tech scene versus global what’s the change or if any on that front?  

[0:14:17.5] Vandana Verma: The speaking opportunities are growing like compared to the ones that we had in the past, there are new conferences coming up, there are new venues coming up but I get a lot of opportunities from the other part of the world. There are so many conference running every other week. I can see there is some conference coming up. Okay, people are talking about this conference, that conference, so many.  

In India we have a handful of conferences. If we have to talk about the conferences which are well known to people. So they are growing but it is a lot of effort so they are growing on their own pace.  

[0:14:51.8] Guy Podjarny: And specifically maybe the OWASP activities. So I think you mentioned here you’re doing the OWASP chapter. You are now a member of the global board of directors, how involved is OWASP in the local community?  

[0:15:03.6] Vandana Verma: It is very much involved. If I have to name the last year we started a free conference where there is no pass ticket, nothing. We would have talks and the sessions, the training sessions for free. If you go to OWASP Seasides because it happens in Goa near the sea, even the talks happen just right in front of the sea. So that is how the name came up and it is all free for anyone to attend. There are sessions starting in not just AppSec.  

So you will see the sessions on Docker containers, which is container security, threat hunting, we talk about car hacking, bug bounty or hunting and so many wide variety of sessions that we have at that conference. So it is very much involved and people are getting to know about it even we have it this year in March, 3rd to 5th of March. If you go to the website, you would be able to find so many more details and what kind of sessions we are going to conduct. So it is a huge contribution to the community, the Indian community specifically.  

[0:16:01.4] Guy Podjarny: And this is OWASP Seasides? 

[0:16:03.8] Vandana Verma: Yes, OWASP Seasides, which is OWASP and Sea, which is sea because it is near the sea, sides, by the sea yes.  

[0:16:14.3] Guy Podjarny: Excellent. Maybe – the local scene is growing and you’re a member of OWASP. You go off, you give your global talks. I know one of your recent keynotes has been about women in security and I know you are also involved, you mentioned quite a few different organizations that are doing it. Let’s dig into that a little bit. It is always a complicated topic. Before I dig into specific questions, what do you feel is kind of in the world of AppSec, is the current state of affairs around diversity and specific new gender diversity?  

[0:16:46.3] Vandana Verma: Right, so my keynote was about when we talk about diversity it is not gender diversity. It has to be different forms as well because we kind of only think about the gender diversity and it actually creates a lot of concerns for the other gender as well because when I started to digging more into the topic and I have been in the industry for quite some time and I can see that there are people which are less, that’s why we talk about diversity and it is very important.  

So if I have to talk about AppSec not just AppSec I would say the whole security. It is like the diversity is very less. I would say that is one of the reasons wherein we have a lot of constraints wherein people are less in security. If we start including people from diverse backgrounds, we will have diverse perspectives and the job, the concerns that are there wherein people say that, “We have so many jobs open but we are not able to find the right set of people.”  

I am sure that will also be reduced and there are so many researchers that are coming up that we have these many jobs coming up but we are not able to find the people. So I will give you an example, my perspective on it is – let’s say there is a person who is working as a psychologist. That person reads the mind and especially if it is a cybercrime, that person can be really helpful because they know what thought can go behind a person when they’re making that crime.  

So that can help and I will give you an example of my friend who was from a commerce background but he is one of the amazing bounty hunters I would say who find bugs. So when we were hiring in my past stint when we were hiring for people who are good at security, we did not look at the resume wherein the person has specified that he is from a commerce background but we looked at his skills and we found him to be the best match I would say.  

Like all the CV’s or the resumes that we screen and he actually excelled in his job but again when he was trying to switch, he again got the same concern wherein that he is from a commerce background whether he should be doing it or not. We should be hiring the beta candidates. So that’s again a blurry line.  

[0:19:04.6] Guy Podjarny: And this is – I am fully there with you around the fact that diversity is a broader topic you know? Whether it is location, whether it is background, whether it’s age, you know every perspective brings a new skill to the mix. You gave one tip there, which is maybe judge based on skills versus just the resume, what other techniques or methodologies have you seen to work well to help break through the fact that it is sometimes hard to find the diverse candidates?  

[0:19:32.9] Vandana Verma: So I would say that sometimes organizations target people to hire from the top schools, top business schools, top institutions. We can actually partner with some organizations to include engineers from different colleges, artists, mathematicians and other creative professionals from a broad set of experiences rather than only looking for bright millennials, how about hiring some veterans, older professionals who are highly skilled?  

Because when we say diversity, it goes far, far beyond education and gender. So if we hire those people I am sure we will have diverse perspective. So let us say you and I are working in the same thing, you will have a different perspective. I will have a different perspective and I am sure when there is a situation coming, we will put forward our own views rather than just going with the same flow.  

[0:20:27.9] Guy Podjarny: Again, sort of spot on and I think the value of diversity is great, specifically allowing me to stereotype a bit here and so still dig into that sort of the gender diversity bit, right? You work a lot with Infosec girls and all of that in this sort of white men dominated surrounding, sometimes I know like a common complaint like real concern is maybe surroundings. What have you seen in through these organizations to be sort of good best practices?  

If you’re an organization leader or security organization leader and you want to make sure that when you bring people that don’t look like everybody, they stay comfortable.  

[0:21:05.6] Vandana Verma: See I would tell you upfront that there are problems for sure. We have seen and heard the cases. Let’s say if I have to talk about gender diversity, as a woman there are a lot of concerns that everyone has seen in some or the other way but sometimes there are points or concerns which the other gender also has. So it is like there is a term called alienating or alienating men, right? Wherein the other gender also feels that they are trying to dominate them.  

Which is not the case because when I had a conversation with the friends who I have or the mentors, because I have a lot of male mentors, they also feel sometimes nervous or a bit concerned when the term diversity comes into picture, why? Because it’s like they think 100 times before saying anything because it might raise some concerns. So the diversity concerns are from both sides and both have to be worked upon and we have to talk it out.  

If there is a concern, we all have to talk it out and as a man, if they see if there is some hesitation the other gender has, they have to make the person comfortable that “This is my perspective. It is not bring you down or it’s not to bully you,” and the same goes for us also because I work with a lot of white men and I do a lot of discussions around diversity. I do a lot of discussions about technical topics especially for my keynote, I had discussions with a number of people.  

From all genders, from all colours, from everywhere so it is kind of a topic wherein if I say my perspective, somebody else might have a different perspective all together. So I would say it is a topic of discussion wherein if you feel that there is something which is not going right, talk it out. Raise your voice and people are hearing. It is not that people don’t here. People do here.  

[0:23:01.8] Guy Podjarny: Yeah well, I am always in favour of communication. It was interesting to hear about you know diversity and soliciting opinions about diversity over there as well, which is a good inception model there.  

[0:23:13.6] Vandana Verma: Yeah, I have to add something to it. I do support all the men and platforms but I don’t resonate to just the gender diversity to be honest even being a woman, I don’t just resonate to it. I have friends from different backgrounds. I know people who are definitely able so I wouldn’t just say that it is just gender diversity. I try and see that if there is a knowledge sharing platform it has to be for everyone not just for a specific gender diversity.  

So there is one person whom I really, really admire, Stephen Hawking, he is the real example wherein he has done so much for science, so much for the human kind so you can’t just differentiate. 

[0:23:55.1] Guy Podjarny: Yeah, well said. Personally I think one of the things we often discuss is location diversity as well, which is also adds different perspectives, different ecosystems, whether it is in our case, London, Tel Aviv then Boston, but of course, every opinion – at the end of the day it’s about bringing different opinions and different perspectives and helping them communicate or giving a platform for them to collaborate and good things happen.  

You have more powerful perspectives and less blind spots if you get that right. Vandana this was excellent, I think we covered a whole bunch of topics. Before I let you go, I like to ask every guest that comes on the show, if you have one tip, it could be a pet peeve or something that sort of annoys you, one piece of advice you want to tell a team looking to level up their security what would that be?  

[0:24:41.4] Vandana Verma: So I will say understanding your environment first. A lot of attacks happen because you don’t know your environment. So understand your environment first and then start off with the security if you have not started. So it is like better late than never. So start your security anywhere and understand your environment. I would say understand your environment, get started, get going, it is very, very important especially if I have to give examples.  

Think about the hacks that have happened recently, Equifax, Capital One and so many major hacks. Just the minute mistakes can lead to the big fall down.  

[0:25:19.5] Guy Podjarny: Yeah, that is sound advice. Well Vandana, thanks a lot for coming onto the show.  

[0:25:25.1] Vandana Verma: Thank you. Thank you so much for inviting me, I am glad to be here and talking to you.  

[0:25:29.7] Guy Podjarny: And thanks everybody for tuning in and I hope you join us for the next one.