Software Security Gurus Episode #25: Simon Cole

Matias Madou:
Welcome to the Software Security Gurus webcast. My name is Matias Madou, CTO and co-founder of Secure Code Warrior. With me today I have Simon Cole. Welcome, Simon.

Simon Cole:
Well, thank you. It's great to be here.

Matias Madou:
Fantastic. Simon, do you mind saying a few words about yourself?

Simon Cole:
Yeah, sure. I'm Simon Cole. I've worked for the last 10 years as a security architect, previously working in all sorts of coding spaces, from mainframes to web to data warehousing before getting into security. For today, yeah, the views I'm representing are my own. They're not affiliated to any company I work for or have previously worked for. But I'm really looking forward to talking.

Matias Madou:
Fantastic. Security architecture with some coding background. I love it. Good start. So Simon, I have two topics in mind for today, and the first one is a deep dive on security architecture, given that you're in this space for a long, long time. If my data is correct, then you've written your last proper code 15 years ago.

Simon Cole:
Yeah.

Matias Madou:
So first question to start with. What is secure by design for you? What do you consider secure by design as an architect?

Simon Cole:
As an architect, I'll try not to use the traditional architect phrase of, "It depends." But yeah, from my perspective, it's taking a holistic view of everything we're doing, and architecture has layers as within applications or solutions. So at an enterprise level, I think it's very much around the have we got the capabilities we need? Have we got the visibility we need? Looking at everything holistically, a solution will fit in? We've seen the rise of third-party supply chain attacks, so as an enterprise architect, does the company I work in have that capability to manage its third parties properly?

Simon Cole:
I think more appropriate for here is as we move down to solution architecture and what does it mean for solution architects? And it's a really good question, because we talk about it, but actually finding what secured by design is is really quite difficult.

Simon Cole:
Yeah. We have something in the UK called the NCSC. It's part of the government. It's the public face of our GCHQ, which is our cybersecurity protection company. So a bit like NSA in America. I don't know what the European equivalents are. I'm sure they are. And they produce some secure by design principles, which are really good, but they don't really help. So it's making sure that we look at all aspects of the application, how it works, and their principles start with understand the context of the solution, make compromise difficult, make disruption difficult, make detection easy, and reduce the impact of the compromise, which are five great principles, but they're very hard to give to someone and say, "Go do that." It doesn't make it real.

Simon Cole:
So that then leads on to other things like OWASP, and I think OWASP is brilliant for that sort of design thinking. They've got a number of artifacts, and there's a really good post by Darius. I've forgotten ... Well, to be honest, I have really difficulty pronouncing his surname, but I'll send a link.

Matias Madou:
[crosstalk 00:03:54].

Simon Cole:
And he has 10 things to do in practice, and I think that part of the architect's role, especially around solution architecture, because we can't spread ourselves across the whole of all the work being done by everybody, is to give people actionable things to do. So establishment of secure defaults, looking at the use of least privilege. And he's got these 10 things through, because [inaudible 00:04:20] does things in 10s. These 10 things that really you can pick up and say, "If I start to do this in the solution design and solution architecture, I'm starting to make it secure by design. I'm thinking of security upfront. And if I go through these 10 things at all of the phases, we're there."

Simon Cole:
I then think there's another layer down where you get into the detailed design and implementation, and then threat modeling really comes into it. So I'm a big fan of threat modeling. [crosstalk 00:04:55].

Matias Madou:
Just a quick question before we go there. So in an ideal world, we do that all before we start creating these products and pieces of codes, but how do you see that? Where does it fit? Because right now the 10 things, they seem to apply to code that already exists.

Simon Cole:
I think it can apply to both. I think if you have time to think about security through that design phase, when you're really starting at that initiation, yeah, and that's maybe where the security architecture really comes in, is starting to say, "These are the things we're going to do. This is the product we're building. What are the implications of that? What data will we hold? What regulations apply to that data, and what's that downstream impact?" And yeah, if it's not core to your business, do you want to start holding healthcare data in the US? Well, that depends whether that's core to your business, what the business case is. But without understanding all of those impacts, which say you've got to apply HIPAA controls and all of these other things, how do you know whether that's going to be profitable in the end? Because ultimately, the cost of the controls may outweigh and the risk of the data that you hold may undermine the business value and the sort of business case for the whole solution.

Simon Cole:
Yeah, but it's having that thought process up front and thinking what bad could happen? This links back to threat modeling, and how should we protect it? How should we stop that happening?

Matias Madou:
What does your day-to-day look like? If I hear you speak about all of that that needs to be done, that seems to be a lot. What does your day-to-day look like?

Simon Cole:
On a day-to-day basis, there's a lot of context, which it's finding support. So I think there are two schools of security architecture. One's almost like an audit, and there's a huge place for audits, but that's not where my passion is. And maybe it's because I coded. I like to help create, build, use imagination to create solutions that solve problems. So a lot of the time it's supporting business teams with, "I want to do this. Is there a way we can do this?" Answering those sorts of questions, being available.

Simon Cole:
And I run teams of solution architects and I have done for years. And what I say to them is that if you're working on a project or a program, you should be able to articulate the business benefits of what the goals are as well as anybody else there, because that goes back to understanding the context, because then you know that the security advice is tailored for what you're trying to achieve. And we then have skin in the game. We're not this team that turns up, says what's wrong, and then disappears and then comes back. We're there to be engaged all the time to support the company.

Matias Madou:
But you were a coder before, so you have empathy with these people, right?

Simon Cole:
Yes.

Matias Madou:
And that's the main difference, I think. If you have empathy, you want to help them. You understand how difficult it is and you just want to help them.

Simon Cole:
Yeah. And I think that's really important to understand what the drivers and the pressures are. So I've worked with graduates before. One of my strong recommendation is for graduate security, security graduates, as part of their scheme should go and work in a business delivery team. So understand the pressures about deploying code, understand the processes, understand why, because then you do understand when somebody comes back and says, "But I can't get this in in the sprint." You've got that context. It's sort of, yeah, you understand it.

Simon Cole:
The other benefit of that is to do a swap, which is generally what happens with the grads. So we'll bring one of the grad developers into security and they learn more about security. Then they go back, and then they're starting to think about security within that team. And they sort of start to populate and push out some of the security ideas within the teams. So I think that's a win-win, but yeah, having [crosstalk 00:09:09].

Matias Madou:
That's an excellent idea to scale yourself, because you can only do so much as one person. And bringing people in, educating them, transferring knowledge, and making sure they go back to their team and they do the transfer of knowledge, that's actually fantastic.

Simon Cole:
Yeah. And I think security champions is seen as another way of doing that, and I think that can really work well, as well. Yeah. You get people who are interested in security. You give them additional responsibility. You develop them. You support them, and you make it formal so it's recognized by their teams that they're doing this bit extra, because it is additional work. They still have to cut their code. They still have to make the product, but they're doing the security things as well. And that's probably one of the most, one of the best ways to scale out the security architecture capability and secure by design.

Matias Madou:
Is that the preferred way to clone yourself is working with these people, or do you prefer to have them in your team? Or what is your preferred way to clone and scale yourself?

Simon Cole:
So I definitely prefer the model where we have engineers and security engineers or people doing security work within the product teams. So they're fully aligned to the product. They're core to that team. I think you can very much become into a bubble if you sit in security about what's right and how things should be. By having all of these people in the teams, in the delivery teams, reporting into those delivery managers and delivering that product, I think is the best way to get it embedded, because they're part of the team.

Simon Cole:
And then what's really good is you get that feedback about the things that aren't working, the things that are slowing down, whereas you might not get that feedback so honestly if they're part of your team. And to be fair, most people are fairly open and honest about when security is not working. You don't have to go and find. They're not shy at telling you when it's not working well, which is great, because then you can make it better.

Matias Madou:
Yeah, I like that, because otherwise, if you're just a central team, you start to create a tunnel vision of what you think the world looks like. It's only by interacting actively with the security champions in the teams that you're able to really understand how they feel, how you can do better. So maybe another one. Can I call you an old school architect?

Simon Cole:
Yeah, I suppose so. I had a very traditional approach.

Matias Madou:
Okay.

Simon Cole:
Yeah.

Matias Madou:
And I would love to know, if you're an old school architect, what does the younger generation of architects look like? And what is the best interaction between these two worlds?

Simon Cole:
So the way I look at it, if I look back at my career, I started coding. I did lots of different types of coding, which was brilliant, but you got to a point as a developer or an engineer where you had two choices. You either became an architect or you became a project manager if you wanted to progress in an organization. Now you see what tends to get called individual contributor roles. So people who have become experts in their field and have thought leadership and all of these things, but they're not an architect and they're not a manager. And I think that opens up a lot more for people.

Simon Cole:
And now you see younger architects who have a real blend. They're still coding. They're trying to expand their knowledge into greater areas of design. And then what the architecture team knows to do is to support and build that knowledge. So every time you can grow somebody a bit in that security architecture space, it makes life easier for everybody. I think the individual contributor's been a real benefit, but it wasn't a career path when I was younger. Whether I'd still be coding now, I don't know. I still occasionally code. I would never show anybody my code. It's awful now. It's absolutely horrible.

Matias Madou:
Do you miss that skill?

Simon Cole:
I do a bit, and I only use it when I can't find a solution elsewhere. The joy of open source now is there's very few problems that haven't been solved by somebody. You go to GitHub and you search for something and somebody will have already solved the problem, whereas 10 years ago, that ecosystem and all of that source code wasn't there, so you had to write more.

Matias Madou:
Yeah. So open source is one, but as an architect, I would assume things like the cloud. Well, it's new and it's not new. It has been there for years, but there's more emphasis on moving pieces of software into the cloud. How does that change your world?

Simon Cole:
I think it's like any new technology. It changes it slightly. So when we were all coding on mainframes, we worked in one way. We then moved to client server, mobile. There's an iteration. And we have cloud now, but then even within cloud, you've got containers, serverless. So the cloud isn't consistent.

Simon Cole:
I think what it means is you can focus on different things. We're not having to worry about the physical infrastructure. We're not having to worry about is somebody going to steal the disks from our data center because we've not implemented physical security properly? If people are stealing disks from Amazon, Azure, GCP, well, that's what it is.

Matias Madou:
That's a different problem.

Simon Cole:
Yes. And the same with your infrastructure. That bit's been taken away, but then to get ... So you've got a really good firm foundation, but then to actually do business, you've got to then start poking holes through it and configuring it, and that's where the difference comes now. It's much more, to my mind, around configuration of the base infrastructure and then into pure application security. And the basics of that haven't changed probably, unfortunately. Sequel injection is still sequel injection. It's [inaudible 00:16:08]. Forms of injection, it's been in the top 10 for longer than I can remember, which is sad.

Matias Madou:
Yeah. And as an architect, you can change that by using a framework that avoids problems like that. But unfortunately, we're still building stuff on top off stuff, so we have to retrofit essentially everything.

Simon Cole:
Yeah. And I think you talked with Clint around AppSec and some of the work he was doing. He was talking about developing libraries and code components and capabilities, and I think that's a really, if you can get to that place, fantastic. Logging is always one that strikes me as cries out for let's just have a security logging library that everybody can import. And we can strip out the bits we don't want. We can keep the bits we want and everything moves. And I think that's a wonderful end state to get to, but it starts further to the, I would say, left, but it's not shifting left, because it's policies and standards. So people understanding what they have to do.

Simon Cole:
And I think education comes into it a lot as well. I never wanted to write bad code. Some of my code didn't work how I wanted it to work and I made it better, but it's only once I'd learned what was wrong with it I could make it better. And I think security is very much like that in the AppSec. I've never met anyone who wants to develop bad code. It's more about giving them the tools, giving them the knowledge, explaining why it's important, and then let them do what they do, which is write great code.

Matias Madou:
So interesting that you bring that up. So in the development world, I agree. Developers want to do the right thing. And my impression is today there's plenty of help that they can get to do the right thing in terms of training and tooling. For a security architect, and especially around the threat modeling, I know 10, 15 years ago, there was nothing, except for maybe you did it in Excel or Google Sheets these days. Has that evolved? Is it still heavily people focused and just on a whiteboard or are there tools already to help you? Because the same is true. If you do not know about the threats, if there's no tool that can guide you what the threats are or potential threats are, you want to do the right thing, but you do not know as a security architect.

Simon Cole:
Yeah. So I think is the whiteboard still there? Probably for most people in the last 18 months, no, because we've all had to work remotely, which makes it a lot more difficult. I very much [inaudible 00:18:56] there are tools and the tools are being developed and enhanced as with all tools, and they're growing and getting much, much better. The approach I've generally taken is very much that train the trainer. Let's do threat modeling. Let's threat model together and learn and moving security out of the threat modeling to be much more of a facilitator stroke sense check and technical expert to be brought in. And that works really well when you've got that committed group of people who want to do it.

Simon Cole:
I've always found that engagement becomes very easy once people get into threat modeling, because it's hypothetical pen testing. It's your chance to break something before it's being built. And you don't often get that in a work environment, spend a couple of hours trying to break things. Not if you're a developer engineer, because normally you're building.

Simon Cole:
So I haven't gone down the tooling approach yet. I think the tools will get there soon to enable that. So I'm taking very much the Adam Shostack, the four key questions, walking through. Yeah, it works brilliantly if you're in the same room, but you can adapt it across the to be remote. So then it goes back to Excel and all of those sorts of collaboration tools that we have.

Matias Madou:
Yeah, in terms of that, resources are scars. Essentially there's Adam Shostack, who has a fantastic book on threat modeling. There's a couple of other books out there and blog posts, but it's still a fairly new area, although it's 10, 15 years old, that area. Well, Microsoft did it 20 years ago, but [crosstalk 00:20:49].

Simon Cole:
But it's growing, which is really good. There's a number of companies that are producing really good tools. There was the threat modeling manifesto that was produced by a group. I think Adam was involved in that, and a few of the others that I know were involved there, but it's getting much, much more traction, which is brilliant. I think it's a real positive, and the more traction it gets the better.

Matias Madou:
Absolutely. And train the trainer. I love the idea, but I figured out myself years ago that it is not for everybody.

Simon Cole:
Yeah, and I think you have to adapt to how your company is. And people will also select the train the trainer. So a lot of it's working out who wants to do this, who wants to be involved. And if people don't, I don't think that's ... If they're using their skills in different ways, that's great. Let them focus on that. Find the people who want to engage. And I think security champions does that. A lot of that is around finding those people who are already interested in security. They're already looking at blog posts and trying to understand how things work and break them at home or in the office and giving those people a pathway to build on that in a way that's structured.

Matias Madou:
They have a natural interest.

Simon Cole:
Yes. Yeah.

Matias Madou:
That's good. Maybe to switch gears. I know that you're a big fan of diversity of thought in security teams. Tell me more.

Simon Cole:
I think it's just general diversity. I think I look back over my career and look at certain people, and diversity of thought definitely comes in there. So best person I ever saw write code, they had a degree in music, and there's a lot of similarities in structuring, but that was fantastic. They brought a completely different viewpoint, and they got things done that at times were hugely annoying, because it was problems I tried to solve for weeks and they could do it, it seemed like instantly. Another person I worked with as a facilitator had virtually no formal qualifications. Strangely, though, through the internal training program, they left our work with a doctorate.

Simon Cole:
And so finding those people, and like I say, it's all diversity. Making sure that we have everybody around the table contributing. It just makes life better. You get better solutions. You get more rounded solutions. And that includes gender, race, sexuality, all those sorts of things that the more diverse the better.

Matias Madou:
And do you specifically look for that if you're building your team out? So essentially what you're saying is different backgrounds, different experiences from the past. Do you explicitly look for that during the interview process, for example, like, "Hey, you know what? This is our group, and now we're looking for somebody with different thoughts than ourselves"?

Simon Cole:
Yes and no. I don't think it's a case of ... You're looking for the best person for the job. But what you're looking for is to have a pool of people to pick from that show all those different traits. So I mean, architecture tends to be a role that you get into later in your career. You've done-

Matias Madou:
You go through the stages. Yeah.

Simon Cole:
Yeah. And now one of the things is if you look at gender diversity, there's not many female architects. There are, but they're there and they're brilliant, but 10 years ago, we didn't have that many women coding. So how do you get ... So now when I think what's changing is when we go out to recruiters and things like that, it's like, no, it's just not acceptable to say these people aren't there. We know they're there. But also looking at what you're trying to recruit. I'm looking for somebody with the attributes, the skills, the ability to learn. Now, that doesn't mean you have to have 25 years' experience. Maybe you've only got three years' experience, and we can develop and grow. And I think having that different approach allows you to build that diversity over time, if that makes sense.

Matias Madou:
Absolutely. Absolutely. How big is your team?

Simon Cole:
Currently about eight people.

Matias Madou:
Okay. Fantastic. Maybe I have a final question for you, and I know you like Belgium.

Simon Cole:
Yes.

Matias Madou:
And I know you cycled Luc-Bastogne arc in Luc, or Liege-Bastogne-Liege, for example. But here's the really tricky question. What do you like most about Belgium? Is it the cycling or is it the beer?

Simon Cole:
I suppose I do both all of the time. So I do like Belgian beers. There are some fantastic, La Chouffe.

Matias Madou:
La Chouffe, yeah.

Simon Cole:
And some of the [inaudible 00:26:05]. The triple is just fantastic. Ideally is cycling in Belgium and then watching the professionals cycle whilst drinking a Belgium beer is a great way to spend a weekend.

Matias Madou:
Well, and actually, there's a lot of people in Belgium that do that on a Sunday morning. You wouldn't believe that. Sounds pretty bad, but yes, they do first a couple hours of cycling, and then as an aperitif, they actually drink a Belgian beer and then they go home for lunch.

Simon Cole:
That sounds wonderful.

Matias Madou:
So you would perfectly blend in here.

Simon Cole:
Yeah. I just have to get better at the cycling.

Matias Madou:
I don't think so. No, no. It's sometimes optional on the Sunday morning. No worry.

Simon Cole:
We have exactly the same thing here. It's cycle to the pub, have a drink.

Matias Madou:
I do think where you live, and there's more roads and it's even more suited than countryside than over here. Belgium is actually already pretty full of houses and a lot of traffic.

Simon Cole:
It is, but I think the big difference I've noticed is the attitude of drivers in Belgium. It's disconcerting if you're not used to it. You come up to a roundabout, and a car that's got right of way slows down. And it's the first time that happens, you think if I cycle across the roundabout, they're just going to accelerate and hit me and it's my fault, because that happens quite, well, sometimes in the UK. The UK is getting a lot, lot better at cycling. We've just had the Olympics and we've done quite well in cycling, so all of that raises the visibility of cycling. But there is a step change between cycling and Belgium. It's a lot more relaxing.

Matias Madou:
Oh yeah, it is, because pretty much everybody does it. So again, there's empathy from.

Simon Cole:
Indeed, and empathy gives you a lot.

Matias Madou:
Absolutely. Simon, thank you very, very much for accepting to come on the Software Security Gurus webcast. It was a fantastic chat.

Simon Cole:
Thank you very much. I really enjoyed it.

Matias Madou:
Thanks.