5 Episodes

Podcast by Soluble

Soluble.ai Soluble

    • Technology

    Security Superfriends Episode 9 Clint Gibler

    Soluble's Rich Seiersen interviews Clint Gibler, head of security research at r2c, co-founder at tl;dr sec. They discuss the popularity of the r2c open source tool Semgrep, which helps developers perform static testing of their code in CI.

    • 25 min
    Security Superfriends Episode 8 Randy Barr, InterVenn

    Randy’s career includes leadership roles at pioneering companies, including WebEx back when it was a small startup through its IPO. He was CISO for the SaaS security leader Qualys, and he was head of product security and security operations for Zoom as its usage exploded over the last year with the pandemic. Now, he’s back to being a CISO at a highly regulated life sciences organization, InterVenn.

    In this episode, we discuss the importance of shifting left for modern software development with the high velocity of code releases. Getting security implemented as early as possible, close to developers is key. The goal is to help them find and understand any vulnerabilities early so they can fix issues. Effective strategies include implementing tools for static and dynamic testing, giving developers security training, and working with pen testers that can interact directly with the developers.

    He also discusses his approaches to securing what is becoming the new normal of a largely remote workforce. You may not know where team members are connecting from, how they’re connecting, whether there are others connecting on their same network, whether they are using personal devices, etc. There are opportunities to use security controls to enable this flexibility for employees while ensuring security.

    We also discuss the importance of community participation. Randy participates and shares his knowledge with local chapters of information security groups and the Cloud Security Alliance (CSA), and he works for companies that embrace working with other security professionals.

    I can’t emphasize how important this is! A CISO can’t (and doesn’t) know everything. For example, the supply chain risk with Zoom is going to be entirely different than with precision medicine at InterVenn. It is so easy to think “I’m the CISO, I should know…” A better answer is, “I have a community, we have each other's backs. And while I may not have the answer right now, I will have feedback from several peers in real companies dealing with this very issue in real ways.”

    When you stand in front of a board, they will ask, “How are others doing this... specifically companies x, y, and z…” I have heard this numerous times myself. And this is Randy’s chief point. Build and use your community – it’s arguably your strongest asset.

    Perhaps this point of view comes from his military training, having started his career in the Marines (is it just me, or is there a growing cadre of security leaders with backgrounds in the military)? Surround yourself with great intel. We are fighting a digital war, we need our allies! As he points out, there are a lot of bad actors out there, so working independently, in silos, doesn’t work when you could be working together to fight the bad guys.

    • 24 min
    Security Superfriends Episode 7 James Sörling, WirelessCar

    Security architect and open source contributor James Sörling talks about open source tools that make high-velocity development more secure.
    Sörling, currently security architect for WirelessCar, is an open source contributor to cfn-nag, which performs infrastructure as code (IaC) static analysis of AWS CloudFormation templates. He also wrote an open source module that integrates cfn-nag into SonarQube. Now developers, DevOps engineers, and SREs can get their CloudFormation scanned during development, which helps them fix issues early. Associating owners with IaC early in development also helps with audit and compliance.

    • 29 min
    Security Superfriends Episode 6 Rick Howard, CSO, Senior Fellow, Chief Analyst, The CyberWire

    Soluble's Rich Seiersen interviews Rick Howard. They discuss the SolarWinds breach, supply chain risk, cloud native development, and security books we all must read.

    • 35 min
    Security Superfriends Episode 5: Chad Kalmes, PagerDuty

    Chad Kalmes talks about his security and risk management strategies at leading companies, including Twilio and PagerDuty. He also discusses his career.

    • 35 min