Imagine the bustling energy of DEF CON suddenly shifting from Caesars to the Las Vegas Convention Center. How will this change impact the magic of one of the world's most renowned cybersecurity events? Join us as we share personal experiences from past DEF CONs, consider the logistical hurdles, and discuss the potential financial implications for local resorts. Our guest, Rui Ribeiro, brings his invaluable insights into how such changes can alter the attendee experience, setting the stage for a deep dive into his impressive professional journey in cybersecurity.
As we navigate the realm of client-side security, we uncover the fascinating story behind the founding of Jscrambler. From the chaotic days of the early internet boom to a pivotal meeting with Cloudflare's CEO, we explore the transformative power of JavaScript and the intricate parallels between telecom and banking industries. Rui and I emphasize the critical need for clear communication of security requirements to decision-makers, particularly in emerging markets, highlighting the often-overlooked technical challenges and opportunities in this niche field.
Our conversation also tackles the evolving landscape of cybersecurity with a focus on balancing technical and soft skills. We discuss strategies for embedding security into everyday processes, the importance of adaptive security measures, and how rapid advancements like those during COVID-19 have reshaped business practices. From insurance risks and evolving security models to the joy of building a safer digital world, this episode covers the passion and practicalities that drive us in the field of cybersecurity. Join us for an enlightening discussion that promises to leave you with fresh insights and actionable takeaways.
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, Rui?
00:00:01
It's great to get you on the podcast.
00:00:04
I know we've been planning this thing for quite some time now
00:00:09
and my schedule has been so chaotic, so I apologize for the
00:00:14
delay, but I'm really excited for our conversation and it's a
00:00:17
great opportunity because we're almost coming up on Black Hat.
00:00:22
Speaker 2: I don't know when this is going to be broadcasted,
00:00:24
so these topics are as relevant as possible and we're coming so
00:00:29
close to such a big security event.
00:00:32
Speaker 1: Yeah, yeah, absolutely.
00:00:34
You know, typically I try to make it out to DEF CON, but last
00:00:40
year, like last year, I got so just from, just from meeting
00:00:45
with so many different vendors.
00:00:46
It was like all day, every single day, I'm meeting with
00:00:50
vendors, talking about the podcast, trying to get more
00:00:52
sponsors, and you know all that sort of thing.
00:00:55
It's just like it's so exhausting.
00:00:58
I told myself literally when I flew back home last year I was
00:01:01
like like yeah, next year, next year, I'm taking a break, I'm
00:01:04
not doing DEF CON.
00:01:07
Speaker 2: I've been doing DEF CON for maybe the past 10 years,
00:01:10
so I'm one of those guys that not from the start of DEF CON,
00:01:14
but every year, every year and this year I'm not also doing it
00:01:20
I'm going to Black Hat because of the company and Jscrambler
00:01:23
and meeting with everyone.
00:01:25
DEF CON for me was the fun part, like engaging with the peers
00:01:30
from a security perspective.
00:01:32
I won't have the opportunity this year because it becomes a
00:01:35
little bit overwhelming.
00:01:38
Speaker 1: Yeah, you know, and I mean maybe this is just for me,
00:01:42
but they changed the venue right Because Caesars kicked
00:01:48
them out right, and I mean it's kind of.
00:01:52
Speaker 2: Well, so you got a lot of security guys there and
00:01:54
breaking stuff and still not working.
00:01:57
Speaker 1: Go figure that out, yeah well you know, honestly, I
00:02:00
think it's kind of it's partly on Caesars or MGM's or MGM's
00:02:06
CISO, that kind of challenged all these hackers.
00:02:10
What was it?
00:02:11
Four or five years ago at this point I think it might have been
00:02:13
four years ago they challenged all these hackers saying, oh, we
00:02:17
have top-notch security, no one's going to get in and this
00:02:19
and that.
00:02:20
And I mean you know, you've been there, so you know, the
00:02:23
past couple years someone has blue-screened every slot machine
00:02:27
in a resort you know, for the entire week of DEF CON and it's
00:02:32
like, oh yeah, you're so secure that we blue-screened every slot
00:02:36
machine all at once.
00:02:37
It took them like 10 seconds last year, you know, and it's
00:02:42
kind of their own doing, but that was also a part of like the
00:02:46
the extreme convenience of DEF CON.
00:02:48
You know like I can go to DEF CON right, be a, be a hacker,
00:02:55
degenerate and then stumble out into a, into a casino where I
00:03:00
can continue my my escapades.
00:03:04
I'm not hacking random people, I'm not hacking slot machines or
00:03:08
anything like that, but I can go and have a beer with someone
00:03:12
right, I can go and gamble if I want to.
00:03:14
My room is a 10-minute walk away.
00:03:17
That is a huge, giant convenience that was eliminated
00:03:23
when they were forced to move to the convention center.
00:03:26
Granted, I've never been there, I've never been on the tram in
00:03:29
Las Vegas, but as soon as I heard that I had to take the
00:03:32
tram, it's like, okay, there's 50 people that are going to
00:03:37
be in town for this conference.
00:03:39
We all now have to take the tram or an Uber or a taxi to get
00:03:45
to where we need to go.
00:03:47
That sounds like a really bad idea.
00:03:51
Speaker 2: And we already know that it was too many people
00:03:54
there.
00:03:55
And what's the effect of this escape?
00:03:59
It might be good, but I have my , like you, I have my doubts
00:04:06
that it's going to work as well in terms of your magic of the,
00:04:11
because there was a lot of mingling, a lot of yeah.
00:04:14
I think it might lose part of the magic of the event itself,
00:04:19
but it might not like yeah let's .
00:04:23
Speaker 1: Yeah, I could be wrong.
00:04:25
I mean, next year I'll more than likely go, regardless of
00:04:29
the venue.
00:04:29
But you know, I wonder if these resorts are going to be looking
00:04:35
at.
00:04:35
You know, last year how much money did they make during DEF
00:04:39
CON compared to this year?
00:04:41
Right, because for Caesars to kick them out, that's a pretty
00:04:49
big deal.
00:04:49
Right, if Caesars kicks you out , well, you have one other
00:04:51
organization you can go to for hosting you.
00:04:55
Right, that has the size and that's even kind of a stretch,
00:04:59
because it would be stretched out throughout the strip, like
00:05:02
we saw the past couple years.
00:05:03
You know, it's interesting because I think they're actually
00:05:08
going to lose a lot of money.
00:05:09
I think that they're going to lose a good amount of money and
00:05:12
gambling, because there isn't going to be that like hacking,
00:05:17
like I.
00:05:18
I call it degenerate, but it's, it's out of convenience, it is
00:05:21
truly.
00:05:21
It is so convenient to literally just walk out of a
00:05:25
talk and be like you know what?
00:05:26
I'm gonna go have a beer with my friends.
00:05:27
Yeah, right, and it's right.
00:05:29
There, the Las Vegas convention center will probably obviously
00:05:33
have that same sort of vibe and environment and whatnot.
00:05:36
But then you have vendors that are putting on parties that you
00:05:39
know town nightclub, right, and that's in Caesars.
00:05:43
Well, my room is in the LINQ or wherever, right Like now.
00:05:47
It is a huge conundrum that people have to work through.
00:05:51
Um, and it's, uh, it's frustrating, right, because if
00:05:56
it was, if it was at the same location right.
00:05:59
Like that spread across like Harrah's and Flamingo and
00:06:02
LINQ and whatnot.
00:06:03
If it was the same location I would probably be there, but I
00:06:06
kind of want to see how it shakes out.
00:06:09
Speaker 2: Yeah, I understand.
00:06:10
Speaker 1: Yeah, definitely.
00:06:11
So you know why don't we start with your background, right?
00:06:15
What made you want to go down the route of IT and security?
00:06:20
And then let's talk about your journey into founding Jscrambler.
00:08:25
Speaker 2: That's a very good question.
00:06:28
What made me go down the IT path not the security path, but
00:06:35
the IT path is because I am from the generation of Spectrum and
00:06:38
Amigas and all of that, and that was what got me into computing,
00:06:43
like the first PCs and floppy drives and that kind of stuff.
00:06:46
I went through all of it and, of course, I graduated in
00:06:53
computer sciences in the area of telecommunications engineering,
00:06:57
and then out of the university I went to work for banks,
00:07:02
because you had two options Either you worked for telcos or
00:07:09
for banks.
00:07:11
That was the fastest to work and you get there.
00:07:16
And now, looking back, I worked for a company where SQL
00:07:21
injection was a feature.
00:07:23
It was their filtering capabilities and search
00:07:26
capabilities.
00:07:27
They were built over an SQL injection for a banking app
00:07:31
internal banking app but still that was a feature.
00:07:34
So I always wanted to create a company.
00:07:36
I always wanted to build something.
00:07:38
We went through all the 2001, the hype of companies and the
00:07:43
internet booming, and I wanted to be part of it and I was lucky
00:07:50
to be friends with my co-founder.
00:07:54
So we have known each other since 16 or maybe earlier, I
00:08:00
don't know the precise date.
00:08:02
I challenged him let's do something together and that's
00:08:07
what created Jscrambler.
00:08:10
So we have been working together as a company, like
00:08:14
formally and publicly since 2014.
00:08:17
So that makes us almost 10 years old, which in internet
00:08:22
time, is centuries, and we have been addressing a very neglected
00:08:29
part of security, which is the client-side security.
00:08:32
And even when I talk to you like client-side security, I
00:08:35
think that you must be like searching for a definition.
00:08:38
What is client-side security?
00:08:42
Is it like protecting the endpoint?
00:08:44
Is it what is endpoint?
00:08:45
What is it?
00:08:45
What are you talking about?
00:08:46
We focus on making sure that applications that are running on
00:08:51
a browser or using web technologies either a browser or
00:08:54
a mobile device that's why we call them web applications that
00:08:58
they are able to execute properly in an unsafe
00:09:02
environment, maintaining the data of their users private.
00:09:06
So we are not only making them doing integrative applications,
00:09:10
but also modifying the application.
00:09:12
And also the objective here is, when we create the company is,
00:09:20
let's focus on a market that is emerging, not crowded,
00:09:22
and where we could make a real impact in terms of security for
00:09:29
everyone.
00:09:29
And, of course, everyone knows about network security, everyone
00:09:35
knows about server security, but there wasn't that much in
00:09:39
terms of client-side security.
00:09:41
When we started and it's still an evolving topic I was just
00:09:47
listening like before me I was listening to the Cloudflare CISO
00:09:52
rant and he was talking about, like Cloudflare, the bastard
00:09:56
they took and I'm not comparing those to Cloudflare, I'm just
00:09:59
talking and sharing an anecdotal story.
00:10:01
Like in 2014, I was able to meet the CEO of Cloudflare and I
00:10:05
had like 15 minutes, like 30 minutes, talk with him and the
00:10:11
gist of it is he said Rui, you're great, love what you guys
00:10:17
are doing, but like JavaScript is technology.
00:10:20
That's really bad.
00:10:22
I think I should focus on something else.
00:10:24
Like JavaScript is crap and, to be honest, it was right, but
00:10:30
JavaScript became much bigger and today, even today, all of
00:10:35
their IPS technology is built on JavaScript.
00:10:38
So I can say I was right, but they still built the most
00:10:44
successful company that I wished I had built when compared to
00:10:48
them.
00:10:48
But that's to say that we are focusing on a very important
00:10:52
topic.
00:10:52
It's a big challenge, it's a very big technical challenge and
00:10:55
that's what makes it fun and everyone else is also coming and
00:11:03
understanding that client-side security and monitoring the
00:11:06
third parties and making sure that all the third parties that
00:11:08
are there are not accessing information that they shouldn't
00:11:12
be accessing.
00:11:13
It's becoming a much more relevant topic.
00:11:16
I understand, Joe, that you also have a background and you
00:11:21
have worked a lot with banking or credit unions.
00:11:24
Yeah, so I think that we might have like very similar we must
00:11:29
have had very similar meetings in the past, where we go there
00:11:34
to talk about security and the guys that hold the keys to the
00:11:39
vaults, to the resources that we need to do our work they don't
00:11:44
understand most of what we are talking about.
00:11:47
Speaker 1: Yeah, that's a.
00:11:48
It's an interesting challenge, right, because the people that
00:11:55
hold the keys to what you need to do the work.
00:11:59
They're smart people, right.
00:12:01
They're very knowledgeable in whatever their area is right.
00:12:04
But it is very rare to find someone that understands
00:12:13
security and understands what you're requesting, right?
00:12:19
Architects, tenured architects that are very smart people that
00:12:26
do not understand the concept of having a security exception in
00:12:31
the environment.
00:12:31
They can't wrap their head around it.
00:12:33
They think that it's like something you know that you
00:12:35
shouldn't do, that's immediately bad and frowned upon and
00:12:38
whatnot.
00:12:39
And it's a.
00:12:41
It's an interesting dynamic, right, when you're in that room,
00:12:43
because you have to toe the line between explaining
00:12:49
something in a way that they will understand but not
00:12:52
insulting them.
00:12:53
Right, because they are very smart, they just may not know
00:12:53
a nuance, right.
00:12:57
And I think I wonder with your telecom background, because so I
00:13:01
actually started my career on the help desk for a telecom
00:13:07
integrated solution, right, so we were heavily reliant upon our
00:13:12
solution integrating with PBXs from Cisco and Avaya and every
00:13:18
kind of PBX you know that you can name.
00:13:21
We integrated with it and of course, that meant that the
00:13:24
support team also had to be very familiar with these PBXs.
00:13:28
We had to be just as familiar with it as the engineers at
00:13:32
these Fortune 500 companies, you know, that would be deploying
00:13:36
it and engineering the solutions and whatnot.
00:13:38
We had to literally be able to walk them through these
00:13:43
management consoles that are extremely complicated and I, oh
00:13:50
man, like the amount of hours that I had spent just looking
00:13:56
through you know where different settings were is insane.
00:14:00
It's extremely complicated, right, and I bring that up
00:14:03
because it took me down a path of being able to think a certain
00:14:08
way.
00:14:08
Right, that kind of made me successful in the banking
00:14:12
industry.
00:14:12
Right, because you have to approach problems from a totally
00:14:15
different perspective.
00:14:17
Right, I feel like in the banking industry, knowing the
00:14:21
problem and knowing how to solve it is maybe 10% of the actual
00:14:26
issue.
00:14:26
The other 90% is getting to the right person, is talking to
00:14:32
them the the correct way, right, ensuring that they understand
00:14:35
what it is talking about.
00:14:37
The same thing, right, like that's probably more of the, the
00:14:43
, the problem that we face, than anything else.
00:14:46
And I feel like I learned all of those skills in the telecom
00:14:51
industry because it's very similar.
00:14:53
It's very interesting as to, like, you know how that
00:14:57
experience with telecom can relate so directly to banking.
00:15:01
Is that something that you found as well?
00:15:03
Or maybe I'm off target?
00:15:05
Speaker 2: No, no, no, and I found it.
00:15:08
And when we started to create the company, and as we message
00:15:12
the companies and we message what we do, I say it all the
00:15:16
time I don't want to create a company that they don't
00:15:21
understand what they are buying or not using it.
00:15:23
And even when reaching Jscrambler, I focus a lot on we
00:15:29
built this company to solve a very big security problem that
00:15:34
you have, but I don't want you to stop, I don't want you to die.
00:15:38
For example and I'm going to give you examples because it's
00:15:42
this Everyone trying to understand You're a company.
00:15:45
You want to add the new AI chatbot.
00:15:48
You can just add it and have the compliance guys and the
00:16:01
people that are doing all is not accessing any information that
00:16:04
it shouldn't be accessing.
00:16:05
When you're logging into your bank, it's not an integer
00:16:08
statement or stuff like that and that's to say, our company
00:16:14
enables the banking to adopt those soft boxes and move faster
00:16:18
instead of.
00:16:19
My company told them not to have that AI chatbot there.
00:16:24
So we created the controls.
00:16:26
We allowed that AI chatbot to be there.
00:16:29
We sandboxed it.
00:16:30
We made sure that it was not able to access any information
00:16:33
that was classified as private, and in such a way, we are
00:16:39
creating security that enables new stuff, instead of creating a
00:16:44
template of security that just points the finger at you and
00:16:47
says you did a shitty job, I broke that, I tested that.
00:16:52
That's easy.
00:16:54
Breaking stuff is easy and moments ago we were talking
00:16:57
about DEF CON.
00:16:58
I call it the Breaking Stuff Con, because everyone there is
00:17:02
showing off what they can break, not what they can protect, not
00:17:05
what they build Not everyone, but there are a lot of people
00:17:09
there.
00:17:09
That's the mindset that you go there.
00:17:12
But I think as an industry, the security industry, needs to
00:17:16
change that mindset, not into attacks or not only to attacks,
00:17:21
but also as how we become enablers for innovation on these
00:17:26
contacts.
00:17:27
And that's a very different mindset at Rockwell too.
00:17:31
And, as you correctly pointed out, if you don't talk to
00:17:35
business line of it, if you're just saying you're under 10%,
00:17:39
you're saying you have this problem.
00:17:40
You're not saying you're not finding the right person, you're
00:17:43
not explaining it properly so that they understand that they
00:17:46
have an advantage to solve that security problem, then you get
00:17:52
nowhere fast.
00:17:54
Speaker 1: Yeah, that's.
00:17:55
You know, it's really important what you bring up right, what
00:17:59
you just brought up, because it's interesting.
00:18:02
When you're training and going through different certifications
00:18:07
, I mean, no matter what the certification is, you are
00:18:09
learning how to break things.
00:18:10
You're learning the gaps and the holes and everything else
00:18:15
like that.
00:18:16
No matter what security book you pick up and read, you're
00:18:20
learning how to identify different gaps and holes, right,
00:18:23
but very rarely do they approach it from here's the gap
00:18:30
and this is how you vocalize it right.
00:18:33
They don't give you the soft skills and you only get the soft
00:18:36
skills through having really difficult roles and really
00:18:41
difficult situations where you have to break bad news to people
00:18:45
constantly.
00:18:46
Right, like, that's the only way that you really get it.
00:18:52
But I wonder if there might be, you know, a way to kind of
00:18:57
train people up in that area without spending the years in in
00:19:03
help desk, right, right, like.
00:19:05
Because you know, you, you bring up a very valid point,
00:19:09
right, like we're.
00:19:10
We're always coming at it from a from that angle of no, you, you
00:19:15
, you know you can't code in this library, you can't do this.
00:19:19
It's always no, no, no, right, and I've always tried to take
00:19:25
the approach of flipping it.
00:19:26
Well, how can we make this work?
00:19:28
You know, and if it's something like hey, someone's using
00:19:33
something that is so insecure we just can't allow it in the
00:19:36
environment, you know, then I will come to that conversation
00:19:39
with such a good background on it, like you know, rock solid
00:19:43
evidence and whatnot saying like, hey, we just can't do this.
00:19:47
You know, we just can't have MFA not enabled on these admin
00:19:52
accounts, like that's just not something that we can do.
00:19:54
You know, you got to come prepared to that argument and I
00:19:59
feel like it's almost a part of you know, I don't even know why
00:20:03
this comes to my mind the Amazon leadership principles.
00:20:06
Right, and the leadership principles are.
00:20:08
They're crafted in a way you know, they really do apply to
00:20:12
like every business, you know, across like every function of
00:20:16
business, and it's customer obsession.
00:20:18
Customer obsession is one of them and I'm probably like maybe
00:20:21
the biggest proponent of that right when, when you're on help
00:20:26
desk and your company doesn't understand what your customer
00:20:29
needs, you're the only one that really knows what they need.
00:20:33
You have to be so obsessed with what they need that you
00:20:37
vocalize it internally to say we need to do this, this is why we
00:20:41
need to do it, and you're going about it like that and you're
00:20:44
making that case rather than having that customer make the
00:20:48
case, they only have to make it to you, you know, and you have
00:20:51
to then vocalize it internally and kind of champion that entire
00:20:56
process internally.
00:20:57
That was something that I learned, that kind of really
00:21:01
formed even how I address security situations now in the
00:21:06
present day.
00:21:06
Right, my customer to me is the business, it's the development
00:21:11
community.
00:21:11
Right, I'm not a developer, but I mean, man, if I could be a
00:21:15
developer, just by osmosis, I'd be like the greatest developer
00:21:18
in the world by now.
00:21:19
You know, because I spent so much time with these guys, I'm
00:21:21
basically speaking their language at this point.
00:21:23
But you know, when they come to me and they're saying I can't
00:21:27
do this, I'm not able to do this, or whatever it might be, it's
00:21:31
my job not to say, well, here's the reason why you can't do it.
00:21:34
It's my job to say, okay, this is a problem, let's go back to
00:21:38
the drawing board and figure out how we can enable you to do it.
00:21:41
You know, and even even in my current job, that is a fight
00:21:46
amongst other security professionals on the team.
00:21:49
You know, because they, they just want to say no to
00:21:51
everything, and I'm, I'm over here, I'm like we cannot just
00:21:54
say no, we have to progress.
00:21:57
Speaker 2: And that's that's exactly the mindset that we try
00:21:59
to put on everything that we build is how do we enable the
00:22:03
companies that we work with to do either more or faster, or
00:22:07
even do impossible things like providing technology that wasn't
00:22:10
previously available but allows them to do stuff that wasn't
00:22:14
possible before?
00:22:15
And that's really the mindset here.
00:22:18
And the problem is that there are two problems in how security
00:22:23
is done in the past.
00:22:25
The first strategy of and maybe more problems, but the first
00:22:29
strategy of breaking stuff and saying and way to developers and
00:22:32
say I broke your application instead of this is how we do it
00:22:35
better, and here is the tooling that will allow you to do it
00:22:40
better, but that requires a lot of not only social skills, but a
00:22:45
lot of knowledge of what the other person is doing.
00:22:48
The other thing is that we need to make sure that security is
00:22:55
not just defense against attacks.
00:22:58
Security is a strategy that you have on a day-to-day basis, on
00:23:04
everything that you build, deploy and also in every process
00:23:10
that you design.
00:23:12
Like you were saying, they might have bought the
00:23:15
multi-factor authentication product, but are they actually
00:23:19
using it?
00:23:19
Are the accounts that are important?
00:23:22
That's about the process itself , and there's also about the
00:23:25
limitations that not only people but also technology has.
00:23:29
We're doing today a lot of stuff on your browser.
00:23:34
That was impossible a few years ago.
00:23:38
In COVID time, which is I don't know that limbo of where we were
00:23:45
all doing stuff without being able to get out of our homes, I
00:23:51
was able to open bank accounts by showing my picture to a phone
00:23:56
and stuff like that, which was a rapid implementation that some
00:24:00
banks did.
00:24:01
But all of the sudden I say that wasn't the bank, that was a
00:24:05
third party doing this.
00:24:07
This was being done on the browser, did it was a need.
00:24:10
We had to do it, maybe after all.
00:24:12
Here's some of the way to check this.
00:24:14
It's not far as it didn't need to be implemented.
00:24:16
It's there now as part of the process and and um, and a lot of
00:24:23
things in companies are being done like this, like if there's
00:24:26
some urgency, there's the need to sell more, there's a the need
00:24:30
to cover that specific need that a competitor has.
00:24:33
So we put something out and we don't even ask about security.
00:24:37
The security teams just go around it and try to get it
00:24:43
deployed and then the security guys will complain later on.
00:24:46
But that's not a problem, that's what we are changing here.
00:24:46
That's why we have always had an approach of embedding ourselves
00:24:54
into the apps, because then we are part of the process, like
00:24:59
the app gets delivered with our integrity verifications and with
00:25:02
our capabilities to monitor the third parties.
00:25:04
So it's not like security is a layer, security is part of the
00:25:08
process, security is part of the app.
00:25:11
These things are easy to understand but complex to
00:25:16
implement and you need mature companies to understand, like
00:25:22
okay we have developers, we have marketing, we have a lot of
00:25:26
different people interested in delivering a good experience,
00:25:33
but not all of them are going to understand what they are doing,
00:25:36
and we have been involved with a lot of anecdotal situations
00:25:42
where life additives have more power than security guys, even
00:25:48
on stuff that is easy to understand.
00:25:51
This is a no-no Business, the business mentality of we need to
00:25:57
move forward, we need to sell more.
00:25:59
If we don't have the controls in place, stuff is going to
00:26:03
happen for sure, and so I think that there is a lot of work for
00:26:09
us, as security guys, to be able to connect with the marketing
00:26:13
teams, talk their language, talk them.
00:26:16
There are many things that are very interesting in the industry
00:26:21
, for example, Google Tag Manager.
00:26:24
What is a Google Tag Manager?
00:26:26
Google Tag Manager is a way for you to inject JavaScript from
00:26:31
multiple sources in production, based on multiple criteria,
00:26:36
which makes the client side as variable as me and you buying
00:26:41
the same stuff on Amazon.
00:26:43
I load a different set of JavaScript than you just because
00:26:48
of my computer, your location, whatever, which makes it
00:26:51
exponential the number of combinations of stuff that's
00:26:55
running on the client side and that could have access to your
00:26:59
own information.
00:26:59
We need really to work out processes and systems that
00:27:07
control how each of these elements is doing the work that
00:27:14
needs to be done.
00:27:15
Understanding, like this third party, this AI chatbot is here
00:27:21
only to provide answers on this, this, this and these questions.
00:27:25
It can never access your name, your social security number.
00:27:28
We cannot trust these third parties because down the road,
00:27:34
someone misconfigured it.
00:27:36
I have the example of the video player on the banking page.
00:27:41
Most of the video players out there third-party solutions.
00:27:45
They were designed to be behind the paywall, like a Netflix or
00:27:50
some company like that.
00:27:51
When they are in a banking webpage, if they are incorrectly
00:27:55
configured, could they show right next to the login, their
00:27:59
own login, because they should be configured to only
00:28:00
provide video behind a paywall?
00:28:04
All of these mistakes are just errors, but these errors have a
00:28:09
very big impact on a company as big as an attack, a
00:28:14
cybersecurity attack.
00:28:14
So that's why I say that security goes beyond just
00:28:18
attacks.
00:28:18
Security is a mindset that you need to put on.
00:28:22
Everything that you do, you have to verify, you have to
00:28:25
sandbox, you have to make sure that this individual, this
00:28:28
company is only doing exactly what you brought in here to do.
00:28:34
Speaker 1: Yeah, it's a really good point and you know, you
00:28:38
kind of brought up almost like the evolution of security
00:28:45
technology and how we address the problem right, and so the
00:28:51
cloud makes everything more complicated and I feel like
00:28:54
people don't understand that concept.
00:29:00
Yeah, you know, from time to time I look at, I look at the
00:29:03
job market as a whole, right, just because I want to stay up
00:29:06
to date on what kind of roles are being posted.
00:29:09
Maybe there's a skill set that I should pick up to make myself
00:29:12
more competitive and whatnot.
00:29:13
And it is surprising it's surprising right now at least,
00:29:20
right In 2024, how few cloud security roles there actually
00:29:26
are, and I think it's indicative of a broader issue going on,
00:29:30
you know, in the marketplace, right, but it also kind of makes
00:29:33
me feel like companies don't really understand the cloud.
00:29:37
They don't understand the skill set, they don't
00:29:39
understand the need and I'll I'll, you know, I'll caveat it
00:29:44
with this, you know, prior years , right before the cloud, when
00:29:49
we're talking about cyber security, we're talking about
00:29:53
things that are in between you and the outside world, or things
00:29:58
that are between you and the application or whatnot.
00:30:01
Right, like a WAF.
00:30:02
I'm thinking about network firewalls, I'm thinking about
00:30:05
even endpoint detection, right, it's an agent that lives on a
00:30:10
machine that is supposed to be kind of on the outside, in its
00:30:14
own user space almost that separates you from everything
00:30:19
else.
00:30:24
And you know, recently I went through and I went and
00:30:26
deployed Fastly's WAF application and this is probably
00:30:28
my only, you know, correlation, right, that I can
00:30:32
describe what you were talking about.
00:30:35
I went through and I deployed it.
00:30:36
It's a WAF, right.
00:30:38
I assume this thing is going to take me six months to deploy
00:30:41
right, because WAFs are innately very difficult or historically
00:30:46
very difficult to deploy.
00:30:48
They're so difficult to deploy that companies will literally
00:30:54
buy those applications or those servers from Imperva or whatever
00:30:59
you know web vendor.
00:31:00
You will right, and they'll just sit there, they won't even
00:31:04
do anything, they'll sit in passive mode for forever, you
00:31:08
know, and they're not configured or anything like that right.
00:31:12
So I go and I deploy this Fastly WAF and you know it's
00:31:17
direct into the code, into the application.
00:31:20
You know you can deploy it basically anywhere.
00:31:23
It'll do a full WAF protection and you can deploy it anywhere.
00:31:28
It's right into the code.
00:31:31
And I deployed it, you know, 15 seconds, 30 seconds, and my
00:31:35
first question was well, what do I?
00:31:36
What do I do next?
00:31:37
Right, well, where do I go from here?
00:31:41
Their response was it's already deployed, just let it go, let
00:31:46
it do its thing, go, do something else.
00:31:48
And I bring this up because it's kind of the evolution of
00:31:52
where we're moving as a security industry overall.
00:31:56
Right.
00:31:58
We're going from this, you know, outside this server, this
00:32:03
firewall, this, whatever it might be this, I guess it would
00:32:13
be like high code or high demand solution to something that's
00:32:14
like no, you just put these three lines of code into your
00:32:17
code there, into your application, and it does
00:32:20
everything else, like you don't have to worry about it, you
00:32:23
don't have to touch it.
00:32:24
That's the sort of direction that we're
00:32:28
going.
00:32:28
And I mean it was very difficult for me to wrap my head
00:32:32
around it, like I did not trust it but it was so light and so
00:32:36
easy to deploy that I forgot that it was even there.
00:32:39
That's how it was.
00:32:39
And do you see that?
00:32:41
That's where everything is going now?
00:32:44
Because it kind of has to to some extent?
00:32:47
Right, Because the cloud is so expansive, it is so insanely
00:32:52
aggressive with how vast it can be in seconds.
00:32:56
Right, that the only way that you can really stay on top of
00:33:01
your security posture is if something is embedded with the
00:33:03
application that you can just, with the click of a button, say
00:33:08
this has to be embedded into every Lambda in AWS.
00:33:12
Right, Every Lambda includes these three lines of code.
00:33:15
Right, and those three lines authenticate you to a solution
00:33:19
and the solution does all the work.
00:33:22
Speaker 2: And you're going straight to the point, like it
00:33:24
needs to be embedded into the solutions.
00:33:27
That's one thing, because you have to understand.
00:33:30
It's not only that it's easier and you make sure that it's
00:33:34
everywhere, but also that if it's embedded into the solution
00:33:39
itself, it will be able to know what that application is
00:33:43
supposed to do.
00:33:44
What's the normal behavior, what's the abnormal behavior?
00:33:48
When you were talking, you were talking again about server-side
00:33:52
security, about the cloud.
00:33:53
We do exactly the same, but on the client-side.
00:33:59
Sometimes we have been branded as the firewall for the client
00:34:04
side, or the WAF for the client side, or the RASP for the client
00:34:06
side. The industry has too many acronyms.
00:34:11
But it's exactly that point that I was trying to push, and
00:34:16
thank you for connecting it to the server, because everyone
00:34:19
understands it much better.
00:34:21
We have this massive customer base or client base.
00:34:28
We have these massive servers and massive infrastructures and
00:34:32
it's not one size fits all, in a sense that if we are just on
00:34:37
the layers, we are continuing to build the layers on top.
00:34:41
It's like I'm building additional walls, walls, walls,
00:34:46
walls, but the problem is that the walls themselves don't know
00:34:49
what's inside.
00:34:51
What are they supposed to put there?
00:34:53
They are just like dumb walls.
00:34:55
They sit there and that's not the security that we want.
00:34:59
We want walls.
00:35:01
We don't even want walls.
00:35:02
We want agents that are there, that are able to understand what
00:35:09
is this business, what is the data that it is supposed to have
00:35:14
here, what is supposed to go out?
00:35:16
That kind of question is talking the business language of
00:35:21
that company and we need to make sure that all of the
00:35:24
security products that we as an industry push out they talk the
00:35:29
business language, or else we will continue to lose power, as
00:35:34
we have seen.
00:35:35
We have seen the cycles of security was on the topic.
00:35:39
Security budgets went sky high and were unlimited, and now
00:35:44
security budgets are going down.
00:35:46
They're going down because the security teams say oh, you
00:35:51
cannot do that.
00:35:51
You cannot do that, you have to move slower.
00:35:54
You cannot.
00:35:54
That's not the option today.
00:35:56
The option today is I am the security team, I am working with
00:36:00
the development team, I am working with the development
00:36:01
team, I am working with the guys that make sure that the
00:36:04
solutions get delivered and I'm helping them build better, not
00:36:08
perfect, better solutions.
00:36:10
That's also the importance of setting the expectations to the
00:36:16
right level.
00:36:17
We are always going to have security problems.
00:36:19
If that company is alive, if that company is selling, if that
00:36:25
company is engaging with customers.
00:36:27
It's just a question of how well you're able to stop that
00:36:32
problem, how well are you able to react to that problem, how
00:36:36
fast and how you can contain it. If you have a security.
00:36:42
For example, going to the PCI.
00:36:44
PCI is, as you know, and I've seen you mention PCI, so you
00:36:47
know that it's a security standard for accepting credit
00:36:50
cards and we are very much focused on that topic, like
00:36:55
avoiding credit cards being stolen from websites.
00:36:58
It's totally different when an employee says someone stole 100
00:37:02
credit cards from me or they stole half a billion credit
00:37:07
cards from me.
00:37:08
It's a totally different problem.
00:37:11
And that's what security is.
00:37:13
We stopped leaking 100 credit cards.
00:37:17
We were a success because we stopped that problem at the
00:37:22
$100, which is valid at maybe $20, $30, $50,
00:37:26
whatever problem for our company and say this problem
00:37:31
could have gone to half a billion if I wasn't here, and
00:37:37
kudos for the development team and for this team and for that
00:37:41
business unit for being smart enough to enable this design
00:37:45
process.
00:37:45
This is how I feel that we may fix this marriage, a marriage that
00:37:51
is kind of dysfunctional.
00:37:54
Security is not part of the development.
00:37:56
Yes, security is part of the development.
00:38:02
Speaker 1: Yeah, you bring up a lot of different facets right
00:38:07
there and I think one of the key things you know when I am
00:38:13
working with developers or really anyone right to make the
00:38:18
environment as a whole more secure, right, and in security,
00:38:22
how do we judge that?
00:38:23
Right, we judge it based on a rule set score and what is
00:38:27
included in the rule set and you know if we're compliant with it
00:38:31
and whatnot.
00:38:31
Right, that's probably like the best way that
00:38:35
we have to judge it right now.
00:38:37
And when we make a lot of progress, when these teams
00:38:42
are, you know, really getting it done and knocking it out of
00:38:46
the park, we're meeting our benchmark requirements and
00:38:49
everything else like that, I always, always lead and finish
00:38:53
with good job.
00:38:54
You know, and I make it a mission in that call to not
00:38:59
even bring up questions about stuff that they didn't get done,
00:39:03
stuff that they didn't do or whatever it might be, because
00:39:08
the target was hit technically right, we hit our goal of
00:39:12
hitting this percentage or whatever it might be.
00:39:14
They did a lot of work.
00:39:16
They need to know it's appreciated.
00:39:17
It's those soft skills right, because now it'll keep them
00:39:26
coming back for more.
00:39:27
It'll keep them coming at this problem with.
00:39:29
Well, I know it's appreciated.
00:39:30
I know the work that I'm doing is heavily appreciated by the
00:39:34
team that used to cause me a whole lot of issues and
00:39:38
heartache, and so I'll keep doing it right.
00:39:40
I'll keep on working.
00:39:47
And it's interesting, I have to be careful who I invite to those
00:39:48
calls, because there's some people that have that old
00:39:51
mindset of great job.
00:39:52
But what about this?
00:39:52
And it's like, hey, this isn't a "but what about this" phone call?
00:39:55
Right, you could do that tomorrow.
00:39:58
Right, you could do that next week.
00:40:00
That's on your own time.
00:40:01
This call is to really thank them for doing their job, right.
00:40:06
I mean, I guess I shouldn't have to thank them for doing
00:40:11
their job right.
00:40:11
This probably shouldn't even be a part of their job.
00:40:12
In all honesty, it should be a part of my job.
00:40:15
But you know, you have to be able to recognize when someone
00:40:19
does good work, when they meet the goals that you set for them.
00:40:23
You have to be able to recognize that and be able to
00:40:26
congratulate and reward to some degree.
00:40:37
And I wonder if some of it has to play into also the insurance
00:40:45
side of cybersecurity that not a lot of people ever really talk
00:40:49
about.
00:40:49
I don't want to talk about it ever because it's so convoluted
00:40:54
and difficult to understand.
00:40:56
And with the insurance side, it's almost like companies buy
00:41:00
these solutions so that they can check the box and the insurance.
00:41:03
I mean, I've literally had phone calls where it is asked on
00:41:07
the call well, do we have to buy it or do we have to deploy
00:41:12
it?
00:41:13
If we have to deploy it, does that mean it's in full blocking
00:41:24
mode?
00:41:24
Or if it's in passive mode, right, and I mean they will buy
00:41:25
something just to make their insurance premiums go down and
00:41:27
not even deploy it if they don't have to and whatnot.
00:41:28
And that tells you kind of that the security industry as a
00:41:32
whole is in a weird place where our solutions are so convoluted
00:41:38
and they're so difficult to deploy that this is a very real
00:41:42
conversation.
00:41:43
Right, when you have the insurance requirement, you're
00:41:46
saying, well, what kind of deployment does it have to be?
00:41:49
Rather than we need this piece of technology in our environment,
00:41:53
it's going to increase our security posture dramatically.
00:41:56
It will protect the user from itself, you know, or it'll even
00:42:00
protect the developer from itself and the company from
00:42:03
itself.
00:42:03
And rather than basing it off of an insurance premium, you
00:42:09
know, which is a very real thing, because these premiums are
00:42:12
tens of millions of dollars a year.
00:42:14
Like you know, I heard recently from a company that their
00:42:18
insurance premiums tripled just from last year.
00:42:22
It tripled.
00:42:23
I know it's going to become Now with CrowdStrike, with the
00:42:29
CrowdStrike issue oh my God, that is probably.
00:42:32
I mean these insurance providers.
00:42:34
You can imagine that these insurance providers are probably
00:42:37
at risk of going out of business if a large enough claim
00:42:41
occurs just from one customer.
00:42:44
You know like you look at, if you look at something like
00:42:47
CrowdStrike right, impacted pretty much every industry,
00:42:51
right, because they're touted as the top tier endpoint
00:42:55
security solution and you know, to this day they probably still
00:42:59
are right.
00:42:59
There's no doubt about it.
00:43:00
But the impact that they had and it plays into the narrative
00:43:07
that they have told for the past decade right Is that you can
00:43:11
deploy this agent on anything, anywhere, anytime, and it's
00:43:16
going to work.
00:43:17
It's going to work.
00:43:18
It's not going to hurt your workflow, it's not going to hurt
00:43:22
how your device is used or anything like that.
00:43:24
And come to find out it does impact it.
00:43:27
They have a solution to secure satellites.
00:43:34
Speaker 2: You're talking about, first, insurance companies.
00:43:36
They never go out of business because the next year they
00:43:41
increase the premiums.
00:43:42
You know your answer what's going to happen next year
00:43:44
because of CrowdStrike?
00:43:45
So the premiums are going to go up.
00:43:47
And then the other question is how does a reliable company that
00:43:55
has proven track record make such a mistake of being?
00:43:58
Let's apply this to all the world at the same time?
00:44:02
I'm not going to say that I didn't do that mistake one time
00:44:08
in my life, but that's kind of stupid.
00:44:11
Speaker 1: I mean, when you have billions of devices, you should
00:44:15
probably have a test pool of at least your company, like, hey,
00:44:18
let's deploy it to internal only.
00:44:21
Speaker 2: Or this country first. Drop that country out of
00:44:24
the map, but that's.
00:44:25
They add those options and everyone knows that they add
00:44:28
those options.
00:44:29
But there are many things that I from an industry perspective
00:44:33
that buy-and-buy checklist kind of problem, like I'm buying to a
00:44:37
last top 10, but I don't know what foul this face to my
00:44:41
company.
00:44:42
This is a problem.
00:44:43
This is a real problem of setting recipes that are
00:44:48
standard and apply to this one public place, to this company,
00:44:52
to this company, to that company.
00:44:54
I'm not sure, I'm even afraid of making the claim.
00:45:00
There might be a company that doesn't need a firewall.
00:45:06
And the insurance companies?
00:45:10
What they are saying is: my work is, I calculate risk.
00:45:14
I've learned that in the past, companies that use this type of
00:45:17
products have fewer claims.
00:45:21
So if you have this type of products well implemented,
00:45:27
because most of the time those companies that they have from
00:45:31
previous history, they are the ones that
00:45:35
implemented them properly, not the ones that are just, oh, and
00:45:40
I have to put it, the moment that they put it on the
00:45:42
checklist for the insurance company.
00:45:45
They just burned out the old premises that justified that
00:45:50
product to be there.
00:45:51
So people start putting those products on these companies, but
00:45:54
they are not configuring them properly, they are not using
00:45:57
them properly, they don't even want them.
00:45:59
They just want to lower their premium.
00:46:02
Then they've just destroyed the whole logic of why they asked
00:46:08
them to have this.
00:46:09
So maybe insurance companies should be asking more how many
00:46:14
incidents you actually have, security incidents?
00:46:17
How many users were impacted?
00:46:18
Not how many incidents, but how many users were impacted.
00:46:20
How many data leakages you have?
00:46:22
What was the extent of it?
00:46:23
Those are the proper questions.
00:46:26
If you go to, you see those signs on construction site like
00:46:32
10 days without incidents, without someone breaking a leg
00:46:39
or something like that.
00:46:39
This is the metric that they need to have in terms of
00:46:44
business of that company that they are insuring, not the.
00:46:48
Are they all wearing helmets?
00:46:50
Yes, it's pretty obvious that in the construction space,
00:46:54
wearing a helmet is important.
00:46:56
But having helmets what they are asking is do you have a
00:47:00
helmet?
00:47:01
Not if you're wearing the helmet.
00:47:02
Have you bought 100 helmets for 100 employees?
00:47:06
And the company say, of course, yes, they are there on the
00:47:09
basement, they're brand new, they are really good, no one is
00:47:12
wearing them, and that's the kind of analogy that makes sense.
00:47:16
And for IT, it's pretty easy for us to hide this.
00:47:22
You were talking about the WAFs.
00:47:25
Like they just stay there.
00:47:27
Speaker 1: Oh yeah, they are.
00:47:27
Speaker 2: They're still in the learning process for like two
00:47:31
years or whatever.
00:47:32
They stay there, but they are mandatory, like if you don't
00:47:36
have a WAF, the premium goes up.
00:47:39
Speaker 1: Yeah, I have seen it where quickly, quickly, left,
00:47:43
right.
00:47:44
I've seen it where a company would.
00:47:47
They had the full security stack.
00:47:50
You know every top tier solution out there and every
00:47:55
time an audit would come around, they would turn everything on.
00:47:57
It would be considered a blackout period for the company
00:48:00
and they would consider that, because everything would break,
00:48:02
right, they would turn everything on
00:48:06
for this audit.
00:48:07
The auditors would see that everything is hey, everything's
00:48:10
enabled, configured, everything's good to go.
00:48:13
You know who cares if the business is able to operate for
00:48:16
that week or two, they'll pass the audit, they'll turn
00:48:19
everything off and then it'll be back to business as usual.
00:48:21
Right, that is something that is probably illegal and very, very
00:48:28
questionable.
00:48:29
Um, but it is.
00:48:30
It's something that they started doing because they
00:48:33
had a security team of two people, you know, and across the
00:48:38
cloud, across network security, across IAM, you know,
00:48:42
encryption, data security, like everything.
00:48:44
Right, two people and they refuse to spend any more money.
00:48:48
And so you know, you have companies that are going down
00:48:52
that path.
00:48:52
But you bring up an interesting question.
00:48:56
You know that, I think, kind of ties into where the industry is
00:49:00
going.
00:49:00
And you said do we really need a firewall?
00:49:05
Well, we're going to a place where we may not need a firewall
00:49:10
at the perimeter anymore.
00:49:11
The firewall might be built in everything, so to speak, like
00:49:17
this firewall, like Jscrambler, may be built into
00:49:20
your application, your browser, your whatever it might be, right.
00:49:25
00:49:25
And so I think we're going into a place where it's less about
00:49:31
deploying controls around everything and allowing certain
00:49:35
actions through.
00:49:36
It's more of deploying the right serverless agent, right,
00:49:41
or those three lines of code that I talked about before,
00:49:45
deploying those three lines of code to everything and letting
00:49:50
it do its job while your developers and your business and
00:49:53
everything else can continue running as expected.
00:49:57
Is that where you see it going as well?
00:50:00
I would assume so right.
00:50:04
Speaker 2: I would add that if you're buying a product and
00:50:10
there is no business champion saying I need this, there's only
00:50:16
the security guy, then you're already buying the wrong product.
00:50:20
Because, like, the thing is not that the
00:50:27
business knows more than the security guy.
00:50:31
It's not that.
00:50:31
It clearly shows that the two are not communicating and the
00:50:37
other one doesn't see the value.
00:50:38
So if it doesn't see the value, it's not going to use it
00:50:40
properly or implement it properly.
00:50:42
Today, I open every website and everything is encrypted.
00:50:46
10 years ago, you'd only have bigger websites and only the
00:50:52
checkout page would be encrypted and stuff like that.
00:50:54
So we have been able to do this continuous process where the
00:50:59
business doesn't even think do I need to have every page
00:51:03
encrypted?
00:51:03
We said we can put it everywhere, so let's put it
00:51:07
everywhere.
00:51:08
And because there is an effect in terms of for the company, in
00:51:12
terms of and also in terms of privacy and overall security
00:51:15
posture with the company and its users, I can relax.
00:51:21
Every security solution must have a value for the business
00:51:26
that we clearly map, which is going to be like how are you
00:51:30
going to sell?
00:51:31
I need a firewall from a security perspective.
00:51:35
But there is ways that we understand that metric and the
00:51:39
impact for that business, because I've made the effort to
00:51:44
understand that the company that I work for sells whatever
00:51:49
product.
00:51:50
I can really understand.
00:51:51
Like that firewall is needed because if we don't do that,
00:51:55
that product might have this or that, or our customer list is
00:51:58
going to be easily accessible or if we can talk the business
00:52:02
language of them without just talking about when we get attacked.
00:52:07
That's the other thing.
00:52:09
We have to sell business value on a day-to-day basis without
00:52:13
the guy in the basement that's going to attack us, because we
00:52:17
also know that security today is not the guy in the basement.
00:52:21
It's big organizations, governments.
00:52:24
It's also the kind of basement it's still there, but it's a
00:52:32
very big industry that has loads of money being thrown at it
00:52:37
from governments and whatever.
00:52:42
So, again, what the company does must be the thing that the
00:52:46
security team remembers every day.
00:52:47
We build cars.
00:52:48
They need to remember themselves.
00:52:51
That's what you guys are doing and that's what security you are
00:52:54
providing.
00:52:55
You are providing security for a company that builds cars and
00:52:59
that's how I need to justify the value.
00:53:02
Or, if you're talking with a bank, banking is interesting
00:53:06
because the banking industry works a lot to buy security
00:53:09
because of compliance.
00:53:10
That's the main reason I need to comply with this regulation.
00:53:16
I need to comply with that, so they end up buying a lot of
00:53:18
stuff and they invest heavily in security because they know that
00:53:22
it's a trust relationship.
00:53:24
Like a bank knows that they are selling trust.
00:53:28
You trust your money to me, so they accept buying everything
00:53:34
that keeps that trust level as high as possible.
00:53:39
That's not to say, like a company that sells shoes.
00:53:44
They don't have that many compliance requirements.
00:53:47
So they need to understand that they are under security because
00:53:53
if they don't have security, one day they won't be able to
00:53:57
sell shoes online just because their website is down or because
00:54:03
they have been known to leak all their users' stuff.
00:54:08
That really has an impact on the organization and you have to go
00:54:13
to explain to the CISO or the CEO of that company.
00:54:17
Yes, I know that you're worried about shoes and rubber and
00:54:20
leather and whatever, but if you don't do this, then you're not
00:54:24
selling shoes, you're just building them and they will stay
00:54:28
there in the factory.
00:54:28
It's not a business.
00:54:30
The business is about the full flow for the company from
00:54:35
building to selling, to delivering and customer support
00:54:39
and whatever.
00:54:40
That's the full business and that's what we are there to
00:54:42
make sure that's up and running everywhere.
00:54:45
I see it always as a continuous process.
00:54:48
That's why we say as a company, we secure every user of that
00:54:55
company on every direction that they are doing with it and we
00:55:02
know that user is running on an unsafe environment on a browser
00:55:07
that's on their computer.
00:55:08
That's not what they did.
00:55:09
That has all of these external plugins that will try to get a
00:55:13
lot of information.
00:55:14
We assume that we cannot control anything on the
00:55:19
environment and we say let's do the best that we can do on that
00:55:24
environment.
00:55:24
And that's really cool Because we have enabled companies to do
00:55:31
a lot of stuff that you would say it is impossible unless you
00:55:35
are able to install endpoint security on that customer.
00:55:38
And you are able to do that.
00:55:40
That could make it podcasting possible altogether and we
00:55:43
wouldn't have the innovation of me opening a bank account using
00:55:47
a phone.
00:55:48
We wouldn't have that kind of stuff.
00:55:50
We wouldn't be able to even do this.
00:55:51
We are recording this, we are live streaming from a browser to
00:55:57
each other we are talking and recording.
00:55:59
This wasn't possible a few years back.
00:56:02
It's possible because it's a browser, it's JavaScript.
00:56:06
You have invested a lot on this type of technology.
00:56:09
It has encryption, it has communications, it has
00:56:11
compression of video.
00:56:12
This is all happening in real time and we are part of it in
00:56:17
some way.
00:56:18
So I really get a lot of gratification from when building
00:56:23
an event.
00:56:23
And now, moving from the aspect of how I am a geek about
00:56:27
security but into the aspect of time, I'm a geek about building
00:56:31
stuff, and building an event is part of building stuff.
00:56:33
That's where I get the motivation to wake up every day,
00:56:36
and this is helping make the world a little bit more secure,
00:56:43
and that's a very positive aspect that we, as security guys,
00:56:48
need to try to incorporate in our day-to-day life.
00:56:52
It's not about yeah, I show those developer guys that they
00:56:56
are done.
00:56:57
They invested a month developing this and I broke
00:57:00
their application in one day.
00:57:02
That's not the right stance.
00:57:04
That's totally the opposite of what we should get our kicks out
00:57:08
of.
00:57:10
Speaker 1: Yeah, absolutely, and you know, with that I think
00:57:15
we've come to the top of our time, unfortunately.
00:57:17
But you know, rui, we had a fantastic conversation.
00:57:21
I'm definitely going to have to have you back on and you know
00:57:24
we'll talk more and whatnot, but you know I appreciate you
00:57:27
coming on.
00:57:28
Speaker 2: Yeah, thank you.
00:57:29
Thank you for this.
00:57:29
I was afraid that we wouldn't have enough topics to discuss,
00:57:34
but yeah, I think we still have a lot more to come back.
00:57:38
Speaker 1: Yeah, absolutely so.
00:57:39
Before I let you go, how about you tell my audience where they
00:57:42
can find you if they want to reach out and where they can
00:57:44
find Jscrambler?
00:57:46
Speaker 2: Yeah, just go to our website, jscrambler.com, and
00:57:50
we'll be out there to help you guys, to assist you guys in any
00:57:54
of those client-side security risks that you guys are facing
00:57:57
on a day-to-day basis.