In episode 23 of the Software Security Gurus webcast, Matias sits down with Tanvi Bali, a security expert and DevSecOps specialist. They discuss her background in engineering, and the state of DevSecOps in the APAC region (including why it trails behind Europe and US). She also treats us to her personal five steps to building a positive security culture within an organization.
Want to nominate a guru? Get in touch! Don't forget, you can also leave us a voice message: www.anchor.fm/softwaresecuritygurus
The State of DevSecOps in APAC: 01:22
Building Security Culture in Five Steps: 06:48
What DevSecOps means to Tanvi: 13:06
Matias Madou:
Hey, and welcome to the Software Security Gurus webcast. My name is Matias Madou. I'm the CTO and co-founder of Secure Code Warrior. And today with me I have Tanvi Bali. Welcome, Tanvi.
Tanvi Bali:
Hello, how are you?
Matias Madou:
I'm fine. I'm actually really good. So, Tanvi, do you mind sharing a few words about yourself?
Tanvi Bali:
For sure. So, hello everybody. I'm Tanvi Bali, I'm a DevSecOps strategist, so I draft strategies for the organizations who are going through DevOps transformations. I worked in, and I think I was just talking to Matias two minutes back, literally changed my industries and my security careers every two years, which is also a very much fun fact about myself. I was a developer once upon a time. And then, out of nowhere, I got this lightning: "Tanvi, get into cybersecurity". And then I joined cyber, but then you always go where home is, or I've always been writing strategies for DevSecOps, literally enjoy it. That's my bread and butter and my passion as well.
Matias Madou:
Fantastic. And so I have a couple of topics in mind for today and the first one goes straight into what you've just mentioned. You are changing industries all the time. And I would really like to hear what is your feeling about Europe versus US, versus Asia, and especially versus Asia, do you think in Asia and Asia-Pac, you're front running or you're in the back seat of the application security bus? What do you think?
Tanvi Bali:
That's a great question. So, one of the things that I've seen, because I changed my industry so often, so I think I can't comment on this part, but one of the things that I'm literally seeing in Asia-Pac is, is not getting the basics right, right? So in the application security world as well we are wanting to do a bit too much, run very, very fast, but when you start getting into, what do you say, the actual hoods of things, you start understanding that there are many gaps out there, and this is not what I'm seeing in one industry over there. Another it's across industries.
Tanvi Bali:
I would say it's an Asia-Pac thing where we need to get the basics really right. Just to put some context into it. Think about what do we think when we start thinking about DevSecOps, right? The first thing in this area of the world, what we think about is, it is all about SAST scanning, okay, get a tool stack running this scanning, and you're actually done. But then the questions start coming up: is that scanning actually optimized for usage? Are you doing what you're supposed to do as well? So what I'm thinking is, and this is what I've seen in all my gaps, gap assessments that I've done in the strategies that I've built in the past as well, that we really need to get the basics right before getting on a tool much from a DevSecOps perspective as well. I think there is enthusiasm, but there needs to be that calmness in place as well to set the things right.
Matias Madou:
And especially if you're talking about SAST solutions, do we also fix the problems? It's not only about finding, but also do we fix them?
Tanvi Bali:
Oh, yes. And I'm spot on there. So do we actually fix that problem is something that I will really hold myself before commenting on that part as well. But one of the very important things is that we get all these tools and other point is, is that tool actually good for the developers as well? Do they actually want to use it? Do they actually know how to use it as well? And that's where I say, get the basics, right? The tools need to be used usable by the consumers. So the consumers are the devs and whatever strategies are we building is that actually friendly to our consumers at the end of the day? Is the most important bit as well, which we're not exactly getting right. So, again, a lot of work to be done in the Asia-Pac region.
Matias Madou:
Well, I think that's a global thing, right? Are we close to devs? I would love to hear from you. I remember back in the day it was only making tools for AppSec, the SAST tools were for AppSec and now there's this movement like: "Hey, let's get closer to devs". Are we getting there? And maybe what's lacking, what should we do?
Tanvi Bali:
One of the things that has worked very well in the past, because there are so many vendors out there who are providers of the tools. And I would say every tool is good in some way, but not napping in certain ways as well. But a simple thing to do is whenever the organizations are going ahead with a certain set of tools, right? We follow a certain set of criteria. What does the coverage look like? Are the languages supported? And things like that. But what we don't actually look at is what about the self-sufficiency model? So we think about, okay, that we'll have 10 applications, security people who will be running the tool at the end of the day. And the developers would be just scanning, looking at results, and then eventually going and remedying things. What we should be doing is giving those tools in the hands of the dev, think about your software factories.
Tanvi Bali:
That's how they run, right? So get a tool, but then give it in the hands of the developers and create a software factory out of it as the best way. But then when all these discussions and strategies are being built, you should not only have the AppSec team sitting in that panel, you should actually have the devs and the tech teams to be that decision as well. Let them use it, do a POC with them, let them see, is that actually running for me? What is the gap? Because they are the users and their advice is God's advice, right? That is the best advice you can actually get. And that is how it should be working. But I don't think that is actually being happening at this point in time. So, that would be a good addition in my opinion.
Matias Madou:
I love the way you talk about this. It's scaling application security in the organization. It's embracing everybody and making sure they're all on the same journey and it's no longer us versus them. It's no longer a security versus developers, but you bring them all on the same journey.
Tanvi Bali:
Right.
Matias Madou:
And that actually needlessly flows into my second topic that I have, which is around culture, because I saw you were up in Melbourne with a talk "Building Security Culture in Five Steps", very interesting title for the people who have not seen it. What are the five steps I would love to know?
Tanvi Bali:
Oh, that's a good one. You want the answer straight away?
Matias Madou:
Yep, absolutely.
Tanvi Bali:
So, but one of the things that I've always loved with my career in DevSecOps is literally building that culture piece. So most of the people who would have heard me, they actually see me not talking about tools at all. It's always about the people and the processes, but very important is having that people aspect at the core of anything we do. So, most of my talks are culture based talks as well. And the silver bullet there is first have that empathy. So, I'm a security person. And I was a very traditional security person when I transitioned into my security career as well. I was like: "I know everything, okay? I will do this and I will do that." And zero lack of trust in there as well. But the most important bit is to have that empathy. And like I said, right during this talk as well that make them the partners in crime.
Tanvi Bali:
So have the tech actually working with you as well, but embrace it. So have that trust, have that empathy to be working together, but on the strategic end, what exactly is important is don't make the dev teams really think about security as well. So what that means is start having those patents. Now, one thing insecurity field that we don't do is build repeatability. What we focus on is whatever comes in front of us, peer review it, we look at it. We have a very reactive approach because we have zero trust, right? So we want to honor our eyes over every single thing that comes away. But the simple thing is for that repeatability and that culture growth as well, to give the silver bullet back to the tech teams, what does good security actually mean, right? Most of the tech teams don't always understand that, but then that becomes our accountability to explain them, what does good security mean now when you're explaining what good security means, you give them maturity models, you build repeatable patterns.
Tanvi Bali:
One of the things that I really love is building reusable design patterns, right? That starts taking away a manual bits and pieces as well, but start explaining them even you could take a simple example of your security controls, tech team doesn't understand what does good security mean? Even when they're coding or developing. And that is also a knowledge set, a pattern that can be given to the tech teams in terms of requirements. So that is what really builds the culture as well. But then very important piece is the people in all of this, right? So start uplifting and empowering them. One of the ways of empowerment is what I just demonstrated, right? So give them the good patterns so that they can follow it and trust me that they will. But very important is also to take the people through that transition pathway as well.
Tanvi Bali:
So it's not about checking each and everything. Security should really be a governance job and not a day in day out operational job as well. Let tech do that. But then for that, you need empowerment and how the companies are structured, there's a lot of restructure that needs to be done in our industry. I'm yet to see an organization where we have cross-functional teams. So we have security teams and we have dev teams and we have ops teams, and then we have a variety of other teams in the company, but then you don't actually have a squad where you have the dev and the ops and the security all working in one squad. So yeah, this was my talk that I gave in Melbourne as well, but it's all around breaking that silo, building that trust and building that empowerment piece together strategically and then, and actually doing a DevOps transformation that way. But that's the only way you can actually do that as well.
Matias Madou:
So, somewhere, I think you have the perfect background for that because you were a developer. So moving into security, you have empathy with the developers because you were there back in the day and you also have the skill what development is. So I think for people in security or in ops who do not know about development, do you think they should learn about development or what's your stance on that?
Tanvi Bali:
Yeah, very much. Half tech convert security people, right? I'm myself, a tech converted into cybersecurity. And that's how I've made my career transition as well. But it's really hard to have that empathy if you're not there. This was actually my RSA talk because I've literally, and I know it was a very negative talk, but I've literally had those frustrations from both the sides, right? As a developer, someone just wanting to review every single thing that I've done again and again, and again is frustrating. And as a security person, it is very hard to trust as well.
Tanvi Bali:
But I do feel that anyone who's coming into, particularly this niche area of DevSecOps, they really need to be, have seen both worlds. It cannot be a security architect mentioning or creating a strategy that does not really relate to tech, or it just can't be a tech person creating a security strategy. It needs to be an amalgamation of the two. But I think our industry is changing that because of the skills gap and most of the people that I see coming in DevSecOps field primarily are tech converted into security as well. I think that's the only way you can do it else will not be effective in your job.
Matias Madou:
So let's take one step back. What is DevSecOps in your mind?
Tanvi Bali:
Very much software engineering, complete DevOps with security built in. So it is a very much tech field itself. Be security, like to proclaim everything for sales, but it is just software engineering. At the end of the day, simple. You build security into it, you might build different things into it, but it is software engineering, simple. But a very important part of DevSecOps is the culture. And that is what dev ops is as well. It's a primarily culture transformations. How we understand it at this point in time is just tool automation. But definitely not that. It is how the different teams actually interact and work together in a cross-functional way to deliver value as fast as possible. Now security can be an enabler and help the business deliver value faster. That's how DevSecOps even started, so that's what it is.
Matias Madou:
I really like that definition. You start with the people, tools will automatically follow, you'll find the tools that will work in your environment. And I really like the developers, they become stronger, more powerful and also empowered, but they become also more responsible for the code that they're doing and that they're working on and that they're shipping into productions.
Tanvi Bali:
And they're wanting to know the only gap is that we don't help them that way. So, if you do, they will be very painful too.
Matias Madou:
And that was actually my last question. So how do you remove these bottlenecks? Where can you find the bottlenecks? How do you remove this bottleneck so you can go faster?
Tanvi Bali:
Good question. So from a business perspective, think about it. If you have a release cycle and you have multiple dependency of teams operating in a complete siloed environment, right? So think about it. You would have a security architecture team, or you could have a pen testing team or operating in an engagement model completely from the outside. First, you need to pay those people for even providing their services because security is provided as a service. Second is imagine there is one person but 1000 people in the tech team. So imagine the time they will take the turnaround time. So what exactly is happening is the release cycle for the business is even growing. So even though you might have a DevOps transformation, if the value is still getting released in two months, while you want it to get there in two weeks, the way to break that entire cycle of siloed departments and the huge turnaround time, and still not a complete assessment is the DevSecOps part, right?
Tanvi Bali:
So the easy idea is to create a security scrum of scrum and start empowering and enabling the tech people to be able to take those roles. And when they create a scrum, they become the word tool counterparts of your security teams working within the tech teams. But what that cross-functionality actually does is saves money for the business, removes operational costs, and actually helps you go faster. So this is from the people side, I think tools, perspective, we are very much sorted because there's so much, what do you say? Reliance on the tools at this point in time, from an identification perspective, from a remediation perspective, I think automation, pieces, we have pretty much nailed it, but this people part is the one that always blocks any kind of DevOps transformations as well. So this is very important, but the third bit is the process.
Tanvi Bali:
So once you've placed your people very important to have a very strong process, but a process that is fluid enough. Now tech teams are very fluid. They will change today and they might want to do anything and everything tomorrow. So the process should be created in such a way. So it's fluid and very easy to adapt, but even for that, you cannot do it if tech team is not your partner in crime. Again, you need the tech to define the security processes for them and you help them enable. But that is a very simple, it's not simple, but a very simple silver bullet to going faster, but that will help any organization, but saving that cost for leasing value in two weeks that you're wanting to.
Matias Madou:
I was already wondering like, how do you do that in a huge organization? You've worked in big organizations. So I was wondering, how do you imagine doing that from a people perspective? What is the central team doing? What are the people in the teams doing? Who's responsible for what kind of activities?
Tanvi Bali:
So, when you have a DevOps transformation, you would always have a ways of working team as well. The best way would be to create an operating model for the company. So one of the things that I've done in the past is to create a target operating model for the company building on the top of a security champions program. So what that actually does is you enable one or two people coming from your tech teams to become that security person, but then you train and empower and enable them in terms of security, skillsets, processes, and tech as well. But very important is that these people have an accountability defined for them as well within the team. So think about a security software engineer coming from the different squads within your own teams. Now, the best part of that is when you align it to an operating model and you make that role as a mandatory role within the company as well, that's where every squad would need to have that security person within their teams.
Tanvi Bali:
The only difference is that they are not getting hired from the outside, they're your own reusable people, assets within the company. We are just enabling them, giving them a different role, and defining their accountabilities, and putting them in the operating model. I think that works very well if you're wanting to do it on a very low cost as well. It definitely saves costs rather than putting a thousand security people in scrum of scrums and hiring them on the outside that we literally don't even have in the industry. So it's the best way to do it aligned to the company.
Matias Madou:
Love that. But that was wondering, well, doesn't that feel for these people that they need to take home another job on top of their job? So how do you align that? Or how do you make sure that the people want to do that? That they say: "Yes, I want to be the security champion". How do you make sure that they do not feel pushed or do they feel pushed? What is your view on that?
Tanvi Bali:
Yes, this is true that when you align a role, and specifically when you're not hiring from the outside, they are virtual roles that you're creating. That means that you're asking for certain bits and pieces of their capacities in the existing sprints and allocating a security accountability to that. Now some of them would be very excited because it's a different role in the team that they're taking an accountability for specifically from a people culture perspective, it is a good career transition because first you're upskilling them. And secondly, you're allocating a role that other people in the team do not really have. So it's an accountability and a responsibility on you. But some people in that mix would be like: "Why am I doing this? Because I don't want to do this. And my manager's got a nominated it, I hate security." Right? That could also be a thing.
Tanvi Bali:
And for that, it's very important when you have certain strategies built in. Your people, culture aspects of very critical. What I mean by that is, think about creating a community for them, think about your rewards and recognitions. Think about their eagerly goals as well. So one of the things that works is, align a goal for these people in your performance reviews. And that is exactly what they're working towards. Now very important bit is what exactly are the people culture aspects from the other bit? That means your monetary awards, and I wouldn't even want to go there. Don't have monetary awards. I will take my words back, but non-monetary awards, your recognitions, they work a really long way.
Tanvi Bali:
But then that community helps a lot. The best part that helps is your career growth. So it's a new role that people get. And that career transition that the people get along with it is the biggest selling point back for the tech teams. And, really, when it's driven, top-down, it becomes even more easier because at the end of the day, these people are helping the business go faster and they are the key in it as well, but a hundred percent, they will be people would want to kill me after that. And for that, it's very important that the top-down approach helps as well in driving that buy-in with the people.
Matias Madou:
So I really like the fact that you're, again, focusing on the people and the people aspect, why they should do it. And that aspect, while from a business perspective, there's just a long-term benefit for the business, the way you just pictured it to work with the security champions and have them intimately involved with the team, even be in the team, they are actually part of the team. They were in the team. They're always been in the team and help the team uplift and produce better software.
Tanvi Bali:
A hundred percent. It's very important, right? If I give you something, you will be thinking: "What is there for me?". So it's very important to really have that bit sorted on what is exactly for the people who you're wanting to take up such a huge task out of nowhere, right? Very critical aspect of it.
Matias Madou:
Maybe one final question. I know you have two dogs, Astro and Bella, and I also know that a puppy becomes a dog when it does $500 in damages. So my question to you is: when did your puppy become a dog? When did you realize: "Oh my God, it's no longer a puppy. These are the damages done". And what was the damage?
Tanvi Bali:
How did you find this information? I'm intrigued now.
Matias Madou:
I have my sources.
Tanvi Bali:
Oh my God. So Astro and Bella are the love of my life, my babies. And my elder baby, who's Astro, he has created not a $500 damage, but a damage bigger than that.
Matias Madou:
Oh, okay.
Tanvi Bali:
Well, I left him alone one day at home and I had a huge deck at that point in time. So decks are wooden, right? And he started eating the stairs. And when I got home, he had literally chewed on every single stair on my deck. And that did not cost $500. Yes, my baby, he was very destructive in the start. And Bella is very destructive at this point in time, but she's learning, she's in that teething stage, if you don't get things. So she's eaten beds and sofas and things like that. So, yeah. Getting, getting better, but my damages have skyrocketed off the roof deck areas.
Matias Madou:
Fantastic. They're both dogs now. Congratulations. They're no longer puppies.
Tanvi Bali:
No longer puppies, they're just dog babies.
Matias Madou:
Sounds good. Tanvi, thank you very, very much for coming on. This was a very interesting chat. Thank you very much to come on The Software Security Gurus Webcast.
Tanvi Bali:
Thank you so much. The pleasure was all mine. Thank you for inviting.
Matias Madou:
Thank you.