Secure by design with Vanessa Villa === ​[00:00:00] Hi there, and welcome to PodRocket, a web development podcast brought to you by LogRocket. LogRocket helps software teams improve user experience with session replay, error tracking, and product analytics. Try it for free at logrocket. com today. My name is Paul and joined with us is Vanessa Villa. Vanessa is a developer advocate, technology enthusiast, and we're here to discuss the development process and how we can bake security in from the get go, all the way in. Welcome to the show, Vanessa. Excited to have you. Thank you for having me, Paul. This is a grand topic. We could stab at it from a million different angles. But one thing we were talking about before we started recording was like this king term that, that sits at the top secure by design. ~And I think this is a great spot to start.~ ~I was actually asking Vanessa, did you make that up? It's in caps on the show notes. So maybe it's Vanessa saying, yeah, Vanessa shaking her head saying no. ~So Vanessa, what is secure by design and what got you personally interested in what you were about to define for us? Sure. Okay, so secure by design was a term coined by [00:01:00] CISA, not the singer, the Cyber Security and Infrastructure Security Agency. They are an agency that is under the Department of Homeland Security here in the United States, and they were founded in 2018. Their entire goal is to bring security up to the forefront as a major issue here in the United States, especially with respect to code and web development and app development. So in 2023, They released a large scale paper called Shifting the Balance of Cybersecurity Risk Principles and Approaches for Secure by Design Software. So that's where this term ~cam~ comes from. And the CISA and partners is like other nations, other cybersecurity agencies, the European Council of Cybersecurity. So it's just a broad sweeping paper that covers, the topic from multiple angles. And are you a security researcher yourself? Are you a developer? How did you [00:02:00] get interested in the things that the DOJ is putting out? Sorry, wrong department. You said Homeland Security. Homeland Yes. Yeah. It's a weird entryway. So I was like in the white hat club in college. So tinkering around with web security there. And then I moved more into the IoT framework. And so when GDPR came out, and we were talking about data partitioning, in order to support the European Union's data partitioning constraints with that, it was a huge issue. And it hit my team in particular in the product I was working on at the time really hard because most of our clientele was in Europe at that point. And so I was there, I was, seeing the ramifications on our engineering team and all of the things like having to read through that paper and figure out exactly what we needed to do about data retention. And data partitioning. It was insane. It was such a huge undertaking. It stopped all feature work because we had to get this out. [00:03:00] So that's my entry point into cyber security and figuring out, all of these compliance issues are going to start hitting software development in big and major ways going forward. So secure by design. It's something from the Department of Homeland Security and these organizations that you mentioned, and you kind of got into it from being in the hacker space, security space, IOT space. Let's hop right into what Secure by design is, and this is one of those things where, as somebody who's not privy to it myself already, I would love to know what it's not. So could you maybe give us an example of something that everybody would think, Oh, this is a secure application, or this is a way that I have traditionally wrote software with my team or my sprints that we think is secure. We're implementing all the right protocols, but it doesn't exactly fit. The secure by design or completely misses the secure by design I think the big one is People think that software development cycle, [00:04:00] at least, is you design it, you develop it. You do your integration, and then you don't even start really thinking about security until testing. And at that point, you're doing static code scans to check to see if there's any secrets or tokens in your code, or you're checking to see if packages maybe need to be updated during your testing and staging phases. This is not Secure by design, because you are already what, four steps into your software lifecycle, you designed it, you developed it, you integrated it, and now you're testing it. Secure by design is bringing all of that thought process all the way to the beginning. So as we're designing and we're choosing what technologies to use for our software development lifecycle, we need to do that with security in mind. Hey, I want to use this package. This package hasn't been updated since 2012. Do we think it might have some vulnerabilities in it at this point? Almost a decade [00:05:00] later or more than a decade later? Probably. So that's what being secured by design is. It's like at the design stage, we're already thinking about the tool sets and the ramifications of our choices. How does this fit into the. Test driven development world for you because that's another sort of term that's thrown out that people like to move towards or try to move towards. Is this the same thing? Is it different? Do they happen in parallel? You need to have test driven development, but your test driven development usually tests functionalities, right? If this backend flow works, your test driven development doesn't usually check to see, Oh, is my user login susceptible to SQL injection? Does it, my test driven development at least doesn't cover that kind of concept. And yeah, maybe you can expand on test driven development and. Add a little bit of penetration testing. It's very different. It's about making all of those security choices at the very beginning, so you don't really have to consider [00:06:00] them way down the road if we're doing things. And we're choosing options in our software, in our web development process. We should add a little security check in mind. It's like, hey, is this thing compliant? Is this thing going to be secure five months from now? Have they had any major exploits in the past three years? Was there any kind of security breaches? That sort of thing. You brought up shipping compliant code. So my next question would be like for the majority of people who don't always ship Compliant code, why does that happen? And the obvious reason is maybe we need to think more about security by design, but in terms of like the culture and the way that software currently moves, why do you think people don't think about it? And what is some classic examples of something that is considered fine typically, but you look at it from a security researchers point of view, and you're like, that's probably not compliant. They don't even know. This is [00:07:00] a great question. Oddly enough, I think we co ran a study over at Pangea we hunkered down with a couple of user researchers and we ran a massive study, and they said that 80 percent of software developers ship insecure or uncompliant code here in the United States, either knowingly or unknowingly, it's 80 percent that are shipping code in this manner, and If you look at other countries, or if you look at other demographics that have high volumes of software developers, we looked at the UK, that number was radically reduced. And the big question is why? Why is it such an issue here in the United States? And personally and statistically, it's because we don't prioritize security in our business models. We're not making it a top level priority and we don't have as Rigorous a tooling set as other countries do it's not a [00:08:00] priority for our tooling set It's not federally regulated as a tooling set. So if it's not federally regulated, why would a business want to invest in it? It's like why would we make this a business standard~ if it~ if there's no, you know What's the likelihood of a small bank in middle of America getting hacked? ~What's the~~, ~what's the risk of a local government getting hacked? What's the risk of your Etsy shop getting hacked? It's not the risk to reward there. It's appears to be like it's Negligible, right? Like, why would I ship secure code when it's much faster to ship features with insecure code? Yeah, purely from a business point of view. We could look at the stock market to, to see how regulation was needed there, because it's like, why would I do this? If it slows down innovation, if that's what you want to call it, you need the government to have a word or some governing body to have a word, which kind of like leads me to my next question, how do you see governing bodies, whether that be the US [00:09:00] government, a local state government, federal government, maybe even a larger body for talking on the UN. Sort of scale. I don't know. They're, they probably wouldn't be the people to do this, but like some international body being more aggressive about enforcing these standards. I think a lot of people could agree. Like it's definitely necessary when you compare it against some, somewhere like the EU, but where in your mind does that sit? Do you remember the MGM hack that happened recently? course that was huge. Yeah, this was, in the news. You heard about pretty recently. Yeah. So the MGM hack cost MGM them as a company about a hundred million dollars. They had to pay the ransom, right? They paid the ransom. Then they went and. Vulnerabilities in order to prevent this from happening again which was like an alpha V attack. It stopped their business just for a week and a half or something like that. And that was 100, 000, 000. Okay, great. [00:10:00] That costs them 100, 000, 000. But they also lost consumer trust. They lost, Why would I go to MGM over a different hotel in Las Vegas? They just had a big hack. I don't even know if I'm going to be able to gamble there as a consumer. Their engineers, I'm sure were under pressure during that entire time that was happening. They're like, why can't you fix this? How come this happened? How did we allow this to happen? And now you're adding in another governing body of Hey, you knew you were shipping incompliant code, insecure code, that would allow something like this to happen. Now there may be an additional fine because you did this, and because it was able to be exploited. So I think now you're getting attacked from three sides, right? You're getting attacked internally from your developers. You're getting attacked from your consumers on the business side and now you're also going to be attacked or at least taxed and fined from this [00:11:00] security body. Now you're getting hit from three sides. I think it was manageable of okay, 100 million, it's nothing kind of thing. It's 100 million plus a bad reputation plus an additional fine now. So we're hoping that additional pressure will start changing the practices. Do you feel like there's going to be some sort of gate keeping that is naturally born until the culture changes over the course of a decade or two into the trade. If we think about buildings and how buildings are made, like you can't sign off on an electrical circuit in a new construction unless you've worked under a master electrician, I think it's for 8000 hours at least. Here in Massachusetts, where I'm broadcasting from. So are we, could there be some stratification to the practice and what types of code people can actually contribute to, I think that the heavy players that currently exist in CyberSec, you're talking like your CrowdStrikes, your Versing Labs they [00:12:00] definitely already see this coming. The people that are in the know are already in the know, and that's why you start seeing These companies starting to pop up of Hey, you can use this software component from us, and we're making sure that it's compliant for you. So I think it's just the people who see the opportunity now are starting now. And once the regulation starts hitting, people will realize, Oh, great. There's already players here. It's going to cost us money to pay these people. But. Then we don't have to worry about it. So I think it's that question of do we build it in house? Do we build that ourselves? Do we have to, onboard onto security and spend, that months and months? Of getting our engineers up on the latest security tech and compliance tech, or do we just pay an outside service? but definitely some weight is coming. Like you said, it's coming. There's nothing you can really do about it because there's weight to having certifications, having the knowledge and [00:13:00] knowing how to run something compliantly Yes. awesome. So actually running software, actually writing software, when you're down in the weeds, I want to get into that a little bit. Before we do that, I just want to remind our listeners that this show is brought to you by LogRocket. So if you're building an application and you want to spend less time in the console, Debugging and scrolling through those logs. You can use LogRocket to get things like heatmaps, AI powered features to surface, like user sessions, where they're clicking, what errors are popping up in one. So head over to LogRocket. com today and you can spend more time actually building the app and less time figuring out what's going wrong on testing that you probably don't have. Because let's be honest, we don't like to test that much. So Without further ado, let's get into actually practicing this stuff. So one thing that I have written down that I want to ask you about Vanessa is audit logs and yeah. Love it. Love Yeah, I'm really curious about this one because everybody [00:14:00] logs. If you don't log like you need help, so let's just, the given is you log, you collect some things about your software. And to me, I'm like, okay, I'm doing some security stuff, like security by design. I'm designing an audit log into my thing. know I'm off the mark here. So Vanessa, can you talk to me a little bit about how roles audit logs play into Security by design and how you see them enhance the security of applications software running in practice. Sure. Okay, so just a quick question. When you log something into your log, are you able to delete it? I'm pausing with my answer because I genuinely don't know if I've ever been able to do that. If you're just logging stuff into a database, right? Usually there's a delete function. Like you can say delete, certain event or delete certain input. So if you're doing a secure log, that delete functionality is essentially non existent. Like delete does not exist when you're talking about a secure audit log. Something else that doesn't exist when we're [00:15:00] talking about secure audit logs is. Basically every log has an identification that tells you that it is part of this log. And at least at Pangaea, we accomplish that via Merkel trees and you can verify it with a blockchain. But that's a different thing, right? So we're talking about it being tamperproof. You cannot delete it. You cannot edit the log. And if you do, it does change that identification. So those are the kind of two components with respect to audit logs. You can't delete any logs that go in if you. If you do delete or you edit a log your identification now has been changed on that log. And that's to ensure basically like, the chain of events, right? A lot of people who log something and you're like, Oh, that's not a big deal. I'm going to delete that log. It may be a big deal in about a month. It may be a big deal in about. 90 days. If you're going in and editing logs, you're deleting logs, [00:16:00] that history is no longer valid. And it's also no longer compliant because of that. And deleting logs is one of those things that everybody does willy nilly because it costs companies a lot of money to keep logs. So it can be really easy to hover over that delete button and say I'm going to slash my bill in half. I'm, I, half of the retention or whatever what type of solutions do you see in practice for people storing this stuff? Is glacial storage something they use to drive down costs and still keep everything? Or are there secure logging services that you would reach for? There's secure logging services. So there's I know of like BoxyHQ, they're like up and coming in the market now. Pangea also has a secure audit log service. And by default, I think you get 30 days of retention, but then if you say, Hey, I want to make this FDIC compliant that they'll automatically update that retention to 90 days. And then you also talk about like hot and cold storage, right? So it's okay, great. [00:17:00] You have 90 days here in this storage category or in cold storage, but we're only going to keep the last 30 days in hot storage or in like easily accessible storage. So it's just managing, how quickly does your. Logging system move from hot to cold. Another foundational piece that I would like to ask about is authentication because this is something that has changed so much in the past 10 years. And I love that you Brought a blockchain because as somebody who has worked with some of those systems myself, we have dynamic XYZ, which you can log in with any wallet you want. There's the anonymous people crowd out there who like never want KYC tied to your address. And there are systems I've myself have worked on a system that has anonymous address login. So why is authentication a foundational security? And how do you see this model of identification and linking of These foundations playing a role in this modern landscape where we have [00:18:00] crypto login OAuth login. There's still people who want a classic username and password login, like you have on the 2005 forum. So do these all belong in the same world? Do they work towards the same goal? work towards the same goal and it's all about what's behind that login page. Like how secure do you need to be? All depends on what's behind it. If we're talking about, Hey, I want to get into my plant monitoring dashboard that may not need anything more than just a username and password. Or just enabling social off. Cool. If you're talking about, Hey, I need to log in and see my crypto wallet. Okay, now we're talking about 2FA, we're talking about, or at least multi FA using a secondary what's it called the authentication app, where you can thing. yeah the code you get the code thing, and then you type in the code thing, and it refreshes every 30 seconds, yeah, there you go. That's the most secure you're ever gonna be [00:19:00] or at least nowadays, until we get into quantum computing kind of thing, but that's Yeah. Yeah. Hopefully a couple years out. But yeah, authentication all depends on what it's protecting and the more sensitive that data, the more sensitive that information, the more security you should have in practice there. Now, speaking of quantum computing, this is, this was not on the agenda, but I'm generally just curious when you have large bodies of money who have the ability to actually run a device that can break SHA 256. What happens to the power dynamic on the internet? All hell breaks loose. Then you start talking about okay, the people who have like multi factor authentications might have a bit more time. The people who have a username and password, whoops, like We're in the weeds there. And that's where we're going to have to start talking about Hey, is it on the auth providers to be like, Hey, we have this easily configurable. Now that we have quantum computing, if you want to add multi levels of [00:20:00] configuration here, cool. If you want to prevent, impossible travel attacks. Awesome. Because that's one easy way that even with quantum computing, we're going to be able to stop that attack surface. On a similar note you mentioned it depends what is behind the login wall for when we're talking about OAuth, username and password, multi factor. Does it also depend what's behind that wall? Could there be some sort of regulation or standard that's set forth for the Facebooks of the world? Because we're you're posting into a public forum and we just had that hearing. Last week where , they got grilled on what are they actually allowing people to post and transmit through their wires? Colloquially their wires, They're wires, yeah. servers, So there could be some KYC tied behind a simple username and password and some folks will say the username and password Just not going to exist Because we're having all these new legislations come out about your behavior on the internet needs to be tied to the person. Curious on your thoughts on that. Being [00:21:00] anonymous on the internet, right? That's most people's bread and butter. That's how the internet exists Yeah. in perpetuity. I think GDPR or some other ANISA body has two policies on this already. They have the policy of the right to be forgotten. If you were to disable your Facebook account or whatever, or delete your Facebook account, they must delete every spec. Of data that you have ever given them. That means your comments, your Facebook posts, etc. That means you are gone. The other thing is that they do have a policy on, you have to be able to track them. And that doesn't mean that they need to track your IP address. your name, but you have to have a consistent identification across these internets or across these places. , I don't know if you're familiar with the Google security and cookies thing that just happened or Oh, am I? Yeah,[00:22:00] that's crazy. So it's like you, you now have lost all anonymity. It's in a sense, you have lost all anonymity. Depending on the browser you use, depending on the browser you use, yeah, yes. but what Microsoft Edge is on Chromium, you have the Google Chrome, and those are your two most popular browsers that at least I'm aware of that most people use. So if you choose to go with something like Brave, or if you choose to go with something like Arc, that's your choice, but then the apps themselves may use a different kind of identification system. That's where that's going. I know it doesn't quite answer your question, but I don't know until we get there, right? Like, how fast is our regulatory systems going to get there? How fast are tech companies going to get there? It's also just interesting because the speed at which we are getting there shows some colors about priorities. And like you mentioned, when we entered this podcast, the U S is we're at 80%, right? Non compliant code. It's,[00:23:00] we are prioritizing moving fast But we're prioritizing moving fast with our feature development and our AI tooling and our augmented reality and metaspaces. We're not moving as fast in the security space. So last question I have, this is less like about the paradigms and ethos of what you're talking about. More like. In the field, do you see intelligent tools aiding the secure by design process, and if not specifically secure by design, do you see intelligence tools that people are using, maybe they're already down the road a little bit, like you said, they're four steps in, that actually do a good job that you would recommend? Ooh, that's a great question. I'm really scared of intelligence tools. You can do threat intel, IP intel, domain intel. And luckily, Pangea already has that partnership. We're partnered with Reversing Labs, CrowdStrike, Team Kumri, all of these [00:24:00] major players in The threat intelligence space that cover anything from detecting whether and a user is coming in via a VPN or a proxy service, whether they were logged in from Columbia, University, and now they're like logged in from Estonia. So tracking those, impossible travel attacks that whether an IP coming in is part of a botnet. So all of that Is part of threat intelligence. All of that data set already exists, but it is owned by the key players. It's owned by, large enterprises that specialize in enterprise contracts. So being able to do that on a smaller scale for your everyday developer, that's what. Pangea's model is like we're targeting mid to small size companies, giving them access to those data sets and then only charging them. per call. So if you only [00:25:00] have 200 website visitors, great. You only have to make 200 of those calls. And I think it's like on the cents order. So we're trying to democratize that space and not limit it to be like, Hey, if you don't have a 5, 000 contract with one of these users, that's okay. So that's on the threat intelligence space with respect to artificial intelligence. Crossing over with threat intelligence that's pretty scary to me, because at least with respect to AI, I haven't seen people using it securely or responsibly yet, like I, my friend this like last week, he went on like the BMW site and they had integrated AI into their chat bot and he got it to respond with an essay for him for his English class. There, there's no barriers there yet. Gotcha. So we're still in the timeline of curated modeled [00:26:00] data over the past 10 or 15 years and making intelligent use of that data in terms of AI tools, TBD. Yeah. In terms of AI tools, very much TBD. The day that I see AI models where they can't be as easily influenced, maybe I'll change my mind. I feel like it's a very common theme when we talk about the professional applications of AI today, at least in this What is it? February of 2024. So we'll, yeah, we'll see. Vanessa, we are getting closer to the end of the podcast here. So I'm sure there's some great resources that you could recommend to people because I'm sure people listening are going to say, are going to say, I'd like to learn more about. Designing for security from the gecko security by design. Would you recommend books? Would you recommend podcasts? And would you recommend people like just get into the security field? If you're not in security, a lot of things can feel confusing. You're like, I don't [00:27:00] even know what, like a what's it called? A, a origin, a travel blocking the path. travel Yeah, impossible travel, right? Yeah, so where do you recommend folks start if they are truly a beginner? Oof. Okay. That's a great question. I'm going to give you three places that I go to at least for what's the new, what's the latest? One would be Anisa, which is the European cybersecurity agency. They post four or five bullet points per topic, and then some recommended like best practices and tooling. So they're great. They're if you want to see what's specific here to the United States, I would recommend the CISA site. They do something similar where they'll give you like three or four bullet points. They even link out to different certification exams. So after you're done reading through the guidelines or best security practices, you can add that to your LinkedIn profile. Like, Hey, I am a cybersecurity expert in this specific thing. The last thing is that, nobody wants to read the full 25 pages [00:28:00] of cyber security best practices. Pangea actually has a blog where we write blog posts about this. We'll write Hey, it means that you need to have authorization, authentication, and this should be top of mind or multi. Factor authentication as a minimum kind of thing. And so we'll go through and we'll say, Hey, this is what this guideline specifically means with respect to your software application. And how do you spell Anissa in CESA? Alright. Anisa is E-N-I-S-A. So Anisa and Cisa is CISA. Awesome, and that sounds very enticing. Anything you can add to your LinkedIn trophy set is great. So you can go to CESA, read up, and you can take an online exam and get a certification. That's pretty neat. It's pretty neat. And Vanessa, do you blog yourself anywhere? Whether that be on the Pangea blog, a personal blog, Yes. So I've been blogging on the [00:29:00] Pangea blog. Usually I'm more about a specific topic rather than up in general guidelines. I've tried to read through the 34 page something guideline. And last time I did it for GDPR, I was like, I'm gonna find someone who's already read it and summarized it up. That's probably the best way to get it. The most bang for your buck or, the most out of my time, at least nowadays. And then just looking at tooling and seeing which is secure and which is not. Vanessa, this has been an illuminating conversation. It's we're in an interesting time seeing the law and the programmers start to merge into this subset of skills that is becoming ever more pertinent definitely going to go check out the Pangea blog. Hopefully find some of your posts, but thank you so much for your time coming on. It was a great conversation and a pleasure having you. It was great chatting with you too, Paul.