Episode Transcript
0:08
[Music]

0:35
[Music]

0:58
Welcome to the We Hack Purple podcast, where each week we meet with a different person from the information security industry to ask them all about their job, how they got that job, their career progression, and how you could potentially one day get a job just like theirs. And this week we are talking to Leif Dreisler, and he is going to tell us all about his awesome work at Segment. This week's podcast is sponsored by 10Security, the gentlemen who created DefectDojo. But without further ado, I know what everyone wants: let's meet Leif.

1:31
[Music]
1:32
Hi. Hey, thanks for having me on the podcast, I really appreciate it.

1:38
Thanks for being on the podcast. I've been excited to have you, especially after reading your blog for a little while.

1:43
Yeah, I love hearing that. I feel like you're kind of an infosec celebrity and somebody that I've watched a lot of talks and read blogs from, so it's amazing to hear that from somebody that's been inspiring to me throughout my career.

2:00
Oh, feeling the love on the We Hack Purple podcast. Can you tell our audience a little bit about, like, maybe the title of your job? And I think you're allowed to say where you work, since you share the blog, so it's like not very good opsec if you were to hide that, and I feel like it's probably okay.

2:20
Yeah, my opsec is inherently bad because I'm the only Leif Dreisler, and so it's very easy to find me, fortunately or unfortunately. But yeah, if you ever want to find me on Twitter, Leif Dreisler, only one, same thing on LinkedIn, very, very easy to find. But yeah, I work at Segment and I'm the engineering manager for the product security team. The product security team at Segment is a little bit different than a lot of other product security teams in the sense that we function more like an engineering team and actually partner with engineering teams to design and build security-related features that are customer facing. So Segment isn't a security company, but we do a lot of B2B business, like we have a lot of business customers that care deeply about security, and so they care about things like single sign-on, 2FA, SCIM, and so we work with engineering teams to design and implement these types of features. And I know prodsec is a little bit of an overloaded term and many orgs use it synonymously with application security. We actually have a separate application security team that's focused on tooling, training, internal consulting to help our engineers write secure code on their own, and this includes things like bug bounty programs, managing tooling like Snyk, teaching other engineers to do their own threat modeling. And that's actually something that was recently blogged about by my coworker Jeevan, and I just dropped a link to that in the chat if people want to check that out on their own time. It's a really good blog.

4:01
Cool, yes. Oh, and let's copy it to the chat too. So yeah, we actually just realized that we both know Jeevan, and that he's totally awesome, and he is one of the leaders of the OWASP Vancouver chapter with Farshad.

4:19
Yeah, Jeevan's awesome. I referred Jeevan and then I got two hockey assists because he referred two people, and so it's like a nice little tree of referrals, and he's responsible for all of our Vancouver hires in security, which is great.

4:35
Oh, that's amazing. That's awesome. We're all friends. A lot of good people know a lot of other good people, that's a thing I've seen. Cool.
4:48
Okay, so we shared your blog post, or we shared a link to one of your blog posts in there, which everyone obviously is going to read as soon as this episode's over. So open it so you have the link, but then stay with us. So first of all I have to, of course, ask questions about product security, so stuff like multi-factor authentication, etc. So I logged into one of my banks today and they asked for my password, and then they asked for a security question, and they're like, "It's a two-step verification," and I was like, "Don't you dare call that... don't you dare."

5:28
I wouldn't say there are two factors, but there are two steps, I guess.

5:32
I feel like it's dirty, yeah, because the average person's like, "Oh yeah, I do two-factor," and then I'm like, "No you don't, your bank is tricking you with crappy security, it's two of the same factor."

5:44
Yeah, it's, you know, what high school did you go to, what was the mascot, or whatever. It's like, okay, that's pretty easy to find for many, many people. Luckily, for those types of things, if I do get asked, I always just save some random string of characters, like it just becomes another password and I throw that into 1Password and, you know, don't really worry about it. But yeah, for the average person, they're definitely picking whatever their actual high school mascot was.

6:15
Since your company does B2B, I feel like if you're selling... so first of all, like, your team is making security features for businesses. They're not going to put up with that crap, right? If you're like, "Oh, we added security questions, so now it's two-step verification," they'd be like, "No, that's not MFA, go back to the drawing board." Do you think that business customers are potentially a lot more savvy than the average consumer?

6:40
Definitely, and they also have the ability to lobby on their own behalf, because they're like, "Hey, we're giving you a lot of money, and so we expect you to have SSO," or "We expect you to have SCIM," and features like that. I would say businesses are generally okay with paying more for whatever that enterprise level of feature set is, whether it's security or not. But yeah, they definitely have demands across the business, and I think it's fine because security is really just one part of our engineering organization, and they have demands across all sorts of engineering requests, and I think that it's totally fair that they would have some that are within the realm of security as well.

7:28
Would you say that... so, like, if you don't know the answer it's okay, but would you say that they're motivated because they want to protect their own business, or they're motivated because they want to protect their customers, or they're motivated because they're like, "If our product's more secure, that's a selling feature"? Or is it like a whole mishmash?

7:43
I think it's all those, and it really just depends on the specific customer. Like, I would say that in many cases we are B2B2C, so something like Nike or Etsy, and so in that case I'm sure they do care about their own employees' data that's within our systems, but I'd say they probably care more about their customers' data. But then, I guess, yeah, if you're B2B2B then it's probably the same thing, like you probably generally care more about your customers' data than your own employees' data. And so I think that it's probably a combination of all those things that you said, but yeah, I'd say the biggest motivation is probably making sure that their own customer data that's going through Segment is safe.
8:26
I was actually doing research last night for a pitch I had to do today, and apparently in 2020 almost one percent of the entire GDP of the entire world went to cybercrime.

8:40
Oh, so just like straight up ransomware, or like...

8:43
I guess other things, like every single type of nefarious-related cyber... like cybercrime, which is absolutely mind-blowing.

8:53
So yeah, I've not heard that, that's pretty interesting though. I guess they're probably all like Bitcoin theft, that falls into that bucket, like ransomware. I'm not sure what else would fall into that offhand, but yeah, those two are probably pretty big.

9:09
Yeah, they are. Would you say that business customers are becoming way more security savvy? I know these are off script, but I'm just like... superheroes.

9:19
Sounds cool. I think the more you swim up the enterprise chain, it's very, very security-centric, like they'll send you whole questionnaires, that I don't totally understand why they send so many questionnaires while also asking for compliance stuff. Because I feel like if you say, "Hey, we have SOC 2," like that shouldn't get you out of all the questions, but it should at least get you out of answering the questions that SOC 2 is meant to cover. Like, we will share our SOC 2 report with customers, and I feel like they should share the burden, and they're not incentivized at all because they're just like, "Whatever, we're paying you money, fill out the spreadsheet that you already have the answers to in the SOC 2 report." But I do feel like they should, if they were being friendlier to the ecosystem, have an augmented questionnaire that's like, "Hey, we'll check out your SOC 2 report, we still have these other questions that aren't covered by SOC 2," to augment that. But yeah, customers really do dig into security pretty heavily, especially as you get to the larger customers.

10:29
Were you surprised by just how many checklists that you had to fill out as part of your job?

10:37
So luckily I don't have to fill out too many of those. We have an awesome governance, risk and compliance team that also serves as our defenses for sales enablement, and so they do a first and second and maybe even a third pass to try to answer these questions before giving them to the rest of the security org. And then we've also invested in a tool called Loopio, which is actually a Canadian company, that helps automate the responses, and so it serves as a library of answers, and then sales engineers can upload the spreadsheet and it'll go through the spreadsheet and find similar questions that you've answered before to be like, "Hey, maybe you want to use this answer that you've provided." And so the sales engineers do the first pass, and then the GRC team does the second and third pass, and then if there's anything that's left over that's like a new question, or a question that we answered but it was a long time ago, then we'll take a look at it. But yeah, we try not to have the engineering teams look at those too frequently.
11:48
Okay, so now I'm going to ask questions that are on script just for a bit, and then I'll probably get interrupted with your... yeah. Can you describe your job, and maybe describe what a day is like in the life of... like, do you know what I mean? Like, yeah, sometimes people's jobs are just like all meetings, or sometimes it's lots of spending time with, I don't know. I'll shut up now.

12:16
No, I get what you mean. So, as I mentioned, I'm the product security manager at Segment, and I manage a group of individual contributor software engineers, and so I do have a decent amount of meetings. I think that's pretty similar to a lot of other engineering managers, but I don't manage any other managers, and so a lot of what I spend my time doing is trying to help the individual contributors on my team with their work and be able to grow autonomously. And so we have a couple people that have joined in the last couple of weeks, we have an intern for the summer, and so I try to spend at least a little bit of each day helping one of those two people work on whatever they're working on. And sometimes it's writing up a guide in advance that has some intentionally missing pieces. It's like, "Hey, you know, check out this part of the code base, try to trace what's happening back to this other service," or something like that, "and then generally here's what you're trying to accomplish." And so it's a combination of pointing them in the right direction, putting some breadcrumbs along the way, but also making sure that they're doing a decent amount of research on their own. And so yeah, I would say it's a good mixture of things that are planning related, meeting with other teams, meeting with people on my own team, and just making sure that the teams that we interact with and the people on my team are successful. But we're also hiring more people, so we have a senior and a staff role open, and so if you're a software engineer that's interested in security features, we have a really modern tech stack, you'd mostly be working with TypeScript and React. I'd love to chat, you can just give me a DM on Twitter and LinkedIn.

14:12
Cool, good. We want people to have jobs, so this is awesome, and Leif's really nice and so is Jeevan, so you get to work with at least two awesome humans, so it's a good deal.

14:21
Jeevan is the manager on the AppSec side, so he's one of the teams that we work with super closely, so he's also under the security engineering umbrella.
14:32
Nice. What types of... so, like, it takes a certain type of person that can do this job, right? What types of personality traits, or maybe, I don't know, sometimes people might say aptitudes, would you say that someone needs so that they could be good at this job?

14:53
Yeah, so I don't think that there's a specific pattern or set of buckets that somebody needs to fall into to be successful at my job. Like, I think that there's a lot of different personality types or traits that somebody could possess and be successful. I do think that all managers need to be empathetic, regardless of whether it's an engineering manager or just somebody who's managing something else. But your team is always going to be composed of different people that think about and react to things differently, and same thing with other teams: other teams are gonna have different priorities, they may be understaffed, they may not have a focused mission, and you need to try to be understanding of what the people and teams you work with are going through, even if it's something that you don't fully understand, or maybe it's something that you've never done. But on top of that, I would say you need to be good at prioritization. I think this applies to most leadership roles. Like, there's really no shortage of good ideas at Segment, but you have to focus on a couple of things to make sure that what you're building is high quality. And kind of in that same vein, having a good system to keep track of all the things that you need to do is important. I think that once you've been at a company for a while, you're probably gonna get tagged into docs all the time, have people messaging you on Slack. Like, once you know things, people need things from you, and it's easy to get distracted and forget to reply to somebody's question or whatever, and so you need to have a good system in place to make sure that you're staying on top of everything.
16:37
How do you choose, like, for prioritizing? I teach this course for We Hack Purple, and I go in and we build an AppSec program together, and it's the toughest part of the course: the team will come up with, like, "Well, we have 20 AppSec goals," and I'm like, "You get three to five." And then, "You know, we need at least 10," and I'm like, "If you have 10 things, you're never going to finish any of them." And so three to five, guys, and it's like a constant battle. Or you've got to be really good at convincing managers, people above you, that you need more people.

17:15
That will increase what you can work on. But yeah, I think luckily one thing that is nice about the way that our team's set up is we are similar to a product engineering team, and so you can fall back on some of the things that other product-facing teams use as part of their prioritization, like: is this something that customers are asking for? Is this something that we've already built that's broken that customers have told us about? Is this something that we've started to see show up in security questionnaires, even if it isn't something that's really getting in the way of deals? Like, you can kind of get a sense from reading those here and there that maybe there's this new thing that customers are going to be expecting over the next six to 12 months. And so I think that it's a little bit easier than maybe an AppSec team that isn't tied so closely to the goals of the business. But I think what we do across security engineering, regardless of if it's my team or one of our partner teams, is we try to rate things on a combination of business slash security value and then effort, and we try to pick things that have a good ratio. And sometimes it's like, this is actually a ton of work, but the value is going to be really high, and so it's worth it. And, you know, I think using something like that, it's easy to just pick off a bunch of stuff that it's like, "Okay, this is easy and it's going to have a big difference." Eventually, if you're doing a good job, I think you'll probably run out of those at some point, like your org will have just done enough of those easy ones with big impact, but you should always keep an eye out for something like that. And then from there, yeah, you just got to figure out what's going to be a good ratio of effort to security and/or business value. And I think that's easier at a B2B company, because your customers inherently care way more. Consumers on average, I would say, don't really care about security. Maybe there's a couple of things that they use, like if it's medical related or financial related, but there's a lot of the apps that I use, it's like if they got hacked, I would be kind of upset, but I'd probably still keep using them. And then it's like, at the end of the day, if your customers aren't gonna leave, why should your business really care about security? And obviously it's the right thing to do, and there's regulations that you can run afoul of if you just don't care at all, but it's very different in the B2B space, where your customers will just straight up cancel contracts that might be worth, you know, hundreds of thousands or millions of dollars. Whereas at the individual consumer level, it's like if that athletic brand that I buy clothes from gets hacked, it's like, well, I'm probably still gonna buy shorts from you, so it's okay.

20:01
[Laughter]

20:03
It's like, I still like those shorts, yeah.

20:05
It's like, I still want the shorts. It's like, you already lost my info, you can't really lose it again, and it's probably already out there anyway. And so it's just not the same as when you're selling to another business that cares and has a lot more weight that they can throw behind an event like that.

20:19
Would you say too that business customers are more likely to give you direct, actionable feedback than the average consumer?

20:30
I would say most... I assume most consumers give no feedback to any of the brands that they interact with. It's like maybe there's a small percentage of people that will write a review or send in a complaint or say, "Oh, I really like this thing," but I'd say, you know, that's probably in the very, very small minority. Whereas businesses, they'll just be like, "Hey, you don't have a way to force everyone in our workspace to use SSO," and it's like, "All right, that's a great idea, let's build that." I think the businesses are definitely more vocal, and I think it's because they know they can be. Like, if one customer is like, "I wish the pocket on this pant was a little bit bigger," you'd be like, "All right, well, we're not doing that." But if a business customer is like, "Hey, we've spent two mil a year with you, we'd really like this thing," it's like, "Well, we should take a look at that and see if we want to build that."
21:21
I wonder if too, like, if an individual... so for instance, I ordered some food from a restaurant. I ordered a vegetarian meal, and I eat meat, but I go vegetarian some days for the environment, blah blah. And then I got it and there was shrimp in it, and I was like, "Oh, what?" And I was like, oh, maybe I should call and tell them, and I'm like, I don't really care though, like I eat shrimp, it's fine. Like, I was trying to be vegetarian today, but I also don't care. But then I thought about, well, I used to be a vegetarian and I would be furious, yeah, if they had put meat in my meal. I'm like, maybe I should tell them. And then guess what I did? I did nothing, and so they got no feedback.

22:04
Like, if you're flexible, it's almost worse not to eat the shrimp, because otherwise you're just gonna toss it. Of course I'm gonna eat the shrimp, yeah, right.

22:11
Did I get less cheese? That's the real question, because that's what you should call about. You need to figure out, in lieu of this shrimp, would I have gotten more cheese? Paneer is like one of my favorites, anyway.

22:22
Yes.

22:26
It's so good. Yeah, it's like that. I feel like if I were to go vegetarian I would eat Indian food even more than I do now, because there's so many... same thing with a lot of stuff like Asian dishes in general, like there's so many good meals that are like, oh, this is not just something where we took the meat out and put in a lame replacement, it was like, oh, this meal was just good without meat.

22:48
Yeah, it's just awesome. Yeah, oh my gosh, I love Indian food. Anyway, okay, so I'm glad we agree, Asian food's the best. So someone in the comments is like, "Very true, 100%."
23:03
So, like, your job, I feel like there's some skills that a person's gonna need to do that type of work. So what types of technical skills, or maybe technical experiences, would they need to be able to one day do a job like yours? Because you can't just, like, walk out of college and do your job, probably. There's probably nothing that they need...

23:26
Woefully unqualified to do my current job as my first job out of college. Yeah, I think, similar to the traits and aptitudes, I don't think that there's a firm set of requirements. Like, I think that you could probably come from a variety of different backgrounds and be successful if it's something that you were really focused and motivated to be successful in. But at least for me, I have been served incredibly well by having a background and experience writing software, especially security features. I think for me, as somebody who manages individual contributors, it's really important that I can be there to help give feedback for the types of things that they're working on, I'm familiar with the code base that they're working in, and that I can frequently point them in the right direction. If they're stuck on something, I can help them debug whatever they're working on. And that's just some of the things that's made me successful, but I really think that that provides a lot of value for the team, especially because as of a month ago there were just two of us, and so I spent a decent amount of my time working on individual contributor type engineering tasks. I also think that having some sort of product sense is pretty important. I've never been a product manager or anything like that, but even though we're building security features, usability is incredibly important. If your SSO process is annoying, people are just not going to use it, which means they're probably just going to use the username and password and maybe turn on MFA. I'm far from a product expert. Like, I'm really lucky to work with our enterprise software engineering team with an amazing product manager, Rachel. But I think that having at least some of that sense, to be like, "Hey, this flow is just not very good," or "What can we do to make this easier for people?" Like, you really want to make security stuff easy, because generally it's something that is making somebody's life more annoying, and you want to make it as easy as possible, and the golden goal is just: is it easy and secure? And that's why I feel like SSO is a good example of this. Once you get it set up, you just click Okta and you click one button and you're logged into Segment. It's easier than entering in a username, a password, a 2FA code, and it's preferred from a security and IT side. And so I think that designing things to be like that is really important, but it's something where you're going to need good designers, you're going to need good product people, and I don't think you need to be all of those, but at least being able to work with those other groups to come up with something and kind of show them, like, "Hey, here are a couple other apps that do this really well or really poorly." I think having a list in your mind of apps that you've used that do this at varying degrees of good or bad is really helpful.

26:31
I have almost never got to have a manager where they could actually help me with my technical stuff. That is awesome. Like, at Microsoft I had three different managers, and there was one where I remember he got into the code with me, and I was like, "This is amazing." But the other two had never coded, as far as I know.

26:52
And so it's helpful. I think it can be augmented by, like, if you have more senior people on the team that can kind of serve as that technical leadership, it probably reduces the importance of having a manager that can do those things. But our team's pretty small, and I think that it still serves you pretty well, even as the team grows, just to have built some amount of production quality software. Like, when you're reviewing your team's design docs and things like that, you're just gonna kind of have a sense for, "I've kind of seen something like this either work well or not work so well before." And I think just having a manager that can provide input into those decisions and help their team avoid mistakes or do things more efficiently is pretty helpful.

27:40
Yeah, it's fantastic.
27:44
Okay, I want to take a brief second to thank our sponsor, 10Security. Do you want help with DefectDojo? Well, why not hire the guys that built it? That's 10Security. Greg and Matt, for the win, two thumbs up. I also want to mention that we are still doing book streams once a month for all of 2021 for Alice and Bob Learn Application Security, and if you want an invite, go to aliceandboblearn.com and you can get automatic calendar invites and all that fancy jazz to your inbox. And lastly, but most excitedly, the secure coding course from We Hack Purple is actually a thing. So if you are on the advance list, which you can get at wehackpurple.orgnewsletter.wehacpurple.com secure dash coding dash course, you can get 20% off and you get invited Friday instead of everyone else who has to wait until June 30th. So saving 50 bucks is pretty sweet, and getting a week early access is also even sweeter, but no matter what, please go check out the course. And I feel that that is enough marketing for now.
28:57
Let's go back to Leif. So, you might have imagined, I have more questions for you. So I get that you don't have to have lots of programming experience in order to do this job, but it's like a really nice bonus if you've had that experience. But imagine you could design the best background ever, or things that you could learn, to try to work towards having a job like yours someday. So we had someone on the show, Mari Galloway, she's awesome, and she's a security architect, and she said, "Yeah, I just looked at jobs I wanted and all the experience they said, and I went and I made a checklist and did it." Like, you're awesome, right? She is badass. She's episode three, you should totally check it out. But anyway, imagine you could make a list of work experience that would have helped you become the person you are today. Like, what types of things would be on it if someone wants to try to kind of steer over there?

30:02
Yeah, so as you mentioned, coding is pretty important. I studied computer science in college. I don't think that that's a requirement. Like, whatever path you take to learn how to code is great: if you're self-taught, if you go to a boot camp, if you do a computer science degree, whatever works, works. I know that I definitely would not have been able to have the self-discipline to teach myself how to program at 18 years old, and so going to college and having somebody give me assignments and stuff like that was definitely the way to go for me, but not for everybody. And I think there are a lot of great trainings out there. I don't really have too many to recommend for intro to software development, but there was a training that we brought in about a year and a half ago, reacttraining.com, that was specifically a two-day React course that I took, as well as a bunch of other people at Segment, and we found it to be pretty useful. That was a private training just for Segment, but they also do paid workshops, so if React is
31:13
something that your org uses or like
31:15
that you're interested in learning more
31:17
about i would i would definitely
31:18
recommend them
31:19
um and then cover security too
31:22
or was it more just how to be awesome at
31:24
react it was just react stuff
31:26
so it was really just like hey you know
31:29
we're expecting that coming into this
31:31
you know javascript
31:32
you know how to write code you just
31:33
don't know how to use react
31:35
and uh so it was all it was all focused
31:37
on like using react hooks and
31:40
um like all the latest best practices
31:41
and things like that so
31:43
yeah it was really helpful from like a
31:45
react specific standpoint
31:47
um but i mean my background like
31:51
my path is definitely not the path you
31:53
need to take like i started
31:54
out as a computer science major uh while
31:57
i was still in school i started working
31:59
as a security consultant so i did a
32:01
couple years of pen testing
32:03
mostly appsec stuff which was pretty fun
32:06
got to see a bunch of different
32:08
organizations some doing a good job
32:10
others not so much
32:13
and then from there i went and i was a
32:15
sales engineer at bugcrowd
32:16
for about two and a half years so
32:19
getting some of that customer
32:21
uh facing experience like very different
32:23
from what i was doing
32:24
uh as a consultant very different from
32:27
what i'm doing now at segment
32:29
um but i think that one of the things to
32:31
think about is like if you're trying to
32:33
move around within your career
32:36
i think that you just need to get good
32:38
at
32:39
uh like drawing parallels between
32:42
what you're doing now and what you're
32:44
trying to do next
32:45
and there's a lot of jobs that like you
32:47
know seem
32:49
not very similar but
32:52
if you're able to draw those connections
32:56
you can convince somebody how similar
32:58
they are
32:59
um you know people will be like oh wow
33:01
you've really like jumped around it's
33:02
like yeah
33:03
kind of but before segment i was a sales
33:06
engineer
33:06
and in sales you spend a lot of time
33:08
educating people and persuading people
33:10
you do this a lot in appsec uh i also
33:13
blended my experience with the consultant
33:15
with my experience at bugcrowd to
33:16
demonstrate like hey i know the basics
33:18
of appsec
33:19
while being honest about where my gaps
33:22
are
33:23
um and so i think that you need to just
33:25
be able to
33:26
uh like help people connect those dots
33:29
the other thing is
33:31
involvement in the community like that's
33:33
probably the other most important thing
33:34
is
33:35
uh people are much more likely to
33:37
interview or refer to somebody that
33:38
doesn't have like whatever the perfect
33:40
background is
33:41
if they have a personal personal
33:43
connection uh
33:44
every job i've gotten has originally
33:46
been through somebody that i met at like
33:47
a conference or work or meetup or
33:50
whatever so yeah that that's definitely
33:53
like a couple pieces of advice there and
33:55
then
33:55
for on the management side uh
33:58
there's a training from lara hogan
34:01
uh that i've worked
34:04
part of the way through i haven't
34:06
completed it but uh they have a
34:08
background
34:09
as at a variety of different like
34:11
engineering leadership roles and i found
34:13
the training to be really
34:15
helpful so far it's great to kind of get
34:17
you in the mindset of
34:18
trying to be more reflective and like
34:20
thoughtful in the way that you approach
34:22
certain conversations and uh tips for
34:25
one-on-ones tips for planning tips for
34:28
uh
34:29
like helping your team succeed like
34:30
there's a lot of
34:32
there's years of experience that she has
34:34
uh condensed into
34:35
into this course so um if you're looking
34:38
specifically to make the jump from
34:40
uh like an individual contributor role
34:43
to like a manager role i think that
34:44
that's worth checking out for sure or if
34:46
you're already in a manager role
34:48
that's awesome leif because you would
34:51
not believe how many awful managers i've
34:53
had and they might be a really nice
34:55
person or a brilliant engineer
34:58
but they're an awful manager and they're
35:02
certainly not a leader
35:04
yeah i mean it's a different set of
35:06
skills like
35:08
so i think a lot of people you know they
35:10
reach a certain level of engineering
35:12
and they get pushed into this new role
35:14
or they see it as like
35:16
this is the next thing that i need to do
35:17
in my career and so i think that it's
35:19
important for organizations to really
35:21
show engineers like hey you don't have
35:23
to be a manager like you could be
35:25
a staff engineer or principal engineer
35:26
an architect or you know
35:28
whatever is about that like they're you
35:30
need to create a path for people
35:32
to excel at what they're good at and not
35:35
everybody is going to be good at being a
35:36
manager like being a manager
35:39
yes yes they're not some people aren't
35:41
very good at and some people are awesome
35:43
at it but they don't like it
35:46
i'm actually um i downloaded like this
35:48
parenting app so i am a step mama
35:51
and i was like i like to be the best at
35:54
everything so i'm like i'm gonna learn
35:56
everything about parenting
35:58
i'm that person so i'm like i'm gonna
36:00
read 100 books
36:02
um well it's an important thing to be
36:04
prepared for like you're shaping
36:05
somebody's life in a pretty significant
36:07
way so
36:08
exactly and you want to be like the most
36:10
positive you can be and not only just be
36:13
like a disney mama
36:14
where like everything's perfect like
36:16
sometimes they cry and you have to like
36:18
comfort them and so
36:19
i was like doing a little lesson on this
36:21
app and it was explaining like
36:23
when they cry how to comfort them in a
36:25
way so that like they feel safe and
36:27
because like i was like i just kind of
36:28
hug them i'm like do you want to hug and
36:30
i like kind of listen but there's like a
36:31
whole bunch of things you can do
36:33
so they feel even more safe and i'm like
36:35
why no one tell me this before
36:37
this is just stuff like you can learn in
36:39
a book like this is amazing
36:41
until like the idea of a marketing or
36:44
sorry a management course that like
36:45
tells you how to be reflective and tells
36:47
you how to
36:48
kind of like hear your employees
36:51
actually hear what they're saying
36:53
actually respond in a way so that they
36:55
get what they want and you get what they
36:57
want persuasion
36:59
i think that persuasion is probably the
37:02
number one skill that security people
37:04
need if they want to get their jobs done
37:06
yeah you got to convince other people to
37:08
help you like security is really a
37:09
cross-cutting discipline
37:11
it's not something that the security
37:13
team can just keep
37:14
the company safe uh it's something where
37:17
you need everybody
37:18
to help keep the company safe and it's
37:20
really something where it's like it's
37:22
kind of a failed model if the security
37:24
team has to do all the work because
37:26
they're never going to be as familiar
37:27
with all these different technologies
37:29
and frameworks and
37:31
processes like you have a whole company
37:34
of
37:34
engineers and other people working on
37:36
important stuff is like
37:37
the security team can't understand all
37:39
these things like there's just not
37:41
enough
37:41
room in the human brain for them to be
37:43
an expert on all of the different
37:45
things and so that's why our appsec team
37:49
at segment has
37:50
it really security as a whole but like
37:52
uh kind of
37:54
the main charter of appsec is to really
37:55
like empower engineers to make
37:57
good security decisions on their own and
38:00
we're obviously here if they want to
38:01
talk about stuff and like work through
38:03
things
38:04
but really it's like okay you need to
38:06
figure out
38:07
when it's safe to patch this system you
38:10
need to be the one who's identifying
38:11
threats
38:12
as part of your design and like sure if
38:14
it's like a bigger project like
38:15
we'll collab on like whatever that
38:18
process is
38:19
but for the day-to-day stuff it's like
38:21
you need to be able to make a good
38:22
decision on your own because there's way
38:24
more of you than there are of us
38:25
and it's also just it's not really our
38:28
responsibility it's like you wrote this
38:29
code you
38:30
you maintain the service security is
38:32
just a part of
38:33
good software it's not something where
38:36
the security team can swoop in and like
38:37
fix all this stuff for you it's like you
38:39
need to be
38:41
keeping this thing in a secure state the
38:43
way that you keep it in a reliable state
38:46
we have a comment in the chat that i
38:48
feel totally applies to security so
38:50
kellen's saying
38:51
the thing about parenting is there's
38:53
always more to do and more to improve
38:56
so so true with security yeah being a
38:59
good
39:00
security professional seems like a
39:02
direction that we go in rather than
39:04
something we just achieved
39:05
we don't just achieve security in like
39:08
one step it's a thing
39:09
like it's a practice like you know how
39:10
you don't do yoga one time
39:12
you have to keep doing yoga and that's
39:14
why they call it a practice
39:16
i feel like what you're saying like so
39:19
you support
39:20
everyone through the thing but they're
39:22
the ones that
39:23
have to do a lot of the work and
39:27
i like it when my guests agree with my
39:29
philosophies on security and
39:31
it happens rather often i have to say
39:33
because i get to select my guests
39:35
and so that's awesome i get to research
39:39
them but
39:39
it's good when you say things that i say
39:41
a lot so then i can
39:43
point to clients and be like listen to
39:44
leif listen to
39:46
me yeah i think it's it's really just
39:49
the way that like
39:50
modern security orgs are running it's
39:53
like
39:54
i think people have figured out that
39:56
just like telling people no
39:58
and like telling people that stuff's
40:00
broken and like not helping them fix it
40:02
and not giving them tools to like fix
40:05
things easily
40:06
i think we've kind of just seen that
40:08
that model didn't really work like a
40:10
perfect example of segments like
40:12
hey you need to patch your docker
40:14
containers we will provide you with a
40:16
set of images that get updated regularly
40:18
and as long as when you restart your
40:20
builds it'll pull in the new stuff for
40:22
you automatically you just need to go
40:24
in and like restart things and like not
40:25
to trivialize the effort of like hey
40:27
well what happens if you restart
40:29
something and it breaks or whatever but
40:30
like
40:31
you can't just tell all these different
40:33
engineering teams like
40:34
hey go figure out patching independently
40:37
and like we're just going to scan it and
40:38
tell you that it's bad
40:40
like you need to give them some sort of
40:42
uh you know paved path
40:44
as netflix says to like do the right
40:46
thing and like make the right thing
40:47
easy and if people want to go off the
40:50
paved path into the jungle it's like
40:52
okay maybe they need to
40:54
figure out how to do patching but if
40:55
you're following the normal ways that
40:57
your company builds software
40:59
the security team should be either doing
41:02
this on their own or partnering with
41:03
other teams to help
41:04
build something to like make the right
41:07
thing
41:08
easy we have another comment in the chat
41:12
it's encouraging to see so many of your
41:14
guests have a good mindset
41:16
i don't know so many security-minded and
41:18
empathetic focused people
41:20
or i didn't know that so many
41:22
security-minded and
41:23
empathy-focused people existed in this
41:25
profession
41:28
yeah very nice compliment i think that
41:31
a lot of those people probably know each
41:33
other
41:34
and so if they're on tonya's podcast
41:37
then
41:38
uh that might be nice i think it's a
41:40
little bit of like a bias towards the
41:42
people that
41:42
that she knows but like i think that it
41:45
is like a wave that is like coming
41:47
across the industry like it's not like it's
41:49
just me like there's plenty of people
41:52
at working at companies that like feel
41:55
similarly to this and
41:57
are are successful because of it
42:00
my second last dev job i remember i used
42:03
to call
42:04
the lead of the security team dr no
42:06
because he would just come to meetings
42:07
and say no
42:08
all he would do is say no his name was
42:10
bruce and he would just say no all the
42:11
time and he would never say no
42:14
but you can do this it's just no you
42:16
can't do that what can we do you're a dev
42:18
you should know and it was like a lot of
42:19
blaming a lot of finger pointing
42:22
and so one day i i just told his manager
42:25
i'm like i just can't
42:27
like i have a job to get done and like
42:29
it's just a wall of no with him
42:32
if you want to tell me you can't do
42:33
something you have to give me a solution
42:35
of what i can do
42:36
all i hear is no and how much my team
42:39
sucks
42:40
and my team literally wants to go around
42:42
him and we're software developers we can
42:44
go to prod whenever we damn well want
42:46
we're following the processes out of
42:47
respect for you and so
42:49
we need to work here and so i remember
42:51
we he came to a meeting like a month or
42:53
two later
42:54
and he's like yeah so i have to say yes
42:57
in this meeting
42:58
and we have to compromise so
43:01
let's do this and then it was so much
43:03
better
43:04
like yeah i mean at first it was a bit
43:06
not awesome
43:08
but he would be like no and he's like
43:10
but
43:12
we can find a way to you for you to
43:14
accomplish your business
43:16
goal and i'm like great and then we
43:19
started like
43:20
coming up with things so if if we have
43:22
to do a big search and they're like okay
43:24
you can't use inline sql
43:26
like great but i have like a 50
43:28
different search
43:29
thing that i have to create so i need
43:31
some help because
43:33
my junior dev made an inline sql
43:35
statement
43:36
we can't have that we have to use a
43:38
parameterized query or something safer
43:40
can we brainstorm this together instead
43:42
of you just telling me i suck
43:44
and to go back to my desk with my head
43:46
down right like there's got to be a
43:48
conversation
43:49
i think it's because a lot of security
43:51
people just don't know enough
43:52
about the stuff that they're trying to
43:54
defend and if you don't know
43:56
how to make a workable solution you're
43:59
just going to be like no
44:00
because you don't know what to suggest
44:02
and so i think that that's another
44:04
attribute of like
44:05
a lot of modern security engineers is
44:08
they actually do know the systems they
44:10
actually you know they know aws they
44:12
know how to write code
44:13
and not to say that like everybody in
44:15
the security industry like needs to be a
44:17
software developer
44:18
but if you're working on a security
44:19
engineering team as an individual
44:21
contributor
44:22
it's going to be a lot easier to get
44:24
stuff done
44:25
in a way that works for your company if
44:28
you understand how stuff gets built
44:30
and can build things yourself um like
44:33
when our cloudsec team goes to a team
44:35
they're like
44:36
hey we need you to do this like they
44:38
know enough about what that team does
44:41
to give them something that's practical
44:43
and teams are way more down to do your
44:45
security asks when it's clear that
44:47
you've put thought into
44:49
what you've asked them to do and you
44:50
have tried to make it as easy as
44:52
possible and you're just coming to them
44:53
with like
44:54
you know the final 15 or 20 of
44:57
the work rather than like hey you need
44:59
to do all this and we don't know
45:01
how to do it so you need to also figure
45:03
it out
45:04
like that's not
45:07
good luck losers bye
45:12
okay so before um ben in the chat
45:16
asks i'm going to ask the cheese
45:19
question so
45:20
this do you already know what the cheese
45:22
question is
45:23
no no okay so in the first
45:26
episode i i wanted to ask so does your
45:30
position pay well
45:31
so not like exactly how much money you
45:33
make but is this a good
45:34
paying position versus because some of
45:36
the jobs we have been quite surprised to
45:38
find out they really don't pay very well
45:40
so for instance
45:41
startup founder does not pay well for
45:44
the first year or two
45:46
i know but i can't afford paneer now so
45:49
life is going
45:50
really good at we hack purple but that
45:52
said
45:54
um so it turned into the cheese question
45:56
because i realized one day as
45:59
when i was a software developer like i
46:00
went to the grocery store i was looking
46:02
at two different types of cheese trying
46:03
to decide which one i could get because
46:05
previously i could only afford to get
46:07
one type of cheese per week
46:09
and i really like cheese as pre so i
46:11
discussed cheese i'm talking a lot like
46:14
way more than i
46:15
should um but so then i realized i could
46:18
afford both and i'm like i've
46:19
made it i'm a software developer now
46:22
like i have
46:23
full-time work and like i can just buy
46:26
both cheap i can buy cheese and
46:28
yeah right and it was like really
46:30
exciting i realized i didn't have to
46:31
count every penny at the grocery store
46:33
and i could just kind of buy the things
46:34
i wanted and it was all gonna be okay
46:36
and so i think a lot of people don't
46:38
understand how much
46:40
each different job actually does so does
46:43
being
46:44
like like a manager of a security
46:48
product team pay well
46:49
is it like a good paying job for how
46:51
hard you work and
46:52
how much you need to know yeah i think
46:55
so i mean a lot of it is dependent on
46:57
the stock price of twilio which is our
46:59
parent company because there is a you
47:01
know decent amount like equity-based
47:02
compensation but yeah
47:04
i think that the the pay is pretty good
47:06
and i think that
47:07
engineering manager jobs at successful
47:10
software companies
47:11
generally paid pretty well like
47:15
like having successful engineers in a
47:18
company that that build
47:19
software like you need to pay
47:21
competitively and because
47:22
you know there's google and netflix and
47:25
amazon and
47:25
you know plenty of other bigger
47:27
companies than you that are going to pay
47:29
more and so yeah i think you need to pay
47:32
competitive at like most
47:33
uh successful software companies if you
47:36
want engineering managers that
47:38
are decent or better are you saying that
47:41
if you wanted to you could eat paneer
47:43
once
47:44
every week definitely yeah so definitely
47:48
one or more times a week have you all
47:50
the cheese humboldt
47:52
fog that's one of my favorite cheeses
47:55
what i need to link to this after just
47:57
yeah
47:58
it's humboldt like humboldt california and
48:01
then fog
48:03
it's a good one i'm on it i'm on it i
48:06
really like buffalo mozzarella
48:08
because i'm growing tomatoes and i grow
48:10
a basil as well
48:11
and you put but it's just like oh my
48:13
gosh
48:14
um good combo cheese is so good
48:18
okay so i have a really tough question
48:21
for you now that is a two-parter so it's
48:23
very difficult leif
48:24
yeah what is your favorite part
48:28
of your job and what is the least
48:31
favorite part of your job or the part
48:33
you like the best and the part you like
48:35
the least
48:36
it's hard yeah so the the part that i
48:38
like the best about my job is
48:40
i like that it really is a blend of
48:44
security work and things that are
48:45
customer facing
48:47
and that really combines like aspects of
48:49
my two previous jobs
48:50
obviously this is like a little bit
48:52
different than both of them but um
48:54
our team really has the opportunity to
48:56
shape how customers think about our
48:57
security program
48:59
um and what i mean by that is
49:00
unfortunately most users of the segment
49:03
application
49:03
have no idea how much work goes into
49:05
corporate security
49:06
incident response uh governance risk and
49:09
compliance
49:10
you know maybe like a couple people at
49:12
the company will look at the soc 2
49:14
report but
49:14
generally like most of the people
49:16
logging into the app won't see it
49:18
but they do get exposed to the security
49:20
features of our product
49:22
which is how we show them that we're
49:24
investing in security and this is
49:25
something that we care enough about
49:27
to have people build features that like
49:29
relate to this part of our business into
49:31
our
49:31
uh like what we bring to customers
49:34
very cool and then yeah for the least
49:38
favorite
49:39
i think this one's pretty tough because
49:41
generally i really like my job
49:43
i would say it's mostly there's like
49:44
specific parts
49:47
that i don't like of work that i do like
49:50
so i really like interviewing and
49:52
recruiting people but i don't really
49:54
like sourcing candidates
49:56
uh like there's aspects of like our
49:58
quarterly planning and tracking that i
50:00
don't really like
50:00
but when it gets down to like actually
50:02
working with people to plan an
50:04
individual project or multiple projects
50:07
uh i really like helping people come up
50:10
with a successful design
50:12
you know circulate it incorporate
50:13
feedback and then actually deliver on
50:15
like whatever they're doing so i'd say
50:17
you know there's usually like some
50:19
aspects of something that i generally
50:20
like
50:21
another example like outside of work is
50:23
i love connecting great speakers to
50:25
conferences and meetups
50:27
but i don't like having to follow up to
50:28
confirm their details making sure that
50:30
they can still present
50:31
like you know reviewing stuff like i'm
50:34
sure you
50:35
know what that's like as somebody that's
50:37
helped organize a lot of stuff and
50:38
running your own podcast like the whole
50:40
speaker concierge thing
50:42
is actually kind of a nightmare yeah
50:45
it really is it really is um twice this
50:49
year
50:50
uh we had our guest just not show up and
50:52
i got five minutes notice
50:55
and so that was stressful
50:58
and it's not like it happened it's like
51:00
at a conference this is you know if
51:01
you've never organized a conference
51:03
that's great uh here's a conference
51:06
organizer secret there's always at least
51:07
one organizer that has a talk ready to
51:09
go
51:10
and it's not something that it's like
51:12
maybe something they gave somewhere a
51:13
year ago and it's gonna be a little bit
51:14
rusty but if there's somebody who
51:16
literally just like
51:17
doesn't show up to their segment like
51:19
you're just gonna get an organizer
51:21
who's just gonna go up there and just do
51:23
whatever for
51:24
40 minutes or whatever so yeah if you
51:26
are somebody who speaks it stuff like
51:28
please please please tell people that
51:30
you can't make it or whatever
51:32
like i know that that can be an awkward
51:34
conversation
51:35
and you might want to avoid it but there
51:38
are a lot of people that are depending
51:39
on you showing up
51:40
and so please tell us we won't be that
51:44
mad
51:44
as long as you tell us early but if you
51:46
just straight up
51:47
ghost like we're not going to invite you
51:50
to stuff again like if somebody goes to
51:52
me for a conference like i just wouldn't
51:54
invite them or like
51:55
and i would have reservations about
51:56
accepting another talk from them and
51:58
it's like
51:58
maybe that isn't fair but it's like i
52:00
don't want to get burnt twice by the
52:02
same person it's like if you tell me a
52:03
week in advance
52:04
hey this thing happened or if you tell
52:06
me afterwards like
52:08
oh like this thing came up like my my
52:10
kid got sick or whatever it's like okay
52:12
cool like that's
52:13
totally understandable like life happens
52:14
but if you just don't show up and you
52:16
just act like you never got invited
52:18
and never confirmed i'm gonna be upset
52:21
not acceptable at all yeah
52:24
i've been the backup speaker a lot of
52:27
times
52:28
like i'm like i got my laptop i got like
52:30
five top i actually went to see a
52:32
a conference like a little ottawa
52:34
conference and they only had six
52:35
speakers the whole day
52:37
and they got up and they're like yeah so
52:40
the guy after this guy like just didn't
52:42
show so i guess and it turned out like
52:44
he broke in his arm he'd been in a
52:46
fender bender and broken his arm and
52:47
they're like he just texted him totally
52:49
understandable
52:50
yeah so i just went up and i was like hi
52:53
i can speak and they're like oh my gosh
52:55
seriously i'm like yeah i have a talk
52:57
ready and i have my thing and they're
52:58
like we know you get up there and so i
53:00
was like hi everyone everyone's like oh
53:03
and i was just like i yeah there's one
53:05
of my like maybe like
53:07
for like fifth talk or third talk ever
53:10
and i was just like i am so scared
53:12
shitless i am
53:13
so scared and i was like what if they
53:16
say like
53:16
no and they're like you suck go away no
53:18
one want and they're just like oh this
53:20
is so great like now because they're
53:22
really worried people would like
53:23
go off and it's like summer and it's
53:24
like beautiful out and they're like oh
53:26
we're worried everyone's going to go out
53:27
on an hour break and just never come
53:29
back
53:30
and so they're like yes that's the fear
53:32
of appsec california and locomocosec
53:34
it's like
53:35
the venue is almost nice
53:39
yeah i do i really love those two events
53:42
i really do
53:44
okay so we have six minutes left and so
53:46
i'm theoretically not supposed to just
53:48
talk to you all night this is the hard
53:49
part where i
53:50
attempt to wrap up so i want to ask you
53:54
two more questions and so one of them so
53:57
i'm going to tell you both of them so
53:58
that you can like segue from one to the
54:00
other so the first one is
54:02
what is actionable advice that you would
54:05
or like any advice that you would give
54:06
to someone that wants to get
54:08
into a job like yours and then if
54:11
someone wants to know more
54:13
about leif dreisler where can they find
54:15
out more
54:17
yeah sure you can cover those so
54:20
i think that uh one thing that's really
54:24
helpful is just like
54:25
if you want to get into product security
54:27
and you want to be building security
54:28
features
54:29
every time you log into an app check out
54:32
its security features
54:33
are they well implemented what do they
54:35
offer were they easy to find
54:37
were they easy to turn on um having a
54:40
list of examples
54:41
is gonna make it a lot easier when you
54:42
need to go to your design team and your
54:44
product team and be like
54:45
hey we need to build this um a perfect
54:48
example is single sign-on it's like you
54:50
might just think okay hey we just offer
54:52
single sign-on and
54:53
people use it and they're good to go um
54:56
but there's actually a lot of nuances
54:58
one of them is like
54:59
does the app allow you to force single
55:02
sign-on so like everyone in the
55:03
organization has to do it
55:05
does it allow for exemptions maybe
55:07
somebody hired a contractor and they
55:08
don't have an account with okta
55:10
onelogin or azure uh how do you get
55:13
those people into the app
55:14
does the app have a tile that's
55:17
pre-built
55:17
in all these different identity
55:19
providers those aren't things that you
55:21
would necessarily like know
55:22
to to build or to think about unless you
55:24
just looked at this in a decent number
55:26
of apps and like
55:27
actually turned on this feature and so i
55:30
think that that is a pretty actionable
55:31
step
55:32
that you know people can can take is
55:35
like you know
55:36
everyone uses pieces of software like
55:38
how well
55:39
implemented are these features and then
55:42
if people want to know more about me uh
55:45
i have a website it is leif.pizza
55:49
um it's really just a collection of
55:52
all the like blogs and conferences like
55:54
i i don't blog
55:56
or present anything on the site directly
55:58
it's just like links to everything
56:00
but if you want to like read stuff that
56:02
i've written or
56:03
check out podcasts or whatever uh it's
56:05
on there and then
56:06
as i mentioned like i am the only leif
56:08
dreisler
56:09
if you look me up on twitter and
56:11
linkedin you will find me
56:13
uh and that is really it
56:18
awesome i so it was funny because
56:21
a bunch of the team that we hacked
56:23
purple was like that
56:24
pizza and we thought
56:30
yeah there's a new tld coming out pizza
56:33
i was like i'm buying leif dot pizza and
56:35
so i just logged in in the first week
56:37
and
56:37
i guess no other leifs out there wanted
56:39
leif dot pizza and
56:41
it's pretty easy oh and so also someone
56:45
wants to have a shout out to your shirt
56:47
so when leif and i met was in hawaii and
56:49
of course he was wearing hawaiian shirt
56:51
and if you see his image
56:53
on twitter he's wearing this super
56:55
bright colored shirt so i wear a super
56:56
bright colored dress
56:58
in hopes that he would wear an awesome
56:59
shirt and he did
57:01
those are parrots yeah toucans
57:05
it's kind of become like a trademark of
57:07
mine i guess if
57:08
you can really call it that but um yeah
57:11
we
57:12
uh like i just always wear like fun
57:14
shirts
57:15
to to conferences and
57:18
it all started there was a shirt the
57:20
first conference i presented at it was a
57:22
lobster shirt it just had like lobsters
57:24
on it
57:25
and since then i've always made a point
57:26
to wear a hawaiian shirt for
57:29
um for the conference and so
57:33
yeah i guess the the final shout i'll
57:34
put is i have
57:36
two jobs uh a staff and a senior
57:40
that i'm hiring for the ones i linked
57:43
say
57:43
remote us it's also totally fine if you
57:47
live
57:47
in british columbia we have an office in
57:49
vancouver
57:50
you don't have to work out of it but uh
57:53
i don't
57:54
know that we can hire in the other
57:57
uh parts of canada but we can definitely
57:59
do bc and anywhere in the us
58:01
is good nice that is very close to where
58:05
i live i am on the little beautiful
58:07
island just off the coast i can like
58:09
wave to you
58:10
yeah well if you ever want to go grab
58:12
lunch with the uh
58:14
segment security team if you're in uh
58:17
vancouver just hit up Jeevan and there's
58:19
three of three of the security team is
58:21
is out of that office so
58:24
i usually hassle Jeevan if i go to
58:26
vancouver and far chad because the
58:28
lost people are my people yeah
58:30
they're our people
58:31
i should say so yeah they have been
58:34
wonderful to me on many many
58:36
occasions and the b-sides people in
58:38
vancouver also
58:39
a plus awesome sauce but
58:43
i'll just keep talking so thank you so
58:46
much for coming on the show this was
58:48
really great and thank you for all the
58:49
resources you shared i'm going to link
58:51
them all in the show notes so
58:52
if you are listening to this later go to
58:56
wehackpurple.com and then click on
58:57
podcasts and then go to
58:59
like previous podcasts and this is i
59:02
believe episode 43
59:04
and so just scroll on down to Leif you
59:06
should be near the top
59:08
and um and check out all the awesome
59:09
links he shared thank you so much again
59:12
for being on the show
59:13
yeah thanks so much for having me it's
59:14
great awesome
59:18
you were just listening or watching to
59:20
the we hack purple podcast where each
59:22
week we meet someone
59:24
awesome like Leif Dreisler who tells us
59:27
about how they got their awesome job
59:28
what their jobs like to do
59:30
if the job pays well if there's lots of
59:32
opportunity if this is something that
59:33
might be right
59:34
for you thank you so much for tuning in
59:37
thank you for listening
59:38
thank you to 10Security for sponsoring
59:40
us again
59:42
they also sponsored a whole handful
59:45
of diversity scholarships and i really
59:47
appreciate those guys
59:49
um thank you to Leif for being on that
59:51
was super great and all the resources he
59:54
shared were super awesome sauce
59:55
if you want to work with Leif you should
59:57
look up segment um so segment.com
1:00:00
and then go to their careers page
1:00:02
there's going to be probably jobs
1:00:04
going on there as like you could
1:00:06
probably keep checking
1:00:08
and with that i'm going to say goodbye
1:00:10
oh and i forgot to introduce myself i'm
1:00:12
Tanya Janca but hopefully you all know
1:00:13
that by now
1:00:14
have a great night