We Hack Purple Podcast Episode 43 with Leif Dreizler

Released Friday, 25th June 2021

Episode Transcript

0:08 [Music]

0:28 So

0:35 [Music]

0:58 Welcome to the We Hack Purple Podcast, where each week we meet with a different person from the information security industry to ask them all about their job, how they got that job, their career progression, and how you could potentially one day get a job just like theirs. And this week we are talking to Leif Dreizler, and he is going to tell us all about his awesome work at Segment. This week's podcast is sponsored by 10Security, the gentlemen who created DefectDojo. But without further ado, I know what everyone wants: let's meet Leif.

1:31 [Music]

1:32 Hi! Hey, thanks for having me on the podcast, I really appreciate it.

1:38 Thanks for being on the podcast. I've been excited to have you, especially after reading your blog for a little while.

1:43 Yeah, I love hearing that. I feel like you're kind of an infosec celebrity and somebody that I've watched a lot of talks and read blogs from, so it's amazing to hear that from somebody that's been inspiring to me throughout my career.

2:00 Oh, feeling the love on the We Hack Purple podcast. Can you tell our audience a little bit about, like, maybe the title of your job? And I think you're allowed to say where you work, since you share the blog, so it's like not very good opsec if you were to hide that, and I feel like it's probably okay.

2:20 Yeah, my opsec is inherently bad because I'm the only Leif Dreizler, and so it's very easy to find me, fortunately or unfortunately. But yeah, if you ever want to find me on Twitter, Leif Dreizler, only one; same thing on LinkedIn, very, very easy to find. But yeah, I work at Segment and I'm the engineering manager for the product security team. The product security team at Segment is a little bit different than a lot of other product security teams in the sense that we function more like an engineering team and actually partner with engineering teams to design and build security-related features that are customer facing. So Segment isn't a security company, but we do a lot of B2B business; like, we have a lot of business customers that care deeply about security, and so they care about things like single sign-on, 2FA, SCIM, and so we work with engineering teams to design and implement these types of features. And I know ProdSec is a little bit of an overloaded term and many orgs use it synonymously with application security. We actually have a separate application security team that's focused on tooling, training, internal consulting to help our engineers write secure code on their own, and this includes things like bug bounty programs, managing tooling like Snyk, teaching other engineers to do their own threat modeling. And that's actually something that was recently blogged about by my coworker Chief, and I just dropped a link to that in the chat if people want to check that out on their own time. It's a really good blog.

4:01 Cool.

4:04 Yes, oh, and let's copy it to the chat too. So, yeah, we actually just realized that we both know Jeevan and that he's totally awesome, and he is one of the leaders of the OWASP Vancouver chapter with Farshad.

4:19 Yeah, Jeevan's awesome. I referred Jeevan and then I got two hockey assists because he referred two people, and so it's like a nice little tree of referrals, and he's responsible for all of our Vancouver hires in security, which is great.

4:38 Oh, that's amazing. That's awesome. We're all friends; a lot of good people know a lot of other good people, that's a thing I've seen. Cool.

4:48 Okay, so we shared your blog post, or we shared a link to one of your blog posts in there, which everyone obviously is going to read as soon as this episode's over, so open it so you have the link, but then stay with us. So first of all, I have to of course ask questions about product security, so stuff like multi-factor authentication, etc. So I logged into one of my banks today and they asked for my password and then they asked for a security question, and they're like, it's a two-step verification, and I was like, don't you dare call that... don't you dare!

5:28 I wouldn't say there are two factors, but there are two steps, I guess.

5:32 I feel like it's dirty, yeah, because the average person's like, oh yeah, I do two-factor. Then I'm like, no you don't, your bank is tricking you with crappy security. It's two of the same factor.

5:44 Yeah, it's, you know, what high school did you go to, what was the mascot, or whatever. It's like, okay, that's pretty easy to find for many, many people. Luckily for those types of things, like if I do get asked, I always just save some random string of characters; like, it just becomes another password and I throw that into 1Password and, you know, don't really worry about it. But yeah, for the average person, they're definitely picking whatever their actual high school mascot was.

6:15 Since your company does B2B, I feel like if you're selling... so first of all, like, your team is making security features for businesses. They're not going to put up with that crap, right? If you're like, oh, we added security questions so now it's two-step verification, they'd be like, no, that's not MFA, go back to the drawing board. Do you think that business customers are potentially, like, a lot more savvy than the average consumer?

6:40 Definitely, and they also have the ability to lobby on their own behalf, because they're like, hey, we're giving you a lot of money and so we expect you to have SSO, or we expect you to have SCIM, and features like that. Like, you know, I would say businesses are generally okay with paying more for whatever that enterprise level of feature set is, whether it's security or not. But yeah, they definitely have demands across the business, and I think it's fine, because security is really just one part of our engineering organization, and they have demands across all sorts of engineering requests, and I think that it's totally fair that they would have some that are within the realm of security as well.

7:28 Would you say that... so, like, if you don't know the answer, it's okay, but would you say that they're motivated because they want to protect their own business, or they're motivated because they want to protect their customers, or they're motivated because they're like, if our product's more secure, that's a selling feature? Or is it like a whole mishmash?

7:43 I think it's all those, and it really just depends on the specific customer. Like, I would say that in many cases we are B-to-B-to-C, so something like Nike or Etsy, and so in that case, like, I'm sure they do care about their own employees' data that's within our systems, but I'd say they probably care more about their customers' data. But then, you know, it's probably the... I guess, yeah, if you're B-to-B-to-B then it's probably the same thing; like, you probably generally care more about your customers' data than your own employees' data. And so I think that it's probably a combination of all those things that you said, but yeah, I'd say the biggest motivation is probably making sure that their own customer data that's going through Segment is safe.

8:26 I was actually doing research last night for a pitch I had to do today, and apparently in 2020 almost one percent of the entire GDP of the entire world went to cybercrime.

8:40 Oh, so just like straight-up ransomware, or like...

8:43 I guess other things, like every single type of nefarious-related cyber... like, cybercrime, which is like absolutely mind-blowing.

8:53 So yeah, I've not heard that. That's pretty interesting, though. I guess they're probably all like Bitcoin theft that falls into that bucket, like ransomware. I'm not sure what else would fall into that offhand, but yeah, those two are probably pretty big.

9:09 Yeah, they are. Would you say, like, that business customers are becoming way more security savvy? I know these are off script, but I'm just like, superheroes!

9:19 Sounds cool. I think the, like, more you swim up the enterprise chain, like, it's very, very security-centric. Like, they'll send you whole questionnaires that I don't totally understand why they send so many questionnaires while also asking for compliance stuff, because I feel like if you say, like, hey, we have SOC 2, like, that shouldn't get you out of all the questions, but it should at least get you out of answering the questions that SOC 2 is meant to cover. Like, we will share our SOC 2 report with customers, and I feel like they should share the burden. And like, they're not incentivized at all, because they're just like, whatever, we're paying you money, like, fill out the spreadsheet that you already have the answers to in the SOC 2 report. But I do feel like they should, if they were being friendlier to the ecosystem, have an augmented questionnaire that's like, hey, we'll check out your SOC 2 report, we still have these other questions, you know, that aren't covered by SOC 2, to augment that. But yeah, customers really do dig into security pretty heavily, especially as you get to the larger customers.

10:29 Were you surprised by just how many checklists that you had to fill out as part of your job?

10:37 So luckily I don't have to fill out too many of those. We have an awesome governance, risk and compliance team that also serves as our defenses for sales enablement, and so they do like a first and second and maybe even a third pass to try to answer these questions before giving them to the rest of the security org. And then we've also invested in a tool called Loopio, which is actually a Canadian company, that helps automate the responses, and so it serves as like a library of answers, and then sales engineers can upload the spreadsheet and it'll go through the spreadsheet and find similar questions that you've answered before to be like, hey, maybe you want to use this answer that you've provided. And so the sales engineers do the first pass and then the GRC team does the second and third pass, and then if there's anything that's left over, that's like a new question, or a question that we answered but it was a long time ago, then we'll take a look at it. But yeah, we try not to have the engineering teams look at those too frequently.

11:48 Okay, so now I'm going to ask questions that are on script, just for a bit, and then I'll probably get interrupted with your... yeah. Can you describe your job, and maybe describe what a day is like in the life of... like, do you know what I mean? Like, yeah, sometimes people's jobs are just like all meetings, or sometimes it's like lots of spending time with... I don't know, I'll shut up now.

12:16 No, I get what you mean. So, as I mentioned, I'm the product security manager at Segment, and I manage a group of individual contributor software engineers, and so I do have a decent amount of meetings. I think that's pretty similar to a lot of other engineering managers. But I don't manage any other managers, and so a lot of what I spend my time doing is trying to help the individual contributors on my team with their work and be able to grow autonomously. And so we have a couple people that have joined in the last couple of weeks, we have an intern for the summer, and so I try to spend at least a little bit of each day helping one of those two people work on whatever they're working on. And sometimes it's writing up a guide in advance that has some intentionally missing pieces; it's like, hey, you know, check out this part of the codebase, try to trace what's happening, you know, back to this other service or something like that, and then, you know, generally here's what you're trying to accomplish. And so it's a combination of pointing them in the right direction, you know, putting some breadcrumbs along the way, but also making sure that they're doing a decent amount of research on their own. And so yeah, I would say it's a good mixture of things that are planning related, meeting with other teams, meeting with people on my own team, and just making sure that the teams that we interact with and the people on my team are successful. But we're also hiring more people, so we have a senior and a staff role open, and so if you're a software engineer that's interested in security features, we have a really modern tech stack, you'd mostly be working with TypeScript and React. I'd love to chat; you can just give me a DM on Twitter and LinkedIn.

14:12 Cool, good. We want people to have jobs, so this is awesome. And Leif's really nice and so is Jeevan, so you get to work with at least two awesome humans, so it's a good deal.

14:21 Jeevan is the manager on the AppSec side, so he's like one of the teams that we work with super closely, so he's also under the security engineering umbrella.

14:32 Nice. What types of... so, like, it takes a certain type of person that can do this job, right? What types of personality traits, or maybe, I don't know, sometimes people might say, like, aptitudes, would you say that someone needs so that they could be good at this job?

14:53 Yeah, so I don't think that there's like a specific pattern or set of buckets that somebody needs to fall into to be successful at my job. Like, I think that there's a lot of different personality types or traits that somebody could possess and be successful. I do think that all managers need to be empathetic, regardless of whether it's like an engineering manager or just, I don't know, somebody who's managing something else. But your team is always going to be composed of different people that think about and react to things differently, and same thing with other teams: like, other teams are gonna have different priorities, they may be understaffed, they may not have a focused mission, and you need to try to be understanding of what the people and teams you work with are going through, even if it's something that you don't fully understand or, like, you know, maybe it's something that you've never done. But on top of that, I would say you need to be good at prioritization. I think this applies to most leadership roles; like, there's really no shortage of good ideas at Segment, but you have to focus on a couple of things to make sure that what you're building is high quality. And kind of in that same vein, having a good system to keep track of all the things that you need to do is important. I think that once you've been at a company for a while, you're probably gonna get tagged into docs all the time, have people messaging you on Slack; like, once you know things, people need things from you, and it's easy to get distracted and forget to reply to somebody's question or whatever, and so you need to have a good system in place to make sure that you're staying on top of everything.

16:37 How do you choose, like, for prioritizing? I teach this course for We Hack Purple and I go in and, like, we build an AppSec program together, and the toughest part of the course is the team will come up with, like, well, we have 20 AppSec goals, and I'm like, you get three to five. And then, you know, "we need at least 10", and I'm like, if you have 10 things, you're never going to finish any of them. And so three to five, guys. And it's like a constant battle, or you've got to be really good at convincing managers, people above you, that you need more people.

17:15 That will increase what you can work on, but yeah, I think luckily one thing that is nice about the way that our team's set up is we are similar to a product engineering team, and so you can fall back on some of the things that other product-facing teams use as part of their prioritization, is like: is this something that customers are asking for? Is this something that we've already built that's broken that customers have told us about? Is this something that, you know, we've started to see show up in security questionnaires, even if it isn't something that's really getting in the way of deals? Like, you can kind of get a sense from reading those here and there that, like, maybe there's this new thing that customers are going to be expecting over the next six to 12 months. And so I think that it's a little bit easier than, you know, maybe an AppSec team that isn't tied so closely to the goals of the business. But I think what we do across security engineering, regardless of if it's my team or one of our partner teams, is we try to rate things on a combination of business slash security value and then effort, and we try to pick things that have a good ratio. And sometimes it's like, this is actually a ton of work but the value is going to be really high, and so it's worth it. And, you know, I think using something like that, it's easy to just pick off a bunch of stuff that it's like, okay, this is easy and it's going to have a big difference. Eventually, if you're doing a good job, I think you'll probably run out of those at some point; like, your org will have just done enough of those easy ones with big impact, but you should always keep an eye out for something like that. And then from there, yeah, you just got to figure out what's going to be a good ratio of effort to security and/or business value. And I think that's easier at a B2B company, because your customers inherently care way more. Consumers on average, I would say, don't really care about security. Maybe there's a couple of things that they use, like if it's medical related or financial related, but there's a lot of the apps that I use, it's like, if they got hacked, I would be kind of upset, but I'd probably still keep using them. And then it's like, at the end of the day, if your customers aren't gonna leave, why should your business really care about security? And like, obviously it's the right thing to do and there's regulations that you can run afoul of if you just don't care at all, but it's very different in the B2B space, where your customers will just straight-up cancel contracts that might be worth, you know, hundreds of thousands or millions of dollars. Whereas at the individual consumer level it's like, if that athletic brand that I buy clothes from gets hacked, it's like, well, I'm probably still gonna buy shorts from you, so it's okay.

20:01 [Laughter]

20:03 It's like, I still like those shorts, yeah.

20:05 It's like, I still want the shorts. It's like, you already lost my info, you can't really lose it again, and it's probably already out there anyway. And so it's just not the same as when you're selling to another business that cares and has a lot more weight that they can throw behind an event like that.

20:19 Would you say too that business customers are more likely to give you direct actionable feedback than the average consumer?

20:30 I would say most, I assume most consumers give no feedback to any of the brands that they interact with. It's like, maybe there's a small percentage of people that will write a review or send in a complaint or say, like, oh, I really like this thing, but I'd say, you know, that's probably in the very, very small minority. Whereas businesses, they'll just be like, hey, like, you don't have a way to force everyone in our workspace to use SSO. It's like, all right, that's a great idea, let's build that. I think the businesses are definitely more vocal, and I think it's because they know they can be. Like, if one customer is like, I wish the pocket on this pant was a little bit bigger, you'd be like, all right, well, we're not doing that. But if a business customer is like, hey, we've spent two mil a year with you, we'd really like this thing, it's like, well, we should take a look at that and see if we want to build that.

21:21 I wonder if too, like, if an individual... so, for instance, like, I ordered some food from a restaurant. I ordered a vegetarian meal, and I eat meat, but I go vegetarian some days, for the environment, blah blah. And then I got it and there was shrimp in it, and I was like, oh, what? And I was like, oh, maybe I should call and tell them, and I'm like, I don't really care, though, like, I eat shrimp, it's fine. Like, I was trying to be vegetarian today, but like, I also don't care. And but then I thought about, well, I used to be a vegetarian and I would be furious, yeah, if they had put meat in my meal. I'm excited, maybe I should tell them. And then guess what I did? I did nothing, and so they got no feedback.

22:04 Like, if you're flexible, it's almost worse not to eat the shrimp, because otherwise you're just gonna toss it.

22:09 Of course I'm gonna eat the shrimp, yeah, right.

22:11 Did I get less cheese? That's the real question, because that's what you should call about, is you need to figure out, in lieu of this shrimp, would I have gotten more cheese? Paneer is like one of my favorites, anyway.

22:22 Yes, it's so good.

22:26 Yeah, it's like that. I feel like if I were to go vegetarian I would eat Indian food even more than I do now, because there's so many... same thing with a lot of stuff like Asian dishes in general, like there's so many good meals that are like, oh, this is not just something where we took the meat out and put in a lame replacement, it was like, oh, this meal was just good without meat.

22:48 Yeah, it's just awesome. Yeah, oh my gosh, I love Indian food. Anyway, okay, so I'm glad we agree, Asian food's the best. So someone in that comment is like, "very true, 100".

23:03 So, like, your job, I feel like there's some skills that a person's gonna need to do that type of work. So what types of technical skills, or maybe, like, technical experiences, would they need to be able to one day do a job like yours? Because you can't just, like, walk out of college and do your job, probably. There's probably nothing that they need...

23:28 Woefully unqualified to do my current job as my first job out of college. Yeah, I think, you know, similar to the traits and aptitudes, I don't think that there's, you know, a firm set of requirements. Like, I think that you could probably come from a variety of different backgrounds and be successful if it's something that you were really focused and motivated to be successful in. But at least for me, I have been served incredibly well by having a background and experience writing software, especially security features. I think for me, as somebody who manages individual contributors, it's really important that I can be there to help give feedback for the types of things that they're working on. I'm familiar with the codebase that they're working in, and that, you know, I can frequently point them in the right direction if they're stuck on something; like, I can help them debug whatever they're working on. And that's just some of the things that's made me successful, but I really think that provides a lot of value for the team, especially because as of a month ago there were just two of us, and so I spent a decent amount of my time working on individual contributor type engineering tasks. I also think that having some sort of product sense is pretty important. I've never been a product manager or anything like that, but even though we're building security features, usability is incredibly important. If your SSO process is annoying, people are just not going to use it, which means they're probably just going to use the username and password and, like, maybe turn on MFA. I'm far from a product expert; like, I'm really lucky to work with our enterprise software engineering team with an amazing product manager, Rachel. But I think that having at least some of that sense to be like, hey, this flow is just not very good, or like, what can we do to make this easier for people? Like, you really want to make security stuff easy, because generally it's something that is making somebody's life more annoying, and you want to make it as easy as possible. And like, the golden goal is just: is it easy and secure? And that's why I feel like SSO is a good example of this, is once you get it set up, like, you just click Okta and you click one button and you're logged into Segment. It's easier than entering in a username, a password, a 2FA code, and it's preferred from, like, a security and IT side. And so I think that designing things to be like that is really important, but it's something where you're going to need good designers, you're going to need good product people, and like, I don't think you need to be all of those, but at least being able to work with those other groups to come up with something, and kind of show them, like, hey, here are a couple other apps that do this really well or really poorly. I think having a list in your mind of apps that you've used that do this at varying degrees of good or bad is really helpful.

26:31 I have almost never got to have a manager where they could actually help me with my technical stuff. That is awesome. Like, at Microsoft, I had three different managers, and there was one where I remember he got into the code with me and I was like, this is amazing. Yeah, but the other two had never coded, as far as I know.

26:52 And so it's helpful. I think it can be augmented by, like, if you have more senior people on the team that can kind of serve as that technical leadership, it probably reduces the importance of having a manager that can do those things. But our team's pretty small, and I think that it still serves you pretty well, even as the team grows, just to have built some amount of production-quality software. Like, when you're reviewing your team's design docs and things like that, you're just gonna kind of have a sense for, like, I've kind of seen something like this either work well or not work so well before. And I think just having a manager that can provide input into those decisions and help their team avoid mistakes or do things more efficiently is pretty helpful.

27:40 Yeah, it's fantastic.

27:44

okay i want to take a brief second to

27:46

thank our sponsor 10

27:48

security do you want help with defect

27:51

dojo well why not hire the guys that

27:53

built it that's 10 security

27:55

greg and matt for the win two thumbs up

27:58

i also want to mention that we are still

28:01

doing book streams once a month for

28:03

all of 2021 for alice and bob learn

28:06

application security and if you want an

28:09

invite go to aliceandboblearn.com

28:13

and you can get automatic calendar

28:14

invites and all that fancy jazz to your

28:17

inbox

28:18

and lastly but most excitedly the secure

28:21

coding course from we hack purple is

28:23

actually a thing

28:25

so if you are on the advanced list which

28:28

you can get at

28:32

wehackpurple.orgnewsletter.wehacpurple.com

28:35

secure dash coding dash course

28:38

uh you can get 20 off and you get

28:40

invited friday instead of

28:42

everyone else who has to wait until june

28:43

30th so

28:45

saving 50 bucks is pretty sweet and

28:47

getting a week early access is also

28:49

even sweeter but no matter what please

28:52

go check out the course

28:53

and i feel that that is enough marketing

28:55

for now

28:57

let's go back to leif so

29:01

you might have imagined i have more

29:02

questions for you

29:05

so i get that you don't have to have

29:08

lots of programming experience in order

29:11

to do this job but it's like a really

29:13

nice bonus

29:14

if you've had that experience but

29:17

imagine you could design like the best

29:19

background ever or things that you could

29:21

learn

29:23

to try to work towards having a job like

29:25

yours someday

29:26

so uh we had someone on the show mary

29:29

galloway

29:29

she's awesome and she's a security

29:31

architect and she said yeah i just like

29:33

looked at jobs i wanted and all the

29:36

experience they said and i went

29:37

and i made a checklist and did it like

29:39

you're awesome

29:43

right she is badass um she's episode

29:46

three you should totally check it out

29:47

but anyway

29:48

imagine you could like

29:51

make a a list of work experience that

29:53

would make like that would have helped

29:55

you become

29:56

the person you are today like what types

29:57

of things would be on it if someone

29:59

wants to try to like kind of steer over

30:01

there

30:02

yeah so as you mentioned like

30:05

coding is pretty important um i studied

30:09

computer science in college

30:10

uh i don't think that that's a

30:12

requirement like whatever path you you

30:15

take to learn how to code is great like

30:17

if you're self-taught if you go to a

30:18

boot camp if you do a computer science

30:20

degree like whatever

30:22

works works uh i know that i definitely

30:24

would not have been able to like

30:26

have the self-discipline to like teach

30:28

myself how to program at 18 years old

30:30

and so going to college and having

30:32

somebody like give me assignments and

30:34

stuff like that was definitely

30:36

the way to go for me but uh you know not

30:39

for everybody and

30:40

um i think there's there are a lot of

30:42

like great trainings out there

30:44

i don't really have too many to

30:45

recommend for

30:47

like intro to software development but

30:50

there was a training that we brought in

30:54

uh about a year and a half ago uh

30:57

reacttraining.com

30:58

um that was specifically like a two-day

31:01

react

31:02

course that i took as well as a bunch of

31:04

other people at segment and we found it

31:06

to be

31:06

pretty useful um that was like a private

31:10

training just for segment but they also

31:11

do paid workshops so if react is

31:13

something that your org uses or like

31:15

that you're interested in learning more

31:17

about i would i would definitely

31:18

recommend them

31:19

um and then cover security too

31:22

or was it more just how to be awesome at

31:24

react it was just react stuff

31:26

so it was really just like hey you know

31:29

we're expecting that coming into this

31:31

you know javascript

31:32

you know how to write code you just

31:33

don't know how to use react

31:35

and uh so it was all it was all focused

31:37

on like using react hooks and

31:40

um like all the latest best practices

31:41

and things like that so

31:43

yeah it was really helpful from like a

31:45

react specific standpoint

31:47

um but i mean my background like

31:51

my path is definitely not the path you

31:53

need to take like i started

31:54

out as a computer science major uh while

31:57

i was still in school i started working

31:59

as a security consultant so i did a

32:01

couple years of pen testing

32:03

mostly appsec stuff which was pretty fun

32:06

got to see a bunch of different

32:08

organizations some doing a good job

32:10

others not so much

32:13

and then from there i went and i was a

32:15

sales engineer at bugcrowd

32:16

for about two and a half years so

32:19

getting some of that customer

32:21

uh facing experience like very different

32:23

from what i was doing

32:24

uh as a consultant very different from

32:27

what i'm doing now at segment

32:29

um but i think that one of the things to

32:31

think about is like if you're trying to

32:33

move around within your career

32:36

i think that you just need to get good

32:38

at

32:39

uh like drawing parallels between

32:42

what you're doing now and what you're

32:44

trying to do next

32:45

and there's a lot of jobs that like you

32:47

know seem

32:49

not very similar but

32:52

if you're able to draw those connections

32:56

you can convince somebody how similar

32:58

they are

32:59

um you know people will be like oh wow

33:01

you've really like jumped around it's

33:02

like yeah

33:03

kind of but before segment i was a sales

33:06

engineer

33:06

and in sales you spend a lot of time

33:08

educating people and persuading people

33:10

you do this a lot in appsec uh i also

33:13

blended my experience with the consultant

33:15

with my experience at bugcrowd to

33:16

demonstrate like hey i know the basics

33:18

of appsec

33:19

while being honest about where my gaps

33:22

are

33:23

um and so i think that you need to just

33:25

be able to

33:26

uh like help people connect those dots

33:29

the other thing is

33:31

involvement in the community like that's

33:33

probably the other most important thing

33:34

is

33:35

uh people are much more likely to

33:37

interview or refer to somebody that

33:38

doesn't have like whatever the perfect

33:40

background is

33:41

if they have a personal personal

33:43

connection uh

33:44

every job i've gotten has originally

33:46

been through somebody that i met at like

33:47

a conference or work or meetup or

33:50

whatever so yeah that that's definitely

33:53

like a couple pieces of advice there and

33:55

then

33:55

for on the management side uh

33:58

there's a training from lara hogan

34:01

uh that i've worked

34:04

part of the way through i haven't

34:06

completed it but uh they have a

34:08

background

34:09

as at a variety of different like

34:11

engineering leadership roles and i found

34:13

the training to be really

34:15

helpful so far it's great to kind of get

34:17

you in the mindset of

34:18

trying to be more reflective and like

34:20

thoughtful in the way that you approach

34:22

certain conversations and uh tips for

34:25

one-on-ones tips for planning tips for

34:28

uh

34:29

like helping your team succeed like

34:30

there's a lot of

34:32

there's years of experience that she has

34:34

uh condensed into

34:35

into this course so um if you're looking

34:38

specifically to make the jump from

34:40

uh like an individual contributor role

34:43

to like a manager role i think that

34:44

that's worth checking out for sure or if

34:46

you're already in a manager role

34:48

that's awesome leif because you would

34:51

not believe how many awful managers i've

34:53

had and they might be a really nice

34:55

person or a brilliant engineer

34:58

but they're an awful manager and they're

35:02

certainly not a leader

35:04

yeah i mean it's a different set of

35:06

skills like

35:08

so i think a lot of people you know they

35:10

reach a certain level of engineering

35:12

and they get pushed into this new role

35:14

or they see it as like

35:16

this is the next thing that i need to do

35:17

in my career and so i think that it's

35:19

important for organizations to really

35:21

show engineers like hey you don't have

35:23

to be a manager like you could be

35:25

a staff engineer or principal engineer

35:26

an architect or you know

35:28

whatever is about that like they're you

35:30

need to create a path for people

35:32

to excel at what they're good at and not

35:35

everybody is going to be good at being a

35:36

manager like being a manager

35:39

yes yes they're not some people aren't

35:41

very good at and some people are awesome

35:43

at it but they don't like it

35:46

i'm actually um i downloaded like this

35:48

parenting app so i am a step mama

35:51

and i was like i like to be the best at

35:54

everything so i'm like i'm gonna learn

35:56

everything about parenting

35:58

i'm that person so i'm like i'm gonna

36:00

read 100 books

36:02

um well it's an important thing to be

36:04

prepared for like you're shaping

36:05

somebody's life in a pretty significant

36:07

way so

36:08

exactly and you want to be like the most

36:10

positive you can be and not only just be

36:13

like a disney mama

36:14

where like everything's perfect like

36:16

sometimes they cry and you have to like

36:18

comfort them and so

36:19

i was like doing a little lesson on this

36:21

app and it was explaining like

36:23

when they cry how to comfort them in a

36:25

way so that like they feel safe and

36:27

because like i was like i just kind of

36:28

hug them i'm like do you want to hug and

36:30

i like kind of listen but there's like a

36:31

whole bunch of things you can do

36:33

so they feel even more safe and i'm like

36:35

why no one tell me this before

36:37

this is just stuff like you can learn in

36:39

a book like this is amazing

36:41

until like the idea of a marketing or

36:44

sorry a management course that like

36:45

tells you how to be reflective and tells

36:47

you how to

36:48

kind of like hear your employees

36:51

actually hear what they're saying

36:53

actually respond in a way so that they

36:55

get what they want and you get what they

36:57

want persuasion

36:59

i think that persuasion is probably the

37:02

number one skill that security people

37:04

need if they want to get their jobs done

37:06

yeah you got to convince other people to

37:08

help you like security is really a

37:09

cross-cutting discipline

37:11

it's not something that the security

37:13

team can just keep

37:14

the company safe uh it's something where

37:17

you need everybody

37:18

to help keep the company safe and it's

37:20

really something where it's like it's

37:22

kind of a failed model if the security

37:24

team has to do all the work because

37:26

they're never going to be as familiar

37:27

with all these different technologies

37:29

and frameworks and

37:31

processes like you have a whole company

37:34

of

37:34

engineers and other people working on

37:36

important stuff is like

37:37

the security team can't understand all

37:39

these things like there's just not

37:41

enough

37:41

room in the human brain for them to be

37:43

an expert on all of the different

37:45

things and so that's why our appsec team

37:49

at segment has

37:50

it really security as a whole but like

37:52

uh kind of

37:54

the main charter of appsec is to really

37:55

like empower engineers to make

37:57

good security decisions on their own and

38:00

we're obviously here if they want to

38:01

talk about stuff and like work through

38:03

things

38:04

but really it's like okay you need to

38:06

figure out

38:07

when it's safe to patch this system you

38:10

need to be the one who's identifying

38:11

threats

38:12

as part of your design and like sure if

38:14

it's like a bigger project like

38:15

we'll collab on like whatever that

38:18

process is

38:19

but for the day-to-day stuff it's like

38:21

you need to be able to make a good

38:22

decision on your own because there's way

38:24

more of you than there are of us

38:25

and it's also just it's not really our

38:28

responsibility it's like you wrote this

38:29

code you

38:30

you maintain the service security is

38:32

just a part of

38:33

good software it's not something where

38:36

the security team can swoop in and like

38:37

fix all this stuff for you it's like you

38:39

need to be

38:41

keeping this thing in a secure state the

38:43

way that you keep it in a reliable state

38:46

we have a comment in the chat that i

38:48

feel totally applies to security so

38:50

kellen's saying

38:51

the thing about parenting is there's

38:53

always more to do and more to improve

38:56

so so true with security yeah being a

38:59

good

39:00

security professional seems like a

39:02

direction that we go in rather than

39:04

something we just achieved

39:05

we don't just achieve security in like

39:08

one step it's a thing

39:09

like it's a practice like you know how

39:10

you don't do yoga one time

39:12

you have to keep doing yoga and that's

39:14

why they call it a practice

39:16

i feel like what you're saying like so

39:19

you support

39:20

everyone through the thing but they're

39:22

the ones that

39:23

have to do a lot of the work and

39:27

i like it when my guests agree with my

39:29

philosophies on security and

39:31

it happens rather often i have to say

39:33

because i get to select my guests

39:35

and so that's awesome i get to research

39:39

them but

39:39

it's good when you say things that i say

39:41

a lot so then i can

39:43

point to clients and be like listen to

39:44

leif listen to

39:46

me yeah i think it's it's really just

39:49

the way that like

39:50

modern security orgs are running it's

39:53

like

39:54

i think people have figured out that

39:56

just like telling people no

39:58

and like telling people that stuff's

40:00

broken and like not helping them fix it

40:02

and not giving them tools to like fix

40:05

things easily

40:06

i think we've kind of just seen that

40:08

that model didn't really work like a

40:10

perfect example of segments like

40:12

hey you need to patch your docker

40:14

containers we will provide you with a

40:16

set of images that get updated regularly

40:18

and as long as when you restart your

40:20

builds it'll pull in the new stuff for

40:22

you automatically you just need to go

40:24

in and like restart things and like not

40:25

to trivialize the effort of like hey

40:27

well what happens if you restart

40:29

something and it breaks or whatever but

40:30

like

40:31

you can't just tell all these different

40:33

engineering teams like

40:34

hey go figure out patching independently

40:37

and like we're just going to scan it and

40:38

tell you that it's bad

40:40

like you need to give them some sort of

40:42

uh you know paved path

40:44

as netflix says to like do the right

40:46

thing and like make the right thing

40:47

easy and if people want to go off the

40:50

paved path into the jungle it's like

40:52

okay maybe they need to

40:54

figure out how to do patching but if

40:55

you're following the normal ways that

40:57

your company builds software

40:59

the security team should be either doing

41:02

this on their own or partnering with

41:03

other teams to help

41:04

build something to like make the right

41:07

thing

41:08

easy we have another comment in the chat

41:12

it's encouraging to see so many of your

41:14

guests have a good mindset

41:16

i don't know so many security-minded and

41:18

empathetic focused people

41:20

or i didn't know that so many

41:22

security-minded and

41:23

empathy-focused people existed in this

41:25

profession

41:28

yeah very nice compliment i think that

41:31

a lot of those people probably know each

41:33

other

41:34

and so if they're on tonya's podcast

41:37

then

41:38

uh that might be nice i think it's a

41:40

little bit of like a bias towards the

41:42

people that

41:42

that she knows but like i think that it

41:45

is like a wave that is like coming

41:47

across the industry like it's not like it's

41:49

just me like there's plenty of people

41:52

at working at companies that like feel

41:55

similarly to this and

41:57

are are successful because of it

42:00

my second last dev job i remember i used

42:03

to call

42:04

the lead of the security team dr no

42:06

because he would just come to meetings

42:07

and say no

42:08

all he would do is say no his name was

42:10

bruce and he would just say no all the

42:11

time and he would never say no

42:14

but you can do this it's just no you

42:16

can't do that what can we do you're a dev

42:18

you should know and it was like a lot of

42:19

blaming a lot of finger pointing

42:22

and so one day i i just told his manager

42:25

i'm like i just can't

42:27

like i have a job to get done and like

42:29

it's just a wall of no with him

42:32

if you want to tell me you can't do

42:33

something you have to give me a solution

42:35

of what i can do

42:36

all i hear is no and how much my team

42:39

sucks

42:40

and my team literally wants to go around

42:42

him and we're software developers we can

42:44

go to prod whenever we damn well want

42:46

we're following the processes out of

42:47

respect for you and so

42:49

we need to work here and so i remember

42:51

we he came to a meeting like a month or

42:53

two later

42:54

and he's like yeah so i have to say yes

42:57

in this meeting

42:58

and we have to compromise so

43:01

let's do this and then it was so much

43:03

better

43:04

like yeah i mean at first it was a bit

43:06

not awesome

43:08

but he would be like no and he's like

43:10

but

43:12

we can find a way to you for you to

43:14

accomplish your business

43:16

goal and i'm like great and then we

43:19

started like

43:20

coming up with things so if if we have

43:22

to do a big search and they're like okay

43:24

you can't use inline sql

43:26

like great but i have like a 50

43:28

different search

43:29

thing that i have to create so i need

43:31

some help because

43:33

my junior dev made an inline sql

43:35

statement

43:36

we can't have that we have to use a

43:38

parameterized query or something safer

43:40

can we brainstorm this together instead

43:42

of you just telling me i suck

43:44

and to go back to my desk with my head

43:46

down right like there's got to be a

43:48

conversation

43:49

i think it's because a lot of security

43:51

people just don't know enough

43:52

about the stuff that they're trying to

43:54

defend and if you don't know

43:56

how to make a workable solution you're

43:59

just going to be like no

44:00

because you don't know what to suggest

44:02

and so i think that that's another

44:04

attribute of like

44:05

a lot of modern security engineers is

44:08

they actually do know the systems they

44:10

actually you know they know aws they

44:12

know how to write code

44:13

and not to say that like everybody in

44:15

the security industry like needs to be a

44:17

software developer

44:18

but if you're working on a security

44:19

engineering team as an individual

44:21

contributor

44:22

it's going to be a lot easier to get

44:24

stuff done

44:25

in a way that works for your company if

44:28

you understand how stuff gets built

44:30

and can build things yourself um like

44:33

when our cloudsec team goes to a team

44:35

they're like

44:36

hey we need you to do this like they

44:38

know enough about what that team does

44:41

to give them something that's practical

44:43

and teams are way more down to do your

44:45

security asks when it's clear that

44:47

you've put thought into

44:49

what you've asked them to do and you

44:50

have tried to make it as easy as

44:52

possible and you're just coming to them

44:53

with like

44:54

you know the final 15 or 20 of

44:57

the work rather than like hey you need

44:59

to do all this and we don't know

45:01

how to do it so you need to also figure

45:03

it out

45:04

like that's not

45:07

good luck losers bye

45:12

okay so before um ben in the chat

45:16

asks i'm going to ask the cheese

45:19

question so

45:20

this do you already know what the cheese

45:22

question is

45:23

no no okay so in the first

45:26

episode i i wanted to ask so does your

45:30

position pay well

45:31

so not like exactly how much money you

45:33

make but is this a good

45:34

paying position versus because some of

45:36

the jobs we have been quite surprised to

45:38

find out they really don't pay very well

45:40

so for instance

45:41

startup founder does not pay well for

45:44

the first year or two

45:46

i know but i can't afford paneer now so

45:49

life is going

45:50

really good at we hack purple but that

45:52

said

45:54

um so it turned into the cheese question

45:56

because i realized one day as

45:59

when i was a software developer like i

46:00

went to the grocery store i was looking

46:02

at two different types of cheese trying

46:03

to decide which one i could get because

46:05

previously i could only afford to get

46:07

one type of cheese per week

46:09

and i really like cheese as pre so i

46:11

discussed cheese i'm talking a lot like

46:14

way more than i

46:15

should um but so then i realized i could

46:18

afford both and i'm like i've

46:19

made it i'm a software developer now

46:22

like i have

46:23

full-time work and like i can just buy

46:26

both cheap i can buy cheese and

46:28

yeah right and it was like really

46:30

exciting i realized i didn't have to

46:31

count every penny at the grocery store

46:33

and i could just kind of buy the things

46:34

i wanted and it was all gonna be okay

46:36

and so i think a lot of people don't

46:38

understand how much

46:40

each different job actually does so does

46:43

being

46:44

like like a manager of a security

46:48

product team pay well

46:49

is it like a good paying job for how

46:51

hard you work and

46:52

how much you need to know yeah i think

46:55

so i mean a lot of it is dependent on

46:57

the stock price of twilio which is our

46:59

parent company because there is a you

47:01

know decent amount like equity-based

47:02

compensation but yeah

47:04

i think that the the pay is pretty good

47:06

and i think that

47:07

engineering manager jobs at successful

47:10

software companies

47:11

generally paid pretty well like

47:15

like having successful engineers in a

47:18

company that that build

47:19

software like you need to pay

47:21

competitively and because

47:22

you know there's google and netflix and

47:25

amazon and

47:25

you know plenty of other bigger

47:27

companies than you that are going to pay

47:29

more and so yeah i think you need to pay

47:32

competitive at like most

47:33

uh successful software companies if you

47:36

want engineering managers that

47:38

are decent or better are you saying that

47:41

if you wanted to you could eat paneer

47:43

once

47:44

every week definitely yeah so definitely

47:48

one or more times a week have you all

47:50

the cheese humboldt

47:52

fog that's one of my favorite cheeses

47:55

what i need to link to this after just

47:57

yeah

47:58

it's humboldt like humboldt california and

48:01

then fog

48:03

it's a good one i'm on it i'm on it i

48:06

really like buffalo mozzarella

48:08

because i'm growing tomatoes and i grow

48:10

a basil as well

48:11

and you put but it's just like oh my

48:13

gosh

48:14

um good combo cheese is so good

48:18

okay so i have a really tough question

48:21

for you now that is a two-parter so it's

48:23

very difficult leif

48:24

yeah what is your favorite part

48:28

of your job and what is the least

48:31

favorite part of your job or the part

48:33

you like the best and the part you like

48:35

the least

48:36

it's hard yeah so the the part that i

48:38

like the best about my job is

48:40

i like that it really is a blend of

48:44

security work and things that are

48:45

customer facing

48:47

and that really combines like aspects of

48:49

my two previous jobs

48:50

obviously this is like a little bit

48:52

different than both of them but um

48:54

our team really has the opportunity to

48:56

shape how customers think about our

48:57

security program

48:59

um and what i mean by that is

49:00

unfortunately most users of the segment

49:03

application

49:03

have no idea how much work goes into

49:05

corporate security

49:06

incident response uh governance risk and

49:09

compliance

49:10

you know maybe like a couple people at

49:12

the company will look at the soc 2

49:14

report but

49:14

generally like most of the people

49:16

logging into the app won't see it

49:18

but they do get exposed to the security

49:20

features of our product

49:22

which is how we show them that we're

49:24

investing in security and this is

49:25

something that we care enough about

49:27

to have people build features that like

49:29

relate to this part of our business into

49:31

our

49:31

uh like what we bring to customers

49:34

very cool and then yeah for the least

49:38

favorite

49:39

i think this one's pretty tough because

49:41

generally i really like my job

49:43

i would say it's mostly there's like

49:44

specific parts

49:47

that i don't like of work that i do like

49:50

so i really like interviewing and

49:52

recruiting people but i don't really

49:54

like sourcing candidates

49:56

uh like there's aspects of like our

49:58

quarterly planning and tracking that i

50:00

don't really like

50:00

but when it gets down to like actually

50:02

working with people to plan an

50:04

individual project or multiple projects

50:07

uh i really like helping people come up

50:10

with a successful design

50:12

you know circulate it incorporate

50:13

feedback and then actually deliver on

50:15

like whatever they're doing so i'd say

50:17

you know there's usually like some

50:19

aspects of something that i generally

50:20

like

50:21

another example like outside of work is

50:23

i love connecting great speakers to

50:25

conferences and meetups

50:27

but i don't like having to follow up to

50:28

confirm their details making sure that

50:30

they can still present

50:31

like you know reviewing stuff like i'm

50:34

sure you

50:35

know what that's like as somebody that's

50:37

helped organize a lot of stuff and

50:38

running your own podcast like the whole

50:40

speaker concierge thing

50:42

is actually kind of a nightmare yeah

50:45

it really is it really is um twice this

50:49

year

50:50

uh we had our guest just not show up and

50:52

i got five minutes notice

50:55

and so that was stressful

50:58

and it's not like it happened it's like

51:00

at a conference this is you know if

51:01

you've never organized a conference

51:03

that's great uh here's a conference

51:06

organizer secret there's always at least

51:07

one organizer that has a talk ready to

51:09

go

51:10

and it's not something that it's like

51:12

maybe something they gave somewhere a

51:13

year ago and it's gonna be a little bit

51:14

rusty but if there's somebody who

51:16

literally just like

51:17

doesn't show up to their segment like

51:19

you're just gonna get an organizer

51:21

who's just gonna go up there and just do

51:23

whatever for

51:24

40 minutes or whatever so yeah if you

51:26

are somebody who speaks it stuff like

51:28

please please please tell people that

51:30

you can't make it or whatever

51:32

like i know that that can be an awkward

51:34

conversation

51:35

and you might want to avoid it but there

51:38

are a lot of people that are depending

51:39

on you showing up

51:40

and so please tell us we won't be that

51:44

mad

51:44

as long as you tell us early but if you

51:46

just straight up

51:47

ghost like we're not going to invite you

51:50

to stuff again like if somebody goes to

51:52

me for a conference like i just wouldn't

51:54

invite them or like

51:55

and i would have reservations about

51:56

accepting another talk from them and

51:58

it's like

51:58

maybe that isn't fair but it's like i

52:00

don't want to get burnt twice by the

52:02

same person it's like if you tell me a

52:03

week in advance

52:04

hey this thing happened or if you tell

52:06

me afterwards like

52:08

oh like this thing came up like my my

52:10

kid got sick or whatever it's like okay

52:12

cool like that's

52:13

totally understandable like life happens

52:14

but if you just don't show up and you

52:16

just act like you never got invited

52:18

and never confirmed i'm gonna be upset

52:21

not acceptable at all yeah

52:24

i've been the backup speaker a lot of

52:27

times

52:28

like i'm like i got my laptop i got like

52:30

five top i actually went to see a

52:32

a conference like a little ottawa

52:34

conference and they only had six

52:35

speakers the whole day

52:37

and they got up and they're like yeah so

52:40

the guy after this guy like just didn't

52:42

show so i guess and it turned out like

52:44

he broke in his arm he'd been in a

52:46

fender bender and broken his arm and

52:47

they're like he just texted him totally

52:49

understandable

52:50

yeah so i just went up and i was like hi

52:53

i can speak and they're like oh my gosh

52:55

seriously i'm like yeah i have a talk

52:57

ready and i have my thing and they're

52:58

like we know you get up there and so i

53:00

was like hi everyone everyone's like oh

53:03

and i was just like i yeah there's one

53:05

of my like maybe like

53:07

for like fifth talk or third talk ever

53:10

and i was just like i am so scared

53:12

shitless i am

53:13

so scared and i was like what if they

53:16

say like

53:16

no and they're like you suck go away no

53:18

one want and they're just like oh this

53:20

is so great like now because they're

53:22

really worried people would like

53:23

go off and it's like summer and it's

53:24

like beautiful out and they're like oh

53:26

we're worried everyone's going to go out

53:27

on an hour break and just never come

53:29

back

53:30

and so they're like yes that's the fear

53:32

of appsec california and locomocosec

53:34

sect it's like

53:35

the venue is almost nice

53:39

yeah i do i really love those two events

53:42

i really do

53:44

okay so we have six minutes left and so

53:46

i'm theoretically not supposed to just

53:48

talk to you all night this is the hard

53:49

part where i

53:50

attempt to wrap up so i want to ask you

53:54

two more questions and so one of them so

53:57

i'm going to tell you both of them so

53:58

that you can like segue from one to the

54:00

other so the first one is

54:02

what is actionable advice that you would

54:05

or like any advice that you would give

54:06

to someone that wants to get

54:08

into a job like yours and then if

54:11

someone wants to know more

54:13

about Leif Dreizler where can they find

54:15

out more

54:17

yeah sure you can cover those so

54:20

i think that uh one thing that's really

54:24

helpful is just like

54:25

if you want to get into product security

54:27

and you want to be building security

54:28

features

54:29

every time you log into an app check out

54:32

its security features

54:33

are they well implemented what do they

54:35

offer were they easy to find

54:37

were they easy to turn on um having a

54:40

list of examples

54:41

is gonna make it a lot easier when you

54:42

need to go to your design team and your

54:44

product team and be like

54:45

hey we need to build this um a perfect

54:48

example is single sign-on it's like you

54:50

might just think okay hey we just offer

54:52

single sign-on and

54:53

people use it and they're good to go um

54:56

but there's actually a lot of nuances

54:58

one of them is like

54:59

does the app allow you to force single

55:02

sign-on so like everyone in the

55:03

organization has to do it

55:05

does it allow for exemptions maybe

55:07

somebody hired a contractor and they

55:08

don't have an account with Okta

55:10

one login or azure uh how do you get

55:13

those people into the app

55:14

does the app have a tile that's

55:17

pre-built

55:17

in all these different identity

55:19

providers those aren't things that you

55:21

would necessarily like know

55:22

to to build or to think about unless you

55:24

just looked at this in a decent number

55:26

of apps and like

55:27

actually turned on this feature and so i

55:30

think that that is a pretty actionable

55:31

step

55:32

that you know people can can take is

55:35

like you know

55:36

everyone uses pieces of software like

55:38

how well

55:39

implemented are these features and then

55:42

if people want to know more about me uh

55:45

i have a website it is leif.pizza

55:49

um it's really just a collection of

55:52

all the like blogs and conferences like

55:54

i i don't blog

55:56

or present anything on the site directly

55:58

it's just like links to everything

56:00

but if you want to like read stuff that

56:02

i've written or

56:03

check out podcasts or whatever uh it's

56:05

on there and then

56:06

as i mentioned like i am the only Leif

56:08

Dreizler

56:09

if you look me up on twitter and

56:11

linkedin you will find me

56:13

uh and that is really it

56:18

awesome i so it was funny because

56:21

a bunch of the team that we hacked

56:23

purple was like that

56:24

pizza and we thought

56:30

yeah there's a new tld coming out pizza

56:33

i was like i'm buying leif dot pizza and

56:35

so i just logged in in the first week

56:37

and

56:37

i guess no other Leifs out there wanted

56:39

leif dot pizza and

56:41

it's pretty easy oh and so also someone

56:45

wants to have a shout out to your shirt

56:47

so when Leif and i met was in hawaii and

56:49

of course he was wearing hawaiian shirt

56:51

and if you see his image

56:53

on twitter he's wearing this super

56:55

bright colored shirt so i wear a super

56:56

bright colored dress

56:58

in hopes that he would wear an awesome

56:59

shirt and he did

57:01

those are paired yeah two cans

57:05

it's kind of become like a trademark of

57:07

mine i guess if

57:08

you can really call it that but um yeah

57:11

we

57:12

uh like i just always wear like fun

57:14

shirts

57:15

to to conferences and

57:18

it all started there was a shirt the

57:20

first conference i presented at it was a

57:22

lobster shirt it just had like lobsters

57:24

on it

57:25

and since then i've always made a point

57:26

to wear a hawaiian shirt for

57:29

um for the conference and so

57:33

yeah i guess the the final shout i'll

57:34

put is i have

57:36

two jobs uh a staff and a senior

57:40

that i'm hiring for the ones i linked

57:43

say

57:43

remote us it's also totally fine if you

57:47

live

57:47

in british columbia we have an office in

57:49

vancouver

57:50

you don't have to work out of it but uh

57:53

i don't

57:54

know that we can hire in the other

57:57

uh parts of canada but we can definitely

57:59

do bc and anywhere in the us

58:01

is good nice that is very close to where

58:05

i live i am on the little beautiful

58:07

island just off the coast i can like

58:09

wave to you

58:10

yeah well if you ever want to go grab

58:12

lunch with the uh

58:14

segment security team if you're in uh

58:17

vancouver just hit up Jeevan and there's

58:19

three of three of the security team is

58:21

is out of that office so

58:24

i usually hassle Jeevan if i go to

58:26

vancouver and Farshad because the

58:28

lost people are my are my people yeah

58:30

they're our people

58:31

i should say so yeah they have been

58:34

wonderful to me on many many

58:36

occasions and the b-sides people in

58:38

vancouver also

58:39

a plus awesome sauce but

58:43

i'll just keep talking so thank you so

58:46

much for coming on the show this was

58:48

really great and thank you for all the

58:49

resources you shared i'm going to link

58:51

them all in the show notes so

58:52

if you are listening to this later go to

58:56

wehackpurple.com and then click on

58:57

podcasts and then go to

58:59

like previous podcasts and this is i

59:02

believe episode 43

59:04

and so just scroll on down to leaf you

59:06

should be near the top

59:08

and um and check out all the awesome

59:09

links he shared thank you so much again

59:12

for being on the show

59:13

yeah thanks so much for having me it's

59:14

great awesome

59:18

you were just listening or watching to

59:20

the we hack purple podcast where each

59:22

week we meet someone

59:24

awesome like Leif Dreizler who tells us

59:27

about how they got their awesome job

59:28

what their jobs like to do

59:30

if the job pays well if there's lots of

59:32

opportunity if this is something that

59:33

might be right

59:34

for you thank you so much for tuning in

59:37

thank you for listening

59:38

thank you to 10Security for sponsoring

59:40

us again

59:42

they also sponsored a whole handful

59:45

of diversity scholarships and i really

59:47

appreciate those guys

59:49

um thank you to Leif for being on that

59:51

was super great and all the resources he

59:54

shared were super awesome sauce

59:55

if you want to work with Leif you should

59:57

look up segment um so segment.com

1:00:00

and then go to their careers page

1:00:02

there's going to be probably jobs

1:00:04

going on there as like you could

1:00:06

probably keep checking

1:00:08

and with that i'm going to say goodbye

1:00:10

oh and i forgot to introduce myself i'm

1:00:12

tanya janka but hopefully you all know

1:00:13

that by now

1:00:14

have a great night
