alphatore.blogg.se

Jim manico










#JIM MANICO CODE#

Everything is becoming code, and the people writing that code need to secure it. This "Everything is becoming software." Your clouds are becoming software, your servers, your network, your infrastructure. On the flip side, what you have is you have this accelerated development. Just more and more security problems that occur and the implications of not doing or making it a big deal. On one hand, maybe once again the stick or the external one, which is breaches. Maybe tell me if you agree with this, there's two trends driving this. Guy: We've seen this shift a little bit, which I relate to, and maybe there's two trends. Then alongside all of those having the browser start marking you as not secure.


Guy: I know it is very much carrot and stick, on one hand making your rank higher on Google or things like that and advocating for security on the outside, making it easier, with less encrypted likes. I love those comments in general about adoption of security, specifically HTTPS is one of the big wins of the world of security. It's now a core part of development, at least among the teams that I interact with. This is the golden era of application security for me, because we have a mature toolset for assessments, we have good books and literature on assessment, and we have a plethora of intelligent people thinking about building securely. Like, "We are entering a new era of: everything you say must be more precise and taken to a new level of rigor because of how much people care about this topic now." I've had people call me and say "We just earmarked 30 million so we can turn our entire infrastructure to internal HTTPS and stronger transport security inside of our network." When I first heard that, that was about three years ago, my jaw hit the floor. Jim: Today, 10 years later where every little slide you talk about is going to affect their policy, it's a whole different level of responsibility. Guy: They didn't care about the results, they wanted to check the box that they've done the training. I've always taken it seriously, but ten years ago when people took to training and didn't think about it for a year. Today training is something that I have to take seriously. It was something to do on the side because they had some extra budget lying around, or because compliance told them to do it so they did it and moved on with their life. When I was brought in to do training, say, 10 years ago it was a quirky thing. It's a whole collection of activities around being able to be a good educator, and I just love doing it. 
It's participating in the conversation of application security and trying to contribute something, it's working at OWASP as a volunteer helping with standards. It's studying, it's doing sample coding, it's reading other people's research. I was in that classroom over 100 days last year, and I love it. This is the first time in my life where training is 100% of my job. I used to work for SANS, I did training for them. In other jobs I've had over the last 10 years, I used to work for WhiteHat, I did training for them. Jim: I started my firm about four years ago and I've been doing 100% developer training for a little more than- For almost five years. Has that always been the case? How long has it been security education versus the developer, and what was that tipping point going from doing the coding to doing the training? Guy: You've lived and you've evolved, you're doing the security education for a good while now. Today it's a slightly more well-known fact that security is key. Also 20 years ago, that was some forward thinking there. You need to be a developer who studies security, and it will be a great benefit to your career." I listened to him, and I'm grateful that Stephen Northcutt dragged me into the security industry, and now I'm doing secure coding for a living and I love doing it.


I was brought into security by Stephen Northcutt, who is a fellow resident on the island of Hawaii where I live. I've been a developer since I was a kid, with 30 years of writing code. I started as a Commodore 64 assembly developer, and I've been coding ever since.


#JIM MANICO SOFTWARE#

I am a security educator, I travel around the world, I teach software developers to write secure code with a team of different trainers as part of my company. We've got a lot of great things to talk about here, but for the three people in the audience that might not know who you are Jim, can you tell us a little bit about who you are, what you do, maybe a little bit about how you got into this world of security AppSec? Jim Manico: Thanks so much for having me on your show, Guy. Today we have an awesome guest, one of the- Maybe the most well-known figure in the world of application security, or definitely one of the more noise-making ones of it.










