Jan. 23, 2024

Building AppSec from Existing Practices with Andrew Wheatley (Tayko)

In this episode of "Build Amazing Things Securely," host Laura Bell Main sits down with Andrew Wheatley from Tayko. Andrew shares his journey from software development to application security, including the burnout that prompted his career pivot. He discusses the importance of understanding and fitting into teams' existing processes, borrowing techniques such as the Rose, Bud, Thorn retrospective and design personas to grow security culture without adding process shock. Andrew emphasizes learning from mistakes, the value of different perspectives in AppSec, and the future direction of the field.

Key Points:

  1. Andrew's Background: Transition from software development and data analytics to application security.
  2. Burnout and Recovery: Andrew's experience with burnout and how it reshaped his career focus towards people and helping others.
  3. Integrating Security into Development: Strategies for seamlessly integrating security measures into existing software development processes.
  4. Rose, Bud, Thorn Technique: Using this retrospective method to understand team dynamics and improve security culture.
  5. Future of AppSec: Andrew's insights into the evolving role of application security as a facilitator and enabler within development teams.

Homework (Recommended Actions):

  1. Reflect on Team Processes: Use the Rose, Bud, Thorn technique to identify areas of strength, growth, and challenges within your team.
  2. Learn from Mistakes: Encourage a culture where making and learning from mistakes is valued.
  3. Adopt User-Centric Security: Consider how security measures impact the end user and integrate them thoughtfully into your development process.
  4. Stay Informed: Keep up with the evolving trends in application security to remain effective and relevant in your field.

Relevant Links:

  • https://easyretro.io/templates/rose-bud-thorn/
  • https://tayko.io/
  • https://www.linkedin.com/in/andrew-wheatley-55247225/

Transcript
Laura Bell Main (she/her, recorded 11-22-2023):

Hello everybody and welcome back to this episode of Build Amazing Things Securely. My name is Laura Bell Main and, as well as running SafeStack, I am your host and guide for this and all BATS episodes. Today we have a great guest with us. We have Andrew here from Tayko. Now, I am saying that in that little way 'cause I saw it written down and my brain went, how do I pronounce this? You'll know this from previous episodes: I'm bad at names. So it's like Tao, but not Tao. So there we go. You can always say it in that kind of name if you want, in that kind of tone. But jokes aside, welcome Andrew. It is lovely to have you here today.

Andrew Wheatley:

It's good to be here. So just letting you know, Laura, it's Teko. Do you wanna start again?

Laura Bell Main:

I'm truly terrible with names. No, we're just gonna leave it Soko. There we go. No, on this show we own our mistakes.

Andrew Wheatley:

I was trying to help you with the taco.

Laura Bell Main:

Just, yeah, no, and no. And then I

Andrew Wheatley:

have gone down the Tokyo route.

Laura Bell Main:

Yeah, I did. My brain just liked going there. All right. Okay, so

Andrew Wheatley:

We just like the sound of it and we like the look of it. So

Laura Bell Main:

Takyo, like ko. Wait, we got it. Okay. So thank you, Andrew. We've already learned things. I've already learned things today. So who are you, the human?

Andrew Wheatley:

Who am I, the human? Okay. Oh, that's a very deep question. How long do we have? We've got 25 minutes. 25 minutes.

Laura Bell Main:

Yeah. I'll steer you if you end up lying on a couch and talking about your parents. We'll be fine though.

Andrew Wheatley:

Good, good. I tend to do that. Me as a person: I've always been very technical. I've been a data-driven kind of person. I love data analytics. I love finding behavioral patterns in data. And there was a point in around 2020 when we were going through an acquisition and I was helping around that company, and I burnt myself out. I took some time off, and I started to really think about my approach. And I think that's who I am now as a person: I changed my attitude and my way of thinking about things. I still like to use data, but I also love people. I love helping people, I've always loved helping people, and I've started this security journey now about helping and relating to people rather than letting technology dictate, and letting processes and rigid things dictate. As a person, that's who I am. I love to help. And where I've come from, from a career perspective, I've done about 10 to 15 years of software development. Came from the good old days of that .NET drive, went through all the perils of ASP version one.

Laura Bell Main:

Ooh.

Andrew Wheatley:

And I think I was very lucky, 'cause in that era of working inside companies we got to see a lot of change in the attitudes of maybe the old guard and the new guard that was coming through, which is this agile process that has been around for 50-plus years, but finally getting into those teams and progressing away from the waterfall techniques, and having those epiphany moments when it was all coming out. I think that was a very unique position to be in, and I've carried that out as well. So yeah, developer. Then I decided to create a really nice portal for everyone to log into, for some volunteers, and I made it vulnerable and it got hacked.

Laura Bell Main:

Oh no.

Andrew Wheatley:

We all know about those kinds of things; it never feels good. And I left it for a couple of months, but then I started to really get intrigued by it. And I met a couple of really good people. They weren't dictating, they helped me. They gave me some books to read about the OWASP Top 10. There was a book about it and how to do it in .NET. So I read that. And so I started my journey in security through Alcorn Group with Wade Alcorn. And he gave me the confidence that I wanted to have to start working in security, and that naturally led me into the AppSec career that I'm journeying on now. And now my company is where I'm trying to show and help the industry change in the way that I felt back in 2000, 2010. That's a long time ago now, isn't it?

Laura Bell Main:

Yeah, it's all right. We're all old. We'll just bypass that. Don't worry.

Andrew Wheatley:

But yeah, that's me at the moment. And I've got my business partner, Isaac. We've got a similar mindset about helping our clients predominantly, rather than just doing the everyday sort of consultancy work. And yeah, that's sort of me, where I am at the moment. I love my family. I put them above everything else since that burnout period. And I try and make sure that our employees have that same mentality, and hopefully we won't go down the way that traditionally happens with burnout for certain consultants in our industry.

Laura Bell Main:

Look, there's many things to unpick here. I'm just gonna call out a few things. Firstly, hat tip to the OG Wade Alcorn, who, if you haven't met him, folks at home, is genuinely a nice human. Do reach out and have a look at what he's up to and what he's done. It is an impressive career path he's built for himself, and I know he's impacted a lot of people, not just the lovely Andrew who's here today. It's a big step to build your own company, Andrew, so that's really amazing, and congratulations. Burnout is a terrible thing, and I'm sure many of the audience have been around that in some way, but to come back from that and choose to build something of your own is huge. So fantastic. Really excited. And that's why I wanted to have you on today, because some of the ways you think, Andrew, are a little bit unusual. And when we've been talking in the past, there are ways you're bringing security to software that we haven't thought about before, or at least I haven't thought about. So I wanted to dig in today: with the breadth of experience you have, with all of the things you've seen, what is it you do in AppSec that's a bit weird and different, and what can we learn from you?

Andrew Wheatley:

Look, it is a bit weird and a bit different, and it's probably weird and different to maybe our fellow folks in security. But if you were to talk to an engineer and to a product manager, these kinds of ways of thinking are actually fairly straightforward, and what they do every day and how they do things. And I definitely felt that way when I was first introduced to most of these processes that I like to do with companies when I go in and have a look around. And I didn't necessarily start thinking this way. I've made a lot of mistakes along the way, and I think that's something that I hope your viewers and listeners get to listen to and say, "I don't wanna make mistakes." Make as many mistakes as you can, because if I didn't make those mistakes, I wouldn't have the mental thinking that I have right now. And don't be arrogant about it. Think differently, generally. I encourage my children: always think differently and don't worry if people say that it's wrong. You personally know if you are on the right track, and you think positively, so give it a go, and it's okay to make those mistakes.

Laura Bell Main:

All right. You've got us all intrigued, Andrew. Okay, we've got permission to make mistakes. It's all gonna feel a bit weird. I feel like we're being briefed on some kind of crazy adventure here. So what are these processes that you are borrowing from the existing software world, from the existing product world, and where do they fit into security?

Andrew Wheatley:

Generally with application security, we want to fit into the lifecycle of a product, or the SSDLC. So the software development lifecycle is something where we always start when we talk about AppSec and where we're going to inject security. I've tried that before, and when I've come in with threat modeling processes of different maturities, of different things, I've started from asking those three key questions, what can go wrong, all those kinds of things, to full-blown spreadsheets with questions that would generally help us, but maybe not help an engineer who's too busy doing work. The very first one that I got to be involved in is the Rose, Bud, Thorn. And it was part of a retro session with one of the teams. And it was basically trying to get what they had done wrong, what they'd done right, and what they want to actually do further in the future. And I've taken that sort of approach to how I come into companies and evaluate where everything is, because if you get a bunch of very intelligent, smart people in a room and you ask them a few questions, and you break up those sessions into smaller sessions with smaller groups of people, you really start to get how they're feeling and where security truly actually is. 'Cause you can sit in a room and talk about it, as we all have done, and through auditors and all that kind of stuff. But if you don't truly believe that what you're doing is actually going to make a difference, then you generally don't want to. And I found that letting everyone get it out... and generally you do find there's a lot of thorns. And then

Laura Bell Main:

Hang on, I'm gonna have to stop you, Andrew, 'cause, believe it or not, I don't know what Rose, Bud, Thorn is. Can you just step us backwards: what is a rose and what is a bud and what is a thorn? 'Cause I don't think we're in the garden right now.

Andrew Wheatley:

Yeah. So when you think about a rose, it generally goes through the phases of growth. And so you've got the thorn, which hurts you. So that's the bad: the things that you're not generally happy with in what you're doing and how you're progressing. You've got the bud, which is your growth. So what do you want to do and how do you wanna do it? What do you think you can do better? And then you've got your flower, which is the thing that you are doing well. And that's probably one of the most important things too, 'cause it's usually the one that isn't filled out the most when you have these kinds of sessions. And it's that process of taking those thorns and actually talking and digesting some of those things together that they actually do turn out to be flowers. That's pretty much the gist.


Andrew Wheatley:

And yeah, I just found it, for anyone that hasn't done it, even going through that process that we just went through a little bit before, it makes you break out of the normal mundane routines of what's going on. And it allows people to relax and do things. And the more sessions you do... Something that I wasn't doing in the past but I'm starting to do now is keep track of each one, to show, and maybe we might talk about it a bit more, but when you talk about these kinds of processes, it's hard to measure. And that's one of the experiments I'm going with right now, seeing how I can measure a company's growth and culture through this process by showing them, like, this was a thorn four quarters ago and now it's turned into a rose, and things like that. And it helps teams show that they actually are growing in security.

Laura Bell Main:

I love this. I love this because we talk a lot about return on investment, and you'll see lots of marketers who say, "Hey, do this thing and you will get a hundred million dollars return on this," or "93% of bugs are stopped in their tracks." But in reality, most of that's just made-up hype. I love the idea that while this is quite a cultural exercise, we're not talking about how many bugs there were on Tuesday versus Wednesday, the way you're structuring this and coming back to it is giving you those reference points to see growth over time. And I think taking that extra time to make sure you've recorded it, and can see and take a moment to look back and see that, is something we can all remember to do more of. It's really easy to keep going forward and not take stock and remind ourselves how far we've come.

Andrew Wheatley:

Yeah, no, definitely. And just keeping to who I am as a human, I do, to the point of practicing it by writing it down. I do that with my partner. I do that with my parents, and it does grow a sense of community and that kind of thing too, 'cause we all live busy lives, and being able to reflect and act, we don't generally do much.

Laura Bell Main:

Okay, so I'm loving this. We are borrowing processes that are already established. They already work, we know that, and we're applying them in our space. Now, what's the benefit of using a process that people are already familiar with instead of bringing in a new one, do you think?

Andrew Wheatley:

There's lots of benefits. I always go back to that mistake that I made when I came in with all these processes that I thought were amazing. And I said before, I'm a data person, so I love writing up processes, how it's gonna work and everything. And the concept of build shock: they get process shock. You are working in these highly scalable, highly moving teams. They've already had their velocity measured, they're working very well, and then all of a sudden the security consultant comes in and disrupts it. And there are techniques inside agile that help with disruption, but ultimately you don't want to disrupt. The thing that I do like to do is the Rose, Bud, Thorn. I do introduce people to it, because it helps me understand what's going on, but then sitting and watching how they do their things, and then using how we do things in security and translating it into their way of thinking. There was a company that I was consulting for, and they were heavy in the design aspect. They brought up their Miro, they started to do the "show me the GUI design," and then they had these little cards, and it was like, Joe Bloggs such-and-such likes to use the platform for doing X, Y, Z. He is a family man. He's the age of this. The design personas that everyone uses. And this is probably not a new concept, but it was a new one for me. So I went to the design team, and shout out to Damien if he's actually gonna listen to this, but he went and drew me up... Part of my role was to do a threat profile. We learned about it, built up a threat profile, built up all the things that could possibly be a threat to this company. And then we went and made personas. So hang on, I can't remember the names of them, but hopefully I will be able to. So we had Ida Impersonator. Ida is the master of deception. She's stolen and forged credentials to gain unauthorized access to systems, always keeping her true identity a secret.

And then we put traits, so deceptive, opportunistic, and then we put in some defense strategies around it, so the ways that we can mitigate those threats: API key rotation, token validation, all that kind of stuff that we as security people know will help you prevent the threats and mitigate them, but trying to do it in a different way. So then when they went and designed their system, the team had not only Joe Bloggs but they had Ida sitting there. And then the product manager would be like, okay, how are we going to deal with Ida? And then people would start to talk about it. And it's that kind of looking at how people work already.

Laura Bell Main:

I think this is a really interesting shift for us as an industry. It's very hard, and a sign of maturity for a group, to be able to go from being "Hey, we are the authority on this thing, here's the thing you should be doing," to bringing all of your skills and techniques and your experience, but in a subtle, non-ego way, and going, "Cool, you are doing this thing. How can I help weave something new into that?" Security stops being the main event and it starts being a gentle thread through an existing developer workflow. So in this process of borrowing these processes and bringing them into teams, have there been any other kinds of things that, if somebody was listening at home and they were gonna start on this themselves, any recommendations you'd make for them?

I love this. That's great advice. And I love the idea of just going to a tool that other roles in software are using and just going to look at what their templates are. Go see what their processes are, what tools they use, because the closer you get to them, the less cognitive load they have to join you on your adventure, 'cause they already know these tools, these techniques. So if you were gonna put on your psychic hat and look forwards in AppSec, Andrew, where do you think it's headed? Where are the big problems and challenges that we're gonna be looking at in the next five years?

Oh, absolutely. I'm here with my thorns. My thorns for you. I really love this: the future of application security, instead of being a blocker, as a coach and an enabler and as an inspiration, but then ultimately no longer needed in the way that it currently is. What an ideal dream that would be. And perhaps folks who are listening can take some of the guidance from this. Go move a little closer to your dev teams. Work in ways they're already familiar with and see how many people you can inspire, like Andrew, to get their little light bulb moments.

If we were to follow along with your adventures after this, Andrew and Tako, look at me, I can say it, learning, we can do it too. If we were to follow along with your adventures, what's the best way to catch up with you and what you're up to?

That's incredible, and what a generous offer there. It's absolutely fine, and there are many of us not on the social medias, but what a lovely offer. Do reach out to myself, reach out to Andrew, reach out to others in your community, because sometimes sitting down and having a chat, even if it's recorded for the internet like this, can be really helpful for everyone involved. Right, Andrew, it has been an absolute delight to have you here. I'm sure we are going to catch up again at some point in the future as you explore further into how to make application security part of everyone's world. So thank you for coming on and being a guest.

I'd never call it that. I literally have a unicorn in my background, team. Airy fairy is all good with me. Right, team at home, you know the drill at this point. Now, I've been reading books about podcasts, and apparently I'm not supposed to tell you to like and subscribe. I'm supposed to tell you to go and recommend this podcast to a friend. So off you go. Go find a friend. Make friends, give them cake, possibly a podcast. Who knows? That's apparently how this works. If you are gonna be wonderfully brave like Andrew and wanna share what you are working on, with whatever you are building in the world, come and have a chat to us. If you visit www.buildamazingthingssecurely.com, we've got a fancy domain now, you can sign up as a guest and you can check out our previous episodes. So thank you for your ears. We look forward to seeing you on the internet again soon. And thank you, Andrew, one more time for being such a wonderful guest today.