Jeff Williams DTX 2019 Interview
NATALIE TURNER [00:00:15] Hello and welcome to day one of the Digital Transformation Expo. You’re with me, Natalie Turner and my fabulous co-host, David Savage. How are you doing?
DAVID SAVAGE [00:00:23] I’m good. Thank you. How are you this morning?
NATALIE TURNER [00:00:25] I am wonderful thank you for asking. But before we forget, obviously, we are joined by Jeff Williams, who is here to my right. Jeff is the Co-Founder and Chief Technology Officer of Contrast Security. How are you today?
JEFF WILLIAMS [00:00:38] Great, how are you?
NATALIE TURNER [00:00:38] I’m really well. Thank you for joining us today. So Jeff could you just start by telling our audience what you do a bit about your company and why you’re here today?
JEFF WILLIAMS [00:00:48] Yes, so I specialise in what’s called application security. It’s the code that drives the websites that you use. You know, all the APIs that are out there that other companies use to drive the modern Internet. And unfortunately, we’re not very good at securing web apps and web APIs. It’s the leading cause of breaches by far. And I’ve been working in this field for almost 20 years. And unfortunately, we haven’t gotten much better at it during that time. And I started Contrast five years ago to try to bring new and better technology to this space to help.
NATALIE TURNER [00:01:23] Fantastic. Well, look, we will come back to that. But what does digital transformation mean to you?
JEFF WILLIAMS [00:01:29] So I think at the core, digital transformation is about businesses taking processes and businesses that used to be kind of manual and transforming them into a digital environment. So they’re turning those businesses into software. And Marc Andreessen said software’s eating the world. And I think that’s what he meant, is that companies are really turning their company into software. And it’s happening to different industries at different rates and speeds. But ultimately, I think most industries end up being largely software, which means every sort, every company is a software company. And it really means that software security is the most important piece of security that’s out there.
DAVID SAVAGE [00:02:13] That’s a bit of a worry, given that you said we’re not very good at it at the moment when it comes to apps and web apps, and yet more and more and more data is being created and we still don’t have the tools to cope with that situation.
JEFF WILLIAMS [00:02:24] It’s a really, I think, dangerous situation. Well, as I mentioned before, the average Web application has twenty six point seven serious vulnerabilities in it. That’s a crazy amount of vulnerabilities. And the analogy I always use is the airline industry. Imagine if every time you do a safety check on an aeroplane, it had twenty six point seven safety problems. That wouldn’t be acceptable. And we’ve got to raise the bar in the whole software industry to improve our ability to reliably produce safe software.
NATALIE TURNER [00:02:57] Why do you think people aren’t as concerned about it as they should be?
JEFF WILLIAMS [00:03:01] Well, you know, to a certain extent, these problems are invisible. Like you don’t know they’re there until you look really hard with good tools, and so some companies just don’t know really how exposed they are, and that’s a big risk with digital transformation. You rush in, you turn a business into software and you don’t realize that you’ve now introduced new risks that weren’t possible in the old brick and mortar world. You know, if you’re dealing with paper on desks, it’s very difficult to steal all of that paper for an attacker. But in the digital world, break in, take over a host, you could steal everything. So the risks change dramatically in the digital world.
DAVID SAVAGE [00:03:44] Out of interest, you talk about the fact that security is kind of not kept up with the industry. The security is still quite immature in itself. I suppose you’re going into organizations and having to have conversations with people who know it’s…really got a huge amount of experience themselves, maybe they haven’t been through an attack, and I suppose framing that conversation must be quite difficult in itself.
JEFF WILLIAMS [00:04:06] Well, there’s nothing more motivating than being successfully attacked. So that usually gets people off the dime really quickly. But you’re right that most organizations say they take this kind of what’s barely good enough approach to security. Right. They’re really not doing really all that they should. They’re doing just enough so that either they don’t get fired or they, you know, they kick the can down the road. But I know many organizations that have databases of vulnerabilities that they’re not fixing. And so there’s this weird difference between what I think normal people expect. I mean, like people like my mom or the board of directors or parliament, they expect a level of security that’s nowhere near what’s really being achieved in the field. And you can see this outrage when there’s a big public breach. And people are like how could this company have not updated that library in four months? It’s ridiculous. It’s negligence and so on. But every single company has those problems. You know, hundreds or thousands of times over.
NATALIE TURNER [00:05:06] So someone like myself, who isn’t I don’t know a huge a lot about cybersecurity, but you talk about vulnerabilities, risks, threats. What is the difference between those three things?
JEFF WILLIAMS [00:05:17] Yeah. And so when I think about it, a threat is like a bad actor. You could be anywhere from a kid at home on weekends up to all the way, you know, to like a nation state spying on foreign countries and so on. That’s a threat. Now a threat uses vulnerabilities to exploit organizations. So a vulnerability is like an open window, right? It’s just a vulnerability until some threat crosses through it and steals your stuff. And an exploit is what they do. That’s when they actually harm your business in some way by exploiting a vulnerability. So like those terms get thrown around a lot. So a lot of people, you know, they get mixed up, but it’s not really very complicated. At the end of the day, you know, companies need to know their threats. They need to understand where they’re vulnerable. They need to put defences in place to make sure that those vulnerabilities don’t get exploited. And then they also need to have assurance that those defences are good. And a lot of folks, they sort of stop at well, we have a defence, but they don’t really know how good it is. And it’s really important to understand that the defence is correct and effective for the kinds of threats you’re trying to stop.
DAVID SAVAGE [00:06:27] I find it really interesting that you talk about the vulnerability being an open window, because I suppose most people think of threats, they probably think of state actors, or they think of a group specifically targeting an organization. I suppose it’s far more like someone opportunistic walking down the street looking for an open window. They’re not necessarily targeting any given organization. They’re just looking for someone who’s made a mistake. And I suppose that adds that level of paranoia to the organizations that you’re talking to.
JEFF WILLIAMS [00:06:51] A lot of threats are really like that. If you remember when Equifax got breached a year and a half ago, they had a vulnerability that came from one of the frameworks that they were using. And immediately after that breach, we saw a massive increase in scans for that specific vulnerability across all of our customers. So it’s people just writing tools to just carpet bomb the Internet and try to find companies that are vulnerable to a particular flaw.
NATALIE TURNER [00:07:19] So, you’re talking later on, you’ve got a speech. Could you tell us a little bit more about that?
JEFF WILLIAMS [00:07:25] Yes. So I’m doing a talk about the future of penetration testing, and pen-testing is really, I spent many years doing this. It’s actually, it’s very fun work. It’s, you know, pretending you’re an adversary, going in and trying to break into applications. But it’s changing and it has to change because as software accelerates, like as digital transformation efforts accelerate, as dev ops increases the speed of software development, the rate that software is being produced is increasing dramatically, and pen-testing is a relatively slow process. It’s more like being in a crime lab. You have to be very systematic. And so we have to automate most of the work that pen testers do and focus our limited security resources on the really hard parts of the problem. Right. The custom security controls, the authentication, the business logic, that kind of stuff. And we’ve got to automate the basic blocking and tackling. We have to automate it or it just simply can’t scale.
DAVID SAVAGE [00:08:29] Automation is an interesting point as well I suppose, because that’s the only way we’re going to cope with the skills crisis. What, 600,000 jobs left unfulfilled in the states at the minute within the cybersecurity industry. Yet nowhere near that amount of people. So I suppose people have to accept that automation is this thing that’s going to help them plug that gap.
JEFF WILLIAMS [00:08:46] Yeah. There’s something like twenty one million developers in the world writing code every day. So they’re checking in insecure code at a really fast rate. And the number of security folks that can deal with that is really pretty limited. So you’re right, we have to automate that. In my opinion, the only sane approach is to empower development teams to do their own security. So we’ve got to use the big machinery of those 21 million developers. They have to be empowered to write secure code themselves. That’s the automation we need. We don’t need tools for experts. We need tools that allow regular developers, ordinary people, to get notified about vulnerabilities right away and tell them what to do to fix it and allow them to test themselves.
DAVID SAVAGE [00:09:33] Which is I guess why we’re getting this convergence of dev ops and sec. Kind of dev sec ops increasingly talked about.
JEFF WILLIAMS [00:09:38] That’s right. And you started the conversation by saying that security has to transform itself, and dev sec ops really, to me, is that. There are a lot of folks that will say dev sec ops is just shifting left. Like taking traditional security tools and dumping them on to development teams. That’s not going to work because those tools, those teams don’t have the expertise to use those legacy tools like static analysis, dynamic scanners and things like that. We need a new breed of tools that’s designed for developers, that works the way that they work.
NATALIE TURNER [00:10:11] So you work within application systems that’s what you do. I mean, there must be some cons other than the pros that you’ve spoken about. Can you identify a few things for us?
JEFF WILLIAMS [00:10:20] Cons to security?
NATALIE TURNER [00:10:21] Yeah.
JEFF WILLIAMS [00:10:27] Well, that’s interesting. I think some people might trade off something like speed to market versus security and say, like, if we spend all this time on security, we can’t get to market fast enough. And I actually think that’s, well, common. I think it’s sort of a false dichotomy. I think security is an enabler that helps companies bring their products to market faster because they have freedom to innovate. If you’ve got security well established, then you can do crazy things like you can put a kiosk in a public square and let people use it. You can have, you know, phone calls across countries and, you know, transactions that happen any time, any place. Like security allows you to innovate. So, well, I think that’s the con that most people might point to. It’s really not real. In my mind, I think security’s net net of awesome investment for a company too. So maybe you’re not going to get me on that one.
NATALIE TURNER [00:11:25] OK. All right. Well look, that’s fantastic. Thank you so much for joining us.
JEFF WILLIAMS [00:11:28] My pleasure, thank you very much.
DAVID SAVAGE [00:11:29] Enjoy your talks.
JEFF WILLIAMS [00:11:30] Thank you.
NATALIE TURNER [00:11:31] Unfortunately that is all we have time for, however don’t go away. We’ll be back after a very short break. See you in a bit.