Security Trends 2022 Panel Discussion @Women In DevOps

December 2, 2021

3 min read

JFrog Security experts, Moran Ashkenazi, VP Security Engineering, CSO @ JFrog, Nitzan Gotlib, Security Lead Engineer, collaborate with other DevOps industry leaders and discussed the execution of cyber security tasks alongside new technological advancements. Stefania Chaplin interesting spoke about how ‘25% of all breaches are caused by human error,’ adding that we must be empathetic with ourselves. Moran A. echoed this and added we must try to empower our employees. By giving people the opportunity to run systems and developments, great responsibility and accountability will follow. Moreover, in 2021 cybersecurity saw a global spike in Ransomware activity. Nitzan Gotlib spoke about how organizations are becoming more aware of these attacks, and Jaki Hsieh Wojan predicted that hackers will elevate their sophistication by targeting users on social media to uncover rich information.

During the evening, we discovered that 20% of our audience believe their organization does not have an inclusive hiring process. We explored ways to combat this, such as amending job descriptions, creating a reasonable list of ‘required’ and ‘desired’ attributes, as well as initiating an inclusive onboarding process and mentoring others.

Moran Ashkenazi
Moran Ashkenazi has extensive experience of over 20 years in cyber security, including as a CISO, in product management, cloud security, and managing large, security projects. Her experience reflects a solid track record in strategy, design, and product advisory. Her skill set includes an extended knowledge of cyber security, threat analysis, along with cloud-native and container security.
Moran has spent her time in the security operations business managing security architecture, identity and access management, cyber intelligence, and governance. She has designed and engineered security solutions for numerous companies from the top down and bottom up – a critical aspect for many growing businesses. Recently, she joined JFrog as their VP security engineer, CISO. Moran holds a B.A. in Computer Science from the Open University.

Nitzan Gotlib
Nitzan Gotlib is a security lead and engineer with vast experience in monitoring and incident response. In his current position, Nitzan is leading the Incident Response and SecOps team at JFrog. Prior to JFrog, Nitzan was at Wix specializing in security monitoring, incident response and threat intelligence. In the last decade, Nitzan has worked in various sectors, from finance and healthcare to tech and startups.

Stefania Chaplin
Stefania is UK&I’s Solutions Architect at GitLab. Her experience within Cybersecurity, DevSecOps, and OSS governance mean she’s helped countless organisations understand and implement security throughout their SDLC. As a python developer at heart, Stefania is always improving efficiency wherever she goes by scripting and automating processes and creating integrations. Stefania is passionate about DevSecOps and cybersecurity, having spoken at many conferences across; RSA Conference, ADDO, JavaZone, JFokus, ESOC MENA, Mauritius Virtual Developers Conference, Women of Silicon Roundabout, Women in DevOps, DZone, and on the Secure Code Warrior Brighttalk.

Jaki Hsieh Wojan
Jaki Hsieh Wojan has spent the last 10 years working in the FinTech space. She started out as a product manager for a secure instant issuance product and has now become the CISO overseeing the corporate security program. She has years of experience is in secure development, solution design, payment card security, cryptography, and EMV. Her most recent accomplishment is completing a large project for Payment Cards Industry Card Production Compliance, a larger hurdle than the standard PCI-DSS known to most.

Speakers

Moran Ashkenazi

Moran Ashkenazi

VP Security Engineering , CSO at JFrog / Advisory Board

Moran Ashkenazi has extensive experience of over 20 years in cyber security, including as a CISO, in product management, cloud security, and managing large, security projects. Her experience reflects a solid track record in strategy, design, and product advisory. Her skill set includes an extended knowledge of cyber security, threat analysis, along with cloud-native and container security. Moran has spent her time in the security operations business managing security architecture, identity and access management, cyber intelligence, and governance. She has designed and engineered security solutions for numerous companies from the top down and bottom up – a critical aspect for many growing businesses. Recently, she joined JFrog as their VP security engineer, CISO. Moran holds a B.A. in Computer Science from the Open University.
Nitzan Gotlib

Nitzan Gotlib

Security Operations Team Lead

Nitzan Gotlib is a security lead and engineer with vast experience in monitoring and incident response. In his current position, Nitzan is leading the Incident Response and SecOps team at JFrog. Prior to JFrog, Nitzan was at Wix specializing in security monitoring, incident response and threat intelligence. In the last decade, Nitzan has worked in various sectors, from finance and healthcare to tech and startups.

Related Resources

Video

June 30, 2021 | 2 min read min read

DevSecOps is a practice. Make it visible [swampUP 2021]

In this session hear about the ways tech-enabled enterprises approach a DevSecOps practice, how they make it visible, and how Splunk + JFrog can accelerate…

Shownote

April 5, 2021 | < 1 min read

Security and DevOps: “Go get an approval for this library usage. Or not?” @ DevOps Toronto Meetup

Security and DevOps. Go get an approval for this library usage. Or not? To be good at security, you need to think like a CISO;…

Video

September 19, 2021 | 2 min read min read

Solarwinds Hack – Executive Order of Cybersecurity – and Now?

It is essential to know that the SolarWinds company produces software that is used to manage network infrastructure. With the name “Orion Platform, ” this…

Shownote

April 14, 2021 | < 1 min read

Cloud Security Alliance (CSA) West Michigan Chapter: “Not Another Demo” with JFrog

Sven Ruppert, Developer Advocate at JFrog, dives right in with the experts at the Cloud Security Alliance. If you are interested in learning more about…

Video Transcript

hi everyone thank you so much for
joining women in devops today um we’ve
got five minutes until kickoff time and
there’s a little bit of a sign up
process
um so we just let a few people
um come on through get all signed up um
and then we’ve got really good lineup
today
we have jfrog here who are global
platinum sponsors which is really
exciting and as usual we are joined by
ahri for a fantastic giveaway um i
always
love hearing what they’re going to be
and i’ve managed to
sneak a few extras in the past so i hope
you’re all excited for that and then
we’ve got an amazing security panel
lined up for you um which jacob simmons
head of security at wargate search is
going to chair um with some amazing
leaders in the security space
globally we have a global panel today
which is really exciting too so
we’ll give it a few more minutes and
we’ll kick off that half past
should we see what time of day is for
everyone that’s a fun little
icebreaker um for me it’s 5 30 p.m and
it’s pitch black outside and quite cold
and you’re in london aren’t you i’m in
oh yes sir and i’m in london uk
it’s uh half past seven here in israel
um
it’s also dark and rainy
uh not that cold but uh i guess
cold compared to israel weather
it’s a summer in comparison to london
for sure
i meant this indoors so yeah
i’m with you stephanie
i probably sound a little bit spoiled
but uh
we’re talking out here in l.a it’s uh
it’s a little bit misty and foggy um
it’s saying 56 degrees which i think
fahrenheit which i think uh
for a lot of people is not something to
complain about but
uh for myself who’s well acclimatized
now to the uh
uh to the la temperatures i’m not
enjoying it it’s a little bit too cold
for me
i have a confession that i actually put
my heating on last night for the first
time in two years since moving to los
angeles it was that cold
wow and then i looked and it was 15
degrees it was 15 degrees celsius
heating up i was like i’m officially
climatized at this point
wow
literally
um welcome if you have just joined us
um i’m in uh northern california not bad
i think we lost you
i am here looks like my internet’s kind
of going in and out i’m going to plug in
a little bit differently so sorry about
that
no you don’t absolutely
no worries at all
ari where are you you’re you’re on i was
actually joining us from vacation as
well so absolute dedication to the
course
yep yeah we are in uh i’m actually in
uh pigeon forge tennessee right we’re in
the home of bollywood if you ever heard
of bollywood we haven’t gone to
dollywood because with a family of as
big as mine i could also put a down
payment on a car which i decided i might
do instead
but now we’re doing a lot of fun rides
and uh just having a blast with all the
kids so it’s been a lot of fun
sounds amazing
yeah real real global
a real global um
presence here i think
actually stefano how many well how many
women develop
panels have you done this must be
awesome
um i think this is my second this year
because i did the pride one um which was
um in summer and then i used to come to
the face-to-face meetups um and i think
i’ve spoken at two of those um so yeah i
think this is my fourth women in devops
event maybe
we’re very very lucky to have you so
thank you thanks
very much i’m lucky to have such an
amazing um
such an amazing panel today global some
real senior leaders real thought leaders
in the security space so
we’ll give it a few more minutes
hi anthony hi ben hi emily
hi elsie alfie used to work with women
and developed really closely
university we love that you’ve joined
a few more minutes to get signed up and
then
we will kick off with today’s panel
discussion
also can anybody else cope it’s the 2nd
of december
i’ve been unwell this week since
thanksgiving um so today was my first
day back at work and i’m like what it’s
the 2nd of december
so a hundred percent it’s very short
week this week
not only is it second to second december
in 2021 i feel like last time i looked
at my watch it was like
2014.
i thought you’re about to say 2022 like
that’s what i was expecting to hear so i
don’t know what that says about me
no not at all
that was still okay
okay perfect so let’s kick off um
welcome everybody to women in devops
whether you’re watching us live whether
you’re joining us from linkedin
streaming whether you’re joining us from
youtube a huge huge warm welcome to
every single one of you and thank you
again for supporting women in devops
so this month we’re going to be talking
about security trends for 2022. we have
an amazing lineup um from across the
world which i can’t wait to introduce
you to today we have jacob simmons
holding um the chair
that particular discussion and he’s head
of security at broad gate search part of
chinovo group um who power women and
devops
and uh he’s well embedded and very
excited for today’s very raw honest and
hopefully very informative conversation
around what we can expect next year to
look like
um and what we can prepare ourselves for
before we dive in every single woman in
devops webinar and in person event we
are so lucky to be joined by our
platinum sponsor
jay frog um they’ve been on sponsor now
for for two years and does some
incredible work for the women in devops
community supporting junior engineers
with workshops being inspiration for
more senior engineers um and obviously
being a major player in their space and
on top of all that we are so lucky that
every single time they give up give away
an amazing prize um to one lucky winner
if you are watching on youtube i’m sorry
the competition has now closed um but
hopefully i encourage you encourage you
to join us live next time
so without hesitation um
i’ll hand over to you
okay hey thank you so much lauren let me
go ahead and do the most difficult thing
i do today and that is share my screen
and
see here we are can everyone see my
screen okay now
yes thumbs up
okay awesome perhaps
that’s always a big relief when that
when when when we get that done
uh
you just
switch one thing over here and so i can
see what i’m doing
here we go and i’ll start over thank you
everybody my name is ari waller and i am
the meetup event manager for jfrog and
we are so excited to uh really have
completed our second year as a platinum
sponsor for women and devops such an
awesome community and we’re just so
privileged to be part of it so we’re so
thankful for that i’ll share just a
little bit about who we are
jfrog is the devops software company
known best for artifactory which is
considered by many as the gold standard
for managing your artifacts and
dependencies
and tonight i’m very excited to report
to you that our
cloud days 22 2022 conference is coming
in january and jfrog wants women and
devops members to get in for free as you
can see on the slide there uh devops
cloud days is a three-day virtual event
showcasing content from jfrog as well as
the three biggest cloud providers azure
aws and google cloud and demonstrate how
developers can simplify and accelerate
deployment of their applications so you
can see the agenda when when you go
there with the qr code and register
i’ll also drop the registration link in
here in just a moment as well
and if i can hit the second slide here
which i think what lauren was referring
to
is uh we have an exciting giveaway
tonight jfrog has a raffle for one
meetup attendee to win a pair of these
awesome beats studio
buds you can enter with the qr code or
the bitly that you see
and i will also drop that in the chat a
winner will be selected within two
business days and then we’ll share the
name of the lucky winner with your whole
community once they formally accept the
prize but uh very much looking forward
to today’s panel thank you so much for
putting this together lauren and we’re
again we’re so excited uh to be part of
the women in devops community thank you
for everything you do
no thank thank you so much if you
haven’t been to a winning devops event
before you haven’t heard of us and
probably should mention this at the
start women in devops was originally
founded in 2017
to be a platform for
women in the devops space
however we’ve really matured now as a
group as a community as an organization
and we now invest all of our efforts
into advocating for all voices from all
underrepresented groups globally within
the devops and sre space but also the
tech world as a whole um so but we want
we love bringing them together by far
online and our offline community
um to connect to mentor
to support everyone in this space and
bringing together some incredible people
and incredible stories
and really driving forward
policies
diverse recruitment
inclusivity um across a multitude of
areas
so i’ll hand over to the amazing jacob
simmons um he’s been doing some
incredible work building diverse teams
in security space
um for the last few years and he’ll
introduce our our panel for today um
jacob as well as a bit of a side note
i’d love if we could introduce the panel
with pronouns
and name pronunciations and also a fun
fact just to kick us off before we dive
into some incredible questions that we
have planned today
absolutely
thanks lauren it’s an absolute pleasure
to be here this morning um yep so again
my name is jacob simmons uh i’m a
ambassador for women in devops um i
suppose before we kick off then yeah
let’s uh let’s go around so
uh i’m really honored to be joined by uh
the folks on our panel today and i’ll
hand across to you all to go through uh
in no particular order um to introduce
yourselves um obviously as laura
mentioned give us a bit of uh
information around uh well firstly how
to pronounce your name as well and your
pronouns but also
a little fun fact about yourself as well
to get us started today
ryan’s
oh yeah sure yeah i’ll kick this off
i’ll go myself um so again my name is
jacob simmons uh pronouns are he and him
um pronounced jacob so nothing uh
nothing hidden in there um fun facts
about myself i’ve actually lived in
uh
probably four countries in my life now
so
as well as the uk where i was born and
raised um now based in the us with our
los angeles team
on the west coast i’ve also lived in
south of france and nice i was lucky
enough to study and live in lisbon as
well so um had a great chance to soak up
some some culture in those areas too
um
no particular order i guess uh stefania
i’m looking at you you at the moment so
did you want to
i was thinking of my fun fact i was like
okay no pressure um so hi everyone i’m
stefania or stefania depending on where
you’re from uh so i’m from london um
i’ve been in the devsecop space about
five years before that i was a python
developer and my fun fact before that so
it would have been about i think it was
2012 maybe 2013 i had a youtube video
that went viral
and got 11 000 views wow
wow i know which felt like a lot then
obviously you know pre-ticked i think i
don’t know i think instagram existed but
yeah for the you know uni student me i
was very happy
that is impressive
um i’ll go ahead and go next my name is
jackie chailogen i work for matica which
is a fintech company that provides
development solutions for
financial institutions and
secure hardware i am the chief
information security officer there
and i am based in northern california
near sacramento and a town called davis
uc davis is here if you guys are
familiar with that university
um fun fact about me had to think about
it for a while too um i guess i’m gonna
go with i love karaoke and you don’t
need to give me any liquid courage to
get up there and sing i’ll just do it
live for the party excellent
yeah i’ll just jump in hi everyone i’m
moan ashkenazi
and i’m tic information security and vp
security engineering jfrog i live in tel
aviv and i’m doing cyber security for
almost 22 years
quite a lot
and i don’t know if it’s fun but
some hobbies that i have is just i love
running and i wish i could do that more
very fun definitely uh
definitely useful in terms of health
exam
yeah go next hi everyone um my name is
nitsan
uh also from the j frog security team uh
i’m leading the secops and incident
response team here at jfrog
i’ve been doing security for the last
10 years i guess
i try to think of
something fun but i guess that in the
last uh
this kobe days um
not not
on my area so
i’ll need to get back with that
we’ll circle back you’re not the only
one it’s uh it’s been
probably a not not too eventful a couple
of years in terms of uh travel or
anything like that you know try to think
what hobbies
like two years ago but uh
yeah it’s been so long
we’ll uh we’ll circle back with you on
that one but um let’s uh i suppose let’s
jump straight in then really so again
you know honored to be here with you all
and uh
you know a number of questions that i’m
really keen to get your insight you know
on uh before going into you know new
trends i suppose for security moving
into 2022 um was really keen to kind of
take stock in terms of where we are now
so you know if we look at recent history
uh jumping straight with question number
number one how how commonplace do you
think it will be to see
um you know all the tax being carried
out successfully due to things like you
know logging and monitoring
ie you know current cyber security best
practices being being missed out on i
suppose generally and that’s open open
to the panel
i’ve heard a really fun statistic that
25 of all breaches are caused by human
error
um so i think with that um you know
unfortunately we are humans we’re not
robots so whether that’s accidentally
making a true or false or you know
forgetting to add an integer um i i
dated someone who worked in finance in
tech and one day he accidentally lost 72
million pounds um because of a simple
thing like that
i know he found it but then you know
stuff couldn’t happen it wasn’t a good
day in the office but um
i i think it’s we have to be a bit more
empathetic with ourselves sometimes
because a lot of these things are um
just human error um so it’s really about
making sure that when we are working
we’re present so we’re not making those
kind of mistakes i have another good
example i had a whole i read this whole
forbes article and one of them as well
was someone in japan um instead of one
stock for 225 000 yen they did the other
way around 225 000 stopped for one yen
which had about a 10 effect on the on
the nikkei which is their stock exchange
and so you know human error happens
everywhere but especially when it comes
to security um that’s when it can have
some really big consequences
definitely so maybe taking stock on yeah
like you say there’s just the simple
things of
uh you know i suppose staff education
if some things are unavoidable so
perhaps maybe working in some kind of
margin in error to allow for those you
know those types of things
um i wonder if the panel had any any
thoughts in terms of you know i suppose
things again that are
you would perhaps take for granted in
terms of security best practice you know
again so things like um you know so for
instance monitoring logging keeping
track of activities that have happened
within the business so that you you know
what to refer to um or simple things
like storing secure information in a
secure place or or you know
two-factor authentication for instance
is there anything that you would say
that’s probably
you would think is is obvious or perhaps
common knowledge that that most
companies should be um you know should
be doing on a day-to-day almost but
perhaps are still missing out on that
might be a current factor that we’ll see
sort of carry off into you know 2022 in
terms of really impacting uh you know
the security space moving forward
i think it’s um
from my experience
it’s nothing new i think that we still
see a lot of um
like bad practices like uh the
organization
don’t invest enough in patching and and
making sure that vulnerabilities
are being handled properly and we still
see like very old version of of software
being
publicly exposed and being um and then
exposing an organization to
very easy uh kind of attacks uh like
working with exploits that are can be
five or six or seven years old
uh which i guess like by scanning the
internet like very easy task today and
you can know exactly like
what version is running and publicly
exposing like finding an exploit on
github even uh can let you write in
um
so it’s it’s not like you know a new
trend but definitely something
sorry that need to be considered more
often by security teams
i think on that as well you know don’t
believe everything you read in stack
overflow some people sometimes say
malicious things um so that
um you know to your point you just have
to be very careful you know what
information you’re getting where you’re
getting from and how you’re using it
jackie any thoughts on that yeah i kind
of wanted to go off of what stefania was
saying is the
the
the biggest vulnerability is human error
right that’s the biggest one across the
board and whether you’re talking about
um
people making simple mistakes uh or
exposing you know their password because
they wrote it down on a post-it note or
something silly like that or ignoring
vulnerabilities and not patching
properly you know it all rolls up to
human mistake pretty much
so um i think what we’re going to see
maybe a little bit more with the old
vulnerabilities is those smaller
companies that maybe don’t have a proper
security team in place
and uh they haven’t properly patched and
they’re going to be more exposed to
these kinds of attacks you you you would
assume that the larger companies are
getting their act together and starting
to address these things more
more proactively right so now it’s time
let’s start looking at the smaller ones
and see what we can take advantage of
there
i would add to that and so agree with
you all and i think that one of the
things that we’re trying to do so hard
today is empower our employees yeah give
them you know the power to do stuff to
run fast to develop fast and with that
with those you know that great power
comes great responsibility and not
necessary everyone truly understand
what they can what happened what can
happen if they will just run the docker
image and just just start you know a new
new
new container and immediately uh crypto
miner can just
start and and i think
those situations when we need to just
put the boundaries on the right places
and keep our employees from from cyber
attacks it’s not just a human’s mistakes
not necessarily there they actually know
what’s going on all those boundaries all
those layers behind you know the the
software the simple software that we are
delivering
so
on top of that
yeah i truly think that we need to take
care of the cloud hygiene so much and
help them
to just do what they need to
yeah a point well made they’re so
simplistic cloud hygiene as well as you
mentioned and um that kind of your point
there leads quite nicely onto our next
question i will um
you know open back out to the panel
did anyone have any other points to add
or perhaps any thoughts on uh on moyan’s
comments there
i talk about cloud security a lot and to
quote moran um with great power comes
great security vulnerabilities so i talk
about that a lot because it’s true
because you’re like oh yeah it’s in the
cloud it’s fine
it’s not fine just because aw aws is
okay will handle you if their data
center catches on fire but in terms of
authentication you know people hacking
in crypto miners that you’re on your own
for that one or you know there are
people that can help
absolutely
um we’ll definitely circle back to that
uh on a couple of our questions to
follow but i suppose just uh upon the
point of um you know what i’m mentioning
in terms of uh vulnerability with
attacks so you know after seeing 2021’s
global spike in ransomware activity um
what you know what trends would you
would you say that you’d expect to see
with with those specific types of
attacks you know moving forward when it
comes to discussing you know ransomware
and the market at the moment in terms of
where we’re heading
so i think there will be two things
around the around summer activity first
it’s the even the ransom developed it’s
not just a ransom anymore it’s a double
and triple ransom something so
complicated it’s not enough just to
encrypt
your accounts or or you know um
workloads
i think that
one of the outcome of the ransom is how
to get into a random situation right so
so organization need to focus on their
products and in order to do that you can
see the digital transformation
so you know running so fast
so we’re adopting more and more software
within that
we are open to the supply chain attacks
and it depends on the cloud yeah it’s a
software it’s probably super safe
because it’s x and or why you know
company behind that and they’re very
strong so we are depending on others and
that dependency is something that needs
to be managed because
mistaking the dependency can lead to
ransom ransom is it it will come right
after either it’s gonna be like
vulnerability in their code the supply
chain attacks or a data you know
exposure they can just get access
you pull off the data and then you have
the triple or
outcome of a different ransom when you
have like not just encryption but
they’re actually stole the data and keep
it and you need to pay off to take it
take it back so i think that involvement
with the digital
transformation will take us to
complicated situation or a single uh or
triple run some activities
with digital transformation will come
more more complex forms of attack to
pick at those
those gaps being created yeah it’s not
like access to the data center anymore
it’s it’s so distributed the data is so
distributed so it’s not just that you
know go to the data center hack it crypt
it encrypt it and that’s it you have the
key it’s not that the data is all over
it’s so complex today
and it’s going to be more and more um
involved
so i think that ransom will be outcome
but the different
attack chain will be in place definitely
it will be more complicated
yeah absolutely
stefania thoughts um i was gonna say
because i i’m gonna i’m actually
stealing someone else’s point of view
because i was a really interesting talk
and i was like you know what you’re
right and it’s great for this
conversation because if we look back a
couple of years ago what used to happen
like equifax marriott hotels where they
used to empty the database they used to
go in like we’ve got 500 million
personal records we’ve got birthdays
we’ve got emails and sometimes obviously
credit cards all the pai
yeah yeah all the pii exactly but what
would happen to some extent is the
people that you know obviously there’s a
big new scandal and it’s you know bad
bad pr but actually it’s like so okay so
you’ve got all this data it’s on a
secret database on the dark web so
so then what would happen with the
hackers is that now it’s at a point
where they’re like okay so stealing
personal data obviously it’s bad i’m not
i’m not saying it’s just so but now with
the rants somewhere it’s like oh you’re
now locked out of your system you cannot
do anything you are totally i’ll just
i’ll just say f’d um so it’s a lot more
like instead of so what it’s like okay
this is mission critical so i think
there’s been a transition where now
hackers are really out for the jugular
so you know to rand’s point about
digital transformation it will get more
complex but it’s definitely going to be
about stopping the business
um you know versus before when it was
just about you know stealing pii
absolutely
yeah i can definitely agree and want to
add um i think that
um as
this kind of attacks um getting more
traction and you know um i think that
today ransomware is probably one of the
top
type of attacks we see
um going on and i think that that
organization understand that and start
uh you know building like plans how to
um
i guess handle ransomware which makes
attackers be much more sophisticated and
and like if organization like if
ransomware attacks was you know only
encrypting files then now organization
knows that they need to back up and you
know export their backups out and i
think that attackers will be
uh understand that and will be
uh try to
um you know find like new ways to do
that like
not just target organizations probably
target also like other victims and we
saw that sometimes uh data like
sensitive data is being uh
steal from the organization and then
like customers of the organization are
being targeted so now uh someone can you
know get an email saying uh we stole
your credit card we stole your uh
personal information like
um health records stuff like that and
and if you
want us not publishing it
um then pay up
definitely raise an interesting point
there as well in terms of the complexity
again of how that can
fall back not just on the organization
but on their customers as well
um
jackie
i think what i i’m expecting to see is a
targeted attacks towards individuals
over social engineering um trying to
find those vulnerabilities in in people
like we were just talking about a few
minutes ago and marantz absolutely right
education and empowerment uh and
training people on how to identify those
uh you know catfishing at a kind of
another another level whole another
level um and being able to avoid those
kind of attacks
and
trying to glean information out of
people is going to become extremely
important proper training
i definitely see social media as
becoming a way that hackers will use to
try to get more and more information out
of people and exploit them
definitely and and interestingly enough
i actually recently had um some
conjecture that perhaps moving into next
year there might even be a case of
uh you know even simulated ransomware
attacks where perhaps even the threat of
you know data being released or perhaps
somebody being compromised because it’s
now so much more commonplace perhaps in
some cases leads to
less actual
um you know support behind that threat
so even the threat of itself might might
become you know in terms of social
engineering might become a pressure
point um i just wondered if anyone had
any any thoughts on that in terms of
you know
ransomware gaining steam as a thing well
you know as an entity rather than a you
know tangible um
you know malware as well
i was going to play devil’s advocate
just as you were talking because um so
you know if it becomes commonplace as it
is um i’m not sure if everyone is
familiar with netflix’s uh chaos monkeys
or chaos engineering so i’ll just give a
quick a quick description which is if
your bike went flat you know would you
know how to change the wheel what about
if you changed it every sunday and the
same applies to tech so netflix is like
let’s just wipe out that data center
let’s just like turn off all the
security so maybe we need to start you
know having more you know testing you
know chaos monkeys full stuff like
ransomware like okay let’s get on
tuesday the 3rd of december oh no second
i don’t know what day it is but anyway
next tuesday we’re gonna do a a practice
ransomware and see what happens and we
we might not tell anyone i don’t know
but i think maybe that kind of thing
needs to be um you know brought more
into the main stage because it is it is
growing um so it definitely needs to be
protected against
so agree with you so those uh ransom
drills
and stimulate it’s definitely something
that i can tell that we’re investing in
that on our daily and it’s one of the
biggest plan for 2022 is actually do the
drill and do a live drill and then also
like round table around it and then
learn let’s learn from that and super
super important
because it’s not it’s not a ransom you
know prevention or
be able to um protect your organization
or recovery fast it’s not just backup
and
plan it’s different two different things
becca plan and bcp plan it’s one thing
and it’s great and it’s super important
for availability but it’s when it goes
to random it’s a different use case you
need uh you need to have like
vault accounts that will keep and and
store all the data in an interface it’s
a different approach because you don’t
want
the backup to be encrypted as well so so
you’ll be like you’ll be dead and that’s
not a purpose and i think it’s different
approach the bcp will involve and you’re
to see a lot of i think organization
developer organization that will put an
invest time and effort to think about
how to recover from ransom and not just
have backup yeah it’s cloud native it’s
all backup all cool great it’s not in
case of random they will back up and
encrypted your backup as well
it’s not going to help you so yeah i’m
totally agree with stefania that
this is a super important drill to run
in organizations
thanks
um just i mean adding small i guess uh
thing to that is also making sure to
[Music]
make
making sure your team is ready for that
uh do drills with with like the with the
people with the teams uh make sure your
instant response team
uh know how to handle that um it’s not
just as mentioned it’s not just
uh backing up or doing drill on your
infrastructure or making sure you can
you know move from that one data center
to another it’s making the team know
um
tweaks i’m not sure if expect the right
uh way to do that but
i know like how to handle
uh this kind of incident
absolutely as they say uh you know
prevention is the best cure so yeah
having those you know those those
processes in place to be able to
make sure that everyone’s positioned and
um you know preemptively have some kind
of pre-approved you know process in
place would be ideal um you know failing
that i suppose and that leads us fairly
neatly onto our next question um in
terms of the you know the regulations
that are in place now for for when you
know
ransomware does for ransomware attacks
do occur and businesses do find
themselves vulnerable um you know and
targeted to make payments through
cryptocurrency recent regulations were
put in place with uh you know sanctions
on payments through cryptocurrency and
um you know ways to to perhaps um deter
these types of attacks and ways in which
they can be remunerated but will you
know
how do you think that the trends of
uh combating these types of attacks in
2022 will start to evolve you know when
they do occur
so i have a it’s not funny but i have a
funny personal story i was at the gym
there’s a guy that i sometimes talk to
he works in finance i said i worked in
cyber security and he’s like oh yeah my
friend’s business got hacked they you
know they said 200 million euros oh but
it was okay you know the insurers paid
it off they only paid off 50 million
euros and i’m there like
because i think a lot of the time we
think about this obviously we’re all you
know the the white hats you know
security with good guys you have the
hacker the bad guys but we’re all very
technical so we know that to do a
sophisticated attack isn’t that
expensive and if you’re gonna give a
nefarious group 50 million they’re gonna
that’s that’s gonna really power them so
i think a lot of the time um you know
you see in all the films it’s like we do
not negotiate with terrorists but i
think that we have to strike a balance
between okay if you’ve got a ransomware
and your business is incapacitated but
they want a lot of money you know how
much are you willing to give because any
money you give them it’s just you know
funding their future so i think and i
think that’s a kind of a disconnect as
well because like i said we all know
hacks aren’t that expensive and there’s
stuff on the internet you can buy for
almost free um but you know like i said
this guy was about my age and we were
just in him and he’s like no no it’s
fine he only had to pay 50 million and
like my face was shocked he didn’t get
it and i didn’t get how he hid so i
think that’s definitely when we look at
like the insurers um and you know the
regulations coming into place you need
to also bear in mind that perspective as
well as security
from a selfish perspective working in
security having it in the news a lot
about the ransomware i have family
asking me which is rare because no one
ever knew what cyber security was before
so i think as an industry you know i
think businesses are going to catch on
because they realize oh it’s great we’re
all digital but then you obviously have
to secure it you know you would have
security if you had a building so why
don’t you have it for your cloud
environment etc
very good point and jackie it looked
like you were gonna you know
i kind of wanted to go off of what
stefani was saying about insurance
companies this is where i think it’s
going to kind of trickle down from we’re
starting with regulations insurance
companies are going to look at these
regulations and then
they’re you know the insurance company’s
goal is to not pay out you know they
don’t want to pay out so they’re going
to start putting in um rules in place
themselves that say you need to be
having these kinds of
uh policies and procedures in place you
need to have ransomware drills that
you’re doing on a regular basis
um and that’s it’s gonna start kind of
start from there and kind of go down
from there that’s that’s how i see it
envision it anyway
yeah i’ve been reading there was an
article in reuters a few weeks ago about
specifically ransomware and insurers and
as a trend what you’re seeing is 10
million used to be standard now it’s 5
million so half the amount but it’s
double the price because as you said the
insurers don’t want to pay out so all of
a sudden cyber insurance is really
expensive i don’t i don’t work in
finance so i don’t quite understand the
numbers but a hundred percent is you
break even and i think what they’re at
95 so all of a sudden it’s not a
profitable market and as you said we’re
going to see that trickling through in
requirements for organizations
that’s interesting so from the insurance
perspective in terms of what marginal
gains are available from even successful
ransom being paid doesn’t sustain the
operation in terms of longevity or
encourage them to even continue that
trend that’s a that’s really interesting
i think key notes take from that as well
um
more andy you were
yeah i just wanted to say that
eventually with all the regulations and
you know legislations and how you want
to really be
you know the pioneer and fight against
the attacker eventually um when the
business shut down
the ceo need to make a decision in its
financial decision eventually so
it’s it’s really great that it has like
cyber security insurance and
that the insurance company want or don’t
want to pay
it doesn’t matter and or there is
legislation of the cryptocurrency
payment et cetera you can kill the
passengers and it’s great it’s okay
everything is is great it’s it’s
improvement over the process
and i think it should be in place and
it’s super important but eventually
it’s cfo
and ceo decisions either to pay or not
and that’s something that will
definitely you know that’s the action
item that will come out of when a crisis
like that will happen
and and i think it will you know people
still will will pay for the bet they
will pay for that because they want the
business up and running
and sometimes it’s even cheaper than you
know
against that and then you know stop and
fight find and be evangelist and then
just uh
this is something that
most of the ceos will need to
to make the right decision for them for
the company
that’s why i’m thinking about it
tough to strike that balance definitely
um next time you uh you’re gonna
chime in there
i think that uh also i mean in terms of
you mentioned the sanctions i think it’s
something that should be
globally adopted
uh if it’s something that we really want
to see slowing down as attackers
because if it will be only you know only
one place i think that
uh hackers will know like where to push
in order to hope to get paid like if for
for example the us decide to to put on
sanctions but other com other countries
won’t then you see more and more uh
accurate targeting companies that don’t
uh do that
and all companies that will decide to i
know pay from
from not the u.s companies but other
companies that don’t have
any sanction in place
and also i guess that’s um
putting the pressure on the companies or
other companies that are involved in
paying to
to these attackers i think that
if the countries won’t help organization
because as mentioned it’s a financial
decision and and i don’t want to be in a
place that uh the company is getting
attacked and the pressure you
you have uh to get your data back or
getting back on your feet
then you can do a point that you
probably uh pay as a last resort so
[Music]
so you need to find solution in order
like solution for companies or to feel
safe or to
if you don’t deal with terror terrorists
at least have like uh the backup
yeah that’s a that’s an important point
i’ve seen some against you know some
some conjecture in terms of uh you know
regulation for next year outside of just
those kind of sanctions that perhaps
more
organizations will be added you know for
instance in the u.s to what’s considered
a terrorist organization and therefore
there are extra regulations in place
that will support the business and you
know they can feel you know safer there
there will also be um
you know i suppose perhaps even in the
in the sense to encourage which decision
the business choose to make um that
there might be more sort of regulations
strictly on not just what the business
chooses to um you know to uh how they’ve
responded all the time in which they’ve
taken them to respond but you know how
transparent they’ve been with what you
know what has occurred
and in that sense encouraging them to
perhaps
you know to choose the course of action
that’s going to be a little bit more you
know prevalent to avoiding enabling um
you know ransomware and perhaps you know
quelling the uh
the hunger for uh you know organizations
to target companies a bit more widely um
just before we move on to our next
question then were there any other uh
points that anyone wanted to add to what
uh
um what was just mentioned a moment ago
bye crypto mining
yes invest in crypto i think it’s a good
thing to do
as a nice side note there yeah perfect
well i mean moving you know into the
next one so and keeping on the theme of
regulation slightly um really i think it
is kind of over to you know
over to the folks on the panel i suppose
to to each of you individually what
would you what kind of legislation would
you like to see coming into effect that
would help you know make your jobs and
your tasks in terms of protecting your
organization i suppose easier and more
simple
i can just go first because i
technically work for a vendor so any
legislation which is like you must buy
this vendor that would be great for me
but i’ll leave it to everyone else
because i know you’ve got a much better
customer perspective
um
i think that
maybe
um
[Music]
i’m not sure if it’s it’s uh like a and
like defining a standard but i think
that um
um
asking organization or
um
telling organization to be better
prepared to this kind of attacks
um
like
not not ransomware specifically but um
like
asking organization to be better
prepared to instant response or better
prepared to um um
like
to deal with catastrophe whether if it’s
uh from cyber or even from from an
infrastructure point of view
will definitely allow um
um
organization to to to deal with it
better to deal with uh with catastrophic
cyber catastrophe uh better uh and we
also like if regulation would stay uh
that uh organizations need to be better
prepared to cyber attack then um like
the
cyber security leads in the organization
have the backup of the from from the
management to to do this kind of things
to making sure that we have drills in
place uh and and and stefania mentioned
that to do this uh
uh like what netflix i forgot the name
netflix are doing so if it will be like
something that every organization is
doing then definitely will help the
teams to handle the security to handle
these issues
in my particular space um pci is is kink
so
i would like to see pci
kind of catch up with the technology
that’s going around right now
um some of the standards that are in
place
are very they’re very sweeping and large
uh requirements that
smaller companies are or you know the
small app developer is trying to adhere
to
and it just hasn’t got quite caught up
with the and it probably never will but
at least maybe get a little closer to
what’s been going on without stifling um
ingenuity right that’s part of the
problem that regulations always have um
but i think if you get granular enough
not too granular but a little bit more
granular on
the
roads that people are taking in their
ingenuity it can certainly help
keep them from being stifled with what
they’re trying to build or what they’re
trying to create so that’s kind of what
i’m hoping for we’re expecting some pci
changes next year so i’m hoping that
we’ll see some stuff that will go along
with where where the technology is going
i’m curious about two new
let’s call it uh practices
right the first one is around the the
the one that they adobe you know they
made on i’m around the
white house executive order supply chain
something that i can’t i can’t wait you
know to see and i’m sure it’s going to
be like miss best practices in the
industry standard around the supply
chain it’s something super important in
my perspective because it will take us
to
you know practices around product
security not necessarily all the
companies adopting that today
from you know code review tools and
static and dynamic code analyses
software composition skills that should
be in place and and you know mutable
around the apis and
um pen testing tools those kind of area
is something that i think that is
and it’s lead me to the second the
second one is around
uh
vendor vetting
today it’s super complex
every new vendor you need to have their
questionnaires try to understand and
they’re secure enough how to make the
decisions and there is no standards
where i keep getting tons of
questionnaires and asking tons of
different questionnaires and there is no
standard around that and i want to have
a
you know a baseline
of tools which kind of maturity security
level you are and then to make a
decision what kind of data you are you
know keeping on my environment it says
it’s a stats that i should adopt if it’s
you know keep secrets or something that
is super insensitive or you know reduce
the risk and it’s something that i can i
can handle if his maturity security will
be like
um
it’s good it’s good enough then we can
go it has nothing to do with my secret
sauce or stuff like that so something
like that that need to have like
practices in place
and automated tools that will make
organization that not necessarily have
like compliance team in place or
security ops that can actually vetting
and understand if it’s good or not for
the organization and make
the decision easier and and much more
faster i think those kind of not
non-standard everyone they were doing
ssdlc by their own everyone are doing
you know um
vetting of third-party vendors by their
own there is no standard around that and
i think it’s super it will i can say
that i can’t say that it will make my
life easier but i think it’s a practice
that the industry should should adopt
and on that point as well of visibility
into you know vendor selection and i
think a little bit more of a streamlined
process in terms of what you know
what compliance and regulation
points have to be considered i was
wondering stefania from the you know
from the vendor side are there any
uh outside of just a regulation that
says yes you should be using these
vendors to you know to enable xyz is
there anything that more practicably
could be in place that would help to to
streamline you know any sort of um
partnership or integration or from you
know from the outsiders perspective
looking in
um so yeah and just on a side note when
you start talking about these
questionnaires that at my last place
that was a big part of my job because i
would have to speak to say the bank like
oh please fill in the questionnaire and
be like okay another one one time i got
about i think it was 7 000 questions in
two weeks and then that was really and
that was also in q4 so that was fun
um but anyway back to the um original
question um so i think it can be quite
complicated you know a cso or a b so or
anyone working in security you know your
life’s not getting any easier you know
we’ve obviously got cloud that we’ve
mentioned you know i think the first
iphone was 2007. i do all my shopping on
mobile i don’t know what i did before um
so i think it can be um very kind of as
i said if you are working in apsec
you’re probably you know overworked and
i think you know to moran’s point if we
could have like a kind of more of a
standard like what do we want from our
vendors okay we want data integrity uh
we want to make sure that everyone’s
using 2fa on their laptops from the
vendor perspective having almost like a
standard
a secure standard for vendors you know
having something a bit more yes
standardized would obviously um kind of
really help
i’ve worked with a couple of different
vendors so you know in a few different
security spaces and i think a lot of the
time and this is a personal preference i
like to work for places where it’s you
know up and coming and it’s it’s a new
space and all this so i end up being
more of a
you know
um and kind of explaining um so um you
know say for example open source
software about five years ago uh people
were like no no we don’t really use open
source and then it kind of the next
conversation was okay yeah we have a bit
but i’m sure it’s fine and then you
start doing all the open source scans
and you’re coming up with vulnerable
versions of libraries that haven’t been
you know updated um so i think a lot of
the time at least from my perspective
customers look to vendors to um you know
for advice because vendors are dealing
with this you know i do dev suck ups all
day every day uh but it’s really about i
mean tomorrow’s point making sure that
you know the vendors you’re working for
are reputable they take security
seriously and you know they’re there to
help they want to build the relationship
rather than someone who’s just going to
be like yeah yeah give me you know a
couple of thousands and i’ll protect you
from ransomwares
okay but how you know what i mean so i
think it’s very much about um you know
trusting your vendors working together
um and yes staying secure
fantastic point and obviously addressed
uh um some of the you know comments that
we had there from from jessica chapel
thanks for your
input there with regards to open source
as well and i hadn’t even
was raised as well moving towards uh
towards open source but again uh you
know quite rightly as jessica’s
mentioned obviously a huge security
concern beginning but over time you know
it will evolve and things will become
more standardized you know as a common
practice
um
were there any other points to add on to
that just before we moved on there as
well
are the panelists uh welcome well just
in between before we move on to our next
question as well had the feedback from
our first poll
um to which eighty percent of people
felt that uh do you feel that you have
an inclusive hiring process eighty
percent yes
um
none for no but uh another twenty
percent for we’re getting there but it’s
slow progress so just before we do you
know moving to our next question as a
general point in terms of you know
inclusive hiring processes i don’t know
whether um
anyone on our panel might have any sort
of tips or you know or um
you know comments as to what perhaps
some of the you know our attendees that
are
trying but perhaps finding some
difficulty in working inclusivity into
their hiring process what they could do
to account for that perhaps from what
you’ve experienced if at
all so this is actually before i worked
in tech but i was interviews and then i
went on site and had a series of
interviews in a row and after the third
guy he was quite senior he was a
director he was like hey you know you’ve
only met men so far i’m going to bring
some women in which okay now we look
back this is about seven years ago and
it’s a bit of a weird thing to say but
actually at the time i was like oh great
cool i’m gonna you know have female
friends so i think having you know
diversity as part of the interview
process can only help candidates also i
used to work in recruitment for a few
years as well it was actually a
recruitment job i was just talking about
and i think job descriptions are a
massive one because i personally
probably gonna offend a lot of people in
the audience but i’m not a jedi
and you know i i know i can’t admit it
because it’s recorded but um i don’t
know that much about sci-fi trivia i
know a bit about marvel but anyway with
the job descriptions you want to you
know have literally have um
have a have a non-white male look over
it and just see if there are any tweaks
um even stuff like jd’s because that’s
often you know top of the funnel if you
have 10 requirements i speak from
experience i coached a lot of my female
friends through this if the effort of a
woman and this is a massive stereotype
and i’m talking in general with younger
females because i know a lot of them or
knew them if a woman can’t do
ten she can only do eight or nine she’s
probably not gonna apply and if a guy
can do one or two he’s like yeah i’ve
got it so even just breaking your jd
into like five bullet points and five
nice to have that can have a massive um
improvement on diversity but i’ll stop
talking now i’ll leave it to the rest of
the panel to chime in
i think it’s very interesting that it’s
still like that and i i can tell from my
own experience that i was like that when
i was younger like a couple of years ago
and and it’s really shocking that it’s
still like that and and
the way i see it and because we’re
interviewing like on a daily right it’s
our second job is like recruiting and
interviewing and try to uh bring more
great people into our um
great team and i think that one of the
things that we should involve and show
them you know
invest
is to do the onboarding right because
there is no perfect candidate
uh if a security engineer is becoming
expert after two years in jfrog
for sure we’re not going to have like
another great guy like him and we always
try to compare and oh we cannot be like
that because we invest two years within
him and he evolved and he developed
himself etc and he’s familiar with the
jfrog or the company uh so um
and
at that point of view i truly think that
we need to
change
the way we are onboarding employees and
try to give them the path to becoming
awesome
even though we don’t have the perfect
candidate but he has like strong
baseline and passion
to do what needs to be done the
expectations should should be also
something that we’re really aligned on
and we need to take him to the path to
become you know what we are looking
forward and put all those great you know
um
terms from the beginning you have to do
this and that and then troll totally
agree with stephania like put all those
10
great
engineer super engineering in the front
for sure we’re not going to have it uh
that’s a 100 it’s not going to happen so
be realistic and try to find the
baseline identify them within the tech
interviews and then try to take him to
the next level by yourself and it’s it’s
it’s not easy fast by the way we’re also
we are every everyday thinking about
academy uh our own academy and how to do
it right it’s something that we need to
invest in order to
to to do better recruiting in our
boarding processes
that’s an excellent point in terms of uh
understanding the you know the
individualism in the particular
candidate and then not standardizing and
working with that to evolve and
investing the time where it needs to be
in each individual case i think is
probably the
real key point to take from that as well
but some excellent points overall um and
jackie you you uh
you looked like you were going to jeff
there as well
uh just a few things that have come
across my mind in the last uh few years
that we especially when we’ve done some
hiring and you’ve already kind of said
this to fania um
when we have
candidates who apply and it the
confidence um
just i don’t see it in the female
candidates as much as i see it in the
male candidates and i think uh what we
need to do as people as women or you
know underrepresented
underrepresented people in positions of
hiring power
is to
mentor and make sure that
people younger than us people entering
the workforce
um can build up that confidence within
themselves you know and and make sure
that they
enter the workforce with with um
somebody that’s kind of got their back
that that would would have been
incredibly empowering for me as i was
coming up um
and um i’ve said this a lot to my teams
as you know when we’re in the positions
that we’re we’re in
you always talk about climbing the
corporate ladder well when we’re when
you’re at the top it’s your job to reach
down and pull people up and that’s what
we need to think um so um
mentoring and starting those internships
that
people can enter in get confident in a
job and using their skills and then take
that whether it’s somewhere else or into
a permanent position in your company
either way
those things are critically important
and and i would have loved to have that
when i was coming up many many years ago
yeah just on that you’ve made me think
of a little happy story but i had a
similar experience when i first started
um in tech um there were i remember the
first friday afternoon call when i was
going to meet the rest of the team and i
was the only woman and and everyone was
was white there was actually one indian
guy in america but i was the only woman
and then there were no women in senior
leadership and i didn’t know any women
in tech and there were no female role
models and i was like in my mid-20s and
i remember sitting there and like okay i
need to be the role model i want to see
so that way one day i will inspire
future generations and then a couple of
months ago i had a meet-up at 6 00 a.m
because it was with australia
because my australian hq my next company
was australian hq so i was up bright and
early doing this talk and then i got
these linkedin messages from these you
know women who had just graduated and
they’re like wow i really loved your
session it was so great so cool and now
i’ve got two little mentees and that’s
the thing little differences that we can
make as women with either hiring power
or you know women you know that are
visible can make a big difference for
the future generation because that’s my
whole drive with public speaking is
because i’m not your average security
techie person and i hope that if i’m you
know out there talking about stuff and
that hopefully i’ll inspire other people
to join so never underestimate the
effect that you personally can have on
other people you know butterfly effect
etc
going on with that yeah creating that
safe space is so important and yeah
that’s what you’re doing and that’s
that’s awesome
some excellent points there and uh
you know i think that’s really
invaluable um you know context from
um especially from everyone that’s kind
of been there and done it and it is on
the inside the other side of the fence
it can i suppose for people when they’re
seeking an opportunity from the other
side of the fence seem a little bit like
it’s
you know just a sort of
you know like a logo almost like a you
know faceless entity that they’re
applying to but these are you know real
people that are um you know you are all
the others the folks on the other side
that have been there and are really keen
to kind of uh
you know to enable that change as well
so it’s really encouraging to hear and
you know really exciting to see um you
know certainly from from my side it
really mimics everything that i see both
in terms of what you know our candidates
want to see and also on the client side
as well with working with you know folks
like yourself that are really engaged uh
in that space so um that’s really
helpful appreciate your your uh your
input there so um we’ve got
quite a few uh questions on our q a that
we’ll uh circle back to perhaps before
we move on any further as well just to
just to address some of the topics that
have been covered so
um we have the most recent ones from
andreas mueller on the points we’re
discussing uh with regards to kind of
regulation and change as well that um
asks do you think with regards to 2022
that most developers are aware that the
usage of container technologies adds new
layers for security vulnerabilities
looking forward to see the results
say it depends on the developer
developer out there
there’s probably one one want to see
more regulations around
i i from from my developer team i think
i can say that they’re probably not
aware of it as much as i would like them
to be so it’s kind of my job to make
sure that they’re getting their secure
coding training um every year and
and informing them of what
you know what things are out there that
could trip them up as they’re coding
i agree with you i think
we’re investing so much on the champion
you know
program internally i still see and
educate them and create some you know
great talk for security talk
heck and show our results get into you
know the developer find it and make him
really understand that and like it and
then be passionate about that and i
think that’s the that’s the thing behind
it because if it’s not relevant
they won’t don’t they won’t join but if
it’s something that they will educate
from and they will learn something new i
would like to learn something new i love
learning you know and educate myself
it’s so selfish but i do
and i think it’s a very it’s a great
point of view you know
get into their mindset and understand
what they love to hear
and and that’s something that we should
drive with you know
so i would vote for the third
and i have something to say about the
first as well
but let’s see the voting
interesting to see uh mit sanders while
that’s coming in any uh
any thoughts to add there finally
um
it’s it’s a tough question i guess i
mean um i’m not sure i think that
uh it’s kind of
still
uh pretty much on the security security
team responsibility to make sure that
like
i guess it’s
containers also consider as an
infrastructure
in my opinion and i think that if our
job was to make sure that that
the infrastructure for developers stay
safe i think that even like now um with
with containers in place
something that the security team needs
to make sure that it’s uh like
being more secured
yes definitely
we need to add like
extra training and explaining like what
are what are the security concerns and
what issues it can bring
but it’s still kind of our
responsibility to make sure it’s um
they don’t do mistakes
appreciate it well i appreciate that
also uh i’m conscious of uh folks in our
panel’s time so i know that we are at
the uh the 10 30 mark now just over um
what we will do is because we’ve still
obviously we’ve had some excellent
dialogue this morning and we’ve still
got quite a few points that we haven’t
gone through there are a number of
people that have uh that have chimed in
on the q a as well so what we can do is
host a blog for some of the unanswered
questions to see if we can kind of get
some some continued discussion around
that um
before we we kind of go into our
you know the networking session
afterwards um i wonder if we had any
closing questions or closing comments
from our panel um what i’m seeing just
as if this was of interest i know that
uh more you’ve seen that uh the poll go
around there uh what trend are you most
interested to see develop next year
we’ve got 48 have said improved threat
intelligence 20 improved regulations
around incident reporting and then 32
that have said more internal company
education for non-security personnel so
it’s a very close race but it looks like
it’s between improved threat
intelligence is the overall winner but
perhaps some education for non-security
personnel um
just uh i don’t know whether there was
any comments regarding that specifically
but just in general before we wrap up
here and go on to our
you know our networking session were
there any closing comments from everyone
that we’ve got here today
just a quick one from me not much to do
with what we talked about i touched it a
bit at the beginning but we are all
humans most of us work in security um
you know i’m sure there are people in
the audience from all you know walks of
text shall i say but um it’s really
important to bear in mind that you know
we’re trying to be a team um so when
security fails your builds we’re not
doing it out of spite we’re doing it
because we don’t want to be on the front
page so it’s really about you know
taking a step back
less friction less finger pointing
thinking you know more pragmatically
okay let’s stay safe let’s stay secure
let’s just be nice to each other so i’m
all about you know let’s be empathetic
and treat each other as people and with
respect uh rather than um you know being
mean to security because we’re just
doing our jobs
i i definitely agree and i think that um
like empowering the security brand in
organization is super important i think
that um
uh it’s very um um
clear in jfrog that we really try to
make uh security more approachable uh
and and make people like uh giving them
um
the idea that security can be uh nice
and not just a blocker uh definitely
with you know production and devops
teams and infrastructure team but also
with like non-technical people
uh giving them more tools giving them
more uh training even more ability to to
do security right
uh and not just you know um doing those
uh early annually uh monthly or whatever
uh training saying that fishing is bad
and
doing and do nots
do it in a fun way i mean it’s it’s as
you mentioned it’s definitely um
something we don’t want to be in the
news
yeah we don’t want to be on the front
page for the wrong reasons and likewise
tapping into stefania’s point we are all
human so why not make it fun and
something that people want to invest
their time and energy into learning more
about you know becoming a part of as
well um jackie your final final comments
yeah
that’s an excellent point you know we’re
not we’re not we’re not the enemy we’re
your friends we’re trying to
protect you and the company um but i
think that’s one thing that’s really
important
is we’re also trying to protect you
right yes the company might be a target
and brought this up earlier but
you might also be the target and
any education that we give you
and
any rules we put in place that you learn
why those rules exist can help you in
your personal life not just in your
career
you start with your personal life then
it goes to your code it’s it’s it’s a
matter of maturity you know and your
care
basically yeah
can’t think anymore
lovely
i think that’s uh that’s the perfect
point and um i’m looking forward to
seeing uh our or everyone from our
audience who can make it in our
networking session now um we’d love to
pick this up as well i don’t know
panelists are you available to join
perhaps i think i’ll hand over to lauren
to to deal with the uh the interim
hi thank you jacob and thank you and to
all of our panelists um
that was a very very interesting
conversation a ton of learning points
there i’ve taken a ton of notes myself
um and i really hope that every single
person that does love on either live
or
um later in the life has learned
something and just want to say thank you
all of you for being so honest and
engaging and raw with your comments and
discussion and and as jacob mentioned
what we do is a bit of follow-up vlogs
there’s a ton of questions then i want
to make sure that um
you know everyone can
can participate if you are still free
please join us over on the live
networking um i’ve also popped a link
into the box for the jfree giveaway um
and the conference tickets and i just
want to say yeah again a huge thank you
to all of our panelists thank you for
your time and support and all of your
insight and i hope to see you all again
very soon just a quick note on the
panelists if any of our attendees today
did want to you know connect with you on
linkedin or reach out or
drop you follow on twitter are you
comfortable for them to do so
perfect excellent okay well we’ll grab
those details and we’ll include those in
the blogs and we’ll go from there and
just a huge thank you again for everyone
i’ll see you over in the networking and
the link’s just gone in the box again
and wherever you are in the world have a
great morning afternoon or evening and
thank you again for joining us today
we’re going to develop security trends
2022 bye thanks

Read More
Read Less