Summary

After years of working as a software developer, Nina Juliadotter was reading headlines about data breaches at major companies. She was horrified to think developers like herself might be leaving vulnerabilities that made these breaches possible. This inspired Nina to study for a Masters in Cybersecurity, and has focused on improving application security ever since. Today, Nina is Westpac’s Principal Information Security Consultant. 

In her conversation with Cole, Nina discusses cybersecurity education and training, the crucial role of software inventory management, the importance of not being afraid to ask “dumb” questions, and more.

Secured is brought to you by Galah Cyber.

Secured by Galah Cyber website

Timestamps

3:13 - Nina’s path to getting into cybersecurity.

3:37 - “I was horrified” - Nina felt responsible for data breaches.

4:50 - Cole: Are developers taught about AppSec today?

7:00 - Need for higher-up management to appreciate the importance of AppSec.

9:00 - Cole: How do we tackle the problem of not having enough respect for AppSec?

10:30 - Nina: I don’t think secure development is rocket science.

12:10 - Nina: I believe the work is meaningful.

13:00 - Nina: It comes down to good and evil.

13:30 - Cole: AppSec is working with real, tangible things.

15:00 - Cole: What does formal cybersecurity education look like?

16:30 - Nina: Considers her work very specialised and narrow-focused.

17:00 - Cole: Believes most AppSec professionals are generalists.

18:30 - Nina: currently focusing on inventory management.

19:00 - Nina: Where do you start with an AppSec program?

21:45 - Cole: How does a large organisation tackle inventory management?

22:40 - Nina: how inventory management works at Westpack.

24:50 - Cole: What’s one personal trait that’s helped in your career?

25:00 - Nina: I was never one of the gifted kids.

25:45 - Nina: Important to always ask questions.

29:30 - Cole: Importance of hard work.

30:40 - Rapid fire questions.

Mentioned in this episode:

Call for Feedback

It comes down to kind of good and evil. Like for example, said, I'm fighting evil here. Damn those bad guys, you're not going to get my data, my money, my transactions, my information F you. I really feel like I'm helping build stronger applications that cannot be breached.

Hi, I'm Cole Cornford, founder, and CEO of Galah Cyber. And this is Secured, the podcast that dives deep into the world of application security. I'll be chatting with Australia's top software security experts about their unconventional career paths to uncover insights into the diverse approaches to AppSec. After years of working as a software developer, Nina, Juliadotter was reading headlines about data breaches of major companies and was horrified to think that devs like herself might be leading vulnerabilities that made these breaches possible. This inspired Nina to study a master's in cybersecurity and her career has focused on improving application security ever since. Today she is Westpac's principal information security consultant. In our conversation, we discussed cybersecurity education and training. The crucial role of software inventory management, the importance of not being afraid to ask dumb questions, and a whole lot more. Hope you're excited. So first question I ask all my guests when they come to the podcast is, as the head of Galah Cyber, the founding feather, as one would call it, I ask everybody, what bird are you most like and why?

Ah, that's a very good question, Cole. I believe I would be most like the bar-tailed godwits, the bar-tailed godwits much like myself, like to migrate between Northern Scandinavia and our terror down here in Dan under, it's like the go-between. And I find it very sympathetic. It's amazing how it can fly for a thousand Ks without even stopping for a snack. I'm not saying I'm okay. My endurance is pretty good, but perhaps not that good. But, yes, it's definitely the bird I would most identify with.

Yeah. Cool. So I like that one because this is a bit of a unique bird. So, I guess next question is, we're going to be basically focusing quite a lot in, at least in this podcast, on making sure that we elevate the profiles and background and stories of people who are working in cybersecurity and especially Apsec, Apsec my area. And I love bringing people on and I know that you are one of the people I learned a lot from over at Westpac, so I'd be excited to hear about how you got into that role and where you came from.

Yeah, that's very interesting and isn't it, everyone has their story into Apsec. So I did computer science as an undergrad, many moons ago, and I worked as a software developer for many years. Kind of enjoyed that. But then at one point or another, I was reflecting on the headlines in the media about data breaches and I was like, oh, no wonder what that is. How, do they come about? What is this? And I was horrified. I had that thinking, feeling like, oh my God, I felt like this is my fault. You know? Because when I had developed all these web applications as I had, I'd never, I'm, ashamed now, but you know, back in the day I didn't actually think what adversaries could do. I thought, well, you make a form, you're asked the user to put their name in, of course, they're going to put their name in.

What else are they going to do? Right? And then I was like, oh, right, you could put malicious code in there. Of course, you can. And I'm not checking for that am I? Anyway, so, I've always been a bit incensed by evil people doing evil deeds to good people. So I was like, you know what? I can do something about this. So yeah, I did a master of cybersecurity to upskill and to learn more about security and that was incredibly interesting. I also did, some online hacking courses, which is also very eye-opening. I come from the offensive side and yeah. And then, wiggled my way into Apsec from there with those two experiences yeah.

That's really cool that you've come from a software engineering background. You wanted to do better. Do you think it's changed terribly much since when you moved into the field? Because you're a bit of an old hand at this point. So do developers do security or consider it as part of their education now? Or how do you think?

I think it's slowly changing. I think I see both sides of that. I still see a lot of developers who have no idea about security in a way that I just find mind-boggling how they cannot understand this in this day and age. So there are a lot of, people who don't know what they're doing and do not consider security. Having said that, when I had first finished my master of cybersecurity and was all very excited, I rang back my old uni where I did my undergrad in computer sciences that, hey, I can help you, with security because you don't have a curriculum in security and I can help you back it into your, courses. And they were like, no thanks

That's awful. That's so bad.

Yeah. I was like, oh, but having said that in these days I see all these grads now at work, and they all seem to be learning quite a bit about security and building security. And then they do, as far as I can understand, compulsive courses on security and I guess to an extent on application security, it's definitely getting better. It's just taking a very long time. So hopefully we'll be in a better position not now, but maybe 10 years or something.

Oh, I mean, yeah, that's all well and good for a new entrance into the market, but what are we going to do about the existing developers? Like 95% of the workforce aren't graduates, probably more than that. So what do you think we do to actually help move those people on a journey as well?

Well it's always, I mean, it's a combination of keratin stick. I would like to put my optimistic hat on and think that if you're a software engineer, surely you want to do the best job you possibly can. And you could definitely say that security is one aspect of quality. So I would like to think that software developers want to do a good job and want to build security in. However, looking back at my experience as a software developer, I was given requirements, Hey, this app needs to do this, go and program it. And I was like, yep, sure thing, let's do that. And then I did that as fast as I could and then I delivered it and everyone was happy. Now if there is no, you know, higher-up management telling me that, hey, security really matters and you really need to build it in and that's going to be part of your performance review and, this and that, it's never going to happen, ever. So I do feel like organizations are focusing so much time and money and effort on educating developers and it's like throwing money and effort into a black hole because if you don't have the top-down approach of going, Hey, really seeing your person, do you understand how important this is? And then have that trickle down through the layers, it's never going to happen. So it has to be a two-pronged approach in my opinion.

One of the key markets and people I, see trying to get into is developer education. Because there are a lot of products and companies out there like Secure Code Warrior, Safe Stack, Contra, Security Journey, and so on. And they're all moving into, even we Hack Purple. They all think they always spout that if a developer understands security issues, then they're going to go ahead and make sure they don't introduce them. But do you think that maybe the market should instead be about educating CXOs or like, engineering managers? I don't know where it is.

A hundred percent. Yeah. It's not going to happen just because the developer themselves wants to build it in. It has to be two-pronged. It has to come from the management to center vise them, say, Hey, I mean, I heard about one company that where they had had a quite a successful Apsec program and that was because of somebody high up senior manager had said, Hey, either you code security or you don't code at all. It was really that simple. And that's really what we need. So Yeah. But how do we get there? Yeah. I suppose we have to educate those management people or something they know.

How do you think a two-pronged attack would work then? Because like, dev education is clearly something that you're passionate about cause it's part of your personal, upbringing moving into Apsec. You were a developer previously, so you understand all the competing concerns and that security's not always a priority. So how do you think we go about tackling this problem?

How do we convince the management that it matters?

Well, let's just say it's like there's a few ways of it, right? It's not so much convincing management why it's important, and I don't think just writing laws saying that your developers need to write secure code is going to help. And what I'm talking more about is we seem to have a proliferation of just products that solve developer education by just trading time for content. What we tend to find, at least in my experience, is that the developers usually don't have the time to actually look at the material in the first place.

Ah, to find the time to do the training as such.

Yeah. So if you're an engineer and you are working nine to five, then you don't want to be told that from five to six you need to do one hour of YouTube secure development training, right? Because if you do, you're basically doing work on top of your work. And there's also, I find a culture all the time that if you're sitting at your desk watching YouTube videos, are you actually working?

Ah, okay. Right. Yeah. I think it comes down to measuring and testing. Like, let's just say, Hey, developer, you must develop secure code. You're being measured on edge and we do all this testing to make sure that the code you deliver is secure. We highly recommend you do this training, go and do the training if you want to keep the job. Okay. That might just sounds a little harsh, doesn't it? but,

Don't worry about being savage. It's all good.

I really don't think we're asking too much. And I also don't think secure development is rocket science. It's computer science. And you can do so much with just the basics of input validation. If you just have the mindset of, hey, all the low-hanging fruit can really be removed, hey, just use the little security feature on this framework you're already using. It's there for you, you know, just set that property or disable that property or whatever it is you need to do. It doesn't take particularly long to kill off a lot of the lower hanging, vulnerabilities.

You did bring up an interesting point about measuring, how do you measure the effectiveness of your developer training in an organization? Because usually when I've seen it, it's in how many people have watched videos or how many people are engaging in the platform. But those two metrics don't actually say how are we meaningfully improving security at this organization. Right? So I'm just thinking how would you go about approaching that problem?

Well, I'm traditional if you want to measure the effectiveness of any Apsec program you, you know, of the Apsec control, you look at a number of new vulnerabilities introduced, so you do testing and new dusting [Inaudible] testing and make sure that you're introducing fewer and fewer, vulnerabilities, I suppose.

Yeah. Okay. So just say like, yeah, this team is in charge of this app. So from our bug bounty program or from our different tooling, we find as many vulnerabilities six months ago. Finn investing and doing dev training for them. Now at this point, we're getting much less on all of those fronts. Yeah.

Yeah. Why not? You know? We're producing more secure software and we can measure that. I think that's fantastic. Right.

Yeah. Cool. So work, what makes you super excited about working at no matter what's, super interesting in the have Appsec space?

I think there are a few things. I mean, first of all, I actually believe that the work I do is meaningful and makes a difference. And I feel extremely privileged to have a job where I can feel that. So that's exciting. It's also very intellectually stimulating, to be honest. It's very geeky, in a way that very much suits me. I get to really geek down into things, which is really wonderful. And also, I mean, generally Appsec folk are really nice, funny people, to be honest. I have a lot of fun working with other AppSec people and other cybersecurity people more generally, to be honest. So yeah. Suppose that thumbs it up.

You mentioned that it's meaningful to you, so, where do you derive meaning from AppSec? Because it all comes from, different places for people, you know?

Sure, yeah. No, I mean I know that must sound with, I don't know, but it comes down to kind of good and evil. Like for example said, I'm fighting evil here than those bad guys. You're not going to get my data, my money, my transactions, my information. F you, I really feel like I'm helping build stronger applications that cannot be breached. And, I'm a customer of the bank I, work for as well and I want to make sure that my data and my money is safe. Yeah. So that's, meaning for me.

Yeah. For me, one of the big things that I really find meaningful is that when you are working to secure applications, there's a very real tangible thing that you can see. I've worked on products like single touch payroll, which is a business owner now. I know that that's how people do payroll and interact with the tax system. Right? I've worked at, Westpac on large applications like St. George's banking app. Right? So it's what people actively use every day. And you know that you are part of a mission to keep those people safe. So I've always liked AppSec because it's super tangible and fun and meaningful when you can talk to someone on the street when in general a lot of cybersecurity you can't. Right.

Yeah. Today I segmented that network.

Yeah. Today I did the test. I was able to order against user access records for these three things. So it's like, well what does that mean to like just an everyday person on the street? So I love that AppSec is super tangible and that, meet makes it really cool for me too. Cause it's just something I can just talk to anyone about really. Right? It's, I'm helping secure the things that you use every day and you interact with every day. So I love that.

Yeah, good point.

So you mentioned that you did a master's of cybersecurity. Could you tell me more about that experience? Because I haven't gone through formal education in cyber at all, so I actually don't really know what it even looks like, to be honest. So

Yeah, absolutely. This was a while ago, so it might have changed a little bit since then, but I suppose the basics would still be the same. Yeah, it was really good because it was really broad in my work now I'm very much a specialist and I only really look at my tiny, tiny little area of the cybersecurity space. But during the master you'd cover really broad area network security. I remember I did a paper on security vulnerabilities in some particular network protocol and you look at nitty gritty details like that or digital forensics, it's very interesting to understand how all that works. Access management and how you can tamper with, the cards that we use to beep in and out of different doors and transport system and whatever, we use them for. That's really interesting. A lot of SCADA security, which is, the control systems we have in industrial systems and ladder logic and how all that works. Hacking, how do you really hack a traffic system? Like all that super geeky stuff that is just so interesting. So yeah, I did a really interesting paper on how you could hack smart parking meters. So yeah, I suppose what I really enjoyed about the master was I learned so much and I learned quite a broad Yeah. Very broadly into cyber security.

I think that it really shows that your depth of experience across a lot of areas because you can have conversations with so many different people at Westpac.

Yeah. I know.

My previous guest, Toby Imorio, he mentioned that cybersecurity is most effective when people have a mile of understanding that's an inch deep and some and you just have a one area where maybe a two or three inches. Right. So, which is us an AppSec.

Yeah. I was thinking, gosh, that's not me. I feel so narrow and so highly specialized. It's ridiculous sometimes, but, yeah, I think you've got to have those specialist people too. But I can still understand and talk to the infrastructure guys and the networking guys and whatnot.

I think you're underselling yourself though in that case, to be honest. Because you can talk to, basically that's one of the underrated skills that I think application security professionals have over a lot of other I cyber people, is that they can really focus on communication, breaking down barriers because they have that background as a software engineer. That lets them say, Hey, this is what the business is trying to achieve. I have all of these different cross cutting concerns. Security is one of those and I've just got to be able to talk about it. Right? And I know a lot of pen testers who just focus exclusively on this thing, it's really bad. I don't know how this exists. It's super bad

Yeah. I suppose we're a bit like broad within our niche then.

Yeah. I don't know about you, but me personally, I know enough about different AWS services and Azure, once I know enough I can talk about them. I kind of understand what they do. I know how to write some terraforms, and spin them up. And I know that you shouldn't leave your S3 buckets public if you don't want people to download things from them, right? But if you're telling me to go fully analyze an AWS tenancy that's just not on my wheelhouse. I don't know how to do that effectively, I'd be much better of a code review for example. So I think a lot of people have in AppSec broad range of experience and just like one area that they're kind of like really cool and into. So what's, what's that area that is super cool and interesting for you? Within our niche? Yeah.

Yeah. Okay. Good question. That's a funny thing. I think I'm specialized because I'm in AppSec but then I'm super specialized within that little thing as well, isn't it? So yeah, I've, shifted a bit here and there at the moment. I'm very much into it, this might sound crazy, but inventory damage, inventory management, it matters. I was very curious, I heard Tanya Janka who's sort of a big profile in our industry talk on another podcast the other day and she and this is also mentioned in her excellent book on the questionnaire of where do you start with an AppSec program? And I was thinking, oh she's probably going totalk about, developer education or whatever. But no, she was like inventory management, if you don't know what you've got, you don't know how to protect it.

And it's really that simple. If you don't know which applications you have in your bank and the profile of them, how on earth can you protect them? If you don't know which applications are internet facing, what kind of data they have, do they have pii, all these things, then you can't do a proper risk assessment and a threat model around them. And you don't know what it is these apps needs and therefore you can't protect them. So that's my little passion product at the moment really trying to drive better inventory management and including in that is also vulnerability management. You can find all the vulnerabilities in the world. It doesn't really matter if you can't attribute them to the right application. Therefore also, the owner of that application and the right support group who can remediate or who can say, Hey guys, you seems to be using this really old framework. How about we look at that from a security point of view?

Yeah. Inventory I actually think is a fantastic place to start because it's a bit easier with devices because you usually you have a person and a person that's a device or there could be a couple of devices, but generally, there it's physical. But with inventory, for software assets, suddenly it gets exponentially more complicated. Because you're moving on from just like, hey I have my app to this app exists in a repository. And uses the CI and ECD in these cloud environments. And these are the libraries that we pull in and each of those libraries has other libraries and then it's like, wait a second. How far does this rabbit hole go?

Oh it's a big, big rabbit hole. Yes. Absolutely right.

So I love that that's one of your passion projects. Because right now our software bill of materials is a really, really big piece.

For good reasons.

But I feel like that's probably too far down the rabbit hole. I think even bringing it back up and saying what is this business process and what applications do we have that meet that business process is probably one of the best questions you can start with for an AppSec conversation. Right?

Yeah. Start on that end because then you can actually do a bit of threat modeling and understand what the risk profile is, which is kind of really fundamental but often overlooked funny enough, I think we're quite keen on just go for the tool than going, hey, let's get it with our search tool. And then you got to come to get all these, a hundred thousand findings and you're like, now what do we do? How are you going to prioritize those findings? Yeah, I agree with you there.

Yeah, it's, so I like that conversation. I'd be keen to explore. So what are you like inventory a bit more, to be honest, because like asset management and asset inventories really does underpin a lot of what we need to be doing in cybersecurity. So how do you go about actually managing inventory in your role?

Well, yeah, it depends on whereabouts and the rabbit hole you are in. So you alluded to it with the components and that because yeah, obviously software composition analysis, and getting that asbo is super important to understand, what an application that is deployed in production is actually composed of. Because as we all know, only about 10 to 20% of what we think of as the app, which is the custom-written source code that implements the business logic that we need is there. And the rest is red mite components that you have, likely grabbed from the internet one day 10 years ago when you were, importing log for J

That's a really big one to be bringing up to be honest, because

Yeah, sorry, we'll sweep that under the carpet for now.

No, no. We'll, like seriously, I imagine that because companies didn't have a good inventory, it would've been extremely difficult to respond to something like log for J right?

Or impossible. Like, but if you've done your inventory, if you got your SBO, you can go, hey, for this vulnerability, this the CVA number, which apps are actually impacted? Boom. It's so powerful. It's insane. So you're definitely a good software composition analysis tool and integrated and implementing that right in your organization. Are you going to put it in the bit bucket or are you going to put it in your pipeline or where are you going to hook in? Little things like that can make a big difference, but yeah. But just application inventory, it's kind of done by a different department who I'm just trying to influence and work with. So not actually sure exactly how they're doing it, but we have obviously systems with applications that are listed where we keep all the details about all the apps and all I'm really trying to do is influence them to also keep the information pieces that I need about it. For example, which programming language is it written in, and is this the kind of what of a purple application? Like is it a SaS application or a mainframe application or is this custom written web application? In which case I find that, more interesting for our website purposes.

Yeah, that data's really important. But, I think that going back to one of those earlier conversations we were having around developer education if you know the apps that exist in your organization and then you understand which developers are building those apps and who's the business owner accountable for it, it means that you can actually measure the effectiveness of that business owner at reducing application risk. Right?

Spot on. Very powerful latch. Yes

So I could see why you'd want to be moving to asset inventory because if there's no owner because you don't know who the apps actually tied to. Then who's actually going to be driving that conversation? And if the developers are rotating between projects, then they're never going to be the same people working on the same apps anytime soon, right?

And, so I've said developers will do what they're told by their senior managers. You're not going to go to the developer and say, Hey, there's this vulnerability, you got to fix it. They're going to say, dude, you are not my boss, you know,

Yeah. Cool. So, okay. I love that. That was a great sequel, Nina. Moving on to another piece. So my audience does lean towards younger people, so what's one personal trait that has helped you for your career?

Yeah, right. Good question. This might sound a little bit corny, but what's really helped me is just working really hard. I was never one of those gifted kids who just got it. I come from the most untechnical family I've ever encountered. Back in the day, we couldn't even understand how to use a VCR player. So when I started my undergrad in computer science, I had never programmed, I didn't understand any of this, which was fine because I really wanted to learn and really applied myself. So I think the combination of going into an area that you genuinely enjoy and then being prepared, to work quite hard until you get it. And I think that's fine because if you enjoy it, it's not really, a chore as such. But I did spend a ridiculous amount of time when I did both my uni degrees, to be honest.

Apart from that, something that I've learned later in life, is always ask, always ask questions, don't feel stupid. There are no dumb questions. I love it. Now when grads come or younger people come and I work with them and they ask questions, which they may think is stupid, but I'm like, no, it's not stupid. Someone came to me the other day and said, Hey, what's the CVE? And I was oh, great question. Let's talk about CVEs. Because you can't know everything. You really can't. And I've also taken on that and I ask what might be considered dumb questions just because, what, why not life's too short. Ask the questions, and get support.

It's funny that you specifically bring up that answer because about a year and a few months ago I went to a Newcastle developer trivia night and the question came up and it said, what does CVE stand for? And then as the sponsor of the event, literally everybody turns to me just the director of the Galah Cyber. And I was sitting there thinking to myself, I just say CVE. I don't actually know what it stands for.

Oh, it's common vulnerabilities and or something.

Yeah. There you go Nina. So I need you on my trivia team basically, right? Because I was so embarrassed at that point. I'm just like, they're like, this is literally the one cyber thing you should know. And I'm like, why didn't they ask about 2FA or OTP or something like that? Yeah. I think that both those are really, really good answers. I think asking questions has really helped me throughout my career a lot as well. I think I've always been an inquisitive person so I've always just not really cared about, what people think and just like put stuff out there even if it sounds really dumb, and just listen to what people say about it. So I think that maybe with a little bit of apropos and, some tact. You can ask the right questions, you can get some fantastic answers out of people, right?

Yeah, exactly. And I think that's what's what I've realized as I have gotten older is that people don't actually mind it if you ask questions. They don't, very few people get annoyed or whatever. I find it interesting when people ask questions. I love to chat.

Yeah. I think it's a lot of people just don't want to appear stupid.

Yeah. Which was me for a long time. That's why I'm saying now like, don't make my mistake because there's no point

And I guess I think at the end of the day we've all got areas that we are stupid in any way.

Everyone does. Of course. Absolutely.

It's totally fine to ask like questions and just learn from that. So

Yes, I still don't get the stupid subnet masks to damage. Anyway don't need to

Yeah. I only recently learned what /26 vs /32 means just like the number of from 24 to 32 means like the number of IP addresses available I think. Where 32 is one and 24 is all of them. So I was just like, Oh okay. I get it now. But also I remember just using sub masks of 255, 255, 255.0 and then never asking what it actually was until I started working in the cloud. So, which was eight years into my career and people were asking me about security groups and AWS and I just I don't know what a subnet mask is. I'm dumb.

No you're not dumb, you're not dumb. It's just we can't know everything all the time.

Exactly. It's impossible.

People learn if we need to.

That's why I leverage, other people who are much smarter than me in their domains so they can go do that stuff. Right?

I know, right? Yes. Leverage other people. Yes.

Yeah. And you said to work hard. I agree. I think that this is something that's come up a lot in my conversations with young people is there seems to be an extreme focus on work-life balance. And I'm just going to say it at work-life balance is for your mid-thirties to forties when you have kids. Just work hard.

Yeah I mean you can choose not to but it will have consequences and such, you can choose. Yeah.

Yeah. I've always been someone who's been quite motivated and disciplined to just work really hard early on in my life and it's led to me at 30 being able to found a company and a domain I love. Right? So I know that the other people I see who are focusing on just like, oh, I'm just going to go and just like go watch the Netflix here and I'm going to pick up some hobbies here and I'm just going to cruise through life that's totally fine. Just expect if you're doing that, won't get you to that place that you want to be as quickly. Right?

Yeah, exactly. Right. That's your choice.

And people notice hard workers as well. So if you turn up at eight and you finish at five or you turn up at 10 and you finish at three like a lot of the people I saw in the public sector. Then their people are going to reward the ones who actually put in the hours and the hard worker. Yeah. I really recommend people look at that. Alright, so, moving on to our last few questions. So, all right. Rapid fire. Here we go. Fun ones for you Nina. So,

Oh dear. Okay.

Alright. Are you ready?

Yes,

So first one, first best purchase under a hundred dollars in why?

Oh, too easy Bottle of champagne. You cannot be sad and drink champagne at the same time and you can get a bottle of champagne for under a hundred dollars.

Really? Like champagne or like fake champagne

Yeah, absolutely. Yeah. Yeah. [Inaudible] Easy.

Okay, cool. What's the most common mistake people make when it comes to cybersecurity?

Ah, too easy. They don't build it in from the beginning. They bolted on after the fact and think, no, no, it's never going to be as good and it's going to be so much more expensive.

Yeah. I see it all the time where they just do not consider it as part of projects and then suddenly just goes crazy.

Oh, I don't understand how it's possible. Like if you build a house, it's not like you don't think about, security then. And then imagine you build a house and then after you're like, oh yeah, got to have locks and got to have windows and doors and everything. It's like, really? You don't do that.

Just imagine architect the house and you're like, oh yeah, it'd be really nice if we put bedrooms in here. Like.

Yeah. Like, it's just so fundamental. I just don't see how it's possible even. But anyway. Okay. Yeah, no, that sounds...

Yeah. Cool. What's the best resource you would recommend for someone who wants to learn more about app security?

That's actually Tanya Janka's book. Alison Bob Learn application security.

Yeah cool. Awesome. I like that book. It's a good one. Makes it nice and digestible for people.

Yes, exactly.

All right, so Nina, we'll finish up with one more question for you. So what's the one piece of advice that you'd give to our listeners? That right now people wouldn't normally think is security advice that they can help keep themselves and their businesses secured.

Be very careful and mindful of what data you put out about yourself out there. It's something that security people are quite mindful of, but not security people if you know what I mean. And apart from that, obviously use the password manager or whatever you do.

There's a reason that'd have been phoned as being successful as a service. Right? So just if people use passwords instead of use password managers, ah, then yeah, data proliferation. I shouted to think about the real estate agencies. Amongst other things. I'm sure that everybody fingers my passport at this point, so it is what it is. Right? Well, hey Nina, thank you so much for coming on and sharing your insight to me. It was an absolutely amazing interview. I really loved having you here and I hope that we can speak some more in the future.

Yeah, thanks so much for having me. There's so much fun. I can talk about uptake until the cows come home, so yeah, anytime.

Okay.

Thank you, Cole.