In this episode of "Build Amazing Things Securely," host Laura Bell Main sits down with Andrew from Teko. Andrew shares his journey from software development to application security, highlighting his burnout experience and subsequent career pivot. He discusses the importance of understanding and integrating into teams' existing processes, using techniques like Rosebud Thorn for cultural and security growth. Andrew emphasizes learning from mistakes, the value of different perspectives in AppSec, and the future direction of the field.

Key Points:

1. Andrew's Background: Transition from software development to a focus on data analytics and application security.
2. Burnout and Recovery: Andrew's experience with burnout and how it reshaped his career focus towards people and helping others.
3. Integrating Security into Development: Strategies for seamlessly integrating security measures into existing software development processes.
4. Rose Bud Thorn Technique: Utilizing this method for understanding team dynamics and improving security culture.
5. Future of AppSec: Andrew's insights into the evolving role of application security as a facilitator and enabler within development teams.

Homework (Recommended Actions):

1. Reflect on Team Processes: Use the Rosebud Thorn technique to identify areas of strength, growth, and challenges within your team.
2. Learn from Mistakes: Encourage a culture where making and learning from mistakes is valued.
3. Adopt User-Centric Security: Consider how security measures impact the end user and integrate them thoughtfully into your development process.
4. Stay Informed: Keep up with the evolving trends in application security to remain effective and relevant in your field.

Relevant Links:

• https://easyretro.io/templates/rose-bud-thorn/
• https://tayko.io/
• https://www.linkedin.com/in/andrew-wheatley-55247225/

DYjSn56zeT31N17Upavk

laura-bell-main--she-her-_1_11-22-2023_130012:

Hello everybody and welcome back to this

2

episode of Build Amazing Things Securely.

3

My name is Laura Bell Main and

as well as Running Safe Stack.

4

I am your host and guide for

this and All Bats episodes today.

5

We have a great guest with us.

6

We have Andrew here from.

7

Tayko.

8

Now I, I am seeing that

in the, that little way.

9

'cause I saw it written down and my

brain went, how do I pronounce this?

10

You'll know this from previous episodes.

11

I'm bad at names.

12

So it's like Tao, but not Tao.

13

So there we go.

14

You can always say in that kind of

name if you want in that kind of tone.

15

But jokes aside, welcome Andrew.

16

It is lovely to have you here today.

17

Track 1: It's good to have you.

18

So just letting you know, Laura it's Teko.

19

Do you wanna start again?

20

laura-bell-main--she-her-_1_11-22-2023_130012:

I'm truly terrible with names.

21

No, we're just gonna leave it Soko.

22

There we go.

23

No, we, we on this show.

24

We own our mistakes.

25

Track 1: I was trying to

help you with the taco

26

laura-bell-main--she-her-_1_11-22-2023_130012:

just, yeah, no, and no.

27

And then I

28

Track 1: have gone down the Tokyo route.

29

laura-bell-main--she-her-_1_11-22-2023_130012:

Yeah, I did.

30

My brain just liked going there.

31

All right.

32

Okay, so

33

Track 1: We just like the sound

of it and we like the look of it.

34

So

35

laura-bell-main--she-her-_1_11-22-2023_130012:

Takyo, like ko.

36

Wait, we got it.

37

Okay.

38

So thank you Andrew.

39

We've already learned things.

40

I've already learned things today.

41

So who are you?

42

The human.

43

Track 1: Who am I?

44

The human.

45

Okay.

46

Oh, that, that's a very deep question.

47

, how long do we have?

48

We've got 25 minutes.

49

25 minutes.

50

laura-bell-main--she-her-_1_11-22-2023_130012:

yeah.

51

I'll steer you if you end up on laying on

a couch and talking about your parents.

52

We'll be fine though.

53

Track 1: Good, good.

54

. I tend to do that.

55

Me as a person.

56

I'm someone that, likes to,

I've always been very technical.

57

I've been a data-driven kind of person.

58

I love data analytics.

59

I love finding behavioral

patterns in data.

60

And, it was, there was a point in around

61

acquisition and I was helping around

that company and I burnt myself out.

62

I.

63

I took some time off.

64

I was, and I started to really

think about, my approach.

65

And I think that's what who I am now

as a person is I changed my attitude

66

and my way of thinking about things.

67

And I like still like to use

data, but I also love people.

68

And I love helping people and I've always

loved helping people and I I've started

69

like this security journey now about

helping and relating to people rather than

70

letting technology dictate and letting

processes and rigid things dictate.

71

As a person, that's who I am.

72

I love to help.

73

And where I've come from a careers

perspective I've done about 10 to

74

15 years of software development.

75

Came from the good old days of,

that net drive went through all

76

the perils of ASP version one.

77

laura-bell-main--she-her-_1_11-22-2023_130012:

Ooh.

78

Track 1: and and I think I was very lucky

'cause at that era of working inside

79

companies, we got to see a lot of change

in the attitudes of maybe the old guard

80

and the new guard that was coming through,

which is this agile process that, had,

81

has been around for, 50 plus years.

82

But finally getting into those teams

and progressing away from the waterfall

83

techniques and having those epiphany

moments, in when it was all coming out,

84

I think was a very unique position to be

in, and I've carried that out as well.

85

So yeah, developer, then I decided

to create a really nice portal

86

for everyone to, to log into, so

for some volunteers, and I made

87

it vulnerable and it got hacked.

88

laura-bell-main--she-her-_1_11-22-2023_130012:

Oh no.

89

Track 1: all know about those kind

of things, it never feels good.

90

And, I left it for a couple

of months, but then I started

91

to really get intrigued in it.

92

And I've met a couple

of really good people.

93

They weren't, dictating, they helped me.

94

They gave me some books to

read about the OS top 10.

95

There was a book about it

and how to do it in net.

96

So I read that.

97

And.

98

So I started to get my journey in security

through Alcorn Group with Wade Alcorn.

99

And he gave me the confidence that

I wanted to have to start working

100

in security and naturally led me

into my AppSec career that I am,

101

like I'm journeying on now and.

102

Now my company that I'm trying to show

and help the industry change in the

103

way that I felt back in 2000 2010.

104

That's a long time ago now, isn't it?

105

laura-bell-main--she-her-_1_11-22-2023_130012:

Yeah, it's all right.

106

We're all old.

107

We'll just bypass that.

108

Don't worry.

109

Track 1: But yeah, that,

that's me at the moment.

110

And I've got my business

par partner, Isaac.

111

We've got a similar mindset about

helping our clients predominantly,

112

rather than just doing the

everyday sort of consultancy work.

113

And yeah, that, that's sort of

me where I am at the moment.

114

I love my family.

115

I put them above everything

else since that burnout period.

116

And I'm, I try and make sure that I.

117

Our employees have that sort of sane

mentality and hopefully we won't

118

go down the way that, traditionally

happens with burnout for certain

119

consultants in our industry.

120

laura-bell-main--she-her-_1_11-22-2023_130012:

Look there, there's many

121

things to unpick here.

122

I'm just gonna call out a few things.

123

Firstly, hat tip to the OG Wade Alcorn,

who, if you haven't met him, folks

124

at home is genuinely a nice human.

125

Do reach out and have a look at

what he's up to and what he's done.

126

It is an impressive career path he's built

for himself, and I know he's impacted a

127

lot of people, not just the lovely Andrew.

128

He's today.

129

It's a big step to, to build

your own company, Andrew.

130

So that's really amazing.

131

And congratulations.

132

Burnout is a terrible thing and I'm

sure many of the audience have been

133

around that in some way, but to

come back from that and choose to

134

build something of your own is huge.

135

So fantastic.

136

Really excited.

137

And that's why I wanted to have you

on today because some of the ways you

138

think Andrew are a little bit unusual.

139

And when we've been talking in

the past, there are ways you

140

bringing security to software.

141

That we haven't thought about before,

or at least I haven't thought about.

142

So I wanted to dig in today of, with

the breadth of experience you have with

143

all of the things you've seen what is it

you do in AppSec that's a bit weird and

144

different, and what can we learn from you?

145

Track 1: Look it is a bit weird and

a bit different and it's probably

146

a weird and different to maybe our,

like our fellow folks in security.

147

But if you were to talk to an engineer

and to a product manager, these kind

148

of ways of thinking are actually

fairly straightforward and what they do

149

every day and how they do things and.

150

I definitely felt that way when

I first was introduced to most of

151

these processes that I like to like,

that I like to do with companies

152

when I go in and have a look around.

153

And, I didn't necessarily

start thinking this way.

154

I've made a lot of mistakes

along the way, and I think

155

that's something that, you know.

156

I hope your viewers and listeners like get

to listen to that and say, I don't wanna

157

make mistakes make as many mistakes as

you can, because if I didn't make those

158

mistakes, I wouldn't have the mental

like thinking that I have right now.

159

And, don't be arrogant about it.

160

Differently, generally that's a.

161

And I can encourage my children always

think differently and don't worry

162

about if people say that it's wrong.

163

You personally know if you are

on the right track and you think

164

positively, so give it a go and

it's okay to make those mistakes.

165

laura-bell-main--she-her-_1_11-22-2023_130012:

All right.

166

You've got us all intrigued, Andrew.

167

Okay we've got permission

to make mistakes.

168

It's all gonna feel a bit weird.

169

I feel like we're being briefed on

some kind of crazy adventure here.

170

So what are these processes that you

are borrowing from the existing software

171

world, from the existing product world

and where do they fit into security?

172

Track 1: Generally with application

security, we want to fit into the

173

lifecycle of a product or, S-S-D-L-C.

174

So the software development lifecycle

is something that we, where we always

175

start with when we talk about AppSec and

where we're going to inject security.

176

I've tried that before, and when I've

come in with, threat modeling processes of

177

different maturities of different things,

I've started from, asking those three

178

key questions, what can go wrong, all

those kind of things to full on blowing

179

spreadsheets with, questions that would

generally help us, but maybe not help

180

an engineer who's too busy doing work.

181

The very first one that I got to be

involved in is the Rose Budd Thorn.

182

And it was part of a retro

session with one of the teams.

183

And it was basically trying to get

what they had done wrong, what they'd

184

done right, and what do they want to

actually do further in the future.

185

And I've taken that sort of approach

to how I come into companies.

186

I.

187

And evaluate like where everything is

because if you get a bunch of, very

188

intelligent, smart people in a room and

you ask them a few questions and you

189

break up those sessions into smaller

sessions with smaller groups of people, I.

190

You really start to get how

they're feeling and where

191

security truly actually is.

192

'cause you can sit in a room and talk

about it as we all have done and through

193

auditors and all that kind of stuff.

194

But if you don't truly believe

that what you're doing is actually

195

going to make a difference, then

you generally don't want to.

196

And I found that get,

letting everyone get it out.

197

And generally you do find

there's a lot of thorns.

198

And then

199

laura-bell-main--she-her-_1_11-22-2023_130012:

Hank, I'm gonna have to stop you, Andrew.

200

'cause you believe it or not, I

don't know what Rosebud Thorn is.

201

Can you just step us backwards

and what is a rose and what

202

is a bird and what is a thorn?

203

'cause I don't think we're

in the garden right now.

204

Track 1: Yeah.

205

So when you think about a,

like a rose it generally goes

206

through the phases of growth.

207

And so you've got the

thorn, which hurts you.

208

So that's the bad, the things that

you know, you're not generally

209

happy with and what you're going

and how you're progressing.

210

You got the bud, which is your growth.

211

So what do you want to do

and how do you wanna do it?

212

What do you think you can do better?

213

And then you got your flour, which

is the thing that you are doing well.

214

And that's probably one of the

most important things to 'cause.

215

It's usually the one that isn't

filled out the most when you

216

have these kind of sessions.

217

And it's that process of taking those

thorns and actually talking and digesting

218

some of those things together that they

actually do turn out to be flowers.

219

That's pretty much the gist,

220

laura-bell-main--she-her-_1_11-22-2023_130012:

today I.

221

Track 1: and, yeah I just found it

like it's, anyone that hasn't done it,

222

even going through that process that we

just went through a little bit before,

223

it makes you break out of the normal

mundane routines of what's going on.

224

And allows people to relax and do things.

225

And the more session sessions you do.

226

Something that I've, that I wasn't

doing in the past, but I'm starting

227

to do now is keep a track of each one

and to show, and maybe we might talk

228

about it a bit more, but we've gotta

show, when you talk about these kind

229

of processes, it's hard to measure.

230

And that's one of the experiments I'm

going with right now with seeing how I can

231

measure like company's growth and culture.

232

Through this process by showing them like,

this was a thorn four quarters ago and

233

now it's a, it's turned into a rose and

things like that, and it helps teams show

234

that they actually are growing in security

235

laura-bell-main--she-her-_1_11-22-2023_130012:

I love this.

236

I love this because, we talk a lot

about return on investment and you'll

237

see lots of marketers who, say, Hey,

do this thing and you will get, a

238

hundred million dollars return on this.

239

Or, 93% of bugs are

stopped in their tracks.

240

But in reality, most of

that's just made up hype.

241

I love the idea that while this is

quite a, it's a cultural exercise,

242

it's, we're not talking about how many

bugs were on Tuesday versus Wednesday.

243

The way you're structuring this and

coming back to it is giving you those

244

reference points to see growth over time.

245

And I think taking that extra time

to make sure you've recorded it and

246

can see and take a moment to look

back and see that is something we

247

can all remember to do more of.

248

It's really easy to keep going

forward and not take stock and

249

remind ourselves how far we've come.

250

Track 1: Yeah, no, definitely.

251

And just, as keeping to, who I am

as a human, I do not to the point of

252

practicing it by writing it down, I.

253

I do that with my partner.

254

I do that with my parents and, it

does grow a sense of communal and that

255

kind of thing to, 'cause we all live

busy lives and, being able to reflect

256

and act don't generally do much.

257

laura-bell-main--she-her-_1_11-22-2023_130012:

Okay, so I'm loving this.

258

We are borrowing processes

that are already established.

259

They already work.

260

We know that, and we're

applying them into our space.

261

Now, what's the benefit of

using a process that people are

262

already familiar with instead of

bringing in a new one, you think?

263

Track 1: There's lots of process,

like lots of benefits I always go

264

back to that mistake that I made

when I came in with all these

265

processes that I thought were amazing.

266

And, I said before I'm a data person,

so I love writing up processes,

267

how it's gonna work and everything.

268

And, the concept of build

shock, they get process shock.

269

And you are working in these highly

scalable, highly moving teams.

270

They've already had their velocity

measured, they're working very well,

271

and then all of a sudden, the security

consultant comes in and disrupts it.

272

And there are techniques, inside

agile that help disruption.

273

But ultimately you don't want to disrupt.

274

The thing that I do like to do is like

the Rosebud Thorn, I do introduce people

275

to, because it helps me understand

what's going on, but then sitting and

276

watching how they do their things.

277

And then, using how I, like how we do

things in security and trans, like trans

278

translating it into their way of thinking.

279

There was a company that

I was consulting for and.

280

They were heavy in the design

aspect they brought up their mirror.

281

They started to do the, show me

the gooey design, and then they had

282

these little cards and it was like

Joe blogs such and such likes to

283

use the platform for doing X, Y, z.

284

He is a family man.

285

He's the age of this.

286

And, the design personas

that everyone uses.

287

And this is, this, it's probably not a

new concept, but it was a new one for me.

288

So I went to the design team and

shout out to, to Damien if he's

289

actually gonna listen to this.

290

But he went and drew me up.

291

Part of my role was to

do a threat profile.

292

We learned about it, built up

a threat profile, built up all

293

the things that could possibly

be a threat to this company.

294

And then we went and made personas.

295

So hang on.

296

I can't remember the names of them,

but hopefully I will be able to.

297

So we had Ida Impersonator.

298

Ida is the master of deception.

299

She's stolen and forged credentials

to gain unauthorized access to

300

systems, always keeping with

a true identity and secret.

301

And then we we put traits so deceptive

opportunistic, and then we put in

302

some defense strategies around it.

303

So the ways that we can

mitigate those those threats.

304

Ap API, key rotation.

305

Token validation, all that kind

of stuff that as we, we know as

306

security people will help you prevent

the threats and mitigate them, but

307

trying to do it in a different way.

308

So then when they went and designed

their system team, they had not only Joe

309

Blogs, but they had IDA sitting there.

310

So that, and then the product

manager would be like, okay, how

311

are we going to deal with ida?

312

And then people would

start to talk about it.

313

And it's that kind of like

looking at how people work already

314

laura-bell-main--she-her-_1_11-22-2023_130012:

I think this is a really interesting

315

shift for us as an industry.

316

It's very hard an a sign of maturity

for a group to be able to go from being,

317

Hey, we are the authority on this thing.

318

Here's the thing, you should be doing

it to bringing all of your skills

319

and techniques and your experience,

but in a subtle, non-ego way, we

320

go, cool, you are doing this thing.

321

How can I help?

322

Weave something new into that.

323

It's security stops being the

main event and it starts being a

324

gentle thread through an existing

developer workflow workflow even.

325

So in this process of borrowing these

processes and bringing them into

326

teams, have there been any other

kind of things that if you, somebody

327

was listening at home and they were

gonna start on this themselves, any

328

recommendations you'd make for them?

329

I love this.

330

That's great advice.

331

And I love the idea of just going

to a tool that, other roles and

332

software are using and just go

look at what their templates are.

333

Go see what their processes are, what

tools they use, because the closer you

334

get to them, the less cognitive load that

they have to join you on your adventure.

335

'cause they already know

there's tools, these techniques.

336

So if you were gonna pick, if you're

gonna put on your like psychic hat

337

and look forwards in AppSec Andrew,

where did you think it's headed?

338

Where are the big problems and

challenges that we're gonna be

339

looking at in the next five years?

340

Oh, absolutely.

341

I'm here with my thorns.

342

My thorns for you.

343

I really love this the future of

application security instead of

344

being a blocker as a coach and an

enabler and as an inspiration, but

345

then ultimately no longer needed

in the way that it currently is.

346

What an ideal dream that would be.

347

And perhaps, but folks who are listening

can, take some of the guidance from this.

348

Go move a little closer

to their dev teams.

349

Work in ways they're already familiar

with and see how many people you

350

can inspire, like Andrew to get

their little light bulb moments.

351

If we were to follow along with

your adventures after this,

352

Andrew and Tako, look at me.

353

I can say it learning.

354

We can do it too.

355

If we would follow along with your

adventures, what's the best way to

356

catch up with you and what you're up to?

357

That's incredible and what

a generous offer there.

358

It's absolutely fine and there

are many of us not on the social

359

medias, but what a lovely offer.

360

Do reach out to myself, reach out to

Andrew, reach out to others in your

361

community because, sometimes sitting

down and having a chat, even if it's

362

recorded for the internet, like this can

be really helpful for everyone involved.

363

Right Andrew, it has been an

absolute delight to have you here.

364

I'm sure we are going to catch up again

at some point in the future as you explore

365

further into how to make application

security part of everyone's world.

366

So thank you for coming

on and being a guest.

367

I'd never call it that.

368

I literally have a unicorn

in my background team.

369

Airy fairy is all good with me.

370

Right team at home, you know

the drill at this point.

371

Now I've been reading books about

podcasts and apparently I'm not supposed

372

to tell you to like, and subscribe.

373

I'm supposed to tell you to go and

recommend this podcast to a friend.

374

So off you go.

375

Go find a friend.

376

Make friends, give them

cake, possibly a podcast.

377

Who knows?

378

That's apparently how this works.

379

If you are gonna be wonderfully brave

like Andrew and wanna share what you are

380

working on with whatever you are building

in the world, come and have a chat to us.

381

If you visit

www.buildamazingthingssecurely.com,

382

we've got a fancy domain now you

can sign up to a guest and you can

383

check out our previous episodes.

384

So thank you for your ears.

385

We look forward to seeing you

on the internet again soon.

386

And thank you, Andrew, one more time

for being such a wonderful guest today.