Podcast-Ep-7 #Shifting Left at Roblox — A conversation with Julie Tsai


A conversation with Julie Tsai on her initiative of #ShiftLeft at Roblox. Julie is the Head of Information Security at Roblox — a wildly successful online gaming company.

Julie talks about the practice of shifting left in cybersecurity, the centrality of empowering developers through code analysis, interactions between red and blue teams and, as a bonus, the security leaders she admires who could be role models to increase diversity in cybersecurity.

This podcast has been reproduced below in an interview format.

Alok — Hello, Julie, how do you practice this entire concept of moving security to the left or, as it is popularly called, ShiftLeft?

Julie — Well, it comes back to the idea that security can only be done in its most efficient and most pure form when you’re doing it at the root. So it comes back to the understanding that it has to get into the hearts and minds of all of your practitioners at the company in terms of engineers, as well as other people in their day to day actions.

And inserting that mindset into how do I incorporate a secure way of thinking at every step in the process, from product inception to design and architecture to when do we actually discover that there are vulnerabilities in code and then being able to fix it quickly.

Alok — So what are your KPIs to judge the success of this process of moving security to the left?

Julie — I would look at two important metrics. And these things usually tend to be work in progress for every company but, you know, depending on the level of visibility and telemetry you have, I would look at the overall number of security issues that you’re having, whether they’re active incidents or potential vulnerabilities.

And then secondly, I would look at the level of vulnerability coverage that you have. There’s a concept of, you know, when programs are first bootstrapping in the innocence, you know, groups that are sort of blissfully ignorant of what is underneath the covers. But as you get deeper in terms of your understanding of your stack, and your entire operations, you might see something in an increase in issues and remediations because now you have more knowledge. As you start coming around that curve, improving your practices, moving the thinking and the culture into a more embedded place, you should see an improvement in the overall number of issues, as well as an increasing understanding of security status of the company.

Alok — Okay, so now, in terms of shifting left of security, static analysis of code is coming across as a prominent choice of tool for empowering developers. Why do you think that is the case?

Julie — I think that there’s two major components to it.

One is the obvious aspect of coverage: you can’t really know or manage things that you don’t, that you’re not aware of. You may unintentionally create good outcomes or bad outcomes. But unless you know, it’s not intentional.

I think the second piece to it is the control. If the developers have the capability to know as they’re programming, they have more capability of internalizing that knowledge as well as correcting it up front. So I think that’s a major reason that static analysis and source code analysis matters.

Alok — Okay, so let’s move to a different topic. I think what I understood so far in my conversations with you is that you have a very nuanced view on managing the relationship between the blue teams and the red teams, as in the case of how we manage the security. So how do you manage the security games these two teams play for optimizing security?

Julie — In early stage companies, you have the luxury of being all in the same mindset. You have effectively purple teams, they’re not necessarily organized into the functional silos of red team and blue team. People are both in the business of creating and detecting issues as they work and as well as fixing them. As an organization starts to get more efficient they begin to accept that not any one single person or any one single team can understand the full stack. It’s essential to have a very intentional and proficient offensive security endeavor as well as the blue team defensive work.

In that case, I would say that it’s important that the leaders of both functions be very well aligned both in values as well as how things are going to happen. And there needs to be a very deep level of trust in order to have them operate at the level that you want them to. In some organizations, there is a positive competitive mindset. Each team, the offensive and the defensive security are going to do their best and then let it play out and let the execs determine where it lands.

I think that there is probably a positive competition aspect to it. It may not always be the strongest for building trust or for efficiency.

Coming back to the concept of shifting left as opposed to having to externalize things very, very late downstream, you want to get your inputs as early as possible so that people can both fix the problems as well as get it into that mindset.

Alok — So on the same topic, and slightly extending it, I recently had a chance to record a podcast with Shannon Lietz at Intuit. She talks a lot about adversary management. So what’s your take on managing an adversary that knows a lot about you? How do you deal with such an adversary in terms of your security strategy?

Julie — Yes, I think that you have to take the same mindset as theirs. If you have a committed, intentional and skilled adversary, who is studying you, and understands your workloads and how you operate, you must bring the same level of knowledge to your own internal testing, it needs to be rigorous.

So you need to bring in your own mindset of the people that you know in the org that understand how things work the best, where the corner cases are, where the vulnerabilities are, and have them collaborate on establishing your offensive security, your offensive security test. In that way, you’re using your own self-knowledge to your advantage. It is absolutely true that if you know there is a committed, intentional adversary, you must be equally committed intentionally.

Alok — Okay. And this is my final question. There has been an observed increase in the number of female engineers in the security industry, both at leadership level as well as on the frontline level. In both of the cases, there is a very healthy increase in diversity. Of course, there’s a long way to go. My question to you is, what’s your take on that and which female security leaders do you admire who could be role models for upcoming talent?

Julie — Absolutely. While we are seeing somewhat of an uptick at the entry level as well as along through the ranks in terms of people’s progression, the overall proportion or percentage in the security field as well as technical operations still continues to be fairly lopsided for a lot of reasons. There’s a huge benefit to adding diversity in terms of the ways of thinking and the styles of doing things into a company, you get a lot more creativity and a lot more building of that balance of empathy and reason that’s essential for the good functioning of the team.

I think that these upticks are encouraging. But what we’ve seen over the years, I think, is that sometimes there’ll be a bit of an uptick and then a little bit of a sliding back. And I think it’s going to be a committed progression issue for us as a society to really value everyone’s contributions, no matter their gender, to really value how they’re contributing. And know that there is something essential that we’re missing if we lose out on that.

When I look at other leaders in the industry that I really admire — that includes Shannon Lietz who is leading the red team effort at Intuit. Caroline Wong, who does a lot of great things for security, security evangelism and metrics in her role over at Cobalt. I would also recommend that when people look for mentors or for role models in their career path, to think outside the box a little bit. I have a great deal of admiration for Michelle Dennedy who’s done a lot in the privacy engineering and awareness space.

There is a tremendous amount to be learned from people in other industries as well. I look at some of the folks who’ve been working in AI. Also folks like Mellody Hobson, who works in the finance industry, or even leaders who just have a different style of doing things. You know, I look at examples of people in the industry who are introverted, but also great leaders, and that’s across the gender spectrum as well.

Alok — Thanks, Julie, for your time on the podcast, you really have some great insights and I’m sure the listeners of this podcast would absolutely appreciate that. Thank you.

Julie — Thank you for having me here!

Podcast-Ep-7 #Shifting Left at Roblox — A conversation with Julie Tsai was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Alok Shukla. Read the original post at: https://blog.shiftleft.io/podcast-ep-7-shifting-left-at-roblox-a-conversation-with-julie-tsai-90434133b42c?source=rss----86a4f941c7da---4