Security Superfriends Episode 8: Randy Barr
Security Superfriends | Randy Barr, CISO, InterVenn Biosciences
Randy Barr’s favorite superhero is Batman because he builds tools, and with the right knowledge and tools, you can solve any challenge. This is an excellent approach for security!
Randy’s career includes leadership roles at pioneering companies, including WebEx back when it was a small startup through its IPO. He was CISO for the SaaS security leader Qualys, and he was head of product security and security operations for Zoom as its usage exploded over the last year with the pandemic. Now, he’s back to being a CISO at a highly regulated life sciences organization, InterVenn.
In this episode, we discuss the importance of shifting left for modern software development with the high velocity of code releases. Getting security implemented as early as possible, close to developers is key. The goal is to help them find and understand any vulnerabilities early so they can fix issues. Effective strategies include implementing tools for static and dynamic testing, giving developers security training, and working with pen testers that can interact directly with the developers.
He also discusses his approaches to securing what is becoming the new normal of a largely remote workforce. You may not know where team members are connecting from, how they’re connecting, whether there are others connecting on their same network, whether they are using personal devices, etc. There are opportunities to use security controls to enable this flexibility for employees while ensuring security.
We also discuss the importance of community participation. Randy participates in and shares his knowledge with local chapters of information security groups and the Cloud Security Alliance (CSA), and he works for companies that embrace working with other security professionals.
I can’t emphasize enough how important this is! A CISO can’t (and doesn’t) know everything. For example, the supply chain risk at Zoom is going to be entirely different from the risk in precision medicine at InterVenn. It is so easy to think, “I’m the CISO, I should know…” A better answer is, “I have a community; we have each other’s backs. And while I may not have the answer right now, I will have feedback from several peers in real companies dealing with this very issue in real ways.”
When you stand in front of a board, they will ask, “How are others doing this…specifically companies x, y, and z…” I have heard this numerous times myself. And this is Randy’s chief point. Build and use your community – it’s arguably your strongest asset.
Perhaps this point of view comes from his military training, having started his career in the Marines (is it just me, or is there a growing cadre of security leaders with backgrounds in the military?). Surround yourself with great intel. We are fighting a digital war; we need our allies! As he points out, there are a lot of bad actors out there, so working independently, in silos, doesn’t work when you could be working together to fight the bad guys.
I hope you enjoy this installment of Security Superfriends! Check out some edited highlights below, and be sure to watch the video or tune in via podcasts on our Soluble channels on Apple Podcasts, Spotify, Soundcloud, and Stitcher.
Rich Seiersen: When you think of shifting left - we have to find a way to enable development, devops, SRE, enable development to have some responsibility of security because we’re a small team, there’s one security engineer to 100 developers, right. It can be an even worse ratio than that. So we have to find a way to allow these teams who are moving really fast, hundreds if not thousands, if not tens of thousands of deployments a day, enabling them to do security. Can you talk about how you’ve done that at Zoom or otherwise?
Randy Barr: Developers are focused on development work. That’s their primary responsibility. Some of them have some security experience, but they’re focused on delivering what the product team needs for them to deliver on.
So one of the things that I’ve seen work well is making sure we involve them in the security side of the house. There are tools today that allow for some training of those developers, actually share code and show them here’s where some of the vulnerabilities - you may want to look in these lines of code to be able to identify the vulnerabilities, and then work through that training that allows for them at the end to do some testing to go in and find this vulnerability.
There are different types of modules available to developers to be able to go through that. So if you introduce that piece of it, training’s going to be important. Another part that I’ve adopted way early on in my security career is when I did assisted source code review for other companies. One of the things I did was to leverage a pen testing firm to build out a training module.
The closer you can get to the code allows for a developer to understand why certain things exist. Also putting the pen testers and the individuals that found that code to be able to have that conversation with the developers also is very important.
Developers are only focused on certain areas, they have some security experience, but allow them the ability to ask the right questions so that they could learn from it is another important step. Shifting left is very important.
You’ve got to be able to make sure that we identify vulnerabilities as early as possible, and some of those include implementing many tools, and those tools would allow for any static, dynamic code testing but more importantly, when you start releasing or having major releases, should you start having either third party or your offensive security team, depending on how big your organization is, to get involved in that, to be able to have access to that source code, to be able to do some of those tests quickly.
Having a process in place, making sure that you have enough information that gives developers an idea of what it is that you’ve found, is also important. So training those folks is important, you can add a bunch of tools and automate those tools, which is also very important too, but I think the connection back to developers is key.
RS: Thinking about unknown unknowns and keeping up with the velocity of development, and talking about your experience at Zoom in the pandemic, how did you manage what was a high velocity, highly distributed software development, cloud native environment? How did you keep up with the speed of development?
RB: Sure, so I can’t speak to directly what we did or all the details at Zoom. What I can share are some of the experiences that I learned over the years, and that is that there are certain environments where you have to build out your security program.
When you build out your security program, the idea there is to apply the right tools at the right time, and make sure that you have the right resources when you grow as a company. And as fast as some of my experiences have been, you need to make sure that you have a strong collaboration with other team members.
So there was a strong team dynamic that I’ve experienced in a couple of other companies that is pretty crucial to making sure that you’re growing the organization, or growing the team, right alongside the organization. There’s a lot of things that you have to look out for.
One, are there tools that exist today that can scale to the size that you’re growing into? Two, are there policies, the policies that you have - is it something you need to revisit now, or is it something you can revisit later in regards to the regulatory compliance you need to adhere to?
What are some of the commitments that you already have for some of your customers, some of the compliance requirements that you’ve agreed to with your customers, and whether or not that’s strong or that will continue to grow with the company?
There’s also the culture within the team that you need to maintain. I’ve experienced certain growth at other companies where team members thought that losing some of the responsibility, handing them off to a new team, means that they’re no longer needed, which is not true.
Communication, transparency, letting them know that they’re needed, letting them know, “Trust me, there’s plenty of work for us to do.”
RS: How do you make sure that security keeps up or stays ahead of trends, and in particular, I would say, with the advent of what you probably saw at Zoom, where you’re talking about volumetric scale. How has security been able to keep up?
RB: Well, there’s a lot of community. The security community is pretty strong out there. If you work closely with the security community, there’s an opportunity to learn more about what people are doing. That’s something that I’ve recognized early on from local chapters, participating in the Cloud Security Alliance, working for companies that embrace working with other security professionals.
Setting up security council meetings, working directly with folks that have been in the industry for some time. Security leaders presenting some of the things that you need to look at, how you address it, what you’re thinking of doing, and getting feedback from them. It also helps to get different security leaders from different verticals to participate in some of these conversations as well.
Qualys did that early on - they pulled in a lot of security members, pulled together a security council and talked about the different approach that they’re taking when it comes to security. Leveraging that relationship to understand some of the challenges that they’re faced with and how it mirrors some of the challenges that you’re having too.
But there’s a large team of bad actors out there. And working in a siloed environment doesn’t make sense for security professionals, as you’re probably aware. We need to work together and understand what skillset other people have that might benefit you, and there’s a lot of security people that are willing to help.
Want to catch the latest and greatest in Security Superfriends? Subscribe to our Youtube channel for past shows and updates, and listen on Apple Podcasts, Spotify, Soundcloud, Stitcher, or wherever else you get your podcasts.