As part of our cyber security interview series, we had the pleasure of interviewing Alyssa Miller. Alyssa is a member of the Developer Relations and Community group at Snyk, and is responsible for providing industry and thought leadership on application security and open-source software security topics.
Your role at Snyk must involve communicating security ideas and initiatives to various management roles in organizations. What level in a company would you say is most receptive to potentially changing their strategies, and which poses the most objections?
I’ve seen different messaging resonate at differing levels of the organizations, as you would expect. Development managers appreciate the developer-centric approach to how our tools are designed and the problems they seek to solve.
From a security leadership perspective, providing tools that enable developers to code more securely without creating friction for them is crucial to bringing security into the DevSecOps culture. As we begin to address senior and executive levels of management, being able to show how we address supply-chain security by cataloging, assessing, and monitoring software dependencies is a really important topic right now that they care about.
Being able to shed light on the unknowns and provide tangible and effective countermeasures to reduce overall business risk is of major value at those higher levels of the organization.
Has there been a particular event or meeting that was an “eye-opener” for you in terms of new ideas/approaches in development security?
I think for me a recent eye-opener was taking some time to really research the culture that Netflix has designed around their Paved Road concept. The idea is to enable developers to be creative and make tactical decisions, but that enablement comes attached to a responsibility to maintain security and stability. From the security and operations side, the developers are provided with tools and processes that support this enablement. All of this is formalized in documented expectations for all disciplines within the DevSecOps pipeline. It addresses a key characteristic of what DevOps and DevSecOps are meant to drive in terms of a shared-responsibility culture.
“It is crucial in any organization, large or small, to win support and adoption from the developer community”
It’s clear that Snyk does an amazing job in vulnerability checking, and must increase productivity significantly for developers. Can you please outline how important this is for smaller development groups as well as larger groups?
As I mentioned before, the crucial piece here is enabling security development without causing friction or creating slow feedback cycles that bottleneck development.
Security has struggled for decades trying to get developers to adopt tools and practices that address security flaws in code. Snyk is focused on addressing security from the developer perspective. The product plugs into all phases of a DevSecOps pipeline from the IDE through post deployment in cloud environments. The feedback from the toolset is immediate and enables developers to address issues quickly and easily rather than having to go back and fix vulnerabilities that were found in later assessment phases by a security team. This is crucial in any organization, large or small, to win support and adoption from the developer community.
As a speaker at February 2020 RSA, did you have many opportunities to discuss the needs/worries of developers with them?
RSA was terrific. I had a number of opportunities to interact with developers and managers to understand the challenges that are top-of-mind for them and help them explore possible ways to address them. As an advocate that is a crucial part of my role – being an active member of the community and working with my peers and counterparts to bring that context back to our product teams. I was pleasantly surprised, even following my session on the RSAC Sandbox stage, by how many people came up to me not to discuss what I had just talked about in terms of threats from #deepfakes, but rather to share what they knew of Snyk and to get more questions answered.
“In our most recent surveys we see that developers are largely looked at as the primary responsibility holders for security”
What do you consider as the most significant threat to developers in 2020?
It’s the same threat we’ve been dealing with for years: how do we meet the needs of an ever-increasing pace of bringing products to market, while addressing security threats that are constantly evolving as a result of the new technologies we’re leveraging?
The industry is asking developers to be responsible for not only their code but now infrastructure that they’re building via code as well. On top of this they’re asked to keep it all secure. Even in our most recent surveys we see that developers are largely looked at as the primary responsibility holders for security. From a security industry perspective, we need to provide them with greater enablement toward that end.
Earlier in your career, you worked as tech support at Frontier Technologies. As one of the first rungs on the ladder for most in the technology sphere, most people say that this is a valuable learning opportunity. Do you have any “tales from tech support” that stayed with you?
I think anyone who has worked in a help desk/tech support capacity has a few of those stories of frustrating or confusing users. But honestly the story that sticks with me most is one of a very poorly conceived business strategy. It taught me the difference between being visionary and being able to execute in business.
Now keep in mind, this is early 1996 and the internet is still very much in its infancy. Our founder had the vision that corporate intranets would be a very useful and powerful tool for the enterprise. As such he directed a lot of R&D into developing a turn-key intranet solution, much of which centered around a web-server component we developed and the supporting development and deployment tools. It was a huge business initiative, one that was meant to set the direction of our company for years to come. However, in the months leading up to our launch, Microsoft released Windows NT 4.0. Anyone who was around back then remembers that Windows NT 4.0 Server came with the first iterations of IIS and MS FrontPage. It completely pulled the rug out from under us and while I can’t say for sure, I believe it was truly the beginning of a major decline and the eventual death of that organization.
That whole situation gave me a very good view into just how risky business strategy shifts can be, how tenuous product R&D can be, and how important speed to market is for any major product launch.
As an ethical hacker, what was your most significant achievement in protecting the company from threats?
There are a lot of steps our Security Test Team was responsible for that I believe were crucial. For me personally, I’ll never forget the time I discovered a web application vulnerability that gave me emulated console access to a Windows server with Domain Admin privileges. It literally took three minutes of testing the application for me to find and exploit the vulnerability. Given the lack of network segregation we had at the time, this was a particularly critical risk to many of our systems.
However, I think some of the other great things we did in my time there might have been even more crucial. We began building out a program of working with development teams on security. This included our team providing training and educational materials as well as rolling out a source code analysis toolset. Those were beginning steps into what that organization has since matured. While I can’t point definitively to a threat that they stopped, I can only speculate that many potential threats were stopped early in the SDLC thanks to our efforts.
Ransomware is stealing headlines in many cyber security bulletins right now. Have you ever had first hand experience with ransomware, either developing strategies or post-incident at a company?
I’ve worked with a few companies on how to develop strategies within their overall incident response plan for handling ransomware attacks. The crucial element with ransomware, of course, is preventing it in the first place. Solid end-point security and email security strategies along with a well-crafted awareness program provide a good initial defense-in-depth approach. However, I think the industry has also come to realize that the Human Element will always be a factor and we have to be prepared for the worst. So understanding your environment and the capability you have to detect an outbreak early is very important. Having skilled individuals and the necessary technology to understand and identify threats using strong intelligence can reduce the impact significantly.
My team was working with one organization in particular on a small threat hunting exercise. Over the course of our engagement, we identified multiple Emotet infections. By identifying and isolating the systems quickly, they prevented a massive-scale ransomware outbreak that would have been delivered via Emotet to their systems.
“The value of honeypots has been significantly reduced by the Human Factor”
What is your view of honeypots and honeynets? Are they as effective as they once were?
I think the value of honeypots has been significantly reduced by that same Human Factor. Attackers tend to go for the path of least resistance which is all too often the users in this day and age. Malware, ransomware, misconfigured containers or S3 buckets are all easier routes than trying to hack into a network from the internet.
Honeypots and honeynets aren’t totally without value, but I think the breadth of the threats they address has significantly decreased.
Do you feel that there is enough education for organizations to protect themselves in the post-quantum era?
I don’t think there is much, if any, real education in this space yet. There are a lot of unknowns about the technology, a lot of concepts being shared, but as far as actual analysis of what Quantum Computing will bring and how that impacts threats within the business space, I’ve not seen much, if any, of that.
Aside from the academic community, most of what I’ve seen thus far has been marketing of products. Unfortunately there have been a few vendors that have made claims and promises that they cannot back up with demonstrable results. That just exacerbates the issue.
On a more personal note, what do you enjoy most about your career right now?
I think what I’m enjoying most in my career right now is that I’ve been fortunate enough to develop a platform for sharing and discussing ideas with the security community. Social media, public speaking, my blogs, my role as an advocate, the podcast I co-host, all of these and more are outlets I’m able to use to share my ideas, hear others’ ideas and really work for the betterment of our world as a whole.
What is the one aspect of your career that you wish you could devote more time to?
Honestly, I’d love to be able to devote more time to doing technical research. I have a few projects that keep me sharp but I’d love to get back to my pentesting roots. But I’ve come to accept that those days are behind me. My research is a little higher level now and I’ve also committed much of my time to helping build our community overall. Trying to leave behind a better road for the future resources to join this community easily.
You can find out more about Alyssa Miller and her work with Snyk below:
Alyssa’s Website: https://alyssasec.com
Visit Snyk: https://snyk.io/