We Take Software Security Seriously, As Long As It Ships on Time

Since software has eaten the world, should software engineers have already inherited cybersecurity? It’s easy to see this as an ideal transition. But given the pressures to ship, can we expect these engineers to prioritize security from day one, even if it risks delaying a product?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest Jeremy Epling, chief product officer, Vanta.


Huge thanks to our sponsor, Vanta

Say goodbye to spreadsheets and screenshots.

Vanta automates the evidence collection needed for audits with over 350 integrations, giving you continuous visibility into your compliance status. And with cross-mapped controls across 30 frameworks, you’ll streamline compliance and never duplicate your efforts. Learn more at Vanta.com.

Full Transcript

Intro

0:00.000

[Voiceover] Best advice I ever got in security. Go!

[Jeremy Epling] Security is a team sport. I think so often everyone thinks the security team’s responsible for doing all the security work at a company, but you really need product, design, engineering, HR, legal, sales, everyone to achieve the customer outcomes you want.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And joining me as my cohost for this episode, if you’ve been listening to the show for quite some time, you’ve heard his voice before. It’s none other than the CISO of Rivian, Mike Johnson.

Mike, say hello to the audience.

[Mike Johnson] Hello, audience, for the many, many times that we’ve been together, good to be with you again.

[David Spark] Actually, this episode marks six and a half years you and I have been recording this show.

[Mike Johnson] Excellent. Six and a half.

[David Spark] That is astonishing to me. [Laughter]

[Mike Johnson] It is very astonishing to stop and think.

[David Spark] Astonishing.

[Mike Johnson] I still remember sitting down for lunch and you were like…

[David Spark] And me suggesting, “Let’s do a podcast together,” and you don’t know who the heck I am. [Laughter]

[Mike Johnson] I was like, “All right, let’s do this. Let’s see where it goes,” and here we are six and a half years later.

[David Spark] Six and a half years later. It’s doing very well. Our sponsor for today’s episode, our sponsors are the ones who keep us going all this time, and this sponsor has been absolutely spectacular. They’ve been just a true supportive sponsor for, I guess, I think about a year and a half of that, actually.

It is none other than Vanta. Thank you so much, Vanta, for sponsoring the CISO Series. We greatly, greatly appreciate your sponsorship, and we’ll be talking more about them later in the show. In fact, our guest comes from Vanta. I’ll introduce him in just a second. But first, Mike, I want to mention that next week, exactly this time next week, I will be in Philadelphia at the CyberMarketingCon, which is growing like mad.

And by the way, I made a bet, a $5 bet with the co-founder of CyberMarketingCon because I was convinced she was, I believe the number was 500 attendees, and she was at like, when we were talking like a few weeks ago, this is November when we’re recording, she says, “Oh, I’m at like 420.” She goes, “Oh, I don’t know if I’m going to get to 500.” I’m like, “Oh yeah, you’re going to get to 500.”

[Crosstalk 00:02:27]

[Laughter]

[Mike Johnson] Yeah. Yeah.

[David Spark] …500, no problem.

[Mike Johnson] That’s not a big delta, especially for a group like that.

[David Spark] Yeah. So, she’s going to happily hand me over that $5 because she will make way more than that.

[Crosstalk 00:02:38]

[Mike Johnson] Yes.

[David Spark] …over 500.

[Mike Johnson] I always like taking bets that I’m happy to lose.

[David Spark] Yes. That one, she’s going to be super happy to lose.

[Mike Johnson] She’s very happy to lose that bet.

[David Spark] Yeah. But we are going to be at the conference. We’re going to be shooting video at the conference. We’re going to be doing game show at the conference. So, if you are there and you’re hearing this, please come say hello. We’d love to do that. And we sponsor the conference too. I should’ve mentioned that.

We’re sponsors.

[Mike Johnson] I do have one question, David, sir. Are you going to run up The Rocky stairs and get a picture of that?

[David Spark] That is as hackneyed as they get. You know what? The locals probably see people doing that again and again, and they just shake their head and they’re like, “Oh, this buffoon.” All right. They’re running up the stairs. They’re doing The Rocky run. I got it. And then they got their hands over their head.

[Mike Johnson] [Laughter] Here goes another one. It’s kind of like holding up the Leaning Tower of Pisa.

[David Spark] Oh, yes.

[Mike Johnson] They’re just used to it at this point and it’s just, “Oh, there’s another one.”

[David Spark] Oh, there’s another tourist throwing a coin into the Trevi Fountain. All right.

[Laughter]

[David Spark] Taking a photograph. We’ve seen this before. All right. Let’s bring on our guest. Thrilled to have him on board and thrilled just Vanta. They absolutely rock. We’re so thrilled they support us. Actually, all their guests they’ve always brought on have been fantastic, by the way. We’ve had many people from Vanta.

So, no pressure, by the way, guest, before I’m about to introduce you.

[Laughter]

[David Spark] The chief product officer over at Vanta, our sponsor guest, Jeremy Epling. Jeremy, thank you so much for joining us.

[Jeremy Epling] Yeah. Thanks for having me, and I appreciate that intro. Hopefully I live up to the hype.

[David Spark] You will.

What’s the future for a CISO?

4:14.013

[David Spark] “Security is just one of many aspects of code quality, and I think it should be treated as such,” said Ross Haleliuk in his blog, Venture in Security. He postulates that software engineers are poised to inherit cybersecurity. This is definitely what the security community wants, but is it realistic?

So, Ross makes the case that security’s already an inherent aspect of high-quality code, that engineers by building cybersecurity products themselves are shaping the future. We can say this is desirable, but is this shift happening now? Given the current business pressures, where getting a product out the door often takes precedence over making it secure before it goes out the door, can we really expect engineers to prioritize security from the start?

Won’t that just delay product releases? Mike, I will say this whole theory that Ross brings out, I’m sure you’re all gung-ho about it. Yes?

[Mike Johnson] Yeah. It’s something, the way that I think about security vulnerabilities is they’re just bugs. It’s just another aspect of something that has a negative outcome.

[David Spark] Mm-hmm.

[Mike Johnson] That’s really the slightly different aspect to security vulnerabilities. But again, the application is acting in an unintended way. It’s not the way you want the application to act. We should expect engineers to focus on quality code, very much agreeing with Ross here, that security is one aspect of quality.

And ultimately, we should think of security vulnerabilities as a class of bugs that have negative outcomes, just like performance bugs, UI bugs.

[David Spark] But is that seen, just I’m playing a little devil’s advocate here, is that seen to get the product out the door? Because I’m agreeing, but often those security issues may not be seen until later, or that is something that, you have a list of bugs, well, these are bugs that we can deal with later, but this product needs to go out the door now, and we can release it with these kinds of bugs.

I mean, I don’t know, you tell me. Is that doable?

[Mike Johnson] So, what you highlighted there that I think folks should really focus on is the time in the cycle in which security vulnerabilities are typically discovered. Quite often, they’re discovered just as the thing is about to ship, or maybe even after it has shipped. And what Ross is stressing, and I think a lot of us agree with, is we need to find them earlier.

We need to help engineers find those vulnerabilities earlier, so they don’t end up in this situation of, “Are we going to ship something insecure, or are we going to pause the release?” If we find it earlier, that can all be factored in. And that’s back into automated tooling, Secure by Design, all those capabilities that bring it earlier in the process, so you don’t find yourself having to make that trade-off between security and timeliness.

[David Spark] All right, Jeremy, it is the classic philosophy of push product out the door. I guess, what Mike says, how do we find problems earlier? So, they’re not literally the moment we’re releasing or just after it’s released.

[Jeremy Epling] Yeah, definitely. I mean, I think that there’s the big shift left happening overall with quality, and engineering is getting responsible for more. I still think there’s a key place for security and security engineering plus “classic” engineering, if you will. I think they have to have a really deep partnership.

Like I think about my team, I lead our product engineering and design teams, and I spent a ton of time with JD, who’s our CISO. And we work very, very closely all the way at the design phase of like, “Hey, we are thinking about going into this space. How should we think about security for this space?

What should we be prioritizing from risks and different vulnerabilities that can come up? How do we then partner together in the design process and the RFC from the engineering team, from the product team, and then driving that all the way through?” So, I think there’s a lot that we can go do to do more together.

I think when you’re an early-stage startup, you’re just trying to get product market fit. So, I think there’s a security maturity journey as well. Like smaller companies that are just trying to survive and determine, like, can we ship our first feature, and will we even be able to feed ourselves in a couple months, are going to probably put less emphasis on the security level that a really big company can.

But I think there’s a right-sized approach for each of these companies. I think vulnerabilities is one too, where it gets to be a spicy topic, at least I’d say for me. Like I look at it as like there’s vulnerabilities that are actually reachable, and I feel like can be exploited, and then there’s just like fix everything.

[David Spark] Yeah.

[Jeremy Epling] And then you get into a lot of what feels like make work and documentation there. So, I think there’s a lot of shift left happening. I mean, I think even in Vanta, like in our product, when we pop up issues around compliance and security, we now include Terraform instructions and AWS CLI commands and everything like that to empower the engineering team to go ahead and make that fix, and that makes that fix long term for them as well, and bake that into their CI/CD system.

So, I think there’s definitely engineering doing more and partnering more closely. I don’t think engineering’s taking over all of security.

Could this possibly work?

9:31.606

[David Spark] CISA and FBI recently released a Secure by Design alert on eliminating cross-site scripting, XSS, you know, those vulnerabilities. It’s less of an alert and more of a call to action for software manufacturers to just get on board with some basic security hygiene. So, does a government promotional push/alert for Secure by Design get others on board?

I mean, it’s not a regulation, which definitely does move the needle. But is this just another “every little bit helps” call to action? So, the President’s office made a push for zero-trust architecture. So, this is kind of in line with that. So, as long as CISA wants to try to solve old problems, what “alert” would be most helpful for the industry next?

What do you think, Jeremy?

[Jeremy Epling] Yeah, I mean, I’m a fan of what we’re doing with Secure by Design. We signed on initially as like a company, JD and I did, and we posted a recent post about the work we’ve done and the progress we’ve made. I think these individual ones, it does feel a little bit like just do a little bit more and make it better.

I think this kind of gets back to the other conversation we had about vulnerabilities. Like, I care about cross-site scripting, and I want to go solve it. But depending on your app, is that actually the top risk for your company? And I think that’s the approach I would be taking when I look into these is like, yes, I want to go make progress on this, I want to go do better.

But I also need to prioritize that against all the different risks that we have as a company, and determine is this specific one with cross-site scripting the thing I need to be focused on next.

[David Spark] All right, Mike, your thoughts. What is the value of this? I mean, it’s a lot of like, “Duh, yeah, we have to fix this. This is basic security hygiene. But hey, thank you, CISA, for mentioning it.”

[Mike Johnson] There’s a few things that come out of this. One, companies who are already very security aware probably aren’t dealing with a whole lot of cross-site scripting vulnerabilities. That’s not something that is endemic in their environment. CISA’s broadcasting this to everyone though, like this is every organization, every company.

It could be some company that makes a very unique piece of hardware, and they write a unique piece of software for that, and there are five big customers who use that who could benefit if that company, who is this tiny software producer, actually was really considering cross-site scripting vulnerabilities.

So, it’s very much what Jeremy said, of you need to prioritize and look within your environment. These calls to action actually might reach those people who aren’t doing that prioritization effort. They’re not thinking holistically because that’s not front of mind for them. When you’ve got CISA looking at, well, cross-site scripting should be not a problem anymore, but we’re still seeing it.

This guidance is all based entirely off of their commonly exploited vulnerabilities list. They’re seeing it in the wild, so they’re focusing on it, and that’s where their call to action comes from. So, it’s a data-driven approach. They’re not just picking XSS randomly and saying, “Hey, everyone should care about XSS.” What they’re saying is we’re seeing it.

We need to turn up the heat a little bit and really highlight it to folks.

Sponsor – Vanta

13:00.642

[David Spark] Before we go on any further, I do want to tell you about our spectacular sponsor, and that would be Vanta. And we’re going to be talking about your trust centers. Now, let me ask you a question. Do you know the status of your compliance controls right now? I mean like this very moment, this very moment in time.

Because we know that real time visibility is critical for security, but when it comes to our GRC programs, we have traditionally relied on point-in-time checks.

But get this – more than 8,000 companies like Atlassian, like Quora, have continuous visibility into their controls with Vanta. And here’s the gist – Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get, you’re going to like this, security questionnaires done five times faster with AI.

Now that’s a new way to GRC. You want this. I know you want this. So, go check out what Vanta is doing. Just go to vanta.com/CISO. Go there and know how you can do just-in-time GRC at your fingertips.

It’s time to play “What’s Worse?”

14:25.243

[David Spark] Jeremy, you’re familiar with this game?

[Jeremy Epling] Yes, I’ve heard it before on here.

[David Spark] Two crappy situations. You got to decide which one’s worse. Now, I have a feeling I know where you’re going to go with this, Mike, but I may be wrong. All right?

[Mike Johnson] Should we have a $5 bet on it?

[David Spark] No, we’re not going to have a $5 bet.

[Laughter]

[David Spark] Because they’re crappy for two very, very different reasons. Okay? It’s from Erik Bloch with Arbiter, and Erik has these two “What’s Worse?” scenarios. Scenario number one – you have 20 different agents installed onto all of your endpoints. That’s a lot of endpoints and that’s a lot of agents.

One would say too many.

[Mike Johnson] Yes. One could definitely say that 20 is too many agents.

[David Spark] Twenty is too many.

[Mike Johnson] Yeah.

[David Spark] Or the complete opposite, having no agents installed on any of your endpoints at all. Which one’s worse?

[Mike Johnson] [Laughter] Really good question and obviously extremes, Erik.

[David Spark] Thank you. [Laughter]

[Mike Johnson] I think ultimately, this day and age, you have to have endpoint visibility. Everything on the wire is TLS. There’s no real way just from network telemetry, especially in a distributed workforce, that you can know what’s going on without agents. I agree that 20 agents is too much. But on the flip side, again, two bad outcomes.

Having no agents, having no endpoint visibility, I think that’s basically reckless at this point. So, as much as it would suck to have 20 agents, I don’t see how you can operate in a modern world with zero endpoint agents. So, that’s worse.

[David Spark] Now, this is what I thought you were going to say, but I’m just going to throw this out. Wouldn’t 20 agents and managing 20 agents and setting up 20 agents bury your security team?

[Mike Johnson] Oh, like I said, it’s going to suck. But Erik did a really good job of picking two extremes that suck. If you were to say 5 agents, eh, no big deal; 10 agents, getting a little uncomfortable; 20 is terrible.

[David Spark] There you go.

[Mike Johnson] But on the other hand, having zero agents and zero endpoint visibility, zero endpoint controls, is still worse.

[David Spark] All right. Erik, he likes the challenge. Jeremy, are you going to agree or disagree here?

[Jeremy Epling] Wow. Neither one of these feel good.

[Laughter]

[David Spark] No, I know that.

[Jeremy Epling] I think I’m going to go with the agree. I think I would rather be living with alert fatigue and being overwhelmed, just because I’ve been in that scenario for engineering for other things that aren’t just security as well.

[Laughter]

[Jeremy Epling] Where you just end up having way too many alerting and logging things coming through all the different platforms. So, I feel like that’s at least a problem where I know there’s something in there, and I can look for it and start to build some queries and some discipline around it and can work my way back.

[David Spark] Yeah, but you won’t even have time for that because you’re dealing with the other 19 agents.

[Laughter]

[Jeremy Epling] It is true. I think I’d just get so scared of having no idea what’s going on because you end up with that one rogue endpoint and you just have no clue. It could be anything. Where at least there is some needle in the haystack with the 20 agents, as terrible as that haystack’ll be to sift through.

[David Spark] Let me ask both of you. Let’s say you had a no-agent situation, no agents on endpoints.

[Jeremy Epling] Yeah.

[David Spark] What would be your security program, Mike?

[Mike Johnson] If you were to say, “Hey, you can have no agents.”

[David Spark] Yes.

[Mike Johnson] What I’m doing is I’m giving you a Chromebook.

[David Spark] Mm-hmm.

[Mike Johnson] Chrome OS with a managed browser, there’s no agents, it’s all built in, and it puts us in a good place.

[David Spark] Not a bad point. Jeremy?

[Jeremy Epling] Wow. Yeah. I mean, I guess for end users, I would be looking for just the most out-of-the-box locked-down environment I could have. Like I could see a Chromebook or just something where I have IT’s at least configured and locked down, your Mac or Windows device or whatever, ahead of time when we send it out to you.

I get really scared about the cloud endpoints. You know what I mean? Like my cloud infrastructure, not having any EDR out there on AWS or Azure, GCP. I guess for those, I don’t know if this is me cheating, but I’m starting to dig through Datadog logs or other things that might not be classic security tools, just to have some insight into what’s going on there.

[Mike Johnson] I like what you said there, Jeremy, of there can be other agents that are not necessarily security agents that you can get security value out of. I think that’s something that we as an industry need to think more of.

[David Spark] Good point.

[Jeremy Epling] Yeah, definitely. And I think that’s also one of the things that contributes to the overwhelming nature of incidents and logging and observability today, is we do have so many streams. And I think the more you’re able to coalesce and prioritize that information, the better and easier it is for people to actually have the right security outcomes and for engineering and security to collaborate together in a better, easier way.

Please, enough! No, more!

19:28.335

[David Spark] Today’s topic is the intersection of AI and security. So, AI is being hailed as both the solution and the problem when it comes to cybersecurity. It’s either going to help us predict and prevent threats with unprecedented accuracy, or it’s going to be leveraged by attackers in ways to push custom attacks at scale and other ways we’ve yet to even anticipate.

It feels like we’re on the edge of a new paradigm, yet there are still so many unanswered questions about risk. Mike, I’m going to start with you. What have you heard enough about with the intersection of AI and security, and what would you like to hear a lot more?

[Mike Johnson] I’ve really heard enough of the doom and gloom FUD about AI. Like we get it, it’s new, it’s scary, but it really does have an opportunity to really accelerate business. And that’s also where I’d like to hear more of is how can it accelerate security. I think there’s so many ways that security teams can embrace AI for positive security outcomes, and that’s an opportunity that we really should hear more about.

Ultimately, what I’d like to hear more about is how can AI help us be better.

[David Spark] Yes. And actually, well, by the way, there are more and more inventors doing just that these days, which is great. Because I mean, we’ve just seen… Two things we’ve seen. New vendors enter the field that literally wouldn’t have existed before AI, and then vendors have been on the market a long time adding AI to their solutions.

In fact, I assume almost every vendor is doing something with it. But let me ask you, Jeremy, the same thing. What have you heard enough about with the intersection of AI and security, and what would you like to hear a lot more?

[Jeremy Epling] Yeah, I agree with Mike, the doom and gloom. I’m definitely kind of over the robot apocalypse narrative. I think the other thing that I’ve heard is just all these empty promises on quality. [Laughter] It’s like, “Don’t worry, we’re just going to like rub a little AI on it,” and every product has 1000 AI features.

And then I actually get in and use them, and they just don’t really work. Like there are things that really work, and there’s things that don’t.

And I think what I want to hear more about is more around the metrics and the proof point of how this actually works and is actually a high-quality experience. To me, that’s been the big thing we focused on internally with Vanta AI. When I look at questionnaire automation or vendor security reviews, from a product perspective, I look at it as like we have a new tool in the toolbox, and not that it needs to be shoved into every experience.

Like there’s plenty of times where it’s just like just make the basic SaaS tool better than the way we have for the last 10 or 15 years, and that is actually the right solution. So, where are the places where AI can really differentiate, where you’re dealing with a lot of unstructured data, when you’re trying to kind of generate natural language?

And so that’s gravitated us because we’re in security and compliance and looking through SOC 2 reports and pentest reports and everything, of what can we go do to help pull those insights that you care about, use that to compare to other things you have in your program? Like risks that you’ve written out, and your controls you’ve written out, to help highlight and give you those actionable insights, so you’re not spending a bunch of time reading these documents and kind of digging through them.

So, I think that focus on the quality of really being able to back it up is the big thing I want to see more people go do and I’m looking forward to in the products I want to go buy from security or any vendor.

[David Spark] Well, and you’re doing this with Vanta, and the thing that’s quite unique about AI is how much it’s growing at, I swear, like a weekly, monthly basis these days. So, let me ask you, first of all, how long have you been at Vanta?

[Jeremy Epling] A little over a year now. Before that, I was at GitHub and then we were working on Copilot and everything like that before. Yeah.

[David Spark] Okay. So, you’ve plenty of experience here. So, think about when you first came in, think about just six months ago, last month, and today. What are some sort of unique leaps you’ve seen in those times?

[Jeremy Epling] Yeah. I mean, I think we all felt the original ChatGPT leap of just kind of how shocking it was, of just being able to answer all these questions with high accuracy.

[David Spark] Mm-hmm.

[Jeremy Epling] I think the more recent ones for me have been dealing with structured data and analytics. So, being able to kind of dump in just CSV files and more structured data and being able to ask for insights and predictions and seeing the quality grow there. I feel like the march for text quality and answering better questions requires a little less prompt engineering, like each turn of the crank of these models.

So, more recently, code generation, I think especially with the Anthropic models, has really moved forward in a big way that we’ve noticed internally.

And so when I look at engineering efficiency or even like security engineering, everything we can do to help, especially with the boilerplate code problem, it’s just so nice. There’s so much that you have to kind of write in each of these languages and frameworks that’s just easy to be auto-completed there.

I know people have seen, and we have too, big productivity gains from that, of just getting the team to focus on the harder problems and not all the kind of boilerplate code generation.

[David Spark] What have you learned from your customers as to, like maybe you weren’t looking at it, and they said, “Oh, no, no. This is what we want you to pay attention to”?

[Jeremy Epling] Yeah. I mean, I think when it comes to AI, the big conversation we end up always having with customers and that we hear is around, “Are you training on my data?” And it feels like people are so overwhelmed with how many products are adding AI. A lot of them can only get to that question [Laughter] and not much more.

And so if you’re not training on their data, then they’re like, “Okay, great. I can just assume you’re fine, and I’m going to move on to the next vendor that is training on our data.” JD, our CISO, and I at Vanta co-authored a post, like, “We’re not training on any customer data, and we feel like we can do a lot through synthetic data, approved golden datasets, and just prompt engineering to make the experience a lot better.” And so that’s been a big decision for us and that I’ve seen really resonate with customers and really streamlines that process.

But because we do questionnaire automation and we do vendor risk automation with Vanta AI, we know a lot of the questions that are kind of like getting asked there, and when I talk to customers, “Are you training on my data?” seems to be the top-of-mind thing for all of them.

What’s the motivation to do this?

25:41.855

[David Spark] “The community model of just trusting the code because it’s open source was never a great model. You should trust it because you trust the people who wrote it or who reviewed it.” Now that quote came from CISA’s open-source security lead, Aeva Black, in the aftermath of an incident which saw the compression utility XZ Utils updated by a new maintainer who introduced a backdoor.

That potentially impacted millions of systems. Other open-source foundations such as OpenJS saw similar attack attempts. Open-source maintainers are critical, often doing thankless work out of pure passion. Mike, what’s to stop a truly malicious person from being an open-source maintainer and really causing havoc here?

So, how do we keep these software packages secure when the point of failure could be a single developer, Mike?

[Mike Johnson] So, first I want to call out that Aeva’s making a really interesting point here. In the past, there is this idea of you should trust open source because of the many eyes that are looking at it.

[David Spark] This is the common theory.

[Mike Johnson] And that is accurate and potentially true for a handful of projects. Like the Linux kernel. There’s so many people who look at that and so much review, and you as a company can take a look at that. But I really like Aeva’s point that it’s the who reviewed it. And when you look at a malicious maintainer, who’s reviewing their code, and do you trust that person?

That really is the interesting addition that I think Aeva added to it, is it’s not just who wrote it. Trusting because it’s some random maintainer, that’s a little bit rough. Who reviewed it, I think, is your opportunity, and that “who reviewed it” can be your own company.

[David Spark] Is the maintainer and who reviewed it not often the same person? I mean, asking out of ignorance here.

[Mike Johnson] On extremely small projects, it can be the same person. Usually what you want is the author and the person who approves the change to be two different people. That’s an ideal scenario. Small projects, and I think in the case of XZ, it really was they gave themself the ability to approve their own code, and that was part of the problem.

And maybe a good place to start might be don’t use code that only has just one author associated with it, unless you’re actually going to review it yourself.

[David Spark] Mm-hmm. All right. Jeremy, I throw this to you. How do we secure these codebases? Because by the way, this has become a very, very hot topic.

[Jeremy Epling] Oh, definitely. And it’s critical because so much of the world’s code is all built on open source. I mean, I’ve spent a bunch of time with open-source maintainers. They are doing kind of God’s work for all of us out there. [Laughter]

[Mike Johnson] Yes.

[David Spark] Yes.

[Jeremy Epling] They are not really getting compensated in a way that’s commensurate for the impact that they’re having. And so I think we actually have…

[David Spark] That is a very good point right there, by the way. I want to highlight that. Definitely not compensated for the impact they’re delivering.

[Jeremy Epling] Yeah. And I’ve talked to maintainers – I mean, I spent four years at GitHub – that are maintaining literally 180, 200 node packages that are…

[David Spark] Holy moly.

[Jeremy Epling] Yeah, it’s crazy. And they’re doing this and sometimes they have a company backing them, sometimes they don’t. Sometimes it’s in their spare time. So, I think there’s a systemic problem here we need to address in the supply chain that is the people. I think there’s another part of it where we’ve just seen people use their maintainership to kind of take stances on things that then hurt everyone else, right?

I think about, if you remember, colors and faker that happened in like 2022, where the maintainer was very upset and made changes that then broke a whole bunch of other people in the node ecosystem and then that fled into other things. I was working on NPM because that was after the GitHub acquisition.

It was on my team, and I was dealing with that. Like Event Stream was another one, I think in like 2018 or around then. And so where the maintainer switched and they handed off to a new maintainer, and that person was malicious and someone that shouldn’t be trusted.

So, I definitely think getting more oversight and helping these maintainers, the way companies or other people can contribute to making sure we have high quality maintainers. And the vast, I want to be clear, the vast, vast, vast majority of them are amazing and great. But I think helping them be successful and being rewarded for the impact that they’re having and giving them the right tools is really important.

Because not all of them are doing it, or even if they are doing it for the right reasons, it’s so easy for an attacker to come in and try to buy them out for something, right? And convince them to go take a pull request that they shouldn’t take or to add someone else to be a maintainer who they think is doing good work and it turns out that they’re not.

Closing

30:40.000

[David Spark] Well, that brings us to the very end of this episode. Thank you very much, Jeremy. Thank you very much, Mike. And I want to thank your company, Vanta, for sponsoring this very episode. Remember, go to vanta.com/CISO, critical that you add that “CISO,” so they know we sent you there, vanta.com/CISO, to get just-in-time information about your compliance environment, your GRC environment, and also to see what they’re doing with AI, which we were talking about earlier today.

Mike, any last thoughts?

[Mike Johnson] Jeremy, thank you for joining. I’ve said before and I’ll say it again, I always love it when we have product leaders on the show. Your perspectives and the way that you look at problems and challenges, especially when you’re bringing engineering approaches to things, it’s always great to hear from that mindset.

Specifically, I wanted to call out what you’d mentioned in the “What’s Worse?” about the idea of using engineering tools to help security. I really think that’s a great nugget for people to think about. They may already have all the tools that they need, or they have more tools than they realize they do, if they look at the engineering tools that exist in their environment.

So, thank you for that tip. And in general, thank you for joining us and thank you for bringing your mindset.

[David Spark] Jeremy, your last thoughts? And are you hiring over at Vanta?

[Jeremy Epling] Yeah, happy to. Yes, we are hiring. So, if you are interested in all disciplines and all areas on our security team, on our engineering team, product design, everything, we are growing a ton and would love to talk to you about where we’re going. Yeah, I mean, this has been a great conversation.

I mean, I think the final thoughts for me would really be around where AI’s going with security. I really like that conversation that we had. I think there’s a huge opportunity, especially in vendor risk management and in questionnaire automation, to really turn these questionnaires that I think everyone in the security team hates doing and dealing with, and really turning that into kind of a zero-click automatic process that’s continuous and not just…

[David Spark] Oh. Everyone would be happy with that.

[Jeremy Epling] Yeah, I mean, no one wants to go through these. They’re like 300, 400 questions. It’s pure pain. You’ve got to go do it. It is important to get this information, but it’s so repetitive and monotonous. So, this is an area where we’ve really leaned in and being like, “Hey, how can we automate this document gathering?

How can we automate whether you’re receiving the questionnaires or you’re the one sending them, this process, to really pull out these actionable security insights?” Because if you’re already using Vanta for your GRC program, we know your controls, we know your risks, we know what you care about, and we can go ahead and streamline that effort.

Because I think there’s so many great security professionals that are kind of spending too much of their time doing this mundane work and would much rather be on these high value problems and more exciting creative problems. And so the more we can automate, the more we can let you spend time on the more creative, fun aspects of your job.

[David Spark] Excellent. Thank you so much, Jeremy. And thank you, Michael. And thank you, Vanta. And thank you, audience. Let me stress, I need more “What’s Worse?” scenarios. Send them my way. I want a lot of good ones. Challenge Mike. This one, by the way, from Erik Bloch was quite good.

[Mike Johnson] It was a great one.

[David Spark] Thank you, everybody. We greatly appreciate you contributing and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.