Posted by Synopsys Editorial Team on May 9, 2017
Fault Injection is a podcast from Synopsys that digs into software quality and security issues. Hosts Chris Clark, Principal Security Engineer at Synopsys, and Robert Vamosi, CISSP and Security Strategist at Synopsys, provide a forum for industry experts to talk about software security topics and their intersection with specific verticals such as medical, automotive, and finance.
In this inaugural episode, “Think Different,” Robert and Chris discuss the goals of the podcast as well as the need to include as many voices as possible in any software quality and security discussion as we all bring different experiences and knowledge to the table.
You can also join the discussion by sending us an email at firstname.lastname@example.org.
Or, read the transcript for Fault Injection, Episode .000: “Think Different” below:
Robert Vamosi: I’m Robert Vamosi, CISSP and Security Strategist at Synopsys.
Chris Clark: Hello, my name is Chris Clark. I’m Principal Security Engineer at Synopsys.
Robert: Welcome to “Fault Injection.” Now you’re probably thinking, “Why do I need another security podcast?”
Chris: That’s a great question. There’s so many of them out there, so many podcasts that talk about different technologies, new and upcoming events, but we’re going to do something a little different this time.
Robert: Yeah, we’re going to dig a little deeper. We’re going to take some topics and really open them up and talk to experts, and also draw upon our own experience. I bring to the table nearly 20 years of security experience. Chris?
Chris: Twenty years also. We’ve been in the industry for quite a while, and know quite a few people that are out there. That’s one of the things that we’re going to do differently. We want to bring these industry experts in and really dig deep into the topics we’re going to be talking about. We’re not going to just scratch the surface this time.
Robert: Yeah, a really broad range, so we’re not going to focus on any one thing. If anything, we want to start addressing what does it mean to think and act with security in your life. What does that mean? Bruce Schneier talks about this concept of once you see the world through a security lens, you see it very, very differently. How does that work?
Chris: There’s a lot of different views. When we look at the psychology of hacking, and hackers in this particular industry, there’s a lot of different factors that come into play. What are they? Why are they important? Really, at the end of the day, what’s the psychology behind that?
Robert: You bring up an interesting point. You use the word “hacker.” I think that word has been misappropriated over the years. I like to think of hacking as taking something apart, and it’s either good or bad. There are people who do it for the benefit of research and for knowledge, and there are people that do it for criminal enterprises and financial gain. I just want to be clear that we’ll probably talk about both.
Chris: I agree. When we talk about the white hats, the black hats, the grey hats, what is that? Many people in the industry, even some security professionals have differing opinions on this. Let’s dig into that. Let’s make sure we understand what we’re really focusing on, what the real challenges are.
Robert: You bring up the psychology as well. Just as I said that there was a psychology around security, there’s also a mentality around a hacker, how they look at things and how they start to deconstruct things the minute they see it. If it’s a new piece of technology, how am I going to extract something from that that maybe was unintended?
Chris: What you’re talking about is really important because these types of people (“hackers,” for lack of a better term, for now until we dig into this) think differently. It’s a very different process that they go through. What are the ideas that are driving that? How do we take a look and understand what the impact is to thinking differently, and how can you think different?
Robert: You mentioned thinking differently. When you walk into a meeting with somebody (you mentioned it, because I’ve heard you say it), what are some of the steps that you helped them go through?
Chris: There’s a wide range of things. When we look at what the software development practices are, what type of components they bring into their products, how they use their products in many different ways, ultimately, what we start talking about is a supply chain. I know we’re going to talk about that a lot more later. There are so many things that we want to focus on, in that respect, and tear each one of those apart and get a better idea at what that environment really looks like.
Robert: You’re right. You stole my thunder because one of the things we want to do is do an overarching theme for a couple episodes, digging into what’s called the “cyber supply chain.” What does that mean? And individually, how does it affect specific verticals? We can play that out because I think people have a concept of cyber supply chain, but maybe they don’t see it in the way that we see it, or the way they might want to see it in the future.
Chris: Or understand the importance.
Chris: When we really start digging into what surrounds us in our world, when we look at a TV, when we look at a car, when we look at our cell phones, what really makes up that component? Is it a system of systems? Is it software from many different manufacturers? What are the implications of tying those together? When we talked about hackers earlier, that’s what they really get excited about. How do I get into that system and break it apart and take advantage of those individual components within?
Robert: Right. The other thing that we really want to do is start a dialogue. There’s an email address and there’s also a comment section, feel free to use that. We want to incorporate your ideas, and in future episodes, we want to bring some of those into the show. We might even end up interviewing you.
Chris: That’s actually what I think makes this podcast exciting. There are so many different views out there, so many different activities happening in the market, and we only bring two viewpoints to this. We want to get more and we want to bring all that in. We want to talk about what those challenges are, what other people are experiencing, so ultimately, everybody can learn. One of the greatest challenges we face from addressing cybersecurity is education. It’s one of the things we have to take a look at and dig in much deeper.
Robert: To continue your point about different points of view, one of my mantras this year is “security is subjective.” We all bring to the table different experience and we can learn from that, so that gets to the education component as well. If we just talk more about what we’re experiencing and what we’re seeing, we improve the baseline for security all around.
Chris: That drives to another point, which is getting to the core of the problem. Everything that we look at is based off software. How do we communicate those challenges around software? Many of you that may be out there may not even know what a CWE is, or a CVE is. How do we share that information in a meaningful manner? That’s going to be one of the important factors that we focus on in some of these discussions in the future.
Robert: Right. I hope you join us on this journey and look for our next episode.
Chris: Thanks for joining us.