Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, Vice President of Security Technology at Synopsys and author of “Software Security.” This podcast series is cosponsored by Synopsys and IEEE Security and Privacy Magazine. For more, see www.computer.org/security and www.cigital.com/silverbullet. This is the 132nd in a series of monthly interviews with security gurus. And I’m super pleased to have today Chenxi Wang. Hi, Chenxi.
Chenxi Wang: Hi, Gary. How are you?
McGraw: I’m good. Chenxi Wang is founder of the Jane Bond Project. Previous positions include security-related work at Twistlock, Forrester Research, Intel Security, and CipherCloud. Dr. Wang has also been an academic faculty member at Carnegie Mellon University. Chenxi holds a PhD in computer science from the University of Virginia, and she lives in Silicon Valley with her family. So thanks for joining us today.
Wang: Thank you for having me.
McGraw: So what does the Jane Bond Project do, and how did you get away with using that name?
Wang: Well, don’t you love the name? I love it.
McGraw: Sure. It’s a great name. It reminds me of the “G.I. Jane” movie though, a little bit.
Wang: Well, that’s not quite the association I want to draw, but Jane Bond is here to save the world. What can I say? Well, the Jane Bond Project is an attempt to look at different organizations and how they structure their culture and innovation to include diversity and speak to the concept of inclusion. So we’re doing studies. We’re going to be working with different companies to promote diversity inclusion, as well as doing some cyber security consulting work.
McGraw: Cool. And so how do you spend your time these days? I know you’re also a mom of a second-grader, and that’s plenty of work to do.
Wang: Yes. What I love about what I do now is I have a lot of time to do thinking. I’m reading a lot. I’m looking at different companies, different approaches, including technical approaches. And I’m doing lots of writing and thinking on how innovation and culture impact technical approaches as well as how we tackle sort of the human aspect of cyber security. I just gave a talk recently at the Singularity University, which is all about what happens when we live in the abundant future—information is abundant, resource is abundant. What happens to cyber security was the topic that I gave a talk about. And now I have time to think about those things, which is very interesting.
McGraw: That’s cool. I think what happens after singularity is Skynet almost immediately.
So you’ve been in computer security for over 20 years, and so have I. And boy, have things changed in that time. What got you started in computer security originally?
Wang: It was purely by accident, really. You know, I was at UVA, which you were at some time ago as well, right?
McGraw: Yeah, but I didn’t get my Ph.D. there. I got a lucrative degree in the field of philosophy there.
Wang: You were undergraduate, right?
McGraw: That’s right, yeah.
Wang: That was a little bit more of a happy time, I guess. I mean, I was in graduate school. So my study when I started at UVA, it was—I had the choice of going into computer architecture or computer security because of my advisor. And I looked at computer architecture, and I was like, “Oh, that’s kind of boring. I don’t want to deal with memory and page tables and stuff.” And so security at the time had an encryption project, which was really more math, and I always loved math, so I went into that project thinking, “Oh, I’ll do this project and see what happens.” And the rest is history.
McGraw: Mm-hmm. That’s cool. And did you study any computer security stuff in undergrad, or did you focus on math and other things?
Wang: I studied computer science as an undergrad but didn’t specialize in computer security, and back then there wasn’t really any program that specialized in security, right?
McGraw: Yep. Even when I got my Ph.D., there was like one crypto class, and that was it that was offered at Indiana at the time. So, you know, the field’s come a long way. I mean, what is your view of the relationship between, say, real academic research and what’s going on in the commercial marketplace, since you’ve watched both unfold over the last 20 years?
Wang: Yeah. I think the two are converging, which is very, very interesting. And I’ve seen lots of my friends who are academics are doing tech transfer in various ways and shape and form to the industry. I have friends who are doing research, pen testing, and now their technology is being used in startups offering commercial solutions. And that happens a lot, which led me to believe that the problems that we face in the industry are similar to the problems that, you know, academic researchers are tackling, which is a really great thing to see.
McGraw: Yeah, that means that pure research can, in some sense, be applied with the right amount of tech transfer. Of course, tech transfer actually takes a decade, it turns out, so...
Wang: Well, in general, yes. But we have, perhaps, some specific instances that are more successful than that.
McGraw: Yeah, quicker. But, I mean, if I think about static analysis for software security, for example, that took 10 years, even though it was pretty obvious that it was going to be a helpful technology. Let’s talk about that for a minute. So when you were a VP at Forrester, part of your coverage was in software security. And so I’m wondering what your current view of the state of software security is right now.
Wang: You know, I am almost giddy at how much attention is on software and application security, and it wasn’t the case when I was at Forrester. And I think we almost had to—I mean, I almost had to scream on top of my lungs, say, “Hey, look, we’ve got application security mechanisms. Please deploy them.” And now, the field has changed, the awareness has changed, and you see some of the, maybe, the recent exits in application security companies that were a little better than the previous ones, which indicates that the market is more ready, I guess, for application security mechanism innovations. And technologies such as RASP are being looked at by all kinds of companies, even though it may not be completely mature, but people are willing to try them out and understand the impact, which is good to see. And I think partially it’s driven by...everybody is under attack, right? I mean, we’ve been saying this for years, and now it’s actually happening on everybody’s radar screens, and that drives the more proactive thinking, which is what’s needed for application security to become more popular.
McGraw: Mm-hmm. I agree with that for the most part. I think that also there’s a realization that network technology, though useful, can’t stop all these attacks. So we have to do something more. We have to get proactive.
Wang: Right, right. And network security, to be honest, is becoming more and more blind, right, Gary? Everything’s getting encrypted. What do you do? I mean, you see the metadata, and that’s about it.
McGraw: Right. So, you know, there have been changes in software development, and I’m interested to know what impact you think DevOps has—and containerization and micro-services and all that stuff—on how the world approaches software security now.
Wang: Yeah, I think that’s a huge change and has a long-reaching impact in security—how we look at application security, that is. So when I was at Twistlock, I looked at how DevOps organizations embrace security, and it’s very, very different than how an IT security organization embraces security mechanisms such as firewalls or IPS, right? So one of the things you see very visibly is DevOps organizations move very fast. They don’t sit around and test things in labs and throw out different test cases, say, “What if this happens? What if that happens?” What they do is they want to...time to market is of the essence to them.
Now, that could be good and bad for security, but what we have observed was that they’re a lot more willing to try things even in a production environment. I mean, Twistlock was one of those solutions that they put in their test environment and the next week they put us in production. I didn’t even know about it. We were like, “What? We were in production? How come?” And that’s how fast things have to move within the DevOps world. And what that means is security has to move as fast or the security mechanisms have to sort of accommodate that, right? When you get to that kind of speed, what that means is you have very much an API-driven design. You can’t be too proprietary or too closed. Everything has to be API-driven, standards-driven, so you can plug-and-play into existing environments very quickly. And that demands a certain kind of application security approach, if you will.
McGraw: Yeah. I think I agree with most of what you said. In particular, automating aspects of software security has got to be done. That’s very clear. But I worry about architecture. I mean, from what I’ve seen, you know, the DevOps people just pretend that architectural flaws don’t exist. So they’ll automate the heck out of bug finding and automate the heck out of black box pen testing and whatever, but that leaves architecture behind. What do you think about that?
Wang: So maybe you can clarify for me a little bit what you mean by “architecture” in this context.
McGraw: So what I mean is the design is not the code and anybody who says that it is is slightly insane. The design is the design. So when you have, say, a protocol between your client or your multiple clients and your server—which is supposed to not have much state but still ends up having some—you have to design that protocol carefully. And it’s not really about bugs that you’re looking at. It’s about, say, communication between nodes and about things like playback attacks and stuff that’s just architectural-level problems, not really code problems. That’s what I mean.
Wang: Right, I agree with you to a certain extent. I think on a code level, flaws are easier to be dealt with in the DevOps world. You can very easily kill a micro-service component and start a new one or kill a container, start a new one with the bug fixes in it. And, you know, we have seen this being deployed at scale in production environments. For architectural design flaws, the micro-services architecture doesn’t quite make it easier, but it doesn’t make it more difficult than traditional environments either. What I have seen is you’re right: People have more of a focus on sort of a production environment and code-flaw fixes and less of a focus on designing things right, which isn’t necessarily good in itself. But what micro-services and containers allow you to do is think of things in sort of a little bit more agile kind of way, right? So if you really have to go back and redesign the protocols between two components, perhaps the rest of the applications do not need to be affected, the rest of the components. So you do have to go back and redesign, retool, and recode, if you will, but the effort hopefully is less than you have to deal with in the traditional monolithic application way.
McGraw: I think that’s wildly optimistic.
McGraw: But we’ll go with wild optimism, why not?
Wang: Hey, I’m always an optimist.
McGraw: I know, I know, I know. So wildly optimistic. And you’re always wild too. We’ll give you both of those things.
Wang: Hey, hey, hey.
McGraw: So your thesis advisor and my friend, John Knight, died last month, on February 23 this year.
Wang: Yeah, he passed away, yeah.
McGraw: Which is sort of a bummer because John was an interesting fella. So tell us a fond memory that you have of John and his work and what it was like to work with him when you were in your 20s.
Wang: John was a very interesting guy. I would say, you know, his passing really made the entire...it reduced significantly the dry-wit level of the department. And that’s to say it lightly, really, right? Obviously, he had a tremendous impact on my career and also had a tremendous impact in the field of software reliability and dependability. Can I tell an interesting anecdote about John?
McGraw: Please, please do, yeah.
Wang: He’s a very interesting guy and likable, but, you know, he has this sort of serious facade about him. But he told me that the first time he came to the U.S.—which was a long time ago, I guess—he and his wife landed in this small town in, I think it was, Virginia or West Virginia, I don’t remember. So it was late, they checked into a hotel, and nothing was open but a pizza place, and he had never had pizza in his life. So he went to the pizza place, and he ordered a pizza, and they gave it to him in a box, and he had to walk back to the hotel. And instead of carrying the box, you know, level, he carried it under his arm.
Wang: Yes, he didn’t know how he was supposed to carry it, right? And when he got to the hotel, of course, everything was like bunched together, and you can imagine. And it’s just a classic John story. So yeah, and it’s very sad that he passed at such a young age. John was the editor-in-chief for the ACM Transactions on Software Engineering, right? And through that role, as well as his research, he’s contributed quite a bit to the field of formal methods used for software engineering and methodologies used for reliability testing. My thesis, which I worked on with him, was on obfuscation for source code. And there’s actually a term for—the technique that ultimately became the core of my thesis was “flattening control flows.” So you give me any piece of code, I have an automated compiler that takes the code and flattens all the control flows so that the whole program looks like a data-dependent loop, and that obfuscates, you know, how the structure of the program is. And that technique is now called “chenxification.”
McGraw: That’s funny. Did John coin that term, or did somebody else coin it?
Wang: So John didn’t coin that term. It was Christian Collberg from the University of Arizona.
McGraw: Yeah, Christian was a guest previously on Silver Bullet.
Wang: Right, and he’s a great guy. But John was the one who directed that piece of research.
McGraw: Yeah, interesting. So I was going to actually ask you about your thesis, and you told us about it, which is great. And people should know that it was awarded the ACM Samuel Alexander Award for Excellence in Research. I think the first time I met you, you were still a grad student of John’s, and it was at some DARPA meeting, probably under the catchphrase “survivability.”
Wang: That’s right. I remember “survivability.”
McGraw: Yeah, I think it was even in your thesis title, wasn’t it?
Wang: Gosh, Gary, it’s been a long time since I looked at my thesis.
McGraw: I’ll bet you 10 bucks it says “survivability” on it.
Wang: OK, I will check when I get home.
McGraw: We’ll be right back after this message.
If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.
So let’s turn to something else. You’ve been very active in promoting diversity in technology, which you talked about a little bit when you were talking about the Jane Bond Project at the top. In particular, you’ve been really active promoting women in security. So last year you were the chair of security and privacy for the Grace Hopper Conference. And—oh, by the way, I met Grace Hopper in 1989, and she was super awesome. So what is the mission of the Grace Hopper Conference?
Wang: I’m still the program cochair this year for the Security and Privacy Track. The Grace Hopper Conference is the largest gathering of women in computing in the world. Last year the conference had 15,000 attendees, and we expect more this year. But beyond its sheer scale, it’s a conference of not only networking but mentorship, and also a conference of celebration of how far women have come in the field of computing. So what I liked about Grace Hopper—and very similar to its mission statement—is we’re here to celebrate how far we’ve come, to look at where we’re going to go, and to help each other and help the community in general to become more diverse and inclusive. And so there are many, many technical tracks in Grace Hopper. It’s all computing technology. So security/privacy is a track. There’s a track on software engineering. There’s a track on artificial intelligence. There’s a track on, I think, like compiler technologies and others. So, typical computer science tracks you would expect at the conference. Another thing that is very unique about the conference is many high-tech companies would go there and set up on-site interviews with attendees of the conference. So anything…
McGraw: So they can up their own diversity.
Wang: Right. Right. And Facebook, for instance, last year they ran an interview-training workshop at the conference. So, you know, you can go and they’ll tape you, you do a mock interview, they’ll tape you, and then they have a coach work with you on how you answer the questions and all that stuff. It was very, very interesting. And for me, Gary—you probably didn’t know this—I went to the very first Grace Hopper Conference when it was…
McGraw: That was what? Five years ago or something like that?
Wang: Try 1994 or 1995.
McGraw: Holy cow! Really? Wow. So you were there when you were a grad student.
Wang: Yeah, I was…I think I was a first-year grad student. And it was the very first one. And my advisor at the time, Bill Wulf, he was a big supporter, and he basically sent all his female students to attend the conference.
McGraw: That’s great.
Wang: And it was in D.C., so pretty easy for us to get there.
McGraw: I bet Anita made him do it.
Wang: Yes. Both Anitas. Anita Borg and Anita Jones.
McGraw: Right. I was thinking of Anita Jones, of course.
Wang: Yeah, and that was, I have to say, a big inspirational moment in my life, and to come back, you know, 20 years later to serve as the chair was a proud moment of my life.
McGraw: That’s really cool. What’s the most interesting and inspiring thing that happened at the conference itself last year?
Wang: So last year, the biggest thing that I remember was one of the keynotes. Marc Benioff came up on stage as the closing keynote. He talked about his efforts inside his companies for equal pay as well as for equality. What he said—which completely resonated with me—he said, “As the CEO,” he said, “I am white, I am black, I am Asian, I am Middle Eastern because I have to represent every single group of employees as well as customers.” And the realization that diversity is so core to business today, I think many people can talk the talk, but really walking the walk, few CEOs can do that. And Marc is an example of that. It was really inspirational.
McGraw: That’s really cool. So something different now. You’re a big fan of gadgets, just like I am. So here’s a question: Where does your Google Glass live these days?
Wang: In a drawer in my house.
McGraw: Mine’s hanging on my bar.
Wang: OK. Well, I have Google Home now. So that’s one of my latest gadgets, which talks to my Nest thermostat and camera. So yeah, I mean, you and I both—like sometimes we go a little bit too first-generation adopter.
McGraw: Well, look, I don’t have a Tesla, so at least you’ve got one of those. That’s pretty cool.
Wang: Yeah, and I’m—you know, this is kind of weird to say, but I bought my Tesla so early that it didn’t...until today, it couldn’t even have self-driving capability because it was so early, too early to have.
McGraw: Right. That’s interesting. Did it have insanity mode when you bought it, or was that a new thing too?
Wang: That’s a new thing.
McGraw: You’ve got to become a slightly less early adopter.
Wang: I have a...I don’t know if you’ve heard this story before, but I bought my house on my Tesla. Do you know that?
McGraw: No, I didn’t know that.
Wang: So we were bidding on the house, but after we put in the bid, we actually had to go out of town. And we were in the car driving to the airport, and my agent called to say, “Hey, you know, you’re in the top three or something. Do you want to put in a newer bid?” And we’re like, “OK.” And she’s like, “Oh, I’m going to send you DocuSign. You have to sign it.” And I was like, “Whoa, we’re in the car,” and, you know, phones are just not very good for...small screen for that. And we were like, “Oh, I’ve got a 17-inch screen in my car.” So, I mean, literally we logged in on our email in the car, in a Tesla, and my husband and I signed it and sent back, and by the time we got to the airport, we had the house.
McGraw: That’s awesome. I love that story. Really nice.
Wang: It doesn’t get more Silicon Valley than that.
McGraw: No, it doesn’t. It’s really good, and it’s also really sort of sad.
Wang: It is sad. And to think back, right? I probably sent the signed document over unsecure SSL.
McGraw: I love it. It wasn’t even encrypted. So you said before something that I thought was interesting, which is, you know, you’ve got to fix the diversity problem, not just talk about it. So what’s the number one thing that you can do as an Asian woman to fix the diversity problem we have in technology?
Wang: Huh, I’m not sure being an Asian woman really makes a difference one way or another, right?
McGraw: Fair enough.
Wang: I think of, you know, being a woman maybe. So just bringing awareness to the issue, and also I’m working with organizations like WISP, which is Women in Security and Privacy. We’re trying to start...we are starting a women’s speakers bureau. So we’re going to compile a database of women experts in different aspects of computing, and we’re going to open source it. So next time you’re doing a conference and you’re doing an all-male panel or all-male speaker roster, please take a look at that. And don’t complain that “Oh, I don’t know where to find good women speakers,” because we will have a database of high-profile and accomplished women speakers for different events.
McGraw: Cool. That’s a great idea.
Wang: Yeah, that’s just one of the things we’re doing. And we also are compiling practices of different organizations, what works, and trying to publicize that for other companies to take away. A lot of CEOs today, for instance, are afraid of doing salary reviews to erase the gender pay gap because they don’t know how much they’ll have to put down to raise it, right? Like, one gap...
McGraw: I heard Benioff had to put down 3 million bucks for the Delta.
Wang: Yeah, $3 million and more, a little more, I think. But, you know, once you ask the question, you cannot unask it, right?
Wang: So how do you make sure that they are not afraid of asking the question? And then they have the arsenals in place to help their organizations erase the gender gap over time.
McGraw: Yeah, that’s great. Well, thanks. So you said at the very, very beginning of our conversation that you had more time for reading, so what book are you reading at the moment, and is it any good?
Wang: Well, so I’m reading this book, which I am now blanking on the author’s name, but it’s “Fast Thinking, Slow Thinking” [“Thinking, Fast and Slow”].
McGraw: I think that’s Tversky, isn’t it? Or Kahneman?
Wang: It’s a little bit about diversity, but it’s also about...so how—
McGraw: No, no, not diversity, I said Danny Kahneman and Tversky are psychologists, and I think they wrote that book, but maybe not.
Wang: Maybe. So I just got that book. I’m just starting to read, and I’m really bad on names. So it’s really about how culture impacts the way humans think of problems and problem-solving approaches. And so it kind of puts things in a very macro view for me, right? And so that’s interesting because I sort of felt like when I was working, every day you’re kind of in the middle of something, you have to solve that problem, you don’t have time—
McGraw: Self-reflection is difficult, right?
Wang: Yes, absolutely. And especially self-reflection over a longer period of time, which is what this book’s trying to focus on, which really gives me some healthy perspective. Like, you know, one of the things people kept talking about is the advent of AI, how that will impact low-skilled workers, and to me, in thinking about the macro view of this, to me it’s just a blip on the progress, right?
McGraw: Yeah. It’s kind of an important blip though, if it changed the politics of the United States. So I actually think that one big impact is going to be when truck drivers don’t have a job because all the trucks drive themselves. It’s going to be a massive impact to the Midwest.
Wang: Right, and how does a society deal with that, right?
Wang: So where can we put these truck drivers, and should we go with something like universal income? Which is one of the very, very interesting things for us as a society to think about.
McGraw: Yeah, cool. Well, thanks for your time today. It’s been an interesting conversation.
Wang: Thank you, Gary. It’s always a pleasure.
McGraw: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is cosponsored by Synopsys and IEEE Security and Privacy Magazine and syndicated by Search Security. The January/February issue of IEEE S&P Magazine includes our interview with Marie Moe, a Norwegian security researcher who hacks her own pacemaker. Show links, notes, and an online discussion can be found on the Silver Bullet Web page at www.cigital.com/silverbullet. This is Gary McGraw.