Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of Software Security. This podcast series is co-sponsored by Synopsys and IEEE Security & Privacy magazine, where a portion of this interview will appear in print. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 151st in a series of interviews with security gurus, and I’m super pleased to have today with me Meera Rao. Hi, Meera.
Meera Rao: Hey, Gary. How are you?
Gary: I’m good. Thanks for joining us. Meera Rao is a senior principal consultant and the director of the secure development practice at Synopsys Software Integrity Group. She has over 20 years of experience in software development in a variety of roles, including lead developer, architect, project manager, and security architect. Before joining Synopsys through acquisition two years ago, Meera worked as a consultant at Cigital for over 10 years. Meera knows software security intimately and specializes in many touchpoints, including code review, static analysis implementation, architectural risk analysis, secure design, and threat modeling. Lately, she’s turned her attention to DevOps and is leading efforts to tame that technology at Synopsys. Meera lives in Burtonsville, Maryland, with her husband and daughter. Her daughter is an aspiring orthopedic surgeon in her fourth year of med school at Duke. (Wow, that’s pretty cool.)
So you’ve been a software security practitioner for over a decade.
Gary: It’s amazing, isn’t it? What got you into software security from development?
Meera: I think it’s an interesting story. So I was actually working as a continuous integration practitioner with an earlier company. This was the time when the economy was going down. And then one fine day, I came to know that I had no job starting Monday.
I interviewed at Cigital on Saturday. They asked me to join on a Monday—this is in 2008—after an interview. So by the end of the day, I had a job and an offer letter at Cigital. I didn’t know anything about software security. I learned everything from scratch at Cigital.
Gary: I love it. And quite a bit you learned, too. But this is interesting. I think that it’s easier to come to software security with a strong development background than it is to come with a background in, say, network security. Do you agree? Did you find it pretty straightforward?
Meera: I think it was challenging. But I think, like you mentioned, since I had done a lot of software development, I had a lot of knowledge about architecture and a lot of the languages. So I was able to immediately get into code reviews. And then slowly—I think this is where Cigital took a risk—they put me on a lot of architectural risk analysis gigs. I started learning threat modeling.
Also, since I had already done CI/CD, once CI/CD and DevSecOps took flight, if you may say, there was no stopping me, because I had all the security background which I gained within Cigital (now Synopsys). I had a lot of expertise and exposure to tools and automation, especially with DevSecOps. I think I was able to bring together my development experience because we could customize a lot of the tools and a lot of the scripts. I could bring in my developer hat and work with the developers closely. I understood their pain points. So all three together—my development experience, my experience with CI/CD, and then the security experience that I gained—was key to bridge all of those gaps.
Gary: So in your view, over the last 10 years, do you think we’ve made progress in software security as a field?
Meera: It’s really so funny, because when I started, the very first question they asked me was, “What is SQL [sequel] injection?” I had to ask them like 10 times, “What do you mean, SQL injection?” No, I think they said “S-Q-L injection.” I was like, “What do you mean, S-Q-L injection?” And then even now, when we do all of these activities, whether it’s CI/CD or just static analysis or even code review, we still see that kind of stuff in the code. So, have we made progress in automation and changing the culture? Yes, but then I think we still have a long way to go.
Gary: It’s kind of hard to see progress when you’re sitting at the top of the mountain, I know. You’re like, “Where is everybody? Get over here.”
As you well know, software defects come in two flavors: bugs and flaws. And in some ways we’re much better equipped to deal with bugs in the code than we are with design flaws. In particular, architecture analysis turns out to be hard. So you said you learned how to do that. We sort of threw you into that. How did you learn?
Meera: I think the initial challenge was that I used to look only at all of the frameworks. I never looked into the architecture from a security perspective. My main goal was, “How have they built this application? What technologies have they used? What languages are they using?” I usually focused on the framework level because that’s what I knew best. Then I was able to say, “Oh, OK, they are using the Spring Framework in the wrong way here.” That’s how I was able to understand.
Then slowly I started gaining knowledge about what we mean by “an attacker.” What do we mean by “an asset”? What do we mean when we say, “Hey, this control is there, but it is not sufficient to protect this asset”?
It took time. I could do it initially, but then it took time for me to understand all these issues related to security, and then put on my architect hat, and then say, “OK, now I understand both of these things.” So I was able to succeed in doing architecture risk analysis and threat modeling.
Then at this point, when we build the DevSecOps pipeline—I call it a DevSecOps pipeline, even though it’s a CI/CD pipeline, because we make sure that the pipeline that we build is dynamic in nature. So it’s able to look at your artifacts from risk analysis, from threat modeling, and so on. Again, everything we need in the pipeline has to be, in some way or form, in a digital format. All of us love pictures, but if your threat model is in a nice picture, it’s not going to help us in our DevSecOps pipeline.
I’m able to bring in all of that knowledge that I have, that I gained in my early years in Cigital, to my DevSecOps pipelines.
Gary: I think that makes sense. I mean, one of the things to emphasize is that you brought your own understanding of how software is constructed and frameworks and libraries and things like that, in the beginning. And you leveraged that expertise to gain some experience to learn other stuff. I think it’s important to note that that previous experience was super important. But I have a question about this whole process: How do you think we can scale something as expertise- and experience-driven or experience-intense as architecture risk analysis? Do you have any ideas?
Meera: I think the main challenge is, we bring a lot of people with security background but who haven’t even written a single line of code in their entire life. So I think we need to make sure that we bring more people from the development side. Make sure you bring in people who have led some project, who have worked as either lead developers or who have worked as architects. And then training them, especially to do risk analysis, is easy because they understand the entire architecture of their application.
Gary: I think it’s easier, but I don’t think it’s easy, and I also don’t think it scales. It’s one thing to say, “Well, we can train more people how to do it.” And I think we’ve shown that we can do that. But we need not five times more or 10 times more people doing this out there in the world than we have today. We need more like a million times more. So I think scalability is still an open question. But don’t worry—it’s open because it’s hard.
So let’s approach it from a different angle. Automation has always been an important aspect of software development, from the days of the very first assembler. Remember they built this thing called EDSAC, or Electronic Delay Storage Automatic Calculator, in 1948. That was the first automation. Tell us about your opinion on the most important aspects of software development automation going on today—doesn’t have to be security, but just software development automation in general.
Meera: I think one of the key things when we talk about automation is, most of the tools, whether you’re using them for security or you’re using them for quality, have some command line interface for you to automate. But the challenge is, with automation, you have more and more information or things which come out of these processes. So the more you automate your entire SDLC process, the more processes do you need to have in place in your SDLC.
Gary: To handle all of the “information stuff.”
Meera: Yes. Whether you automate for unit tests or whether you automate your static analysis, there are issues which come out of that. What are you going to do with those issues? Do you have a process in place to automate simple things, as simple as defect tracking?
Meera: Do you have a process in place to gather all the metrics that come out of your automation? Do you have a process in place to do some kind of governance based on the issues that are coming out of your automation? I don’t see industry focusing in that area. So yes, everyone wants to automate. “Yes, I want to automate static analysis. I want to automate software composition analysis, dynamic analysis.” But what are you going to do with the results, right?
Meera: I think that is where I keep telling all of my clients, or anyone whom I work with, “Hey, we need to make sure that you bring together not just automation but even people, as well as your process in place, on top of automation. Then you are able to scale whatever you are doing. You are able to mature your automation to the next level.” I think that is where I see most clients fall flat.
Gary: That’s interesting. I mean, there is also the fact that some people try to automate a process that they can’t do by hand yet, which is even before this problem that you’re mentioning. But yeah, having a place for all that information to go is critical.
You were, for many years, the go-to person on CI/CD at Cigital before this whole DevOps flavor-of-the-day thing caught on. So I wanted to ask you, what is CI/CD, and how did it influence DevOps and DevSecOps?
Meera: It’s interesting because when you talk about CI/CD, everyone assumes, yes, when I talk about continuous integration, continuous delivery, continuous deployment, the key here is to understand that when you’re building continuous integration, it’s the very early stages. You still are checking in your code. You want to make sure that when a developer checks in all their code, you are able to run your automation scripts. You highlight a lot of the tools.
So CI/CD is mainly about automation. What do you do in continuous integration, what do you do in continuous delivery? So you’re going towards the right of your SDLC when you do continuous delivery, where you have a staging environment. You can constantly run your integration tests, functional tests. And once you want to move even further, continuous deployment: Every change that the developer checks in goes to production.
So yes, CI/CD is something which is required for DevOps. But then, in DevOps, it’s mainly the culture. You want to emphasize responsiveness. You found an incident in production: How quickly can you change your code, push it through your CI/CD pipeline, and push this new change or this new fix to production? And then in some cases, you push something to production, it goes completely wrong: How do I go back to the previous version?
Gary: Roll back.
Meera: Yes, roll back.
Gary: Run away, retreat.
Meera: Yes. So I think CI/CD is all about automation. Then you go to the next level and bring in the culture, after you put the processes in place. I think that’s what we strive, especially within Synopsys, when we work with our clients. We want to make sure that if you have risk management in place and then you say, “Hey, this critical vulnerability needs to be fixed in seven days,” the pipeline needs to have access to that risk management tool. Because it wants to query that and say, “Hey, do you have anything which has crossed seven days, the threshold?” No one has anything like that.
So I think it’s very important. Everyone has this risk management in some spreadsheet or a Word document, all of the metrics in nice PowerPoint presentations. That’s not going to help you build a DevSecOps pipeline.
Gary: So in your view on software security, do you think DevOps has been good for software security, bad for software security, or that’s a dumb question?
Meera: No, I think it’s not just good; it’s amazing. Because most organizations are trying to automate things like static analysis and software composition analysis now, because they know the problems that they are facing, especially with open source security issues and open source frameworks. Most of the organizations we work with right now are trying to shift left. So they’re trying to find out, “OK, what tools do I need to install on the developers’ IDE so that they are able to find all of these issues as they are actually developing code?” So I think it has been amazing. DevOps has been amazing for software security.
Gary: OK, so you’re obviously a cheerleader, and that’s good. But what’s the biggest danger of DevOps in your view?
Meera: I think the biggest danger is to assume that with tools, that they are a catch-all solution. Just because you automated a tool in your pipeline, you are not done. You have all of the tools for static analysis, dynamic analysis, software composition analysis, fuzz testing. You automate all of these tools and then (incorrectly) say, “I am done.” I think that’s the mistake a lot of the organizations make. Because like we all know, tools suffer from false positives, false negatives, spotty analysis. You need to make sure that you do have automation but then, at the right time and place, you also have touchpoints where you trigger manual activities.
Gary: Like, let’s say, architecture risk analysis, for example?
Meera: Yeah. Like threat modeling. Someone changed an authentication and authorization API all of a sudden. You need to make sure that your threat model is updated. Now you ran your static analysis, and it found all of this and tens of SQL injection issues too. Someone needs to do a manual code review. So even though you have built this pipeline, it needs to be dynamic in nature. It needs to know, “When do I trigger all of these out-of-band activities? When do I make sure that all of these activities, like a threat model or even the security requirements, are actually handled?” So I think we need to make sure that we build these pipelines. I think that’s where we strive a lot within Synopsys, is to help clients build this dynamic model which is able to help them scale. Because you want to make sure that you don’t run all of the activities all the time.
Gary: We’ll be right back after this message.
If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.
This year for BSIMM9, we added three new activities to the BSIMM that are related to this idea of CI/CD and DevOps we’ve been talking about. One of them, SE3.5, is about orchestration for containers and virtualized environments. In your experience, how does orchestration technology—like, say, Kubernetes as one example—impact security?
Meera: I think it does a lot. Because whether you are using all of these orchestration tools for deploying your end application or for testing, that’s where we are seeing a lot of organizations move. Most of the companies we talk to are saying, “Hey, we are using Docker containers to deploy, and then we are trying to build all of the infrastructure all the way from start.”
Gary: “Turns out we have a million Docker containers.”
Meera: Yes, but I mean along with all of those containers come new challenges. Even for testing, that’s where we are seeing a lot of clients gain a lot of benefit using these Docker containers. Just an example: Because you want to scale your application security from 10 applications today to maybe 100 applications next year. Even like three years back, we used to run to the IT department and say, “Hey, we need this beefy VM in order to scale.” Now, it’s just a Docker container. You have a Docker container. Today you have 10 applications; you can spin up 10 Docker containers, run your scans for static analysis, dynamic or software composition analysis, then discard the containers. And next year if you have 100 applications, you can scale it to 100 applications.
So I think we are seeing many, many of our clients use all of these orchestration tools in order to scale both to deploy their end application as well as to do a lot of the testing in their DevSecOps pipelines.
Gary: Interesting. All right, let’s switch gears and talk about mentorship a little. Your mentors at Cigital, Girish and Kabir, have been credited by you with helping you along in your career. So how did they help? And what have you applied to your own mentees that you learned from those people?
Meera: I think one of the key things that I learned from both Kabir and Girish is speaking up. A lot of the times when I used to go to Kabir, as well as Girish, and ask them or talk to them about some of the challenges I was facing, they used to ask me, “Why did you not go talk to that person?” I was like, “I don’t know.” That’s how I used to talk to them. “I don’t know. I don’t want to talk to them.” They were like, “No, Meera. When you have an issue, you need to go talk to that person and get feedback.” And then even all of the challenges that I used to face, rather than just going to my mentors and talking to them about the challenges, one of the things they forced me to do was to bring them some solution.
Meera: Not just going to them and keep complaining on and on and on. But then the solution might not be the one which is finally what we are going to implement. But they were like, “You need to come up with solutions.”
Gary: At least start thinking about the solution, not just whining.
Meera: Yes. And then the next thing they taught to me was to think in terms of not only a technical solution but what is best for the client. So start thinking from the client’s perspective. So is this going to scale for them? Is it going to help them? How is it going to also benefit us all in the long run? I think that is where they were able to push me to think in a completely different direction.
And I now do those same things. I am very, very passionate about getting more women especially in DevSecOps. Almost 90% of my team is made up of women. That’s exactly what I talk to them about. I am very honest with them. If we are facing any challenge—we do many times—I make sure that I talk to them. I work with them. I share everything that I know. This has been a winning philosophy from day one, since I joined Cigital. I don’t like to be the only one who knows everything.
Gary: You become a real single point of failure in that case. That’s for sure.
Meera: Yes. So I want to make sure that I spread my knowledge. I think having those two people like Kabir and Girish as my mentors completely changed the way I look at working. Yes, it was my passion—CI/CD, DevSecOps—but then you always need a cheerleader to cheer you. So I think they did that. I used to go to them with all of the new ideas, and then they were able to take those ideas and then grow them.
Gary: That’s great. So let’s talk about women in tech a little bit. Your own approach—recently featured in a Synopsys piece published in USA Today, by the way, cool—seems to involve being a very strong person and standing your ground. Which you just sort of talked about a little bit. But is that accurate? Can you talk about that a little bit more and why standing your ground might be a challenge for women in tech?
Meera: Yeah, I think it is. For me, I grew up in a household where women were very strong. My mom, in India, in her age, did a hunger strike, which she learned from Mahatma Gandhi, because she wanted to go to college. And she did! She was the biggest cheerleader. She was like, “I don’t care. My daughters have to study.” So from the beginning, I was very independent, I was very passionate, and I knew what I wanted to do. I always knew I wanted to be an engineer, a software engineer. And then, especially when I came here in the U.S., I had a lot of challenges. Even though we speak a lot of English in India, the accent itself was very hard to understand.
Gary: [in a southern accent] “I don’t know what you’re talkin’ ’bout.”
Meera: Yes! And then I think I focused a lot on learning, especially in my early years here in the U.S. Writing a lot of blogs, especially to Javalobby, which is now called DZone. So I was able to build my visibility even before I became part of Cigital. Then I think that the challenge is, especially in the software world, things change every single day. You need to keep up to that change. If you are not able to keep up with the change, you lose the train. Ultimately, I was able to keep up with the change.
One of the biggest challenges for women is family. And for me at least, yes, family is first. But then I’m very honest even within Synopsys now. If there is a challenge in my family, someone is sick, I am very honest, “Hey, I need to go home today because this is what is happening.”
I think the company understands that women have way more challenges than men—let’s be honest. But then I think that is where the company where you work really helps you or builds you up. I think Cigital did that, and now we are in the same position even with Synopsys, where they are able to understand women’s unique challenges, where they are able to help you grow. They help me travel around the world to speak.
Gary: Even accidentally going to Nice, for example.
Meera: I know, I know, right?
Gary: I love that story. I want to ask you one really quick last question: How do you think we can encourage more women and minorities to get into software security? In one minute or less.
Meera: I think the biggest thing would be to spread the message how this industry can help them grow, all the benefits that they can reap from the cyber security industry. I think that would really help them, because everyone has the opinion that “especially when I’m working in this industry, I need to travel a lot” and things like that. We need to educate them that no, this is the place where many times, you can work from home, you can work remotely. You will always be in demand. And then you are never out of a job.
Gary: Constant state of employment. I’m with you. I think that’s a great piece of advice. So one other question: In April, you visited your 101-year-old grandmother in India. She’s very proud of your accomplishments, and rightfully so. When you’re 101 yourself, how do you think the world will have changed?
Meera: Wow. I think it should change. I think we, men as well as women, should encourage that change. I hope that when I see my grandkids or great-grandkids, like my grandmother did, I will not see all of the issues that women face right now and that finally there is no difference between a man and a woman when I am 101 years old. That’s what I want to see.
Gary: I love it. That sounds like a great way to go. Last question: It’s a tennis flyer. Why do you think Federer is better than Nadal anyway?
Meera: OK, yeah, that’s a … I think … so let me be honest here. I don’t know, if Federer listens to this, would he be upset? Any time Federer is not playing, I cheer on Nadal.
Gary: So he’s number two in your book, a good solid number two.
Meera: Yes, it’s the sportsmanship.
Gary: What about Djokovic? Is he just left right out?
Meera: Yeah. I better not talk about Djokovic because my husband will come running. He’s a Djokovic fan, and we have huge fights when we watch tennis at home.
Gary: I love it. OK, we better stop before this gets out of hand. Thanks, Meera. It’s been really fun to chat with you.
Meera: Thank you, Gary. Thank you so much.
Gary: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is co-sponsored by Synopsys and IEEE Security & Privacy magazine and syndicated by Search Security. The July/August issue of IEEE S&P magazine is a special issue devoted to blockchain security and privacy. The issue highlights our interview with Nicholas Weaver from ICSI, who has just a thing or two to say about cryptocurrencies and blockchain, none of them very nice. Check it out. Show links, notes, and an online discussion can be found on the Silver Bullet webpage at www.synopsys.com/silverbullet. This is Gary McGraw.