Global CISO Forum 2020 – Martin Knobloch, Global AppSec Strategist at Micro Focus
Host Amber Pedroncelli sits down with Martin Knobloch, Global AppSec Strategist at Micro Focus, to talk software security, DevOps, keeping CISOs in the loop, and how to manage developers so security is prioritized.
Martin Knobloch is a long-time information security leader with more than 15 years of experience in the field. With a background in software development and architecture, his focus is on software security. Martin is actively involved in OWASP where he is a frequent contributor to various projects and initiatives, as well as a member of the Board of Directors. During his career, Martin has been a recognized teacher, guest lecturer at various universities and invited speaker and trainer at local and international software development, testing and security conferences throughout the world.
Speaker 1: Welcome to the Global CISO forum, the podcast for information security executives.
Amber Pedroncelli: From Podcast, I’m your host, Amber Pedroncelli. With me today, is Martin Knobloch. He is the Global App Sec Strategist at Micro Focus and, he’s a long time information security leader. He has more than 15 years of experience in the field. His background is in software development and architecture, but his focus now is on software security. He’s actively involved in OWASP in the Netherlands, where he’s a frequent contributor to various projects and initiatives. And, he is a member of the Board of Directors for OWASP. Welcome to the show Martin.
Martin Knobloch: Thanks for having it.
Amber Pedroncelli: Absolutely. You have a really interesting background. You started in software development and architecture.
Martin Knobloch: During the late 90’s, development requests, going to the law office, programming, travel programming, is how I rolled into software development.
Amber Pedroncelli: Wow, been at this a while, I like it. So from software development, you moved into architecture?
Martin Knobloch: Yes. I’m kind of a stubborn, I think I know things better. That’s how in development, she would take a program, I thought it could be better. Yeah, interests. There had to be quite a little bit of architecture. So I asked myself one the thing… When you’re young and stubborn, you think “I can do it better.” Which was architecture.
Amber Pedroncelli: Yeah. You’ve done a lot of learning and growing in your career. It sounds like you’ve moved into new and exciting fields and now you’re in AppSec, but you’ve actually been doing AppSec for a while, tell me about that.
Martin Knobloch: Yeah. As from my background from industry, there was a very fiscal understanding of security. So I could do that for software development, and back in the early 2000s, everyone says, “Nothing was wrong.” Everybody goes into software as required, the humans that had to be trained, they wouldn’t do that. All the statements. We know that in the fiscal world we can rely on, but in the digital book, people have thought that is how it should work. So when I moved to the software architecture department, I was like, “Hey guys, what happens if? What would be if?” and they were like, “Nobody will do that.”
So I was looking for resources there to try for the company. Back then, I found the security task force. In terms of safety, it was the oldest conference in Belgium, but it’s very close by for me. So I visited the Old West Conference. I went there and I just put all the resource and material. I needed other six people who save interest where they’re sharing no matter where they come from, no matter what is your experience level. Everybody has the same interest, secure software development.
Amber Pedroncelli: Yeah. I did some research on your profile before we started talking and it seems like, OWASP has been part of your life for a very long time. And you were the president for a while, of your chapter or was that the International Board?
Martin Knobloch: So when I come back from that project in Belgium, I thought they had a chapter in there, then nothing. So I was able to revive those. In attempt the Board of Netherlands ever since 2007-2008, the metaphors almost Global Summits 2008 and 2011. So I got involved in the Global Committees and finally 2011, we started to have only elected board members and I got elected the last time. It wasn’t 2018, but actually it was a runner up in 2016 elections, because the one who got elected had to step down to health issues, so, they asked me to step in. And, I have been the chair for the board for certain 2018 and 2019, indeed.
Amber Pedroncelli: Wow, yeah. You’ve really done a lot there. They helped you learn and now you’re helping others learn is what it sounds like. So let’s get into software security. With software security, how do you keep a CISO at ease? Do you have to deal a lot with CISOs and, and explain to them where their flaws might be and then calm them down?
Martin Knobloch: Yeah, that’s kind of what the development currently is. So in the past, participant CISOs think about risk and we look in the high level risk of a CISO, the software is not a high target because of the extended risk. CISO is about risk and mitigating risk and not every CISO understands that you stay at the risk in software it’s really extra high. So that, you have a different immaturity of the companies if they have a CISO. Most of them, I believe had the CIO, just like CTO, running, everything that has to do with the pizza world and operations and the CEO that says, “So you see the development and actually has a CISO is not required.” Definitely the compliance, and that, when you have a good CISO the modern taxi, is that they understand the importance of the risk with glass as it is in software.
So end up traditional CISO. And, make them understand the basics, to actually lift bachelors. So you have missionary work in explaining more up-to-date CISO. We understand software development requirements and risks in software. Then it’s very easy to, it’s much. You have to convince them, but then you have to give them the right tools. We see currently a lot of tools come from detecting vulnerabilities, but it seems like it’s about risks. So how can we not detect newbies, but how do we mitigate one of those is how you find them. That’s much different variable. First of all, when you saw the CISO, what is the application landscape? Where are my surface? That’s the first thing you have to understand. They have to find them shutting down the sources far away. So they don’t want to be involved in self-assessment, but they wanted to see control and monitor the software development cost in the right direction.
Amber Pedroncelli: Right. So zooming out a little bit. How do you start getting in control of software security in general, at a new organization, for example?
Martin Knobloch: Most of the times it can be taken by compliancy. A lot of tech-business compliance is not security. Yes. But if you use compliancy right, it can be a trifle for security. You have to start somewhere. The first thing, as a stock, is just quality. I would try to learn to hide something I would put apart, not because it’s an unachievable goal for me. So the first thing is to look at the bar, what is the chief risk or what is my current state? And from there, actually look and rattle. I want to spend my time on and race it boss slowly. So the first thing, where am I? But even security because not everything has a security level on it. This is my quality to have everything in place to understand what my security is, what my quality level is for my requirements and from there, you slowly raise the bar, become more mature, more corners, driven, deeper, more security with them.
Amber Pedroncelli: And is that where the developers come in or are training the developers? Is it, you focus more on quality than security? How much responsibility for security should be put on the development teams?
Martin Knobloch: Maybe just look at it. The development operations, have teams that have to create this to crave responsibility of the applications. So direct, responsible to prove the in production and keep it running. But that also has another inheritance with responsibility for keeping it secure. But it means, one side that you need mature and seasoned experienced developers. You need craftsmen. And in craftsman-ship, you understand what the risk is. And the other side when they have the responsibility, you also have to be using the APLT, how to measure. So once I was training, but we don’t stay up for training. We tried to train people for many years and we failed because we could get much more developers and security people. So we cannot keep up training them. When they’re in the job in the company, this training pop must come to their educations, when you have school, examples, universities and stuff.
What we can do is, show them better a security thing. But not a sprint late of what you had in the past, prior to dev ops, you had the security target. You wrote a code to check in, and from development to test, you’re required a steady code analysis. From test to user acceptance, you need a dynamic scan. This is too late. It’s two months, three months later. It’s four sprints after that. So when I ask you, what did you do on Wednesday, two weeks ago? You have to think, how can we understand? And we kept him from what he did back then. So when I come to you, “Hey, there’s a security falling two sprints ago.” They have no idea where they have to fix. If 10 is on a different logic, you’re basically the current sprint. Then, when you have to change, those changes are also impactful if it’s already developed or in development. So the early feedback is very essential.
Amber Pedroncelli: So does the acceleration of the adoption to dev op hurt or help organizations as far as security is concerned in general?
Martin Knobloch: There are two sides I think. Definitely is step up when you look in the XR that this day is, I think the big advance is automation. They can automate forever. I think that’s bigger punch for security because of bins. They are trained in automated security testing. Nothing is more suited for automation than a static code analysis. They have one environment better by the source code and that’s this days, to a corporate policy of bill tool of choice is kit and the environments. Those are made already for automated testing, automated into-patient tests. So yes, that’s a big advantage to stay on to CISO and an expense in this security test automation and the feedback loop. But it says, put putting your path, where are you and raising the path for arrows when you cannot adjust, allow automated path through, but you have to fix stuff.
Amber Pedroncelli: So do you have any incentives that you’ve used for developers to prize security? Or incentivize them to treat security appropriately?
Martin Knobloch: Instead of it? So in the past, people tried to use the stick, but it doesn’t have, I cannot go to somebody saying, “Hey, you have a happy child because the blood, sweat and tears of developers, isn’t the source code.” The applications, the software, if I told you, they build that’s on the Testament in it, and you have to develop us. So a prosecutor came in, and said, “Oh, your kid has actually been expecting the open discussion because we’re not.” It’s a big change now to say, “Okay, we have to support you.” So we don’t based on the security risks, portability is to have to fill up and we have to appreciate when they come early and appreciate the ideas. It doesn’t to be an incentive by money, because you cannot pay them by what they’re not doing, but you can encourage them and hear them and support them, make their life easier to security. And then the appreciation, of course, they’re conditioned to what it did well.
Amber Pedroncelli: Is training secure code development part of your overall strategy for your developers?
Martin Knobloch: Yes of course. There’s a new type of project… You don’t want to make the developers security specialists, but they have to understand security. So they don’t have to understand all the first aspect of February. So the training, yes, but not training then abstract global, a universal application three that will not help. You cannot put six 60 people offered the favorite team for one big in the classroom and say, “Okay, now we speak security training almost up to 10 and you can get solid trading whereby they are, don’t net or Ruby on rails developers’ that we’re not. So the question is, where can we give them the training on spot where the data is and all in context that they need. Good tools for that are already out there. So it’s my secure code barriers that you cannot just abstract about anything to do with security, but what’s your business, what’s your developing? What is your source code and have examples related to that context. And it takes what you’ve written on right now.
Amber Pedroncelli: Right? That sounds like the way to do it. So tell us about your work at Micro Focus. What does Micro Focus do and what’s your role there?
Martin Knobloch: So many folks notice a big portfolio myself, I’m part of the 45 project product management team. My role is application security strategies to see how we can leverage and engage to be cutting edge technology solutions for our customers to improve security. Everybody can send license, but to print them, have them get more mature in application security, not only on the take part, but also internally is their application security postures that roadmaps and the growth process to increase of case security. What does 10 15..? But it’s not just a product. It’s how our mentality can fit and leverage most ideally endeavor and bring the feedback from the field back to our development teams, to go to Weiss and function, to live out the functionality to digital customers, to self requesting us.
Amber Pedroncelli: That sounds fascinating. You must do this all the time, but what are one or two of your top suggestions for organizations, if they want to start or improve their AppSec program?
Martin Knobloch: The first thing is look where you are. This is the same. So don’t try to stop everything and say, “Okay, we cannot do anything.” Fix all the issues that we have to realize that something maybe you could all learned on the pre-ahead, I sent you. Nothing has to be changed once. Of course, everything that is exploitable high-risk issues has effects, but then you come with some security tools, whatever they have, the first scan is the situation SS. So the first thing is like, the baseline scan is it dynamic or steady? I don’t care. It’s like this information is already out there in production to look at it. And don’t pinpoint all the people who built these, but look on the building types. Do you want to focus on this? The biggest way Crispin? So not just looking all higher or medium, full credit, high credit and abilities has to be fixed, but one a fixed code. It’s something I heard about a lot in the blocks and the video cost.
How can I develop a secure veil on doing this functionality? So not, especially from, “Oh, you shouldn’t have done this differently,” but deliver securely and maybe not only looking for the filters you have, but look at, can we measure what secure pass your teeth on this used the default use less insecure with efficient developers. Look at the technology stack from what you do and look for the how to enable developers, to why the code by making security defaults to make it easier to write secure code, secure functionality.
Amber Pedroncelli: Is that the major gap you see between security and development?
Martin Knobloch: Yeah, I think one of the major gaps is people are quite in our time to say technology appreciated. So we think we have a problem. We look for technology to solve our problem. I think that the biggest thing is what we should do is we should focus on the people side. So the security people go to the clubs in the past. I have seen so many talks with the developers, security people are talking about it. They are motoring advice to enrollments accepted, blaming, bashing them about how they did. Most of the security people are not able to develop. And I think that’s a pickup sponsors I have in my lockers have been a developer means I can talk to developers.
So when I go there, they looked at me and when I was in my career in security, some of them say, “Oh, you do security?” And I said, no, of course not. They looked at me like, “What?” No, I come here for maybe a week assignment, two week assignment. I cannot do security. So I look in the security of your application and look together we will find a way how to improve it. That’s it. So I think that the human aspect and the outgoing into acting as developers and the same height in the eye height, right. That’s important.
Amber Pedroncelli: We have a lot of CISO listeners on this show. It seems like a lot of what CISOs do has to come down to collaborating as opposed to imposing security rules or coming down with a heavy hand that doesn’t seem to work. It’s always about getting buy-in. And the same thing should be done with development teams is, is your point.
Martin Knobloch: Yes. I’ve seen passport check for that, approximately a CISO. He hoped that needs to be on the table. And I stopped yes. From the board to develop tests, which is at the top of everybody’s I guess. I think it’s just the creating one season. It’s not just one level. You should be like everybody in the CISO office, not by yourself as CISO, but hopefully you have a team. So everybody should know you. You have to only see sort of this hidden somewhere in the ivory tower, USP in the tree.
In the past, we had a CISO, with the minutia of no in the city. That’s something that doesn’t right. I have many times referred to a talk necessarily. Do you want us to have somebody set up and listen, it’s a great Ted talk where he says, how can you engage with people in the first to listen? So for developer means like, what is the new framing? We want to use new technology building on. And first about what they’re doing, don’t kill it by saying no, but listen to it, ask the right questions. So they think about security. What would be, if I hadn’t thought about that, that’s helping.
Amber Pedroncelli: Yeah. Right. Yeah. There’s no reason for it to be an adversarial relationship, but it seems like that can happen.
Martin Knobloch: I have seen customers where the CISO and the development team departments that don’t talk to each other anymore. Then you lost.
Amber Pedroncelli: Hopefully that’s not a current trend. Do you see any trends in software development that impacts security going on right now?
Martin Knobloch: Yeah, a lot. I think the season also turned up at the top 10 security risks and it’s 13 with the risk of liberties in a third party component. I think that’s going to pick and pick up with more external, even open source components in our doctor’s office space. So we have to look at what is our sick call it supply chain, cleaners. Well, of course, developers’ dev ops sometimes trying to be West and saying, “Okay, after this new framework is version 0.7 0.8 better. Let’s use it because this great functionality.” But yes, when you develop these applications, we need a bit more maturity. So don’t worry about looking more mature, how secure hound them and are those open source libraries that you import. And this is even if they’re vulnerable. Yes. Supplements. I say no, but it’s a problem in the context of how we use this component. And then of course, these days of biggest APIs. So also it’s not an eight. I took 10 for security because now it is in the connecting applications gets bigger and bigger.
Amber Pedroncelli: Right? Yeah. I had an interview with the CISO who’s going to present at the Global CISO Forum and his whole talk is about APIs and he was on a small team and he had to really dive in and learn about him. And he was kind of shocked about how many vulnerabilities that could be and how widespread they are. And it was as if, he learned this thing and he really wanted to tell other CISOs about it. And I’m sure you’re very familiar with that problem.
Martin Knobloch: Oh yeah. Sometimes I hear people remember that in the world to speak monoliths and people are like, “Oh, despair.” Maybe it’s not that bad because if anything, everything is in your jurisdiction, your responsibilities, they may start in this mix of, who is doing the covalence, who’s doing the orchestration. Who’s responsible where you keep all the secrets, you have to start at different applications. So they have their own right of existence. But you have to think about the new risks, your input important, your problems you put in your plate.
Amber Pedroncelli: Yeah. And I think a lot of times CISOs may not be thinking about all this. So a good thing. There’s people like you out there helping them.
Martin Knobloch: Yes. And I think a CISO can’t know everything about everything, they’re are humans too, but they need a team. And how we have this time to the security architects, people who are in between the seasonal and the enterprise, it is radical to think about the security concerns, but the CISO wants to have an insurance about what is the status? What is the maturity? So these should deliver them, not only the list of vulnerabilities, but team, what was the global risk and might affect that? What’s my global holistic overview of my software environment in my company.
Amber Pedroncelli: Wow. This is fascinating stuff. I hope that our audience got a lot out of it and we’ll think more about their AppSec programs and maybe people will reach out to you on LinkedIn if they have questions. It seems like you’re pretty active on that platform. Is there anything else you want to add before we wrap up?
Martin Knobloch: Yeah. I think general joint venture and the human aspect, are the most important things that… We all work in a company for the same goal. And then we make our lives easier, not harder share and care.
Amber Pedroncelli: Yeah. Great points. And I think, there’s so much resonance with that and the rest of the CISOs role as they work with other departments and get buy in. So a great reminder to apply that same thing to development teams and their software security programs. Well, I really appreciate you coming on Martin and thank you so much for sharing your wisdom with all the questions. And I hope to have you on again, and we can maybe can talk about a specific incident or something. If something happens, I’d love to pick your brain.
Martin Knobloch: Thanks for having me.
Speaker 1: Thank you for tuning into another edition of the Global CISO Forum, the podcast for information security executives.
The EC-Council CCISO Body of Knowledge covers all five of the CCISO Information Security Management Domains in depth and was written by seasoned CISOs for current and aspiring CISOs.Get your copy today