Vandana: And the best part is that if you're learning, you'll keep getting information. You don't have to strive for it, you'll automatically get it, and people will start respecting you for your work.
Caroline: From Cobalt at home, this is "Humans of InfoSec," a show about real people, their work, and its impact on the information security industry. Today, I am so pleased to welcome my guest, Vandana Verma, Security Solutions Architect at Snyk. Vandana is also the chair of the OWASP Global Board of Directors, and she leads initiatives like InfosecGirls and WoSec. She is also the founder of InfosecKids. She has broad technical experience, including application security, infrastructure security, and product security. She is an internationally recognized keynote speaker, including many OWASP events, BlackHat events, Bsides, and I'm just thrilled to have someone with me today who has had such global and far-reaching impact. Vandana, welcome.
Vandana: Thank you so much, Caroline. I'm so honored and glad to be on the podcast. It's an honor to be speaking with you.
Caroline: You know, there was an OWASP event. Now, it was many years ago, and I remember getting to see you in person, getting to hug you, getting to be with you, and I hope sincerely, that we'll be able to do that again sometime soon.
Vandana: I'm really looking forward to that day again.
Caroline: So, let's start by talking about InfosecGirls and InfosecKids. How did these start, and what is the mission of these initiatives?
Vandana: InfosecGirls and InfosecKids are the initiative, which we actually took to bring more people into cybersecurity. So, if I start with InfosecGirls, the first mission was to bring women to the cybersecurity field. And we were all collaborating, we were all meeting at one place, but over the years, it matured to a place where we started hosting new dubs where we started giving workshops. We went live multiple times even before the pandemic hit. So, we had a platform where if you can't meet over the weekend, you can actually connect over online sessions. And we got a chance to host you as well there. We didn't stop there. We started collaborating with colleges so that we can have more students and women coming from there. We started training professors, teachers, and at the same time, we started giving free workshops at the conferences.
So, we grew over the years. In 2020, we thought that it is important to host things for kids as well. So we started sharing knowledge at the schools, connecting with the teachers, connecting with the parents, and the people around so that they understand what is cybersecurity, and why is it so important to understand the basics of it. When our kids have smartphones, smart devices at home, how exactly they can take care of the things, and what are my neatest things. And especially my friends as parents, they have always been scared about how exactly they can take care of the devices, or how they can train their own kids to be very alert because there have been a lot of not-so-good cases which have come. So, we started with the intent to educate, share the information with kids and their parents for InfosecKids.
Caroline: I love it. I think that the kids, they are our future, and if we can empower them with this information, then, hopefully, they will be able to do better than we are. Vandana, I wanna ask you a very personal question. Of course, today you are an internationally renowned expert in our field, and at one point in time, you yourself were a little girl. I wonder if you would tell me about yourself as a young person, and as you thought about what to study and how to develop in your career, what was your start like, and how did your journey begin?
Vandana: My start was all serendipity. I came from a place in Delhi, but that was, like, a small, tiny mining place. I never thought that I would ever move out of that place. That was my thinking. But I just wanted to have one thing in my life, that I wanted to support my parents, and that was it. Where I could be more like a son to them rather than just being a daughter whom they have to marry off. And that's how it all started, started working towards different things. And people say they have big dreams. I just had a very, very small dream to make sure that my parents are being supported, they're being taken care of. Even if anything comes, I'm there for them. And that's how it all started. Did my graduation, did my masters.
And when I did my masters, I did it with my first job. And my first job being in the tech world, I didn't have a choice, what to choose, whether I want to be a developer, I want to be a tester, what I want to be. But maybe it was God's blessing that I was put into the cybersecurity project. And that's how my journey in cybersecurity started. And over the years, I started liking, I started learning new things, connecting with new people. And when I happened to be in this third company that I was at that time, they asked me to switch from network to application security. And I was given three months to prep for it and get into a project. That was the most challenging and a wonderful time. And I think that was one of the blessings for me because I was introduced to OWASP during that time, and I realized that there's a top 10, there is a testing guide which exists, and that was my world for OWASP.
But just the very next year, I was told that OWASP was not just top 10 or testing guide, but it's a huge community, and we have it in Bangalore as well. So, I joined that, used to go on and off to the monthly meetings. And in 2016, I was asked to be a chapter leader for OWASP Bangalore. That's when I think a lot of things changed. I became a chapter leader and became a lead for women in AppSec for OWASP while they were building up. And in 2019, I was given an opportunity to keynote at OWASP AppSec DC conference, and the same year I applied to be on the global board where it was the first time an Asian applied to be on the global board. And I got through, like, from India and from Asia Pacific region. So, that was a wonderful opportunity for me.
And I served as a treasurer for the first year. Second year, I served as a vice chair. And the fun fact, they had to change the title from vice chairman to vice chair because I was the first woman to be a vice chair for them. And they changed the title for chair as well. And this year, I had so many notions that whether I should be a chair or not, whether I should apply for it or not. And a lot of things were going on, but then when I said that I want to be a chair, nobody else raised their hand and they were asked why nobody wanted to be a chair, they said we wanted you to be the chair. It was the most amazing opportunity. And sometimes what I feel is that we feel so underconfident about ourselves that we forget that people trust us, we forget that we've worked hard for it, we've earned it. So, that's my little journey in cyber security. A little struggle, little learning, but got to meet wonderful people in the cybersecurity world, which has made me who I am today.
Caroline: It's extraordinary. You know, when I look at the places that you have been, from Wipro, to IBM, to Accenture, to all the various leadership roles you have, and founding roles, and advisor roles, it is a very admirable journey. And I think one of the special things that you bring to the table is that you understand this field of application security from top to bottom. You know, you have, yourself, been involved in SOC security monitoring, in vulnerability management, in web app vulnerability management, just in all of these different arenas. You know, you have such a depth of understanding. And with that, I wonder if you might provide us with some reflections. You know, now you have more than 15 years of both hands-on as well as leadership experience in the application security and product security field. And I wonder if you have anything to reflect on that you'd like to share with us.
Vandana: I would say a lot, because, over the years, there is one thing that has happened is that there are opportunities that have come my way, and I never said no to them. I've always taken risks, I've always pushed myself to do different things. I wanted to understand things about cyber law. I was thinking of it for, like, over four years. But then when the pandemic hit, we were all with family. We were all thinking, like, what more we can learn. So, being with the family, it gave me an opportunity to think that, "Yes, I can apply for it now." And last year, I cleared my cyber laws master's, and similarly, in every job that I've been, there was something new to learn, be it network security, be it SOC monitoring, be it application security, be it cloud security. And that all stitched together and gave me a perspective that I might be a champion of one thing, but I can learn other things as well.
I can discuss about those things. Now, if you discuss with me about how cyber threat intel is growing up right now or picking up, or how Zero Trust is picking up, I can talk about it. And that gave me a habit of reading a lot of blogs to articles. I watch a lot of videos as well. And if a topic is of my interest, I would give it all. It took me good six months to understand the Zero Trust concept and clicking all together and bringing up what more I can learn from it. Now I can discuss about it at any forum. And at the same time, I keep picking up new things in it. I keep learning more about it. Similarly with app security. There's so much to learn. One thing I have picked up in this industry is that there's ocean to learn, and you should always keep yourself updated. And nobody can stop you from learning new things. And the best part is that if you're learning, you'll keep getting recognition. You don't have to strive for it, you'll automatically get it, and people will start respecting you for your work.
Caroline: Vandana, I have to take advantage of our situation. Specifically, I have to ask you if you would take a few minutes and teach us about Zero Trust and about cyber threat intelligence. Let's start with Zero Trust. What do you think is important for our listeners to know and to understand and to be thinking about with regards to Zero Trust?
Vandana: Absolutely. Now, what we call Zero Trust is never trust, always verify. What the conventional thing has always been is trust but verify. And anyone who's working in the organization is all good, but anyone from outside is not a good person. But over the years, those boundaries have vanished. Now we all are sitting at home. How about a phishing attack? Even though you are sitting in the office and there's a phishing attack that has happened, what will you do? There have been many cases of breaches, which are big breaches of the history. They have happened, and that's when Zero Trust is picking up. Zero Trust is not new, but not old as well. Earlier, we were talking about we need to have firewalls, we need to have IDS, IPS, we need to have layered security. But all that has gone when we talk about identities.
So, people have started to talk about identity as the first perimeter, but that is not just Zero Trust. Because I've heard people saying that identities are new way of thinking of a Zero Trust. No, they're not just that. But if we talk about constructing a Zero Trust model, there are multiple perspectives that we need to understand. We need to have proper identities being managed. At the same time, we need to make sure that when we are setting up the architecture, we understand our own infrastructure. What are the assets we have? What are optimized under my service, cloud-based virtual machines, containers, microservices, what we have in our environment. That's first and foremost thing. Till the time we don't know what we have in our house, we would never be able to secure. For example, we have windows, we have doors, we have so many things, incoming points at our house.
When we go out for vacation, we lock all our doors. But then there are certain windows which are still open because we missed it because we did not have it noted down that, yes, this is what we have closed. There's a thief that comes in, steals everything, and goes away. What can we do in that case? So, it talks about, let's understand our architecture. And it's more of a concept, not a tool. It's a framework. It's a mindset which helps us to understand our things in detail. It talks about identity, authentication, authorization, even before providing access. How about having advanced stress protection, understanding micro-segmentation, having small chunk data wherein if something happens to one network, we can just shut it down. We can just halt it for some time so that other networks are not impacted. We monitor the internet-bound activities, traffic, we log and monitor the right assets.
I have seen many cases where, and people are not monitoring their crown jewels, but there are some non-restricted areas, they're being managed because they don't have the right categorization there. And people say it's not a fit for the cloud, but it's a perfect fit for the cloud because clouds start off where you understand the basics of it. You start with getting the access to it, and the new parameter is gonna be an identity. But then there's one thing to remember. If we don't pick up the small, small things, it's gonna be big thing. And that's when breach happens. Zero Trust doesn't say that you'll be fully secured, but we are moving towards it. And organizations already have all these things, it's just that they need to stitch it together.
And trust is a dangerous vulnerability which can be exploited by anyone. Even when we talk about secrets when we say duck your secrets with your friends also, because if you can't keep it yourself, how can somebody else do it? Similarly, with Zero Trust, never ever trust even the CEO of the organization. Their emails can also be breached. So, if it's a policy for everyone, it has to be for everyone. If authorization has to be for people, yes, it has to be done. And it also says that smooth access needs to be given to the people so that the work and the business can run smoothly. That's my two cents on it.
Caroline: Fantastic. Thank you so much. I particularly like your analogy to the home and with regards to asset inventory, understanding the governance and the identity, and the tracking of all of your assets. Thank you so much for sharing your perspective on that. Vandana, what about cyber threat intelligence? What do you think that our listeners should be thinking about? What do they need to know with regards to this concept?
Vandana: So, cyber threat intel is basically evidence-based knowledge which talks about what exactly can go wrong in an environment. It talks about, what are the data that can support us? Could be threat feed, could be figuring out an attack before it even happens. Now, there are so many attacks which are happening in the industry by using techniques and procedures, which people call it as TTPs. And there are certain indicators of compromise which are there. Could be an IP, could be a domain. Now, getting that information from the right sources and make it actionable. This one thing, what I've seen, that you get to know from someone that this is not good for you. You have got that information, but you don't use that, you don't apply it on time. And that's what happens, there are some things happen. To give you an example which is related to our daily lives. Smoking is injurious to health, but still, people smoke.
And at the same time, when you drive, you shouldn't be speaking over phone, but still, people speak over phone, and accidents happen. Now, when we talk about phone, if we don't use it when you are driving, it can save a lot of accidents because we are using it timely, we are providing a context to it, people understand it, and then make decisions. So, threat intel talks about let's gather the information which is widely available and process it for our best based on domain, based on the right information, based on the right kind of data available. And then threat intelligence is treated as a proper function and understanding that it is important for an organization can actually help big time.
And we have proper process for it like collecting, planning, correlating, analyzing, and even sharing it with the right people in the organization. So, if, let's say, I'm part of the security operations team and I work on the cyber threat intel data, so I process it, whether it's relevant for us or not. Can we block the IPs? Can we work on it? Can we share it with the right team who can work and process that data? So, that's about threat intel. That it's meaningful information so that you can leverage it and secure yourself.
Caroline: Thank you so much. I think, you know, we have a few minutes left, and I wanna ask you about something which I think is very interesting because you gave us this analogy of, we kind of know that smoking's not good for us, you know, and sometimes we choose to smoke anyway. We kind of know that, you know, it's safer if you're not talking on the phone while you're driving, and sometimes we choose to do this anyway. I wonder about your reflections with regards to the humans and the people and the decisions that are involved in the industry. And then we have this technology, right? We have more and more amazing tools that can help us. And I wonder if you have any thoughts on what is the job of the humans, and what is the job of the tools, and are the tools gonna get to a point where, you know, the humans, we don't have jobs anymore? What is your thought on sort of this interaction between humans and tools and how they must interact for us to create security?
Vandana: Yeah. When we talk about tools, there's a fun fact that if we have got the best of tools, but not the people, not the right process, it would never work. For example, when we have a lot of budget for security now, I've seen people find the tool, but not using it. Why? Because they don't have the bandwidth to use it. At the same time, there's another analogy that there are beautiful tools which can support us in a lot of aspects, but they're not good for us because they don't suit our technologies. So, while we are talking about tools, it is important to have, it is good to have. Why? Because we are moving towards automation.
We are talking about getting things early, we are talking about doing things in the right way and in a fine-tuned way. And tools really help us in doing that. But the most important aspect is to have the right tune. For example, if you are talking about development environment, what are the kind of tools we would need for our development environments? And when we talk about those development environments, if I'm using certain languages, I might be able to use it, or I might not be able to use it. So, guess whether it's important or not. And similarly, only buy the things that are needed, that are relevant. That's my information on that. Hope this helps.
Caroline: Absolutely. Vandana, in the first half, perhaps, of your career, you have done so much for the industry and you have done so much good work on securing our digital infrastructure for the world. What's next for you? What do you see happening in your future?
Vandana: I'll be very candid. That's one question I keep asking myself. The one aspect that comes my way is that keep learning. If I have to talk in a couple of years, I want to be a better person. I want to be better at technology. I wanna keep supporting the community. That's what I feel. But I don't wanna have a tagline that I wanna be a CTO, I wanna be a CSO or a CISO. No, that's not what I have in mind. But, yes, I wanna be the better person from what I am today, and at the same time, contributing to what I love and enjoy what I'm doing because it is very, very important to feel content in what you are doing. And keep learning. I think that's what makes me grow and that has made me who I am as well today because I've always taken up challenges. I've always taken up new initiatives. I've always taken up new opportunities that have come my way. I've really said no to things. And that could be a bad thing, but, yes, that's what makes me grow in the industry.
Caroline: I think it's a wonderful thing. I think that none of us can predict the future. We do not know what opportunities will come, but I think if we look at it with an open mind and with good intention and with the intention to learn and to grow, then only good things will happen. Vandana, thank you so much for joining me today, for your generosity of time, for everything that you give to us in the industry. Thank you so much.
Vandana: Thank you so much, Caroline. I'm so glad to be on a podcast with you. It's an honor to be here and speaking with you.
Caroline: "Humans of Infosec" is brought to you by Cobalt, a Pentest as a Service company. You can find us on Twitter at Humans of InfoSec.