If you don’t fix your security vulnerabilities, attackers will exploit them; it’s simply a matter of who finds them first. If you fail to prove that your software is secure, your sales are at risk too. To defend against hackers, you have to think like them. As a leader of ethical hackers, Ted Harrington helps the world’s foremost companies secure their technology.
His new book, Hackable, teaches you exactly how. You’ll learn how to eradicate security vulnerabilities, establish a threat model, and build better, more secure products, giving you a competitive edge in earning trust and winning sales.
Drew Appelbaum: Hey listeners, my name is Drew Appelbaum and I’m excited to be here today with Ted Harrington, author of Hackable: How to Do Application Security Right. Ted, thank you for joining, welcome to the Author Hour podcast.
Ted Harrington: So excited to be here, thanks for having me.
Drew Appelbaum: Let’s kick this off. Can you give us a rundown of your professional background?
Ted Harrington: Yeah, I’m a leader of ethical hackers. We’re the good guy hackers and essentially, companies who need to understand how attackers might exploit their system so that they can improve it and make it more secure and make it better, those are the companies essentially that I’ve been serving for a long time. I wrote a book that captures all of the things that I’ve learned over the many years of doing this. That’s my background–helping to serve companies who want to build better, more secure technology.
Drew Appelbaum: Now, why was now the time to write the book? Did you have an ‘aha’ moment, was there some inspiration out there or was it that there’s some downtime because of COVID?
Ted Harrington: It’s always been on my bucket list. I always wanted to write a book and as my career went on and I accumulated all this knowledge about how to solve these security challenges that I see my customers face–the sort of lightbulb moment was when I found myself in a meeting with a chief technology officer, and he says this colloquial phrase to me or the way he said it was very informal, and it really stuck with me. He said, “You know Ted, I don’t like monsters and I don’t like getting bitten in the butt. But I don’t even know what the monsters look like or why they jump up and bite me in the butt.”
Retelling that story, it always brings a smile to my face. Partly because it’s ridiculous phrasing but it’s also a really good encapsulation of a problem that so many people face. The “I don’t know what I don’t know,” challenge. After that meeting, I really started thinking about that and it stuck with me, even though it was kind of a whimsical moment in an otherwise serious meeting. I really realized two things–two conditions.
The first condition was, I noticed that many people seem to have the same problems. I mean, every single day, I’m having meetings and conversations with people where they all say one or more of essentially 10 primary themes. As I started writing it down, I realized, every meeting, one or more of those things came up and that was sort of an ‘aha’ moment for me. I’m having the same conversations over and over again where these leaders in technology are struggling with the same thing.
Then the second ‘aha’ moment, as I was thinking about that, as I started thinking about well, “How do you solve those things?” I realized, every single one of those problems, there is widespread misunderstanding and misconceptions about how to solve them. You take those two things together and you have these people who have these really big problems.
The advice out there, the conventional wisdom about how to solve those problems is not just wrong, it’s like 180 degrees wrong. That was the moment that I knew, “I need to write this book,” when I realized the combination of those two things exist in the world and this book addresses them. It tells you, “Here’s how you solve these primary challenges, and here is the lie or the misconception that’s holding you back, and here’s what to replace it with.”
A Transformative Process
Drew Appelbaum: You clearly have a lot of knowledge in the space, but were there any learnings or major breakthroughs that you found while writing the book? Maybe while doing research or just by going through an introspective journey while you were writing?
Ted Harrington: Yeah, definitely. I noticed, the process of writing a book itself is transformative and I don’t know, maybe that sounds trite to someone who hasn’t gone through it, but I mean that word in every sense of the word. I’m a different person now than when I started it. It definitely changed me in terms of how I think about things and ideas and even how I think about other books. But a couple of the real specific things within my profession and area of expertise that were different that I noticed is that I understand the ideas so much better now–the ideas that I thought I already understood.
What prompted me to go write this book, was when I said, “I totally know this, I have to write a book about it.” But hammering the same idea and refining it and polishing it and smoothing it over and over and over again, I guess a metaphor for this would be like sandpaper, right? There’s that really gritty sandpaper and you smooth that and it’s like, “This isn’t going to smooth anymore,” and then you use the next layer and you’re like, “It’s actually getting smoother,” and you use the next layer and it’s getting smoother.
By the end, it doesn’t even seem like the sandpaper has any grit to it but it’s still smoothing. That’s how I feel about my understanding of the ideas, and not just the ideas themselves, but my ability to communicate the ideas to our customers, to the many people who work at my consulting company. I didn’t expect that part and that is and was an amazing, wonderful thing to have received as a result.
Drew Appelbaum: Now, did you have a specific audience in mind when you wrote the book, is this book just for software engineers?
Ted Harrington: There are basically three groups that I wrote this for. The primary group is for the person or group of people who are responsible for the security of the technology that they’re building. That’s the core person I wrote it for, that’s usually the chief technology officer, or the vice president of engineering, people like that.
The second group would be the developers themselves. So, software developers, they’re the ones who the business looks to and says, “Okay, make the app do this thing, and also, you better make it secure, which you haven’t been trained on but you better do it anyway. Oh, and also, you have a deadline coming and you can’t delay.” I feel their pain, right? How are they going to deal with that?
The third group is other security professionals who want to understand these ideas better, want to be able to communicate them better, maybe they focus on other disciplines, and less about the ethical hacking side, which is where I focus. So, it’s in that order that I wrote the book for but the book serves all three of them.
Drew Appelbaum: What can readers expect from reading the book?
Ted Harrington: Well, they can expect that I pulled no punches for sure. This is the same as what it takes to be successful even as a security consultant, which is, you have to tell people how it is, even when it’s not what they want to hear.
That was something that at first I grappled with a little bit. I struggled with wondering, “This is the truth, is someone going to reject this because this is such a departure from the norm?” And I was working with my editor on that, she gave me really great counsel and she said, “You’re writing this book to tell people what they need to do so you have to tell them how to do it.”
That felt like the green light to me to say all right, well, then my instincts are right, we have to just say it how it is. Frank truth is, the first thing, I call out a lot of nonsense. I try to do it in a way that’s professional and fair and balanced and objective, you know, not injecting any sort of emotion or bias into it, but there’s so much nonsense that happens in security and I try to call it all out.
You’re going to get the real truth and some people who are the subject of that are not going to like that, unfortunately. I won’t name any names, it’s not like I say any individual person or company, but someone who believes in a certain approach that’s fundamentally flawed, they might not like that.
Then the final thing would be, people are going to leave being able to think differently. I’m going to change their mind and they’re going to know exactly what to do. This isn’t just lofty abstract concepts, it is–here’s the concept, here’s the principle, and here’s how to apply it, and here’s what you need to go do.
Drew Appelbaum: Now, on the flip side, is there something you want readers to know that is not in the book?
Ted Harrington: Yeah, there are several things that are not in the book. The first one worth mentioning is maybe even an extension of what I just mentioned about harsh truths, but what’s not in this book, is that there is no silver bullet, there’s no easy button, there’s no magic solution, there’s no get-secure-quick scheme, that just doesn’t exist.
That’s actually one of the pieces of nonsense that exists in security today is that so many approaches try to say, “Buy the solution and your problem completely goes away,” and unfortunately, as beautiful a promise as that is, it’s just not true. Someone’s not going to read this book and be able to walk away and say, “Well, if I just go buy a license to a product or if I just go spend this certain money, then two weeks later, my problem is completely gone.” That’s just not the way security works.
Then the other thing that’s not really in here, that people might expect to be in there is I’ve really focused on application security, which is essentially having to do with any sort of system running software, cloud services, all the different elements to application security I talk about, but I don’t talk too much about other domains like network security or any elements of defending against humans, any mistakes that human people make.
We touch on those things and a lot of the principles apply, but this is really about applications.
Security Is Not Simple
Drew Appelbaum: Now, I think we hear about in the news all the time that big sites get hacked, small sites get hacked, there are cybercriminals out there. Can you give us a general overview, how is the security of our apps right now in general?
Ted Harrington: Well, I’d say really, like anything in the world, it’s on a spectrum. There are companies that definitely do it well, and I’m in a privileged position that I actually know a lot of them, most of the companies that I get to serve in our consulting business, fall into that category or they’re on their way to it.
They might not fully have transformed their thinking yet, but they’re in the process. But I think that companies like that are more in the minority of the world. Where the rest of the world sits, if you think of it on a bell curve, one end of the bell curve is companies who are doing it right, the other end of the bell curve is companies who know better and are intentionally doing it wrong and are really trying to skirt the rules and effectively trying to misrepresent their security, there’s definitely a lot of companies like that out there, but they’re not the majority either.
What’s in the middle of the bell curve is the companies who are really struggling, who want to do this right but, first of all, they don’t even know how to do it and they’re stressed, not because they’re not intelligent and not filled with intelligent people, but because no one has laid out for them, “Here’s what you have to do.”
You can try to read a whole bunch of articles and white papers and things that are confusing, and TED Talks and all that stuff, but it’s just not simple. That’s where I’d say the majority of applications are today where they genuinely want to be secure, but they don’t know how to do it, they don’t know where to start, they have all kinds of technical restraints, they have business constraints like the CEO doesn’t understand it, and the CFO doesn’t understand why to fund it appropriately. That’s where most applications sit today.
Drew Appelbaum: Yeah, let’s dig a little deeper in there, what are some of the most common problems that companies face when they are approaching their own security?
Ted Harrington: I mean, that’s the common thread that I weave throughout the whole book. How many hours do we have here? I’ll just pick out a few highlights.
One of the real challenges is that people–when I’m saying people, I’m talking about people who work at companies that are building software or building applications–they don’t necessarily know how to secure their solution or maybe they have ideas on it, but they don’t know everything. Their focus is building the solutions so they can serve their customers, they don’t spend every waking moment thinking about the attacker.
That’s difficult because this profession, this area of expertise does require a relentless amount of dedication to understand it all. You take that and then you pair it with the fact that pretty much any company that builds anything has these intense deadline pressures. They set a time when they’re going to release the product and that’s when money’s going to be rolling in, or if they already have a product out, they need to release the next version.
Those deadlines often force certain decisions like, “Well, I guess we’ll defer security to the next release.” That’s something that happens perpetually. Another challenge is that companies really struggle to understand how to even prove the return on investment and by that, they mean security is often measured as a lack of a bad thing. We didn’t get breached, we didn’t have a security incident, but how do you measure that? Not getting a bad thing–you can’t really measure that.
They just don’t know how to even talk about it as a business advantage, and then of course the people who have to do the work, the developers like I was alluding to before, they’re the ones who it’s now being put on their plate. They are told, “Hey, make sure you build this thing securely, and also you don’t have any time, money, or resource to do it. So good luck.”
That’s pretty hard for any company, even a company that says, “Hey, I got money. I’ve got interest, I’m motivated. I’ve got the right people.” There are still a lot of problems to deal with.
So, one by one in the book I try to attack–not attack, that’s the wrong word. That sounds, I don’t know, adversarial. I try to address each one and reverse the thinking on it and give ideas for what to do about it.
Security is a Team Sport
Drew Appelbaum: Now let’s say it is on your whiteboard, right? “We are going to make our app more secure.” Do you suggest bringing in external partners or should you rely solely on your internal team to build these security measures?
Ted Harrington: Yeah, that’s a really good question because that’s another area of a really common misconception is that people often think one or the other. They either think security is something that you’re supposed to entirely outsource–you don’t hire any security people at your company, outsource it. And some people think, well you don’t outsource security at all, you build your own team in house. Actually, both of those are wrong.
Security is a team sport. It really requires both, in-house even if it is just fractional in-house. For example, you might have a person who, security is not their primary job, but they are responsible for ensuring positive and effective collaboration with the external security partner. You’ve got some internal resources, or even if it is just a partial resource and then you work with an external expert or consulting firm, who can help you think through your challenges.
Then those two have to work in really close collaboration, which is something that’s also itself often overlooked, and that’s the way that you do it, even at small companies who don’t have many people. So, for example, one of our customers has eight people. So, they just can’t afford to hire a full-time security person nor would that be what I recommend, but what they do, is that they look at one of their people and they say, “Okay, you, of course, have responsibilities X, Y, and Z but you’re also the person who makes sure that Ted’s team has everything that they need. They have all of the access and that they’re able to translate the results for us so that we can improve, that’s part of your job.”
Then on the other end of the spectrum, we have Fortune 10 enterprise customers who have entire departments whose job is to work with us, and companies like us. So, it really is a team sport, it requires both.
Drew Appelbaum: I love what you bring up towards the end of the book, which is security is actually a competitive advantage and you can make money off of your investment into security, which makes it a much easier sell to your CEO. Can you talk to us about that competitive advantage?
Ted Harrington: Yeah, you asked me before about some of the things that I learned–I can’t remember how you phrased it, but let’s use the word revelation. What was something that was revealed to me? This was one of those areas that as I was thinking about it, this was always in the back of my mind, how do you justify the investment in security?
Because as much as I, as someone who is on this mission, I am so overly obsessively passionate about why technology should be secure, I am also able to realize and recognize that security in of itself, while it’s an ideal and it is something worth pursuing, it doesn’t on its own make a business justification.
So, that begets the question, well what does beget the business justification? And as I started looking at all of the people that I knew, our customers, people that aren’t our customers, my friends in the industry, I realized it really comes to this–we play a part in an ecosystem that we are almost tangential to, but we play an important role too, which is that organizations who buy applications, whether that’s they pay for a license or they pay for more of like a subscription through a SaaS model or whatever the model is, they are paying money in order to be able to use some sort of system that someone built. Their expectation, their demand, they want those solutions to be secure, and at the same time, those companies are now selling their service or their solutions, they both struggle to actually secure their solutions, for all of the reasons that we talked about here today, they struggle to actually do it and then they struggle to be able to communicate it.
One of the things that I did in the course of writing a book, I did a mini little study that was, I won’t even call it research, it was just more of curiosity, and I looked at, I think it was 200 enterprise-class application websites to see how they talk about security.
The ideas that are reflected in my book, only about 4% of all of those companies actually talk about security in the way that this book recommends. So that tells us two things. Number one, the buyer is demanding security, and number two, 96% of the people selling things to them don’t know how to talk about it, don’t know how to secure it, and don’t know how to prove it. That’s an enormous opportunity for a company to be able to do the right thing.
First of all, we’re talking about the right thing out the gate, which is building better, more secure solutions, and that it is inherently a good thing in itself. It doesn’t even need a business justification, but we’ll obviously extend it to one. So, you start with an inherently good thing and then you gain this ridiculously powerful competitive advantage. So, when other companies are saying these really hollow nonsensical claims like, “Oh, we use bank-level security.” That doesn’t actually mean anything.
You’re able to say, “Well, here’s what we do, here is how we do it, here is what it means to you, and here’s how you can make a decision.” The recipient of that is able to say, “Wow. First of all, no one talks to me like that. I now have the insight to make a decision, which I’ve rarely seen.” And it makes them trust in it and it gets rid of that fear. When all of that happens, it leads to sales.
Now if you are on the selling side, you still have to build a solution that your buyer wants, it doesn’t matter how secure it is if it doesn’t solve a problem. What happens is security as the blocker, security as the thing that prevents the sale is now removed and instead of it being in your way, it is now actually in the way of your competitors because your competitors, have to clear that bar. They can’t clear that bar, you have cleared that bar, which means your bar is now in front of them.
And that’s really, really powerful and that’s how it leads to sales. It’s how it helps you make money. It is actually a really positive marketing investment and in the last chapter in the book, I teach people exactly how to do that.
A Mindset Shift
Drew Appelbaum: Now Ted, let’s take a step back and say that you are forming a company today and you want to create this ultra-secure app. Tell me, what does doing security right look like?
Ted Harrington: Well, starting from the very beginning, building security in from the outset–that is a real mindset shift that many, many companies, first of all, aren’t even aware that they should think that way. Then once they are aware of that, it’s like changing culture at an organization to try to make that happen, which is astronomically difficult.
So, the way you are framing the question is, of course, well I don’t have to deal with that legacy problem. I can start out of the gate saying security is a priority, it’s going to be a part of our mission and our vision. Now what we do is we have the right mindset, and we know how to work with this sort of team sport idea, and we can start building security in from the beginning. When we do that, what that does is it has this super powerful domino cascading effect where each decision that we make as we’re building the solution, because security is baked into it, we have just saved ourselves headache and heartache down the road later in terms of remediating issues because we are getting rid of the issues at the moment they are being introduced. That’s hugely powerful. So not only does it make it hurt less later, but it also makes it easier and it is more effective, and it is absolutely the right way to do it.
Drew Appelbaum: You also give the reader exercises and real-world examples on your website. Can you talk about some of the resources that are available there?
Ted Harrington: Yes, there are a couple of things. This podcast is the first place that I have talked about this. I will start with the one that’s pretty cool. Nobody knows this yet but I am now telling people, I am telling you.
Drew Appelbaum: All right, world exclusive right here.
Ted Harrington: Yeah, this is the breaking news. There is actually an Easter egg hidden in the cover and it is a code that can be deciphered. One of the resources that I give away is actually walking you through how to decipher the code. So, you have to go find the code, and then one of the resources that I give people is how to actually break it, how to reverse it. Not only do you get a fun exercise, a fun experience, but it actually is not just step-by-step like, “Do this, do this, do this,” it is, “Do this, now this is what you might be experiencing if you are actually an ethical hacker trying to reverse engineer something.” So, no matter how technical you are or you’re not, it gives you that sort of firsthand experience of the thought process of how you work through breaking something apart that seems indecipherable. That is definitely one of the things that I give away and it’s right there, hiding in plain sight.
Drew Appelbaum: This is a very old reference but do hackers still run around in rogue places and wear rollerblades?
Ted Harrington: I don’t know. Did hackers ever wear rollerblades?
Drew Appelbaum: From the movie Hackers in the 90s.
Ted Harrington: Oh from Hackers, yeah. Okay, yes. So, I do reference rollerblades in the book. No, the more common stereotype for hackers right now, which is oh man it is so bad, and you have seen it in every single piece of stock art of every security breach headline you have ever seen, it is a hacker wearing a black hoodie, you can’t really see their face, they’re hunched over a keyboard, the keyboard has some green screen, you know green code on it, and none of that at all is right.
I mean well, everyone in the security community likes wearing hoodies and a lot of them are black. But the whole black hoodie archetype is a little ridiculous because the truth is that both the good guy hackers and the bad guy hackers, they’re just like you and me and your parents and your siblings and your cousins. They are just people out trying to get better and make a living and solve problems and a lot of them don’t have the same moral compass that the rest of us do. And that’s really the main difference is that they don’t see evil the same way we do but otherwise they’re just like you and I.
Drew Appelbaum: Well, thank you for tolerating my obscure reference. I appreciate that and Ted, writing a book, especially like this one, which is going to help a lot of business professionals is no small feat. So, congratulations on publishing.
Ted Harrington: Thank you.
Do Security Right
Drew Appelbaum: And my final question for you is if readers could take away only one thing from the book, what would you want it to be?
Ted Harrington: It’s that this is a chaotic mess, security is a chaotic mess. It’s hard, it’s difficult, it’s complicated, it seems expensive, it just seems like a nightmare, but it can be handled. That’s the positive I want people to leave with is that if you read my book–but what I am about to say I believe this about really anything that any credible security person could teach you.
If you come with a mindset of you are here to learn and to change your mind and to keep getting better and to apply and learn new techniques, then you are going to leave having read this book seeing a brighter future. You are going to know what to do and you will be able to do security right.
A lot of security people, they sort of stick to the doom and gloom and more of, “Oh, the sky is falling,” and maybe in some cases that is true, but that’s not what I want you to leave with. I want people to leave feeling inspired, feeling equipped.
If you know what to do, you know why to do it, you know how to do it, I will have achieved my goal. If even one person can go solve their problems because they’ve read this book, that’s my hope is that eventually, I give that really positive feeling to somebody of, “I had this problem I was trying to solve. I read a book, I’ve now solved the problem and I feel good about it.” That’s what I hope everybody will get out of it, but at least one person is the goal.
Drew Appelbaum: Well, I think you will achieve that goal tenfold. Ted, this has been a pleasure and I am excited for people to check out this book. Everyone, the book is called Hackable and you can find it on Amazon. Ted besides checking out the book, where can people find you?
Ted Harrington: Yeah, I’d recommend the easiest thing is just go to my book’s website. It is hackablebook.com and obviously, all of the information about the book itself is there. You will link to the Amazon page to buy it but also if you want to connect with me on LinkedIn or on Twitter, or if you want to email me and just talk about these ideas, or if you think that you want to hire me or our company for any services, literally anything that you would need to do in relation to this podcast, you will find it at hackablebook.com.
Drew Appelbaum: Awesome Ted, thank you so much for coming on the show today.
Ted Harrington: Thank you for having me.