If you don't fix your security vulnerabilities, attackers will exploit them; it's simply a matter of who finds them first. If you fail to prove that your software is secure, your sales are at risk too. To defend against hackers, you have to think like them. As a leader of ethical hackers, Ted Harrington helps the world's foremost companies secure their technology.

His new book, Hackable, teaches you exactly how. You'll learn how to eradicate security vulnerabilities, establish a threat model, and build better, more secure products, giving you a competitive edge in earning trust and winning sales.

Drew Appelbaum: Hey listeners, my name is Drew Appelbaum and I'm excited to be here today with Ted Harrington, author of Hackable: How to Do Application Security Right. Ted, thank you for joining, welcome to the Author Hour podcast.

Ted Harrington: So excited to be here, thanks for having me.

Drew Appelbaum: Let's kick this off. Can you give us a rundown of your professional background?

Ted Harrington: Yeah, I'm a leader of ethical hackers. We're the good guy hackers and essentially, companies who need to understand how attackers might exploit their system so that they can improve it and make it more secure and make it better, those are the companies essentially that I've been serving for a long time. I wrote a book that captures all of the things that I've learned over the many years of doing this. That's my background–helping to serve companies who want to build better, more secure technology.

Drew Appelbaum: Now, why was now the time to write the book? Did you have an aha moment, was there some inspiration out there, or was it that there's some downtime because of COVID?

Ted Harrington: It's always been on my bucket list. I always wanted to write a book and as my career went on and I accumulated all this knowledge about how to solve these security challenges that I see my customers face–the sort of lightbulb moment was when I found myself in a meeting with a chief technology officer, and he says this colloquial phrase to me, or the way he said it was very informal, and it really stuck with me. He said, “You know Ted, I don't like monsters and I don't like getting bitten in the butt. But I don't even know what the monsters look like or why they jump up and bite me in the butt.”

Retelling that story, it always brings a smile to my face. Partly because it's ridiculous phrasing but it's also a really good encapsulation of a problem that so many people face. The “I don't know what I don't know” challenge. After that meeting, I really started thinking about that and it stuck with me, even though it was kind of a whimsical moment in an otherwise serious meeting. I really realized two things–two conditions.

The first condition was, I noticed that many people seem to have the same problems. I mean, every single day, I'm having meetings and conversations with people where they all say one or more of essentially 10 primary themes. As I started writing it down, I realized, every meeting, one or more of those things came up and that was sort of an aha moment for me. I'm having the same conversations over and over again where these leaders in technology are struggling with the same thing.

Then the second aha moment, as I was thinking about that, as I started thinking about well, “How do you solve those things?” I realized, every single one of those problems, there is widespread misunderstanding and misconceptions about how to solve them. You take those two things together and you have these people who have these really big problems.

The advice out there, the conventional wisdom about how to solve those problems is not just wrong, it's like 180 degrees wrong. That was the moment that I knew, “I need to write this book,” when I realized the combination of those two things exist in the world and this book addresses them. It tells you, “Here's how you solve these primary challenges, and here is the lie or the misconception that's holding you back, and here's what to replace it with.”

A Transformative Process

Drew Appelbaum: You clearly have a lot of knowledge in the space, but were there any learnings or major breakthroughs that you found while writing the book? Maybe while doing research or just by going through an introspective journey while you were writing?

Ted Harrington: Yeah, definitely. I noticed, the process of writing a book itself is transformative and I don't know, maybe that sounds trite to someone who hasn't gone through it, but I mean that word in every sense of the word. I'm a different person now than when I started it. It definitely changed me in terms of how I think about things and ideas and even how I think about other books. But a couple of the real specific things within my profession and area of expertise that were different that I noticed is that I understand the ideas so much better now–the ideas that I thought I already understood.

What prompted me to go write this book was when I said, “I totally know this, I have to write a book about it.” But hammering the same idea and refining it and polishing it and smoothing it over and over and over again, I guess a metaphor for this would be like sandpaper, right? There's that really gritty sandpaper and you smooth that and it's like, “This isn't going to smooth anymore,” and then you use the next layer and you're like, “It's actually getting smoother,” and you use the next layer and it's getting smoother.

By the end, it doesn't even seem like the sandpaper has any grit to it but it's still smoothing. That's how I feel about my understanding of the ideas, and not just the ideas themselves, but my ability to communicate the ideas to our customers, to the many people who work at my consulting company. I didn't expect that part and that is and was an amazing, wonderful thing to have received as a result.

Drew Appelbaum: Now, did you have a specific audience in mind when you wrote the book? Is this book just for software engineers?

Ted Harrington: There are basically three groups that I wrote this for. The primary group is the person or group of people who are responsible for the security of the technology that they're building. That's the core person I wrote it for; that's usually the chief technology officer, or the vice president of engineering, people like that.

The second group would be the developers themselves. So, software developers, they're the ones who the business looks to and says, “Okay, make the app do this thing, and also, you better make it secure, which you haven't been trained on but you better do it anyway. Oh and also, you have a deadline coming and you can't delay.” I feel their pain, right? How are they going to deal with that?

The third group is other security professionals who want to understand these ideas better, want to be able to communicate them better, maybe they focus on other disciplines, and less about the ethical hacking side, which is where I focus. So, it's in that order that I wrote the book for, but the book serves all three of them.

Drew Appelbaum: What can readers expect from reading the book?

Ted Harrington: Well, they can expect that I pulled no punches for sure. This is the same as what it takes to be successful even as a security consultant, which is, you have to tell people how it is, even when it's not what they want to hear.

That was something that at first I grappled with a little bit. I struggled with wondering, “This is the truth, is someone going to reject this because this is such a departure from the norm?” And I was working with my editor on that, she gave me really great counsel and she said, “You're writing this book to tell people what they need to do so you have to tell them how to do it.”

That felt like the green light to me to say all right, well, then my instincts are right, we have to just say it how it is. Frank truth is, the first thing, I call out a lot of nonsense. I try to do it in a way that's professional and fair and balanced and objective, you know, not injecting any sort of emotion or bias into it, but there's so much nonsense that happens in security and I try to call it all out.

You're going to get the real truth and some people who are the subject of that are not going to like that, unfortunately. I won't name any names, it's not like I say any individual person or company, but someone who believes in a certain approach that's fundamentally flawed, they might not like that.

Then the final thing would be, people are going to leave being able to think differently. I'm going to change their mind and they're going to know exactly what to do. This isn't just lofty abstract concepts, it is–here's the concept, here's the principle, and here's how to apply it, and here's what you need to go do.

Drew Appelbaum: Now, on the flip side, is there something you want readers to know that is not in the book?

Ted Harrington: Yeah, there are several things that are not in the book. The first one worth mentioning is maybe even an extension of what I just mentioned about harsh truths, but what's not in this book is that there is no silver bullet, there's no easy button, there's no magic solution, there's no get-secure-quick scheme, that just doesn't exist.

That's actually one of the pieces of nonsense that exist in security today, that so many approaches try to say, “Buy the solution and your problem completely goes away,” and unfortunately, as beautiful a promise as that is, it's just not true. Someone's not going to read this book and be able to walk away and say, “Well, if I just go buy a license to a product or if I just go spend this certain money, then two weeks later, my problem is completely gone.” That's just not the way security works.

Then the other thing that's not really in here, that people might expect to be in there, is I've really focused on application security, which is essentially having to do with any sort of system running software, cloud services, all the different elements to application security I talk about, but I don't talk too much about other domains like network security or any elements of defending against humans, any mistakes that human people make.

We touch on those things and a lot of the principles apply, but this is really about applications.

Security Is Not Simple

Drew Appelbaum: Now, I think we hear in the news all the time that big sites get hacked, small sites get hacked, there are cybercriminals out there. Can you give us a general overview, how is the security of our apps right now in general?

Ted Harrington: Well, I'd say really, like anything in the world, it's on a spectrum. There are companies that definitely do it well, and I'm in a privileged position that I actually know a lot of them; most of the companies that I get to serve in our consulting business fall into that category or they're on their way to it.

They might not fully have transformed their thinking yet, but they're in the process. But I think that companies like that are more in the minority of the world. Where the rest of the world sits, if you think of it on a bell curve, one end of the bell curve is companies who are doing it right, the other end of the bell curve is companies who know better and are intentionally doing it wrong and are really trying to skirt the rules and effectively trying to misrepresent their security. There's definitely a lot of companies like that out there, but they're not the majority either.

What's in the middle of the bell curve is the companies who are really struggling, who want to do this right but, first of all, they don't even know how to do it and they're stressed, not because they're not intelligent and not filled with intelligent people, but because no one has laid out for them, “Here's what you have to do.”

You can try to read a whole bunch of articles and white papers and things that are confusing, and TED Talks and all that stuff, but it's just not simple. That's where I'd say the majority of applications are today, where they genuinely want to be secure, but they don't know how to do it, they don't know where to start, they have all kinds of technical restraints, they have business constraints like the CEO doesn't understand it, and the CFO doesn't understand why to fund it appropriately. That's where most applications sit today.

Drew Appelbaum: Yeah, let's dig a little deeper in there, what are some of the most common problems that companies face when they are approaching their own security?

Ted Harrington: I mean, that's the common thread that I weave throughout the whole book. How many hours do we have here? I'll just pick out a few highlights.

One of the real challenges is that people–when I'm saying people, I'm talking about people who work at companies that are building software or building applications–they don't necessarily know how to secure their solution or maybe they have ideas on it, but they don't know everything. Their focus is building the solutions so they can serve their customers; they don't spend every waking moment thinking about the attacker.

That's difficult because this profession, this area of expertise does require a relentless amount of dedication to understand it all. You take that and then you pair it with the fact that pretty much any company that builds anything has these intense deadline pressures. They set a time when they're going to release the product and that's when money's going to be rolling in, or if they already have a product out, they need to release the next version.

Those deadlines often force certain decisions like, “Well, I guess we'll defer security to the next release.” That's something that happens perpetually. Another challenge is that companies really struggle to understand how to even prove the return on investment and by that, they mean security is often measured as a lack of a bad thing. We didn't get breached, we didn't have a security incident, but how do you measure that? Not getting a bad thing–you can't really measure that.

They just don't know how to even talk about it as a business advantage, and then of course the people who have to do the work, the developers like I was alluding to before, they're the ones who it's now being put on their plate. They are told, “Hey, make sure you build this thing securely, and also you don't have any time, money, or resource to do it. So good luck.”

That's pretty hard for any company, even a company that says, “Hey, I got money. I've got interest, I'm motivated. I've got the right people.” There are still a lot of problems to deal with.

So, one by one in the book I try to attack–not attack, that's the wrong word. That sounds, I don't know, adversarial. I try to address each one and reverse the thinking on it and give ideas for what to do about it.

Security Is a Team Sport

Drew Appelbaum: Now let's say it is on your whiteboard, right? “We are going to make our app more secure.” Do you suggest bringing in external partners or should you rely solely on your internal team to build these security measures?

Ted Harrington: Yeah, that's a really good question because that's another area of a really common misconception is that people often think one or the other. They either think security is something that you're supposed to entirely outsource–you don't hire any security people at your company, outsource it. And some people think, well you don't outsource security at all, you build your own team in house. Actually, both of those are wrong.

Security is a team sport. It really requires both, in-house even if it is just fractional in-house. For example, you might have a person who, security is not their primary job, but they are responsible for ensuring positive and effective collaboration with the external security partner. You've got some internal resources, or even if it is just a partial resource, and then you work with an external expert or consulting firm, who can help you think through your challenges.

Then those two have to work in really close collaboration, which is something that's also itself often overlooked, and that's the way that you do it, even at small companies who don't have many people. So, for example, one of our customers has eight people. So, they just can't afford to hire a full-time security person nor would that be what I recommend, but what they do is that they look at one of their people and they say, “Okay, you, of course, have responsibilities X, Y, and Z but you're also the person who makes sure that Ted's team has everything that they need. They have all of the access and that they're able to translate the results for us so that we can improve, that's part of your job.”

Then on the other end of the spectrum, we have Fortune 10 enterprise customers who have entire departments whose job is to work with us, and companies like us. So, it really is a team sport, it requires both.

Drew Appelbaum: I love what you bring up towards the end of the book, which is security is actually a competitive advantage and you can make money off of your investment into security, which makes it a much easier sell to your CEO. Can you talk to us about that competitive advantage?

Ted Harrington: Yeah, you asked me before about some of the things that I learned–I can't remember how you phrased it, but let's use the word revelation. What was something that was revealed to me? This was one of those areas that as I was thinking about it, this was always in the back of my mind, how do you justify the investment in security?

Because as much as I, as someone who is on this mission, I am so overly obsessively passionate about why technology should be secure, I am also able to realize and recognize that security in and of itself, while it's an ideal and it is something worth pursuing, it doesn't on its own make a business justification.

So, that begets the question, well what does beget the business justification? And as I started looking at all of the people that I knew, our customers, people that aren't our customers, my friends in the industry, I realized it really comes to this–we play a part in an ecosystem that we are almost tangential to, but we play an important role too, which is that organizations who buy applications, whether that's they pay for a license or they pay for more of like a subscription through a SaaS model or whatever the model is, they are paying money in order to be able to use some sort of system that someone built. Their expectation, their demand, they want those solutions to be secure, and at the same time, those companies who are now selling their service or their solutions, they both struggle to actually secure their solutions, for all of the reasons that we talked about here today, they struggle to actually do it and then they struggle to be able to communicate it.

One of the things that I did in the course of writing the book, I did a mini little study that was, I won't even call it research, it was just more of curiosity, and I looked at, I think it was 200 enterprise-class application websites to see how they talk about security.

The ideas that are reflected in my book, only about 4% of all of those companies actually talk about security in the way that this book recommends. So that tells us two things. Number one, the buyer is demanding security, and number two, 96% of the people selling things to them don't know how to talk about it, don't know how to secure it, and don't know how to prove it. That's an enormous opportunity for a company to be able to do the right thing.

First of all, we're talking about the right thing out of the gate, which is building better, more secure solutions, and that is inherently a good thing in itself. It doesn't even need a business justification, but we'll obviously extend it to one. So, you start with an inherently good thing and then you gain this ridiculously powerful competitive advantage. So, when other companies are saying these really hollow nonsensical claims like, “Oh, we use bank-level security.” That doesn't actually mean anything.

You're able to say, “Well, here's what we do, here is how we do it, here is what it means to you, and here's how you can make a decision.” The recipient of that is able to say, “Wow. First of all, no one talks to me like that. I now have the insight to make a decision, which I've rarely seen.” And it makes them trust in it and it gets rid of that fear. When all of that happens, it leads to sales.

Now if you are on the selling side, you still have to build a solution that your buyer wants; it doesn't matter how secure it is if it doesn't solve a problem. What happens is security as the blocker, security as the thing that prevents the sale, is now removed and instead of it being in your way, it is now actually in the way of your competitors, because your competitors have to clear that bar. They can't clear that bar, you have cleared that bar, which means your bar is now in front of them.

And that's really, really powerful and that's how it leads to sales. It's how it helps you make money. It is actually a really positive marketing investment and in the last chapter in the book, I teach people exactly how to do that.

A Mindset Shift

Drew Appelbaum: Now Ted, let's take a step back and say that you are forming a company today and you want to create this ultra-secure app. Tell me, what does doing security right look like?

Ted Harrington: Well, starting from the very beginning, building security in from the outset–that is a real mindset shift that many, many companies, first of all, aren't even aware that they should think that way. Then once they are aware of that, it's like changing culture at an organization to try to make that happen, which is astronomically difficult.

So, the way you are framing the question is, of course, well I don't have to deal with that legacy problem. I can start out of the gate saying security is a priority, it's going to be a part of our mission and our vision. Now what we do is we have the right mindset, and we know how to work with this sort of team sport idea, and we can start building security in from the beginning. When we do that, what that does is it has this super powerful domino cascading effect where each decision that we make as we're building the solution, because security is baked into it, we have just saved ourselves headache and heartache down the road later in terms of remediating issues because we are getting rid of the issues at the moment they are being introduced. That's hugely powerful. So not only does it make it hurt less later, but it also makes it easier and it is more effective, and it is absolutely the right way to do it.

Drew Appelbaum: You also give the reader exercises and real-world examples on your website. Can you talk about some of the resources that are available there?

Ted Harrington: Yes, there are a couple of things. This podcast is the first place that I have talked about this. I will start with the one that's pretty cool. Nobody knows this yet but I am now telling people, I am telling you.

Drew Appelbaum: All right, world exclusive right here.

Ted Harrington: Yeah, this is the breaking news. There is actually an Easter egg hidden in the cover and it is a code that can be deciphered. One of the resources that I give away is actually walking you through how to decipher the code. So, you have to go find the code, and then one of the resources that I give people is how to actually break it, how to reverse it. Not only do you get a fun exercise, a fun experience, but it actually is not just step-by-step like, “Do this, do this, do this,” it is, “Do this, now this is what you might be experiencing if you are actually an ethical hacker trying to reverse engineer something.” So, no matter how technical you are or you're not, it gives you that sort of firsthand experience of the thought process of how you work through breaking something apart that seems indecipherable. That is definitely one of the things that I give away and it's right there, hiding in plain sight.

Drew Appelbaum: This is a very old reference but do hackers still run around in rogue places and wear rollerblades?

Ted Harrington: I don't know. Did hackers ever wear rollerblades?

Drew Appelbaum: From the movie Hackers in the '90s.

Ted Harrington: Oh from Hackers, yeah. Okay, yes. So, I do reference rollerblades in the book. No, the more common stereotype for hackers right now, which is, oh man, it is so bad, and you have seen it in every single piece of stock art of every security breach headline you have ever seen, it is a hacker wearing a black hoodie, you can't really see their face, they're hunched over a keyboard, the keyboard has some green screen, you know, green code on it, and none of that at all is right.

I mean well, everyone in the security community likes wearing hoodies and a lot of them are black. But the whole black hoodie archetype is a little ridiculous because the truth is that both the good guy hackers and the bad guy hackers, they're just like you and me and your parents and your siblings and your cousins. They are just people out trying to get better and make a living and solve problems and a lot of them don't have the same moral compass that the rest of us do. And that's really the main difference is that they don't see evil the same way we do but otherwise they're just like you and I.

Drew Appelbaum: Well, thank you for tolerating my obscure reference. I appreciate that and Ted, writing a book, especially like this one, which is going to help a lot of business professionals is no small feat. So, congratulations on publishing.

Ted Harrington: Thank you.

Do Security Right

Drew Appelbaum: And my final question for you is if readers could take away only one thing from the book, what would you want it to be?

Ted Harrington: It's that this is a chaotic mess, security is a chaotic mess. It's hard, it's difficult, it's complicated, it seems expensive, it just seems like a nightmare, but it can be handled. That's the positive I want people to leave with, is that if you read my book–but what I am about to say I believe this about really anything that any credible security person could teach you.

If you come with a mindset of you are here to learn and to change your mind and to keep getting better and to apply and learn new techniques, then you are going to leave having read this book seeing a brighter future. You are going to know what to do and you will be able to do security right.

A lot of security people, they sort of stick to the doom and gloom and more of, “Oh, the sky is falling,” and maybe in some cases that is true, but that's not what I want you to leave with. I want people to leave feeling inspired, feeling equipped.

If you know what to do, you know why to do it, you know how to do it, I will have achieved my goal. If even one person can go solve their problems because they've read this book, that's my hope is that eventually, I give that really positive feeling to somebody of, “I had this problem I was trying to solve. I read a book, I've now solved the problem and I feel good about it.” That's what I hope everybody will get out of it, but at least one person is the goal.

Drew Appelbaum: Well, I think you will achieve that goal tenfold. Ted, this has been a pleasure and I am excited for people to check out this book. Everyone, the book is called Hackable and you can find it on Amazon. Ted, besides checking out the book, where can people find you?

Ted Harrington: Yeah, I'd recommend the easiest thing is just go to my book's website. It is hackablebook.com and obviously, all of the information about the book itself is there. You will link to the Amazon page to buy it, but also if you want to connect with me on LinkedIn or on Twitter, or if you want to email me and just talk about these ideas, or if you think that you want to hire me or our company for any services, literally anything that you would need to do in relation to this podcast, you will find it at hackablebook.com.

Drew Appelbaum: Awesome Ted, thank you so much for coming on the show today.

Ted Harrington: Thank you for having me.