1
00:00:02,939 --> 00:00:05,789
Narrator: You're listening to
the humans of DevOps podcast, a

2
00:00:05,789 --> 00:00:09,449
podcast focused on advancing the
humans of DevOps through skills,

3
00:00:09,479 --> 00:00:13,829
knowledge, ideas and learning,
or the SKIL framework.

4
00:00:16,529 --> 00:00:18,749
Jamal Walsh: I think what's hard
in when it comes to software

5
00:00:18,749 --> 00:00:22,529
development and security is
thinking like someone who wants

6
00:00:22,529 --> 00:00:26,219
to attack kill your system, your
services. And I think working

7
00:00:26,219 --> 00:00:29,789
out how you embed that into your
engineering teams is kind of the

8
00:00:29,789 --> 00:00:31,919
big challenge around
DevSecOps.

9
00:00:34,080 --> 00:00:36,720
Jason Baum: Hey, everyone, it's
Jason Baum, Director of Member

10
00:00:36,720 --> 00:00:40,830
experience at DevOps Institute,
and this is the humans of DevOps

11
00:00:40,830 --> 00:00:46,050
podcast. Welcome back. Hope you
had a great week. Last Tuesday,

12
00:00:46,050 --> 00:00:49,830
February 8, we actually
celebrated Safer Internet Day.

13
00:00:50,100 --> 00:00:53,190
Never heard of it? I actually
hadn't heard of it either.

14
00:00:53,970 --> 00:00:57,330
But Safer Internet Day was
celebrated for the first time in

15
00:00:57,360 --> 00:01:02,940
2005. And the goal is to spread
awareness about online privacy

16
00:01:02,940 --> 00:01:07,380
and security. This year, its
theme was together for a better

17
00:01:07,410 --> 00:01:10,530
internet and called upon
stakeholders to join together to

18
00:01:10,530 --> 00:01:14,010
make the internet a safer and
better place for all sounds

19
00:01:14,010 --> 00:01:20,250
pretty great to me. And so with
that in mind, we we found our

20
00:01:20,250 --> 00:01:25,410
next guest and and begged him to
come back to the show. Jamal

21
00:01:25,410 --> 00:01:29,160
Walsh is here with me to discuss
online security and more

22
00:01:29,160 --> 00:01:34,170
specifically, DevSecOps. Jamal
is a passionate agile and DevOps

23
00:01:34,170 --> 00:01:37,020
practitioner with a keen
interest in the human side of

24
00:01:37,020 --> 00:01:40,740
agile and DevOps practices. He
also happens to be a DevOps

25
00:01:40,740 --> 00:01:44,520
Institute ambassador, and was a
guest of this podcast back on

26
00:01:44,520 --> 00:01:48,210
episode 36. So if you'd like to
learn more about Jamal, I

27
00:01:48,210 --> 00:01:51,030
definitely encourage you to have
a listen to that episode. We

28
00:01:51,030 --> 00:01:53,760
discussed everything from
applying DevOps practices to

29
00:01:53,760 --> 00:01:59,700
legacy platforms, to airline
hangars, to mountain biking, and

30
00:01:59,700 --> 00:02:02,850
more. So definitely have a
listen to that you'll learn a

31
00:02:02,850 --> 00:02:06,090
whole lot about Jamal. It's a
lot of fun. And that description

32
00:02:06,090 --> 00:02:09,990
sounds about right for this
podcast. So Jamal, welcome back

33
00:02:09,990 --> 00:02:12,090
to the podcast. Thanks so much
for coming.

34
00:02:12,960 --> 00:02:15,870
Jamal Walsh: Thanks, Jason.
Great to be here. Again, always

35
00:02:15,870 --> 00:02:20,610
a fun conversation. I think this
one today is probably front and

36
00:02:20,610 --> 00:02:22,770
center of everything I'm doing
at the moment. So I'm really

37
00:02:22,770 --> 00:02:24,510
looking forward to having a chat
with you.

38
00:02:24,810 --> 00:02:27,150
Jason Baum: Awesome. Well, we're
excited to have you and are you

39
00:02:27,150 --> 00:02:30,180
ready to get human again? Oh,
yes.

40
00:02:30,330 --> 00:02:31,020
Jamal Walsh: 100%.

41
00:02:32,340 --> 00:02:36,150
Jason Baum: Excellent. So
DevSecOps. So there's DevOps, I

42
00:02:36,150 --> 00:02:40,560
know of all the ops, there's a
ton of ops. Yeah. So DevSecOps,

43
00:02:40,560 --> 00:02:44,760
I know, applying DevOps
principles to security

44
00:02:44,760 --> 00:02:47,670
practices, I'm assuming, and
then what?

45
00:02:48,389 --> 00:02:50,639
Jamal Walsh: Yeah, I guess I
guess it. So it's always an

46
00:02:50,639 --> 00:02:54,029
interesting one, right. I think
I think when people see

47
00:02:54,029 --> 00:02:59,099
DevSecOps and wonder what it means,
for me personally, I think it's

48
00:02:59,099 --> 00:03:03,689
about ensuring you apply
security thinking, to you know,

49
00:03:03,689 --> 00:03:08,309
every step of your kind of
software lifecycle. You know,

50
00:03:08,309 --> 00:03:12,329
and that can be from really
early on when you're actually

51
00:03:12,329 --> 00:03:15,029
discussing and designing things
that you're going to implement

52
00:03:15,449 --> 00:03:20,849
to the actual kind of operation
and support and monitoring of

53
00:03:20,849 --> 00:03:25,739
the stuff that you build. So
it's kind of all encompassing,

54
00:03:25,739 --> 00:03:29,219
in my view, you know, it's about
thinking about security every

55
00:03:29,219 --> 00:03:33,149
step of the way. And obviously,
embedding that within your

56
00:03:33,149 --> 00:03:36,239
development teams, and ensuring
you know, the things that you

57
00:03:36,239 --> 00:03:39,299
build are secure, and you do it in
a way that doesn't slow you

58
00:03:39,299 --> 00:03:42,659
down, because I think a lot of
the old security practices can

59
00:03:42,659 --> 00:03:44,939
sometimes get in the way of
being, you know, agile and

60
00:03:44,939 --> 00:03:48,239
delivering things quickly to
customers. So yeah, that's

61
00:03:48,239 --> 00:03:50,669
that's my personal view on it
anyway. Yeah.

62
00:03:50,669 --> 00:03:53,789
Jason Baum: When you say the
security practices, I mean, I

63
00:03:53,789 --> 00:03:56,939
think of I mean, on the front
end side of using something like

64
00:03:56,939 --> 00:04:01,679
two factor are often often,
often often taken. Ah, gosh, I

65
00:04:01,679 --> 00:04:06,209
can't say the word. So hard.
Yeah. Thank you. It's so hard to

66
00:04:06,209 --> 00:04:09,059
even say the word, let alone
then have to do it and get the

67
00:04:09,059 --> 00:04:11,759
text message or the email. And
so yeah, I mean, it becomes

68
00:04:11,759 --> 00:04:16,529
cumbersome. When you're applying
it to software development, is

69
00:04:16,529 --> 00:04:18,419
it kind of like when you're
testing something you like build

70
00:04:18,419 --> 00:04:21,209
it to break it? And just so
you're building something to

71
00:04:21,209 --> 00:04:24,629
kind of get around it? Is that
Is that what you mean by that?

72
00:04:24,629 --> 00:04:24,929
Or

73
00:04:25,140 --> 00:04:28,050
Jamal Walsh: I think, I think, I
think what's hard in when it

74
00:04:28,050 --> 00:04:32,790
comes to software development,
and security is thinking like a

75
00:04:32,790 --> 00:04:36,450
malicious actor, someone who
wants to, he wants to attack

76
00:04:36,450 --> 00:04:39,480
your, your system, your
services. And I think, I think,

77
00:04:39,960 --> 00:04:42,480
you know, a lot of a lot of
software engineers kind of find

78
00:04:42,480 --> 00:04:45,000
that hard because essentially,
they want to build, you know,

79
00:04:45,000 --> 00:04:47,790
they want to build great
products, great features. And I

80
00:04:47,790 --> 00:04:50,820
guess it's hard to actually
think about how could someone

81
00:04:51,000 --> 00:04:53,580
take advantage of what I'm
building? What can they do, how

82
00:04:53,580 --> 00:04:56,220
could they access it and what
could they do if they if they

83
00:04:56,220 --> 00:04:59,280
actually access it? What kind of
information can they get and

84
00:04:59,280 --> 00:05:03,930
what kind of problems causes as
an organization. So yeah, I

85
00:05:03,930 --> 00:05:06,990
think it's the mindset and the
way of thinking is very

86
00:05:06,990 --> 00:05:09,570
different to kind of your
standard engineering practices,

87
00:05:09,810 --> 00:05:13,110
and kind of working out how you
embed that into your engineering

88
00:05:13,110 --> 00:05:16,380
teams is kind of the big
challenge around DevSecOps.

89
00:05:16,500 --> 00:05:16,830
Yeah, it's

90
00:05:16,830 --> 00:05:18,900
Jason Baum: interesting, because
it's not really a bug, right?

91
00:05:18,930 --> 00:05:24,330
It's working, it's working fine.
But how would someone circumvent

92
00:05:24,660 --> 00:05:29,370
yesterday, the rules that exist,
I guess, the logic that exists?

93
00:05:29,760 --> 00:05:32,190
Jamal Walsh: Yeah, yeah. And you
have to, you know, you really

94
00:05:32,190 --> 00:05:36,360
have to think about it every
step of the way. Because, you

95
00:05:36,360 --> 00:05:39,510
know, even from the point, you
start thinking about what you're

96
00:05:39,510 --> 00:05:42,150
going to build and how you're
going to build it, it's a we do

97
00:05:42,150 --> 00:05:45,870
something called threat
modeling, a very group. And that

98
00:05:45,870 --> 00:05:50,490
means we will take a design,
before we even code anything,

99
00:05:50,490 --> 00:05:53,010
we'll design the system, and
then we'll do something called

100
00:05:53,010 --> 00:05:56,670
Threat Modeling before we even
write a line of code. And that

101
00:05:56,670 --> 00:06:02,940
will allow us to think, like a
malicious actor. And think about

102
00:06:02,940 --> 00:06:05,880
the, you know, the attack
vectors of the application,

103
00:06:06,480 --> 00:06:09,420
where someone where there might
be some exploits and things like

104
00:06:09,420 --> 00:06:13,320
that. And then, as we design and
implement the system, we'll take

105
00:06:13,320 --> 00:06:15,990
those risks. And we'll make sure
we put security controls in

106
00:06:15,990 --> 00:06:19,710
place to mitigate anything we've
identified really early on.

107
00:06:20,040 --> 00:06:24,120
Because the last point you want
to find a problem with security

108
00:06:24,450 --> 00:06:28,320
is in production. So you know,
there's lots of different steps

109
00:06:28,320 --> 00:06:30,510
you can take, right? Through
your software development

110
00:06:30,510 --> 00:06:33,750
lifecycle workflow, you know,
it's this whole, this whole old

111
00:06:33,750 --> 00:06:37,500
concept of shifting stuff left,
security is the same, right?

112
00:06:37,500 --> 00:06:42,120
The, the sooner the, if you move
it more towards the left, then

113
00:06:42,120 --> 00:06:45,270
you can find these problems
sooner, fix them sooner, and the

114
00:06:45,270 --> 00:06:49,110
impact of those things is much
less. So this

115
00:06:49,110 --> 00:06:52,980
Jason Baum: is the humans of
DevOps. And so I find it

116
00:06:52,980 --> 00:06:56,370
interesting to get in the head
of a malicious actor, what does

117
00:06:56,370 --> 00:07:00,930
that look like? How does it how
do how does one channel that

118
00:07:01,410 --> 00:07:04,860
that malicious actor rather than
just, you know, looking at the

119
00:07:04,860 --> 00:07:08,100
code, and where one might, I
think, I'm assuming you have to

120
00:07:08,100 --> 00:07:10,530
get in their their brain a
little bit, right?

121
00:07:10,830 --> 00:07:14,550
Jamal Walsh: Absolutely. I mean,
we have, we have security

122
00:07:14,550 --> 00:07:18,840
experts working in the business,
and we also have partners who

123
00:07:18,840 --> 00:07:25,650
will speak to as well. It's, I
think, it's, it's really hard to

124
00:07:25,650 --> 00:07:28,470
put yourself in that mindset,
because it's not a natural

125
00:07:28,470 --> 00:07:32,970
mindset. You know, you know,
it's not a day to day you don't

126
00:07:32,970 --> 00:07:35,910
think on it, you know, a good
engineer is not thinking about

127
00:07:35,910 --> 00:07:40,260
how, how they can take advantage
of a software system. So I

128
00:07:40,260 --> 00:07:43,410
think, yeah, I think, I think
helping people get in that

129
00:07:43,410 --> 00:07:46,680
mindset, you need to help people
with experience of that. And,

130
00:07:46,680 --> 00:07:50,130
you know, I've worked with some
great security consultants, pen

131
00:07:50,130 --> 00:07:54,660
testers, and, you know, there's
these concepts of red and blue

132
00:07:54,660 --> 00:07:58,770
teams and purple teams in the
security space. And it's purely

133
00:07:58,770 --> 00:08:02,130
their job to think in that way.
But I think it's really

134
00:08:02,130 --> 00:08:06,450
important that they don't just
do that alone, that they sit

135
00:08:06,450 --> 00:08:09,750
with other engineers, and, you
know, your QA engineers, your

136
00:08:09,750 --> 00:08:14,460
software engineers, and impart
that knowledge in that way of

137
00:08:14,460 --> 00:08:18,120
thinking on to the engineer, so
they can think about those

138
00:08:18,120 --> 00:08:20,250
things when developing software.

139
00:08:20,880 --> 00:08:23,250
Jason Baum: So it's pretty safe
to say that security should be

140
00:08:23,250 --> 00:08:25,980
more of a consideration for all
DevSecOps teams.

141
00:08:26,040 --> 00:08:29,430
Jamal Walsh: Yes, absolutely.
100%. I mean, you know, you just

142
00:08:29,430 --> 00:08:32,310
have to look at the, you know, I
think there was the Log4j

143
00:08:32,310 --> 00:08:37,260
incident recently, where, you
know, the logging package had

144
00:08:37,260 --> 00:08:40,230
been activated, there was an
extra zero day vulnerability in

145
00:08:40,440 --> 00:08:44,250
Log4j. And, you know,
instantly people are scrambling

146
00:08:44,250 --> 00:08:46,890
around trying to patch that.
And, you know, some companies

147
00:08:46,890 --> 00:08:50,100
were, you know, fell foul of
that, because they, they weren't

148
00:08:50,100 --> 00:08:53,130
able to patch their systems
quick enough, or they were

149
00:08:53,130 --> 00:08:55,920
unlucky enough to have someone
take advantage of that, that

150
00:08:55,950 --> 00:09:00,570
that vulnerability. And then
there's so many ransomware

151
00:09:00,570 --> 00:09:04,080
attacks happening these days, I
mean, that, that, that for me at

152
00:09:04,080 --> 00:09:07,290
the moment that the kind of
plural proliferation of the

153
00:09:07,320 --> 00:09:11,250
ransomware attacks at the
moment, is staggering. And that

154
00:09:11,340 --> 00:09:14,070
that for me and for the company
I'm working with at the moment

155
00:09:14,070 --> 00:09:16,560
and probably most companies is
probably the scariest thing

156
00:09:16,560 --> 00:09:20,010
right now from a security point
of view. You know, if, if one of

157
00:09:20,010 --> 00:09:23,730
these bad actors gets in and can
get this ransomware on your on

158
00:09:23,730 --> 00:09:26,700
your machines, you know, they
can completely encrypt your

159
00:09:26,700 --> 00:09:31,050
entire data. I mean, there's a
company in the UK called KP

160
00:09:31,050 --> 00:09:34,500
snacks. They actually make my
favorite brand of crisps be

161
00:09:34,500 --> 00:09:38,340
fooled hoops. And they were
attacked with ransomware just

162
00:09:38,550 --> 00:09:41,880
last month, and that's
completely affected their supply

163
00:09:41,880 --> 00:09:45,360
chain massively. So none of
their crisps are in the shops at

164
00:09:45,360 --> 00:09:50,070
the moment. And while you're
pretty angry, I'm an unhappy

165
00:09:50,070 --> 00:09:51,060
customer. Yeah, that

166
00:09:51,060 --> 00:09:51,930
Jason Baum: would drive me
crazy.

167
00:09:53,340 --> 00:09:55,380
Jamal Walsh: You know, this is
this is you know, this is the

168
00:09:55,380 --> 00:09:59,220
kind of the fallout from you
know, not, you know, be having

169
00:09:59,220 --> 00:10:02,010
those exploits. How In your
systems, they can they can cause

170
00:10:02,010 --> 00:10:05,790
real problems. You know, from a,
from a, from a brand point of

171
00:10:05,790 --> 00:10:08,070
view and just from a trainer
trying to fix these kinds of

172
00:10:08,070 --> 00:10:09,300
things is real.

173
00:10:09,690 --> 00:10:12,090
Jason Baum: Yeah, I mean, let's
talk about that. So it's it's

174
00:10:13,140 --> 00:10:17,580
Safer Internet Day and just
talking about security and or

175
00:10:17,580 --> 00:10:20,220
last week was Safer Internet
Day. And we're talking about

176
00:10:20,220 --> 00:10:22,830
security. And we're not talking
about just safer internet for

177
00:10:22,830 --> 00:10:24,960
our children to go on to I mean,
obviously, that's very

178
00:10:24,960 --> 00:10:28,980
important. And, and all that.
But we're also talking about

179
00:10:28,980 --> 00:10:34,650
safer internet as far as
practices to keep your data safe

180
00:10:34,650 --> 00:10:37,950
and companies safe and their
data safe. More importantly,

181
00:10:37,950 --> 00:10:42,210
because your data's their data.
So where it How does that all

182
00:10:42,210 --> 00:10:44,940
fit in? We talked about the
ransomware attack, what what are

183
00:10:44,940 --> 00:10:48,480
they after? What are they
looking to exploit? And why

184
00:10:48,480 --> 00:10:51,540
should that become more of a
priority for businesses? Or why

185
00:10:51,540 --> 00:10:53,580
is that a priority for
businesses? Right?

186
00:10:54,600 --> 00:10:57,810
Jamal Walsh: So I think
ransomware is, I think, one of

187
00:10:57,810 --> 00:11:00,690
the things as well as I don't
think, I don't think we actually

188
00:11:00,690 --> 00:11:05,430
know how rife is because I think
a lot of companies just pay the

189
00:11:05,430 --> 00:11:13,110
ransom, and get the concept.
Yeah, and so. So you know, a lot

190
00:11:13,110 --> 00:11:15,360
of these things we're not we're
not aware of even happen,

191
00:11:15,360 --> 00:11:18,270
because the companies don't want
to publicize the fact that this

192
00:11:18,270 --> 00:11:21,000
has happened in a lot of cases,
because it affects their brand.

193
00:11:21,270 --> 00:11:23,790
And in some in some scenarios
they do, and they have to

194
00:11:23,790 --> 00:11:28,140
because they're just impacted so
badly. But from a, you know, a

195
00:11:28,140 --> 00:11:30,840
mitigation point of view, there
are so many things you need to

196
00:11:30,840 --> 00:11:34,560
think about, you know, you know,
encrypting your data at rest,

197
00:11:35,460 --> 00:11:38,820
making sure you have regular
backups, and your backups are

198
00:11:38,820 --> 00:11:41,220
stored completely separate from
everything else that you're

199
00:11:41,220 --> 00:11:46,800
doing. You know, and just being
able to practicing the disaster

200
00:11:46,800 --> 00:11:50,490
recovery side of things to
ensure that if, you know, if

201
00:11:50,490 --> 00:11:55,140
something like that does happen,
how quickly can you restore? How

202
00:11:55,140 --> 00:12:01,110
much is it going to impact you.
And, you know, sometimes, with

203
00:12:01,110 --> 00:12:03,540
these attacks, you just don't
know, you know, if you're, if

204
00:12:03,540 --> 00:12:06,840
you're a large enterprise, and
they've managed to infiltrate a

205
00:12:06,840 --> 00:12:10,770
large portion of your network,
then you know, recovering from

206
00:12:10,770 --> 00:12:14,640
that can be a hell of a, you
know, a hell of a job. And, you

207
00:12:14,640 --> 00:12:18,000
know, sometimes the cost of
trying to recover from that,

208
00:12:18,030 --> 00:12:21,660
versus the ransom demands, you
know, this is why a lot of

209
00:12:21,660 --> 00:12:23,760
companies kind of, you know,
weighing those things up, and

210
00:12:23,910 --> 00:12:27,180
obviously, just some of them are
settling, without even, you

211
00:12:27,180 --> 00:12:29,430
know, telling anyone or letting
anyone know that something's

212
00:12:29,430 --> 00:12:32,910
happened. But you know, the
there are, there are lots of

213
00:12:32,940 --> 00:12:36,780
things you can do to mitigate
it. But again, I think it's more

214
00:12:36,780 --> 00:12:40,500
about planning, planning for it
to happen, I think is the most

215
00:12:40,500 --> 00:12:44,610
important thing, and making sure
you've got the right processes

216
00:12:44,610 --> 00:12:48,600
and tools and steps in place to
and you practice, you know, what

217
00:12:48,600 --> 00:12:50,880
you would do in that kind of
scenario, I think is really

218
00:12:50,880 --> 00:12:51,420
important.

219
00:12:51,840 --> 00:12:53,400
Jason Baum: Well, it kind of
goes back to what you said,

220
00:12:53,400 --> 00:12:56,850
catching it in production,
right? I mean, those earlier

221
00:12:56,850 --> 00:13:00,720
phases, so that you don't get to
that point where you're working

222
00:13:00,750 --> 00:13:01,560
too far.

223
00:13:01,979 --> 00:13:04,859
Jamal Walsh: Yeah, so there's
the there's the kind of the

224
00:13:04,859 --> 00:13:09,089
processes you take between
during your development

225
00:13:09,089 --> 00:13:12,029
lifecycle. So you've got things
like Threat Modeling really

226
00:13:12,029 --> 00:13:16,049
early on to identify any
potential gaps in your security

227
00:13:16,079 --> 00:13:19,529
and the design of your system
and its architecture. And then

228
00:13:19,529 --> 00:13:23,159
next, you've got kind of
checking your code to ensure

229
00:13:23,159 --> 00:13:25,769
that there's no vulnerabilities
being developed within the

230
00:13:25,769 --> 00:13:30,029
source code itself. And then the
big one at the moment is kind of

231
00:13:30,209 --> 00:13:32,969
the dependencies that a lot of
you know, organizations pull

232
00:13:32,969 --> 00:13:35,909
into the software that they're
developing. So you know, you're

233
00:13:35,909 --> 00:13:39,779
pulling in packages from
external sources, and you want

234
00:13:39,779 --> 00:13:42,239
to be you want to be checking,
you know, scanning those

235
00:13:42,239 --> 00:13:44,969
dependencies and ensuring
there's no vulnerabilities in

236
00:13:44,969 --> 00:13:49,109
the software that you're pulling
in from other people. You know,

237
00:13:49,109 --> 00:13:53,399
and then there's obviously, load
lots of other stuff you can do

238
00:13:53,399 --> 00:13:56,069
in the in the development part,
if you're using containers, you

239
00:13:56,069 --> 00:13:59,099
can have scanning, you can scan
the images of your operating

240
00:13:59,099 --> 00:14:02,609
systems in those containers, and
then all the way down to kind of

241
00:14:02,699 --> 00:14:06,389
securely monitoring your, your,
your website and applications

242
00:14:06,569 --> 00:14:10,259
from, you know, putting web
application firewalls in place.

243
00:14:11,039 --> 00:14:14,249
And there's tons of, you know,
kind of bot detection

244
00:14:14,279 --> 00:14:16,949
software that will detect if
people are trying to do

245
00:14:16,979 --> 00:14:19,139
credential stuffing on your
website and things like that. So

246
00:14:19,139 --> 00:14:21,689
there's, there's a vast amount
of things you can do as an

247
00:14:21,689 --> 00:14:24,479
organization to kind of protect
yourself.

248
00:14:25,049 --> 00:14:27,539
Jason Baum: We're investing a
lot in security, and I would

249
00:14:27,539 --> 00:14:30,929
assume that businesses, you
know, obviously they see this

250
00:14:30,929 --> 00:14:36,119
threat. We've we talked about
that, but how has that kind of

251
00:14:36,119 --> 00:14:41,459
changed or the the landscape of
the role of US security

252
00:14:41,459 --> 00:14:45,209
specialists, you know, the type
of people that companies are

253
00:14:45,209 --> 00:14:48,569
looking to, to hire bring in to
solve this?

254
00:14:48,809 --> 00:14:51,599
Jamal Walsh: Yeah, I think I
think there are different types

255
00:14:51,599 --> 00:14:55,049
of security specialists. So
there, you get your consultant

256
00:14:55,049 --> 00:14:58,499
types, you'll come in and
consult around a large, you

257
00:14:58,499 --> 00:15:01,889
know, security in you especially
in an enterprise organized

258
00:15:01,889 --> 00:15:05,459
organization is vast. I mean,
you've got you've got the, you

259
00:15:05,459 --> 00:15:09,929
know, from from, you know, users'
laptops, and the networks and

260
00:15:09,959 --> 00:15:13,379
all of that, that they use to
the software they're developing.

261
00:15:13,589 --> 00:15:17,999
I mean, security as a subject
matter in a large organization

262
00:15:18,029 --> 00:15:20,819
is enormous. And generally,
that's where you'll have

263
00:15:20,819 --> 00:15:26,579
security consultants, and, and
CISO type people who kind of

264
00:15:26,759 --> 00:15:30,419
manage the whole scope of that.
But from a software development

265
00:15:30,419 --> 00:15:35,969
point of view, I think it's
always good to have someone who

266
00:15:35,969 --> 00:15:39,329
deals with the security having a
software development background,

267
00:15:39,359 --> 00:15:43,349
because I think that allows you
to have a conversation about

268
00:15:43,349 --> 00:15:45,899
security and software
development at a level that

269
00:15:45,899 --> 00:15:50,099
really helps your engineers
understand, you know, the

270
00:15:50,099 --> 00:15:53,489
implications and the cost of not
doing security properly.

271
00:15:54,630 --> 00:15:57,570
Jason Baum: Today's episode of
the humans of DevOps podcast is

272
00:15:57,570 --> 00:16:01,590
sponsored by Kolide. Kolide is
an endpoint security solution

273
00:16:01,590 --> 00:16:04,740
that sends your employees
important and timely security

274
00:16:04,740 --> 00:16:08,550
recommendations for their Linux,
Mac and Windows devices, right

275
00:16:08,550 --> 00:16:12,480
inside Slack. Kolide is perfect
for organizations that care

276
00:16:12,510 --> 00:16:16,470
deeply about compliance and
security, but don't want to get

277
00:16:16,470 --> 00:16:19,230
there by locking down devices to
the point where they become

278
00:16:19,260 --> 00:16:23,460
unusable. Instead of frustrating
your employees, Kolide educates

279
00:16:23,460 --> 00:16:27,150
them about security, and device
management while directing them

280
00:16:27,150 --> 00:16:30,990
to fix important problems. You
can try Kolide with all its

281
00:16:30,990 --> 00:16:36,330
features on an unlimited number
of devices, free for 14 days, no

282
00:16:36,330 --> 00:16:42,690
credit card required. Visit
callide.com/h o DEP to sign up

283
00:16:42,690 --> 00:16:51,780
today. That's callide k
olid.com/h. O DEP enter your

284
00:16:51,780 --> 00:16:54,990
email when prompted to receive
your free Kolide gift bundle

285
00:16:55,020 --> 00:17:01,890
after trial activation. Yeah,
and I'd be remiss to mention

286
00:17:01,890 --> 00:17:08,310
that our sponsor Kolide, we had
Jason Meller, the CEO of Kolide

287
00:17:08,310 --> 00:17:12,210
on and talked about, he's the
author of Honest Security. And we

288
00:17:12,210 --> 00:17:18,330
talked about how, you know, all
these threats are becoming more

289
00:17:18,330 --> 00:17:20,970
sophisticated, the steps to
prevent them are becoming more

290
00:17:20,970 --> 00:17:24,450
sophisticated. But then you have
a whole line of all the people

291
00:17:24,450 --> 00:17:27,420
who who are employed by you, and
you need to take steps to make

292
00:17:27,420 --> 00:17:30,210
sure that they are being safe,
and that they are not

293
00:17:30,210 --> 00:17:33,600
compromising the organization.
And but you need to do it in an

294
00:17:33,630 --> 00:17:37,770
honest way. And one that's not
too cumbersome. And I'm assuming

295
00:17:37,770 --> 00:17:41,400
that's a big piece of what plays
into this, how do you make the

296
00:17:41,400 --> 00:17:44,910
employees feel like, the big
brother isn't like just watching

297
00:17:44,910 --> 00:17:46,500
every move that they take?

298
00:17:46,950 --> 00:17:49,560
Jamal Walsh: Yeah, it's really
interesting. And you know, I

299
00:17:49,560 --> 00:17:52,470
work we work, we work in a
financially regulated business

300
00:17:52,470 --> 00:17:56,220
as well. So, you know, it's even
even more stringent in

301
00:17:56,220 --> 00:17:58,500
financially regulated
businesses, when it comes to

302
00:17:58,500 --> 00:18:02,820
security and things like that.
There are certain changes

303
00:18:02,820 --> 00:18:06,540
happening in the PCI compliance
space where you have to start,

304
00:18:06,720 --> 00:18:10,320
you know, talking about how
you're securing your software

305
00:18:10,320 --> 00:18:13,620
development. And they never,
never seen that in any kind of

306
00:18:13,620 --> 00:18:18,180
PCI audits before, and now
they're really starting, you

307
00:18:18,180 --> 00:18:20,460
know, if you're financially
regulated, and you're doing

308
00:18:20,460 --> 00:18:23,550
payments and things like that,
then yeah, they're starting to

309
00:18:23,550 --> 00:18:28,950
really delve deeper into your
architecture and ensuring your

310
00:18:28,950 --> 00:18:32,760
engineers are kind of up to date
with everything that's going on.

311
00:18:32,790 --> 00:18:35,850
There's, there's obviously a lot
of training. And I think the

312
00:18:35,850 --> 00:18:38,790
other thing we seen in one of
the latest PCI audits that we

313
00:18:38,790 --> 00:18:43,620
had to do is we had to prove
that our engineers were taking

314
00:18:43,650 --> 00:18:48,060
regular security training. So
you know, these, these are the

315
00:18:48,060 --> 00:18:50,370
things that are starting to
happen now with, especially in

316
00:18:50,370 --> 00:18:53,760
the regulated space is that
you're now having to show that

317
00:18:53,790 --> 00:18:56,490
the engineers that are
developing your software that is

318
00:18:56,490 --> 00:19:00,420
financially regulated, for
example, have taken some

319
00:19:00,510 --> 00:19:04,020
relevant training to ensure that
they practice secure coding and

320
00:19:04,020 --> 00:19:04,620
things like that.

321
00:19:05,340 --> 00:19:07,770
Jason Baum: It's so funny, I
remember at one of my my very

322
00:19:07,770 --> 00:19:11,460
first jobs, we during
orientation, you all go into the

323
00:19:11,460 --> 00:19:15,720
room and they have the chief,
you know of information

324
00:19:15,720 --> 00:19:18,660
technology, and they sit you
know, they have everybody sit

325
00:19:18,660 --> 00:19:23,100
down, I do the presentation on
if you get a suspicious email,

326
00:19:23,220 --> 00:19:27,060
make sure you forward up to us
and don't open it. I feel like

327
00:19:27,060 --> 00:19:31,200
we have come such a long way
from that, you know, that that

328
00:19:31,200 --> 00:19:34,830
orientation meeting, but in many
ways, it still holds true, but

329
00:19:34,860 --> 00:19:37,350
yeah, it's like, this is a
completely different world.

330
00:19:37,740 --> 00:19:40,230
Jamal Walsh: Yeah, so we have a
we have some software in the

331
00:19:40,230 --> 00:19:44,340
company that actually sends out
malicious emails. Purposely. Oh,

332
00:19:44,340 --> 00:19:48,630
really to see if there yeah, if
you click on them, it will tell

333
00:19:48,630 --> 00:19:52,080
you if you forward it on like
you're supposed to you get a

334
00:19:52,080 --> 00:19:53,490
little pat on the back. So

335
00:19:53,520 --> 00:19:55,320
Jason Baum: I was gonna say what
happens if you click on it? Do

336
00:19:55,320 --> 00:19:56,940
they like send yell?

337
00:19:57,180 --> 00:19:59,520
Jamal Walsh: No, no, no, it's
much more friendly than that. I

338
00:19:59,520 --> 00:20:02,850
think it's just This day is to
help people recognize when, as

339
00:20:02,850 --> 00:20:05,160
you know, I think it's really
helpful for everyone, right?

340
00:20:05,160 --> 00:20:07,920
It's not just for, for work,
it's people in their, in their

341
00:20:07,920 --> 00:20:12,180
personal circumstances and
things like that. Being able to,

342
00:20:12,360 --> 00:20:15,900
you know, recognize those kinds
of malicious requests and emails

343
00:20:15,900 --> 00:20:17,970
and things like that is a
really, you know, important

344
00:20:17,970 --> 00:20:20,400
thing, not just inside work but
personally as well.

345
00:20:20,580 --> 00:20:22,500
Jason Baum: Yeah, I mean, you
see it all the time, my Twitter

346
00:20:22,500 --> 00:20:25,320
was hacked, my Facebook was
hacked, please don't respond to

347
00:20:25,320 --> 00:20:28,500
this email for me. It's not me.
Yeah. It's, it's, it's very

348
00:20:28,500 --> 00:20:31,830
prevalent. So what are the
biggest security issues facing

349
00:20:31,830 --> 00:20:32,910
DevOps teams?

350
00:20:34,020 --> 00:20:39,810
Jamal Walsh: Um, I think, I
think, I think training is one

351
00:20:39,810 --> 00:20:45,630
of the biggest things, kind of,
you know, from, from a, from a

352
00:20:45,630 --> 00:20:48,690
DevOps team point of view, it's
about having multidisciplinary

353
00:20:48,690 --> 00:20:51,900
teams, where you all work
together to deliver, you know,

354
00:20:52,110 --> 00:20:58,410
fast, secure software. And I
think, I think from a from a

355
00:20:58,410 --> 00:21:02,550
security point of view, it's,
it's, it's bringing everyone up

356
00:21:02,550 --> 00:21:07,140
to speed, to be able to
understand, you know, what it

357
00:21:07,140 --> 00:21:10,980
means to be secure what, what
tools and processes, can you and

358
00:21:10,980 --> 00:21:14,730
there's so much to think about?
Engineers have a lot to think

359
00:21:14,730 --> 00:21:17,640
about anyway, when it comes to
software development. And then

360
00:21:17,640 --> 00:21:21,630
this just adds another layer of
complexity on top of that. So

361
00:21:21,630 --> 00:21:25,830
yeah, it's, it's, it's, for me,
the biggest challenge, and the

362
00:21:25,830 --> 00:21:29,130
biggest issue is, is
understanding how you can

363
00:21:29,130 --> 00:21:34,050
improve that awareness. And, you
know, add those security skills

364
00:21:34,110 --> 00:21:37,830
and mindsets to the engineers,
not just software engineers, QA

365
00:21:37,830 --> 00:21:42,330
engineers, you know, all the
roles within your, your kind of

366
00:21:42,360 --> 00:21:43,560
your DevOps team.

367
00:21:43,830 --> 00:21:46,830
Jason Baum: And you're doing all
that, and you can't slow things

368
00:21:46,830 --> 00:21:50,130
down. I think that's right. I
mean, that's a huge piece.

369
00:21:50,400 --> 00:21:54,120
Jamal Walsh: So that is probably
the most important part of the

370
00:21:54,120 --> 00:21:59,070
whole thing for me is the fact
that if you if you get it wrong,

371
00:21:59,130 --> 00:22:03,690
security can absolutely cripple
you. Because, you know, security

372
00:22:03,690 --> 00:22:05,550
can turn around and go, you
can't release that into

373
00:22:05,550 --> 00:22:10,080
production. Yeah. And then you
stopped. And it's for me, it's

374
00:22:10,080 --> 00:22:16,320
finding the right balance of
security versus getting features

375
00:22:16,320 --> 00:22:19,980
and products out to your
customers. And that part is the

376
00:22:19,980 --> 00:22:23,730
balance is the most hard,
the hardest thing to kind of

377
00:22:23,730 --> 00:22:28,320
find wins in that scenario.
Well, it's, it's a negotiation,

378
00:22:28,320 --> 00:22:32,880
right? Security want you to be
100% secure, and you want to

379
00:22:32,880 --> 00:22:36,690
get product out to customer. And
in the end, it's a lot of risk

380
00:22:36,690 --> 00:22:41,130
management. So it's about, you
know, understanding, you know,

381
00:22:41,130 --> 00:22:44,520
why you're not going to do
something and saying, you know,

382
00:22:44,550 --> 00:22:47,010
if you're not going to, if
you're not going to implement a

383
00:22:47,010 --> 00:22:50,490
specific thing, because it may
take a long time and the risk is

384
00:22:50,490 --> 00:22:54,690
quite low, then it's something
you can discuss and negotiate

385
00:22:54,690 --> 00:22:57,030
and say, right, well, maybe, you
know, we'll do this, this and

386
00:22:57,030 --> 00:23:00,150
this, which will give us, you
know, this level of security,

387
00:23:00,540 --> 00:23:04,380
and then we will start to
develop the other parts and add

388
00:23:04,380 --> 00:23:07,500
that over time. It's about for
me, it's about continuous

389
00:23:07,500 --> 00:23:10,200
improvement if you try and if
you try and go for 100%

390
00:23:10,200 --> 00:23:12,300
security upfront, you're never
going to deliver anything to

391
00:23:12,300 --> 00:23:16,230
your customers. So yeah, it's
about the continuous improvement

392
00:23:16,230 --> 00:23:19,920
and working with security to
gradually get more and more and

393
00:23:19,920 --> 00:23:20,670
more secure.

394
00:23:21,570 --> 00:23:23,820
Jason Baum: What are the little
things we can do because, you

395
00:23:23,820 --> 00:23:28,590
know, celebrating the Safer
Internet day and with that

396
00:23:28,590 --> 00:23:31,800
general theme of together for a
better internet, and things that

397
00:23:31,830 --> 00:23:37,890
we can all do personally to help
secure ourselves or family make

398
00:23:37,890 --> 00:23:40,020
the internet just in general
safer? What are the little

399
00:23:40,020 --> 00:23:40,950
things that we can do?

400
00:23:41,310 --> 00:23:45,510
Jamal Walsh: So my number
absolute number one tip is get a

401
00:23:45,510 --> 00:23:50,610
password manager. So I use
LastPass. Other password managers

402
00:23:50,610 --> 00:23:56,790
are available. But yeah, I think
I think, you know, we spoke

403
00:23:56,790 --> 00:23:59,550
before about credential
stuffing. So for those who don't

404
00:23:59,550 --> 00:24:04,590
know what credential stuffing
is, it's where malicious actors

405
00:24:04,800 --> 00:24:10,470
go on the dark web, get a list
of credentials that have been

406
00:24:10,470 --> 00:24:15,270
taken from a hacked website. So
if your credentials are in that

407
00:24:15,420 --> 00:24:19,800
list, your email and your
password, they use credential

408
00:24:19,800 --> 00:24:21,840
stuffing, then and what they'll
do is they'll take that email

409
00:24:21,840 --> 00:24:25,800
address and that password, and
they will go off to hundreds and

410
00:24:25,800 --> 00:24:29,220
hundreds and thousands of websites
and they will try and access

411
00:24:29,370 --> 00:24:32,310
those other sites, Facebook,
you know all the social sites

412
00:24:32,520 --> 00:24:34,740
with those credentials that
they've taken from another

413
00:24:34,740 --> 00:24:38,190
system. And if they get access
to that, they've then got access to

414
00:24:38,220 --> 00:24:41,700
you know, and if you're using
the same email and password on

415
00:24:41,700 --> 00:24:43,920
all those different sites,
you're going to be in real

416
00:24:43,920 --> 00:24:47,910
trouble pretty quickly.
So having a password manager and

417
00:24:47,910 --> 00:24:51,180
making sure all your passwords
are unique in each different

418
00:24:51,180 --> 00:24:53,700
system and password managers
make that really easy. Some of

419
00:24:53,700 --> 00:24:56,520
them will even go in and
automatically change your

420
00:24:56,520 --> 00:24:59,670
passwords every month for you.
So yeah, that would be my number

421
00:24:59,670 --> 00:25:04,230
one thing. And then the second
one is, anywhere you're doing

422
00:25:04,230 --> 00:25:07,860
any kind of financial
transactions, or anything to do

423
00:25:07,860 --> 00:25:10,890
with money, because this is
where, you know, bad actors are

424
00:25:10,890 --> 00:25:13,440
really focusing on that's where
they want to get your get your

425
00:25:13,560 --> 00:25:17,490
hard earned cash. I would
definitely have MFA, so multi

426
00:25:17,490 --> 00:25:21,300
factor authentication, any any
kind of banking or anything like

427
00:25:21,300 --> 00:25:24,210
that any way, anywhere where
you're spending if MFA is

428
00:25:24,210 --> 00:25:27,870
available, and switch it on, get
the app on your phone, and use

429
00:25:27,870 --> 00:25:32,640
the apps. Don't use text MFA,
because text MFA sends a code in

430
00:25:32,640 --> 00:25:36,120
clear text. So always try and
use an authenticator app on your

431
00:25:36,120 --> 00:25:36,300
phone.

432
00:25:36,809 --> 00:25:39,419
Jason Baum: I mean, are we at
the point where biometrics needs

433
00:25:39,419 --> 00:25:42,779
to be part of this? And
eventually, you know, some of

434
00:25:42,779 --> 00:25:46,229
the most secure sites that I've
been on at least, the government

435
00:25:46,229 --> 00:25:48,779
sites use biometrics, but at
this point?

436
00:25:49,469 --> 00:25:51,209
Jamal Walsh: Yeah, I think I
think there's I think there's a

437
00:25:51,209 --> 00:25:55,589
big push to I think, I read a
statistic that MFA, I mean, MFA

438
00:25:55,589 --> 00:26:00,959
can use different types of
biometrics is a way of having

439
00:26:00,959 --> 00:26:03,149
multi multi factor
authentication, there are

440
00:26:03,149 --> 00:26:06,269
different, there are different
levels of multi factor

441
00:26:06,269 --> 00:26:09,839
authentication, biometrics being
one of them. But you know, just

442
00:26:10,109 --> 00:26:12,989
just the fact that, you know,
when you when you look at the

443
00:26:12,989 --> 00:26:18,479
stats around MFA, and how many,
you know, the percentage of

444
00:26:18,539 --> 00:26:22,859
malicious access to a person's
account is stopped. I think it's

445
00:26:22,859 --> 00:26:29,819
somewhat like 99% of, you know,
accounts that have MFA or not or

446
00:26:29,819 --> 00:26:34,229
not. You it's very difficult to
get an account that has MFA on

447
00:26:34,229 --> 00:26:34,709
basically.

448
00:26:35,069 --> 00:26:41,639
Jason Baum: Yeah, yeah. That's,
that's great. So back in 2009, I

449
00:26:41,639 --> 00:26:46,289
was part of an organization an
association that had Frank

450
00:26:46,289 --> 00:26:50,879
Abagnale speak. Frank Abagnale is
the Catch Me If You Can main

451
00:26:50,879 --> 00:26:56,579
character, he now works for the
FBI. But he's known for forging

452
00:26:56,579 --> 00:27:00,719
checks and money and, but he's
also I mean, he's also he was a

453
00:27:00,719 --> 00:27:04,949
kind of a hacker as well. And,
and obviously, the FBI has,

454
00:27:04,949 --> 00:27:11,039
like, recruited him, but but we
also had Colin Powell. And, and

455
00:27:11,039 --> 00:27:13,259
the two of them were speaking. So
Frank Abagnale, during his

456
00:27:13,259 --> 00:27:15,809
presentation did one of the most
amazing things I've ever seen

457
00:27:15,809 --> 00:27:18,179
anybody do during a
presentation, and he's like, I'm

458
00:27:18,179 --> 00:27:20,849
gonna hack Colin Powell. He's
like, I'm gonna steal his

459
00:27:20,849 --> 00:27:23,759
identity is a Colin Powell is
pretty, pretty important, dude.

460
00:27:23,909 --> 00:27:26,969
Right? I mean, he's, he's pretty
high up there in the government,

461
00:27:27,119 --> 00:27:30,989
you think he's super secure,
everything secure, right? And

462
00:27:31,019 --> 00:27:32,879
he's like, I'm going to hack
him. And not only I'm going to

463
00:27:32,879 --> 00:27:36,599
hack him, I'm going to steal
basically his identity in 15

464
00:27:36,599 --> 00:27:40,979
minutes. And he's like, all I
need is his address, his

465
00:27:40,979 --> 00:27:47,129
birthday, and, and his password.
And he got everything. And he

466
00:27:47,129 --> 00:27:50,759
got it in 15 minutes. And so he
stole Colin Powell's identity. Now, I

467
00:27:50,759 --> 00:27:54,089
would hope that things are a
little more secure now, in 2022,

468
00:27:54,089 --> 00:27:56,219
than they were in 2009.

469
00:27:57,150 --> 00:28:02,370
Jamal Walsh: Wow. So I think
what you're talking about,

470
00:28:02,370 --> 00:28:05,400
there's something called social
engineering. And I think it's,

471
00:28:05,460 --> 00:28:09,870
it's a really big thing at the
moment. So it comes down to

472
00:28:09,870 --> 00:28:13,620
privacy, and people not
realizing what privacy means.

473
00:28:14,250 --> 00:28:19,260
And when you go on to the social
media sites, the more

474
00:28:19,260 --> 00:28:24,120
information you publish about
yourself, the easier it is for

475
00:28:24,120 --> 00:28:28,410
people to then take advantage of
that. So it's really important

476
00:28:28,410 --> 00:28:31,260
that you think about what you're
posting online, what you're

477
00:28:31,260 --> 00:28:34,140
sharing online, who you're
accepting as friends online,

478
00:28:34,140 --> 00:28:38,280
like just accepting random
people, and then not realizing

479
00:28:38,280 --> 00:28:42,780
that by accepting that request,
you are then exposing a ton of

480
00:28:42,780 --> 00:28:45,720
data that can be used against
you, right? So you always have

481
00:28:45,720 --> 00:28:48,720
to think about, you know, how
much am I sharing here? Do I

482
00:28:48,720 --> 00:28:51,990
know this person? You know, it's
kind of like, it's kind of like,

483
00:28:52,470 --> 00:28:54,750
you know, going out in the
street, would you hand a

484
00:28:54,750 --> 00:28:57,240
complete stranger your wallet
with all your ID cards?

485
00:28:57,360 --> 00:28:59,670
Jason Baum: Right? I was just
gonna use the example of like,

486
00:28:59,670 --> 00:29:02,640
when you post on the internet,
like in a social media setting,

487
00:29:02,640 --> 00:29:04,980
and if it's a public post, and
you're basically saying you're

488
00:29:04,980 --> 00:29:07,050
on vacation, it's like, would
you just stand out with a

489
00:29:07,050 --> 00:29:10,560
megaphone and announce to the
whole neighborhood? I am going

490
00:29:10,560 --> 00:29:17,550
on vacation now. And my house is
empty. No one's home? No. But we

491
00:29:17,550 --> 00:29:18,540
don't think of it that way.

492
00:29:19,530 --> 00:29:22,650
Jamal Walsh: No, we should
shoot. Absolutely. Yeah. Yeah.

493
00:29:23,430 --> 00:29:25,350
Jason Baum: Thank you so much,
Jamal. I mean, we could talk

494
00:29:25,350 --> 00:29:28,470
about this is a really
interesting topic. It's a very

495
00:29:28,470 --> 00:29:33,930
timely topic. And I hope you
know, now through this podcast

496
00:29:33,930 --> 00:29:36,960
and all the different means that
you have out there that we can

497
00:29:36,960 --> 00:29:41,130
all learn to be safer
together for a better internet,

498
00:29:41,130 --> 00:29:45,360
not just for our data, but for
our families and ourselves.

499
00:29:45,540 --> 00:29:50,280
Yeah, absolutely. Thanks again
for coming on. I'm going to ask

500
00:29:50,550 --> 00:29:55,590
our last questions. So you were
on last time we asked. We asked

501
00:29:55,860 --> 00:30:01,080
a question very much focused on
you, and what was something that

502
00:30:01,080 --> 00:30:03,960
you would like to share that no
one else knows. So if you're

503
00:30:03,960 --> 00:30:07,230
curious about what Jamal's
answer was to that question, you

504
00:30:07,230 --> 00:30:10,290
have to go back and listen to
episode 36. I'm not gonna, I'm

505
00:30:10,290 --> 00:30:14,370
not gonna repeat it here. So
there you go. But our question

506
00:30:14,370 --> 00:30:17,850
today for you is, what's
something everybody in your

507
00:30:17,850 --> 00:30:21,660
industry should stop or start
doing immediately?

508
00:30:22,410 --> 00:30:25,830
Jamal Walsh: It's a really good
question. So I've ever seen that

509
00:30:25,860 --> 00:30:28,620
kind of, say pretty much
anywhere and everywhere I've

510
00:30:28,620 --> 00:30:33,390
worked, which is stop starting
and start finishing. And that

511
00:30:33,390 --> 00:30:37,320
basically means stop trying to
do too many things at once,

512
00:30:37,920 --> 00:30:42,330
break your work down into small,
achievable pieces, and start

513
00:30:42,330 --> 00:30:45,720
delivering stuff. I think, I
think sometimes people have a

514
00:30:45,720 --> 00:30:50,370
concept that by doing many
things at once, they're

515
00:30:50,370 --> 00:30:54,960
delivering a lot, when actually
you're not. If you just deliver

516
00:30:54,960 --> 00:30:58,800
one thing at a time, when you
deliver that one thing, move on

517
00:30:58,800 --> 00:31:02,370
to the next, you're actually
getting value delivered much

518
00:31:02,370 --> 00:31:04,980
quicker. And it's a concept
that, you know, should be

519
00:31:04,980 --> 00:31:08,310
practicing in DevOps and all
DevOps teams is the fact that,

520
00:31:08,640 --> 00:31:11,640
you know, if you try and work on
10 things at the same time,

521
00:31:11,910 --> 00:31:14,670
there's only so many things you
can you know, it takes longer

522
00:31:14,670 --> 00:31:17,610
for those 10 things to finish,
right. Whereas if you just work

523
00:31:17,610 --> 00:31:20,460
on the one thing, finish that
and then start in the next

524
00:31:20,460 --> 00:31:24,210
thing. Easier said than done.
I've got to admit, I do have

525
00:31:24,210 --> 00:31:26,610
trouble with it myself
sometimes. But yeah, I just keep

526
00:31:26,610 --> 00:31:27,840
reminding myself every day.

527
00:31:28,410 --> 00:31:30,450
Jason Baum: I think getting to
the finish line. Don't we all

528
00:31:30,450 --> 00:31:34,890
need that feeling of like you
did it? You know, it's it keeps

529
00:31:34,890 --> 00:31:37,680
you going and motivated to do
the next thing. Exactly,

530
00:31:37,740 --> 00:31:41,370
exactly. Well, thanks so much,
Jamal. I really appreciate it.

531
00:31:41,370 --> 00:31:42,870
You're always welcome to come
back.

532
00:31:43,320 --> 00:31:45,270
Jamal Walsh: Anytime. I love, I
love having a chat with you.

533
00:31:45,270 --> 00:31:46,680
It's great. Awesome.

534
00:31:47,730 --> 00:31:49,770
Jason Baum: And thank you for
listening to this episode of the

535
00:31:49,770 --> 00:31:52,980
Humans of DevOps Podcast. I'm
going to end this episode the

536
00:31:52,980 --> 00:31:56,730
same way I always do: encourage
you to become a member of DevOps

537
00:31:56,730 --> 00:32:00,030
Institute to get access to even
more great resources just like

538
00:32:00,030 --> 00:32:03,720
this one. Until next time, stay
safe, stay healthy, and most of

539
00:32:03,720 --> 00:32:06,300
all, stay human, live long and
prosper.

540
00:32:08,070 --> 00:32:10,170
Narrator: Thanks for listening
to this episode of the Humans of

541
00:32:10,170 --> 00:32:13,710
DevOps Podcast. Don't forget to
join our global community to get

542
00:32:13,710 --> 00:32:17,040
access to even more great
resources like this. Until next

543
00:32:17,040 --> 00:32:20,490
time, remember, you are part of
something bigger than yourself.

544
00:32:20,820 --> 00:32:21,540
You belong.

