SECURED

From Code to Cybersecurity: A Deep Dive into Open Source, Encryption, and Leadership with Edwin Kwan

Formerly a software engineer, today Edwin Kwan is Head of Application Security and Advisory at Tyro Payments. Edwin is also a contributing journalist to the It’s 5:05 Podcast, which highlights cybersecurity and open source software news. 

Host Cole Cornford chats with Edwin about transitioning from focusing on the nitty gritty challenges of an engineer to the very different challenges of overseeing a team, the importance of due diligence when using open source software, the pros and cons of end to end encryption, and plenty more.

2:55 – Importance of listening.

3:50 – Edwin’s current role.

4:28 – A recent news story: end to end encryption & Google.

7:30 – Unintended results from security decisions.

8:38 – Security about making “an informed risk decision.”

9:50 – Edwin’s background and career trajectory.

12:50 – The challenges of doing intangible work vs. work you can see the tangible impact of in the real world.

13:30 – Edwin: “Changing from a technical challenge to a people and culture challenge,” i.e., going from a technical role to a manager role.

15:50 – Cole: Would you want to go back to a technical role?

18:30 – Edwin: In security, there’s this idea that security is a blocker.

20:30 – Edwin: “What you know today is obsolete in 11 months.”

23:40 – Cole: I think AI is a really good example of security not having a proactive mindset.

25:00 – Edwin: Security team always chasing its tail.

26:30 – Cole: I always worry when cybersecurity teams advocate for having more money.

27:30 – Edwin: Security is seen as a “cost centre,” not revenue generation.

30:30 – Advice for young people wanting to enter the industry/tech more generally.

32:40 – Rapid fire questions.

35:50 – Edwin’s favourite book to recommend: How To Win Friends and Influence People.

37:30 – Edwin’s 1 piece of advice: “Look at your open source supply chain.”

Edwin Kwan:

The work that you do is quite different along the way. When you’re starting out, it’s all about being hands on, understanding the details of the problem you’re trying to solve. You tend to be the one driving the solution. And then as I moved along, it’s changed from being a technical kind of challenge to a people and culture challenge.

Cole Cornford:

Hi, I’m Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. I’ll be chatting with Australia’s top software security experts to uncover insights on their diverse approaches to AppSec.

Formerly a software engineer, today, Edwin Kwan is head of application security and advisory at one of Australia’s most recognizable financial services companies. Edwin is also contributing journalist to the It’s 5:05 podcast, which highlights cybersecurity and open source software news. Our conversation was full of interesting insights into AppSec and cybersecurity more broadly. So I’m sure whether you’re a veteran of the industry or just getting started, there’ll be something valuable for you here.

How are you going, Edwin? Good to see you, mate.

Edwin Kwan:

Hey, Cole. I’m doing well. Thank you for having me.

Cole Cornford:

Yes, it’s an absolute pleasure. So as the head of Galah Cyber, I ask everyone who comes onto the Secured show, which bird you’re most like and why?

Edwin Kwan:

Well, that’s a very good question. Let me just think about that. I would say it would be an owl, mostly because the owl does a lot of listening and watching. And I feel like that’s how I am with regards to the work that I do, always listening to what our internal stakeholders and all, I guess wanting to see and then just looking out for threats that we can identify and address. So it would be an owl.

Cole Cornford:

I like that. Do you know tawny frogmouths?

Edwin Kwan:

Yes. Yes, I do. I have a great picture of four of them sitting on a fence next to a house I was living in a few years ago. I have a really good picture of that, yeah.

Cole Cornford:

Frogmouths/boobooks. I don’t think they’re owls, but they’re kind of related to owls, aren’t they?

Edwin Kwan:

I think so. I think, yeah, you might be right there.

Cole Cornford:

Out near my house, we get a bunch of frogmouths just rocking up and turning on our fences because we live across the road from a creek, so there’s always bugs for them to eat. So I’m keeping a watch on the frogmouths every night.

Edwin Kwan:

Well, nice.

Cole Cornford:

But I do like that metaphor. You’re listening, you’re alert, you’re ready to help out when you need to. And I think that we do need… It’d be good if we spent more time listening to what people are really trying to say in businesses instead of just responding to every kind of fret that comes out of nowhere.

Edwin Kwan:

Yeah, absolutely. There’s just so much happening out there and you can’t just be responding. You got to kind of listen and watch and observe and see what your business really needs so that you can respond appropriately.

Cole Cornford:

And you mentioned that you’re looking for frets as well. So is that something that you’re actively out there having a look around? I guess that’s kind of your role, isn’t it, to listen and then also keep your eye open?

Edwin Kwan:

Yep, absolutely. Definitely that’s my role, making sure that we stay up to date. Also watching the news, if there’s any latest news about the latest vulnerabilities or attacks, looking back into your organization and going, are we exposed to this? Are we vulnerable? What kind of mitigations do we have? Do we need to respond? And how should we respond to this? So yeah, lots of stuff out there.

Cole Cornford:

So everybody should be an owl.

Edwin Kwan:

Yeah, that’s right. Everybody should be an owl.

Cole Cornford:

Oh, dear. So you say you listen to the cyber news a fair bit. Any recent news stories or things that you think are interesting that viewers should pay attention to?

Edwin Kwan:

There was one that came out not too long ago where the Google Authenticator app released a new feature where they do synchronization of your data onto their cloud service. And from my reading on that very same day, there was another article by a security researcher that did some analysis and said, “Wait a minute, there is no end-to-end encryption on your 2FA tokens that are being stored on the Google cloud.”

So there was an outcry on that. The following day, Google responded saying, “Okay, we’ve heard everybody’s concern. We’re going to eventually release end-to-end encryption on the authenticator app at some point in time.” So that was something that was interesting that I read, and I obviously did some more reading on end-to-end encryption and whether that’s a good thing or a bad thing.

You’ve probably heard a lot of debate about that where it depends on which side of the fence you’re on. If you’re a parent of a child, you would absolutely want your child to be safe. You want a government to be reading the communication of the bad guys and intercepting them. However, if you’re a reporter reporting in a very repressed regime, you probably want that secrecy too because your life probably depends on it. So that’s an interesting thing I’ve read recently.

Cole Cornford:

I think that authenticator one is pretty interesting to me as well. I’ve made the mistake of buying a new phone and then forgetting, leaving the old one at my dad’s house or something, and then it’s like, wow, I’m locked out of literally every account because there’s no synchronization between my OTPs on the Google app and my new phone.

So then that was quite embarrassing, being like, okay, driving back to my dad’s to go pick up my old phone I gave to him before he factory reset it just so I could get all the codes to move across to the new one. So I do think that the sync’s actually a good idea from user experience perspective because people do change phones quite regularly. And I do wonder, whoever that…

I know that there’s going to be security risk with having that gap for end-to-end encryption, but I wonder whether more people were getting locked out by changing phones or devices than they were having their tokens stolen in transit, right?

Edwin Kwan:

Yeah, you’re quite right. So there’s always a balance in there in terms of security and convenience, and that was the comment that Google made that if they did end-to-end encryption, there’s going to be a higher likelihood of users locking themselves out. So there is going to be that trade off, and I believe where we need to be at is giving users the choice to decide, do I want to have that or do I not want to have that?

Cole Cornford:

So how would you go about doing a choice here, it’s like you just press a button and then you have end-to-end turned on kind of thing. Is that how you do it?

Edwin Kwan:

Oh, I’m not a UI person. But maybe when you say yes to that feature, hopefully it’s not on by default. It kind of tells you about the limitations, if there’s anything in there and you can choose to say yes or no to those functionality.

Cole Cornford:

I guess it’s like always going to be an important thing is to think about how do I, there are concerns about enabling security controls because they can have unintended consequences for doing that. I remember quite a long time ago, 15 years ago, there was a story about eBay enabling with auctions. You could see the other people that were bidding against you and one of the things that users often did is they’d see who’s bidding against you and then a few minutes before the auction’s about to expire, try to log in as that person 10 times and cause their account to get locked out.

And once they’re locked out of their account, they can’t actually bid again until the auction’s passed. So really that means that you’d know who won the auction because they can’t bid against you, which is a funny way of a security control actually causing an unintended consequence for business operations, right?

Edwin Kwan:

That’s so true. Humans are really smart. We can find out whatever it is, whatever feature or functionality and use it to our advantage. And I’m sure when that happened with the eBay staff, the developers and security went, “Oh, why do we think about that use case? Of course, they would use it for that,” thinking back retrospectively.

But it comes down to making an informed risk decision. That’s the main thing we’re talking about down here especially with the Google Authenticator app. If you value the convenience, it also comes down to what is the data that it is protecting? What are those 2FA things in there? You might say yes to not having that end-to-end for some of your systems that are not as critical to you for that convenience aspect. But there are some things that you might say, “Hey, this is my email. I use my banking apps or everything, this is absolutely critical. I definitely want 2FA on there.”

And if you presented that information, you can then make the decision yourself and going, should I have it or should I not have it? Rather than not knowing about this and thinking that this is a security app. It does synchronization, I’m sure they would’ve done it well, so let’s just turn it on.

Cole Cornford:

Yeah, I think relying on the companies to do things correctly, we’ve been proven time and time again that that’s not necessarily the best choice.

Edwin Kwan:

Yes, that is always the case, isn’t it?

Cole Cornford:

Moving on to something a bit different, I’d love to look back at your career. So could you tell our users about yourself? Just how did you get into cybersecurity and get to where you are today?

Edwin Kwan:

I started many, many years ago and I started off as a software engineer. I was working for a telco company, and after a few years I decided to move up to Sydney. And I decided to join a financial services startup company and I joined that company as a software engineer. And very quickly, I think within the first few months I’d learned that the company was working towards getting a full banking license. And as part of that, they had to uplift their security posture to meet the requirements set forth by APRA. And some of those were specific to application security.

So I went from a software engineer into an application security engineering role, and then it all started from there, kind of just build up with those challenges.

Cole Cornford:

I find it’s a fairly common pathway for a lot of people, at least in application security is to start out as an engineer and then some kind of regulatory requirement forces them to pick up some security pieces and then they go, “Wow, okay, actually this is fairly interesting.” Not necessarily in financial services, I’ve seen it also in health for instance. This is patient data that we have to care about or offering a government with essential aids and similar. So it’s like, “Oh, I’m interested in these kind of security controls as well.”

So I think it’s really cool that you went from telecommunications into financial services and into a smaller player. What was it like working for a small shop but then having it grow over time as the AppSec lead?

Edwin Kwan:

It’s quite interesting because it felt like I actually moved to a bigger team. So my very first team in the telco space was with a US-based company. We had a small Australian satellite office and we were in the 911 geo-location space where if you dial 911, we have to locate your phone within I think a 400-meter radius within a few seconds. And at that time, not all phones had GPS, so you had to do things like cell sector. I think timing differences and different things in there. It’s been a while.

It was a bigger company shift and it was also quite interesting because it was more tangible. In the telco sector, you don’t really see the work that you’re doing partly because it’s a US-based company, but it’s more for the cell towers. Whereas with the financial services, we could actually see the products that we’re building out in the wild on a day-to-day basis. So it’s quite different and quite refreshing.

Cole Cornford:

I like having a tangible outcome. I think that’s why a lot of people like working in tech companies because you do get to go see basically the website is there. You know how people interact with your platform. You get experience from your friends in valley that this is how I did this, this is how I did that. So I think that when you are working in a back-of-house kind of system and you can’t really talk about what you do all that much, it’s difficult to take a lot of pride in the work that you’re doing because it seems like a bit of a conveyor belt kind of thing. So this is the widget I’m working on instead of, I make meaningful difference to a lot of people. Yeah?

Edwin Kwan:

Yeah, no, absolutely. You’re quite right. It feels different when you can see the product and you interact with the product. You have a lot more pride in the features that you roll out and say, this was me, I played a part in this. No, absolutely.

Cole Cornford:

Yeah, So I like that you moved to a slightly larger team. I guess the team was larger because you start in FSI as a regulated sector, so you need to have some security in place. But I know that over time you’ve ended up accelerating into leadership positions up in there. What was that journey like moving from an IC into more of a manager and now a strategist?

Edwin Kwan:

The work that you do is quite different along the way and the impact that you have is also quite different. When you’re starting out, it’s all about being hands on, understanding the details of the problem you’re trying to solve, the solution that you need to put in place. You tend to be the one driving the solution, working with all the stakeholders directly, trying to get that in. And then as I moved along, it was more about the strategy in terms of what is the uplift or the capability we want to try and get out there.

And you spend a lot of time talking to stakeholders who aren’t necessarily the engineers who are working on the code itself, but more the leads of the engineers, to try and drive, I guess, your project or initiative and in talking about how it’s going to benefit them, how it’s going to benefit the company, hearing their concerns and working through them. It’s changed from being a technical kind of challenge to a people and culture challenge.

Cole Cornford:

It’s one of the things I always find people struggle with is that transition. So it’s like, oh, I’m really good at setting up static analysis tools or having an answer to when someone comes to me and talks about content security policies, or whatever. But then when you’re like, okay, now I need to put the dollar figures down about how much money or of risk mitigation is the CSP worth as opposed to other opportunities that a business could be investing in, I think that that’s a hard skill to pick up for someone who’s dealt with just cutting code every day.

Edwin Kwan:

And you’re quite right, and it’s also hard mentally to let go. I find that most people on this journey would want to still be doing because they enjoy that. But when you start moving into more of a lead position, that’s not where your greatest value to the organization is. You’ve got other people helping you with those areas and they’re probably better than you at this point in time at doing that. So as much as you enjoy getting your hands dirty, that’s not your job anymore. Your job is to clear any obstacles, get any information that they need to be successful in rolling that out.

Cole Cornford:

Do you miss it or would you want to go back?

Edwin Kwan:

I definitely do miss it. Do I want to go back? Not sure. Because I feel like the effectiveness of your influence or what you can do has also increased as you move up. So when you are working on a tooling, I guess your influence or where the value you’re driving is with just that tool. Whereas when you move it up, you’re working on not just one initiative, you’re working on multiple. So you get to help the organization be successful in multiple areas rather than just one area.

So it’s a greater sense of achievement, but it’s a different sense of achievement. It’s not a hands on to go, yep, I solved this technical issue. It’s more of, yep, we’ve got this buy-in, we’ve rolled it out, different measurements in there.

Cole Cornford:

It’s like the sugar hit that you get for being able to crack a university algorithm assignment. It’s like, oh yes, I finally am able to just meet the requirements and the code works as expected. So I love every year doing Advent of Code and I only do about 9, 10 days of it because then it requires you to actually think about the problems after that, and it’s like I don’t cut code anymore.

So for me, I don’t want to sit there thinking, wait, how does fast field flow algorithm work? Or how does Dijkstra’s work again? I don’t know, I can’t remember. But the main thing is there’s a difference between that sugar high and then just from solving an individual small little task and getting yourself to feel good versus these bigger things where you can take pride in really influencing an outcome for a really large scale piece of work.

And I love that needle analogy as well. Most enterprises are like an elephant and you’re kind of a fly on the back, who’s occasionally a mosquito even, just stabbing your nose in the elephant, trying to move it in the right direction. And honestly, the best thing most of us get to do is get the elephant to move at all.

Edwin Kwan:

That’s a great analogy. Yeah, I know.

Cole Cornford:

So, yeah. I think that’s really cool. Let’s move on to the next section, which is a little bit about your current role. What keeps you excited about the work that you are currently doing?

Edwin Kwan:

The work that I’m doing, so I’ll talk mainly about the AppSec space just because this podcast is focused on that. What keeps me excited is knowing where we’re at in terms of maturity in the different areas and where we want to go, and also keeping up with the different challenges in terms of new coding languages, new environments. Sometimes you’re moving to the cloud, new technologies and trying to stay up to date with all that. So that’s where the challenges are.

And also, how can we do things better. In security, there’s this mindset that everyone thinks that security is a blocker. That isn’t the intent obviously for most security people. We’re all in the same company. When the company is successful, everyone is successful. We’re trying to make sure we’re all doing things right.

And one thing that challenged me is how can we have the least amount of friction in security to allow developers to still do their job, but set up those guard rails so that they can actually move faster doing the right things?

Cole Cornford:

Yeah, I find that we’re very good at introducing friction points.

Edwin Kwan:

Yeah.

Cole Cornford:

Checks and balances are there for a reason, but at the same time, that’s all my career has been about, trying to just apply some lubricant, make things move a bit faster in the process. And also, you did mention new technologies like programming languages and cloud and AI and stuff. I know that one of the big challenges of our industry is that we’re incredibly reactive, whereas a lot of developers tend to just be really cutting edge.

There’s no way that we’re going to be able to be across every piece of technology. I know that in the past, I’ve written a blog post recently about how I like my views on artificial intelligence a bit because I started by saying that I was just going to wait until AI matured a bit more, only on account of the fact that in the past, I spent time getting really good at Golang and learning Angular. And I just picked the wrong horse every single time. So I don’t want to jump in and start learning ChatGPT and then have it obsolete in six months, and then I’m suddenly saying, “Why’d I do that?”

But with security people, you have to kind of wait until something gets to relatively mainstream consumption before you are… It’s worth for you to really invest in making sure that that has a security pathway forward.

Edwin Kwan:

Would that be why people say that security is reactive rather than proactive, because we’re waiting for that consumption to get to that level before we jump into it?

Cole Cornford:

I guess it’s like an economic decision. I mean, I run my own consultancy and one of the things I always think about is where are we going to be moving to in the future? And I really think that security should be in a world of a microservices architecture, really heavily leaning on observability as one of the key measures for determining how vulnerable you actually are and where you are exposed as opposed to being really reactive and looking at just scan and outputs of tools and then basically having a Christmas tree turn up. It’s a bit scary for engineers playing whack-a-mole, right?

But what I find is that very few organizations actually have really good observability of what’s actually happening in there. So it’s often better to start with crawling if no one’s running yet.

Edwin Kwan:

No, no, absolutely. You’re quite right and I definitely agree with that.

Cole Cornford:

Yeah. How are you finding it so far?

Edwin Kwan:

It’s been challenging at the moment and partly because the security teams don’t scale with the number of development teams out there. And like you say, there’s all these new technologies, so we get reached out early in terms of, “Hey, I want to use this new thing, I want to try different tooling.” And like you say, as those economies of scale, where do you… Ideally we like to support everything, but we just don’t have enough people, don’t have enough hours to do all that on top of all the other BAU stuff that we have to do, so what do we do then?

And we have to be selective and sometimes, like you say, we get involved once it’s hit the tipping point. But then you have to pick it up really quickly because everyone’s on board the train already at that point in time and going forward with it. So there’s always constant learning and I think that’s what makes the job interesting in the security area. Some of us say that what you know today is obsolete in 11 months. I can’t remember who said that, but it seems to be true quite a fair bit. That whole ChatGPT AI thing, that was in the last 12 months or less, and now it’s kind of mainstream.

Everyone’s talking about, yep, let’s use Copilot, let’s use ChatGPT for anything and everything. It is so convincing and giving you the wrong information if it’s hallucinations that sometimes you go, “Okay, what’s our policy on this?” And I know most companies don’t have a policy, they picked the let’s wait and see. And has the train left already? Are we past the tipping point? Is everyone using it and putting their company private data in there to be consumed? Not entirely sure. I know there are some companies that decide not to do that. So it’s always a challenge to determine what to focus on.

And for things like the ChatGPT, if you come in late, then it can be seen as security coming in and spoiling the party for all because now you’ve moved from a policy where it was no policy and do whatever you want into something more restrictions in there. So you’re taking things away from people and people don’t necessarily like that when you do that.

Cole Cornford:

So what did I say, I’m from the government and I’m here to help, and then everyone shies away. I think artificial intelligence is a really good place because to talk about specifically with security not having a proactive mindset, what I am noticing is that there are a lot of security professionals who are really getting involved in the space and saying, “Hey, I want to understand how can we abuse LLMs. Are we able to do prompt injection and similar and really playing around, and I’m trying to understand it?”

I even know that one of my friends, Daniel Miessler, is really heavily involved in trying to stitch various artificial intelligence engines together to basically automate a lot of security consulting, which that could be realistically something very scary for me. But I like that the fact is that nowadays we actually get involved in this kind of stuff relatively early instead of, I did say that I’m a second mover but it’s because I’ve got a young family, I don’t have infinite time. It’s like you say, there’s only so much mental capacity that we have to actually really spend on learning all this stuff in detail.

So I’m interested for how we as an industry would start shifting people to be more proactive instead of going back and hitting the books and still learning a net sec plus and firewalls and basics instead of looking at where we’re going to be in the future, right?

Edwin Kwan:

Yeah. I can only speak from my experience. I feel that the security team is always chasing its tail. There’s a lot of work, but always under-resourced. That’s the story you always hear, under-resourced, under budget, not enough talent. So there’s always so much to do already. And everybody wants to, I guess, keep up to date, learn the new things out there. But the constant thing is we don’t have enough time.

And I think what we need to do to be able to keep up and stay relevant is to make sure we put learning at the same level of priority as the other parts of work that we do to set aside some time in there and hold our team accountable for doing that learning in there too, put it as part of their KPI. You have a learning objective or you have to do this learning and do a playback for the rest of security or the larger security team or to your security champions.

And that would force them by holding everybody accountable and yourself included. You have to start by being the first one to make that step to kind of, I guess, stay current.

Cole Cornford:

Yeah, I guess I know that a lot of companies really like investing in their staff members and giving that time for them to be able to keep on top of things. Because if you’re just out there churning through work constantly, then you inevitably get to a point where what you have been doing has not been preparing you for the future and you’re relatively unemployable in the current market, so you kind of get stuck with where you are.

But you’re right. I do hear that conversation quite a lot actually. How does security advocate for more costs and more money and more resourcing? And I’m always really concerned when people’s initial stance is how do I get more funding for cybersecurity? That always worries me, because it means that they haven’t really fought through demonstrating what their value proposition is to the business. If you can show to people, not so much, we’ve prevented X breaches, which doesn’t mean much to a business owner.

But in terms of dollar costs and in terms of time to remediation, or things where does genuine impact on the services [inaudible] the business that you’re doing security with it, then you can point to how investment in this is going to make the consequence of this significantly lower than if we didn’t do that investment, then that suddenly the conversation’s a lot better.

But I find few and far between, it’s almost always we get 30 million SOC alerts today and it’s going to be 40 million next week, so we need another person to scale from 30 to 40 million instead of maybe we should be looking at reducing the amount of SOC alerts we get.

Edwin Kwan:

Yeah, that’s an interesting thing. I’ve heard this story so many times because security is seen as a cost centre. We’re not really in terms of revenue generation. Our job is mainly revenue protection to make sure we don’t lose money.

Cole Cornford:

I hear that so many times in AppSec, right? “Oh yeah, we’re an enabler. We’re going to…” Security is going to make the business function faster. And at the end of the day, I always think to myself that, “You don’t know what security is, do you?”

Edwin Kwan:

You want that thing to happen, right? Basically that’s what it is. Your job, like you say, you need to kind of align your security strategy to the business and then talk about what the risks are and then talk about what are you going to do to address those risks, have some metrics, what gets measured gets done, and what gets done tend to get funded. You need to tie into that.

One of the things that I have seen in security is we try to do everything. We try to secure everything in there and it’s just an infinite task. You can never, you’re always chasing a tail. You need to be making sure that you’re focusing on the most important things, and I believe that’s where the goal is, determining on what those important things are, getting the business justification for that and trying to make sure that those get funded.

Cole Cornford:

I think that many security professionals don’t have the business acumen yet, and I do see the industry professionalizing and people starting to really understand effectively who their frontline employees are, how do they transact and earn revenue, and what kind of things are genuine catastrophic risks from a CRO level, not from an InfoSec level. Because in my view, a cybersecurity incident or a hack is one of many different risks like limited cash flow, key resource risks or regulatory risk and so on and so forth, which are all basically probably more important than cybersecurity risk. But we have a bit of a high horse. We like to jump on being like, “We’re not funded effectively to do our jobs.”

Edwin Kwan:

And funding’s limited. When you get funding, some other department is not getting the funding and how do you justify that you’re more deserving of it than them? Everyone’s fighting for that same bucket in there.

And you asked early on in terms of the difference between individual contributor all the way up to a leader. And I think that’s also one of the main things in there. As an individual contributor, you’re focusing on the vulnerabilities, the threats. And then as you come to a leadership position, you’re talking more about the business risks and how are you going to address that, and obviously translating those vulnerability and threats to the business risk to see if that’s informed risk acceptance you’re going to take on there.

Cole Cornford:

Yeah. Cool. All right. We’ll move on to our next section. Our audience tends to move a little bit younger. I was just wondering if you had any advice about young professionals moving into cybersecurity or just generally within tech.

Edwin Kwan:

The main advice I would have for young people in there is if you have a strong engineering background, software development background, that’s a good start. That’s a great start in there. And just being very security aware is kind of the path that most people would take to get into security. As we spoke of earlier, a lot of times when we try to hire a new application security engineer, we start off looking internally. It’s hard to find good security engineers with strong technical backgrounds.

And what makes good security engineers are not just the technical skills, but also their listening abilities to listen to the developers in terms of what the problems are. Too often, we find something and we treat it like a hammer or we try and find problems just soft and we say, “This is the way you’re doing it,” without understanding what the ramifications are for the different teams, because they’re being measured based on delivery, speed of delivery, and you need to weigh out the balance in terms of what you are introducing with them.

Having good interpersonal skills to be able to listen and empathize with your stakeholders and also be able to, I guess, help out with the security awareness in terms of what they should be doing to keep the application more secure.

Cole Cornford:

And so all for the young outlets, I guess, then you need to keep your ears open and listen to people.

Edwin Kwan:

That’s right. That’s right.

Cole Cornford:

And be quite technical as well. So yeah, I find that at least for all the IC roles, it’s like the quickest way into the position is just to really know your stuff. I know very few people who’ve managed to get by. There’s a lot of non-technical people, good social skills. There’s not a lot of really technical people with okay social skills.

And I think it’s easier to just double down and get really, really good at, I don’t know, learn gRPC and protobuf or something and talk about that in an interview and someone will be like, “Wow, that guy is a nerd for gRPC and protobuf. I don’t know anyone else, but it’s clearly technical, going to hire him,” versus the guy who’s just like, “I’ve got great written and communication skills. I understand business stakeholders and acumen.” I think that’s great, just not for an entry level role, right?

Edwin Kwan:

Yeah, you’re right. Absolutely.

Cole Cornford:

Cool. All right, so we’ll move on to our final section, which is rapid fire questions. These ones just tell me straight away what comes to the top of your mind, and here we go. First question, best purchase under a hundred dollars, and why.

Edwin Kwan:

A YubiKey, a hardware security key because it helps me keep my credentials more secure.

Cole Cornford:

Are you worried about YubiKey getting acquired?

Edwin Kwan:

I didn’t know that there were talks about that.

Cole Cornford:

No, they literally announced it two weeks ago. They’re getting acquired by some venture firm and being listed on the stock exchange, so you might find some changes. I always find out when a small startup gets acquired that it changes a bit, right?

Edwin Kwan:

Better go read up on that now, now that you mentioned that.

Cole Cornford:

Oh, no. What have I done? Cool. Where’s the best holiday destination?

Edwin Kwan:

The best holiday destination for me would have to be Singapore, because I was born in Singapore and that’s where I remember most of my childhood, food and memories are at. And most of my childhood friends are there too. So that’s a place I like to go back to, to see how much has changed, to savour some of the food from my childhood memory and to catch up with all friends.

Cole Cornford:

For me, it’s always like chicken schnitzel, so it’s not really terribly different from me in Cessnock. It’s a very homegrown Australian pub grub. So, I don’t have to go particularly far to get that again, but it’s a place I haven’t visited yet.

Edwin Kwan:

If not, you should.

Cole Cornford:

No, I haven’t been there yet.

Edwin Kwan:

Not even as a stopover?

Cole Cornford:

No, because I’ve pretty much always flown direct. I’ve gone to Dubai eight times, so just direct straight to SF usually. So, never really had a need to stop in Singapore yet. Got any tips? What should I do? What’s cool?

Edwin Kwan:

Oh, it’s just so many. Where do you start? It depends on how many days you have in that country in there and what do you like to do? So food to me is the main thing, just trying different food. Meeting out with friends, different activities up there. There’s like an island resort called Sentosa. So that’s where people normally go to, and just the shopping. So yeah, lots of stuff.

Cole Cornford:

For me, I know my wife would certainly love the shopping aspect. But I kind of like the go-to nature, but I think Singapore’s a big island city, so I don’t think the go-to nature aspect is particularly a thing there compared to Australia.

Edwin Kwan:

It’s quite interesting. I believe that there is… They have Gardens by the Bay, so it’s like this whole avatar kind of buildings. And then there’s this whole really big glass house where all the plants are growing. And even at the airport, there’s like a huge rainforest in the airport itself. So you’d be quite surprised when you get there and in the middle of the airport. So you’ve got different terminals and they’re all connected by this place called the Jewel. And in the middle, there is this waterfall that just, I don’t know how many storeys it is. It is just… I cannot describe it to you. You have to go look it up, you have to be there yourself to experience it. It’s quite amazing.

Cole Cornford:

All right. Pro tip for everyone. Go to Singapore tomorrow. Got it. One last question, what’s your favourite book to recommend to people and why?

Edwin Kwan:

Oh, favourite book. It would be the How to Win Friends and Influence People. That is a very important thing. I think one of the first rules in there, or the first tips or whatever you call that, is seek first to understand before being understood. And I always remember that in my role in security, talking to stakeholders where the first thing you want to do with respect to the hour analogy is to listen, to understand the other person’s viewpoint and all before you try to make them understand yours. So, some really good tips in there for stakeholder management.

Cole Cornford:

Yeah, when I read that book, it was I think like 2013 or ’14, and it really did change my perspective on how to approach work and life in a lot of ways. My brother at the time just said that I’d joined a cult effectively, so I just changed into an entirely different person, going from being competitive and elitist, which are attributes I developed through playing online competitive games.

So the community was toxic and the people weren’t that much different. If you emulate those behaviors, and yeah, I got really good at the games, but sometimes I was just quite cruel to people. But that’s one of the things that you learn in the book pretty much is just like the honey gets a lot more flies than vinegar and it’s another one.

Edwin Kwan:

So true. Yeah, that’s a great book. It’s timeless too. So yeah, I recommend, highly recommend everyone to read that.

Cole Cornford:

All right, cool. Thanks so much for coming along. We’ve got one last question to wrap up. What one piece of advice would you give to our listeners that people wouldn’t normally think about to help them keep themselves and their businesses secured?

Edwin Kwan:

I would say look at your open source supply chain. One thing that surprises me all the time is just how much of our application is actually not written by our developers. It just blows my mind because as I moved up the career ladder, I also look after third party due diligence. And seeing the process that we take when we bring a third-party SaaS provider in the due diligence, the checks, the legal stuff, all the things that we check, we do so much to make sure our data is safe.

But when it comes to open source software supply chain, the criteria tends to be, “Does it work,” and that’s it. And it’s quite surprising the level of stuff that we do on there, because our developers, we’ve done a police check. We’ve fed them all software supply chain, our software development tools, we’ve got 2FA, we’ve got all these checks in there. But we have no idea what is being done for those third-party open source tools that we just blindly put into our system and just run in there. So that’s the biggest thing that I found.

Cole Cornford:

And I think with SBOM and SLSA and a lot of these other frameworks coming out to keep an eye on what is actually inside there, it’s starting to get a little bit more maturity, but I don’t think we’ll ever see vendor assessments for software components because it’ll just slow down development too much. But yeah, definitely an area of risk that people are completely unaware of.

Edwin Kwan:

Yeah, it’s getting more traction, it’s getting more attention, especially in the US. It still has a long way to go.

Cole Cornford:

Especially in Australia. We’ll be there just a few years later. All right. Thank you so much for coming on, Edwin. It’s been a pleasure to have you here.

Edwin Kwan:

Thanks, Cole. Thanks for having me.

Cole Cornford:

Thank you for listening to this episode of Secured. We hope you enjoyed today’s conversation. Don’t forget to follow the podcast on your favourite platform and leave us a review. Want some more content like the above? Why not subscribe to our newsletter at galahcyber.com.au/newsletter and get high quality AppSec content straight to your mailbox. Stay safe, stay secured. I’ll see you next episode.