2:00 – Matt’s career background
7:00 – Matt’s early challenges finding an opportunity in cybersecurity
11:00 – Why Matt chose to co-found Elttam
13:00 – Cole: Australia’s infosec industry is immature compared to US
19:00 – The importance of specialisation
20:30 – Better to do 1 thing really well when bootstrapping
24:00 – Using the right approach for the right context
25:30 – Risks of using a bug bounty program
31:10 – Cole: the bar for pen testing reports should be much higher
37:10 – Training & education for infosec
39:00 – Cole: is infosec a cottage industry?
44:00 – Product vs service approach to cybersecurity
47:50 – Cole: I like looking at source code from 80s and 90s
49:00 – Rapid fire questions
Cole Cornford
Hi, I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security.
Today I’m joined by Matt Jones, co-founder of Elttam. Elttam do assurance of basically everything. They’re really smart security researchers and I’m privileged to have him come onto the podcast. Matt helps out with BSides Canberra’s call for papers. He’s written a lot of open source tooling, including talkback.sh, which you should really look at. Gives lots of aggregations of information security news, but also likes growing things like presentations, PDF documents, and all sorts of crazy stuff in the space, and brings them together. I like using it to look at AppSec research myself. So if you are into vulnerability research or a specific programming language or whatever, go use talkback.sh. Matt’s a good friend of mine too. He checks in. I love it. We covered a lot of ground in the podcast. We largely kept it to technical content, so sorry, but Matt is really smart and I wanted to get lots of cool techie stuff out of him.
So we talked about why founding Elttam, what kind of research and why they do the tests they do, why security assurance and just broader information security is really far behind in Australia compared to the rest of the world, the exploit development space, and plenty of other topics. If you love episodes like this, make sure you tell me. I’ve had a lot of great feedback from you all and I appreciate every time I hear someone tell me that they like the podcast. So shout out to all you people who messaged me on LinkedIn randomly saying, hey, big fan. It just fills me with joy. Anyway, let’s dive in with Matt Jones, director at Elttam. And I’m here with Matt Jones. Hey Matt, how are you going mate?
Matt Jones
Hey, Cole. How you going?
Cole Cornford
It’s a public holiday, so I’m really thankful that you would deign to spend some time with me on the King’s birthday.
Matt Jones
More than happy to. Thanks for having me.
Cole Cornford
That’s all right. Maybe you could tell everybody a bit about your own background, and yeah, just start out with helping us know a bit more about you.
Matt Jones
Sure. So, currently I help run Elttam, which I’m director and co-founder of, but I’ve been in the industry, it’s 20 years this year.
Cole Cornford
20 years.
Matt Jones
Yeah. Interesting. I knew the date was coming around for a while and then realized it’s just passed. I’ve been doing mostly technical roles for the last 20 years. First started off based in Sydney. My first role was as a SOC analyst. It was a great team, really good experience. But prior to that, getting that job was a bit of a whirlwind and a few years in the making. So I guess, pre-professional 20 years, I had about three, four years of really being a hobbyist, in air quotes, and it was mostly teaching myself and trying, there wasn’t really an industry, it was very hard to get jobs, very scarce job market, teaching myself to be able to have some skills that I could actually apply for a role and people believed that I could do the things that they needed.
I guess maybe taking a step back, I dropped out of school pretty young, so I was about 14 when I dropped out, and I was working at supermarkets and doing night fill jobs and all that sort of stuff, and enrolled myself into TAFE. When I enrolled myself into TAFE, there wasn’t a computer security course back then. I was doing computer networking and computer mathematics. I found it all really interesting, like the actual content, and it gave me exposure to things like physical hardware and networking tools that I never would’ve been able to afford as a kid, but in my spare time, I really sunk deep into learning about computer security concepts and programming and stuff like that. So I saved up to buy some books on Linux programming and Linux system administration and networking, like TCP/IP Illustrated and things like that.
Cole Cornford
Ah yes, a classic.
Matt Jones
Yeah, the classics, actually, and just read them, basically, one chapter at a time and tried to learn, put things into practice, but at the same time I was also reading a lot of stuff online and I got integrated into some of the Australian hacking scene and really started to get into things like Phrack and all those types of zines. And one of the things that was interesting back then was reading an article and going, I’m maybe 30 minutes into it and it’s like three or four things. I have no idea what this is. It’s like now I need to go off and read about memory management or kernel fundamentals, or whatever it might be.
And so, I would make a little study plan in my spare time to teach myself all these things, and did that for a few years, but I couldn’t find any work back then. So this is around 2000, early 2000s. Yeah, I applied for jobs and pretty much always hit the same thing of you have no experience, but you seem like a smart cookie who’s learning stuff. But eventually I got a job offer on IRC from someone who I kind of knew and he knew I could do some programming and knew some security fundamentals, and I moved to Sydney when I was 17 and I was doing just software development. There was a little bit of security and firewalling and sysadmin and that kind of stuff as well.
But the most important thing was I met a lot of people who were in security or security enthusiasts in the Sydney scene, and it was a huge scene back then, a lot of smart people around, a lot of interesting characters and whatnot. And that’s where I kind of went a bit more focused on more technical, more into binary exploitation and source code auditing and that kind of stuff. And after a couple of years of that, myself and a handful of other people were interested in starting a conference in Sydney, and that’s when Ruxcon started in 2003. So that was 21 years ago. I gave a presentation at Ruxcon, the first one, I was the second presenter, and I spoke about network service exploitation and privilege separation, so how privilege separation was incorporated into really big network daemons like OpenSSH and Postfix and vsftpd and stuff like that. And so, I spoke about that and I ended up getting, that’s where I got my first job, which was early 2004.
Cole Cornford
That’s a crazy journey, man. I would never have expected you to not be an academic who went straight to university, did a computer science background. I didn’t realize that you’d gone to TAFE, dropped out of school, and just kind of picked things up. That’s an amazing pathway, man.
Matt Jones
Oh, thanks. It’s weird because I don’t talk about it much. It’s one of those things that just doesn’t come up anymore, but I was thinking when you asked me this, it’s probably useful to talk about it because it was really different back then. Everyone was very enthusiast and very passionate, and life takes you on the journey of what am I going to do next. And I felt pretty hopeless when I was in Perth. I just couldn’t get work. I was like, what am I going to do? I’m going to go back to working at supermarkets full-time kind of thing. So I kind of got lucky. There’s the opportunity that popped up [inaudible 00:07:08]. I was thinking to myself, what am I going to do? Every single opportunity kind of fell flat and then suddenly I got a break and it worked out. So since then it was pretty life-changing to get the opportunity to move to Sydney and just everything since then has had its own path. So I’ve been really fortunate in the industry.
Cole Cornford
I think that’s basically everybody. It starts out with some kind of lucky break or two. I’ve always been interested in security. I think the main reason is because my Steam library got hacked when I was young, and that’s because I fell for just a normal phishing scam and I got locked out of my Team Fortress 2 account. That’s all I really cared about in the early 2000s. For me, I just wanted to play video games a lot and I was really worried about my reputation in an online video game because if they VAC-banned me, then everyone would think I’m a cheater and then my life is over as far as the online community is concerned.
But at that point I was like, oh, this security thing seems kind of cool and interesting. And I think in my third year of university when I did data security, which, mind you, was all about the mathematics behind security, it’s not actually any of the practical stuff about use these algorithms in these contexts that it makes sense. It’s more this is how the Chinese remainder theorem works. So this is the extended Euclidean algorithm and things I’ve completely forgotten, but I’m sure that there’s some very smart cryptographers in the world that know that very well. But I loved it. I thought it was great. And then I went to all of the different places doing graduate positions and just hit them all up and said, I want to do security. Almost all of them said we don’t even hire for security at that point in time. And the only reason I really got my first security role-
Matt Jones
Was that in Newcastle?
Cole Cornford
No, I went everywhere around the country. So I just said I’d relocate everywhere, but I hit people up and they said, oh, why don’t you get a job? And then when you’re inside a bigger enterprise, then you can look at transitioning across. And so, I did a lot of software development gigs until eventually I landed a software dev gig at the ATO, and then I met someone at tax office who said, “Oh, I’m starting an AppSec team. Do you want to come across because you like security and I can’t find anyone who wants to read source code?” I’m like, “I love source code. Of course, let me go.” And here I am today.
But I love when it’s just a series of fortuitous breaks for everybody. It doesn’t take very much. And it’s why whenever someone comes to me and is somewhat concerned about their career, I always ask them, what are they trying to do to maximize the chances that they’re going to get lucky? And that means putting themselves out there, doing online research, going to networking events, reading the material that gives them credibility, like TCP/IP Illustrated. I wish I could sit there and read that chapter by chapter. I just think my brain’s very small and can’t fit all that in.
Matt Jones
Yeah, I think it’s really good to keep at it and also have something to be obsessive about because then when you actually get that opportunity which pops up, you can talk about it with that passion and the other person on the side of the table identifies that, right? And that’s what people are looking for.
Cole Cornford
I’m seeing that a lot because I’m hiring a few positions in my company, even a few entry-level ones, and I see a lot of people who want to break into cyber, but who just don’t do research about what my company does or why we do it. And that makes it really challenging to have conversations with entry-level employees because they’re saying, I want to be a penetration tester, and I have no interest in software engineering, which is basically my first two qualifying questions: what do you want to do and do you care about the thing that I care about? And it’s hard. It can be a challenge, but the jobs are there. It’s just about putting your first foot forward. And lo and behold, now we’re both employers that run our own consultancy businesses. So maybe that’s a good transition. When did you start Elttam, and tell me what made you want to start that with your old mate, Daniel?
Matt Jones
Good question. So 2015 is when we started. Dan and myself had a very similar background. So Dan I actually met at the first Ruxcon 21 years ago, and we worked together for several years as well in Sydney. We were working quite closely together and became friends there, and it was good, but we also became freelancers around the same time doing [inaudible 00:11:17] auditing and stuff like that. Being a freelancer has pros and cons, like everything, but we eventually hit a point where we thought that the cons of fluctuating requests of work and not taking holidays and looking at sick leave really unhealthily and whatnot, it would be better to join forces and make something where we can have a team and we can share things, share the responsibility, but also the work, and have defined roles.
And so, we came together around 2015 and we basically wanted to set out and take our past experiences and offer being a premium consultancy, focusing on technical assessments, white box reviews, code review, and so on, but also of everything, not just web app testing, but we can do embedded systems and low-level systems research and cloud infrastructure, or whatever it might be. And for things we couldn’t do, which weren’t up our alley, then we can hire people to do those types of things.
But that approach of white box assessments wasn’t the norm when we first started, and we knew that. We really wanted to set a new standard in regards to how pen testing and assessments were done in Australia and bringing a lot of that international experience to the table. So yeah, now we’re a team kind of all over Australia. We have some people overseas as well. We have a good mix of customers. I’m really grateful for the team we have. That’s awesome. And we’re doing a mix of technical assessments for our customers, also, we’re doing our own research and engineering. We bootstrap everything. We’re a complete indie shop. Yeah, it’s coming up to 10 years next year. So time has flown by.
Cole Cornford
You’ll have to have a 10-year celebration party somewhere.
Matt Jones
We will. A hundred percent. Can’t wait.
Cole Cornford
I really do think that it’s really good that you’re able to bootstrap your business, and I really like the international exposure and bringing it back to Australia. I think that we have a very immature information security scene domestically, and whether it’s everything from the depth of capability that we can bring to the table to the way that we handle price, scope, and even look after our customers, and even the artifacts that we give to people at the end. So the reports, the depth of expertise, remediation guidance. I have not seen it done very well here in comparison to the US. And so, I guess my experience of being a director at change.org, I looked into a bunch of pen test providers and I was just blown away at what a level of quality difference it was from what we get access to domestically, right?
Matt Jones
A hundred percent. We’re trying our best to always get better and better and just set a high standard, and ultimately be one of those respected boutiques globally, which people look to. I think we’ve done pretty well over the past several years just building up our capability and building a reasonably good reputation. But it comes with a lot of hard work and bootstrapping yourself comes with challenges. There’s a lot of investment that you have to make, and Dan has a saying, which I believe in really strongly, which is you’re only as good as your last project, which puts a lot of pressure constantly. But it’s true. You really do want to continuously push yourself and have that incremental improvements to your business and the way you work.
So we do operate a lot like a dev shop, I think, in regards to how we plan and iterate everything. So even our documentation and working in Git very heavily. So that incremental improvement’s really important. I feel like at the moment now we’re putting a lot of investment into more strategic research and engineering and have a good stable customer base, but also hiring people for really clear roles. So that allows us to be less on the business like Dan and myself and back being in the business doing technical things. So that’s been a refreshing change in the last year or so. I think we’ll continue.
Cole Cornford
Yeah, bootstrapping is really challenging because, obviously, you don’t have access to capital to fill those roles anymore. You can’t go and hire a growth officer, you can’t hire IT, you can’t hire developers.
Matt Jones
Yeah. It’s a lot more hard work.
Cole Cornford
You just got to do it yourself, or you got to find people who are willing to take a cut to have more freedom, flexibility, or whatever your employee value proposition is. For you guys, it’s pretty straightforward to me. You get to work with some of the best people in the business in Australia, so hopefully that attracts similar people that want to learn from you guys. Yeah?
Matt Jones
Yeah. I really enjoy, we have a range of customers, and they’re various maturities, various types of sectors building different types of things, and I really enjoy the mix. I enjoy seeing the ones that are really mature and they have threat models, they have established security teams. Things feel proportionate in nature with how they work, and they get us in with really clear objectives. But we also work with people who are trying to understand their problems more and they need that independent assessment to give them insights and perspective and give them that tailored guidance so that, again, they’re incrementally improving year to year, tangible, achievable things. And it’s like a health check of a good doctor versus a bad doctor. So we’re trying to be that good specialized doctor, but the customers in Australia, and as you said, there’s a lot of immaturity not just in the tech side of things, but also in the culture and organizational side of things, which creates bad habits, and vulnerabilities are essentially outcomes of some of these bad habits and cultural situations of organizations.
So we see that, but it’s nice to actually have a proper think about it and go, oh, we’ve seen these patterns before. What tangible appropriate recommendations can we give, but how can we be specific as well? So we have source code, we talk to the engineers, we get that perspective, we can actually give really tailored recommendations. But the thing which I found interesting when we were starting was seeing other pen test reports and seeing other deliverables, thinking who can work with this generic advice? When [inaudible 00:17:32] top 10 copy and paste isn’t really useful for people when there’s been no triage or root cause analysis or variant analysis or putting things into perspective. And I appreciate what you guys do as well, having pride in what you do. Trying to have it so that the quality of the deliverable when you hand it you’re proud of it is an important part of consulting, which I think was lost a bit in Australia with a lot of the pen testing providers.
Cole Cornford
Yeah. I think it came back down to ultimately we are here to service customers. And I think that people probably spent way too much time reading, managing the professional services firm, and working out whether they were a gray beard organization or a grad labor one and not so much a brains organization. And so, how do you deal with that? You have to just get as much scale as possible with relatively cheap resources that are quite replaceable. And then what the obvious cost is that the partner of the organization is only doing business development sales and has no idea about anything that goes on beneath. And then guess what’s happening? Quality obviously disappears because if the director is only in charge of just supervising a team of 10 grads and the partner’s just out doing sales and drinking and eating, doing nothing useful, then what do you think is going to happen?
So it’s good that we’re able to come into the market and have a fresh expert perspective. And I think the thing that we both do very well is that we’re not all things to everyone. There’s a lot of cybersecurity firms that just say, we do cyber. And I am very explicit and say, I do software security, I do application security. I’m not a governance risk and compliance, I don’t do managed SOC, I don’t do digital forensics. And I think if I did all of those things, I would be awful at them. I would not be interested in doing that kind of work. I’d be a terrible DFIR person. I’m never going to put incident response onto my list of things I’m going to be doing because I like to spend time with my kids on the weekend and I don’t want to be up stressing about whether a bank’s going to go offline or a telco’s having an issue.
But then if you have to be all things to everybody, you can’t specialize in anything. So your education is going to be, here’s secure code training, right? What we’re going to look at? Oh, what’s the top 10? Because we can give the top 10 to anyone with three months’ experience of reading the AppSec playbook and they run with it. And then when the developers inevitably ask questions like, I’m not really sure why we should be learning about injection vulnerabilities when we specifically have only ETL processes, so we’re kind of screwed anyway if they’re going to be able to inject code into our ETL, and then they come back and say, oh, well, that’s not in the top 10, so it’s outside my skill set, so we’re going to stick to the curriculum. They collapse. Yeah?
Matt Jones
Yeah. I mean, there’s a couple of things. The first one is people only have so much bandwidth, so you have to simmer it down to what people are susceptible to and what applies to their product, their design decisions, their features, and their tech stack. The second one is about stretching yourself too broad. And that’s very dangerous. And for small teams, when you’re bootstrapping yourself, it’s incredibly costly just to do one thing well. But if you’re trying to do many things, you’re just going to be really average at many things, basically. So I think there’s a place for people who stretch themselves too broad and provide general services across many things, and they’re that one-shop stop, which is fine, but there’s also a really important need for people just to focus on what they do so they can be the go-to people, the go-to indie boutiques for specific problems.
So we try to refer on anything which we don’t do really clearly and transparently and try to build that network of other boutiques that we refer work to, and it’s vice versa as well. So it’s quite pleasant that that’s the state of things at the moment. There’s definitely a lot of work to share around and people don’t need to hoard everything, but we’re just focusing nowadays on that. How can we be doing the best we can at good quality assessments? How can we be on the bleeding edge of things? And there’s definitely a market and a need for that sort of skilled humans doing independent assessment still. And I think there will be for a few more years to come. So I’m quite content with where we’re at with it all.
Cole Cornford
Yeah. So that’s probably a good one to move into is over the last couple of years, and I know I talked to Paul McCarty about this recently, is we’ve moved into bug bounty programs and vulnerability research and red teaming and traditional penetration testing, and then also anything under the, just what I’d call software quality enhancement, so SAST, SCA, DAST, all that stuff to help developers make better quality decisions. How do you think things have evolved from your own perspective over the last 20 years and where do you see them moving to?
Matt Jones
Yeah, good question. Such a big topic.
Cole Cornford
That’s right. Plenty of time, man.
Matt Jones
I think when we started, I was avoiding using the word pen testing. I thought it was such a tainted, overloaded term and I didn’t really identify or resonate with the approach and skills that were being applied. And I was referring to it as code auditing or security auditing or just code-assisted security assessments. And that’s become quite popular. Since we’ve started, that was what we did from [inaudible 00:22:52]. But since we’ve started, that’s become a much more talked about approach and it makes sense why it is. I’ll start on testing since that’s kind of where my epicenter is. But I am surprised by the amount of firms that still do black box testing a lot of the time, and also that in-and-out sweat shop style of three-day engagements, or whatever. We normally do a minimum of two-week bookings for any project we do.
And that was to essentially say, if you’re doing an assessment, let’s work on some priorities. You’re either trying to get baseline coverage with some priorities or you’re doing a more comprehensive review or maybe a hybrid of [inaudible 00:23:32] priorities and baseline review, but also some strategic guidance. But we need to spend a couple of weeks on this to be able to have good tangible results for you. And the thing is that people sometimes get this confusion about, well, we’re an agile shop, we can’t do this all the time. And that’s where people shifting left and having internal AppSec teams or working with other providers who are doing small reviews makes sense. Bug bounty is, I have a lot of thoughts on, I’m actually an advocate of pretty much all the things. I think they all have a place and they all provide value, but the context and the approach needs to be proportionate and considering a threat model really well, and I don’t see that happening very often.
So yeah, good quality testing is important. I liken it a lot to, I think I said before, like a good doctor, they should be applying Western and Eastern principles and science to it. And when you see vulnerabilities, like understanding what the patterns are, understanding what the behaviors and susceptibility of issues, and understanding how things change over time, everything’s quite dynamic. So how are you promoting good habits and defensive principles so that people are bolstering and fortifying things properly? And that’s what a good testing firm should be doing and explaining what they found, what they did, and also what didn’t work and why it didn’t work. So you have the independent loop back to your security teams and your engineering teams.
Bug bounties, I see a lot of customers, we have a lot of customers who use bug bounties. Some of them have interesting stories and interesting history with bounties. I think the thing which is interesting is there’s a few use cases which I see working really well for it. The general idea is that it needs to be proportionate to the threat model, otherwise the bug bounty hunters become their own threat. If anything, sometimes people are not exploiting the vulnerabilities and bounties, but they’re exploiting the bounty program running in the first place in an opportunistic way. They’re a new opportunistic threat actor for the org. And a lot of the findings that they might be getting might not be the real vectors and attacks which real actors would be doing otherwise. And it’s very similar to, Haroon Meer back in 2012 had a talk on pen testing considered harmful. Have you seen that from 44CON?
Cole Cornford
I haven’t. But if you can link it to me afterwards, I’d love to have a look at it. He’s the guy behind Thinkst Canary, isn’t he?
Matt Jones
Yeah, he’s such an OG. He’s very wise and he comes out with really good perspective. And I remember seeing this talk at 44CON, and it was such a useful take on pen testing, and it was called pen testing is considered harmful. And it talked about how pen testing has become a market of lemons and how pen testers get hired to secure these organizations, but they spend so much time, it was like the draining the swamp theory of you get hired to drain the swamp with alligators in it and you spend all this time building tools to fight the alligators instead of draining the swamp. And similar with pen testing, we spent so much time building tools to make ourselves more efficient, but we forget what we’re doing. It also brings up another point about how you could have three pen tests back to back. They’re all successful in breaching you, and that’s not a good thing.
How can we provide better assurance? Really, pen testers simulate pen testers. And I feel like bug bounty hunters quite often are simulating bug bounty hunters now. And it’s interesting because it’s really good for catching gaps, from your internal processes through to your own independent audits, and it’s good for catching those edge cases and then feeding back and having a really good triage process. Like what’s the pattern? What’s the attack vector? What’s the attack surface? And then adding that to your threat model and then doing some analysis so that you’re more proactive about it. That works really well. And I’ve seen some customers, and I’ve heard of some organizations doing this really well, but a lot of the time I see that it creates really bad habits, really bad patching. There’s a lack of internal analysis that happens, but also gives a false sense of security when people are really scratching at the surface and they’re not paying attention to your decisions of frameworks and libraries and dependencies and your patterns in regards to how you do secure defensive development practices.
And I think one of the things that really bugged me with some of the marketing of these companies, because we also have to remember that a lot of these companies are very heavily VC funded, so they have huge marketing teams and they’re also quite aggressive with their way they sell things, and it’s usually very disproportionate and not fair to the broader sense of assurance practices and other players in the assurance field. One of the things I found interesting was advertising, we find 10 times more issues or whatever. And if you think about it just for a second, this could be a talk, I think, but if you think about it just for a second, 10 times more issues, and then when I see writeups and when I see people talking about things they found or some sort of public report about some results of a program or whatever it might be, and you see that, you think about how we approach things, right?
Let’s say you have a code base. Let’s say it’s some IoT device, it does some system or popen or exec to call a binary, right? Has a bunch of REST APIs and different access levels or trust levels for the different risk. Some are pre-auth, some are post-auth, whatever, some are more complicated than others. And we say, you have this wrapper for this exec call and it’s forking out to this random binary and we found an argument injection or a command injection or whatever. Let’s just say hypothetically. We would probably think about the trust level, we would think about the complicated nature. How complicated would it be to exploit this black box? And then we would write it up and group them. So we would say something like, here’s the construct, but you can reach it from these endpoints, this one’s pre-auth and this is top priority and these ones are post-auth, and these ones are inaccessible from admins, so it’s lower priority maybe, but we’d group them up.
Cole Cornford
There’s a lot of stuff to unpack there and I think that the approach you’ve just mentioned there is actually really good where if you find a specific type of bug and it’s systemic to a code base, instead of reporting 197 instances of cross-site scripting, you would just write a finding saying that you have fundamentally got a flaw with how you do outputting coding. You just need to be addressing that. Yeah, that’s really good because it means you go from a 110-page report down to 70, and per bug. And that matters to me if I think, one of the things I care about deeply is as a person who is a consumer of an assurance report, what is my customer experience? How am I going to be using this? How is the report going to be given to stakeholders? Do they feel comfortable using it?
And so, simple things like taking pictures instead of writing a code base, so then the developers can’t search for the code because it’s a screenshot of the code instead of the actual code itself, or getting a Burp Repeater request/response and then just putting it on the page as is with such small fonts that they can’t even read what’s going on. It’s like people don’t think about the experience, let alone the writing.
There’s a lot of things I want to talk about here as well, but just specifically about pen testing reports, I think that the bar needs to be raised so much higher on what the expectations from a consumer are, and that’s across a number of things. But for one, yeah, you should be reporting things that are materially relevant for that business. And I always say this to pretty much every single one of my customers, what do you care about? And it turns out if the customers haven’t figured out what they care about yet, which is often the case, in security, they don’t necessarily know what they care about. We guide them to get to that stage and then we shape a program or shape an assurance activity or shape training based around what matters for their business. So, a firm selling shoes online, which, to be fair, e-commerce is a big area of attack.
If they’re a local council and they’re worried about customer data being stolen, if they’re a research institution and they’re worried about nation-state actors, they all are different things that they really care about. But if we’re raising findings that say you have 192 dependencies that are out of date and there may be a chance that they could be exploitable, all it does is create busy work for engineering functions. And so, they’re never able to actually tackle things that genuinely matter for that organization especially. If I think about the incentives in the industry, I’ve spoken to a few testing firms and they say, hey, the reason that we have to raise a report with 400 lows is because if we don’t report it on the low, then we’re going to have a liability against us. And we don’t want to be sued for missing one of those lows in case that low gets changed to become a medium and then causes material damage to some kind of place.
But I go back and say, okay, well, you’re just working with the wrong customers. That’s my view. If they are going to be litigious, why are you engaging with these people in the first place? The whole point of having a good assurance activity is to help businesses. And if they value your expertise and you provide it in a format that makes it easy for them to take in and consume, then you shouldn’t be too worried about having to list every single, you know, this cipher is out of date down here or you’re missing a security header. Oh, don’t get me started on security headers and reports. They shit me to tears, I tell you. Oh, you’re missing content security policy. Hey, CSP, one of the hardest headers to get correct. You’re telling an engineering function to create maintenance issues for life, indefinitely, or they could just write better software.
Matt Jones
It’s tricky. It really depends. So we make sure we’re very careful with risk ratings and how we do informationals. So there’s a really clear distinction between vulnerabilities, weaknesses, and recommendations, particularly around hardening. And I suppose top priority obviously is the highest bonds, and that’s factoring in the threat model. And our risk rationale is related to the finding itself, trying to group things, and whatnot. But when you’re getting into weaknesses, that susceptibility we were talking about before, making sure that people have processes around it and they have good habits.
So that’s usually a good thing because we’ve had customers before where we’ve saved them a few times when we call out, it’s not a vulnerability at the time, it’s not exploitable at the time, but we say you do fork out and use ImageMagick here. You know this is always a threat. And so, how are you going to sandbox it, or how are you going to make sure that you limit the inputs from the file which is being attached in them? That saved them when there was another round of exploitation related to that.
So if there’s susceptibility, it’s good to think about preventative controls, mitigating controls, and how you’re going to detect exploits or have coverage with your logging. But as you were saying before, I think making sure that everything you do has a reason and it’s documented somewhere. It doesn’t have to be crazy detailed, but a very basic secure development lifecycle should have that for all phases in software development; we come in and do an independent audit of that later stage, typically. Sometimes we do a design review as well, but we’re feeding back into the secure development lifecycle and we’re trying to make it so that people understand the susceptibility to things.
And it’s really hard for things like bug bounties to get that coverage. They can sometimes identify a new attack surface or they can identify a feature there and it takes everyone by surprise and it can give a lot of value for that. But ultimately, your internal documentation on how your security assurance program is working should be thinking about how everything ties to these practices really well, including automation and your SAST tooling and your secret scanning and your training, and so on. So at the moment, I would say, in Australia, a lot of organizations don’t do this particularly well.
Cole Cornford
I’m trying to change it one step at a time, man. So we’ll get there.
Matt Jones
It’s definitely improved dramatically over the last several years, and it’s great to see, to be honest, because I was a bit taken aback when I realized, when I was seeing some organizations heavily reliant on bug bounties or heavily reliant on Big Four pen testing or whatever it might be. And when, unfortunately, what ultimately happened is the industry and the threats actually caught up to the problem. It was that places were able to get away with it for a long time and they’re like, this is actually working. And then the reality comes crashing in and saying, no, it’s actually not adequate. You need to be managing your threats better. So I feel like that’s where the industry is at now, having that realization that, oh, there’s a lot of hackers and a lot of people who are breaking into systems and a lot of incidental threats that are possible as well, and we really need to get on top of it.
Cole Cornford
I think another thing is also that we’ve probably been pretty bad in Australia by, again, we don’t really have the pathways like the other countries do. And so, I think we’ve been training people to maximize for getting jobs rather than training them to have good security outcomes. And so, I know a lot of pen testers who have learned nothing except how to run every single tool available on the planet and how to manually interrogate a system, how to spider, and otherwise. But then when you ask them, okay, so the developer’s first question to you after you spend ages going through your methodology start to finish, the answer is going to be, should I do something about this? Does it matter? And what should I do? And unless you’ve had some level of business acumen, which is why I don’t really think that security is necessarily an entry-level role, I think it’s something that you would even need to get some level of broad business acumen so you can speak to the right stakeholders in clear language about what is the adequate level of investment I need so that I can operate safely.
I always go back to that. Or you need to be detailed in tech somewhere, really far into the weeds. And if you’re not in either of those camps, you have to learn one of them. And I find way too many people are instead going on the TryHackMe and bug bounty programs and just trying to maximize for being able to get an entry-level role instead of making themselves a valuable professional ready to be hired who actually solves security challenges. And I feel like part of that’s our fault because if we look at the Big Four, or honestly, a lot of the security consultancies domestically in Australia, we hire for OSCP, for experience in doing this kind of stuff. We don’t tend to hire for novel research because how do you commercialize that? Well, it’s difficult unless you work for an [inaudible 00:38:56], for whatever they’re called nowadays, L3Harris, I don’t know. Anyway, so what do you think about that? Have we created a cottage industry?
Matt Jones
Just thinking about it. Yeah, I don’t think it was just localized here in Australia though. I think it was a very… There’s mainstream InfoSec that pushes down a lot of messaging about how things should be and what topics are important to learn and what approaches and tools, and I don’t think there’s enough independent thought and challenging of those things. And so, I think that it is slowly changing and I think that there’s a lot of really smart cookies coming out of CTFs and bounties and stuff like that who they’ve got that test bed to be able to apply those skills and demonstrate their interests. But I suppose there’s a few things about that side of the industry and how people are entering into the industry as well, which is expectations going into the workforce and how the skills can translate over to real benefit for whoever the customer is.
And the VR space has really taken off in the last few years. It’s been a hot area for a long time, but the last two, three years in particular seem to be really peaking at the moment. And it seems like a lot of CTF players and so on are finding good career paths there. Unfortunately, I think maybe it seems like the other roles in Australia, let’s say consulting, are nowhere near as appealing, when I kind of wish it was more appealing in that there were the right types of opportunities and challenges for these smart cookies to be working on these problems. So for example, let’s say there’s a divide, there’s the nemesis of VR, which is people who are going into the weeds and working with product companies and people who are highly targeted by skilled full-time threat actors who are researching their products, their technologies.
And on the other side of this, the consultants, the internal teams, a lot of these people are incredibly skilled. They share similar skill sets, but their full-time job isn’t objective focused in the sense of writing an exploit or having a capability that’s maintainable and reliable, but it’s rather being quite strategic and tactical at the same time with building a roadmap for a defense which might be multi-year or more kind of investments, which you have to apply a lot of research and you have to apply a lot of engineering effort, but ultimately, you’re changing the economics of how that side of the market and that industry is working. So even though it’s a hot area at the moment, if you look at Zerodium’s and [inaudible 00:41:43], when you see an indicator of what ubiquitous top-tier targets look like, they’re incredibly expensive now, which is a good thing.
So there’s definitely, in terms of, it’s a bit of a tangent, but to go back to what we were talking about, these skilled people who are coming out from CTFs and bug bounties, they don’t just need to go to VR. There’s a lot of opportunities for them to go into really big tech shops or in other kind of adjacent areas doing really cool work to make things harder to hack. And there’s actually a lot of people who are ex-VR working in these tech companies as well, trying to make it so that things are expensive, things are hard, and that’s the way it should be. It should be hard to remotely hack important technologies.
Unfortunately, there’s a big divide between that high-end difficult style hacking and the realities of command injections and VPN appliances on the internet and other bad enterprise software that’s public-facing, and bad application security, and so on. It’s a very big divide between the challenges and the skills at how these people are going to apply to these problems. Yeah, it’s tricky. I think we’re dealing with the aftermath of how there’s been the web 2.0 boom, and so much tech debt, so many flaws, so many technologies, blended layers of technologies working together, creating a lot of different types of problems. And unfortunately, a lot of places are struggling to keep up with it, right?
Cole Cornford
Yeah, a lot of the consulting I do, you get to a point where you say you just have to invest in a cloud-native modern system and start from scratch because your Crystal Reports, they’re probably really lovely, but I’m just going to say that it’s probably out of date at this point and has all sorts of vulnerabilities I don’t want to talk about, right? So it’s challenging because going to a business, a lot of the time they’d see IT as a capital expenditure. You fund a project, it builds a capability, that capability should be there for life. And it’s only in the last couple of years that what I’ve seen is a complete shift in the market from a project delivery mindset to a product ownership one. And that product is an ongoing thing that is fundamental to your business and that you need to be continuously investing in.
And it’s only because people from these large technology firms have decided to, whether from their own choice or from the massive redundancies we’ve had over the last couple of years, they’ve had to reintegrate to the rest of the market and bring that capability. So I’m really happy to start seeing that because application security programs only really work when you have a product that has a continuous level of investment needed that it just needs to stay on top of. And it doesn’t really work when you have a traditional project where you have security architecture up front, somewhere in the middle you do some software quality testing, towards the end you have an assurance program, and then the project’s finished. And I really don’t think that that’s terribly effective in today’s world as much as I hate the whole shift left shenanigans.
Matt Jones
Yeah, I agree. That waterfall approach is certainly like, yeah, I think maybe 10 years ago people were talking about how that’s on its way out, it doesn’t work anymore. General agility in terms of how people look at tech, how people look at our roles in security is essentially critical nowadays. I think people are seeing that and acknowledging it a lot more transparently and openly nowadays. As you said, once a product is live, depending on what’s going on with that product, it needs a really small amount of maintenance, which includes deleting code, removing or reducing default features if they’re not used very regularly, and minimizing attack surfaces. And those simple principles can be a part of a very low-effort, low-maintenance practice that product teams manage. We see some customers doing this really well and it’s great to see.
I think there’s been a lot of good keynotes over the last few years that talk about this, and one was from Halvar about offensive security and that market, but also the patterns and why is it so expensive. What do people do well? Why are things like OpenSSH considered secure and how did they get there? And when you watch these presentations, you really see that there’s a bunch of key fundamental principles that people apply. And if I was to think about the OpenSSH example, for a second, I was talking about my first presentation on the privilege separation implementation, like 22 years old or whatever it is. But since then there’s been a bunch of papers on OpenSSH and lots of attacks and lots of vulnerabilities, but every time they learn from it really well, they then incorporate that into their strategy, into their practices, their defensive programming is incredibly good.
Then we see the backdoor that happened recently and that shows how attacks and threat actors have to pivot and move to other avenues when things get really bolstered down. So when you’re thinking about product security, it’s this constantly evolving thing, but then you also have to take a step back and think about other attack vectors and other types of threats that are possible because it’s no longer practical for an attacker to exploit this. So hopefully, in the next few years, we see AppSec getting really mature and we see that it’s getting really expensive, but then what’s going to happen after that is social engineering is going to probably blow up a lot more and also assume-breach positions of developers and support staff and cloud engineers and that kind of thing. And so, it’s really important that we keep that in mind as well. When someone gets secure at one thing, they need to take a step back and think about the other avenues of attack as well.
Cole Cornford
That’s where we get all our CISMs and CISSPs and so on to come in and start having conversations as well. So I always like looking at source code that’s quite old from the eighties and the nineties because at that period of time, development was fundamentally different. It was programming languages where security wasn’t necessarily something they thought about all that much, with C, C++, Perl, and so on. But the way that people approached it, the quality was just such a high bar because a lot of people came from the space programs, from defense programs like defense industry, from physical device manufacturing into the space, and they brought all that kind of behavior with them.
And so, every function would have pre and post conditions. At the top of the functions, you’d have guard conditions to make sure that you cover for most of the edge cases, you would run formal verification across everything, you’d do property-based testing, and all of that stuff has basically been thrown out the window completely nowadays just because we just don’t have the ability to produce software at speed while maintaining those quality attributes. So I’m a big fan of saying, hey, let’s go read some Mythical Man-Month, let’s go read some Pragmatic Programmer from the early 2000s. We’ll be good guys. Speaking of, I know we’re starting to run out of time. I think it would be good for us to move into the fast-money questions, yeah?
Matt Jones
Sure.
Cole Cornford
So number one for you, what’s your favorite purchase for under a hundred bucks?
Matt Jones
So I did a lap around my house when I heard this question. I decided on my… Have you ever used Pomodoro technique for time management?
Cole Cornford
The 20-minute tomato thing?
Matt Jones
25 and five I think it is. So I bought a physical device about three years ago, which I have on my desk, and you just smack it when you need to focus. And I get so much benefit out of this, it’s whenever I’m procrastinating or if I need to just block out everything else and just focus on completing something, I hit that, give it 25 minutes, have a five-minute break, which is equally important, and then repeat until I get my thing done. That’s about 20 bucks.
Cole Cornford
Ooh, you get five of them. I do a very manual boring process instead. I have a playlist on Apple Music, which is pretty much around 25 minutes long of just ambient music. And then when the music stops, I go up and go see my kids. So it’s like Pomodoro without the ability to slam something and be like, yeah. And the next question is, what’s a favorite book to give a friend?
Matt Jones
A hard one to answer just one. I thought about it from a few angles. Probably the one I’ve recommended to most and I’ve had the best feedback from the friend who’s read it, is The Resilience Project that came out in 2019. The summary of it is an Australian teacher, I think he was a sports teacher in Melbourne, can’t pronounce his last name. First name’s Hugh. I’ve seen that he’s been doing tours around Australia a bit, talking about resiliency, and basically, he went from being a teacher in Melbourne to being a teacher in India, and looking at kids and just going, they have so much less and yet they seem so happy. And then back home he is thinking about all the different mental health challenges. He goes, why is this? And his book is about, it’s a very personal and has a few different angles to it, but basically, it’s about gratitude, achieving happiness via gratitude, empathy, and mindfulness.
I read this in 2020, so I was in Melbourne and I was grateful that work was busy, but I was also in the Melbourne lockdown and kind of stuck inside all day every day and getting a bit in a rut with just the grind day to day. And I read this book and it really helped me shift my perspective when I’m starting to think a bit more negatively to be more grateful. That book is great. It’s an easy read. I really like some of his stories, he works a lot with professional sports players and their mental health and so on, and the stories he has in his book are excellent. He had a follow-up book as well, which I’ve read as well, which is also equally good. But I’d recommend starting with this one.
Cole Cornford
I think that’s such an important lesson for probably to close out on, is that living life, like for myself, I don’t have any covert contracts. I don’t go do things with people with the expectation that in my head, someone’s going to owe me something. I just want to do well by people and I hope they live good lives. And whenever, I guess with running a business, you would know totally well, it’s so easy to collapse under the weight of I’ve got to get sales, I’ve got to get delivery done, I need to market myself to attract people. There’s so many different ways that you could just fundamentally wake up and say, I’m going to check out today. I draw a lot of strength from being able to spend time with my kids and my family and have a lot of supportive people like yourself who do check in on me to see how things are going. So thank you. I’m glad to have someone like you as a friend.
Matt Jones
Oh yeah, you too. I’m a really big fan of what you do in the podcast and your philosophies and friendliness, and you speak so clearly. It’s very admirable how eloquently you speak, I think quite often. So no, thanks for having me on the podcast. The book itself, it’s so interesting, and just to talk about that mindfulness, and I remember thinking for a while, I think being open and talking about it as well is a good habit. So it just creates that culture with everyone where they’re supportive of everyone instead of being oddly competitive or you’re not even sure how to perceive things. So this book was useful, but yeah, as you just said, surrounding yourself with other people. There’s been so many friends over the years, and working with Daniel, I’m so grateful for as well, because we’re like best mates grinding through trying to make this business and do good work and have a happy team, and so on. It’s really important to have people supporting you. So yeah, good way of ending up.
Cole Cornford
All right, well, Matt, thank you so much for sharing all your knowledge about everything to do with assurance of AppSec programs and threat modeling, and it’s been an absolute pleasure. I have a few other topics I’d love to catch up with you for next time about all of the amazing stuff that you’re doing or talkback, but we’ll keep it for next episode. Yeah?
Matt Jones
No worries. Thanks very much. Cheers. Thanks for having me.
Cole Cornford
All right. Thanks, Matt.
Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.