
/DevSecOps: security at scale

The Forward Slash Podcast

James and Aaron are joined this episode by David Imhoff. David is the Director of DevSecOps and Product Security at Kroger. They dive deep into application security, and how to champion security within your organization. 

Transcript

Integrating Security into Code

00:00:05
Speaker
I always struggle with, you know, written policies that are on some Confluence somewhere and expecting that everyone has read all of them and that they're going to remember. That's just not likely. You have to have them for lots of reasons, and they certainly have their purpose. But, you know, for the people that are actually the doers, that are doing things in their daily life, I think putting those guardrails in to where it's actually going to limit you, and it's actually in the code, makes things a lot more likely that they're going to go the way that you want as a security professional, versus just hoping that somebody runs the document.

Podcast Introduction

00:00:49
Speaker
Welcome to the Forward Slash, where we lean into the future of IT. I'm your host, Aaron Chesney, with my beautiful co-host, James Carmen. And our special guest today, David Imhoff from Kroger. Why don't you introduce yourself, David? Hi, guys. So I'm David Imhoff. I'm the application security and product security leader for Kroger. I spend most of my time kind of living right in between the engineering world and the security world, making sure that our applications and our products in general are secure.
00:01:26
Speaker
Kroger, you guys have like, it's like a little, little grocery store kind of thing going on. Oh yeah. It's just, there's a couple of them, you know, in your neighborhood. It's, you know, you may not have heard of it. Yeah. Well, keep it up. You guys will do fine.

David Imhoff's Career Journey

00:01:42
Speaker
How did you get to, you know, so yeah, we've talked in the past, Dave, but kind of tell us how did you get from, you know, I know you've been an engineering manager, but how did security come to be kind of your area of interest? So I spent most of my career at General Electric. That was great because I got to see a lot of different, you know, parts of the business, parts of IT. And it was great to figure out what I did not want to do, right? Which is a whole lot easier than figuring out what you do want to do.
00:02:12
Speaker
That's really the hard part. I was always really interested in how do you actually lock some of this stuff down, right? I spent a lot of time in storage and backup, did some SAP implementations, but, you know, I really always wondered, how do we prevent things from doing the things that they're not supposed to do?
00:02:39
Speaker
And how do we keep people kind of following the happy path? Right. So I left GE and, you know, did something kind of similar at CBTS for a little bit, ran their managed services practice. When I was over there, security started getting hotter and hotter. I really wanted to create more of a managed security practice there.
00:03:06
Speaker
You know, we did patching, we did some things like that. It was nothing like they have now, right? They have a great security program now. But as security was heating up, I got a call from some of my friends that were still at GE, and they had just received quite a bit of funding. They were really starting to move from, you know, security equals compliance to a much more evolved, you know, how do we respond to APT

Evolving Security Approaches at GE

00:03:34
Speaker
threats? You know, let's really beef up the program. And that was really interesting to me. So I jumped at the chance to go back there and really kind of, you know, dive headfirst into security in general. Started out, you know, I.
00:03:52
Speaker
It was a great opportunity to learn, but I wanted to bring something valuable too. So I started out really managing and running their security tools team. Right. So we had a lot of things. You know, there's third-party products for about everything now, but that wasn't really true at that point in time. So I knew a lot about infrastructure and how to stand that up, how to lead that, and how to build things out. So I was doing that while I was really soaking up a lot of great knowledge from really some of the smartest people and the best security practitioners I've ever met. So that just kind of made me fall in love with security. From there, I took a lot of different roles. My role expanded and kind of morphed a little bit into a couple of different things. I led security ops for a bit, intel, detect, response, in addition to the tools teams, took on more of the compliance side.
00:04:49
Speaker
At some point, I would love to be a CISO, right? So I was working for Denine DeFiori at the time when she was at Aviation, and we were just starting the BISO program in general. So that was really a clear way to kind of learn security as a whole, right? Because when you're really trying to get a lot more
00:05:12
Speaker
you know, advanced and really partner with the business, you have to understand the risk and compliance component. That's the language that they speak, right? You know, DFIR is cool and everything like that. But, you know, if you really want to partner with them and kind of get into that upper echelon of leadership, you have to be able to talk risk.

Transition to Security Leadership

00:05:34
Speaker
So that was a great learning for me.
00:05:37
Speaker
Then I went to Fifth Third and led their software engineering team for Fifth Third Digital. I skipped the part where I led software engineering at GE for a little bit there, but that was an interesting time. I do really like building things as well. So, you know, that was a really nice way to build something that was direct to customer.
00:06:08
Speaker
I had never done that before, right? It was really B2B, not B2C. So living in that world and helping kind of evolve that Fifth Third Digital organization was great. But what I really started to realize was, man, I really miss security and, you know, the strategic components of that, and really helping folks understand risk and constantly learning on how to stay ahead of the evolving threat.

Current Role and Responsibilities at Kroger

00:06:35
Speaker
So here I am at Kroger, just trying to make sure that we are looking in all the places we need to look, assessing the threats we need to assess, and communicating that effectively to make sure that, you know, our Kroger leadership really understands and can react to the risks that we face.

Clarifying Security Terminology

00:06:57
Speaker
So there's a couple of things you mentioned in there that I'm unfamiliar with. So for those at home, they may not understand it because a lot of us don't live in the security world. What's an APT attack? Oh yeah. So APT is advanced persistent threat. Right. Those are really your highly skilled,
00:07:24
Speaker
highly motivated, usually highly compensated in some way or another, groups that create really effective, very targeted attacks toward either your business's crown jewels. You know, really, they will find a way to figure out what they need to extract from you or what they want to do to you. And, you know, if you think about the
00:07:52
Speaker
You know, kind of the rating system. You kind of have script kiddies at the bottom, right? That's just people that know how to use Metasploit. You know, they can download Kali Linux. They can press a couple of buttons. You know, if a website is just incredibly vulnerable, they can, quote, hack it, right? APT threats are all the way at the top of that list where, you know, they're almost always state sponsored. They know exactly what they're looking for. They have a plan.
00:08:22
Speaker
And, you know, the P in APT is persistent. They are not going to stop. So they're kind of like the mob-level organized crime, you know, of digital security. All right. And then another one you mentioned was, was it VSO or CISO? BISO, business information security officer.

Role of the BISO in Organizations

00:08:44
Speaker
Yeah. So that role, you know, that's generally a role that
00:08:50
Speaker
kind of sits right in between and is really in deep partnership with a business line or a business unit, to where you are the security person, right? It's usually a very senior role where you understand security and risk in general, but you are really embedded into their business. So you really understand what they're trying to accomplish,
00:09:15
Speaker
you know, from their point of view, right? What are the big company initiatives? What is that worth? Right? Because risk is always a trade-off decision, right? You know, is this idea worth $500 or $500 million? And they really partner with the business to make sure that they understand the risk that they could be taking,
00:09:42
Speaker
how to mitigate that, right, because there's always a better way to go about something. And then they're also really kind of the liaison, right, to make sure that you don't end up with security in its own silo, right, which, the bigger the company, the easier that is for that

Reporting Structure of Security Roles

00:10:00
Speaker
to happen. Right. So they're kind of the liaison to remind the security organization in general, hey, I hear what you're saying. Right. That's a great idea in general. But, you know, this business line needs X, Y, and Z, right? Or have you thought about A, B, and C? It's kind of a check and balance, right? To make sure that things are, yes, very secure, but are also going to work for the business in general, because that's ultimately why businesses exist, unless you're a security company, right? Sure. So those typically would, hold on, maybe they would report into the business unit itself, not to the CISO.
00:10:40
Speaker
They usually report into the CISO, but I have seen it the other way as well. Okay. You know, it's one of those things where I think that goes right along with kind of the conversations around where should the CISO report, right? Should it be to the CEO? Should it be to a chief security risk officer? You know, that kind of follows that same line of thinking, I think, which is: okay, this is really business risk, right? It's not just technology risk, it's business risk. So where do you put

Role and Importance of DFIR

00:11:15
Speaker
them? But right now I've seen them almost always report to the CISO. So is the career ladder ASO, BISO, CISO?
00:11:26
Speaker
don't
00:11:29
Speaker
I'm assuming the CISO is that C-level executive for security, right? You got it, right? That's the leader. Okay, the last one I have is DFIR.
00:11:45
Speaker
Yeah, so forensics, incident response, right? So that is, something has happened. We need to respond, right? It's really detective work. To be honest, that's my absolute favorite part about security. I don't get to do any of that anymore, but that is, I mean, you really are, you're using technology, but you really are acting as a detective in every sense of the word, right? You're looking at human behavior. You're looking at motive. You're looking at, you know, literally the forensics of what has happened. You know, the events, things like that. That's a really cool, but very high burnout,
00:12:33
Speaker
area in security. A lot of times when you hear people talk about security burnout, it's people that are in the SOC, the Security Operations Center, because incidents don't stop, right, and they're never going to.

Memorable Security Incidents

00:12:47
Speaker
So that's hard work, but at least to me, that's one of the most, that and the intel, you know, lead role or the intel team that gathers intel and does threat attribution, right? Who did these things? Those are the absolute coolest parts of security. But yeah, it's, you know, you can only get so far with, you know, a board or the C-suite by continuing to perform kind of a shock and awe campaign. Right.
00:13:23
Speaker
When incidents happen all the time, it kind of loses its luster, right? So you really have to kind of evolve that and talk about risk. I think this is going to be like one of those new, like, you know, cop drama series, is the DFIR, you know, is coming to the Clibberty Broadcasting Network this fall.

Creative Uses of AI Tools

00:13:46
Speaker
DFIR.
00:13:50
Speaker
Yeah, well, the funny thing, one of the consistent memes that gets spread around is, I don't know if you guys watch NCIS, but there's the incredibly cringy scene where two of them are using the same keyboard to fight the hacker. You know, like that. It pops up in culture every once in a while, but yeah, usually in ways like that.
00:14:19
Speaker
Yeah, I love, you know, the Hollywood interfaces that are used to, you know, hack systems and do that kind of thing. It's just amazing.
00:14:33
Speaker
Like, that's not how that works. The interface for Jurassic Park, where it was all 3D, and they're like, no, that's not how it works. Yeah, it definitely does not look like that.
00:14:48
Speaker
I think the most accurate one was probably WarGames from the 80s. There were some things that they had to actually change in security because they were a little too accurate.

Establishing Security Standards

00:15:02
Speaker
Like when he short-circuited the phone to get a call through.
00:15:08
Speaker
They actually had to go through and replace payphones. And for those of you that don't know, there used to be phones on the corners of different city blocks that you could go to and use for some change. I've got a trivia question for you. Do you remember what the password for the WOPR, that DOD computer that he hacked, was? Joseph.
00:15:34
Speaker
Joshua. Joshua. Yeah, it was this kid. It was the back door, that's right, the backdoor password, Joshua.
00:15:53
Speaker
start thermonuclear war stop that's outla thermonuclear war
00:16:03
Speaker
Joshua. He gives up. The only way to win is not to play. Right. All right. So you mentioned a lot of really cool things, forensics and all of this stuff. And a lot of times I ask folks, like, what is the biggest, for you, when maybe you saw an incident that happened and you were like, what? I didn't even know that was a thing. Like, what is one of the strangest things you've encountered in your career being in security? Besides us.
00:16:34
Speaker
Okay, let me think a little bit then. That's a really good question. So there was one time, I won't name where I was, but we were reverse engineering a payload and we realized, and I don't know if it was just a mistake.
00:16:57
Speaker
You know, it was basically malware that was dropped from a spear phish, right? So a spear phish is a very targeted phish, right? So the person clicks a link, they click the link, malware, or at least a malware dropper, gets onto the computer, phones home, pulls the rest of the package down. So usually that package that gets pulled down is something that you're going to alert on, that is, you know,
00:17:25
Speaker
I mean, it's basically a hacker's toolkit, right? In this case, and it really threw us for a loop. I swear, I think it's just a mistake. But what it pulled down was an MP3 of the song Mockingbird by the Beatles. So I don't know. I don't know why that happened. I think that's the Beatles, isn't it?
00:17:51
Speaker
I only think of like Jim Carrey in Dumb and Dumber when they're going muck. Oh, yeah, not that. Not that one. OK, sorry. Not that. It was really, I'm thinking of Blackbird. Blackbird. Oh, no, it was Blackbird. You're absolutely right. It's Blackbird. OK. But we think it was just an absolute mistake. Right. That instead of, you know, I mean, you know, there are people too, right. They make mistakes. But yeah, we just pulled down a song. You know, and we looked at it to see if maybe there was something embedded in it there. By all, you know, indications there was not, and it was just odd. Kind of threw us a little bit. That's kind of like, I'm surprised it wasn't like a Rick Astley song. You know, Rickrolling. Yeah. Yeah. Rickrolled. Yeah. That would make more sense. Right. At least I was like, oh, that's funny.
00:18:51
Speaker
But we've got a security hole. So that's not, we're going to give you back your database till you pay some cash to release it. You should record that and make it a single. Yeah, I should. I'll have ChatGPT write me all the words to it. So that's a good idea. Yeah, absolutely. I actually use Suno. It'll put music to it.
00:19:21
Speaker
Yeah, I love it too. I've done a bunch of stuff. I actually wrote my wife a song between ChatGPT and Suno. I actually wrote her a pretty cool song. That's awesome. Yeah. You want to sing it now? No. Yeah, let's hear it. Go ahead. I could play it for you. I haven't downloaded, actually, I can't because I haven't, wait, I haven't paid for the commercial license, so I can't rebroadcast it. Yeah. So, okay, moving on to the topic at hand. So in your day-to-day, in that kind of thing, what is one of the things that you find difficult to do with your position and
00:20:16
Speaker
the responsibility? Like, you know, you said you're working with trying to set up security standards and making sure everybody's compliant. So what are some of the issues you run into with that?

Balancing Secure Coding and Flexibility

00:20:34
Speaker
Yeah. So I'm going to give you two of them. First is kind of an easy one, right? It's not going to be that surprising. We have a lot, a lot, lot of software developers, right?
00:20:48
Speaker
Making contact and finding the time to spend with them, you know, just to get your message out and to make sure that they know where to look for instructions and guidelines and things like that, and are going to do the right thing. That's a challenge in itself, but
00:21:10
Speaker
you know, when you get people to do what you want them to do, right, which is ask questions, come to you, you know, when they're not sure if they should do something or not, you know, you would like to be there to help them and walk them through the lie so they learn next time, right? And maybe they can teach other people, you know, what we are. The ratio is just very askew, right? I mean, it's basically like four to 3,000. So
00:21:40
Speaker
it's very, very hard to make contact, stay in contact and really partner with the engineering community in general at a level that I would like to, where I think we should be able to, just due to sheer size. And the other one is finding, it's such a fine balance between helping engineering teams
00:22:09
Speaker
code securely and understand how to do that, and helping make things secure by design for them so it's easy to do the right thing, versus being overly prescriptive, getting in the way too much, slowing things down, and, you know, unnecessarily making things cumbersome for them. Right. That is a really, really hard thing. There, you know, there is no right answer. That's on a continuum, right? That's constantly kind of a floating point that moves around, and you really just kind of have to understand all the context that you're in. When you're talking about a project or a product or a team's deliverable, that's where it takes a lot of understanding on what they're trying to do and why.

Securing Internal vs. External Systems

00:23:05
Speaker
So that you can apply the correct amount of security, right? Because you don't want to secure things more than you need to. And you certainly don't want to under-secure things. So, you know, like a lot of things in life, that's a hard thing to figure out how to balance. Yeah. I've run into some situations where the balance was skewed. I worked at, I don't know if you remember EarthLink, the ISP. Oh yeah. I was working there and it was
00:23:36
Speaker
more secure from internal usage than it was from external. So it was easier to get into systems externally than it was from on-premises. And I was just like, this seems like security done backwards. So it was very frustrating at times because we had to access servers in lower environments and that kind of thing and just had issues all over the place. Yeah, it's really easy to get kind of tunnel vision, you know, when you're in security, because you're just trying to give consistent advice, and you're trying to make sure that things are secure, obviously. But it can be really easy to lose sight of the bigger picture when you're
00:24:35
Speaker
really in the details all the time. So, you know, that's not surprising that that happened. Right. Sometimes you just get blind spots and you don't even realize it. Yeah. And it's got to be hard too, because you are trying to protect, I think, what did you call them? The crown jewels of the company. Right. And, you know, sometimes that internal threat is worse than an external

Integrating Security into DevOps

00:25:01
Speaker
threat.
00:25:01
Speaker
On those kinds of things, especially depending, you know, because if you've got, you know, people that have the wrong level of access and that kind of thing. I was just listening to Joe Rogan's podcast and they were talking about someone he knew that had, like, high-level security clearance and typed in a search for little green men, just being funny.
00:25:30
Speaker
Next thing you know, like, her access gets shut down and they're pulling her in and questioning her. It's like, why did you put that in? And, you know, the conspiracy theorists out there are all going, oh, because they're hiding stuff, you know, it's Area 51. They got it. Oh no. You know, it's like, they're covering it up. And then it really is, you misused your security clearance to do something stupid. Right. And, you know, so that,
00:25:57
Speaker
yeah, you know, I kind of get that, but I thought that was, you know, kind of interesting that the internal threat there was actually more dangerous than an external one. Now there was another thing that you mentioned too, and we talked a little bit about this in our pre-interview, with this idea of DevSecOps, and you kind of alluded to it a little bit with that, you know, designing things so that it's easy to do the right thing,

Early Detection of Security Issues

00:26:27
Speaker
which leads to like the DevOps type of philosophy of shifting things a lot. So how do you do that with security? How do you shift things left with security? Yeah. So good question. To me, a defect is a defect, right? So shift-left quality has been here for a long time.
00:26:56
Speaker
You know, I mean, it's a lot easier to catch something in a unit test as a software engineer than to realize, when things have already gone through performance and now you're under regression testing or UAT, that, you know, oops, we need to refactor this whole application. Now we have to have a change and pull it back out. Exact same thing with security defects, right? You know, where I would absolutely love everybody to focus, right, is as far left as possible, which is, you know, there are a lot of plugins that are right in your IDE. There are a lot of command line interface, you know, things that you can do where, you know, as you are programming, you know, just like with linting and anything else, right? It's going to give you red squiggly lines underneath, you know, the thing that you weren't supposed to do that needs attention, right? It is a whole lot easier and less frustrating and cheaper for everyone
00:27:54
Speaker
if, while you're programming, you see, oh, you just brought in this really old version of, you know, the Spring framework, right? You should use this version, right? Just changing that text costs nearly nothing, versus you get all the way through the process and you've got a production release and, you know, the worst case, it gets out there and now it's vulnerable.
00:28:23
Speaker
But, you know, best case, a lot of people have been involved in testing, a lot of people have put time in that, and now you need to go all the way back. You know, you'll see numbers, some of them sound crazy. But, you know, if you look at Gartner, Forrester, a lot of those, like generally, I mean, you're talking at least 200x the cost to fix a vulnerability that has made it to prod
00:28:50
Speaker
versus in your IDE or in your pipeline. So some of the things, right, that you really should do, that we do here, and most people do, right, is those IDE plugins are key. A little bit to the right of that is your CI/CD pipeline. So whatever you use, Jenkins, GitHub Actions, whatever,
00:29:15
Speaker
making sure that that is going to hit a security tool, right? Hopefully SCA and SAST both. So, you know, you want to make sure that your open source dependencies are up to date, right? The SCA tool will catch that. SAST is your, you know, oops, it looks like we think there might be a SQL injection here. This might be cross-site scripting vulnerable, things like that.
00:29:44
Speaker
You want to make sure that as you are committing to your branch, right in there you see what those issues might be, right? You don't want to roll that into a prod branch and release it if you don't need to. So there's multiple checkpoints along the way that you can use, but that's generally what we want to do. And with that, right, kind of underscoring the whole thing is making sure that people understand why they're doing these things, right, and how to fix it. Because if they just keep making the same mistake and having to fix it over and over again, that's a lot worse than helping people understand. And all of these tools give great feedback now. Right. Most of them give examples. You know, hey, we found this in public GitHub. Here's where somebody fixed a vulnerability just like this.
00:30:42
Speaker
Like they're really moving into learning tools versus just, hey, this is bad, fix it, which is what they used to be. Right now it's, if you pay attention, you know, as you're fixing it, hopefully you have time, right? I know not every software engineer has a whole lot of time. Most do not, but if you really pay attention, you can learn quite a bit from just the guidance that you find in there.

Managing Open-source Vulnerabilities

00:31:06
Speaker
Yeah, I always tell folks, one of my best teaching tools for a team is SonarQube, because, yes, it'll tell you what you're doing wrong. If you click on it and read, it'll say, this is what you're doing wrong. This is a good example of what good looks like. I love that tool. It does a great job there. One of the things that you mentioned, you know, I'm a Java developer, so, you know, Spring, that hit a vein there a little bit. I've noticed recently,
00:31:30
Speaker
even when I bring in like the latest version of Spring Boot and all of that in my IDE, CVE, blah, blah, blah. Like, how do you judge that? It's like the boy who cried wolf for me sometimes. It's like, okay, yeah, that's a vulnerability. But if I dig in, I spend a half an hour, 45 minutes, I really dig, dig, dig. And I'm like, yeah, I don't use that part, because it's such a vast library.
00:31:51
Speaker
There's so many attack surfaces, but I don't use that. I'm not using XML, you know, that kind of stuff, or whatever the case may be. And I just ignore it. So now I've gotten to the point where I've got a bad habit. I'm just like, ah, forget about that stuff. I'm not even able to dig into it because it takes too long. How do you balance that? So that's a great question. So the space is evolving pretty rapidly because of things exactly like that. Right. My, the gold standard, at least for me, like, and where I would love to get to, is a point where
00:32:21
Speaker
you know, it's kind of like a graph that kind of drops off, right? So there's a space that exists. It's still kind of evolving. It's called ASPM, Application Security Posture Management. You know, it's more, you know, acronyms and security tools of things that are, you know, combining, you know, not combining, you know how that goes. But Application Security Posture Management is really answering the question that you just asked, right, with context. So it's more intelligently putting together context around what you're looking at. So, you know, ideally, the tool or tools can show reachability, right? Is this function even reachable, right? So there could be a vulnerability that
00:33:13
Speaker
is not possible to exploit because that function cannot be called anywhere in that code because it doesn't exist. Right. Then there's visibility. So are you actually able to hit this externally? Like, can something see this, or, you know, have you most likely covered that through another defense-in-depth strategy where it's behind a couple of things, network segmented, you know, all those things?
00:33:40
Speaker
So, you know, and then you are able to, now at really big scale, this is hard to do without a more comprehensive strategy, but especially for like small, medium businesses, a lot of times in these tools you can mark the criticality of each, like, repo right in the tool. So it will also give you some intelligence to say, okay,
00:34:09
Speaker
you've also marked this as a critical repo in general, right? So you kind of combine all those factors so that you can really look at things that are actually important, because it's always been the problem, right? Same thing with quality tools, right? Separating the signal from the noise is very, very hard. And, yeah, people do get very numb to, you know, if all of a sudden you run a project and it has 5,000 vulnerabilities,
00:34:39
Speaker
you're not going to go in and fix two of them. That's just not human nature, right? You're going to say, oh geez, well, I can't

Application Security Posture Management

00:34:46
Speaker
fix all those. So I guess this is just going to be bad, right? Like, I mean, it's not great, but that is how people think. But if you can cut that down to 10 actual critical vulnerabilities that are really actually posing risk, then you can fix 10, right?
00:35:07
Speaker
And, you know, you shouldn't just ignore those, because it has all the context to tell you definitively, or as close to it as it can, that, hey, these are actual threats, right, that you should do something about, versus just a hypothetical, well, this might be, you know, vulnerable, I don't know.
00:35:30
Speaker
Okay. I think Spring Boot, just because of all the optional dependencies, there's so many things that could be reachable. If you pull in one dependency, if you pull in Gson, there's all this other crap. You know what I mean? And, I don't know, it just causes a big, huge web and false signals all the time. All the transitive dependencies makes that extremely, extremely hard. Right. Yeah. And that is... Right. So with PCI 4, you have to provide an SBOM, right? A software bill of materials. I think that's going to come for a lot more things, right? Because, I don't know, what is it, probably 90% of code out there is composed of open source libraries and dependencies that people pull in. It's just the way it is. But SBOMs are basically enumerating your POM file, right, for a Java project, and telling you what's in there.
00:36:27
Speaker
And then you start having to interpret that and figuring out, is it reachable? Does it have transitive dependencies? So that whole space, I think, is absolutely growing, right? Because you see all of the massive third party compromises that happen, like SolarWinds, right? Where regulators are getting a lot more serious about that.
00:36:52
Speaker
And just general security practitioners, right? It concerns me a lot too, but yeah, it's a hard problem.

Static Code and Application Security Testing

00:36:59
Speaker
Yeah. I've dropped some S-bombs while dealing with this stuff.
00:37:06
Speaker
I believe you, lots of them. Yeah. So one of the things that you had mentioned was these IDE and CI/CD tools for detecting vulnerabilities early on.
00:37:19
Speaker
What are kind of your go-to tools, for those listening at home that may want to shift their security focus left? Yeah, so I mean, there's a couple industry leaders, right? Snyk, Veracode, those are two big ones there. What was that second one? Veracode. Veracode? Yeah. Both of those tools do pretty well on
00:37:49
Speaker
SCA and SAST findings. There are a ton out there, but those are the two that I've seen. There's also Checkmarx, that's used in a lot of shops, right? So most of those tools, they're pretty comparable, right? A lot of them can get you where you want to go. And especially with what I mentioned around the ASPM space, I think a lot of it is going to depend on what your environment looks like and how much context you are looking for, and how quickly all of those companies either acquire or create that capability to provide that context.

API Security Strategy

00:38:37
Speaker
Right. And these tools are mainly used in CI/CD or IDE? All of the above.
00:38:45
Speaker
All of the above. So they've got plug-ins for your IDE, and then when you run it through your CI/CD, it kind of does a final check as well. Yeah, you got it. Right. And then there's, I mean, ideally you want to make sure you have a DAST scanner too, right? Oh, I'm sorry, what scanner? DAST. DAST. So dynamic application security testing. SCA and SAST look at your source code itself,
00:39:15
Speaker
right, and glean what they can from it. DAST, a lot of times you get a lot more false positives, right? It's a little more cumbersome, but DAST is actually going to view it as it runs, so that you really get a view of, oh geez, when this is actually built, it pulls in this other thing that wasn't necessarily in the source code, and the way that that other thing is configured
00:39:43
Speaker
opens up this vulnerability or this attack vector. You want to make sure you have a comprehensive tool set there. And then if you've got APIs, which literally everyone does, API security, API runtime security, is a pretty hot space. A lot of times those will sit on your gateway. They'll intercept traffic. They'll look at the requests, responses and the payloads, and they are looking for issues and/or attacks on those APIs themselves. So that raises an interesting question, because I've done a lot of API development myself and have had to deal with these security tools and things like that.

Ideal Security Organization Setup

00:40:32
Speaker
And one of the things that kind of gets me is, well, don't I have all the security I need from
00:40:38
Speaker
my gateway that's authenticating the request coming in ahead of time, to where I'm only getting exposed to my upstream services that are calling me, because it's not publicly available? I mean, so the authentication and auth, yes, but there are a whole lot of other attack vectors once you get past that, right? So if it's visible, or if somebody gets a foothold and it can become visible to them,
00:41:08
Speaker
then you want to make sure you understand it. And they do a lot more than just, this is a security vulnerability. They also do a lot of... you can start to understand what data is exposed through those APIs so that you can kind of keep track. They're great as an inventory tool, where they'll tell you, hey, it looks like API A, B and C are handling PHI data.
00:41:35
Speaker
Right. And they're looking through the request and response, and they can look at that JSON and kind of infer that, oh geez, that looks like a social security number, we should put an alert in here, right? So it's really the overall security posture of the APIs themselves, not just can it get hacked or not, but how secure is this thing? And do you really understand what this thing is doing?
00:42:04
Speaker
So let's maybe do a thought experiment here. Let's assume this, what was it, Kroger you said it was? This little grocery thing that you've got going on. Let's assume this takes off. Let's assume it becomes a big thing someday. And money is no object. And you can build your organization and your team and everything just the way you want. What does that nirvana look like for you from an organizational standpoint? How do you support those teams the best? Because you mentioned it's a 4,000 to 3,000 ratio.
00:42:34
Speaker
How would you structure that? If you just had all the money you could spend, how would you go about it? So money itself won't buy it, right? I would start with having somebody, much like the BSO model we talked about earlier. I would start by making sure that I had one person for every single pillar, business unit, however the organization is divided and whatever you call those organizational constructs.
00:43:02
Speaker
I would make sure I had at least one person dedicated to each of those to really be embedded. The hardest part is being involved when they're doing ideation, right? Not a lot of people think, hey, let's invite security to this brainstorming meeting where we're talking about designing this new architecture, right? But if you had somebody embedded whose incentive really is to help

Balancing Security and Development Demands

00:43:31
Speaker
the teams get done what they're trying to get done, but just do it in a safe way, or at least consult and raise where it's not safe so that the leadership can make a judgment call on that right there and ask for an exception, then it's going to be a lot easier, right? So just having somebody that's actually, I mean, they sit in that business unit, they go to all the staff meetings in that business unit. For all intents and purposes, they are part of that business unit.
00:43:59
Speaker
Honestly, even better than that, they would have a peer that's basically two in the box, that actually is in that engineering organization and is dedicated to application security itself, and is 100% part of the engineering team, engineering organization, whatever. So that you have both, you have kind of a working team of
00:44:29
Speaker
the actual security side of the house that's embedded, and the actual engineering side of the house that is also dedicated, right? So that would go a long way. And then there are security champion programs, right? That is a great way to do kind of a train-the-trainer approach. You find folks that aren't necessarily security people and aren't in security, but generally the most successful ones look like somebody that is kind of ready for a stretch assignment, looking for something more, or they are kind of more senior and they want to be challenged a little bit more, things like that. Or they might just want to dip their toe in security and see if it's something that's interesting to them, because they've
00:45:23
Speaker
been around application code and they know that that's kind of the next thing in a lot of cases. The security champion program is fantastic. What I see happen a lot, right, is those people are not directly incented on what they're doing in the security champion program. They are on the engineering teams, and they're incented to deliver business features or, at best, non-functionals, right?
00:45:53
Speaker
So it's making sure that every leader of the organizations that those folks are in correctly incentivizes those people, really understands, but more than anything has really bought in, right? They've got to believe in it. They've got to actually support those people, and they can't let non-security work just totally take all the air out of the room, right? Because it will absolutely do that if left unattended. There's never any shortage of features that need to get developed for the business.

Prioritizing Development Team Demands

00:46:31
Speaker
So those would be the two things that I would really do: A, it's dedicated people that are truly embedded, with a counterpart in those organizations, and B, real clear incentivization, sponsorship and agreement from every one of those leaders that
00:46:52
Speaker
the people that are in their teams, the quote-unquote security champions, right, that are in that program and are kind of friends of security, are not being asked to do other things that just eventually take over a hundred percent of their work. I like that thought you mentioned about the balance of work too. You don't want to not think about security, but you don't want it to overtake your project either. Similar to things like accessibility or design or any of these other things that can just snowball and get out of control. And the next thing you know, oh, we've shut everything down because we're solving tech debt, right? And it's like, we can't operate that way. We can't continue to add value. So we've got to keep everything kind of in balance. If you're juggling all these balls at the same time, you want to keep them all in the air
00:47:49
Speaker
and keep everything moving forward. And I think that's a good message to have: you try and keep all of your different channels of development moving forward at a steady pace so that one doesn't stack up and topple your project. So it's a very good message.
00:48:12
Speaker
We touched on it a little bit, but I've spent several years leading engineering teams themselves, right, directly. That is the hardest thing in the world to do, because you really kind of do get death by a thousand paper cuts as a software engineer, because of the demand; everything just wants to shift left, right? And the demand on you, there's never any shortage of features, and there's never a timeline that is
00:48:44
Speaker
totally reasonable, right? That's just not the way that the world usually works. So your delivery is always at a hundred percent, at least, right? And you have to keep moving, but then at the same time, and I truly believe that most developers want to do the right thing. I don't think that anybody is actively trying not to do secure development, but
00:49:15
Speaker
it's really making the space and the time for them to tackle it. It's hard enough just to tackle the non-functionals. I can't tell you how many times, at every company I've been at, and I'm sure everybody listening to this podcast and you guys are seeing it, where it's: listen, we just need to get that out. I promise we're going to make a user story and we're going to come back and fix that.
00:49:39
Speaker
Right. It happens sometimes where you fix it, right? But you're constantly fighting to remind people, hey, remember, yes, we went to market with that feature, but you still owe me this amount of time from this team, because we have to fix this thing or it will come back and bite us, right? Or it will at least slow us down as we look to make new features. Security is another one of those things.
00:50:09
Speaker
And with certain parts of the organization, if you're working on kind of a flagship product, you've got different parts of the organization asking for things at the same time. You've got marketing asking for this so that they can compete with Acme company down the road. And then you've got your sales guys that are saying, hey, I can sell a lot more of this if I have this feature. And then you've got your
00:50:36
Speaker
business analysts saying we really need this, and you've got your security and your operations, and all these people want something done, plus you've got defects and tech debt. So you're getting all these multiple channels of incoming work, and you absolutely need to have somebody at the helm filtering that out, prioritizing that stuff and keeping it in balance, so that, okay, we're going to please everybody. It may not be on the timelines that you want, but we are going to get to it, and this is how. And you can show that out and it helps quiet that noise of, I need to have it, I need to have it. Or, we're going to do that later and never get around to it, right? So yeah, that's definitely, you're right, it's absolutely one of the hardest things. And if you don't have,
00:51:31
Speaker
if you don't have somebody filtering that for you, it is death by a thousand paper cuts, because you're trying to please everyone. Because as developers, that's what we like to do, is produce something that makes people happy. And it's very hard for developers to say no, because in their mind, they're like, yeah, I could do that. I can make that happen. That's something in my wheelhouse that I can say yes to. But
00:52:02
Speaker
where it breaks down is they don't have the time to do that. And then they say yes to everybody, and then you've got this giant amount of work, and it's like, I can't make anybody happy now, because I've said yes to everyone.

Specialization vs. Generalization in DevOps

00:52:19
Speaker
Dylan got to see me do that dance firsthand for two years. So we can tell you how well or not well I did with that.
00:52:28
Speaker
It's interesting that kind of the stuff you're talking about, like education is the key, right? But our industry seems to have, and I think it kind of came with the DevOps movement a little bit, this "you build it, you run it." So a software developer doesn't just sit down, clackity-clack on a keyboard, writing Java code. Now I need to know Kubernetes. Now I need to know networking. I need to know all of these things. And they're like, well, we just have the developers do it. And in some sense that accountability, yeah, it's a lot of stuff to know. And there's no way that you could be the jack of all trades and the ace of none, right? So how do you get people that are really good at software engineering, but then cover all these things? I think there's been a little bit of a backlash from the industry on that whole
00:53:11
Speaker
you build it, you run it, and people are wanting to go back into specialization. So it's going to be interesting where we settle on that pendulum, where the industry thinks, okay, this is the right blend, this is the right balance. And maybe it's not the same for every team, but it seems like that pendulum is swinging back a little bit.

'Ship it or Skip it' Game

00:53:28
Speaker
It's just an interesting observation. So I'm going to make an abrupt change of topic. All right. Wonderful.
00:53:35
Speaker
Let's talk about ship it or skip it. Ship or skip, ship or skip, everybody, we gotta tell them to ship or skip. All right. Remind me how to play this. So you're either going to answer ship it or skip it. Those are the rules. It's a very simple game to play. We're going to throw out a couple of ideas, concepts, or products
00:54:12
Speaker
that we'll discuss, and we'll each vote on whether we believe it is something we should ship, meaning we use it all the time or, yes, implement it in your day to day life, or skip it: don't worry about this thing, just forget about it.

Importance of White Hat Pen Testing

00:54:30
Speaker
Right. So one of the first things that I want to bring up in this, from when we were talking, is white hat pen testing. Because as you were talking, I was thinking about this. I'm like, yeah, white hat pen testing. What do you think on that topic? Is that a ship it or skip it? Is the white hat part of the actual company itself, or are you talking about like bug bounties?
00:55:05
Speaker
Hmm, which way do you want to answer it? Does it change your answer if it's like a contracted white hat versus an in-house white hat? No, I think ship it on both of them. Honestly, tools can get you so far, but if you have something that's super critical, you really want somebody touching that thing and really trying to break it
00:55:32
Speaker
that has done that before, right? That has a human brain and not just an algorithm.
00:55:40
Speaker
James, what about you? As a backend developer, I hate when people say we have to do pen testing, but I understand. And I think it's a necessary evil. Yeah, I think I would say ship it as well. So for me, I
00:55:59
Speaker
say ship it, with the caveat that it's not a black hat converted to white hat,

Software Bill of Materials

00:56:06
Speaker
because I don't agree with the ethics of black hatting somebody to get a white hat position. Yeah, I don't like that either. No. It's like that guy from the Catch Me If You Can movie, and now he's like a security analyst for the Abagnale model, right? So that's where I draw the line. It's like, okay, you don't break the law to get a job. That's just not the way you do things. It's like the old mafia: you know, you got a nice website here. It sure would be bad if something were to happen to it. Like, if I were to hit this key here and get all of your personal data, that would be unfortunate. All right. What's our next one?
00:56:59
Speaker
Oh, let's do it. We mentioned this earlier, the software bill of materials. Yeah. Ship it. That is more and more critical, especially as a consumer of products, right?
00:57:18
Speaker
I want to know what you used to build that product, because when I see something on Dark Reading or CSO that says, hey, there's a horrible zero day in this library or this dependency, and things like that, I want to be able to go back and look at what was in the recipe of all the products I bought, so that then I can go back to them and say, hey,
00:57:45
Speaker
show me what you did about this, right? Have you actually done something about this? Because otherwise you're blind, right? And you've got things running that are vulnerable in your environment and you're not sure where.
00:58:01
Speaker
Yeah. I'd have to say ship it as well. I think, and I've said this for a long time, I think something like Maven and the dependency management has been a huge boon to the Java world. The fact that we have structured dependencies. I'm very, like,
00:58:16
Speaker
I don't know, I'm weird about SBOM stuff. I actually wrote one for a project we were doing. I didn't trust the one that you can spit out with Maven, right? So it'll go through the dependencies and spit out the tree and all that. I actually wrote a runtime SBOM. So you can go to a, it was actually an actuator endpoint for Spring Boot, and it would go through and scan the class path, all the jar files, and say, this is the actual class path I am running on right now. And try to introspect all the jars and say, this is commons-lang-3 and this is this, and these versions. And it would spit out the actual runtime jar files from the class path.
00:58:50
Speaker
That was pretty cool. I don't know if it differed very much from Maven, but I was very nervous. Like, okay, I want to make sure this is accurate. But that was a pretty cool tool. Ship it, that's awesome. I'm mostly a ship it. I've used SBOMs in practice, and one of the most frustrating things is when you're pushing for a release, your SBOM changes and it breaks something in your code,
00:59:20
Speaker
right? Because it's like, well, now we've got to go in and change this because we're using a centralized SBOM that everybody's using. I've got to update these versions. And now I've got additional work that's impeding my release. So that's kind of the downside of it. But in general, I really do like it.

Debate on AI in Threat Detection

00:59:41
Speaker
When the version updates don't impact me, it's great, because I don't have to think about version matching between dependencies and that kind of thing, especially with Spring Boot, when you have all these different starters and network component pieces and all that that have to match. It's great for managing that kind of stuff. It's just when those version changes happen, they get pushed down and it impacts your code. Now you've got extra work. So yeah, I'm a tentative ship it
01:00:14
Speaker
on that, but I do think it's the right direction. I think there just needs to be a little bit of controls in place, or pre-testing on how this could impact you, or scheduling a version change on the BOM. Especially as it relates to some of these vulnerability checks. So especially if you're doing an SBOM update because you have a vulnerability and your governance committee is saying, well, you can't release because you've got these vulnerabilities in place. And then you go to update your BOM, it brings down all these new versions and breaks your stuff, and now you've got to go back through. It's just... It's always a good time, right? Yeah. Yeah, he says, somebody who doesn't code and decided this is the dependency you have to use. And yeah, that's always fun. Yeah, that doesn't always work out. No. All right. You mentioned something earlier when we were talking about white hat testing. You said somebody like a human being or something. So I thought this one might be interesting. We had it written down. AI for threat detection and remediation. Where's your stance on that? Skip it. Skip it, I figured. It's not there yet.
01:01:26
Speaker
I'll refine that just a little bit. I think multi-indicator behavioral detection, if you want to call that AI, is critical, right? UEBA, that's critical, right? Because you're looking at a string of events and a composite risk score. That is great, but
01:01:57
Speaker
if you have a product that's, you can just use our chatbot to ask it to do all the things I just... I just can't see that working right now. That would be great if it worked in the future, but I would not want AI to do anything more than triage at this point. Hopefully get rid of some of the busy work; that part I would like. But I feel like I would want an actual responder to go back and make sure
01:02:27
Speaker
that it did what it did. Yeah, I'm going to say skip it as well, because I don't think that if an AI told me that we were all secure, I would completely trust it at this point, given how new everything is, and whether it actually did a thorough analysis of my system. But if it did find something,
01:02:57
Speaker
I would trust that it actually found something. So I think as a checkbox to say, yeah, we ran an AI thing and it cleared, but that's not the only thing we're going to go by. But still, I think I would skip it for now. I think there's other tools out there that are better suited for doing that thing. Or, going back to the white hat pen testing, if my white hat says,
01:03:25
Speaker
yeah, we're good, I couldn't get into it, I'm going to trust that a heck of a lot more than an AI. Right. A hundred percent agree. Yeah, I'm going to agree with you guys, skip it for now. Just because I don't trust anything, right? So if you're talking about generative AI, an LLM type of thing, there's all sorts of things you can do, putting gunk out there in GitHub as they're scanning through public repositories, to put garbage into the base LLM, and that's an attack vector. So if I'm just relying on AI to do all my threat detection and somebody pollutes the language model itself,
01:04:02
Speaker
and then they can capitalize on that, that's

Policy as Code

01:04:05
Speaker
a problem. And there's no way, I mean, it's just all black magic inside the base LLMs, you know? So I'd say skip it for that. Well, the thing I do like, and I've used it, is the anomaly detection for, and this isn't necessarily threats, but if my query is starting to take longer and those sorts of things, to say, hey, there's something weird going on with your infrastructure or whatever. I think that's interesting to me, but no, I don't think for threats. Agree.
01:04:31
Speaker
I think the last one I want to cover in ship it or skip it is policy as code. Ship it, especially when you're talking about cloud security posture; policy is a big one, right? Azure has a lot that you can do and restrict with policy in general.
01:04:59
Speaker
It is a whole lot more likely that somebody is actually going to follow a policy if it's actually encoded and the thing that they are doing will or will not allow you to do it per the policy. I always struggle with written policies that are on some Confluence somewhere and expecting that everyone has read all of them and that they're going to remember, right?
01:05:27
Speaker
That's just not likely. You have to have them for lots of reasons, and they certainly have their purpose. But for the people that are actually the doers, that are doing things in their daily life, I think putting those guardrails in to where it's actually going to limit you, and it's actually in the code, makes things a lot more likely that they're going to go the way that you want as a security professional, versus just hoping that somebody read the document.
01:05:58
Speaker
So this is where we're going to differ in opinion. All right. So I'm going to be skip it, because one, I think that it's putting more on the developer's plate in an area where they're not necessarily the expert. I'm by no means a security expert, and I'm always nervous when I go in to do policy configurations, because am I breaking something? Am I going against
01:06:26
Speaker
what the security policies are for what I'm trying to do? Do I have enough checks and balances in place? I always feel like I'm defusing a bomb, where I'm just like, before I snip this wire, right, is it the blue one or the red one? Blue or red, blue or red, blue or red. Somebody tell me, right? Because I need this to work, but this is in the way. And I think I can
01:06:57
Speaker
remove it because it's not critical for this part, but I'm not sure. And so I get this nervousness about, is it the right thing? And I think when you have a microservice environment where you've got many implementations of the same security, if there is a rolling change, now you have to coordinate a lot of work across a lot of teams in order to update that. And it could be as simple as,
01:07:26
Speaker
we've moved authenticators, right? We're going from Auth0 to OAuth2 or vice versa, right? So we're making that wide sweeping security change. So now all of you teams have to go out and change this to the new security model, because your security is going to break, your authentication is going to break, given this date. And then you run into the issue of, well,
01:07:51
Speaker
this project was in maintenance mode. Nobody's actively developing on it, and we're going to go in and change that. So for me, I think that having that policy as code for everything is a skip it. I see your point. Yeah. I mean, I'm ship it. But of course, with any of these things that are kind of done centrally, and I think this one would best be done centrally, because if there are new things coming in, new threats and all of the things that can happen in our world of security, somebody that's really, really good at that needs to be maintaining that centrally. Now with that comes that abstraction away from the teams, and of course every team thinks, oh, my application is so special and we're a unique snowflake, nobody else does what we do. Well,
01:08:44
Speaker
maybe you shouldn't be doing the snowflakey stuff. But anyway, I'm a ship it, but with the caveat that I do think you need the really smart people that are keeping an eye on the threats that are out there and making sure that the policies are reflective of that and being kept up to date. Otherwise, they're just written once and put off to the side, okay, we checked that box. I think they need to evolve.

Rapid-fire Personal Questions to Imhoff

01:09:06
Speaker
All right, are we ready for our lightning round?
01:09:28
Speaker
You know, we're looking for short answers. And there's not always a correct answer, it's just more about getting an answer.
01:09:40
Speaker
We'll each give you five. But there are more correct answers for some of them. They are more correct. Fair enough. And there are some just wrong answers. There might not be just one right answer, but there's definitely some wrong answers in there. I hope I pass. Coldplay is always the wrong answer. Yeah, you're not going to get that answer from me. I'm kidding. I'll pass on that one. I'm kidding.
01:10:06
Speaker
All right. Okay. So we're each going to ask you five questions. We'll alternate back and forth, for a total of 10 questions in the lightning round. Are you ready, sir? I am. Let's do it. All right. So question number one, how many hours of sleep do you need? Oh, I need eight. Like I am just an absolute miserable person if I don't get eight.
01:10:35
Speaker
I wish it was less. I used to be able to operate on less, but I have got to get eight. Okay. And I don't know how our questions are related, but it is when you fly on a plane. I don't know why you have to specify fly on a plane. Is it? I guess there are other ways to fly with like a dirigible or something. But anyway, when you fly on a plane, do you wear a neck pillow? No, no, I cannot sleep no matter what on a plane. So a neck pillow is just extra cargo.
01:11:06
Speaker
Fair. Yeah. I mean, this is one of those where there is a right answer. We would have also accepted. Yes. Fair enough. Have you ever slapped someone in the face? And don't worry. We're not going to press charges. I don't think I have. Definitely not that I'm going to say on this podcast. So that's a no.
01:11:28
Speaker
How would you rate your karaoke skills on a scale of one to Mariah Carey? Oh, so was that one to one?
01:11:39
Speaker
Right answer. I would give my effort a six and my talent a one. OK, all right. In that same vein, make a high pitched sound. I'm not going to do that. Just pretend that that happened.
01:12:03
Speaker
We'll edit one in or something. Skittles. Let's get Skittles to do that for you. We can get that. Aaron's bird. I can escape that habit. Yeah, we'll get Skittles to do that. I love it. All right. Super Mario Brothers or Zelda? Oh, Zelda. Zelda all day. That's like my childhood right there. The gold cartridge. Yeah. Oh, yeah. Absolutely. Yes.
01:12:32
Speaker
How long can you hold your breath for? Geez, I don't know that I've tried recently, probably a minute. So, I mean, I'll prove it, probably. Here we go, if the time starts now.
01:12:50
Speaker
Let's see. All right. If the toilet paper roll is really low, but not completely out, do you replace it or leave it for someone else? What, am I at home?
01:13:02
Speaker
Well, I guess I would. Yeah. I think we'll go with home. I would replace it. All right. That's an upstanding guy. You probably put away your shopping carts at the grocery store. I do. I like that. I do. That's good. That's good. So I have replaced the ones in a public restroom, too, like you know sliding the door over so that the next person... Yeah, yeah. I like things to be in their place. Yes. I think I'm the only one in my house that replaces the toilet paper.
01:13:32
Speaker
Just throwing that out there. Do you believe in Santa Claus? I know. I definitely do not. I think it's, have you, did you ever? Oh, I did. I read the question wrong. We go from the same question bank. I saw that. Did you ever believe in Santa Claus? I definitely did believe in Santa and I was absolutely crushed when everybody at school told me that he didn't exist.
01:14:02
Speaker
Would you go to a movie alone? No. I would probably rather find something to watch at home. Is that fine? I don't know. I think we got one more round here. Let's do one more round, back and forth. Polka dots or stripes?
01:14:28
Speaker
Stripes. I cannot pull off polka dots to save my life.
01:14:35
Speaker
How many times do you believe you've sneezed in the last seven days? Oh man, that's a good question. Probably not a lot, like six maybe? Six, if you're lucky. Ragweed season is ending. If you would have asked me this earlier, it would have been in the hundreds. Yeah. Right. I've been a miserable mess this season, so.
01:15:05
Speaker
And to keep the lawyers happy, Mr. Imhoff's answers to these questions do not reflect the views of Kroger as a company. They may like Mariah Carey. We don't know. They might. At least the music version. That was my childhood memory of Kroger: you know, listening to the music playing as we go down the aisles. It was like, I know that song.
01:15:34
Speaker
We've kept Mr. Imhoff past the time that we've requested of him. So I want to make sure we were respecting his time here. Yeah. I was just going to say, I think that does it for this episode of the Forward Slash, where we lean into the future of IT. I'd like to thank our guest, Mr. David Imhoff, and my beautiful co-host James Carmen. Thank you both, gentlemen. And also our production staff as well. Stay tuned for future episodes of the Forward Slash.
01:16:04
Speaker
I am Aaron Chesney, thank you, and good night.