January 24, 2019
Ep. #24, Application Security with Omer Levi Hevroni
In episode 24 of The Secure Developer, Guy is joined by Omer Levi Hevroni, DevSecOps Engineer at Soluto, to discuss application security, O...
Hey, everyone. My name is Ari. I work at Twilio, as mentioned. If you haven't heard of Twilio, we offer APIs to developers to include communications in your software. If you've ever had a phone call from Uber or Lyft, a text message from your bank, or done one of those online doctor visits via video, that was most likely Twilio.
We've also been moving into the contact center space which is super interesting. So you should check it out. As mentioned, I lead our risk trust and compliance group at Twilio. And I think the reason I'm up here is because part of that group includes a team we call Customer Trust. That team is dedicated to talking about security with our customers, specifically our enterprise customers.
This presentation is a lot of the learnings that myself and my team have taken away over the past few years, hopefully share it with you. If you all have any feedback or ideas or you have different experiences I would actually love to hear about them afterwards. We're still growing, we're still learning and always looking to improve.
Today I'll talk about three things. Security's role in the procurement process, I think everyone here is relatively familiar with that so we'll breeze through it. Common concerns to address, and then how to establish trust, "What things can you do to implement a sustainable trust organization that your customers will appreciate?" Before we jump into all of that, just a quick note.
Security is extremely expensive.
If you're looking to go to market with trust or security as a differentiator, just know this ahead of time, it's not going to be cheap and it's not going to be easy.
Security professionals are very highly paid. Security tooling is extremely expensive. Just know that when you walk into this, it's not going to be like you drop a security team in place and voila, you're ready to sell to the enterprise.
That being said, even though building a security team is expensive, not building a security team can be way more expensive. I put some fun facts on the screen for you all to read through.
As expensive as these are, as expensive as building out a good security team and a good security program is, personal opinion, I might be biased, it's way better to start establishing trust with your customers first by building a good security program, by having good security foundations in place, and having that foundational relationship in place than to try and build that relationship after something like this happens.
Now that we've covered my PSA for the day, let's jump into it. When people think about sales they typically think about, "How do we increase sales? How do we convert leads? How do we come out with the newest marketing initiative? What are we going to do to increase top of funnel efforts?"
What people don't always immediately think about, unless you're Uri, you teed up my talk nicely. Thank you. "How do we get security ready for the enterprise procurement process? How do we get ready to sell security within enterprises?"
Security is actually in approval for new vendors and new services, etc. So if you don't pass muster on your security review with an enterprise, sorry, but you are not going to make it past the sales process into any further steps.
How do you go about gaining that customer approval, the enterprise approval? A bunch of different things. You have questionnaires, you have white papers, you have compliance certifications, you have customer audits where the customer will actually come on site and perform a security audit with your security team.
Very time intensive, but starts the beginnings of what I like to think of as a beautiful security relationship. Additional phone calls, and one thing that's not on the screen, legal reviews. Your customers will often ask you to sign a legal addendum to the MSA where you are committing to some minimum security expectations.
While you're going through all of those different steps, there are some common concerns to make sure that you're addressing.
The number one thing I've found that enterprises care about is what's happening to their data. Twilio is a platform company, so customers often send data to us that we store within our environment.
If you're selling on prem software, this is really about the platform that you're providing and how that platform will take care of their data within their environment. Either way, people will want to know.
And by people I mean enterprise customers will want to know how you're encrypting it, who has access to it, what kind of access controls they can put in place so that they can minimize who's accessing their data. How long are you retaining it? GDPR blew up this question over the past year or so.
Then, if you're a platform company or if you're a SaaS provider, how are you preventing exfiltration? How are you keeping their data where it's supposed to be? Common concern to address is a holistic security program.
There are a couple of frameworks to use, NIST is great, the ISO 27000 series is really nice. The thing about security is that there's actually multiple disciplines within it. If you're really great at one discipline, say you're great at awareness and training, your users know everything about spear phishing, everything. Great. The enterprise doesn't care if you're not doing all the rest of the things as well.
Building that holistic security program, making sure that you're taking care of risk management, you are doing business continuity and disaster recovery, you have security controls built into your change management process, etc. Another common concern is security compliance.
Everybody loves compliance. Auditors running around everywhere, it's a beautiful sight. Enterprise customers will have compliance needs, and depending on what service you're providing to them, you might have them too. If you're providing an on-prem software solution, your solution will need to be ready to handle all of the compliance controls that your enterprise customers need to accommodate.
If you're a SaaS solution, you're a platform company like Twilio, those compliance needs might become your compliance needs. Twilio is in an interesting position where we don't have to legally be compliant with anything, but if we want to be a platform that helps healthcare providers or takes credit card numbers over the phone, we need to think about all of these compliance needs that our customers have.
This is where knowing who your customer is becomes really important. If you're selling to healthcare companies you better start looking at HIPAA if you're not already. If you're selling to the government, FedRAMP better be on your radar. There's also a few certifications that are more broadly recognized and a little bit less industry specific. ISO 27001, SOC 2. Those are both broad certifications. ISO in particular is internationally recognized, which is nice.
Now that we have some of those common concerns laid out, how is it that we're going to be able to establish trust with our customer, with those in mind? First thing is, build your foundation.
If you don't actually have a good security program in place, all of the talking in the world will not get you through that procurement process. Having your security team, having the foundational programs, doing a good job across all of the different security disciplines. That is the first and foremost thing that you should think about.
After you build that foundation, it's really up to you and up to your customers as to what you want to do next. I have a couple of examples from a lot of things that we've done at Twilio that you all can-- We can have a quick discussion about. By discussion I mean I can present about it.
This is not meant to be a Twilio commercial, but it is meant to have some concrete examples of things that have worked and are working at Twilio. Again, if there are any additional things that you all know about, I would love to know about them too. The first thing that we did was create the Twilio for Enterprise plan.
This is full of additional features for our enterprise customers based on their feedback to us, so it's nice for them. They get the additional features. It's also nice for us because this is a revenue generating product. And actually, I didn't realize this, but the owner of the Twilio Enterprise plan product is right here in the audience.
If you have any questions about that, he's your best guy. Yeah, you bet. I tried to get him to get up on stage with me to help present this section but he declined. OK. Many of the features within Twilio's Enterprise Plan are actually security related, even though they're not in the security and legal section, necessarily.
We talk about access controls, higher availability commitments, additional logging to provide more insight, and then briefings with our security team. Really, the white glove treatment for enterprise customers. We've also started moving towards a model of having auditors independently validate our security controls.
I talked about ISO 27001 before. It's a great holistic security framework to work off of. It's internationally recognized. It covers that holistic view. This has worked really well for us and is appreciated by our enterprise customers.
Also this year, we announced compliance with GDPR, which is the EU privacy regulation. I'm seeing a lot of nods, so I feel good that we don't have to dive into a GDPR overview. With both of these and with some other things that are not necessarily on this slide, to keep it uncomplicated.
We've been going to our customers with this idea of, "We know what you care about. You want some independent validation. Here it is, along with everything else that we're doing."
The third thing that I want to talk about is product-specific features. I mentioned that Twilio-- I think I mentioned that Twilio has a programmable voice product, and as a part of that programmable voice product we also can do recordings of voice calls. Our enterprise customers began coming to us and saying, "We know you're encrypting the S3 buckets that you're storing these recordings on, but we want to add additional security controls on top of that."
So we rolled out a "Bring your own keys" model, where our enterprise customers can send us their public keys and we'll encrypt their recordings at the file level, and they have the private key and only they can then decrypt their own recordings.
This is great because it covers off on some of the issues that I mentioned earlier. "Who has access to the data?" Now it's only them. They only have the private key. "How is the data protected?" Great, they have control over how it's protected, because they're choosing what to do with it. A lot of those things get put back in their hands, which is appreciated by them.
When you're a cloud vendor you always have to straddle that line with enterprises: what's cloud, versus, how much control do they actually want? This product has been one of several that has really helped with that story.
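The "Bring your own keys" model described above, as an added example that is not Twilio's code: the vendor side receives only the customer's RSA public key and envelope-encrypts each recording with a fresh AES-256-GCM data key that is wrapped with RSA-OAEP, while the customer side unwraps that key with its private key. The envelope field names, key sizes and the use of Ruby's bundled OpenSSL binding are assumptions for this example.

```ruby
require 'openssl'

# What the vendor stores beside each recording: the per-recording data key wrapped
# to the customer's public key, plus the AES-GCM IV, auth tag and ciphertext.
# Field names are assumed for this example.
Envelope = Struct.new(:wrapped_key, :iv, :auth_tag, :ciphertext)

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Vendor side: needs only the customer's public key. A fresh random AES-256 key
# encrypts the recording at the file level; RSA-OAEP wraps that key so that only
# the holder of the matching private key can recover it.
def encrypt_recording(customer_public_key, recording_bytes)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  data_key = cipher.random_key          # generated and set on the cipher
  iv = cipher.random_iv                 # fresh per recording, never reused with a key
  ciphertext = cipher.update(recording_bytes) + cipher.final
  wrapped = customer_public_key.public_encrypt(data_key, OAEP)
  Envelope.new(wrapped, iv, cipher.auth_tag, ciphertext)
end

# Customer side: the private key unwraps the data key, then GCM verifies the tag
# before returning plaintext. Without the private key the vendor's copy of the
# envelope is just ciphertext, which is the point of the model.
def decrypt_recording(customer_private_key, env)
  data_key = customer_private_key.private_decrypt(env.wrapped_key, OAEP)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = data_key
  cipher.iv = env.iv
  cipher.auth_tag = env.auth_tag
  cipher.update(env.ciphertext) + cipher.final
end
```

A wrong private key fails at the unwrap step and a modified ciphertext or tag fails at `final` with `OpenSSL::Cipher::CipherError`, so neither yields plaintext.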
Then the last thing that I'll talk about is the actual creation of what we're calling the Customer Trust group at Twilio. When I joined Twilio three years ago now, we had this fun model where it was a spin the wheel for who gets to answer the security questions. So sometimes I would take them, and sometimes our head of infrastructure security would handle the phone calls, and the questionnaires would get filled out by the architect and then the chief security officer at the time would do the onsite visits. It just ended up with this whole smorgasbord of information that was flowing around to our customers.
It was inconsistent. It was correct, but definitely people were getting different messages from different people, said differently, and organizations did not appreciate that in the least bit.
What we did was we took a step back and said, "We need to approach this from a much more organized manner." We created a group called Customer Trust which is solely dedicated to working with our customers. For security only, I only have three people on the group, so that's security and security only.
This allowed us to do a few things. It allows us to have a consistent message. That team was dedicated to creating internal documentation that we could use to fill out those questionnaires, to answer questions from the sales team. They were able to also proactively address issues by creating white papers, or doing trainings with the sales folks.
It also allowed the other folks on the security team to do their jobs, which was a big problem before. Our architects, instead of architecting, were filling out questionnaires and copying and pasting. Our application security folks were not doing application security, they were on phone calls. So this allowed them to dedicate their time to what their job actually was, and gave a better experience to our customers, which is really the end goal.
Quick summary. Security is an important part of the enterprise's procurement process. I think you all already knew that, otherwise I would never have been invited here. Be ready to address common concerns. Data protection, a holistic security program, and compliance. Compliance is especially important when you start talking to regulated companies. Financial firms, health care, etc. Then have strategies to establish trust with your customer.
Make sure that you have a good security program in place, first and foremost, and then figure out what your customers need and go about meeting those needs and meeting those expectations in a way that fosters trust, that fosters a good relationship with your enterprise customers.
There will be a time where something happens within security, because it always does, and you'll value those relationships that you thoughtfully built beforehand when you have to call them and say that something is wrong. Which hopefully never happens, but we all know that's not true. Thank you very much. I appreciate your time.