Raj: Hey, hey, hey. Welcome to Security and GRC Decoded. I'm Raj Krishnamurthy, your host, and we have the awesome, amazing, and multi-talented, multifaceted Josh Bressers with us today. Josh is responsible for security at Anchore. He's a hacker, host of a hacker history podcast, and has led security and products at Elastic and Red Hat. Josh, welcome.

Josh: I'm so excited to be here, Raj. Thank you so much for having me.

Raj: No, thank you, Josh. So let's get started. Josh, before we talk about you, what is one controversial opinion that you hold?

Josh: All right, so I don't know how controversial this is, but I am of the opinion that no one will do compliance or security out of the goodness of their heart, that these things are generally second-order functions. Be it you have things like compliance or legal reasons, maybe your insurance is telling you you have to do it, or if we make it the easy way. This is where something like Rust is one of my favorite examples, where Rust automatically comes with a bunch of free security, and people aren't using Rust for the security. They're using Rust for all this other stuff. It's just that security kind of comes with it. And this is one of those things where I have the conversation many times, where there are a lot of security people that think, "Oh, people will do security because it's right." I'm like, "I don't think so. I think people will only do security if you make them do security or it's the easy default."

Raj: Okay, that's interesting. Can I call you the SBOM dude, Josh?

Josh: If you like. I mean, I would give that title to Allan Friedman, who's at CISA, and he definitely is the godfather of the SBOM. But I do love SBOMs. I do a ton with SBOMs right now. I've got the company I work for, Anchore. We do SBOM management. We've got an SBOM generator, an open source tool called Syft, that's very, very popular. I head up a group at the OpenSSF called SBOM Everywhere, where we're trying to bring SBOMs into some of the open source world, which is a bag of snakes in its own right. But then I also help out with various working groups, like at CISA, and kind of anywhere I can, just to further SBOMs, because I think they're really cool and I really like what we can do with them, and I'm looking forward to the things we can't imagine yet that we're going to do with them someday.
Raj: Totally. So let's talk about you, Josh. How did you get started in security technology?

Josh: I mean, that's a long story, but I'll give you the very short version. I am a child of the '90s, right? I'm a gentleman of a certain age, we'll say now. But when I really started paying attention to technology, it was the heyday of these hacker groups, like you had Cult of the Dead Cow and you had L0pht, and there was all this new technology and open source coming out. And, you know, when you're a poor college kid, a poor high school kid, and you want a development environment, you want a Unix workstation, and you don't have $45,000 to buy a Sun, all this open source, all this Linux stuff was really the thing to use and the thing to learn. And so I feel like I existed in this perfect nexus of amazing security people that I really wanted to understand what they did and be like them. There was this open-source universe that I loved and it intrigued me. And I'll never forget, when I was very young I would tell people I want to either do security work or I want to work at Red Hat, like that's my dream. And I ended up doing security work at Red Hat. So I'm like, nailed that one.

Raj: No, that's beautiful. And then you moved from Red Hat into Elastic. Is that right?

Josh: Yeah, that's right. That was a lot of fun. So obviously Red Hat, I was at Red Hat during, we'll say, the heyday of open source, where we had a lot of conversations where people would be like, "Oh, that open source thing, I don't know if that's going to catch on." And I mean, I'll never forget, I had a boss at my first job that was like, "You're a smart kid. Stop using this open source crap, like you're wasting your life. Windows is the future." And of course, being young and filled with passion, it's like, no, no, open source is the only way. We're going to win. And it did, I mean, thank goodness. But yeah, so then Elastic was kind of when all of the big data started becoming a thing, right, where we had the ability to ingest gigabytes and terabytes of data and start understanding it and knowing what it was. And so, you know, I won't say open source was boring, but I feel like we kind of figured out a lot of the open source challenges. So I'm like, big data, that's where I want to go next. And so yeah, I spent, I think, six years at Elastic and I learned an amazing amount. And even now I still run Elasticsearch in my basement, and anytime I see any data of any sort it goes into Elasticsearch and we start poking around at it. It's really a lot of fun. I love it a lot. And then I would say, once the data thing... I got my... cut my teeth in there and I started figuring that out, I feel like the whole open source supply chain SBOM thing became, well, I'll say hip. I don't know if I'd call it the hip thing, but it is where my interest went. And so then when Anchore called, I was like, ah, this is it. Like, I'm in.

Raj: Yeah. So you're a Linux dude, you're a security dude, you're an SBOM dude, you're maybe a supply chain dude. Let me ask, what is your opinion of the CrowdStrike Falcon... can I dare to say the fiasco? What is your opinion of that?

Josh: It was a fiasco for sure. I mean, it's amazing when one company has such market share that they can just crash the world, which is bananas. Funny enough, I went on vacation the week after that happened and I was flying Delta, and I remember sitting my family down and I was like, we might not get to go anywhere, like we're going to find out. And I remember we got on the airplane in the morning and we flew to Atlanta and I was like, we might be spending a couple days in Atlanta, just to prepare everyone. We didn't, thank goodness. We were very late getting out of Atlanta, but we made it out, so it was good. But anyway, so the whole CrowdStrike thing, I think this is a really good lesson in just the supply chain and safety universe, is where I would put it. And I bring up safety because anytime you have a system that fails... this is something that a friend of mine, Thomas Depierre, he wrote a blog post called "I am not your supplier" that is kind of his claim to fame. But he also does a lot of safety work and I've learned a lot from him and I talk to him whenever I can about this. But if you look at failure of complex systems, it's never one thing. There's always like 10 or 20 or a whole bunch of little things that all have to fail in their own spectacular way to come together. And CrowdStrike was very much this, right? How many times had they pushed out these sorts of updates to the world? Multiple times per day. And we've never seen an incident like this. And it was this combination of: it was a very specific kind of update, it had a very specific test that wasn't checking this one thing that they did, and it all came together. And I think this is kind of one of those lessons that we can take as, you know, GRC types, where you have to take a step back after an event like this and take a good look at it and say, how could we have made sure this didn't happen, and make sure it never happens again? Because I can promise you that particular failure mode is never going to happen again at CrowdStrike, guaranteed. There are other things that could happen, but that one is certainly not, right? They know what they did.

Raj: So what is your take, Josh, and I'm not trying to play blame games here, but is it Microsoft at fault for opening up the kernel updates to vendors, or is it the vendor's fault, CrowdStrike in this case, for doing a bad patch resulting in a blue screen of death?

Josh: I mean, you can blame everybody. You can blame the people who are running CrowdStrike. Why were these organizations running software in this way, that they weren't doing any testing on updates? They were just pulling this stuff in and deploying it. They didn't have the ability to fail over to something else. CrowdStrike, yeah, certainly should not have pushed a bad update. I mean, that's a no-brainer. Obviously Microsoft's, we'll say, difficulties in working with these endpoint vendors in the way the kernel's accessed. Yeah, but again, this comes back to, remember when I said when complex systems fail, a whole bunch of little things go wrong. Those are all of the little things that had to go wrong in order for this to fail. And so you can definitely spread the blame all over the place. I mean, fundamentally, at the end of the day, the view I take on things like this, and this comes from my days at Red Hat when we would ship a lot of open source software: if you ship it, you support it. So we can explain how everyone could have done different things, but I think at the end of the day, this is like, it's CrowdStrike's product. It broke. Yeah, you can blame everyone else, but CrowdStrike is holding the bag at the end of the day, I think.
Raj: Got it. No, that's an interesting perspective. Do you think sandboxing techniques, like, if I can use eBPF as a sandboxing technique that we have on Linux, something like that could have, not avoided, but at least mitigated some of these issues?

Josh: I mean, probably. Everything I understand from what I've read says yes. But at the same time, if you have a system that on boot is just instantly crashing or making things not work, it's not going to matter if it's sandboxed or not. I mean, if you have some sort of endpoint protection running in place and it doesn't allow any network access, who cares if it's in the kernel or eBPF? You've broken everything. I guess the one advantage is theoretically it might be easier to fix. Maybe, I don't know. But I don't think eBPF is necessarily the magic bullet that some may have claimed it was. We're just trading some problems for other problems. I think that the problems with eBPF are probably less horrific than when you're, you know, literally down in the kernel, but it's certainly not a silver bullet for this problem.

Raj: Got it. And so I think it brings us back to SBOMs. And for our users, listeners, what problems do you think SBOMs solve?

Josh: All right, so I'm going to define an SBOM first just to set the stage here for anyone who doesn't know. An SBOM, software bill of materials, and the idea being you have this document that tells you what is in a thing. It could be a computer can have an SBOM of all the software on the computer. You can have an application where, let's say I'm getting, we'll say, CrowdStrike from a vendor and they give me an SBOM and it tells me everything inside of that application. Because as we know, nobody's writing all their code. You're using like 80, 90% open source in every single public survey I've seen to date. The number is just amazing, how much open source is out there. Like, open source truly won. The dog caught the car. Now what? But it's absolutely everywhere. And so the purpose of this document is to help convey what are the parts I'm using to build my stuff. And this is not a new concept. When you buy, let's say, a lawn mower, it's not uncommon at all that in the back of the manual you have a list of every part they used. You have diagrams showing where the parts go. And of course this is often for maintenance reasons, that, you know, oh, this screw broke. What kind of screw was it? Let's go buy a new one. And it's the same basic idea for software, right? Like, why do we treat software as this magic black box that we don't know anything about on the inside, versus saying, I want to know what's in the stuff you're selling me, and then we can use that information to do things like say, when there's an incident with a Log4j, we can say, do we have Log4j running in any of our stuff? Have we ever had Log4j running in any of our stuff? The history of this is what makes it really fun, because these are JSON documents, you can easily store them. This kind of goes back to my whole Elastic universe. We can put them all into a system forever, and then we can query back and say, like, three years ago, what was I running in this application? Like, was Log4j there? And so that's part of the fun of this, is you can go way back in time, because they're not huge documents. They're very easy to store.

Raj: Got it. And I'm connecting this back to your earlier comment on Thomas Depierre, right, and the "I'm not a supplier" article. So are the incentives stacked well enough? Because as you rightly said, we consume open source at an extraordinarily high rate, right? And are the incentives stacked enough in the open source community to build the right software security products, and how do we go solve it if not?

Josh: I don't think so. The way I describe this is I say open source owes us nothing. These are people that have written software. They've put it on GitHub, they've added it to a foundation, they've done whatever. And if you look at every open source license that exists, at the very beginning in all capital letters it says this software is provided as is. There are no guarantees that come with this. You are using it at your own risk, essentially. And I don't think it's on open source to secure open source. I mean, I'm not saying they're running around trying to be insecure, but I think, especially with Log4j, we saw this a lot, where you had these Fortune 500 companies sending questionnaires to open source developers, and they're like, I work on this on Saturday afternoon. Like, I'm not answering your freaking questionnaire. Like, you have people who do this. Go figure it out yourself. And I think this is one of those instances of, if you ship it, you support it. It is not open source's job to do your homework for you. Like, you're using this open source. It is your responsibility to understand what am I using, and then at the end of the day I have to deal with the fixes, because I'm the one shipping product that contains this code.

Raj: Totally. And how do you see SBOMs fitting into the notion of supply chain security? Maybe it'll be helpful to first describe what is your notion of supply chain security and then how SBOMs fit into it.

Josh: I don't think anyone knows what supply chain security really is. I mean, look, the way I kind of view it is when we go from a developer working on a thing all the way to that thing going into production, be it I'm selling software to you, I'm deploying SaaS, I've got an API running somewhere, there are stages along the way, right, where you have a developer writing code, you have a developer pulling in open source dependencies, you send it off to CI/CD, you send it off to build, it ends up getting into the production system somehow, maybe you're compiling code. There's all these steps along the way. And I think we've created these very intricate and complex systems over the years, and we just kind of gave them all a pass for a long time. I mean, you probably see this all the time in the compliance world, Raj, where the focus, the obsession, is with the thing I've deployed at the very end, right? When you're going to get your FedRAMP compliance, when you're getting your PCI compliance, it's historically simply focused on the thing I deployed, right? It could be a complete mess over there to the left. We don't care, because that's not what we're auditing, right? My report doesn't say anything about what's going on over there. And so I think this whole notion of supply chain security is starting to lift that curtain and looking everywhere now. At the same time, I think we're seeing, you know, we've been talking about shift left for, what, like five years now, and there's this obsession with what developers are doing, but there's also a ton of stuff between developers and deployment that we're not paying attention to very well. I mean, if you look at things like the XZ incident, you had the SolarWinds incident, those were in the build systems.

Raj: Yep.

Josh: Who's talking about... I feel like sometimes this is madness, because most of the successful supply chain attacks are happening in the middle, between developers and deployment, yet our obsession is with developers and deployment, and it's like, look at what's going on here. So anyway, back to your question. So SBOMs, right? This is where we can do things like, we can take a snapshot of what is on the developer system. We can take a snapshot of what are the dependencies the developer is using. We can take a snapshot of what's in CI, what version of the compiler did we use to build this stuff. Like, if you ask most people that, they're like, I don't know, like GCC. It's like, no, no, no, that's not the version, that's the compiler's name. There are versions of it. And, you know, same thing where once you start to deploy things, you can say, this is what I deployed, this is what the system looked like I deployed it on. And then you can also rescan it and say, this is what it looked like today, this is what it looked like a week later. Why did all this stuff change? Nothing was supposed to change. And so that's really what SBOMs are giving you at this point. You take snapshots many, many times along the way, and now you're saving a reasonable size document, versus, let's say you're working with container images. If you have a 1 gigabyte container image and you snapshot it 10 times, now you're storing 10 gigs. Now do that five times a day and your storage costs get out of control. And so that's kind of the power of these things. Now granted, we have a long way to go. We are not in a place that we can do this successfully today without a lot of heroic and heavy lifting. But that is the idea, and I think that's what makes them so interesting and useful.

Raj: What scares me, Josh, are these transitive
dependencies and the depth at which you need to go, right? Because software is made of software, which is made of software, and it keeps going on. So any advice in terms of how people should think about this?

Josh: I mean, look, transitive or not, it's your dependency. Again, if you ship it, you support it. And this always amuses me, because I have this argument sometimes. People are like, "Oh, we're only going to scan the dependencies we added." It's like, "No, that's ridiculous. If you ship it, you support it. It doesn't matter if you added it or if something five layers deep added it." Like, you still need to know it's there. Now, there are some challenges, because let's say you have a security vulnerability in something five layers deep. You generally can't just go update that. You have to get everything along the way to update itself. So that's one of the challenges we see in this space that we don't necessarily have good solutions for. But at the end of the day, transitive or not, it's your problem. I don't care. Like, stop making excuses and fix your software.

Raj: No, I love what you're saying. If you ship it, you support it. I love it. I mean, that's a very simple, effective tagline. So is SBOM a security necessity for companies building commercial software?

Josh: It's becoming one. I think if you look at a lot of the regulatory landscape and what it's starting to look like, we're seeing SBOM demanded in more and more places. For example, in the United States you've got the FDA mandating them for device manufacturers. We're seeing the federal government saying, if you're a vendor to the federal government you need to supply us SBOMs. We all know how that works. It's an unfunded mandate.

Raj: So this is the executive order, yeah?

Josh: Yeah, right, exactly. Well, there's the executive order, but then we've got CISA has their SSDF questionnaire. You've got... I forget which organization it was, but they put out guidance that said every software vendor has to provide SBOMs to whoever you're selling software to. We're seeing things coming out of Europe. There's the CRA, you've got NIS 2. They're doing these regulations that are requiring SBOMs. And it's funny, because we chatted the other day and I said, "Oh, I forgot what CRA means." And I'll make sure I know. And I've already forgotten.

Raj: So, Cyber Security Resiliency Act.

Josh: Thank you. I always forget.

Raj: Cyber Resiliency Act? I don't think it is. Yeah.

Josh: Yes. But that's one of those things that are telling vendors in Europe, like, you need an SBOM. And so again, I think back to my initial controversial statement. You know, people don't do things unless they have to. And I think SBOM is one of those. Like, it's easy to say, "Oh, we should all make SBOMs." And we'll all say, "Yes, that's a great idea." But they're not free. Like, you have to have infrastructure to do this. You have to have a place to store them. You have to have a way to distribute them. And so when the hard problems show up, it's easy to be like, "Ah, we'll do it later, right?" And then later never comes. Versus when the government starts saying you have to absolutely do this, now it changes. Now, also, though, the way these are written is you also need SBOMs from your suppliers. So like, if I'm selling you software, you as a company are going to say, give me your SBOM, and then you give the SBOM, you know, you pass it on along the chain. So that's one of the things that we're starting to see in the space.

Raj: And do you see, maybe... I don't know if it's a controversial question or not, and maybe a dumb question even. Do you see publishing SBOMs as a security threat?

Josh: No. No, I don't think so. I mean, this is one of those things you'll get people arguing back and forth about. You know, it's intellectual property, what software I have, that the bad guys could look at it and figure out what's going on. I think security through obscurity has never worked. And I think this is the same thing. I mean, you can maybe make the intellectual property argument, where you don't want a competitor to know what open source you're using or something, but I feel like it's weak. But regardless, you don't have to publish an SBOM in public. You can just give an SBOM to whoever you're selling to, to your customer, and tell them, this is IP, you can't share it. And that's just the way it is. I mean, any sort of business relationship, we've got NDAs, we've got the protection of intellectual property. That's not uncommon. And I think this is actually one of the challenges SBOM has had, is in the early days when the NTIA in the US was behind SBOMs, they put out some guidance that sounded like you had to make them all public, which people got a little up in arms about. And that's not what their guidance was supposed to mean, but it's kind of how it looked. So there's lots of facts and things that say, "Oh, this isn't true at all." But, I mean, you know how things go. It can be tough to get those updated sometimes.

Raj: How do you generally rate the maturity of our industry, especially dealing with these risks?

Josh: I have a great question for you that will judge this. Is there a compliance standard I can follow that if I'm brought into court and sued because I have an incident, I can say I followed these best practices, I did the right thing, there's no case here?

Raj: There is no such thing, because every compliance report is co-signed, right, by the auditor who's supposed to evaluate risk, and by the management who's supposed to state that I provided everything to the auditor on which they are basing their evidence. So it's a shared responsibility, and each can escape the other, right?

Josh: And I think that's one of the problems. I mean, there are industries where you can show evidence that you've taken the, we'll say, correct precautions, and when the accident happened, it was not because you weren't doing what you were supposed to do in terms of, say, human safety or something like that, right? Versus, that's where you get into kind of negligence versus just expected failure modes. I feel like in the world of security, in IT security, we're still immature enough that we don't have the ability to say, if you take the standard and you follow these instructions, the odds of you being breached are going to go down significantly. Like, you see the same thing with insurance. How often do you see your cyber insurance provider say you have to follow this standard, because if you do that, you're not going to get breached as often? And we don't have that today. I'm hopeful we will get them, but that's kind of the thing I keep in my mind all the time, is the industry, I would call it mature when we have guidance that we know works. And I feel like a lot of our guidance often feels like, you know, kind of chicken bones and voodoo.
So maybe okay I I see your point So your point is that I think it goes back to the first comment that you made So your
point is that if with a proper regulation and I’m using the word regulation loosely and compliance
essentially an oversight body your argument is that a lot of these problems
can be mitigated Is that is that a fair thing to say I mean hopefully Now I I
will I’ll point at PCI as I think something that has shown promise I feel
like before PCI was as widespread as as it is you had horrific security breaches
where people I mean I remember a decade ago I feel like I got a new credit card every 3 months right And I I don’t think
I’ve had mine replaced in more than a year at this point which is I mean it’s pretty nice because it’s pain in the butt every time you get a new credit
card But I feel like PCI is one of those examples where some of this guidance appears to actually be having a positive
impact of what’s going on Now I’m sure I could find plenty of people to argue with me that that PCI is stupid and it
doesn’t do anything But like I’ve known I I you know what I have a story I can tell is I remember back in my early days
this was early early 90s I was working as an intern at a very tiny ISP and we
there was a a local marathon that was like we want people to be able to register online for the marathon and
enter their credit card number and then we’ll charge them We were just writing credit card numbers into a SQL database
Like there was no HTTPS that nothing was encrypted And I think about that and I’m like that’s nuts But I bet everyone was
doing that That was probably not uncommon right And now obviously PCI has guidance that says like absolutely not
You cannot do any of these things You have to encrypt the data You can’t collect entire card numbers You know
there there’s so much that you have to do And again I feel like when I look at like the credit card industry it feels
more secure than it did 10 or 20 years ago And so that I feel like is progress But I don’t always feel the same way
about all the other guidance Now I’m not I’m not dismissing compliance or security standards because I have no
doubt if we did not have what we have today things would be way worse than they are because like as weak as some of
these might be like as as nondescriptive as as ISO 27,0001 might
be I know we we chatted about that you know before the show It is very loose
and it is not well defined But I I think part of that problem is just we don’t
we’re learning right It takes a long time to figure this stuff out And you also the other challenge is in the world
of like compliance and standards If you put out bad compliance that’s sometimes
worse than no compliance And so I think they’re being very careful and measured
in what they’re trying to define versus being you know fast and loose and everyone being like “These people are
idiots We’re not listening to them ever again.” No I I love it Josh But let me ask you this How prescriptive should
compliance standards be Should they tell you what you should do I think yes Like I love the NIST 853
guidance I feel like it’s it honestly I think it could be more prescriptive in many instances I think I I love Fed RAM
for this reason Like when you’re trying to get Fed RAM compliance it is very specific about what you should or
shouldn’t do in many cases And I like that And the reason being how many security people do you know that you
would just say are completely overworked and they’re like running everything at 110% all the time right That’s that’s
every security person ever one of them And so by by not being very prescriptive
by be by having these more descriptive style compliance standards that puts a lot of mental strain on an already
mentally strained person And so they’re going to make mistakes They’re going to forget things are going to leave things out And yeah maybe auditors will catch
some of it maybe they won’t I mean when you have an auditor going through you know hundreds and hundreds of controls
they suffer from the same sort of fatigue everyone else does where I mean how many times have we been there where
just like copy paste copy paste copy paste whoops I’ve been pasting the wrong thing for the last 25 minutes I’ve got
to go fix them all you know because you just you you get tired and you don’t see these things and and you’re looking at a
sample of 20 for a size set of two two million 20 million records right Yeah Yeah Exactly Exactly
So I mean that that’s kind of my view on that But at the same time every environment is different and so it’s
very hard to have this very prescriptive guidance that says like you have to do exactly this because that doesn’t always
work I mean and again this I I’ll I’ll like turn the the light back on the ESBOM universe Like this is I feel like
it’s very it’s very understandable in that context where if you scan 10
applications and then you look at the software in them they might not have anything in common right Because they’re
like so grossly different So how do you provide guidance for those 10 things And now the the average enterprise has
thousands of things running at it Do you want thousands of different guidance documents for every one of those I mean
that sounds maybe worse I don’t know Maybe it’s better I can’t say That’s a beautiful argument But I feel that
you’re arguing on both sides Josh On one hand you’re saying it should be prescriptive On the other hand you’re making a case that it cannot be
prescriptive Yes I’m ex doing exactly that 100% Okay I’m not here Here’s how I
look at it though right As the person that’s trying to secure things I want very prescriptive guidance We I I have
customers that like we Ankor has their a a a product that does esma management We
do like vulnerability scanning policy enforcement things like that And our users say like I don’t want to figure
this crap out Like give me a policy that does what I want it to do They want something that has all the rules in
place and they don’t want to have to like read something and interpret it and figure out what it means right So as a
practitioner I want something to solve my problem But now as a vendor or as a
person existing in a world where we’re defining some of the compliance standards I understand the challenges
here Now how do we how do we bring these both of these sides you know kind of together in the middle I do not have an
answer for that But I think it is what we have to do We have to be more clear
because if we if we don’t have good guidance that really tells people like this is exactly what you need to do and
this is why you need to do it I think we don’t see the kind of progress we want to see If if a very smart person like
Josh does not have an answer who do you think has an answer I I don’t think anyone does I mean I think this is one
of the challenges you have when you have like a new industry I’ll I’ll tell you I I told you this story early but I I’ll
tell it for the audience So there is a a story I have about air brakes on trains
So back in the day when you see like the the old timey trains they had those like wheels on the top of the cars Those were
brakes and people would run back and forth on top of a train and they would spin those wheels to stop the train
because every brake was connected to one of those wheels and people would obviously fall off the train You fall off the train you’re dead Like that’s it
And it was horrific and there were lots of accidents and then someone invents air brakes and air brakes obviously
solved this problem because now people aren’t running back and forth on top of trains It took 80 years from the creation of the air brake until the the
regulators finally said like that enough like air brakes you’re using air brakes no more people on top of trains and how
how old is it I mean granted C is like 50 so we’ve got 30 more years to go
there But you know a lot of the stuff we’re doing it moves so fast and it’s so hard to keep track of And so that I
think is one of the extra challenges we have is it is really I mean like SBOM is a great example I I mean what 2 3
years ago most people have never even heard of them And now it’s something that gets talked about all the time Well
what does that mean How do we how do we turn some of the things we can do with SBOMs into you know useful compliance
into useful regulations and so we we don’t know today but now this is part of
the like human experience of being in any field is we have to learn we’re going to make mistakes we have made
mistakes we’ve made a lot of mistakes but that’s how it is but what we need to do is we need to make sure when we make
mistakes when there are challenges when things don’t make sense that we take good honest looks at them and say like
let’s figure out what happened and let’s make it better I do think in a lot of the computer security world and cyber
security we do not do a good job of learning lessons and making changes in
the future I think we could do better there and I think that would help a lot And what do you say to people
that this idea of compliance right or conformance stifles speed and innovation
I mean it might It probably does But that’s okay too right Because you need
some level of sanity I mean like move fast and break things is fun when you’re a social media site It’s not fun when
it’s my pacemaker you know I think there’s different levels of how things
work in the industries you’re in Like I don’t want my food manufacturer trying random things for flavors that no one’s
ever eaten before and we don’t know if it’s safe or not Like that’s terrifying right I mean honestly if you look at
food at the turn of the century in the early 1900s it’s kind of what they did I’m just like I just throw some of this
in there It’ll probably be fine And and it was horrifying right There were like people literally died And so I think
that’s one of the things we have to start reconciling is now that everything is becoming technology I mean you can’t
hardly buy a thing that doesn’t have a microprocessor in it now And so what does that mean How do we regulate it How
do we make sure we don’t kill a whole bunch of people And unfortunately an enormous amount of regulation is written
in blood And I would like to say that that it will avoid some of that but I I
I don’t know I mean I think history says we’re we’re going to learn some lessons and some of them are going to be pretty ugly Okay With engineers and product um
product guys right And even security compliance gets a very bad rap Why do you think that is the case Oh man It’s
totally our fault So so the stories I like to tell is I remember back in the days when I was a young security person
at at mostly at Red Hat is we would just show up and be like “Hey security’s here Everything’s going to be fine Like you
have just listen to us and we’ll solve your problems.” And developers were like “What are you even talking about Like none of this makes sense You don’t know
what you’re doing.” And I think security had this overinflated sense of importance for a long time And I think
we’ve kind of ruined our reputation quite a bit And so now when when you say like “Oh the security people are coming
They’re like h these guys like and and so I think the problem isn’t compliance
and the problem isn’t developers.” I don’t think anyone wants to develop bad code I think developers want to do things that help the company like being
compliant helps the company You can now sell to different markets You maybe have cheaper insurance whatever There’s a
million things that that it can be And so I just totally think it’s like that that whole attitude of security thinking
they’re smarter than everyone they’re better than everyone and just like get out of the way I’ll do it And no that’s not how any of this works And so I I
completely blame us It’s a human problem We screwed it up And I mean it’s funny because this is something I’m very aware
of And when I when I went to Anchore you know I’m like hat in hand all the time when I go try to talk to someone and I’m like
“Okay here’s what I see.” Like you you tell me like “Does this make sense Are we doing the right thing In our yearly
compliance training or our yearly awareness training that I put together which I I I do it myself because like all the awareness training I found just
infuriated me and I’m like screw it I’m doing it my on my own And and basically I I keep pointing out I’m like look if
something happens just come tell me I’m not going to yell at you I’m not going to make you feel bad Like I promise you that is some security people you may
have worked with in the past I am not going to do that And I try my best to be as approachable and polite as I can I
tell people like if you’re buying your parents a computer you can ask me for advice and I will help you And and a
bunch of people have done things like that where you know they’ll come ask me like “Oh hey I need a password manager for home My kid’s going to college What
kind of stuff should I do?” And I think that’s part of it is like I I work really hard to build that goodwill
because someday I do have to show up and be like “We have to do this horrible thing you don’t want to do We have to you know delay this release We we have
to fix this package You don’t and it’s going to suck and it’s going to break a lot of stuff.” But when when you’re a
friend and you’re working together that’s an easier conversation than when you’re an adversary and they’re just
trying to get rid of you Oh beautifully said So to the to the security guys and girls that are watching this and your
peers you’re basically saying get off the moral high ground That’s what you’re saying We have no moral high ground Yeah
it’s it’s we’re we’re all we’re all on the same team Like just work together And I know that’s easy to say It’s hard
to do And especially if if security teams have been burnt in the past or I’m sorry developers been burnt in the past
by security teams it can be really hard to rebuild that trust like it’s it’s really tough for sure You have said
before that SBOMs you see SBOMs as an observability tool Can you explain for
our audience Yeah Yeah for sure So this I ironically this kind of hearkens back to Elastic is Elastic was used for
observability of software being what I mean by that is let’s say I have an application running and I’m going to pay
attention to what the application’s doing like what is the RAM use look like how much processor is using what is the
disk usage like how long our function calls taking there’s lots of things you can do right you collect all this data
and then you can look and and see like oh we see this part of the application gets slower when this part of the
application does this one thing right because you can start connecting all these seemingly unrelated events and it’s
super interesting and super powerful and I think like software bill of materials feel very similar to me where we can
start looking at our software and it’s not the the executing part of it but rather the kind of development and how
it’s changing over time You can look at something like for example we could say we’re seeing developers are changing
this component on a regular basis like what’s going on why is that happening we can say we’re seeing like this new
dependency flowing through our systems like let’s understand what that means You could there’s so much information we
can start extracting from this and it it intrigues me like we don’t even know what we can do with it yet I mean I
think this is one of the things I learned from the big data universe is sometimes you don’t know what you don’t
know until you start poking at things and you look at trends and you can look and say things like something weird is
happening at 3:00 a.m every day in this application Why is that happening We could do the same thing with like an
SBOM You could say like why is it that on the 15th of every month we see all these dependencies start to change or
we’re seeing more dependencies added on a Tuesday or whatever like weird things And then we can start saying like why is
this happening And then once we start asking those questions we can start better understanding what our
development environment looks like what our supply chain looks like and then we can maybe make changes or maybe just be
aware that this exists at all That’s brilliant Josh I called you a Linux dude
Uh what did I call you SBOM dude Uh I I’m I’m a security dude And I’m going to
add a data dude to it Yeah I’m an arbitrary data nerd I love data Um it’s one of my favorite things It’s so much
fun Like one of my favorite things I do kind of on the side is I I have I have two two projects I like to do where I I
take all the CVE data and I put it into Elasticsearch and I create these like bizarre graphs Like actually um we’re
recording at the end of February and a couple days before we recorded the Linux kernel added 700 CVEs to the database
So when I’m looking at it like takes this huge spike up I’m like holy crap what just happened And then of course thanks to Elasticsearch I could figure
out exactly why that happened which is cool Uh and the other thing I like to do is I take all as much open source data
as I can find about open source projects There’s this thing called ecosystems Um a fellow named Andrew Nesbitt runs it
It’s this like public API It’s an awesome service and I download like as much metadata as he has about all the
open source projects and you can watch them grow Like there’s literally hundreds of millions of open source releases in the world There are tens of
millions of open source projects in the world Like it is mind-boggling numbers and you can’t like as a human you can’t
wrap your head around it You can look at graphs and be like oh look at it go it’s going up exponentially That’s great Like
what are we going to do about this And again though I think that’s where like the whole SBOM universe comes into play
is we can take this data and we can ask questions about it and we can say things like “Okay I have a dependency that’s
used by me and two other people That’s weird Like let’s figure out what’s going on here Did I just get hacked You know
have I downloaded the wrong thing I don’t know.” And so that’s where we can start combining all this data and really
having a lot of fun with it And I I just want to unpack what he just said because I think it is very profound What you’re basically saying is SBOM is loaded with
signals Oh yeah And it is and we we are still just trying to figure out what can
we infer from those signals and it can be huge That’s the point Yeah for sure For sure I mean I think today the the
the most common use case I see is just scanning for vulnerabilities where you say like I’m running version one version
1.5 has these vulnerabilities and they fix it in version 1.6 so I should upgrade to version 1.6 But there’s so
much more going on Like there’s so much fun data you can look at like how many files are there How big are they Where
did this stuff come from Like one of my favorites is we have this concept in our in the open source scanner Syft that
Anchore works on where we call them known unknowns where you have a container right And there’s obviously stuff in the
container and you’ve got like you know the the operating system packages let’s say RPMs or Debian images You’ve got
like the npm stuff you installed So we can look at like all these things that got installed as part of your expected
development universe But what about this other crap that isn’t claimed by npm or
RPM or any any sort of package manager Where did that come from And sometimes you look at it and it’s stuff like oh a
developer accidentally copied a bunch of crap from their home directory into this this SBOM you know into this container
And again that’s like some of the fun data we can unpack and unwind and and look at And um I I have a funny story
about that actually was um when I was at Elastic we had a release one time where
one of our customers we were not scanning with for we were not running an SBOM scanner at the at that time This
was way early days As scanners didn’t even exist honestly where a customer basically you know sends me an email and
they’re like “Hey why did the number of dependencies in this this thing you released double?” I’m like “What What
are you talking about?” And I went and looked I’m like “Oh holy crap they did.” And it’s because the developer accidentally packaged up all the
development dependencies with the production build And I’m like “Oh my goodness we look like idiots.” You know
and of course I made sure we weren’t going to do that again But you know it’s that kind of stuff where you can start looking at this and saying like “Our
dependencies doubled Why did they double What have we done We screwed something up?” Probably on a on a sidebar are we having
um a discussion around CVSS uh the CVSS scoring I mean the the
common vulnerability scoring system right Is there is there is there a big debate that is going on right now I mean
there’s been a debate for like a decade CVSS So we in in in the world of
vulnerabilities we love to crap on CVSS It’s not really CVSS’s fault So CVSS is
a scoring project from FIRST.org or which I’m sure I suspect a lot of people are aware of FIRST because they do a
whole bunch of compliance stuff but they have the the CVSS common vulnerability scoring system and FIRST this group has
created like this set of I guess metrics where you can say like this affects local network you you know you have to
be on the local machine it has oh I can’t remember all the all the
terms even now for it but anyway you you you kind of click all these boxes you say what the impact is you know like
does it impact confidentiality availability things like that very very normal GR RC things and then it gives
you a score and the score is intended to give you some sense of severity and of
course you’re supposed to apply this to your environment and understand how you’re using an application because like a good example is if I’m you know
writing a web server now we’re talking like network access versus if I’m just writing like
you know some tool that that runs against local data once a day like it
never touches a network those are very different situations and the CVSS scores are going to be drastically different in those two environments Now there is a
project called NVD the National Vulnerability Database that NIST runs and they take CVEs and they give them
CVSS scores and we hate their scores We hate them so much and everyone knows
about them But what happens is and this is I I partially blame NVD for this I
partially don’t Like they assume the worst They don’t know how you’re using that library So they just assume people
are like parsing data off the internet with it And so they obviously the scores are very high much higher than they they
need to be And so I think CVSS gets a really bad rap in that regard because
what what we actually don’t like is we don’t like the way NVD is scoring things The problem isn’t CVSS
Got it And and and FIRST.org also publishes a model for exploitability
right a 30-day exploitability Uh EPSS EPSS Exactly So does that help does that
help address this issue I I I think so I mean so what we’re I think where we are
right now in the world of vulnerabilities is everyone is trying to find ways to prioritize this stuff We
used to just use CVSS and I think it has become abundantly clear that CVSS is a terrible way to prioritize
vulnerabilities And I suspect all of the people who work on CVSS would agree with that statement 100% they’d be like “Stop
using this to prioritize vulnerabilities Like please stop stop hating us.” Um but
so EPSS is they’re looking at all of this kind of public data and it creates a a score between zero and one of how
likely is it that this vulnerability is going to be exploited in the next 30 days One being 100% because there is a
public exploit And obviously zero nothing is zero but you can be very very low And the number of things that are
highly ranked is very low because if you look at all of the data that’s out there it’s like 3% of vulnerabilities are ever
exploited in a given year Like the number is very very low Yet we’re running around crazy over every
vulnerability all the time And so the intent of EPSS is to start giving us this sense of like how important is it
going to be for me to fix this vulnerability Because the other thing the other thing that I think this also makes people hate security people is
there’s this like notion of zero CVEs that that comes and goes every couple of years and it it’s it’s hip again Zero
CVE is just a fool’s errand right If that’s your if that’s your goal like
you’re going to hit zero CVE but you’re not going to do it in the right way This is 100% you know that that situation
where you just have these perverse incentives like the Cobra effect is one of my favorites right where it was uh
back in the many many years ago you had the British government telling you know folks in India if you bring us a dead
cobra we’ll pay you well you know the Indians being the entre entrepreneurs they are they started breeding cobras so
the cobra problem was way worse not better because now and then of course when the British government found this
out they’re like oh we’re not paying anyone they just let all the cobras go now it’s like way way worse than it was before you know and and I think the
challenges we have now is just how do we take all this data how do we take everything we understand and how do we
start making good decisions about it and we’re we’re we’re learning I mean there’s we have a long way to go but
there’s definitely a lot of interesting things happening in this space So I I feel like it’s better than it was a
couple years ago but I wouldn’t say it’s a solved problem at all Okay I want to come back to SBOMs Why are SBOMs so
difficult to generate Because software is complicated I
mean it’s getting easier There are many scanners that are doing a nicer job
We’re seeing some of the like packaging ecosystems are starting to just make
SBOMs for you when you like Python is one of these that they’re just starting to add that ability into their build
tools which is 100% the right way to do this You’ve got other environments So like for example if you have C code
like where did that C code even come from You probably don’t remember I mean I’ll never forget I worked at a company fresh out of college that we had a a C
library in the product and one day I was like “What Where did this come from?” And they’re like “No one knows.” Like we
just have it Don’t ask questions Build it It goes in And it’s one of those things like “What What is this Where did
even and and in C that’s much harder.” Now there are a lot of tools like the the Anchore tool Syft makes it very easy
I’m not saying it’s perfect but we’re working really really hard to find more and more things and it’s constantly
evolving And I think making an SBOM today is a thousand times easier than it
was 5 years ago And I have no doubt in a couple years it’ll be a thousand times easier than it is now Like we’re making
a ton of progress in this space So it’s easy to crap on SBOMs and say “Oh the scanners all suck and the data is bad and whatever.” Like to a degree but it’s
getting better And this is definitely one of those instances where like if you run an SBOM scanner and it doesn’t find something report it It’s a bug
right Report it as a bug And and like I from our perspective we love those bugs like yeah we’re totally going to figure
out why it did that and and what we can do to make it better And and now at the same time there are things that are very
complicated that you’re never going to be able to scan And there’s um there’s a project at the Linux Foundation called
the Yocto project This is where they build like an embedded version of Linux that you can run in with IoT type stuff
They have instrumented their whole build system to output SBOMs as part of the process because they know the thing they
output is this just unintelligible piece of binary stuff Like there’s nothing to
scan There’s nothing to figure out So they’ve said we’re going to do this for you and we’re going to give you an SBOM
so you know exactly what it is If you build it you support it right Or if you ship it you support it I should No
that’s that’s beautiful because that was going to be my follow-up question So if I build compile especially for compile systems if I build a binary from go and
delete the go.sum and the go.mod what do you go scan against So actually go has done an amazing thing Your
example is really good So go has augmented the
compiler to add in information about which dependencies were included in that
build Now grant you can turn that off so you have smaller binaries but for most of us we want that data So actually when
Syft scans Go material we get way better information out of that than we do out
of almost every other ecosystem that exists because the Go compiler puts all of that information into the Go binary
itself It’s amazing That’s beautiful So I want to come back as a from a compliance perspective Josh how and
maybe it’s from a security perspective as well From a security and a compliance perspective how do we accelerate this adoption of SBOMs what can we do as
practitioners as comp um and what can companies do I mean I think at this
point companies need to follow the law Like that’s the I I don’t think the question is how do we accelerate it It’s
going to be how do we how do we do this in a way that keeps us compliant because
it’s coming Like every industry is starting to worry about this stuff and I think we’re all going to need it And now
as I’m sure you’re very aware Raj as humans we love putting things off until the absolute last minute Like it always
amuses me when there’s some new compliance standard is is being enforced Um my favorite was what DORA just just
went into effect in the EU And I had someone email me like a week before DORA was supposed to be on like “Oh DORA’s
coming What do I need to do?” I’m like “You need to go back in time That’s what you need to do You’re not getting this
done in a week.” But I I think from the SBOM perspective it’s really about you know understand the industry you’re in
Understand some of the compliance requirements and expectations that are
that are coming your way Like none of this is new we have years to prepare and
you know you know what’s coming if you’re in the industry you you pay attention and so I think what it really
comes down to is just understanding your environment and then finding tools that will help you create the SBOM for the
thing you have no one is saying you need a perfect SBOM they’re saying you need an SBOM right and it needs to be good
enough I mean this is all compliance right like there’s no such thing as perfect security you just need to make sure it’s good enough to pass the audit
and and comp and SBOMs are going to be the same story like there are lots of tools there’s lots of open source tools There’s lots of vendors working on this
stuff Like I work for a vendor working on this stuff We even have an open source tool We try to make it easy to
use And so like step one is just just start doing it right Just go make an SBOM scanner run it on your stuff and take a
look and see what you get And then of course there’s iteration and we need to improve And we need to figure out like
where do we need to be to make sure that we’re following this regulation that’s being in you know forced upon us by
Europe or the FDA or our our large customers or or or whoever And it it’s
less hard than it was even a year ago I would say So if you you kind of took a look at this and you were like “This is
ridiculous I’m out.” I would take another look I think things are getting better fast and I no doubt in a year or
two it’s going to be even better than it is today You ship it you own it for
uh yes that was your that was your your statement You ship it you support it You support it Okay You confuse me Yes I
mean Yep What do you see as the role of generative AI large language models
small language models in software supply chain I mean I don’t know I wonder this a lot actually There’s there’s an
article I just read this morning where Nvidia actually has a an a tool they
call Morpheus and and actually Anchore is in their tool chain of this this thing But what Morpheus does is they scan like
a container image because Nvidia has this thing that they have this like big container registry for all this
generative AI work they’re doing And they scan these images and then they get the the the vulnerability list right
And they built this tool called Morpheus that basically looks at these vulnerabilities It it goes out and
collects as much information as it can to put together some you know detailed descriptions of what they are using
their Gen AI And then it can also basically look at the thing it is in and
make some determinations about how is this piece of software used in the larger container in the larger you know
product or or project or whatever it is And then it tries to prioritize this stuff And the intent isn’t to like
automate the fixes It’s to help humans figure out like what are the things I need to know And I feel like automating
fixes in a lot of cases like we have Dependabot at GitHub That works great That I think is less interesting now
versus being able to use some of this technology to make to just help weed
through the trash Like there’s so many CVEs there’s so much vulnerability information and it’s really hard to
figure out what some of this is And so I’m really intrigued by what we can do But now that said one of the challenges
of security is there are certain things we have to not miss because they can be
catastrophic And I also think in many instances some of the generative AI will
say is not predictable or accurate enough that I would necessarily feel comfortable only using generative AI But
I think when it comes down to trying to understand and unwind some of these technical details it has some I I think
there’s purpose I I think there’s potential there So we’ll see I I I’m
very interested and I’m hopeful We’ll say cuz while drowning I love your
example So essentially I think you are saying generative AI especially in the world of SBOM supply chain can help you
narrow down on the signal to noise ratio because which is a huge problem Okay Yeah I I agree There’s so much noise
It’s so hard to figure out what is and isn’t noise in this space And I mean I feel like most of the tooling everyone
is working on goodness knows I am like the the tooling is more about at this point weeding out the noise than
anything else Got it We are approaching the end of the segment Um Josh um
for the new person who wants to enter into this field right What is your
advice to them How they can how can they become the next Josh Bressers Oh goodness don’t do that Um I mean in all
seriousness that’s one of the funny things that I’ve talked to many other geezers about is like we didn’t have any
education There were no certifications There was nothing Like we we it was all trial by fire So like the the way I got
to where I am shouldn’t will never exist again and goodness know should never exist again because like it was security
This all was so new and it was so weird and so crazy I mean there’s a lot of good ways to learn about anything you
want now right There’s so many working groups There’s all these communities and places like Reddit and Discord and
there’s Slacks there’s local university meetups There’s so much to learn from
this And and I feel like step one is just you need a foundation in technology right If you’re not if you don’t know
how a network works you cannot do network security by definition Like that’s just that is the reality Whether
you want to believe me or not that is how it works So you need that that foundation in just technology and the
things you’re interested in And and likewise if you’re interested in something it’s not a chore right You like learning about networks you like
learning about microprocessors you like learning about you know secure development whatever And then I think
it’s a lot of just knowing just meeting people and having discussions and figuring out what you can learn and how
you can learn it I learn more from the people I know than from anywhere else because someone will send me a link and
say “Hey look at this article I found Hey you should read this book I really liked it.” And I think the people you meet is the most important aspect And
this is true of any field This isn’t just security But the people I know are far more valuable to me than almost
anything else is because I can ask questions I can teach them things when I learn something new I mean it’s very
human that when we do a thing we want to show someone like who who can I show this cool thing I just did You know it’s
and that that I feel like open source is very much that of like look I built this cool thing everybody Isn’t this neat and
and so you get that and and I think like even open source is part of the story There’s so many open source tools
There’s so much open source stuff like you can get involved use it like sometimes like using a tool and writing
a blog post about it Even if there’s a million blog posts like you will learn as you write and there is someone who
will find value in that And so it I I feel I feel like this is a non-answer almost But it’s there’s so much going on
There’s like no one way Like yeah you can go to school you can go to meetups you can read books but at the end of the
day all of that is really going to come down to the people you meet and the people you know I think I think that’s
actually a great answer And any call outs for any specific open source projects in security or compliance Well
I mean obviously Syft and Grype are the two that help feed my family so I like
them a lot But then I I think from kind of a just a compliance perspective you’ve got all of these organizations
like I I I help out at the OpenSSF And now granted I complain about the OpenSSF all the time I’m not saying they’re perfect and I could I we could do a
two-hour podcast just about my complaints about OpenSSF projects but there’s all of these groups like like
FIRST is another good example like you can join first you can get involved you can be a part of this and you’ll meet
people along the way which is part of the fun And so there there’s a lot of that but when you look at just kind of
open source it it depends on the area you’re interested in I mean from the perspective of like you know SBOMs and
and supply chain and all of this you’ve got you know there there’s these tools there’s a tool Google’s working on at
the opens stuff called guac guac which is like why you can’t even user
artifact composition something like that well done yes um I I it’s funny cuz the
guy who created I’m like Brandon you can’t name something guac I cannot find this
but but like you know it’s a great way to you know collect all the supply chain information you can visualize it and you
can understand it better and it’s really really interesting and there’s oh goodness what else is there there there’s a really cool project I’m
starting to work on um at part of the ESOM everywhere working group at the open ss staff where we’re calling it the
catalog very well we’re very good at naming things but it’s what we’re doing is in fact we’re using genai as part of
this project where we’re trying to find all of the like sbomb related tools and sbomb adjacent tools then we use genai
to help write descriptions and and we find some capabilities so We’re talking about literally hundreds and hundreds of things at this point Like we’re we’re
past the point where humans can actually do this easily Genai creates a descriptions and then it’s it’s a
website that you can like say I’m looking for an SBOM tool that generates like spdx sbombs for Python packages and
it’ll show you all the tools that can do that thing right And then there’s also like we put some fancy buttons in it so
you can like make edits and you know correct text and because we we know the gen AI is not going to get it right every time and that’s okay too Like our
intent is we love to just generate the stuff as humans go and fix it for us But we’ll get there I mean it’s it reminds
me of what’s that that law that says the easiest way to get isn’t to ask a question on the internet It’s to give
the wrong answer and someone will correct you Like it’s exactly the same idea But I I I mean oh man And and I
guess the other piece of that I would say is I’m an avid podcast consumer And
so I mean I call obviously this this podcast I’ll assume people are already subscribed if they’re listening but it
it’s a lot of fun and but there’s a handful of other things I love like there’s I like a lot of just random
space podcasts like Universe Today is one of my favorites I love um Paul Acidorian has Paul Security Weekly and
like his whole universe of that like that’s super fun They’re a great crowd I’ve been on that one a couple of times and a it’s always so much fun But then
there’s like um one of my favorites was Yahoo Paranoids used to have a podcast that was just like oh it was so good Um
unfortunately that one that was falling away but there’s just there’s so much media There’s so much fun stuff I I
can’t even I can’t even pick one Raj just there’s just there’s too much stuff you know and and that’s part of the fun
and again this is where knowing people I have people come to me all the time and say hey you should listen to this podcast like um in fact it was uh one of
my favorites right now It’s called security cryptography whatever and it’s incredibly technical It talks about
cryptography all the time I don’t even know what the heck they’re talking about half the time but it’s fun to listen to And that one was like I I was on Paul
Asidorian’s show and before we hit record he’s like oh I I found this podcast You should listen to it I’m like holy cow it’s awesome I love it You know
and that’s one of those things like there’s just so much cool stuff and ask the people you know for more cool stuff
cuz they’re going to they’re going to tell you what it is I think we should get the get this list from you and we would love to sort of put this as part
of the podcast so that people can see this Josh Yeah for sure You have so much information packed there Uh one final
question and I think you sort of already answered it other than the podcast Do you follow uh do you read read books
Read any books Follow any authors Follow any mentors Anything that you want to give a shout out I read so many books I
love I love reading it It’s super fun Um the the the one shout out I would give so I read a lot of technology books
obviously and and the one I would say everyone should go read if you haven’t read it is uh Joseph Men wrote a book on the cult of the dead cow which is
phenomenal and it was really good and that was like that was my growing up as a child like everything in that book I
remember all of it which was really cool but then I I also like to not read
technology books necessarily like it’s funny I had someone once asked me like what’s the best management book you ever read and I said Moby Dick He’s like what
Like I’m serious Like read Moby Dick and pay attention to like the management structure on that boat Like it is
horrifying Like it is the perfect example of what not to do you know And so I I think there’s a lot of value in
things like that Like I love reading science fiction I’ve been reading The Wheel of Time for like years at this point but I’ll get through that someday
But then um yeah it’s just again everything I read is because someone I
know said I should go read it and and that it it’s fun cuz then also when I read it I can go talk to them and be
like oh I read that book you told me to read and I you know this is what I thought about it this is what I liked this is what I didn’t like and it’s super fun then I will send you a book I
don’t know if you’ve heard of it Peter Singi wrote a book called the fifth discipline Peter is uh the what he’s
considered the systems engineering guru but there is nothing engineering about it and it it is sounds more
philosophical than engineering and I would I would love to for you to take a look at that book and you know give us
some feedback I’m excited Yeah definitely send it along Again this is the fun Raj Like people tell you things
and and it’s way more interesting than trying to find it on your own I love it Uh Josh this has been super super fun
conversation It’s been great Thank you very much Awesome and make you right