_This article was initially published here._

A conversation with Julie Tsai on her initiative of #ShiftLeft at Roblox. Julie is the Head of Information Security at Roblox — a wildly successful online gaming company.

Julie talks about the practice of shifting left in cybersecurity, the centrality of empowering developers through code analysis, interactions between red and blue teams and, as a bonus, security leaders she admires who could be role models for increasing diversity in cybersecurity.


Julie Tsai


This podcast has been reproduced below in an interview format.

**Alok** — Hello, Julie, how do you practice this entire concept of moving security to the left or, as it is popularly called, ShiftLeft?

**Julie** — Well, it comes back to the idea that security can only be done in its most efficient and most pure form when you're doing it at the root. So it comes back to the understanding that it has to get into the hearts and minds of all of your practitioners at the company, engineers as well as other people, in their day-to-day actions.

And inserting that mindset into how I incorporate a secure way of thinking at every step in the process, from product inception, to design and architecture, to when we actually discover that there are vulnerabilities in code and then being able to fix them quickly.

**Alok** — So what are your KPIs for judging the success of this process of moving security to the left?

**Julie** — I would look at two important metrics. These things usually tend to be a work in progress for every company, but, depending on the level of visibility and telemetry you have, I would look at the overall number of security issues that you're having, whether they're active incidents or potential vulnerabilities.

And then secondly, I would look at the level of vulnerability coverage that you have. There's a concept that when programs are first bootstrapping, in their innocence, groups are sort of blissfully ignorant of what is underneath the covers. But as you get deeper in your understanding of your stack and your entire operations, you might see an increase in issues and remediations, because now you have more knowledge. As you start coming around that curve, improving your practices and moving the thinking and the culture into a more embedded place, you should see an improvement in the overall number of issues, as well as an increasing understanding of the security status of the company.

**Alok** — Okay, so now, in terms of shifting security left, static analysis of code is coming across as a prominent choice of tool for empowering developers. Why do you think that is the case?

**Julie** — I think there are two major components to it.

One is the obvious aspect of coverage: you can't really know or manage things that you're not aware of. You may unintentionally create good outcomes or bad outcomes, but unless you know, it's not intentional.

I think the second piece to it is control. If the developers have the capability to know as they're programming, they have more capability of internalizing that knowledge as well as correcting it up front. So I think that's a major reason that static analysis and source code analysis matter.

#podcast #application-security #static-code-analysis #roblox #shiftleft

Podcast-Ep-7 #Shifting Left at Roblox — A conversation with Julie Tsai