Over a hundred girl geeks gathered at Palo Alto Networks to hear from Liane Hornsey (Chief People Officer), Nir Zuk (Chief Technology Officer & Founder), Citlalli Solano (Director of Engineering), Archana Muralidharan (Principal Risk Analyst), Meghana Dwarakanath (Manager SQA Engineering) and Paddy Narasimha Murthy (Senior Product Manager) on April 25, 2019 at the beautiful Palo Alto Networks campus in Santa Clara! Palo Alto Networks is making the world a safer place. These speakers talk about how they design, build, and maintain software with a security mindset in every function and capability. Get inspired and armed with Palo Alto Networks’ security-first mindset (vs. security as an afterthought).
Transcript from Palo Alto Networks Girl Geek X Dinner:
Angie Chang: My name is Angie Chang, founder of Girl Geek X. I want to thank you all so much for coming out tonight to this beautiful Palo Alto Networks campus inside Santa Clara.
Angie Chang: Thank you so much to the Palo Alto Networks for sponsoring. I’ve never been here and the campus is amazing. This space is beautiful. We’ve had so much fun meeting people here, checking out the demos, eating delicious food and drink. Now we’re really excited tonight to meet some of the people who work here, talking about their expertise.
Gretchen DeKnikker: Angie was going to tell you this part but I’m going to tell you. Okay, did you guys see all the cool stuff? There’s a photo booth here, over there and you can do that. Then you can make a little flip book where you move and then they’ll make you a little flip book on the spot.
Gretchen DeKnikker: There’s demos back there, which seem to be fabulously popular. Got the little cards. There are recruiters all over so if it seems awesome here, and it seems pretty awesome, the food’s awesome, everything’s awesome so far, right? Yes?
Gretchen DeKnikker: Yes. Okay, so if you want to work here, they’re also hiring. Then you can work with some of these amazing women that you see here tonight. Girl Geek, we do these every week. Who is here for the first time?
Gretchen DeKnikker: Okay, cool. We’ve been doing these for about 10 years. We’ve done over 200 of them. We do them every week now up and down the Peninsula, in San Francisco. If this is fun, make sure you’re on the mailing list and come to the next ones.
Gretchen DeKnikker: We also have a podcast, we just got it going. I think we’re on episode eight. What was it about?
Gretchen DeKnikker: Tech stayers. Yes. Don’t leave. Tech stayers. But there are ones on impostor syndrome and mentorship and career transitions and learning styles and just like, so check it out, it’s on all of your usual podcasting places, and then let us know if you like it or what we could do to improve it because we’re not podcasters, we have no idea what we’re doing. We’re just talking. Like I am right now.
Gretchen DeKnikker: Without further ado, thank you guys so much for coming tonight and I don’t know who I’m turning this over to.
Varun Badhwar: I’ll take it.
Gretchen DeKnikker: Okay. Let’s welcome the man to the stage.
Varun Badhwar: Thank you. Privilege to be here. Good evening, everyone. Really an honor to have all of you here. My name is Varun Badhwar. Figured I’d just spend a few minutes sharing a little bit of my story. I’m six months or so new into Palo Alto Networks. Came in through an acquisition, actually. Palo Alto Networks recently acquired a company called RedLock. I was the founder and CEO of that company. As a startup, one of the biggest things that makes you successful, brings the teams together is really the culture, right?
Varun Badhwar: A lot of people, there’s no product, there’s very little salary we can pay people, the office isn’t as nice as this, but ultimately we join companies for the people we are going to work with and really a grand vision of a problem we’re going to solve. That problem for us was securing the cloud. As you’re doing that and as you’re building… For those of you who are not familiar with cybersecurity, normally in this industry, if you’re successful, you likely end up getting acquired by just potentially six or seven companies that can do that.
Varun Badhwar: For me, a lot of people have said, we were only three years into building RedLock, so how did we end up here? Why did we make that decision? Ultimately, Palo Alto Networks, for those of you not very familiar with the company, has always been at the very top of that list for us for a couple of reasons.
Varun Badhwar: One is you’re going to hear from our founder, Nir, and the team. Just incredible pace at which Palo Alto Networks has disrupted the market, has taken a leadership position, now is the largest pure-play cybersecurity company on the planet.
Varun Badhwar: More importantly, all of that has been done with only 6,000 people in the company, right? Larger companies in security have 80, 100,000 people. For us, it’s been fantastic. You come in, you get the best of feeling like a startup operating really rapidly yet having a culture, and having values that are very startup-like. Everything from empowerment for the teams, empowerment down to individuals working in this company to–
Varun Badhwar: I’ve just been fascinated with how important diversity has been to this company. Obviously this is one small commitment towards that. But as I come in here and I’m asked to go work towards our annual conference, which is Ignite, that’s happening next month. From the number of attendees, our customers that are coming and tracking diversity statistics there, to how many speakers we’re bringing to the table, we have advanced diversity there, diversity in hiring, and diversity obviously is about professional backgrounds–
Varun Badhwar: Maybe, heck, if you look at our CEO, he never worked in cybersecurity before this, he came from Google, right? He’s a first-timer in cybersecurity, so for those of you who say, “This feels like too geeky of a space.” Not really. I think we really appreciate diversity. Whether you’re coming from a consumer background, enterprise background, you get race, ethnicities, values as well.
Varun Badhwar: I don’t want to take up too much time here. Just articulating a couple of things. One, phenomenal company. We’ve loved the last six months. My teams tell me we are working harder than we did at a startup and having a lot more fun. The fact that the values are so aligned to–what I think a lot of us love probably the companies we’ve worked for. The intersection of just cybersecurity, and specifically for my part, cloud is just so fascinating. It’s a cat and mouse game, security. You’re never done building products that work well. You’re always against forces that are from–Maybe Nir will touch on, it’s a good topic for him.
Varun Badhwar: There’s people that are putting more and more emphasis. Attackers are trying every which way to get into people’s environments. They just need to be right once, we need to be right every time with the products that we build, right? Really an amazing career opportunity. Again, want to thank you all for coming here. Hopefully, you’re going to learn a lot about secure development, secure design, how security is just such a core part of development life cycles. I will pass that over to Liane and Nir.
Liane Hornsey: Hello, everybody. I am the Chief People Officer of Palo Alto Networks and honestly, I love moments like this, and I really love moments like this because I’m in the company of a lot of technical women. I always feel, oh gosh, they’re so much better than me. They’ve got all these skills I haven’t got. They know how to code, they know how to build product, they know how to make things happen, and I work in HR. But I also think and feel very, very humble when I’m with technical women, that it is also harder for women in technical jobs to come to work each and every day. It’s harder for them than it is for me.
Liane Hornsey: When I walk through this door, I walk into a function and I’m surrounded by other women. I am not surrounded just by people who are different to me. So I don’t carry that burden of being different as I walk through the door, in the same way as many of you do. Because you work as a minority in many of your teams. I’m doubly in awe, because you can do all these things and you have all these skills that I don’t have, and you have that additional, not burden, but that additional concern of being different.
Liane Hornsey: Now, I have only been at this company for seven months, a little like Varun, about the same time. I joined this company, honestly, not really knowing much about this company. But truly, I have come to love this company with all my heart. I really love this company, and I want to tell you why. Partly it’s this, I truly believe you have to work for a company that is doing good stuff.
Liane Hornsey: Every night I drive home and I turn on my radio and I feel just that little bit less safe. Every day I think about my children online, who are a bit bigger than your children. But I think of them online, and I think about their safety. Every day, particularly as a European, I think about the importance of cybersecurity. I know I am working for the good guys and I’ve got to tell you, that feels really very, very nice, but it’s not just about what we do. What I really love about this company is how we do it. When I first came here I met my team and the first thing they said to me is, “We don’t have D&I here. We don’t have diversity and inclusion.” I’m like, “Whoa, bit weird,” and they said, “No, we have inclusion and diversity.” Then I thought, yeah, yeah, that’s a bit of a fad. You’re just changing the words around.
Liane Hornsey: But I do want to impress something upon each and every one of you. Diversity and inclusion does not work. There is no point putting in more underrepresented minorities into companies that can’t change and make them feel welcome. There is no point pulling more women into technology, if you can’t make them feel like they can bring their whole selves to work each and every day.
Liane Hornsey: For me, it’s not the diversity agenda. It’s about the inclusion agenda, and that is what Palo Alto Networks is going to be known for. That is what we are going to do that is different and unique. I don’t believe there are companies in the valley that have solved the diversity and inclusion issue. We all know we’re spending a ton of money each and every year trying to encourage minorities, trying to encourage more women, trying to encourage difference and we’re failing. And we’re failing, I realize now, because we are doing it wrong.
Liane Hornsey: It’s about time we understand, each and every person in this room, even if we’re united largely in agenda, we are not the same. I am not the same as every other woman in this room. I am an individual. I am unique, and I am special as are each and every one of you, and that is what Palo Alto Networks is going to be about. It’s going to be about over the next couple of years, making sure that each and every individual that joins this company feels special, feels that they’re doing amazing blooming work, work that will change this world and work that will make everybody safe, and that we can all be whoever we want to be at work. I think if we crack that, we’ve done something pretty darn good.
Liane Hornsey: I’m not going to say much more to you. I am so glad that you’re here. I am so glad you can see everything, that’s wonderful. But I’m most glad for you that you can hear from our founder. In my career I have worked with a number of founders, and I’ve got to tell you, it is not always a joy. They can be a little unusual. This time it’s an absolute, an amazing joy, and I’d like to introduce Nir.
Nir Zuk: Thank you, Liane. Thank you all for being here. I’m Nir, I started this mess about 14 years ago. We got funded about 13 and a half years ago. We’ve been selling products for about 12 years. Like Varun said, we are the largest cybersecurity vendor in the world today; we’re also the largest cybersecurity business in the world. Even businesses inside other large companies are smaller than us, and these businesses have been around for 25, 30 years, sometimes even more than that.
Nir Zuk: How does a company that’s only been selling products for 13 years become larger than companies like Cisco and Juniper and Symantec and other large cybersecurity vendors? Of course, it’s through disruption, right? To disrupt the market, you completely change the market, and maybe I’ll say a few words about disruption.
Nir Zuk: The first thing about disruption is that it’s a weird thing. It’s not like it’s… The way you disrupt the market is not by building a product and starting to sell it and then figuring out, wow, I disrupted the market. It’s actually the other way around. You find the market that’s ready for disruption. You find the reason why it’s ready for disruption and you address that, right?
Nir Zuk: If you think about it, some of the companies that you work with and a lot of the companies that have changed things like the taxi industry, and the hospitality industry, on the consumer side, and then companies that have changed the way we do HR and the way we do salesforce management and CRM and the way we do IT operations and so on, they were all going into markets that have been doing the same thing again and again and again and again for many, many years and found the reason to disrupt those markets, disrupted the markets, and have been successful at that. We’ve done the same thing.
Nir Zuk: The next question that I always get asked is, how do you make sure that nobody comes behind and disrupts you? It’s not easy. The thing about disruption is that when you face disruption as a large company, it’s very, very difficult to deal with that. It’s very difficult to deal with disruption because you have two pretty much bad options. The first option you have is to embrace the disruption, meaning to say, wow, this is very disruptive. Everything I’ve done so far is irrelevant. Let’s embrace the disruption. The challenge, especially as a large company, as a publicly traded company and so on, is that that really kills your business, and you have to start again. It’s not that you start from scratch, but it’s enough that your revenues go down 2, 3% and you’re done. Right?
Nir Zuk: Embracing disruption is hard because you have to start convincing the markets that you are disruptive and then you have to go and sell them something new while they don’t buy your old thing. Then you can fight the disruption, but if the disruption is real and true, then you’re going to eventually end up staying behind, which is really what happened to our competitors when we started disrupting the market. They all fought the disruption, they all went through the five stages: first denial, right? Nobody needs it. Then we do it too, and then eventually it’s, okay, let’s go and find something else to do.
Nir Zuk: To make sure that we don’t get disrupted ourselves, the only logical way to do it is to disrupt ourselves. Keep looking why the market is ready for disruption and going and disrupting it at the risk of hurting your existing business, which we do. We keep doing that all the time and we don’t have time to talk about it right now and today, but we keep disrupting the market, we keep changing the market and changing the way the cybersecurity market works. I think that that’s the first thing that we’ve done.
Nir Zuk: The second thing that’s interesting about the cybersecurity market is that when we started, it was made of two types of companies. It was made of very large vendors. Again, I mentioned some names, Cisco and Symantec, and there’s another company that I used to work for in the past called Check Point out of Israel, which is also a very large vendor in the industry. There’s McAfee, and Juniper used to be a large vendor in the industry, and there are a few others, and they all sell products that are very, very successful, but really aren’t doing anything to secure their customers. In fact, they all sell products that we call firewalls. You’ve probably heard about firewalls and everybody knows that you need a firewall, it’s just that a firewall is not going to make anyone secure.
Nir Zuk: Firewalls are not a security product, they are a hygiene product. Saying that a firewall is a security product is like saying that soap is going to make you healthy. It’s a hygiene product, it’s not going to make you sick, but it’s not going to make you healthy. You’re not going to prevent some of the most important diseases. Right? That’s one set of companies.
Nir Zuk: The other set of companies that we saw when we started the company 14 years ago was the innovative companies, the companies that actually do something for their customers to stop the bad guys and to make the world safer, but those companies just never took off. There was this disconnect between the two when… and part of it is because it’s very hard for customers, especially very hard for organizations, to tell what’s working and what’s not working. Like how are you going to evaluate a cybersecurity product? Are you going to hire a bunch of hackers and pay them a lot of money and go create an attack against yourself and then see if the product… Nobody does that, right? Usually you get a script from the vendor and you follow the script, then guess what? It works, right?
Nir Zuk: When we started the company, we decided to be different. We decided that we’re going to build a product that is both going to be big, and is going to actually do something for our customers, and that’s part of our culture. There are other things in our culture that I think are very important. But I think… and I’ll talk about them in a second, but I think the most important thing in our culture, or about culture, is that we strongly believe that cultures create companies and not vice versa. Meaning it’s the culture that you have when you start a company, and if you work really hard and make sure it doesn’t change much, it’s the culture that you have over the years that creates your company, versus your company creating a culture. Okay? If your culture is to be disruptive, then you’re going to be disruptive. If your culture is going to be, you’re going to invest in sales and marketing to convince the world that the products that you build that aren’t doing anything actually do something, then that’s going to be your culture.
Nir Zuk: There are a few very important things that we created in the culture of the company that I think have brought us to where we are, as the largest vendor in the cybersecurity industry, and we’re also growing much faster than everyone else. There are areas where we’re by far the largest vendor; well, there are areas where we’re bigger than everybody else combined. Doing really well, and again, it’s our culture and it’s things like being disruptive. It’s things like we always… we don’t solve simple problems. Meaning, if there was something in cybersecurity that we think someone else is already doing well or we don’t know how to do better than them, then we’re not going to do it.
Nir Zuk: Customers keep asking me, “Why aren’t you doing the… Distributed Denial of Service protection?” Whatever that means, right? Because I just don’t know how to do it better than others that are doing it today. They ask me, “Why aren’t you doing web application firewall?” I just don’t know how to do it better than others, so why would I do that? Okay? The things that we do here are things that we know how to do better, or we think at least we know how to do better than everyone else. That’s in our culture. Like when we make a decision whether to do something or not, that’s a very important criterion. Right? There are other important criteria. That’s one part of our culture.
Nir Zuk: The other part of our culture is to always do the right thing for the customer. Now, of course, every company that you work for will say that they are doing the right thing for the customer, but as an example that I used just a moment ago, if you invest in sales and marketing to convince your customers that the stuff that doesn’t work, doesn’t do much for your customers actually does, then that’s not your culture. Your culture is not to do the right thing for the customer and… For us to do the right thing for the customer, I think the way we think about it, the way we’re presenting this, we always do… we only do things that we can be proud of. Okay? I cannot be proud of selling a customer a product that doesn’t do what the customer thinks that the product does. So, we’re just not going to do that. We’re going to do the right things so that we are proud of what we do so that customers eventually will get the benefit of the products, and that’s very important for us.
Nir Zuk: Another area that’s very important for us is self-awareness, okay? Many companies just aren’t self-aware when it comes to the issues that they have. Whether in their structure or in their products or in whatever it is. We are very, very self-aware. I mean I’m not going to, of course, wash the dirty laundry here, but in meetings we always talk about the issues that we have. We always talk about competitive issues that we have, we always talk about organizational issues, we always talk about the different things that are going to make us not successful, or are making us not successful in some areas, and we’re very self-aware of that and we fix it. We certainly don’t kill the messenger, we promote the messenger here, and take care of that. Those are important things that just don’t exist in many companies. When you look back 14 years ago and we look at the set of companies that we compete against today, they just have a very, very different culture than we have today.
Nir Zuk: The last thing, which you’ve already heard, that’s important for us in the culture is diversity. Diversity is not just gender diversity, which is very important. I think among the first 25 employees of the company, about a quarter were women. But it’s not just gender, it’s also underrepresented minorities. It’s also diversity as to where people come from in terms of the companies that they come from. We don’t just hire from two companies, we hire from as many different companies as possible, so we get as many different opinions as we can. When we think about diversity, we think about diversity across everything. It’s really an important part of our culture. Like if you walk around and you see the list of things that are in our culture, which are posted in various areas of our buildings, that’s one of them. Being diverse is very, very important for us. We just think that it makes us better and it makes us build better products for our customers. Okay?
Nir Zuk: Maybe the last thing I want to talk about is would… like Liane said, not too many people know about Palo Alto Networks, especially if you’re not in the enterprise space and not in cybersecurity space. You don’t know much about Palo Alto Networks other than maybe you every now and then you’ll hear about our financials or things like that. But if I look at the things that we’re proud of and the things that are somewhat unique to us, we are one of the large… we have one of the largest infrastructures in the world, or certainly building one of the largest infrastructures in the world. Cybersecurity is becoming more and more, and that’s something we’re driving, but it’s becoming more and more a data problem. The amount of data that you need to deal with in order to find the bad guys and stop them, it’s just unbelievably huge. We’re talking… I mean, if we today had to collect or are able to collect all the data that we need from our customers, we’re talking about several billions of events per second. Okay? This is the kind of infrastructure that we need to build. We’re talking about many, many, many, many exabytes of data in order to make our customers secure. I mean, I’m not saying we’re there yet, but that’s something that we need to build, and over the next few years we need to build.
Nir Zuk: Cybersecurity is becoming a data problem and we’re leading that. We’re a very large infrastructure company.
Nir Zuk: One of the things that we’ve done, and one of the disruptions that we brought to the market, is we have transformed the cybersecurity market from a market where you buy a lot of products. A typical organization and typical enterprise will have dozens and sometimes more than 100 different cybersecurity products that they deploy in their infrastructure. We transformed that into a market that’s delivered via SaaS. Okay? That’s another thing that’s important about Palo Alto Networks, and yeah, there’s also the cybersecurity aspects. You don’t have to be a cybersecurity expert to work at Palo Alto Networks. The number of people here that actually know cybersecurity, probably 200 or 300 of our employees, actually are cybersecurity experts. All the rest are data experts, and service delivery experts, and operations experts, and of course, that’s in the engineering department and we have many other organizations within the company. Okay? That’s what I had to say. I’ll stick around if you have some questions. We don’t have time for questions right now, and I guess next one is Citlalli. Thank you.
Citlalli Solano Leonce: Hello, everybody. My name is Citlalli Solano Leonce. I am a director of engineering here at Palo Alto Networks. I’m in software development and I really couldn’t be more proud of having you guys here tonight. A little bit about myself, so let me share a little bit of my story. I grew up in Mexico City, back in the day there were no cell phones, no tablets, no flat TV screens, no nothing, right? No internet even, and I remember vividly how my mom would take me with her to the bank, right? The old big computers with black screens and green letters and characters going around. I always wondered what was happening behind the scenes. How could that person type something, and then some magic happens? Right? Fast forward a little bit. That’s what got me to study computer science.
Citlalli Solano Leonce: Finally, right out of college, my first job was at the central bank in Mexico. Finally, my dream came true. I was able to understand what was happening behind the scenes, but there was a slight difference back then, and it is that I was not only understanding what was happening, but I was in the driver’s seat. Here I am, 21, 23 years old, building systems for my country. I was developing in C++ and my modules eventually ended up in the payment systems.
Citlalli Solano Leonce: Now people are able to transfer money from one bank to another immediately. I was paving the way for the digital transformation of my own country. That was… at that time probably, I didn’t realize that impact, but looking back it’s like, really I was a key player there.
Citlalli Solano Leonce: Fast forward a little more. Here I am standing in front of all of you in the middle of the Silicon Valley. A day in the life, you wake up, your phone plays a nice tune for you. With the internet of things, you can have your coffee machine make coffee for you, and then you wake up to the very nice smell of coffee beans. You can say, “Alexa, play… what’s the weather today? What are my stock options?” You take your car, the car drives you wherever you want, right? Like that, so it’s amazing, right? All this transformation, I can’t believe I have been fortunate in life to live this revolution, right? But there’s another side to that. What is happening with all of that? Now, we all have our lives in the digital world. Raise your hands, how many of you do your banking online? Probably everybody, right? How many of you do video gaming or your kids do video gaming? Right? Now, even that is online.
Citlalli Solano Leonce: Some of us are doing… those DNA tests, 23andMe, okay? Then we can share and, or maybe we’re cousins, we’re third cousins or whatever. Right? That’s amazing. But, where do you think all this data is going? Everything is hosted in the cloud, right? We are leaving our digital fingerprint over there, and it’s not only the data, these services themselves are deployed in the cloud. They’re either running in AWS, Azure, GCP. Who knows, right?
Citlalli Solano Leonce: Amazing. But we also have a big responsibility. Everything is interconnected. How do we prevent the bad guys from getting that? It’s not only just your little blog post, it’s now your financial information, it’s now your DNA information, right? Who knows what’s going to happen in a few years.
Citlalli Solano Leonce: Let’s look at how we are developing those various systems, and something that Nir was referring to, it’s not only about cybersecurity and cybersecurity professionals, right? We at Palo Alto Networks happen to make software that secures the enterprise. But security is everybody’s responsibility. Who is building that 23andMe mobile app? Probably one of us. Right? Who is building those banking applications? One of us. Right? What are we doing to prevent that from being vulnerable? It shouldn’t be an afterthought, nor only the job of the InfoSec guys. Archana here, who specializes in InfoSec, can tell you a lot more about the security practices, but that should start before.
Citlalli Solano Leonce: Looking at this SDLC, it’s something that’s probably very, very familiar to many of you. What do you think here is missing? Any ideas? We have the planning, we have architecture and design, implementation, testing, deployment, maintaining, anything that is missing here?
Speaker 9: Security.
Citlalli Solano Leonce: Security. Where do you think security should go? What circle are we missing? Where do you think that goes?
Citlalli Solano Leonce: Everywhere? Yeah. Oh, you guys are too good for me. Yeah, spoiler alert. Yes, security is everywhere. It’s not, oh, QA should test for security, and Meghana can tell you a lot more about all our QA security practices. But this goes before, even as we are designing. Paddy here also will talk to you about product management, but it’s everybody’s responsibility.
Citlalli Solano Leonce: Circling back, we are living in this amazing world. We have all these services at our fingertips, right? Everybody’s now, now our kids, everybody is. But also we have a big responsibility. I personally love working here because I really identify with our mission of securing our digital way of life. I truly believe that. As the previous presenters were saying, it’s truly our responsibility and we are hoping for a better world one day after another. I’m hoping that tomorrow is going to be a little safer than today, so that the world that I leave to my kids and my legacy is much better than what I’m living right now. I invite you all to adopt security as your own, and let’s build that secure world together. Thank you very much.
Meghana Dwarakanath: Hello, everybody. My name is Meghana Dwarakanath. I’m the Software Quality Assurance Manager for public cloud security here at Palo Alto Networks. Now, I have been able to contribute across three different products here at Palo Alto Networks: WildFire, which is our malware protection as a service, Aperture, which is our data loss prevention as a service for SaaS applications, and now the public cloud security product RedLock. I’m sure you all already know all about it, with all the demos you’ve attended.
Meghana Dwarakanath: How did I get started? I like to tell people that I’ve worked my way up the networking stack. I started off on CDMA. Then IP, TCP, UDP, finally landed in the cloud, and out of pure curiosity took a right turn into security. This is a story you’ll hear a lot more from people who are working here. Because, initially when you think security, or at least when I heard about security, the first thing that comes to your mind is some Mission Impossible scene. There’s lots of screens, hackers. But then working here I came to know it takes a lot of people from a lot of different backgrounds and expertise to come together and make a good security product. Now, if you take my team, for example, I have people from a DevOps background. I have people from a Dev background, of course QA background, security company experiences, non-security company experiences, and with all those different perspectives, we are able to build a much more secure and successful QA process, which is what I’m going to talk about today.
Meghana Dwarakanath: One of the axioms in security is, you’re only as strong as your weakest link. Now let me ask all of you something. What do you think is the weakest link in your companies? Maybe you don’t want to say it out loud. But the answer should be, nothing. We are all strong, we’re all doing good, and we agreed, right? Now, of course, when it comes to our production environments, we are very thoughtful about protecting them, and we should be. Because it has our customer data, it has our reputations, and it needs the protection. By the time we come to our QA environment, it kind of tapers a bit, right? Why? Because you’re thinking it’s QA.
Meghana Dwarakanath: We don’t have customer data in there, hopefully. It’s an afterthought, we really don’t think about it. But if you really think about the challenges we have and the kind of products we are testing today, we need to think about why we need to secure QA environments. Because when somebody gets to your QA environment, there are a lot more things they can get out of it, apart from customer data. For example, they can get an insight into your system internals. They can figure out how your systems and services are talking to each other and you’re literally helping them make a blueprint to attack your production environment. You have proprietary code, of course, that is running in your QA and staging environments, and so there’s a potential loss of intellectual property there.
Meghana Dwarakanath: Again, hopefully you don’t have customer data in your QA environments. I really hope you don’t, because here at Palo Alto Networks, the InfoSec team, Archana will tell you more, they’ll find out, come hunt you down, and take that data. Then, of course, if you’re the unfortunate victim of something like a bitcoin mining and that, you get a very massive bill at the end of the month, a very, very unpleasant surprise, right?
Meghana Dwarakanath: This is just your test environment. What is the other aspect of testing? Test automation, right? Anybody who is testing the SaaS service will tell you they test against production. Every time you release, you want to make sure that your production is doing okay. All the features are doing okay. So what do you do? You run your test automation against production, which means your test automation now has credentials that can access your production environment. You probably have privileged access because you want to see better what you’re testing, and now you’re co-located next to customer data, which is a very–potentially–a very unsafe mix.
Meghana Dwarakanath: How do you do the security? One of the ways we have been able to do this successfully here is to consider test as yet another microservice that is running in your production. All those production microservices that you deploy, test is just another one of them. How do your microservices store credentials? That is exactly how your test automation will store credentials, the same SDLC process that Citlalli talked about, where security is not an afterthought. The same thing applies to your test automation code as well. You deploy monitoring for your test automation services just like you would do for your production services, and then whatever deployment automation you have, your IS automation code you have, you first test deployment into the very same architecture, and now you have all the added protections that your production microservices are getting.
Meghana Dwarakanath: There are a lot of fun new QA testing concepts, right? AB testing, blue-green testing. How do you test this global? With this, we are able to be in every single stack we deploy, test continuously, and get continuous feedback about our test and production environments.
Meghana Dwarakanath: Now we have the right people, we have the right mindset, we have the right intentions. We just want to ensure that our intentions have the right impact. What do we do? We just happen to have a set of world-class microservices at our disposal, so we don’t put our own environments, which means for example, all my test environments are monitored by RedLock, to see if we have any security vulnerabilities there so that I can immediately know about them and then I can make sure they’re secured, right? This is a win-win situation, of course, because we are in the same cycle of continuous feedback. We tell how the product is doing, the product is securing us.
Meghana Dwarakanath: Now, from this talk, I really want all of you to have two takeaways from this. One, of course, to really go and think about how your QA practices are, are they secure? And what needs to be done to make them secure. The second thing is to realize that we are in an ever changing landscape and there are different and new challenges, right? We have to continuously rethink our role and what we need to do in our roles to be successful. This mindset is not only encouraged here at Palo Alto Networks, it is expected, and that is what I love the most about working here. Thank you.
Archana Muralidharan: Good evening, everyone. I am Archana Muralidharan, I work as Principal, Technical Risk Management, here at Palo Alto Networks, InfoSec department, and the same function of a lot of people refer to now. I feel more responsible now to deliver what exactly we do put into product security here.
Archana Muralidharan: Before we get into the specifics of how we do stuff at Palo Alto Networks, let me share with you some fun facts about me. I was born and raised in Chennai, a city in the southern part of India, where the weather is really hot all through the year, 365 days a year. There are only three seasons, according to us: hot, hotter and hottest.
Archana Muralidharan: There are no cold seasons that are known to us. If you ever see me wearing a jacket when it’s 70 degrees outside, you know why it is. My childhood dream was to actually become, any guesses? A Bollywood singer. Honestly, I still learn Indian classical music just for the fact that I couldn’t become one. But destiny was something else, I completed my engineering and I ended up becoming a software engineer.
Archana Muralidharan: It was by accident, I would say, that I got into information security, because I didn’t even know what it was like 12, 13 years ago when I started my career in InfoSec. After having been in InfoSec for so long, I really, really love the domain. It is so interesting because it throws a unique set of challenges and problems for us to solve. Now that we heard a lot of our leaders, Citlalli, Meghana, touching upon how important it is for security to be incorporated as part of SDLC, let me dive deep into that.
Archana Muralidharan: There are some debates here and there in terms of the actual estimates, but all research does confirm the cost and time involved to remediate a vulnerability grows exponentially over the different phases of SDLC. That’s why it’s really important for us to start thinking about security during the initial phases.
Archana Muralidharan: Especially when you’re delivering the cybersecurity product, we want to be doubly sure, triply sure, over cautious sometimes to ensure the way we develop [inaudible 00:44:00] makes us really secure, because we have commitment to protect the digital way of life.
Archana Muralidharan: Our approach here at Palo Alto Networks is to embed security as part of every phase of [inaudible 00:44:17] like how you just heard from a lot of the speakers who spoke previous to me. As part of requirements, we make it a point that we collect security requirements as an NFR, meaning non-functional requirements, in addition to the normal performance ahead of requirements. We ensure that they are understood, well documented so that we could potentially prevent a lot of vulnerabilities creeping downstream.
Archana Muralidharan: As part of the Design phase, being from InfoSec, we work very closely with the product architects to understand the architecture and review it from a security perspective to ensure… to look for all possible attacks, incorporate possible mitigations well in time to prevent design flaws that would otherwise result in vulnerabilities in the product.
Archana Muralidharan: As part of the Build phase, we primarily do two activities. The first one being static code analysis, where we look for vulnerabilities and remediate in the custom code that we developed as part of product development. The second piece being using these open source vulnerability assessment tools to figure out the vulnerabilities in the open source libraries and frameworks that we use in our product. But it’s really important that we understand what we sign up for.
Archana Muralidharan: During the Testing phase, we do something called application integration testing to find vulnerabilities that we had missed as part of the Build phase. For instance, when we do static code analysis during the Build phase, the code doesn’t run, [inaudible 00:46:05] it is static. When more components are integrated, come together, there could be a possibility of more vulnerabilities, which we typically find, specifically targeting areas, some of the stack like versus logic errors, privilege escalation, which no static analysis tool can find as of today.
Archana Muralidharan: As part of Deployment we perform a deployment architecture review. This is very similar to what we do as part of the design phase. The only reason is because we are in the [inaudible 00:46:38]. We follow [inaudible 00:46:41] frameworks, we build stuff so fast. There’s always a chance that they may miss the actual design, what was approved versus the actual design one gets to plan, finally may differ, and you want to be really sure that the final architecture, what gets deployed, is indeed what was approved.
Archana Muralidharan: Finally, I’m very sure all of us would be aware and agree that security is not a one-time concept. It’s a continuous process. We monitor… We scan our product environments for vulnerabilities in infrastructure, web application, API, SQA configuration, so forth and so on, and remediate those vulnerabilities well in time.
Archana Muralidharan: Aside from that, there could be a situation where a vulnerability is out in the market, but it’s not part of your scan cycle, so we don’t want such vulnerabilities to be executed and end up being in a breach situation. We use runtime application self-protection to detect those vulnerabilities and block them from getting executed during run time. These are all the activities that precisely we do as part of the software development life cycle. We take security really very seriously.
Archana Muralidharan: Before [inaudible 00:48:07], I want to share, why do I love working for Palo Alto Networks? Trying to give a basic… I would like to share my personal story when I interviewed with Palo Alto Networks. Having been in consulting for 10 plus years, the very fact, the very idea that I’m going to work for a cybersecurity product company, really thrilled me, really excited me.
Archana Muralidharan: I applied for a job, I went for an interview, everything went well, and always we have this feeling that we could have done probably a little better. Any of you think like that? After any interview? I felt the same. But all well, I get a call from the hiring manager, who was very appreciative of all the great qualifications that I have, and I was super excited. I thought I was [inaudible 00:49:02] the job, but then there’s a slight twist to it. I did not get the job. Difference, I was not the right fit for that job. Instead, they offered me a totally different job, which in their opinion, they believe that’ll be a better fit for me. As you all are confused now, I was completely lost and confused, because never in my career of 15 plus years was there ever a situation where something like this happened. It is always either a yes, or a no.
Archana Muralidharan: With a lot of confusion, I agreed. I accepted the offer. Glad that I made the decision, no regrets whatsoever after that. It has been a great learning experience here. The reason why I’m sharing this with you today is to reemphasize that teams here at Palo Alto Networks think very differently to solve the problem statement. That’s what makes this place unique and a great place to work. Thank you so much for your time.
Paddy Narasimha Murthy: Thank you, Archana. Hi, everyone. Glad to be here with all of you. I’m Paddy Narasimha Murthy. I’m a product manager on the Cortex team, an engineer turned product manager. That’s a very brief introduction about me and I’m here to talk about the perspective of PM-ing at Palo Alto Networks. What does that mean? You heard from a development manager’s perspective, QA, and InfoSec perspective, and now this is the PM perspective. But before I go into the details, I want to go over… what does a PM do, and then what does a Security PM do, and finally, why is it fun working here at Palo Alto Networks?
Paddy Narasimha Murthy: Many of you might’ve seen this image. This is a classic image where you see different perspectives for the exact same element, and here the element is an elephant. What a PM does is basically intuit what a customer wants. Let me go over that with an example. Let’s say Customer A comes to you and they say, “I have a certain data set and I want only the senior management to actually have access to that data set.” Okay, great. As a PM, you make an order for it and you say, “Okay, this is probably how I’m going to go build that feature.” But in the meanwhile, Customer B comes to you and says, “I have a data set, but I only want my support engineers to access that data set,” and you go, “Okay, that’s also great and I can build a feature for that.”
Paddy Narasimha Murthy: Imagine if you are a PM and you were to build a feature that satisfies Customer A, and another feature that actually satisfies Customer B. Do you think that’s going to be sustainable? Because very soon you are going to run into a situation where there’s going to be dozens of customers and probably even hundreds of customers asking for something very similar, saying different people need to have access to it. That is where you as a PM come into the picture and where you actually help draw this elephant. In this particular case, you could solve this problem by building something called role-based access control, for example, where you can actually have a common solution that would satisfy Customer A, Customer B, as well as thousands of customers who could have the same need in the future.
Paddy Narasimha Murthy: A role-based access control system, just a brief introduction, is basically setting up rules, which are privileges, and those privileges tell you what users have access to and what they don’t have access to, and you can assign these privileges to users. That is one way of solving this problem. This is what a PM [inaudible 00:52:57] does.
Paddy Narasimha Murthy: The other important aspect is that a PM also helps teams understand the big picture. For example, different teams, when they are building different features, what they see is just a tiny part of it and probably an isolated view of that feature, because they might only be integrating with one more team or in some cases just a couple of more teams. They have a very isolated view of the work. So a PM’s job is to step in and actually help draw the elephant, where you tell teams that, “Hey, this is what we’re building and here is how your piece is going to fit in.” That’s the job of a PM.
Paddy Narasimha Murthy: That said, what does a Security PM do? A Security PM does all of what I mentioned, and a little more. The first factor is security actually takes time. It’s not a one or zero or, okay, let’s do this feature or let’s not do this feature. There’s a cost to it. As a PM, what you do is typically you try to figure out how to build a secure product. If building a secure product, let’s say, you can only… ship five features in a product instead of 10 features, then so be it, because that would actually make your product a lot more secure because you’re able to spend more time on security related features.
Paddy Narasimha Murthy: Next is, it’s actually an investment. By that, what I mean is it pays in the future. Let me explain that with an example. Many of you might’ve heard of two-factor authentication. It is basically you put in your password as well as another form… another factor for authenticating yourself. We all know 2FA is important and many online services and companies and so many other online accounts offer 2FA. But how many of you go turn it on, or how many companies even go turn it on? Even though this is a new feature and explain it to the customers as to why this is important, it actually go ahead and build this feature and explain it to the customer as to why this is important, because this is going to prevent them from the ever evolving threat landscape, and pushing this feature out in the next 10 years or so is not really going to benefit our customers. That’s what you may have to trade off.
Paddy Narasimha Murthy: Next is, it is ongoing. Let’s say as a PM you decide that your product is reasonably secure, so you put the secure stamp on it, you ship it out into the world, and that’s it, your job is done. No, it’s not. Because security is constantly ongoing and you have to evaluate, is your product continuing to secure the customers? Is there more to it? If I were to extend the 2FA example, what I would be doing for the ongoing aspect of it is to now figure out, maybe I should be offering multi-factor authentication and not just two-factor authentication, because that is how I am going to protect my customers from the ever evolving threat.
Paddy Narasimha Murthy: Moving onto why PM in Palo Alto Networks. Security up and down the stack. Because Palo Alto Networks, we have a wide suite of products that our different speakers alluded to earlier. We have firewalls, so ranging from the physical devices up to the cloud, we have a whole suite of security products. If you were to join as a PM or in any role, you would actually get to work across the stack of products.
Paddy Narasimha Murthy: Product-oriented engineering is another factor. Where we don’t just stack up products because some customer came and told us, “Hey this feature is cool and I would like to see this feature in my product.” That’s not how we go about it. Everything that we build here at Palo Alto Networks starts with a problem statement. The PM sits down and writes a very cohesive problem statement. We start our process on there, and with that problem statement would be good, we actually sit together with the PM teams and we go over that problem statement and we convince ourselves, is this the right thing to do? Is this the right problem that we would need to solve? Is this the right thing for our customers? We attack the problem from different perspectives to make sure that we’re actually going after a problem that really needs to be solved. That is another factor that I really like.
Paddy Narasimha Murthy: The last one here, everyone here wants to do the right thing. Palo Alto Networks is a pretty large organization. We have several different teams. If you think about it, different teams have their own ways of doing things. We have different priorities, and they have different incentives too. But in a lot of cases when we have to work together, there is going to be conflict. But it’s really easy to work together because everyone in the room really wants to do the right thing. That is the biggest reason why I really enjoy working here. With that, I’m done, so are all the speakers. Really want to thank every one of you for coming here and spending your evening with us. Thank you all, we’ll be hanging out here, so happy to answer any questions you have. Thank you once again.
Pictured: Citlalli Solano (Director of Engineering) at Palo Alto Networks Girl Geek Dinner 2019.