Velkommen til lørn.tech - en læringsdugnad om teknologi og samfunn, med Silvija Seres og venner.

Silvija Seres: Hello and welcome to Lørn, my name is Silvija Seres and the topic today is security and my guest is Daniela Soares Cruzes, senior research scientist at SINTEF, welcome. 

Daniela Soares Cruzes: Thank you.

Silvija: Did I pronounce your name more or less right? 

Daniela: Yes.

Silvija: Close enough. So, Daniela, you work with software security and empirical studies, will you help us understand what those difficult names mean?

Daniela: I will try.

Silvija: And you will teach us a little bit about software security, why it is important and why it is interesting. Maybe you have your own way of looking at it, that’s also very interesting. And then, for my own personal curiosity, maybe you will tell us why you chose to do this work from Norway. We will get there. So let’s start actually with you, who are you and what drives you and what makes you stay here?

Daniela: Those are all difficult questions, but I usually say that I'm a research scientist, that’s what I am and that’s what I love to do. My drive is always to work with companies and do studies with companies. To try to understand what they do and what are the effects of what they do in what they want to achieve. This is what we call empirical studies, it is about trying to learn from practise what they do and then explain practise. Hopefully creating theories about how practices work, and so on. That is our ultimate goal. It is not always what we do, but it is always what we should do, create theories about practice, that is our main work.

Silvija: So empirical studies are basically studies from experience.

Daniela: Yes. We study practise and then try to understand practise and explain practise. 

Silvija: Very cool, and maybe find best practise as well?

Daniela: Yes, we don’t like to work so much with what is called best practise, because every context is different, that’s why we need to understand the different context and do the studies in the way context allows us. It is to find the practise that works and where and how.

Silvija: What works and why. Exactly what we are trying to do here in Lørn. So what is your Norwegian story? 

Daniela: Norwegian story? I don’t speak Norwegian yet, that’s kind of a shame sometimes.

Silvija: You came here for studies or for work?

Daniela: I came because of love.

Silvija: It is the best export article they have.

Daniela: I know, especially from Brazil. But I got a job so that I could be together with my ex husband, now, and then I started first in NTNU and then I came to SINTEF in 2013.

Silvija: You came to Trondheim?

Daniela: Yes, directly to Trondheim.

Silvija: Is it not the easiest place weather wise for a Brazilian?

Daniela: No, but that doesn’t really bother me. Actually never did. Of course, at the end of January when the weather is just so cold and dark, then I start to get a little bit upset, but is it not really something. I usually say that it needs a lot of Norwegian complaining for me to start complaining. Weather is not really the main issue in Norway to stay or not stay.

Silvija: So work wise, you’re at SINTEF, you like applied science, obviously, that must be a wonderful place to be. But do you see other international advantages of working with what you do, from Norway?

Daniela: It is maybe a bit cocky to say, but our group is one of the best in the world in what we do, so the results we do here in our group is really known everywhere and everyone wants to see what we do here in Norway to apply it to their context. 

Silvija: Why is this, is it because we have this energy sector that is so advanced that you have good examples, or what?

Daniela: No, the software companies in Norway are quite innovative, so that is something that people usually don’t know, but in Norway, the software companies are pretty good and they were one of the first one that started software agile, software development, software process and so on and we were, not me, but the group, were one of the first one to study that, so it got very soon recognised internationally as one of the best one in the world. That is why it is kind of the best place for me to be, because it is subjects that I like to work with. 

Silvija: You told us that you collect empirical data and you analyse software processes, can we make this somewhat more concrete, some examples on how you worked, or maybe you are not allowed to talk about companies you work with?

Daniela: We are allowed to talk about the companies we work with, like now lately we have been working with a project that is called SoS-agile, that is founded by the Research Council of Norway. Five years ago, what happened was that the software companies were doing agile, but they didn’t really know how to include software security in the process in a way that they could continue to work with agile and self manage, but being secure as well.

Silvija: So, for them security was something they would do at the end or too late? What we are trying to do is make them work agile, but safety and security goes in all along.

Daniela: Yes. So our goal is to make security as a routine, as a part of what they do on a daily basis and without really thinking as an extra prosess, but as a part of their prosess. We started quite early with this project with Visma, and now we are spreading the way that Visma works, for example. We change it to different thing and help them understand some of the effects of what they are doing and what advantage it do. And then we also started sharing knowledge between companies, so they learn a lot about the experience from each other and then change or create a new prosess and things like that. The innovation for us is in the way they work, the processes. What we work for innovate the way they work and that is innovation for us. 

Silvija: How do you this, do you spend your time with these agile teams? 

Daniela: We have meetings every week with them, we do interviews, we do field work, we go there and do retrospectives with the teams, we talk with different people, we interview the developers and testers and people that are involved with this software development team and try to understand what they do. Sometimes we take a theory and try to apply on that to see if that will still hold the theory, or not. Sometimes it is theories that are not from software engineering, but business, and then we use that in the context, and sometimes we try to build up the knowledge from ourselves and create our own models of what we think explains how the things work. 

Silvija: So you document and you structure, but you also prescribe? Do you help them to kind of see? I think what you do is also organisational culture work, right?

Daniela: Yes.

Silvija: And how do you help them understand or how do you help them change areas that will benefit from changing?

Daniela: It is all based on what we observe. The effects of what we observe, and then we talk it back again. One of the things I do with Visma, for example, is that I do interviews with the teams, and then I talk with the managers about: What do you think are the effects of what you did the last two months? Now this is the effects that the developers see themselves. So then we discuss and we discuss together and try to understand what is the reason for that. I don’t like to say that we prescribe anything, but we discuss together with the companies and reach to conclusions. And then we try to describe this with the research papers, so that other companies can also try those methods and see if the effects will be the same. We can not say that the effects will be the same in all companies, but we can say that this is the context where we have seen this phenomena and probably or most hopefully it is going to happen the same if you have a similar context. 

Silvija: So, for me it sounds like what you are trying is to get them to do is agile security culture. First awareness and then perhaps development.

Daniela: We do that. But we also for example work technically with static analyse tools and then we also see the effects of that in the development life cycle or not, if it gets more secure or less secure and things like that. So we work both with the culture, but also with the technical and the processes. 

Silvija: Software development process sound both very abstract and difficult, but really it is how they organise their work around building new software, right? And there is a lot of talk, there was a revolution with agile, I think there is almost nobody these days that doesn’t have one or another form of agile…

Daniela: …In Norway.

Silvija: In Norway? So that’s not necessarily the case worldwide?

Daniela: No. There are different levels of maturity in different countries and different faculties, also. In US, now they are a little bit more agile, but they are quite faculties doomed in process maturity mode and things like that.

Silvija: Which means this waterfall where you develop one phase to completion and then you think again. 

Daniela: Yes, a lot work was like that, but it is changing, also. There are a lot of companies that are agile now a days in US, also.

Silvija: Can I ask you Daniela, I really don’t know much about this area, but I was wondering if there might be a connection between if you have a very KPI driven culture, and there is this tailer somewhere, everything is optimised for number of lines of codes for day, then it is much harder to go from this very big waterfall model to agile. While in  Norway if you are much more based on trust, collaboration and maybe everybody is allowed to challenge etc, it is easier, do we have cultural advantage maybe of going to agile?

Daniela: There are some things that helps with the model that Norway has. One of the things is trust, we see a lot of models that we have tried, and in some countries it doesn’t work because of trust issues. The way that team works, you have to have trust, you have to be accountable, you have to be accountable with your actions and the other ones has to be accountable as well. The power system is also very different, the structure in the hierarchy, so all those things change a lot the effects of things. I think that it is a big advantage in Norway, that the software companies had since the beginning. 

Silvija: I think partly, also, that if you are not measured on your own lines of code, but you are in a way measured as a team, it is much easier to accept that: Okay, so my part changed. That’s fine, no problem. This kind of collective responsibility must be a cultural advantage.

Daniela: Yeah, there is one practise in agile, that we call the whole-team approach and then there is a whole team approach to different parts of what you do. You can say that the whole team approach to testing, the whole team approach to security, that is one that we use more now. That is to try to understand how everyone has a role in the security, then they can get products that are secure in the end.

Silvija: So if I ask you about the whole-team approach to security, I'm thinking it could be so that I make my part of the system very secure, but that will cost you a lot of coding or it will make your part… what you are trying to say is that we don’t think like that, we try to think of the whole system. 

Daniela: Also, but you also have to think about your part. When every code a developer puts in the system matters. That's what we do in software security, that’s the difference between software security and network security, for example. It’s outside of the alliance of code. What we work on is  that every decision that you make online of code, it matters. That’s why we have these static analysis tools, for example, that analyse each one of the aligns of code that each developer has put in the code. To see if that, for example, has any known vulnerabilities or have vulnerabilities that are known outside of the company or inside of the company, and so on. So we have tools that helps with that, but also most of the times just human judgement is what we do.

Silvija: So, collective responsibility which helps more, more eyes, more minds, see the problems better. But then I have to ask you, is there a cultural disadvantage when it comes to working with security, because we are so trusting in this country, are we a little too naive?

Daniela: I work with companies that are here and in Poland, for example. In Poland the guys comes with a way more set mindset of thinking that we have to close doors, we have to take a look on different things, because it's like we are prone to be attacked. In Norway we have much less of this thinking. We are like: Why does anyone want this thing from us? That’s the mindset that Norwegians have, you have your own things and don’t need anyone else’s things. And that is something that we have to work with more in Norway, then we can work with other companies. 

Silvija: I have noticed it with my own kids, I travelled back to Montenegro and I am a person that would have my backpack open and my kids will just walk out in the streets without looking for cars, you have to kind of rearrange your mind.

Daniela: Yeah, it is the same thing. I am from Brazil and we have a different mindset and I have to behave differently here than in Brazil, because the context is completely different. One of the things that the software companies has learned in the last few years, is that we are not in a bubble anymore. All software companies in Norway are exposed to the same type of attack that any other companies anywhere else in the world are. One thing is cyber security, another thing is what elevates the risks that the company has. 

Silvija: One of the things that is really fascinating to me with what you do is… I am an old school software programmer, ages ago, and I'm kind of used to that individual programmer sitting with your own computer and you hack at it until you make a server. It doesn’t work like that anymore, now it is a puzzle game and it is all in the collaboration. It is a complex process as you say. It is almost like it is the architect and the leader of the team, how can people learn this?

Daniela: That is one of the challenges we have, one of the things we started doing in NTNU, was to start creating the courses in software security, we helped and lectured a lot about that. It is very hard to say that this is the knowledge you need to have. We are trying to build up some kind of ways for developers, we kind of understand what they need to know, but they have tech for example, we don’t really know exactly everything that they need to know or the products owners for example. how do they know, for example if they are going to prioritise one specific thing to be developed or to improve security in a certain part of the code. All those things are still things that the companies doesn’t know how to do, and we still don’t know 

Silvija: It is very interesting, because I think that kind of a skillset of a programmer changes from being able to build from basic principles to being able to find these different bits of codes and then integrate them. The systems are becoming enormous.

Daniela: There is this thing we joke about, that developers are now becoming superheroes, because they now have to know, not only how to code, but they have to know so many other things. It is changing a lot the way that we see developers, also. Like there is this whole thing about being, not only a person that is introvert and looking at their own code, but they have to be a part of their team, they have to collaborate with the others ones, they have to be much more aware of all the things that are not only technically how to code, certain functionalities and things like that. So it is quite a change in how developers have to be and in what we are looking for in a developer nowadays.

Silvija: Very cool. We are coming to the controversies, what would you think would be a fun thing to debate over a cup of coffee? You mentioned, actually, communication as maybe one of the most important things, not necessarily the unique tech skills. 

Daniela: Yeah, so, I don’t know if my mindset is so much knowing the Norwegian companies, then you ask, like, what is the advantage that Norway has. One of the things we see a lot in our studies is that many times the problem is communication. The problem comes to us because the team didn’t manage to sit together and discuss security, or the team was not able to find out together that there was a problem, and they had to fix it. That's kind of a controversy, because if you think like a developer, he is technically very good, he is the best one to be employed, but not always. So now we have to think much more like: Okay, what are the other skills that we need in the team to make this team work as a whole-team approach. Now we have to think more of if we have people with leadership skills in the team. Do we have people that communicate and talk about different things? Now that we are talking about security, say that someone in the team has to have some knowledge about security or some extra knowledge in security, then they are the ones who are able to discuss and bring these things up front as well. It is a lot of change.

Silvija: But it is also changing the culture in terms of what you ask, what you challenge. There is also this tradition of, you know, stick to your own desk or computer and what you are suppose to do, and it is not necessarily easy for people to start challenging their teammates on something, but you are saying that that is exactly what you need to do, and you need to trust each other enough to be able to do that.

Daniela: Yeah. One of the practises that we also have quite strongly in the team is called code review. You never commit a code by yourself. You always have someone to review your code, so that is also a way to challenge what the other ones are doing, and so on. And we also have the tools that analyses the code and bring it back to the developers. “This is not acceptable”. “This is not going to be committed”. “It is not going to be built if you don’t fix this”. Then it's not anymore like you do your own and then everything will be fine. It doesn’t work anymore.

Silvija: What is the timeline, you say your most relevant project was last year making software developments more secure software.

Daniela: Yeah.

Silvija: What is the development path in a way, can team start thinking about the things you talk about here and half a year/year later they work more agile with security as well?

Daniela: I hope so, that is our goal and what we are trying to work with in the different companies. We have already seen that the companies we have worked with are there and they have started to spread the knowledge and shared the knowledge with other companies like VISMA, and now I also work in Fara, that’s another company that work with that. But it is still a challenge to change the mindset and try to make all pieces of the puzzle to work so that we have the whole team approached to security. So, that is really a challenge, but it is possible, and we know how to do it, we just need to like, stop, and do it in a way. 

Silvija: Where can we look for other examples that could inspire us? Do you have an international example that you like very much? 

Daniela: We are not the only ones doing software security in agile, Microsoft, for example, have created Microsoft security life cycle, so then that is also something many companies are starting to use and many companies are starting to shop line their developments life cycle and it is a lot of knowledge based on that as well. I usually say, go to their website and take a look and inspire yourself to change the practise inside of your company. We don’t say like, use ours, we have ours and we have to use that, the Microsoft security agile life cycle is quite good. 

Silvija: Very good. What do you think is the most important thing people should learn to be skilled for the future?

Daniela: In software security? Or in software development? I think there is one thing that is kind of burning for me now, it is this thing called coopetition, that you compete and collaborate with different parts.

Silvija: Even in the team?

Daniela: Even in the team. It depends on how you conceptualise a team. Now the concept of a team is also changing quite a lot, so what is changing now is like you said, before when you were a developer, twenty years ago maybe, then you were just doing your code and then you were able to finish what you needed to deliver yourself, right? Then we changed it to something that the company delivered, then you could say that a company is going to deliver us this time or deliver a product, and they were not able to do that by themselves. Nowadays we are in this situation that no one is able to do anything by themselves, so the concept of a team now or a product for you to be able to deliver, you have to be using a lot of third parties, you have to collaborate and compete with these other companies, as well. Sometimes you are competing in a certain niche of a market and you are collaborating to create functionality and analyse another niche of the market. 

Silvija: I think this is super interesting, I was just reading something a very cool book called What Algorithms Want, it is analysing how these new data giants are actually creating data platforms where they invite their customers to develop the code on, right?

Daniela: Yes.

Silvija: To exploit the data. So it is a completely new direction of collaboration, I think.

Daniela: Yes, and that’s why I said that the concept of team, I think, change also, if you have to use and collaborate with another company to do your product anyways, team them, right?

Silvija: Yeah, and maybe more and more there will be things we will collaborate with, with our traditional competitors, and we will find new unique things to deliver on top of that common. It is a little bit like Vipps in Norway, where you basically collaborate on the infrastructure and then provide some unique customer experience. 

Daniela: Yes.

Silvija: And maybe there will be communication and then human relationships on top.

Daniela: It is a lot of challenges there. We also think of, like how are we going to deal with security, if you say that I know how my developers work, I know that we have handled security and we have control of all the things, but then how about the third party that we are using, right. Can we trust them the same way, how can we trust and say that we can trust that one and trust that one. we don’t have ways yet to measure that, we can not say that a third part component is a hundred percent secure. 

Silvija: Very good. We talked a little bit about Norway and the many good things, including our trust and our communication. You also mentioned to me that you think we have a very good educational system, why do you think it is that good?

Daniela: Actually, that is kind of a hinge I have, because I think that Norwegians are quite reflective, they are able to stop when they read something, they reflect on it. Maybe it is because they have time to do that, something that maybe other companies in some countries don’t have time to, because you have so much competition that you have to just run and go to the next thing all the time, that's the way I see it. I think developers in Norway are very good and usually when I talk to them, I have different interviews and discussions with them, they are able to reflect and think of why they are doing certain things and how they are doing certain things, and it's not only like they do things because everyone is doing it, so they reflect a lot on the ways that they do things, I think that is great. Maybe I’m biased because of the way I'm working with developers and the developers are very good. 

Silvija: I think there is something with the Norwegian educational system and maybe the whole country that invites people to take responsibility for the whole and to think critically in order to contribute, and I like it very much, as well. 

Daniela: Me too. I think that is also one of the factors for success in our field, because then everyone is so open to talk about the different things and get a lot of reflections. Then we are able to act about these things and find reasons about these things, and even going back to the companies and discuss if those are really true, and that helps a lot with the scientific knowledge. 

Silvija: I asked if you could recommend us something to read, and you recommended the book called Software Security by Gary McGraw, can you say something about the book? What will we learn there?

Daniela: Actually, that is quite technical. There are some misunderstanding of software security, and I think that this book is quite good to explain what software security is and what software security is not. A lot of companies, now it is changing a bit, but a lot of companies focus a lot on security and IT security, put up firewalls and make sure that the network is quite secure and so on, but not many companies understand what software security is, so that’s why I think that’s an important book. 

Silvija: Help me, which is building software without all these holes in it? 

Daniela: It is building software that is going to behave in a way that is not going to them as the company as much as if we were not thinking about security.

Silvija: Waterproof? Or something else? 

Daniela: So that’s the thing. A hundred percent security, no one will ever be able to do it. Every software can be hacked, it’s almost like we can say that we need to debate about this thing we are doing. It is a hundred percent sure that any software can be hacked, but then, how the software behave when it is being attacked, that’s one of the things we work with. If it is resilient to be attacked, then it is a different thing.

Silvija: So what you are trying to build is not a perfectly healthy software that is never affected, but you want to build a big or a very strong immune system?

Daniela: Hopefully with the least number of vulnerabilities as possible in production, that is our goal. Because that will help you to be resilient anyways, right. If you have a software that is faulty or full of vulnerabilities, the probability that you are going to be attacked is much bigger. 

Silvija: Can I ask you just out of curiosity again, a question? Is it possible to build software that is very immune, in a sense that it learns or the organisation behind it learns quicker than average? It finds things and close things. I think of this sandbox, or is it just still security companies that learn fast enough and just help people plug. 

Daniela: We are trying to understand how to do that, that is one of the things we are researching with Visma, to try to see what we can use from previous history that we can adapt to our systems to what is coming. It's very hard, I don’t think that we can still do that. What we are doing is mostly reacting to the different things and being adaptive.

Silvija: Reaching out fast and skilfully. Do you have a little quote we could attach to your picture? 

Daniela: That's a hard one, but there is something that I learned with my adviser from my PHD, and I never forgot it, so that’s what I put as my quote. That is: Be generous. He always said to me, and then he said that it is the secret to success. If you are generous, you are always going to be fine. I’ve tried to use that in everything and I've tried to use that in the companies, be generous, share what you have with the other companies and you are going to have a lot back. Many companies are doing it and receiving the benefits of it.

Silvija: Be generous, also with your knowledge.

Daniela: Yes. So I think be generous in general and with knowledge, I think its’ quite important.

Silvija: If you have to choose one thing that you want to make sure people should remember from our conversation, what’s the most important thing?

Daniela: I think that this thing about generosity, sharing knowledge. We would not be able to be here if the companies was not sharing the knowledge that they are creating. For us as empiricists it is important that people share what they learn and their experiences and what they experience in software development. So I still say sharing your knowledge and share what you know.

Silvija: Very cool. Well, Daniela Crusez, a senior research scientist at SINTEF, thank you for coming here to share generously from your knowledge about security and software development processes.

Daniela: Thank you. 

Silvija: Thank you for listening. 

Du har nå lyttet til en podkast fra lørn.tech en læringsdugnad om teknologi og samfunn. Følg oss i sosiale medier og på våre nettsider lorn.tech