Nikhil Gupta's Perspective on The Purple Book Community
Bigger things can be achieved much easier and faster if like-minded people come together for one collective goal. This is what the Purple Book Community wants to do in improving today's approach and mindset towards software security. Nikhil Gupta joins LingRaj Patil to look at the origin of the Purple Book of Software Security. They discuss how the book has matured with the participation of new members, giving birth to ten informative chapters. LingRaj and Nikhil also delve into how the book evolves into a community, serving as a cradle for shared insights about software security and a stage for effective mentorship.
In the increasingly digital world that we live in, building secure software is important for us all. Just as personal safety and security are fundamental needs, we at The Purple Book Community believe digital security is a fundamental need as well. Welcome to The Purple Book Show. This show is part of The Purple Book Community, a community of some of the world's leading security leaders. In this show, we host thought leaders and security practitioners to tackle the monumental challenge of building secure software. Our goal is to bring informative and insightful discussions about securing software, sharing challenges in doing so, and promoting best practices that will inspire you to take action.
I'm your host, LingRaj Patil. I also go by Raj Patil. I'm based in Silicon Valley, California, the hub of technology innovation. As you may well know, the pace of software development has accelerated dramatically, going from a once-a-year release to releases every month, every week or even hourly in some cases. This certainly has made it more challenging to secure that software. Leaders from The Purple Book Community are also writing The Purple Book of Software Security. This will be a how-to handbook for anybody looking to build secure applications and products, with insights from top security practitioners.
This book looks at case studies and best practices from startups to Fortune 10 corporations. No matter the size and maturity of your organization, this book will provide something for you. This book will be released in the third quarter of 2021 and will be offered free of charge to all for the benefit of software security. You can find out more about it at ThePurpleBook.club. We invite you to come and join us to be part of this community and be part of the dialogue around securing software.
Nikhil, welcome to the show.
Thanks for having me.
It is a pleasure to have you. We are going to talk about the Purple Book Community. It's something that's very close to your heart and something that I've been closely involved in as well. Can you tell the readers, why did you come up with the idea of the Purple Book Community?
Application security needs to be re-imagined. While application development has transformed from the old waterfall days to agile methodology, monolithic to microservices, and open-source has become very prolific. At the same time, application security processes and tools are still very antiquated. There are too many application security tools that are not talking to each other and they generate a lot of false positives. There is a severe lack of automation and orchestration among those tools. Last, but not least, there is a lack of collaboration between security and the development team.
As I was talking to several different security leaders, I found out that they are using a lot of Excel sheets. They're getting these tools and they're throwing people at the problem. At the end of the day, few leaders are able to find that solution. What I found out here was that the solution to this problem is building a community where we bring the best of the best minds together and come up with the handbook so that others can benefit. The vision of Purple Book Community is to come up with enough knowledge and the book is just the beginning, where people can come together in a trusted environment, talk to each other and learn from each other.
That sounds very interesting, especially in this day and time, the community is the way to go. Some of the security leaders have already been there, done it, and others can benefit by learning from them. We will go into the details. It's very exciting. I'd like to go deeper into how things have progressed since the idea of this community came about in December 2020. Before that, I like to ask everybody who comes on the show a personal question. Can you share an experience in your life that has made a lasting impression and shaped you to be who you are now?
Everybody has a story here, and mine dates back to 1999. I started my career at Bell Labs in New Jersey. I was fortunate to work with the likes of Ken Thompson, the father of Unix, and some of the other legends. At that time, while most people joined Bell Labs and stayed there their whole lives until retirement, I was always an entrepreneur at heart. I took all day to leave that cushy environment of Bell Labs to move to the Bay Area. People were telling me, “Nikhil, you're crazy. You don't have a green card. You're working with a dream team.”
I always had this thing in the back of my mind that I wanted to listen to my heart. I moved to the Bay Area and joined a small company. Sure enough, these legends left Bell Labs after 30 years and started their own company. I was fortunate to become a founding engineer over there. While most companies were struggling, as you may remember, with the dot-com bust and the telecom bust, because of this dream team over there, we were being showered with money. Money was not even a problem. We were working on some of the coolest technologies.
From 2000 to 2006, we did some of the greatest innovations in Fiber to the Home and other things. I was excited to realize my American dream of becoming a successful entrepreneur and making a lot of money. However, in 2007, as the financial crisis hit, the whole world toppled. The outcome of that company was not in my favor. We didn't have good financial success and it put me in very bad shape. I was in this country for 7 to 8 years with no green card. I was kind of on a leash here. I was the single earning member of my family and I had a young daughter. That time was one of the lowest times of my life, where I was thinking hard, “Why did I do what I did?” I still remember sitting in the car in front of the company, just scratching my head and pulling my hair, thinking, “Did I make the right decision? Why did I go on this entrepreneurial ride?” I was sure that I was one of the biggest failures in my life.
After a couple of days, when things settled, I started to think back. I always look at opportunities, not calamities. I started to pull myself back up. I started to see the good things that came out of that calamity. I realized that I was always able to make customers happy. I was always able to motivate people, not because of money but because of a larger cause, something which is bigger. With that, I was confident that it was not a failure. It was the beginning of a journey which is going to be long-lasting. Now I'm a serial entrepreneur, and a lot of credit goes back to that era of my life.
It’s a very inspiring journey, Nikhil. You’re saying the genesis of the success that came later was the failures that preceded it. It seems like it was a spectacular failure. There was the buildup, and in the end the dream did not happen, but you were able to use that experience to make you who you are. Coming to your point now with the Purple Book Community, how did that experience shape you in coming up with the idea of the Purple Book Community?
One of the things which those experiences brought to me was clarity. It was not just me. You were there and a few other security leaders were there. As we were talking to them, I realized that we didn't want to reinvent the wheel. With thousands of pieces of literature out there, why another book on software security? What we realized was that while there was a lot of good information there, there was a key element that was missing. It was a book by the practitioners for the practitioners.
What's happening here is that in software security or supply chain security, there is a big dearth of knowledge out there. As a result, we took a step back. The idea here was, first of all, to define the problem space clearly. I'll give you my entrepreneurial analogy, because as an entrepreneur, I was taking the same approach for this book as well. Getting clarity was very important. Let's define what the problem is. Now, if you look at it, people will talk about software security, people will talk about application security, DevSecOps and SecDevOps. At the core, pretty much all of them are the same. Getting everybody on the same page was very important. That was number one.
The second thing was a book by the practitioners for the practitioners. There were a few people in the large financial industries or other industries who were able to crack it. They were able to crack it in a certain environment, and other people can get the lessons learned from them. In the beginning, we were just starting with a very simple 3 or 4 chapters: people, process, technology and environment. As we were brainstorming, it was a group effort. I came up with the genesis of the idea, but thanks to you and a lot of other leaders who have put a lot of time and energy into this, we evolved.
The other thing here was creating a valuable resource so that the industry can start using it. There are three important things. You may have the best content, but if people are not consuming it, it's no good. Ensuring that at any given point we are creating something of value. Last but not least, there is huge, tremendous power in the community. In the community, some people are in software, some in hardware, and there's also a big need for facilitating networking amongst the leaders here. These were the four principles that they thought about, and that's the whole idea about the approach.
I do remember the early days when we had come up with this idea and you were reaching out to the security leaders. I was still not sure about how the reception would be, whether this particular problem would resonate with people or not, but the enthusiasm with which the security leaders joined validated that this was a very solid problem that they were having, and they wanted to contribute to that. Kudos to you for that one. As a next step, what happened? You got the security leaders together, and how did putting the book together come about?
It was not just my effort. It's a group and team effort. At the end of the day, I was just the catalyst pulling things together. It was building one thing on top of the other. What I realized was that whenever you're building a community, it's always good if there's something tangible to begin with. Since there was no handbook, the big vision here was to create a software security handbook similar to the Google SRE Handbook, which people can keep with them forever.
One of the esteemed members here, while we were having initial conversations, took out a book from the bookshelf next to her. She mentioned, “Nikhil, I go to these events all the time. Every time, I get bombarded with hundreds of these books. In my twenty-plus years, these are the only four books which I have kept here.” That was the a-ha moment that we need to have something which can be created and could be there. Knowledge should be free, and we want to democratize software security knowledge as well. The idea here is we have this bunch of security leaders who are taking time from their important schedules. We get together on a regular cadence and brainstorm. That's where the journey started on The Software Security Book. With everybody's effort, we have come to a point where I feel very proud as we are launching this community.
When will the book be released?
The book will be released in Q3 2021. We are being very unconventional in the entire approach, unlike the traditional book where you write the content and go to different media publishing houses, which takes 10 to 12 months. What we are doing here, since it's a book by the practitioners for the practitioners, instead of writing this book and then coming back and finding out what it’s missing, is taking the entrepreneurial approach to this book. We are going to release parts of the content on a regular basis. This is why it's very important for people to join hands and be part of this community, where they can guide us and let us know what kind of information is needed. The idea here is that we have a table of contents which we are going to share, and then we'll get constant feedback. We'll go back and pivot on the content. The goal here is to launch the book in Q3 of 2021.
The community itself is launching before that. What's the idea behind launching the community before the book?
The whole idea here is that this book is being written for the community, for people to benefit from. We could meet these 25 or 30 leaders, with whom we can have a private social network and exchange information. Each of the leaders is very distinguished and has a lot of experience, as you can see in their résumés and profiles. The idea for this community is to be active and let people tell us, are we going in the right direction? Is the content that is being generated addressing the pain point that they're looking for? The idea here is to make it an active community where we go back and forth, and we would love to have critique. Good or bad, every piece of feedback is great. The whole idea is to be a vibrant community where people come back and share their needs. They can let us know if this information helped or not. At the end of the day, the whole book is being written for the community.
That makes sense. In terms of the book itself, I remember back when we started, there were four chapters: people, process, technology and environment. What are the challenges in those three dimensions when it comes to implementing software security? Over a period of time, it ended up being a book with ten chapters in it. Can you tell us what those ten chapters are and why it ended up being ten chapters?
Because the community has grown, the authors have grown. It started with a couple of us and then it grew to 29 or 30. The whole idea is that as we have been brainstorming, they are realizing what the needs are, starting with people, process, technology and environment. First of all, there is the apparent need: why software security? There have been several efforts, even by the US government. We're talking about executive orders. There is the importance of creating or generating the need, because everything starts with the why. “Why software security?” is the number one chapter, apart from the introduction.
The second thing is we have to talk about people, culture and organization, which is as important as process and technology. The other aspect is the compliance, governance and risk frameworks, especially in software. As the world has moved from monolithic to microservices and from waterfall to agile, compliance gets outdated before it is even done. The authors thought that it's important to cover the compliance aspect, because compliance is not equal to security. Securing the software supply chain, we were debating in the beginning, and then we had the SolarWinds breach and a couple of other breaches, where the feedback called for its own chapter. We added that, and then one of the important aspects came in, because a lot of these leaders didn't have the budget to support software security. In the middle of the year, when these issues happened, how do we go about creating a budget for that?
That's where chapter eight came in, Building Business Cases for a Software Security Program. This is where leaders shared their insights on how they were successful in creating the budgets in their respective organization. At the end of the day, you need to measure. Whatever you can't measure you can't gauge, whether it's success or failure. Chapter nine came about the KPIs and also talking about the Capability Maturity Model or Software Assurance Maturity Model because that's the measurable thing which board, leaders and CEOs are interested in.
Last but not least, because it's a handbook, the idea here is to have some key takeaways and next steps. That way, people are equipped, and it's more of a workbook. It's not like you come and read this book once and it’s done. It's a handbook that you keep. That's what is represented in the logo. It's a book which hopefully people will keep for life. The vision of the authors here is to have a book that we can keep for life, make notes in, and come back to again and again. That is the evolution of the book. This is why the community plays an important role. We want to hear from the community: is this information enough? In this chapter, what is more important? What is the burning issue that they have, where these leaders can share this information, help, and make their lives simpler?
It's interesting how the table of content evolved as new leaders and perspectives came in. I remember the time when the chapter on securing software supply chain was added, especially with the SolarWinds attack. We all know that it was a supply chain breach. There was this added focus on securing the supply chain itself. There was also an executive order by President Biden to make sure that software security is handled appropriately, and given the due attention that it requires when software is being made. How do you see events like SolarWinds and Colonial Pipeline attack that happened? Do you think those are all moments that will hopefully, put more focus on software security?
I think so. The amount of emphasis I've seen in the last few months is significantly more than what I've seen in my past life. Unfortunately, security is a cat and mouse game. These breaches, as much as we would like to prevent them, will continue to happen. However, what we believe is that hopefully, these are wake-up calls. Especially with President Biden talking about the executive order, incidents like this will enforce a lot of organizations to put additional emphasis. We are hopeful that this will give the desired focus and importance to software security, whether you call it application security or product security or DevSecOps. It's important. Hopefully, people will be more vigilant.
The community, especially this community, has an important role to play when an event like SolarWinds happens. One of the things that happens when you have an event like that is the company's board of directors, the CEO and the leadership get worried about whether they have the same vulnerability that companies like SolarWinds had. They come and talk to the security leader: “Is our company secure from an attack like SolarWinds?” In the initial days, there is so little information. All the details about how the attack happened, what the vulnerabilities are and so on are not very clear. I can see how a community like this can come together and educate each other. Instead of one person knowing, ten people together can figure out the problem better than one.
You're spot on here. As you may have realized, it's a safe community. We are meeting at intervals. People do get together in scenarios like that. We also have a special network on Mighty Networks, which we are using to facilitate that communication. You're spot on over there as well, that for scenarios like this, people get together, and this is where the collective wisdom is better than individual wisdom. A few months from now, everybody would have figured it out, but the biggest importance of a community like this is, when the issue happens and the information is not there, how do people come together? They are going through the same challenges.
In the community, we have been blessed to have some of the leading security leaders from Fortune 10 to Global 5,000 companies. That is where people share the information with each other in a trusted environment, and try to make their environment safer as well as help each other. That's one of the biggest strengths of this community. I’m calling out to everybody who's reading this, you should become a part of this community and contribute. The strength and the success of this community will depend upon the people who are joining this community.
Thank you. Nikhil, we have talked about how it started from an idea to the book, and there are about 30 leaders who are contributing as co-authors to this book. There are ten chapters in it. Insights from these different security leaders have been codified as best practices. You're opening up this community to more than 30 people, maybe 100, 200 or 300. At some point in the future, hopefully, it will be a few thousand people. How do you think these new members coming on will benefit from being part of this community?
The reason why we started with 30 was we were trying to get a method to understand what is needed and how we structure it. In a smaller group, it's easier. However, now that we have the structure and processes for how we want to scale, we want to open it up to a community of hundreds of thousands of people. The number one way that the community members will benefit is by raising their voice on what is needed. It's not that often that you get to listen to or have access to these security leaders, to understand and think through their mindset, whether it is related to a problem, career growth or anything of that sort.
The second thing is we are focused on generating content. We are initiating panels as you can see on the launch event. We are planning to have more panel discussion podcasts. We would love to have people mention what kind of information they would like to hear. Last, but not least, what we're coming up with is just volume one of the book. Down the road, security and software security is going to continue to evolve. There may be a need for many more volumes. Some of the community members will get an opportunity to be elevated and contribute as an author. All these things are at zero cost. We believe in democratizing software knowledge and software security knowledge. These are all available at zero cost. These are some of the benefits which are there for the community members.
Thanks for bringing up the fact that everything is available at zero cost. It's heartening to see experts and top leaders in security coming together and sharing their knowledge for the benefit of the wider community. Looking at the chapters, looking at how the book has evolved from 4 chapters to 10 chapters, the way you're explaining it, I was thinking there is such a diversity of companies. The people and culture aspect of software security is different for a startup with 50 people in it versus a Fortune 10 company with 50,000 or 100,000 people in it. The insights, the lessons and the best practices for each one of them will be different. Do you see, as the community evolves, super specialization developing, where it's not just the people aspect of the security chapter developing further, but maybe content for the leaders within a startup?
We have already put a lot of thought into that, and this is how the book is structured. We have leaders from Fortune 10 to Fortune 50 to startups. We have people from various verticals, from financials to pharmaceuticals to other industries. One size doesn't fit all. I have worked in a 125,000-person company, and now I am the founder of a company I started as employee number one. The security best practices which I saw in those large companies versus what we're implementing in ours are very different. The whole idea here, and this comes back to the point that this is just the beginning and not the end, is that volume one is the beginning of a new era of knowledge being shared. The way I see it, this will continue to evolve.
I will not be surprised if it gets super specialized. The ultimate victory would be that each chapter becomes its own module, to the point where if I'm a community member who becomes a CISO for a 50-person company, or a company that is going public or in a finance state, I should be able to go and see and have a playbook. That's the ultimate vision. The ultimate victory would be that people could come in here. The other thing is I cannot underestimate the power of people who carry aspirations. Several people want to get to the positions where a lot of these leaders are. These leaders have been kind enough to share their journeys of what they have done to reach the point where they are. This kind of information is not easily available. Not only on the technology front, but these leaders are also ready to become mentors. That is another soft benefit of being part of this community, where an aspiring CISO, CIO or CTO can come in here and learn from these leaders.
I remember an incident as we were developing the community. There was one particular CISO who was going to take his company public, and there were other CISOs in the room who had already taken their company public. That leader could reach out to people who had already been there and done it. This is the kind of network that is hard to get outside. In this community, they are just one degree of separation. They can call them up and say, “These are the kinds of challenges that I'm facing. How do I go about it?” I have seen it happening and it's quite powerful.
What we are also doing is to facilitate so that this is not just one-on-one. We are also going to use Mighty Network, which is a private social media network just for the community members where there will be different topics. You can go and raise a question. These various topics are owned by different leaders. They will be generously sharing that information. This becomes a knowledge base. That is another aspect where you don't need to go and ask people. It's a kind of many-to-many relationship at the end of the day.
You may have a problem and you may ask that question. Other people may be shy or otherwise. I may join the community late, and I can benefit from the information that has already been shared by that leader. The idea here is to have that information collectively. I see the community in various aspects. The book is one, which is structured for building a program for a security leader. The other is this community aspect, where all the information is there. There is mentorship and there are pointers. Several leaders have open-sourced their knowledge. For instance, there is a leader who has open-sourced the KPIs. He is known as a KPI guru. There is another leader who has built a powerful presentation of the kind a CISO is required to present to the board. All these things will be open-sourced on the Purple Book Community. There's another area: if you just became a CISO and you're looking for help on how to present to the board, all that information will be here.
These are the other benefits of coming here. One of the leaders is a Vice Chairman at OWASP. Software security may not be paying money at all. There are opportunities to build a security program for free by using OWASP open source tools. We have a leader from that community who is going to share a lot of that information. We have a diverse set of leaders who are providing all this information. We're looking for further diverse sets of community members who are willing to share their information and exchange their thoughts and make this community more powerful.
It's great that you brought up that a security program can be started for free. You don't have to spend a whole lot of money and there is expertise in the community to help do that. Nikhil, what do you do for your day job? The community by itself is quite challenging. How do you manage?
As you can see, this community is my passion. This is the larger cause that keeps me awake and working. For my day job, I'm the Cofounder and CEO of a company called ArmorCode. The pain point I saw earlier, and some of the things I described, can partly be solved through a platform. That is where ArmorCode comes in. Our vision is to help leaders take charge of their application security. Before that, I was the Founder and CEO of a security startup called Avid Secure, which was building an AI-powered multi-cloud security platform and was acquired by Sophos. Prior to that, I have 25 years of experience. I'm a serial entrepreneur at heart. I'm living my dream, but at the same time, this community keeps me going. This is the larger, bigger cause which I love to spend a lot of time on.
How do you manage these two quite challenging tasks?
Whenever you're passionate about something, you will find time, and I'm not alone. Each of the leaders who is a co-author is engaged with the community. They are very accomplished and are juggling several different priorities. When you know what things are important to you in life, you will carve out time. This is very important and near and dear to me. I don't even have to think about taking out time for this.
I have seen what you said in action. Leaders are taking time out of their schedules to dedicate to this. There are meetings at 5:00 our time in Pacific, which is 8:00 Eastern time, and people are working from 8:00 to 9:30 and being part of the discussions. Some of these discussions have been engaging. It's amazing to see the whole chat box lighting up with comments, people wanting to contribute to the discussions that are happening. In some of the panel discussions, we had to stop at 90 minutes, but the discussion was still going on, because that's the level of engagement we see. That's why people keep coming back.
As you can see, you and I are talking here. We’re taking time away from our families on a long weekend. As a startup and as an entrepreneur, I have 50 other things, but because this is important, we are carving out time. It's not me alone. I'm thankful for the other community members. I know people, because of the launch, have been going back and promoting. A lot of them are engaged. It's not just me. I see that passion, and other people's passion is very contagious. That’s the power of community. We are deriving energy from each other. We are pulling each other along. That's what keeps me excited and coming back to this community and giving back.
You summed it up well. We are coming towards the end of this. You talked about everybody’s bringing their energy to this community and then driving it. It's been absolute fun being part of this community and seeing the energy that these leaders are bringing in. We can't wait for it to grow beyond the 30 people, maybe 300 or 3,000 and the amount of energy that will come into play.
To add to that, some leaders have gone for a COVID shot, taken two Tylenol at 8:30 or 9:00 and come to the panel. There are security leaders who have had to go to India for unfortunate scenarios, and they have been taking calls from there or coming back and contributing. By looking at those people, that is where you derive energy. This is where it's a great source of energy and positivity. I want to personally commend each and every individual. They have put in a lot of time and effort. Life happens, and there are people in the community who had newborns. I can go and individually see how people have been contributing despite the various challenges they are going through. That is what I like about this community. I hope we can keep that culture as we expand.
There is one thing that touched me when you told this whole story. I remember all the personal hardships that these leaders have gone through. You talked about how people’s families back in India were impacted. You were here taking Tylenol shots. In a normal scenario, these would be experiences that would drain your energy and demotivate or depress you. The fact that they are making this a priority, in spite of all those things, energizes everybody else. It seems like everybody else is on a mission here. That's what you're talking about. When you find something as important, people take time out of their personal lives, no matter what the circumstances are. That's the beauty of the community that we have here. Nikhil, thank you. It's been a pleasure talking. Are there any last words that you'd like to share before we end?
Thank you for having me. The only last word is to come and join this community. Make it more vibrant and bigger. We would love to learn from you and grow together.
Where can they join?
They can all come to ThePurpleBook.club. There are forms over there. They can fill out the form. There is a cadence, and we will go through that. We will invite the next batch of community members right after the launch.
Thank you so much, Nikhil. It’s a pleasure having you.
Thank you for tuning in to the show. Building secure software is in our hands. Every step we take in democratizing that process and sharing it with all will certainly benefit us all. To learn and to join us at this moment, I welcome you to join our community at ThePurpleBook.club. If you found this show helpful, we will be thrilled if you share it with other people that you think will benefit from reading it. Bye, until next time.
About Nikhil Gupta
An entrepreneurial business leader with a proven track record of building products and businesses from the ground up to multi-million dollar revenue. Adept at leading cross-functional, transformational initiatives across diverse groups to successfully develop Go To Market (GTM) strategy and launch innovative products, services, and solutions.