What is The Purple Book of Software Security?
As technology continues to become deeply embedded in our everyday lives, software security has become a field that no one can set aside anymore. Joining LingRaj Patil to delve into this subject are Poornaprajna Udupi, Chief Technology Officer of Good Money, and Pavi Ramamurthy, Chief Information Security Officer of Upstart. Together, they look at the Purple Book Community and how the Purple Book of Software Security came about. They also explain why this book is timely today, when software attacks like the SolarWinds and Colonial Pipeline attacks are on the rise. The trio discusses its table of contents and even shares personal stories that will touch your hearts.
What Is Purple Book Of Software Security With Poornaprajna Udupi And Pavi Ramamurthy
In the increasingly digital world that we live in, building secure software is important for us all. Just as personal safety and security are fundamental needs, we at the Purple Book Community believe digital security is a fundamental need as well. Welcome to the show. This show is part of the Purple Book Community, a community of some of the world's leading security leaders. In this show, we host thought-leaders and security practitioners to tackle the monumental challenge of building secure software. Our goal is to bring informative and insightful discussions about securing software, sharing challenges in doing so, and promoting best practices that will inspire you to take action.
As you may well know, the pace of software development has accelerated dramatically going from once-a-year releases to releases every month, week, or even hourly in some cases. This certainly has made it more challenging to secure that software. Leaders from the Purple Book Community are also writing a purple book on software security. This will be a how-to handbook for anybody looking to build secure applications and products with insights from top security practitioners. This book looks at case studies and best practices from startups to Fortune 10 corporations. No matter the size and maturity of your organization, this book will provide something for you. This book will be released in the third quarter of 2021 and will be offered free of charge to all for the benefit of software security. You can find out more about it at ThePurpleBook.club. We invite you to come and join us to be part of this community and be part of the dialogue around securing software.
Thanks for having us on.
I'm glad to be here.
It's been months since I've met you two for the first time. Time has flown in those months. I remember the first call that we had and the idea of a Purple Book software community was still an idea and we didn't know how it would come out. Since then, I have had a lot of fun listening to the security leaders like you sharing your thought leadership. Can you share your experience being part of this community so far?
I was brought into the Purple Book Community by Poorna. I was not aware of it. Thank you so much, Poorna, for introducing me to this wonderful community. In my experience, the last few months to me, selfishly, have been about networking more. Hearing from other thought leaders on what their perspective is, arguing about a just cost, which we have done but more broadly, it's highlighted a problem. We have books on software security, pentesting, articles, or video courses, whatever you may call it. There is no one concise, comprehensive book that we can refer to where industry leaders come together to discuss what they have seen in the last X years of their careers. Also, what their mistakes have been, how they have learned from them, and how they have either gone back to the drawing board and completely overhauled all of those things.
This is an opportunity for up-and-coming leaders or individual contributors in the security community to use this as a resource to tap into whatever aspect they may. Whether as an individual trying to make something work or as a leader trying to visualize a tactical and strategic vision for the security organization. That's where this book will bring in a lot of impact and that's where I see that I'm going to benefit myself. Even though Poorna and I are contributors to the book, I'm going to take away many key lessons and I hope that this will serve the same way to others.
You cannot talk in the security community without talking about compliance governance and risk frameworks.
A story that I remember is my daughter reads this book called Who Would Win? Tyrannosaurus Rex vs. Velociraptor. Velociraptors are these tiny little thingies compared to the Tyrannosaurus Rex, which is huge. If they were to fight, the Tyrannosaurus would lose despite its size and heft because the velociraptors work in a group. They coordinate with each other and take down the bigger animal. It's like that situation with security. All of us have a lot of experience from the previous companies we have worked at, the setup that existed there, the people, the processes, and the technology that exists there but it's not enough by itself.
If you think of the giant of security concerns across the industry, across the different verticals, we have to collectively work together. No amount of book reading or certifications is going to help it. We could wear our CISSP badges as long as we want but that's not going to get us to the other side. It’s the experience of interacting with each other and also interacting with each other in context. What works for one CSO and one CTO or one leader in this organization may not work for others. Understanding the context in which they succeeded and applying that to ourselves. Even coming to terms with what success means for any initiative you take, the answer is going to be different for everybody. Have a conversation and get a chance to be vulnerable with each other.
If we can honestly in a community share with each other, “Here is what I experienced. Here is where I was jubilant and here are the things where I failed. How would others have handled it?” Drafting from the wisdom that comes from the community setup, that's what the Purple Book means to me. Since we met, it's been an avalanche of amazing folks that we've been meeting. Folks like Pavi and others who have joined the community are significantly getting the strength of our community higher. Education, networking, learning from vulnerability and learning from moments have been a great experience so far.
I agree with you, the power of the community, that's what we see here at the Purple Club. We have been a part of the panel discussions. The chatbox lights up with comments from many different people. We have had discussions where, at the end of 90 minutes, we had to say, “We have to end this because we cannot keep this discussion going on forever.” It's been an amazing knowledge transfer and exchange that's happening.
We don't shy away from voicing our opinions. We all know that about each other.
Poorna, I like the way that you brought your daughter's story into this. It's so relatable to everything that happens in our life. In my show, I always like to go back to some personal aspects of my guest’s life. I'll do the same thing. Pavi and Poorna, share one experience from your childhood that has made a great impression on you or that has shaped you to be the person that you are now.
Time and again, I feel grateful and fortunate for everything that I have. If at all anything, what are the elements that I am made of? I was raised in an academic family with a solid value system. Mostly from there on, it had been serendipitous help from folks like friends and family. For example, my parents said, “We know all the things up to your school grade.” Interestingly enough, Raj and I went to the same college back in Harvard in India. Until then, my family knew what to tell me. Beyond that, engineering and the different branches of engineering and all that, my parents are like, “It's up to you.”
It was a friend's brother who told me about how to even choose a college, how to navigate the system, what entrance examinations matter, and all that. It's information sharing by somebody you know that is your network. Eventually, when I wanted to come to the United States for my Master's degree, it was a Hail Mary attempt from my entire family who pulled all their money into one account. They showed that Poorna has money to go pay his first quarter at UC San Diego, which was $10,000.
If I had to be broken down, probably it’s not going to be carbon and water. All my friends, family, community, the information-sharing that has happened, and this collective that has brought me here. As they say, “You can't be lucky. You have to work hard to be lucky but along with that, you need to be a part of a group or a collective that can help you be lucky.” That's what I got. When I think back on my background, all the strings go back to my friends, family, community, and the values that they have bestowed upon me. I'm probably sharing a lot of information but that's what I think of fondly.
You related the childhood story to this. You have stayed true to that. You've benefited from the network. You're giving back to the network. That's an amazing story. Going back to what Poorna is saying, I was pleasantly surprised when I found out that there's this town called Harvard in India and that he is from there. We were in a meeting and 6, 7 people were there. We found out that we are from the same city. We started going off on a tangent talking about the spices that are a specialty of our place. We were saying, “Maybe we should have a separate conversation on that.” It's been such a pleasure knowing that somebody from my hometown was in the same network that I have here. Thanks for sharing this story, Poorna.
Thanks, Poorna. I don't have an emotional and impactful story like Poorna does but I can give you a little bit of insight. I'm an only child. Growing up in India, my parents did not have a STEM degree. They had the basics. There wasn't a great push towards a tech degree. Being an only child, my dad was particular that I do not step within 1 kilometer or 2 miles outside the whole thing. Engineering was out because all these colleges were all over the place. I was told, “You can pick a discipline that's within a five-mile radius of where the home is.”
You make the best of what you have. Especially coming from India, which is the land of many people. It’s survival of the fittest. You make do with what you have. I took a degree. I majored in math in my undergrad. I said, “I'll do that.” I came to this country at a young age. I labeled the first 5, 6 years of me being here in this country as also part of my childhood because I was barely an adult when I came to this country. I had a basic knowledge of computers. I applied to the Master's program in computer engineering. I got accepted. I didn't have the money to pay for it because it's expensive in a private university. You're looking for research assistance or teaching assistance.
There was a civil engineering professor at Santa Clara University who was generous and gave me an opportunity with the Caltrans program. He said, “I need these numbers. I need these things plotted.” I'm like, “I can do that. I know Lotus 1-2-3.” You had no money at that time to buy your computer so you're using the university resources. The first day, I showed up for the RA project. There's a system and then there's a mouse. I had never seen a mouse before in my entire life. I do not know how to use it. It's scary. They did not even have Lotus 1-2-3. It was in between Lotus and Excel. There was one more, which is completely different.
Your survival instincts kick in. You learn to cope with it. That is one of the things that I'm grateful for, which is don't give up. If you can go in a crowded bus in India, hanging on to the footboard and get to school and get back all in one piece, “This is just mouse and you don’t even know.” That's how my career in computer science even started. Years hence, my security interest also was providence and serendipity. There are a few of us where things happen to us at the right time and we happened to be in the right place.
One of the things that you also realize as you come along this journey, especially being a woman and raising kids along the way in your career is all the trials and tribulations that you face being the woman in the room. Also, being the only woman in the room from a security perspective and then working through all of those challenges, tripping, falling, being sidelined, and then realizing, “I don't want this to happen to anyone else.” For me, it‘s more than security and more than anything else.
At this time in my life, this is the right opportunity for me to say, “I'm in a good place. Now I'm going to see what I can do to help others.” Whether it's developing confidence, bringing more people into security saying, “There are various opportunities for you here.” How do you impact a community? For me, it's a little bit of a narrow slice. How do you impact women? How do you uplift and empower women? If my vision is too large, I don't think I'll execute as effectively as when my vision is slightly narrow and I know that I can make an impact.
What a story. It’s inspiring to see the background that it came from, fighting against the odds that you fought. I would not have imagined that.
With the many cyberattacks today, you cannot just gloss over software security.
It’s a tiny mouse, I can't tell you how freaked out I was.
We want to encourage women to get into information security. I'd love to host you in one of those because a lot of people need to hear your story. It's not just girls. Girls can get acquired by it and also, the odds that you beat to be where you are and being scared of a mouse to securing some of the biggest corporations in the world. That's a great story right there.
I do have to add a tiny bit. I have two kids. My kids are much older now. When they were younger, they knew that mom was in security. I would tell them, “If you even touch your laptop, I know every single thing. It comes through me. I get the mail. I get the message. I know everything.” They’re like, “Mom, you would know everything.” I don't even need to be here or around anywhere. They used to get freaked out and I milked it for as long as I could.
As Pavi was speaking, there's a paragraph in the book where she talks about how she brings this notion of setting the goal high but then showing everybody that's the destination we want to go to in terms of your security programs but then creating a lot of intermediate milestones or small steps. When she was talking about the security program and impacting a part of the community before she can have a big impact, that's a true principle that she follows everywhere. There are some scenarios where she talks about it. I'm pretty excited that it comes from true principles from her life.
Poorna, it’s great that you brought up how you and Pavi collaborated on a part of the book. At this point, maybe we can talk about how we structured the book. We have 25 plus or almost close to 30 security leaders. How do we get them to co-author a book? How do we make sure that we get input from them? Can you tell me how you guys went about it?
It's not me. It's all Poorna. Poorna did the entire work. All I did was ask him now and then, “Poorna, do you need any help?” I can give you a tiny bit of context on how Poorna reached out to me. He dangled this in front of me and said, “Do you want to be an author for a software security book?” I'm like, “Yeah. That sounds cool.” It's a lot of crowdsourcing. There's a lot of backend work that had happened to get these 25 people on board. I’ll let Poorna talk about the table of contents and what the book is about. It wasn't even easy getting this group together.
You want to convince them that you have a message and a vision as to why you're doing this book. Are they bought into your vision? It all depends on how well you articulate that vision to them. They are then bought into it. This part is easy. The hard part is committing time, content, and discussions. We are in the last few months, multiple meetings that all of us have missed. It's making that commitment. That part is not easy because all of us are well-intentioned. It's still not an easy thing to do saying, “I'm setting aside time for the community.” I think we're getting collectively better at it. To me at least, Poorna had already laid the foundation. He knew what he wanted to and I was on the sideline. It's all him.
She’s being modest. That's not even true. Let's say I drew the boundaries for the football stadium, she played the actual game. Back to your question, the starting point was how do we build a community around this where we can share? We understood that it is a collection. It's building the community from the ground up. From there, we were like, “If we were to write something, who would read it? Who’s even the audience? If we were to write, what would we even write about?” It’s classic management books. We want to write about the processes. We want to write about technology. We want to write about the people and culture. We want to write about the environment. We started with the classic process, technology, people, and environmental aspects.
We very quickly reached the horizon of our capabilities. We immediately realized that a few people sitting down and writing a book is not going to cut it because there's not one person's experience that can make a book. If you think about what every leader in security is tasked with, it's different. It can be summarized in one word. What is the starting situation that they find themselves in? What is the industry sector? Working at D2C, Silicon Valley consumer-facing company like Facebook or Google is completely different from working in an industry-heavy giant like Lockheed Martin or Boeing. It's the organizational structure.
What is the growth rate of steady-state stable companies that have been doing something versus a new company that is about to go IPO and has such a flurry of activity to meet certain numbers but also, shows up in terms of their stack budget and many things? We looked around and we’re like, “Do we have the right expertise around us?” That's when I said, “I know Pavi.” Pavi had given a security conference where she had talked about her Security Champions Program. I was so excited about it that I was like, “She would be a great person to talk in the people and culture aspect of how we could potentially get support for security initiatives in a company. Not just that but that's the talk I had heard. She's a fountain of wisdom so we should probably tap into people like her who can help us make this community better.”
Every member that we reached out to has faced a lot of challenges that are characteristic of their industry and vertical. They came up with a solution right then or they iterated over time an amazing solution. There is so much to learn from it. We have so much to learn from what worked and what didn't work. There are many internal drivers within your company. There are many like the people, the processes that are already in place, and the technologies that have already been deployed. There are many external drivers for each company. Do you need to be compliant with a certain compliance standard?
For example, when Zoom became a super popular company as soon as COVID hit, they went into a lot of trouble because of the setup that they had. How did they come up with that? That's an external driver. Suddenly they became popular beyond their imagination. They had to face a lot of scale challenges and they did a phenomenal job of it. There are external drivers. How does anybody go from 0 to 1 state? It depends on the situation that they are landed in and, as Pavi says, make the best of that situation to get to one state in an incremental fashion.
How do they show the same vision to everybody? It’s like, “This is a zero state. Let me show you the one state. Follow my path.” The entire company follows their security initiatives to go behind them. That's how this community got built because we thought through the variety of experiences that we want to capture. Otherwise, it would be one person sitting down and writing their biography of all the experiences that they had and that's not going to be a 360-degree view of what happens in the world of security. We wanted leaders who can narrate. We are choosing the best experiences that are worth highlighting in a format of, what was the situation that they landed in? What were the challenges or tasks that they had to think of? What were the actions that they took for those challenges? What worked? What didn't work? What were the results that they came up with?
Poorna, it's a great segue. You should mention your Scar Framework. You started off with a star. We all carried battle scars. I want to hear you talk about that.
Management books have this framework called the star format. In any situation, what tasks do you undertake? What are the tasks in front of you? How do you prioritize them? What actions do you take? What results do you expect to see? That's usually a goal-setting format. The person who brought it to my attention was another co-author, Upendra Mardikar. He's written a lot of chapters in the book. He brought up, “Why don't we think of that as the goal?” Talking to all the stories that people had, a lot of people didn't have a bunch of tasks that they had to prioritize. They had to go through a lot of challenges that they had to face.
The star format became the scar format. People had a lot of security scars that they had to address. It was a fun way that we changed it to a scar format where every case study has been written in the book and it draws from the experiences and wisdom that a lot of the folks have faced. It would not be possible to write such a comprehensive book with 1 or 2 people's experience. That's why the community begets the wisdom of the book and the book is driven by the wisdom of the community.
Over-communication is always good, especially in solving problems resulting from miscommunication.
To add to that, at least the chapter that Poorna and I worked on and the scar format, we have a bunch of case studies in that chapter. Each of those case studies is delivered by a security professional who is in their organization at various stages. One case study could be a startup organization where the professional has come from the onset to develop the security team. The second could be mostly there but we have to mature the program. There are instances where it's a well-oiled machine conveyor belt chugging along.
Each of these case studies is coming from various pivots saying, “Here is how I faced a challenge in this state of my organization. Here is the situation. Here is the challenge that I had. Here are the actions that we took. Here are the results and the key insights that we got from it.” It's an easy read in the sense that once you read the first case study and you understand, “This person is from a startup thing.” You then read the second case study and then where it's highlighted pretty nicely saying that it's a well-established company that the security professional belongs to.
In whatever capacity you serve in your organization, there is something in there that you can say, “It resonates with me. I'm in the same boat.” You can take that. It's not meant to be a Bible. It's meant to be a guide where you can take that and you can then say, “Based on my business needs, regulatory needs, my organization, my culture, my organization's culture, which is different in each organization, can I tweak that and can I adapt it?” This is what this book is going to provide for people.
Towards the end of the book are resources. What happens if you have an incident? Big company or small company, it doesn't matter. You may have an incident. If you're a new security leader, you may be scrambling with either Google links or YouTube videos. Here's a chapter where you can say, “Here's a template if you want to use it. Here are some resources that we have that's tried and tested.” I see the book as being that guide where they can say, “There is a scenario that is similar to what I'm facing. I can take some guidance from that. I can adapt it to my needs.”
That was the vision of how this whole book started. That was the vision that somebody could pick up the book and they could flip to a particular chapter where they felt the need, maybe the people aspect, process aspect, the technology aspect. Within that, the company type is different. That's the framework that the book provides. Now we are at a point where we understand that the book is a starting point because it will not cover everything. It’s now going back to the analogy that Poorna gave that we are all small pieces of everybody contributing to who we are. We have this vision of a community, which goes beyond the authors, maybe 300, 500, 5,000, 10,000, whatever number we have working at a time.
They come to this community with any problem or situation that they have. There is somebody else who's already faced it who can mentor that person. That's the community that we are launching. For more details, people can go to ThePurpleBook.club. I hope the readers who are here can join in. The community that we have of 25 plus security leaders have gotten better as every leader has come onboard. It's gotten better not in a linear fashion but an exponential fashion because every new point interacts with other 25 different points and then that adds so much richness to the discussions that happen.
I would add to that. Initially, our scope was the classic management theory books like people, process, technology, and environment. Suddenly, when we got the input from more leaders, it expanded. You cannot talk in the security community without talking about compliance, governance, and risk frameworks. What are you trying to secure? What are you guiding the people to watch out for? What are your technology tools gearing up for? What is your process about? It's all pegged to risk frameworks and how you want to govern and manage your compliance. We have a chapter on that and it’s led by folks who have accomplished amazing things.
Until now, we weren't talking about the software supply chain. Developers included whatever JARs and libraries they wanted to in their code. We use whatever SaaS services we needed to. Now, with some of the latest attacks we've been seeing, you cannot gloss over that. Securing a software supply chain is a whole domain within security in itself. Our previous training and security learnings and frameworks do not capture that yet. The book goes beyond what is needed for now. It's not a part of any other framework that has our compliance framework yet but it's something that we are seeing and trying to be in front of.
Similarly, many leaders struggle with the right amount of expenditure. Does it mean that if you flew in a ton of money, then your security program is going to be great? If you said, “No. I'm not going to spend a penny. Figure it out by using open source tools.” Does that work? How do you even calculate the cost of getting the security that is right for the risks that your company and your industry for your size and your consumers face? That's a whole other topic.
We have had significant debates, discussions, panels, arguments back and forth, and calculators for it. It's fascinating how that whole chapter came to be. How do we even know if we are making progress? Everything else is measured in this world. What are the KPIs? How do we track the maturity model for our program that we have initiated? Starting with people, process, technology, and environment to now expanding to many chapters and going into the details, those last four months have been a crash course for all the things I didn't know.
It’s more and more comprehensive. As Poorna mentioned, it's no longer one segment. It becomes holistic. It's not even the Purple Book of software security. It's almost like a Purple Book of security or how to conduct your security business. Going back to those couple of startups, well-established midrange whatever, if you're a startup and you want to know, “What should I focus on the technology aspect? What will I invest in? What should my lean security stack look like?” There should be guidance there.
Still, you're a small company and you're required to report to the audit committee and the Board of Directors, “What am I reporting? I don't even know what to report. What are they asking for?” Providing that guidance in a templatized form or even some suggestions on keeping it short. Those are prescriptive but do not necessarily need to be taken access. They can tweak it. Also, things like guidance. If you're not thinking about it, present it to your management. Every quarter, do this or do that. These are not theoretical guidance. This is practical. From our experience, Poorna and I made mistakes along the way where we have probably not communicated as well as we should have.
Over-communication is always good. We also tell them that it's also like securities and insurance. Yes, we are spending millions of your dollars. You never want to hear from us. No news from us is always good news. Making them understand that is also a challenge. Engaging your audience, whether it's from a cultural point of view, your management from an alignment point of view, your board from a reassurance point of view, takes different skills. It takes a different mindset. As a security leader, you need to quickly flip to that mindset and convey the right message. The underlying content may be the same but the message is different.
I remember the point she made in the people and organization panel that she was part of. She was a panelist at that. She had mentioned how important it is to help the stakeholders buy-in to what you're trying to do. Without it, it’s just a plan. Coming into a new role, they want us to do this. I wanted to make sure that you’re behind this plan or not. Only then that will happen. The people aspect of it is important. This is a good overview of the book. Poorna, I don’t know if you have the table of contents in the front of you. I know you touched upon the table of contents. Can we go through 1, 2, 3, 4 chapters? What are the chapters that are in the book?
From a chapter perspective, we started with an introduction of why we got together to build this community and this book and specifically, why software security. For most of us in the security world, it’s like, “Do I have to tell you to breathe oxygen?” It's obvious. We still have to explicitly write it out as a part of being comprehensive. That's the second chapter. In the previous conversation with Pavi, we were talking about people, culture, and organization. That is the first element of where we talk about and the nuggets in Pavi’s conversation is when you're talking to developers, you're still talking about security but the words you use and the context that you provide are different.
If you're talking to the board, the words that you use and the context that you're providing are different. If you are talking to your peers is the vertical and horizontal alignment within your company. The reason you're participating with other team members is important. The people, culture, and organization capture all those conversations and initiatives and how to bring the company together. The fourth chapter is about the process. This talks about security processes, automation, annual versus proactive, reactive, and everything we know that we can do in this world with security orchestration. Also, the technology. Each of us probably is bombarded with many solutions that come our way and what makes sense for each stage and size and vertical of our industry.
Chapter six is about compliance, governance, and risk framework. We touched upon that earlier. Chapter seven that I'm excited about is securing the software supply chain. This is something that is pretty new. If we do a good job of capturing all the panel discussions and all the conversations that the Purple Book Community had on this, that would be by itself worth a good read for many practitioners in the industry. Chapter eight talks about building the business case for software security. That's more the total cost of ownership. How do you seek a budget? How do you utilize the budget? What should you anticipate? It's a constantly shifting industry with tools, people, and processes that we can undertake. How should you estimate what you're going to embark on?
Chapter number nine is the capability maturity model, KPIs, and security metrics. How do we know that we are making progress? We do all these things with people and all these technical processes. We have our GRC. We secure our supply chain but how do we know? How are we doing from bottom left to top right on our graph? How do we measure? What are the right kinds of measures you should use for different stages of the company? That's another chapter I love. I shouldn't pick favorites. This book is great.
Finally, chapter ten captures everything we talked about. If you did not remember anything, what are some key takeaways that you should walk away from this book? What are some immediate next steps you can take from wherever you are? There are some things that are true. It doesn't matter which stage of your company or which situation you end up in, some things are true. What are some key takeaways and steps that you should anticipate from this book?
I'm not sure if we will end up adding more chapters. It is probable. The key takeaway is the chapter where we would include resources. Over the course of our careers, we have done some open-source templates. The Security Champions that I did at LinkedIn were open-source. Presenting to your board and audit committee, that's open-source. We will include that. More of us have a lot more resources like that. We have tweaked it over the years to make it almost workable for anybody. We'll add those resources. Since this is all in a digital format, it's easy for us to do a V1, V2. Keep refreshing the content. Keep the content up-to-date and hopefully, it will be easy to navigate as well. The community will only grow and also have a quick way to tap into the human resource to say, “How do I do something?” All of that is going to be possible with the Purple Book.
Especially the key takeaways, it's important what you do with what you learn from this book. This is an ongoing conversation. This book is a starting point. The community that we are building is where the rest of that conversation continues. For people who’ll join this community, there will be a private social network focused on community members where people will get to talk to each other, learn from each other, seek help from each other, and advise each other. That's something that will be there as well.
For more details about all these things, www.ThePurpleBook.club is the place where you can find more information. We are at the top of our year. Thank you very much. Time flew off. We had a lot of fun knowing your personal stories and then telling the stories about these things. I know I can have another episode focusing on each one of your journeys. I hope to do that soon here. Thank you so much, Poorna and Pavi. I appreciate it.
It’s our pleasure.
Thank you for reading. Building secure software is in our hands. Every step we take in democratizing that process and sharing it with all will certainly benefit us all. To learn and to join us at this moment, I welcome you to join our community at ThePurpleBook.club. If you found this podcast helpful, we will be thrilled if you share it with other people that you think will benefit from reading it.
- Good Money
- Who Would Win? Tyrannosaurus Rex vs. Velociraptor
- Security Champions Program - LinkedIn
- Upendra Mardikar - LinkedIn
About Poornaprajna Udupi
(aka Poorna Udupi), Chief Technology Officer, Good Money
I am an engineer who is very passionate about applying myself to new contexts and challenges in product development. I am skilled and most excited about working with startups and early-stage companies.
We are building the first socially conscious banking platform committing 50% of annual profits to actively protect and restore the environment, fight for social justice, and expand ownership to every member.
About Pavi Ramamurthy
Chief Information Security Officer, Upstart
Pavi is responsible for Upstart’s overall security strategy as well as driving and managing security initiatives across the Corporate and Product platforms. She also oversees Security Operations in addition to managing compliance certifications, third party risk, and providing security assurance for Upstart’s investors and bank partners. Pavi has close to 26 years of experience working in the software industry with more than 15 years in the security sector. Her previous stints include Anaplan, LinkedIn, VMware, Determina, Vitria Technology and 3Com. Pavi holds a Master’s degree in Computer Engineering from Santa Clara University and a Bachelor’s degree in Mathematics from University of Madras, India.