Les Correia’s Perspective on The Purple Book Community

The speed of software releases today jumped from only once or twice a year to almost every month or every day. This poses a challenge for developers to come up with proper software security measures while keeping up with the rapid demand. LingRaj Patil sits down with Les Correia, Global Head of Application Security at Estee Lauder, to discuss why a big mindset change is needed for the software to become truly secure. They talk about how the Total Quality Management movement revolutionized the Japanese auto industry from being perceived as makers of substandard cars to becoming globally recognized in quality. Les also shares how the Purple Book Community feels like a family, where people can speak their mind, learn something from others, challenge each other’s thinking, and give something back to the group.

Listen to the podcast here:

Les Correia’s Perspective On The Purple Book Community

In the increasingly digital world that we live in, building secure software is important for us all. As personal safety and security are fundamental needs, we at the Purple Book Community believes digital security is a fundamental need as well. This show is part of the Purple Book Community, a community of some of the world's leading security leaders. In this show, we host thought leaders and security practitioners to tackle the monumental challenge of building secure software. Our goal is to bring informative and insightful discussions about securing software, sharing challenges in doing so, and promoting best practices that will inspire you to take action. I'm based in Silicon Valley, California, the hub of technology innovations. As you may well know, the pace of software development has accelerated dramatically going from once-a-year releases to releases every month, week or even hourly in some cases. This certainly has made it more challenging to secure that software.

Leaders from the Purple Book Community are also writing The Purple Book of Software Security. This will be a how-to handbook for anybody looking to build secure applications and products with insights from top security practitioners. This book looks at case studies and best practices from startups to Fortune 10 corporations. No matter the size and maturity of your organization, this book will provide something for you. This book will be released in the third quarter of 2021 and will be offered free of charge to all for the benefit of software security. You can find out more about it at ThePurpleBook.club. We invite you to come and join us to be part of this community and be part of the dialogue around securing software.

Our guest is Les Correia, the Global Head of Application Security at Estée Lauder. Welcome, Les. We met in January 2021 and you came on board. Les is a co-author of The Purple Book of Software Security. Time does fly. It's been an incredible experience meeting you, knowing you and learning from you. I'd love to know what your experience has been being a part of this community.

That's a loaded question. It's difficult to explain this. At the onset, you’re in a core team that I met. Brian, you and Nikhil shared a story, which is enticing. It was right to the heart. The experience by itself is quite big. For the longest time, I've been thinking of writing a book because I was asked to lead the application security space, moving out from architecture, engineering and ops. Since I was asked to lead, I started working on an assessment and the vision as you go. Frankly, I was thinking, “This is an apt time.” There are lessons learned on how you get a buck, but I was looking for something where I could share and co-author with if anything but I couldn't get that a-ha moment where it's like, "This is exactly this." It was back and forth. In a short nutshell, that’s what I could expand upon further if needed.

You’ve been with the community for a few months. What's been your experience engaging with the community and the different leaders who have been part of this community, those discussions, and things like that?

The community itself feels like family. That's why I'm so grateful to the team and particularly, Nikhil because he said, “Come and join. See what it is and you tell me after.” At the first meeting, I was like, “Let me go join this meeting and see.” It felt like family right away. Everyone was sharing ideas. It was from the heart. We challenged each other. I told you I had that dream of writing a book and looking for a co-author. I said, “This is what the doctor ordered. This is exactly what I was thinking.” This is something that I don't know if you had the plan of asking me.

First of all, I'm indebted to all people who came before me. You always learn from each other and our communities. This felt so different because we not only had leaders but also practitioners. It's a mix of folks that we agree with and sometimes, we disagree. It was almost sitting at a table and we were discussing our experiences. We’re not talking about confidential stuff but just expressing ideas. I like the way we broke things down. I say we but it's all of us because we had ideas and we challenge ourselves pushing us further on, “The next meeting, you're going to have this. We've talked about this so please come in.” There are different panels and challenge each other.

‍

We had practitioners from various startups to large multinational companies to product development, which is crazy. Depending on which industry and I missed a lot more, each of us thinks slightly differently. We have different challenges. We all seem to want to share this so that the industry will get better because otherwise, you find books that talk about tooling and not missing a large chunk of the process part or all these other areas. I don't know if that was the intent of asking me further.

We will go into the details of the panel discussions that happened themselves. I echo your sentiment that it feels like family because we are an informal group. We come together, there's a topic, we talk about it, we have fun and we laugh about it. That's the experience that I felt too. I'm happy to know that it was like a homecoming to you.

It resonated and not only that, but something that is missed out also and is easy to miss out on is most people will talk about things. We take time within the community to write it down and to articulate. We said, “Let's make it into a book.” It's the first of a living book. This is the vision that I thought came out of it. One of our other community members shared, “You have this book and twenty years from now, you open it and it's still current.” The foundation was laid and things will change. We all know things will change, but there's foundational thinking not just for one-dimensional tooling and all that stuff, but all those other dimensions.

I like the way the table of contents has evolved over time. I was talking to Poorna who is a part of this community. He talked about how we started out with how people process technology and the environment as the chapters. As people came in, they brought in different perspectives, we realized there are so many different dimensions to solving the software security problem, and then it became a ten-chapter book. It's quite comprehensive. People are bringing in their skillsets. For each one of those ten chapters, I can see 2 to 3 people who are experts on it. The community is loaded with so much talent and experience in each one of those areas. That's what I love about it.

I said that on the first day. I'm impressed with some of these folks and the way they communicate their ideas. The others are more inward and introverted but when they speak, it’s different. These are the topics I’m talking about here, business cases that we felt was important, supply chain and how that factor in and why it's important, and metrics. It was beyond all that, so thank you for that.

Before we dive deeper into the book, I always ask the guests of the show about something personal. Can you tell me one personal experience that has shaped you to be the person that you are now?

I've got lots of bad experiences.

Almost everything is software these days. They used to be built in standard. Now, something is code.

There are no bad experiences. They're all experiences that you learn from.

I'll tell you my opinion because I might have an opinion that somebody might not agree with. I tend to have cultural empathy. That's a strength of mine, as well as pushing the envelope of challenging any herd mentality. It's a gifted skeptic. I challenge everything. In my parents' units when I was young, I would try things outside the box.

I see you do that to the community.

The reasoning for that is because I've lived across four continents in eight countries or so. That forces us to think differently and have that empathy because we otherwise think of, “This guy is brilliant because he's got a big IQ.” It's that empathy part or the EQ part that is important now.

It’s interesting that you said you had lived in eight countries.

There are a lot of countries. That's where I lived and then I traveled because of work. Four continents, in Africa, that's where I was born. In India, the Middle East, Europe, Cyprus, Portugal, England, Canada and the US.

Those are very diverse cultures.

‍

You travel because of other things. I don't know that any one of us is any different from each other. It's just that we tend to work. Things are only difficult when you don't know about them in life. Once you figure it out, “This is simple,” and you go on to other things. I'm going to tee off into something. That's why I like the idea of sharing and communities because you share on and then you can move on. People don’t keep asking the same things and learning and all that stuff. That's my general thought process anyway.

Maybe I took you off track here a little bit. You're saying that your experience living in different countries has given you empathy for different ways of life and different perspectives. You try to bring that to any community that you're a part of and I’ve certainly seen you do that. In The Purple Book Community, somebody makes some statement and you nudge them to think, “Why is it like that? Can it be looked at differently?”

That's my belief. That's what I think of it. People have said that and I tend to challenge that, so that's why. At the same time, everyone's got an idea. Whether they’re new, old or novice, everyone's got an idea that maybe we can learn.

That seems to come in handy for the community that we are in because one of the things that we realized early on when we started writing this book, The Purple Book of Software Security, was the sheer diversity in the companies. There are ten people startups. They are building software and they need to secure it and they're not even thinking about it. How do we come up with some practices, processes, and technologies that they can use to secure their software? We have Fortune 10 companies with tens of business units in them. How do you secure them with so many different application types and cultures within those companies? What are the people challenges, process challenges and technology challenges were like?

It's so energizing being part of this community. You find the time. Somehow, all of us are busy. At the end of the day, who wants to go into another call? When we meet, we’re sitting at the table, laughing it out, joking around, and sharing these ideas, poking holes and stuff like that. We come up with some method and we write it down. It became a chapter and then you've added more chapters. I know you were the backend adding more chapters, the notes, and all that stuff from the meeting.

In terms of the time that's been given, it’s phenomenal the amount of commitment that we're seeing from members. There are times when we are meeting twice a week for 90 minutes each and the attendance was still very high. People were joining in at 5:00 Pacific time or 8:00 Eastern time and they’re posting the meeting.

There are folks from overseas as well, so that is also a factor. I was joking around in one of our meetings. I thought the meetings are going to be short. The next thing, it's twice as long because we’re engrossed in this whole thing. We forget and we lose track of time.

You can use tooling as best as you can, but you need to change your behavior.

Going to the book, can you tell what have you learned or gained from being part of this community?

Getting perspectives because of the diversity within it. Diversity in terms of leadership and people who've led big organizations within the space, as well as practitioners and so on in how their lessons learned and their stepping stones. That's the biggest strength besides the communications and even the camaraderie that we built. For years to come, we’ll be friends and we can talk with all the community members like, “I know so-and-so.” You feel like you don't even have to ask.

One of the things that I get asked is The Purple Book of Software Security and software security seems like such a loaded term. People talk about application security, product security and DevSecOps. For our readers, can you give your perspective of what software security means and how these different terms are interrelated?

You alluded to commoditized hardware, software and cloud deployments in this whole cycle. Now, almost everything is software. They used to be built in standard. Now, something is coded. That is the crux of the problem. We build servers to code. We do things manually. Automation is another big thing. For us, speaking now for OpsSec, it's more than just DevSecOps. It's the COTS stuff, the Commercial Off-The-Shelf products or products that you bought. How do you deal with that? That's a security function.

It includes managing the lifecycle, licenses, end-of-life and what happens when you do vulnerabilities. Once it's in production, how do you bring it back? It's those ideations and all the suppliers that go with it as such. It's people, process and technology, but it's more than that, which is in the book. Each idea with how startups, product developers or multinationals think about it, and even multinationals that build products. Sometimes, I'll call it silos because maybe politics is a bad term. Those areas are how you deal with it, so we try to explain that. It's end-of-life configurations, vulnerabilities, remediation and so on. That's the way I envision applications.

It's not just applications as one thing. It could be hardware because even hardware is turning on how you build it in. It's part of that whole cycle. As we digitize, it's getting even crazier. We communicate through APIs, for example. There are hundreds and thousands of API calls around the environment, and then within each SaaS or application. Those applications target behind-the-scenes to other products. You need to be aware of the security that goes with that because of marketing or otherwise, it could be information being shared. We have to be cognizant. I hope I've answered that as best as I can.

That's quite a good perspective there. You’re a global head of application security. You have worked at various companies and interacted with other people. In your mind, if you were to list three things that make software security challenging, what are those things?

‍

The hardest one is people and changing behavior. We all talk about things. You can use tooling as best as you can, but you need to change behaviors. I'll say it from a perspective of a larger company but it could be across the board. In our case, it’s grants, regions and functions because it's money too. When the money comes in, somebody wants to build right away. If you're strapped with using other outsourced vendors or whatever, you've got that other challenge, so it’s standardizing and creating behaviors.

Organizational change management is a big thing, at least in our space. You have to start breaking down the silos and collaborating better. It also inculcates that old agile thinking which is training. Agile goes across even project management and change management. If you don't look at it that way, you will end up looking at fully tooling. You're assuming that the tool will do something for you magically, which will not. To me, people are the hardest. I'm just summarizing but we can talk at length about that.

We all speak in different ways. Creating communities within your organization includes business people so that they understand ops, dev and so on. We share ideas. Let’s say a security person sits with their business folks and you understand the business thing, a day in the life sort of thing. You're creating this community and in the end, they ended up being champions for you anyway because they are cascading the ideas of why we do the things we do. It’s almost like shifting. That way, we’re creating that awareness.

I agree on people being an important part of it. That's why in our book, the first chapter of The Purple Book of Software Security are people, culture and organization. We believe that's where the whole thing starts. The process is done and managed by people, and technologies are then used by people. I agree that people are such an important part of this whole story. You said that's the challenging part. If you were to list three things that can help overcome people's challenges, what would those be?

It's awareness. The way you build awareness is by creating security communities, if anything, to cascade. It's one of the hardest things. Usually, there's friction, even though you shift left and all that. Each development will have certain priorities and all that stuff in terms of speed. Even though you shift left, you still need to create that empathy of people understanding why we need to do these things because otherwise, we only react when it's too late. Community is a big thing. We are trying to introduce that. The security person as part of that governance must sit together with business folks and spend time with them to understand the business much better. At the same time, they sit with us and they can understand why they do the things they do in business language. This way, it improves business technical things. Similarly, there are business dev, security dev ops, so on and so forth. That’s one aspect.

The overall organizational change management is the leadership thing. Leadership must agree that this is the way we will change behaviors as a company. If you do it at a lower level, you will keep talking and try to do something but then, business has other priorities which are not necessarily covered. You need the organization to change behavior to even transform to a new way of doing things at speed and all that. If it comes from the top and you got that buy-in, start changing things. Their own way of doing change management, for example. The big thing is organizational change.

I’ll give you 2 or 3 examples but I’ll say maybe change management. When we go through committees and the board, that thing takes forever. In the meantime, developers are stuck or our methods of security vulnerabilities go through something and somebody has to approve it and all that. You can automate but you still have to have ways of doing it. Make the change, log it and move forward. With the most critical, you probably need to have some form of approval. That behavior change is odd. That’s the organizational policy and then there are things in between that.

If you don’t have proper policies in space, you will always be talking at such a high level no one could relate to.

Policies should be set in place. Policies for everything, including what can or cannot go into the cloud, for example. If you don’t have that, you will always be talking at such a high level. You have to have it written down. Our ideas from the book, they’re ideas but then we had to write it down, stuff like that. Each group, whether they’re large multinational, you’re in product development, you’re a startup or different, will have its own idiosyncrasies. That's what I like. It's our stories of how we can get about it and the shared vision.

I like that you brought up empathy, which is important. The other one is buy-in from the leadership, which is important as well. For us, if you see in any other part of engineering, safety and security are built-in. When a car is made, there are all kinds of safety and security measures put in. When a house is built, all kinds of safety and security measures are put in to make sure that it’s engineered in such a way that it just doesn’t fall apart or people can’t get in. People still find ways to get in but the thing is they’re all factored in.

When it comes to software, sometimes security seems like an afterthought. The fact that we are in this race to release software sooner and quicker makes it even more challenging. We have gone from releasing software. I remember when I was a software engineer, we used to release software once a year or maybe twice a year. We are at a time where every month, every week, every day and sometimes every hour software gets released. How do you make security a part of it? How do you get leadership to buy into that concept that security is important?

That's been a challenge. That's why we need to educate when I say awareness that security is everybody's responsibility. Tim Deming came up with this in the forums. Security is quality, then the Toyota guys got to move with it. It's quality and it's to inculcate that thinking that it has to be part of it because otherwise, you pay twice as much trying to sort that problem out. Either you pay it by reputation, by being exposed or you paid otherwise. That's why organizational thinking has to start from the top and you have to educate because sometimes as technologists, we have to be better at explaining it to the board in terms of business. You have business advisors, in the end, to be in that space. That's my two cents on it.

The example that you gave of how the Japanese automobile industry turned around. If you go back many decades ago, Japanese products were not known for quality. They were substandard. At some point, they realized, “We need to rework this.” There are these great stories about Tim Deming. He didn't get the buy-in here in America’s automobile industries. He went there and took every word that he was saying and implemented it to the core. The whole TQM, Total Quality Management, became an integral part of their car making. Over a period of time, they have become synonymous with when you say quality cars, you talk of Japanese cars. When you talk about longevity, you look at Japanese cars. That's an excellent example from another industry where a mindset shift happened that can be brought to this software security.

This whole concept of quality and building it is a change of behavior, OCM. Inculcating that behavior in the way we do and build things.

One more thing about TQM in Japan, they didn't stop at quality at their factory. They went to their suppliers and said, “If you want to be a supplier, you need to meet these standards. These are the rigorous standards that we're going to hold you to.” That meant it's not just Toyota but it's even the OEM manufacturers that were supplying to that. It's such an important and relevant aspect of the software with all these attacks and supply chain concerns coming up that an executive order had to be passed to make sure that we adhere to those things.

‍

You've probably said it in that sentence, the whole supply chain thing that comes up is a fact. Now, we’re trying to scramble backwards. We should have proper third-party risk review and all that stuff. These are fundamentals. Many years ago, it's only now that we have to change our behavior.

When we talk about supply chains, even though there are upstream vendors who supply to us, then there are these downstream customers who we supply to, we become part of the supply chain. How do we make sure that the whole thing lines up? I was having this discussion with Cassie Crossley from Schneider. She has been evangelizing the importance of software bill of materials for a long time. When SolarWinds happened is when people started thinking, “Cassie you have been talking about this. This is important.” She was talking about the importance of let's say a problem happens in software or hardware, you should be able to then track it all the way to the source of where that happened. In nowaday’s open-source world, many times, there is no mechanism to track it.

That's a shame because there are some people who are dealing with this whole concept of the bill of materials. It goes to even bill of materials of APIs. Many companies will not even have a clue of how many APIs they have internally in the software industry because they're using it. Things had changed, some have gone owned and exposed. There are third parties that we are communicating with the SaaS application, this COTS that I was talking about. There are marketing stuff and regulations. There are many aspects that you talked about. That's true.

Talking about the bill of materials and executive order that came around software security, do you have an opinion on that?

That's good hygiene anyway. Within our company, we've already started working, and I'm speaking for our company. We've already started taking these strong reasons to have the bill of materials of only open source that we have. Even the concept of open source might have been said in many ways. People say open-source license. There are licenses involved there. You got to get legal involved because sometimes when you use open source, you are obliged to keep your code open as well. You have to be careful of what kind of licensing there is involved, but then have that bill of materials. As something changes in one of those open sources, you're tracking all this vulnerability so that you fix them when they are already in production and all that.

The other aspect we've started doing is the API bill of materials. I'm saying this as an industry. I told you about SaaS talking to another SaaS. We have a relationship with Office 365 or Salesforce or whatever, but Microsoft and Salesforce or not a company. They might have communications with some acts because those are business relationships. I started with some other vendors and all that stuff. They might be sharing things at the backend that you don't even have a clue about that's been shared. It's a complicated problem. Maybe you need tooling in order to work it. This is exactly what's happening. It's virtually impossible unless you have some kind of automation. I know that some of you guys are working on all the automation of stuff. I don't want to get into the sales pitch of that. What's important is to find out what is changing and bubble up the important things because it's happening at the speed. That speed is not like the old days where you spoke about it once a year or two. I grew up in that world of thinking, “This is happening. It's speed and people don't have time.”

That’s an appropriate observation. The complexity of the problem that we are dealing with is so huge that you can't deal with it without automation. Automation has to be part of this whole process. Les, in the book, we talked about different chapters. We talked about ten chapters and then specifically, we started off with people, process and technology. Do you have a perspective on what are those chapters and how to look at those when we're looking at software security?

Security is a shared responsibility. It's not anymore about one department because that's a myopic way of thinking.

We have perspectives and I want to highlight that because I encourage everyone to read this. Each of us had our own perspectives of different things. I'm not saying that we were all right or wrong, but we had a perspective depending on which side you were coming from in business or whatever. DevOps or DevSecOps both embrace agile transformation. There are many processes and cultural aspects to it. There are many ways like we mentioned about the governance and how to reduce function by creating these communities as an example, including business development, IT, operations and security.

Also, we have to bombard the idea of security is a shared responsibility. It's not anymore one department because that's a myopic way of thinking. For example, you leave the house and you lock the door. There are fundamentals. It's not like your child does that or your grandmother does that. Something like that is normal. I'm not saying, in general, everybody has to start thinking that way. From a process thing, this is difficult. I'm not talking about the training and the other thinking so I leave that aside because that's an assumption.

From a process perspective, you need to do certain things anyway. It’s not enough to see if you follow us or follow something or the other. You have to build minimum standards within your company. I'm sharing this because we've set out in different ways in the book but in areas in terms of privacy and security, you can refer to different standards. There are certain minimum things as a company. This is what you will follow. In our case, it will be global so we have different regional aspects to it.

Put the context of agile both in change management, project management and communication itself. In communications, we spoke about ChatOps or some way of how we communicate. From a technology perspective, that's the most said in industry. Even today, when we talk about SecOps, each one will tell their own way. Make sure that the tools that you get can orchestrate, integrate, automate and discover. Those are the fundamentals. The best is something that can work and is agile enough or adaptive enough to bring this all together. That's about it.

More details are in the book, some of the case studies that you mentioned, and the different perspectives. One of the things that I like about the way the book has evolved is it has different chapters. Within those chapters, people would have perspectives from a startup, a fast-growing company, an established company and a company that does a lot of M&A because they get a lot of different IT systems and applications into the mix. That becomes complex in itself. There are companies who are having their difficulties and they're looking to turn around under heavy budget pressure but the size is big. How do you handle those situations? Those perspectives are there in the book.

I'm saying this for the leaders eventually and those who will join our community. There’s a combination. You could be an established company that has M&A and it's happening. You'll get ideas that can help you only get better. The good thing is this book is building that foundation and it's going to be living. There will be a sequel to it if anything. At least that's how the community envisions this.

We started with a group of about 30 security leaders. Now we want to expand it and invite other broader community's participation. We’ll have a private social network, the mighty network that we have, where different members of the community will be there and we'll have a vibrant discussion on different topics. Somebody may come and say, “I am facing a challenge with this particular aspect, people implementation, tool implementation or process. Has anybody been there and done it? I would love to talk to them.” This becomes a tribe where you go for answers for some of the problems that you're having because somebody's been there and done it already. That's one thing.

‍

In this day and age, attacks are happening bigger and more frequently like SolarWinds. People are trying to figure out, “What does this means to me? I am a midsize company or I'm a big company. What does this mean because I'm getting asked? Are we protected against SolarWinds?” This community becomes your network or a therapy group where you come for advice. You discuss among the group to figure out how best to respond to something like SolarWinds or something like the Colonial Pipeline Attack that happened. What does this executive order on software security mean to us? There is this set of peers who can brainstorm and come up with some advice on that. It's been a pleasure having known you for months. I look forward to more engagement with you. We have this community. I'm excited. Maybe there will be a lot more talented people like you who will come into our community and make it interesting to answer questions. Thank you so much.

Thank you. I am indebted to the whole community and the environment as well as many of those who came before me. We should always acknowledge them because they've had these ideas and they’ve shared them. My growth has been communicating with a community beyond work. That's it.

Thank you.

Thank you for reading. Building secure software is in our hands. Every step we take in democratizing that process and sharing it with all will certainly benefit us all. To learn and to join us at this moment, I welcome you to join our community at ThePurpleBook.Club. If you found this show helpful, we will be thrilled if you share it with other people that you think will benefit from it. Until next time.

Important Links:

• Les Correia - LinkedIn
• ThePurpleBook.Club
• Schneider
• SolarWinds

About Les Correia

Global Head of Application Security, Estee Lauder

I drive business capabilities and success through cutting-edge technology infrastructure, leadership, and strategy. I am an innovative, collaborative, and visionary Information Technology and Information Security Leader with extensive experience driving business objectives, security, and compliance through dynamic technology functions and solutions.

I have a strong record of success developing and overseeing policies, programs, and scalable processes that mitigate risk, optimize operations, and improve bottom-line results for Fortune 500 and other market-leading companies. My thorough understanding of Cybersecurity, Application Security, Cloud security technologies best practices drives global security practices and data protection. I also possess expertise in Business Continuity, Disaster Recovery, Network Strategy, ITIL, Six Sigma, and Program Management planning and execution.

As an industry thought leader, I employ custom methodologies and frameworks that balance security with business agility. Based on my insight and professional success in this area, I am often requested to speak at industry conferences or to author articles that address Cyber Security, Application Security, Crisis Investigation & Response, and Emerging Technologies.

My colleagues and co-workers describe me as an approachable, pragmatic and effective leader. They praise my ability to understand business requirements and develop a security posture that sustains operational fluidity.

Outside of the office, I enjoy learning about new cultures, traveling, flying aircraft and drones, mountain climbing and photography. I speak basic Portuguese, basic Hindi, and basic Swahili.