The Voice of Cyber®

KBKAST
Episode 279 Deep Dive: Courtenay Farquharson | The Final Cog In DevOps Data Protection
First Aired: October 09, 2024

In this episode, we’re joined by Courtenay Farquharson, Founder and CTO of Backrightup as he explores the critical importance of robust backup plans for businesses, especially in the face of rising cyber threats like ransomware. Courtenay also talks about the balance between security investments and business profitability, the impact of human error in DevOps, and the ‘shift-left’ security approach that integrates security early in the development pipeline.

Courtenay Farquharson is the founder and Chief Technology Officer of Backrightup and has over 20 years' experience in cybersecurity, backup and DevOps specifically. Backrightup was founded by Courtenay Farquharson in 2021 to address the data protection, compliance and business continuity challenges of storing your important code and associated metadata in the cloud (GitHub, Azure DevOps and GitLab).

In a world where unintended cloud data loss scenarios like UniSuper in May 2024 are a very real possibility, Courtenay is passionate about educating organizations in shift-left DevSecOps processes and integrating backup into the SDLC together with other Developer Security Platforms (SAST, ASPM, etc.).

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Courtenay Farquharson [00:00:00]:
Data’s becoming such an important attack point from an attacker’s point of view. It’s also, in my opinion, of primary importance to actually protect the code itself, right? Protect the data too. So implement the security practices, but also protect the data.

Karissa Breen [00:00:31]:
Joining me today is Courtenay Farquharson, CTO from Backrightup. And today, we’re discussing the final cog in DevOps data protection. So, Courtenay, thanks for joining, and welcome.

Courtenay Farquharson [00:00:44]:
Yeah. Thanks so much for having me here.

Karissa Breen [00:00:46]:
Okay. So I caught up with you and, I think, your colleague a fair few months ago, and we were talking about, like, what we were gonna discuss on today’s show. So I wanted to start right there with the whole term shift left in security that we often hear people banging around. It’s written in a lot of content that we see online, and people talk about it on social media. But I sort of feel maybe, perhaps, you know, people’s eyes glaze over once they start to hear that term. So what are your sort of thoughts on the whole shift left approach?

Courtenay Farquharson [00:01:18]:
Yeah. It’s a great question. I think there’s probably a lot of terms in the sort of cybersecurity world that result in people glazing over. A lot of acronyms and phrases that people, especially companies as well, kind of make up, but sort of overwhelming. And even as a tech founder myself, I struggle understanding what the various options do, you know, sort of like ASPM and app risk and IaC and SOAR, and there’s a lot of stuff being thrown at CISOs and CTOs, you know, and every security company is shouting on LinkedIn about them. So, you know, it’s trying to cut through the noise. The way I sort of think about shift left security is, you know, when you’re a CISO or a CTO, you really want to understand what the threats are and how well you’re covered as a company.

Courtenay Farquharson [00:02:02]:
Right? So I’ll borrow from Snyk, which is a very well known cybersecurity platform. And their front page tagline on their website is “develop fast, stay secure”. And I think that’s really what you’re worried about as a CTO and CISO. So business wants to go faster, get to market, and the CISO wants to stay secure to avoid ending up, I guess, on the cover of the local newspaper. Right? So wanting to stay secure can add overhead and costs if, you know, the security is not built automatically into the pipeline of getting code from the development machine to production. And that, in essence, is the shift left security: how do we get it from the developer machine into production securely and safely? And that’s a fine balance, right? So you have to kind of land somewhere in between developing fast and staying secure.

Courtenay Farquharson [00:02:54]:
I think also the concept of shift left from the concept of security is obviously automating and building in those security practices at the beginning of the pipeline. So, you know, if we check in code, instead of having to manually check whether the code is secure as a developer, we now have tools that can do that. Right. Which is great. And so we start that security process right at the beginning of the chain. And then the concept of potentially, you know, shift left testing, which has also been thrown around a lot, would be implementing automated testing in the beginning of the pipeline. So you’re releasing your QAs and your testers from manually testing every change a developer makes and rather have a series of automated tests that run against that code to check that everything still works. So in essence, then, if you’ve implemented shift left security correctly, you know, developing fast and staying secure means you can reduce manual costs.

Courtenay Farquharson [00:03:46]:
So I guess the shift left security, it’s a bit of a buzz phrase, but it takes in so many different, I guess, thoughts and optimizations. And I think it’s always a process that you’re, you never arrive at the end of shift left security. So, there’s always more vulnerabilities found every day. There’s always more automated testing security could introduce, but then you end up developing SOIs that pipeline security is too slow or reverse or over engineered. So yeah, I think the CIOs’, the CISOs’ and CTOs’ core job is to make sure that over engineering the shift left mechanisms doesn’t occur either. And every minute of developers waiting on the pipeline costs the business. It’s a fine balance, push flow in business, which is constant.

Karissa Breen [00:04:33]:
So, Courtenay, you mentioned that with the whole shift left approach, you never sort of arrive there. Like, obviously, things are always gonna evolve and things are always going to be there in terms of vulnerabilities, etcetera. So do you think people ever think, hey. I’ve arrived, and I don’t have to do anything more?

Courtenay Farquharson [00:04:49]:
Yeah. So I think that people often bring in, well, maybe companies bring in external consultants. I mean, we even work with a couple of DevOps consulting practices that come in and reengineer, you know, and help with the shift left approach. And I think that they, you know, potentially come in there and implement the best practices and then leave, and potentially the upper management think, okay, we’ve been there, we’ve done that. But at the same time, you know, like I said, there’s always new vulnerabilities. There’s always new ways of doing things, assuming your code base is growing and growing. You know, those practices have to be implemented for the new code content maybe that’s being produced.

Courtenay Farquharson [00:05:33]:
So I think it’s an ever evolving process, especially with how quickly cybersecurity and specifically DevSecOps is changing. Yeah.

Karissa Breen [00:05:42]:
No. That’s interesting as well. And I think that this is, that’s why, like, getting people like yourself on the show to be able to have this conversation and to explain that. Would you sort of say as well that perhaps, to your earlier point, like, you know, so many acronyms and all of that, do you think that people just maybe think about this whole shift left approach as, oh, it’s just another thing I’ve gotta add to my never ending to do list, and then sometimes people just don’t quite get around to it?

Courtenay Farquharson [00:06:06]:
Yes. I think so. I mean, it’s because it is quite vague, you know, you’ve had other guests that I’ve heard on your podcast talk about shift left, and I’m sure they talk about it very differently to what I would, maybe. So I think the concept of it is different to every person. And so, yeah, I mean, that’s always the conversation that should be ever evolving, but potentially isn’t. You know, it’s not black and white. It’s not like implementing Office 365 or implementing the ERP and then being done with it.

Karissa Breen [00:06:36]:
So, Courtenay, I want us to switch gears now and flip over into backups. Now perhaps, you know, backups is one of those things that maybe, you know, people think it’s not the most interesting topic, for example. But, also, I think it’s one that people seem to perhaps forget about, or it seems to get relegated a lot. So maybe talk to me about your thoughts here.

Courtenay Farquharson [00:06:57]:
Yeah. It’s a good one. I mean, running a backup company, I try to make it exciting, but let’s be honest, it’s a bit of an insurance policy. I suppose it’s been around since the dawn of time in that, you know, people have been producing applications and sort of on premise kind of stuff and backing those up, to, you know, today where companies are backing up code also in the content, right? So in Office 365, for instance. So now with that shift of workload, say in a company that may have had like an email server sitting on premise somewhere, they’ve now accepted, you know, that a lot of that needs to move to the cloud in order to offset, you know, maybe the maintenance that you had with on premise services. The next question then is, okay, if it’s in the cloud, then is it backed up? And so there are countless companies that would assist in backing up, say, your Office 365, your Salesforce, your Gmail, your G Suite, or whatever it is, there’s a lot of companies that will help you out and implement these backups for you in that space. And so, you know, I mean, it’s relevant, right? So we’ve seen, say, the UniSuper debacle where Google, and I’ll quote this one, said that the disruption arose from an unprecedented sequence of events.

Courtenay Farquharson [00:08:13]:
So if those unprecedented sequences of events happened more often, and there’s stories also in Australia where countless ransomware attacks have occurred on Office 365 data, like email, you know, Word documents, things like that, where attackers use, say, like email phishing to get access to employee accounts and then to Office 365 data. They encrypt it and demand a ransom for the data. So if you have an unencrypted backup, well, then, I guess, at least you have options. Right? So do you actually need to pay that ransom if I’ve got another backup of that data? Sure. Your ransomware attacker might use the data, but at least you can get it back. So, yeah, I think backups are definitely relevant. The next question, you know, I mostly ask people when it comes to code is, because predominantly we find that companies come to us, they back up the Office 365, but they don’t necessarily back up the GitHub or Azure DevOps. And so then the question I ask is, well, if you think your Word document or email content stored in the cloud is important, then why would your code content stored in the cloud not be as important, right? So code repositories or metadata around that code, GitHub or Azure DevOps, why is that not equally important? I mean, I’d even argue that you likely paid more for your code content than you did producing Word documents, right? So content and types are generally backed up in whatever system or format it is in.

Courtenay Farquharson [00:09:39]:
And so the code and the associated pipelines and work items and tasks and all that kind of stuff is, I guess, just as vulnerable as your Word documents.

Karissa Breen [00:09:48]:
Okay. So you said when, you know, when you’re asking people around, you know, why wouldn’t they back up their repositories, like GitHub, for example, what do people say to that?

Courtenay Farquharson [00:09:55]:
Yeah. That’s a great question. Right? And it’s a very valid one too. I think probably the most common reason we hear is because engineers, and potentially even management that may have an engineering background, will say that the Git system is decentralized. So really what that means is when the team works on code, let’s say you and I, we work on a code repository. I pull it down from the cloud to my local machine. And then so do you. Right? And so we both work on it.

Courtenay Farquharson [00:10:26]:
We both have a full copy of the code and all the history that’s occurred. So really, if I got hacked today and everything was deleted, you could come to, you know, you or I and say, okay, let’s restore that from the local copy that we have on our machines. And so people and companies feel confident in that. Right? So they’ll just, you know, say they lost everything. They’ll just go to their local, they’ll just go to the developers. Right. But you can kind of foresee the holes in that. Right.

Courtenay Farquharson [00:10:53]:
Because how does that scale? Let’s say I have 2,000 repositories of code. Let’s say you have a code repository for a mobile application that no developer has touched in 2 years and somebody comes and deletes it. And every developer since left the company or, you know, got a new laptop, now you’re a little bit, you know, I’m shit, now you’re a bit stuffed, right, without the backups. And then what about all the issues, you know, if you lost those, because all of these code platforms, they track the issues around, you know, sort of like a Jira where you’re tracking the tasks around developing code. And then all the pipelines, sort of, you know, effectively you would have spent maybe hundreds of thousands or millions implementing these, you know, secure coding practices. And so, you know, definitely valuable to back those up. Right? And I think sometimes people overlook the edge cases in terms of backup.

Karissa Breen [00:11:47]:
Okay. So there’s a couple of interesting things you said before that I wanna revisit, and mentioning, more specifically, the UniSuper case. So maybe what you can do is provide a little bit of an overview for people who aren’t familiar or for people who live overseas and, as you know, aren’t as exposed to that situation. And then you mentioned before, you know, unprecedented, like, sequence of events, but what we are often seeing in the market, as you would know, like, these things are becoming pretty common now. So it’s not like it’s, oh, it’s unprecedented. Like, it’s just happening. What would be your thoughts then on the exploration of the UniSuper and then, you know, people sort of trying to perhaps sweep these sort of things under the carpet, because these things are becoming really common now with large companies as well. So it’s not like, oh, it happens once in a hundred years.

Karissa Breen [00:12:29]:
Like, it’s

Courtenay Farquharson [00:12:30]:
happening quite frequently. Potentially, like, even from a political standpoint, we won’t go too far into that, but the sort of security and cyber side of things is a very interesting attack point for any company these days. You know, 20 years ago, hackers may not have thought about, or malicious people would not necessarily have thought about attacking a company from a code point of view or content point of view. Right? So they might’ve had to try to manipulate companies in, say, you know, invoice scams or things like that. Right? But now with people’s content all in the cloud, it’s becoming more and more prevalent. Right? So if you look at the UniSuper case, you’ve got people’s super accounts, you know, let’s say, you know, my balance, right, which is just a number, and it’s a number in a database. Right? So if that disappears, it almost feels like it’s your word against mine as to how much is in there. Right? So it’s becoming more and more prevalent to be able to have backups for this kind of content. And, you know, that critical infrastructure that affects everyday consumers is all there in the cloud.

Courtenay Farquharson [00:13:38]:
So I think, you know, from a backup standpoint, it’s very important to back up that content. And then also, you know, the applications that actually support that content and, of course, the code that supports those applications.

Karissa Breen [00:13:52]:
And then you mentioned before as well, Courtenay, that UniSuper were lucky to have backups of their backup, but I’m assuming that companies don’t have that at all. So in this particular case, just say they didn’t have that, what would have happened?

Courtenay Farquharson [00:14:03]:
So if they didn’t have the backup of the backup, I don’t know the intricate details of that particular case, but I do know that the UniSuper CTO relied on a third party backup, which may or may not have been Google themselves. But what we see in the market is, and what Backrightup provides is, 3-2-1 backup. So really what that means is that people or companies back up their code, say to, let’s say I’m running Azure DevOps, right, which is a Microsoft product. I might back up my code to Azure, but what happens if all of Microsoft goes down? Right. You know, wouldn’t I want my code elsewhere? Wouldn’t I want it in GCP, like Google Cloud Platform, or wouldn’t I want it in AWS? So what we’re seeing more and more companies wanting to do is to have a copy in Azure and then have a copy in an alternate, I guess, data provider. Right? So that really offsets that risk.

Karissa Breen [00:15:05]:
Yeah. Okay. I think that makes sense. Because this is more so, I’m just seeing the average sort of company, right, and their maturation around these things. And sometimes not having, like, having a backup of a backup like that, you know, a lot of people probably aren’t even in that position. They think, oh, we’ve got a backup. Maybe it was, you know, backed up a couple of months ago. Maybe it’s that.

Karissa Breen [00:15:24]:
But, you know, you’ve probably seen cases in your experience where people aren’t doing that at all. They’re not doing it as frequently. Like, what do you think, perhaps, where people go wrong when it comes to backup? What do you think it is? Is it one of those things where, again, it’s something that just, you know, is on the long list of things people need to do, and, you know, sometimes backups just aren’t high on the priority list? So what are some of these misconceptions that you often see when it comes to backups?

Courtenay Farquharson [00:15:50]:
The one thing that people sort of see from the top, you know, they might get, say, the board. The board of the company might say, hey. You know, how protected are we? If it all goes wrong, you know, what happens? And so then they come out to the market and they say, okay. Let’s see, if Office 365 goes down, can we still recover our documents? So they go, okay. Let’s back those documents up to another provider. So they’re backing up to AWS. But then the first thing that they might not do is ever check that they can recover from it. Right? So in some instances, they try to run the restore and, not so much these days, but certainly there are cases of it previously where they can’t actually run the restoration process.

Courtenay Farquharson [00:16:36]:
And so we have companies too, where they come to us and they rely on us to not only back up the content, but also run what we call BCP testing, business continuity testing, I think it is. So they’re able to make sure that in the event that things do go wrong, they have a process to actually run those restorations, and that when they do it, it will succeed because they have been testing it, you know, months before.

Karissa Breen [00:17:08]:
Do you think people are doing that, though? Like, because that’s sort of like a nice to have, and especially when it comes to, like, the BCP side

Courtenay Farquharson [00:17:14]:
of things. Mhmm.

Karissa Breen [00:17:15]:
I know a lot of friends in the industry that, you know, run a lot of these workshops, etcetera. But from what I’m hearing is, like, companies just aren’t doing that. Or they’re saying they’re doing it, but then when something goes wrong, everyone sort of just freaks out. It’s like, well, we don’t know what we’re supposed to do.

Courtenay Farquharson [00:17:29]:
Yeah. I mean, it’s really complicated sometimes, because to comply with, I guess, certifications, like, say, SOC 2 or ISO 27001 or even APRA’s, you know, for financial companies, they need to comply with these regulations where, you know, they’re meant to be testing all of these things. But, you know, they’re not. Right? And we obviously monitor our usage on Backrightup. And I would say that there aren’t that many companies that are actually running these restore procedures. Like, we’re confident, 100% confident, that we can restore, but we don’t have a lot of companies that are actually running these tests every month. So I think your view of the market is definitely correct. I think that people are regulated to do these things, but are not actually doing them in reality.

Karissa Breen [00:18:23]:
So in terms of sort of backups in general, maybe can you give us an example of, and you can pick, you know, a type of company and industry. So give us an example of what a good backup strategy would look like from your experience. Right? So I know it’s like, oh, it depends, but maybe just give us an example so people can understand a little bit more around what your thoughts are when it comes to this. Like, what are the things people need to take into consideration that are reasonable?

Courtenay Farquharson [00:18:48]:
Yeah. Sure. I think I’ll look at it from a code point of view in terms of backing up your code, because that’s probably what I know most about. There’s a lot of standards in the backup industry, which, again, are not necessarily regulated, but are sort of best practices, one would say. So the first one that comes up quite often is immutability of backups. So really what that means is you basically create a backup and then make sure that it is read only. So you can never alter or overwrite that backup. So in that instance, let’s say an attacker got hold of that backup.

Courtenay Farquharson [00:19:25]:
They wouldn’t be able to overwrite it in any case, or if, you know, a backup provider was to inadvertently, you know, ship some kind of bug, you know, the backups don’t get overwritten. So the immutability, meaning the practice that those backups are never overwritten, is definitely a best practice that occurs and is pretty much standard now. And then the 3-2-1 backups also is another common best practice. So the idea, as I said, you know, you have 3 copies of the data, 1 in production, which is your actual data, and then another copy, which is potentially in one of the cloud providers. So if I run that backup, or run a backup of, say, a code repository, I can back it up in a format that’s easily recoverable, say to Azure or Google Cloud. And then I have one more copy, which is potentially on premise too. Right? So we support something called SFTP, which is a way for you to connect our software to, say, an on premise server somewhere. So even if the cloud version or that backup disappeared, then there would be another copy.

Courtenay Farquharson [00:20:39]:
And again, we get to that backup of a backup, right? So the UniSuper case where, you know, they really relied on that third copy. And so that’s another best practice. And then lastly, what we’re seeing is people encrypting those backups. So if a hacker was able to get to the backups, then wouldn’t it just be easy for them to download them and effectively you’re back to square one? So, you know, the next practice that people and companies are implementing is encryption around those backups, and that, you know, that can be endless too in the way that you encrypt that data and the best way for it to, you know, to keep those encryption keys safe as well.

Karissa Breen [00:21:19]:
Okay. So that’s interesting. Okay. I wanna follow this a little bit more. So going back to the 3-2-1 example on the backups, would you say generally, if you had to weight it, do you think people actually have the backup of the backup? Like, is this a common thing that, like, maybe perhaps, you know, mature organizations have this sort of approach and this capability? But just generally speaking with your experience, like, do you think people are doing that at all? Because, like I said, even some people are saying that they don’t even have a backup, let alone a backup of the backup. So, I mean, what percentage of companies don’t have the backup of the backup, for example, if you had to weight it?

Courtenay Farquharson [00:21:56]:
Yeah. Good question. I mean, I would say only 10% of our customers might be using a secondary storage, so that there’s the copy in production and then there’s one backup and then there’s a third backup. Right? So we call that the secondary storage. That, you know, is probably 10% in our case. Now you would expect in some of our larger customers that you would know, say, telcos and things like that, they’re almost always using those. But then if you look at a small software house, you know, potentially under, say, 50 employees, maybe just a local agency, I would guess that they may not even have backups at all. I guess it all depends on that risk profile.

Courtenay Farquharson [00:22:41]:
And that usually, in my experience, stems from the board.

Karissa Breen [00:22:45]:
Yeah. Okay. So then I’ve got another question as well, which I’ve asked people on the show recently. So going back to that IT outage that we experienced, now, it’s actually my husband who was talking to me about it, he saw someone on the news saying, you know, in an ideal world, we have, you know, this whole a, b, c, d, e, f, g, sort of, you know, BCP process, but then he was like, this is not feasible for companies to actually, you know, employ something like that. So, like, where do you draw the line when it’s like, I don’t know, say you turned around and was like, okay, Karissa. Well, we’re gonna have, I’m making this up, by the way, 3 backups of the backup because that makes sense and just in case something happens.

Karissa Breen [00:23:24]:
But where do we draw the line when it becomes, obviously, businesses are in business to make money. Right? And this is an executive podcast, so it’s like, if I put my security hat on, I get it. And then the other side of it, when you’ve got executives that are trying to understand security and all these types of things and writing all this money, where do we find the balance between making money to make sure our business continues, but then not going down the path where we’re just overdoing it, because, like I said, in the perfect world of this IT outage, for example, like, we just can’t have plan a to plan e in place or else businesses would just go bankrupt. So how would you sort of find the balance between that?

Courtenay Farquharson [00:24:02]:
Yeah, it’s a great question. I sort of put myself definitely on the more lean approach, and that’s maybe because I’ve run startups myself and I’ve worked for Microsoft myself. So I’ve seen over engineering. And I’ve worked in government institutions as well. And you see a lot more over engineering there. And what I mean by over engineering is, I guess, employees, and there’s this oversensitivity around, like you said, having backups of backups of backups, and we just keep going. Right? And so it’s endless, and potentially in a government situation, they don’t necessarily, and I might be speaking out of turn here, but they don’t necessarily have to be too concerned about the profit at the end of the day. They really have to be concerned about delivering a service.

Courtenay Farquharson [00:24:52]:
Right? So potentially having 5 backups to deliver Service New South Wales, for instance, is a good thing. Right? Because at the end of the day, we wanna make sure that our license data and everything else is safe no matter what. Right? So we need five backups. And then you’ve got, on the other side of the coin, like you were alluding to, you know, it’s just not feasible, and it’s just not in the company’s best interest from a business point of view to make money and then spend all of it trying to secure what you have. Right? Because, at the end of the day, that’s the way that your company will go downhill. Right? So I think the automation piece again is what we come back to. Like, if you could put your sort of, I guess, your backup hat on for a moment, implement the best practices, which a lot of backup providers provide, say, companies like Veeam or Rubrik, where just by default, they’re able to plug into your Office 365 and create two backups for you. And that’s pretty much all automated.

Courtenay Farquharson [00:25:56]:
As long as you provision your own storage, companies like Backrightup or even Veeam and others are able to just provision that storage, sorry, provision the backups within the storage that you create. Right? And that’s usually good enough for most companies. You know? And then from a process point of view, and not spending endless resource on actually creating those backups. And I think that that is probably the starting point. And then after that, you’re starting to think about, okay, could these backups actually work? But that, again, you’re not going to start spending money on somebody actually manually restoring things and checking that they work. So again, you know, that’s going to eat into profitability. So there’s a whole line of, I guess, measures, and you pick where you want to lie on that, versus, you know, the kinds of risk that you want and are happy to have as a business.

Karissa Breen [00:26:46]:
Yeah. I think that makes sense. Because, again, like, at the end of the day, like, of course, like, from a security point of view, we wanna do all these things, but it just doesn’t make sense sometimes. Like you said, some people overengineer it. Right? So it’s more about having conversations with people like yourself on the show to, yes, talk about the security element of it, but then also wanna focus on, you know, executives and what they’re responsible for. So it’s like, yeah. That’s cool, but, like, I can’t literally come to the end of the day and have $0 left because I’ve gone and spent it all on backups because I’ve got 7 of them. Do I need 7 of them? Probably not.

Karissa Breen [00:27:22]:
So I think it’s around, where’s the line? And I think sometimes, perhaps, in my experience, people perhaps get lost in the vision of what they’re really there to do, and it’s not to literally blow profits on all the technology capability. Look. I get it. But at the same time, I think perhaps you will lose sight of what they’re there to do, which is to make sure the business keeps operating.

Courtenay Farquharson [00:27:43]:
Yeah. Sadly, there is a lot of what I think is fear mongering in the security world. You know, a lot of the time people will, or companies, especially, you know, platforms will say to you, you need all these things, right? You need x, y, and zed. And if you don’t have it, you’re gonna get hacked and you’re gonna get phished and you’re gonna be on the front page of this and in what we hear all. Right? And so there’s a bit of fear tactics in there. But at the end of the day, we actually do live in a by the numbers, we actually live in quite a secure environment in terms of producing applications. Sure. Accidents happen and they come to the top of the media, but, you know, they are very few and far between.

Courtenay Farquharson [00:28:26]:
And I say this as a company in, you know, in the security environment. Right? I think that these practices are really, especially from a backup point of view, an insurance policy against things going really, really wrong. But day to day, typically, we’re in quite a safe environment.

Karissa Breen [00:28:45]:
So I wanna focus now on resources that you mentioned before, but perhaps maybe talk us through human error in managing DevOps data. Like, what does this sort of look like?

Courtenay Farquharson [00:28:55]:
Yeah. So, I mean, maybe some examples are best. We have had companies come to us. I would say they would come to an Office 365 or Salesforce sort of data protection tool where they’ll, you know, they may have let me think of an example. The first one might be in migration. So we have had a customer who is doing a migration from Azure DevOps to GitHub. They corrupted some of their data, removing it, and they had already removed it from Azure DevOps. And so we’re in a situation where they couldn’t restore it into GitHub.

Courtenay Farquharson [00:29:26]:
And so, you know, from the human, I guess you could put that down to human error. We also have had a customer come to us that thought that so they were a software house. They were working with a developer. The developer said they had given the source code to the client. Client said that they didn’t have it, and so the code had basically disappeared. They’d been removed, you know, for costs point of view from the software house. So, you know, obviously, hosting code, you have costs. So in a software house, if you remove that, and the client didn’t have it either.

Courtenay Farquharson [00:30:01]:
So from a human error point of view, I think there’s probably 2 of the examples I could think of offhand where, you know, that does come into effect.

Karissa Breen [00:30:09]:
And would you say as well with, like, automation, etcetera, it’s gonna reduce a lot of that error now? And it’s also gonna save costs. Right? Because, again, you know, people that are perhaps spending a lot of, you know, money on, like, resources of doing this stuff manually can be reduced by automation, etcetera.

Courtenay Farquharson [00:30:25]:
I mean, we run a platform which automatically searches your DevOps on a daily or even more periodic basis and finds any new content you might have produced. So first one being code, but then also tasks and work items and attachments and everything else that’s stored in your DevOps. And we automatically find it and back it up for you and push it to your storage without you even knowing. So, you know, the automation piece of that is very important.

Karissa Breen [00:30:53]:
So I wanna sort of switch gears now, and I wanna focus on we’ve sort of touched on a little bit, maybe you can go a little bit deeper into, you know, a ransomware attack, for example. So maybe talk us through this. What does this look like? And then perhaps some of the fall that you’ve seen businesses go through because maybe they don’t have a backup, and they definitely don’t have a backup of a backup. What does that sort of look like?

Courtenay Farquharson [00:31:15]:
Yeah. That’s right. So, ironically, in 2022, Microsoft themselves who run Azure DevOps, so they think about, you know, obviously Microsoft produced code. So they run Azure DevOps internally, which is their own platform. I mean, they also now own GitHub, so they own the 2 biggest code sources in the world. And they, at the time, were running Azure DevOps internally, and they had the Azure DevOps ransomed by some hackers that were able to get access to the Bing map source code. So as much as I don’t talk about fear mongering, I mean, I can tell this story to customers too, in terms of, you know, the source of your code has also been hacked. Right? So that again is not a common outcome, but is clearly possible.

Courtenay Farquharson [00:32:00]:
Right? So, and we’ve had another example of where a customer has come to us having experienced a ransom attack and sadly backup doesn’t help after the fact, right? So hacker gets in, they download all the code and then they effectively delete it overnight. So that’s what happened to this customer that came to us. They deleted it overnight. And then when, in the next morning, the developers arrived to basically no code. Of course, they have their local copies, but as I said before, it could be older repositories that have no local copies. And then, you know, once it’s deleted all, they put a price on it and say, you know, so it’s a $1,000,000. You purchase a $1,000,000 and they’ll give it back to you. Right? But at least with the backups, you’re not at the mercy of that attacker.

Courtenay Farquharson [00:32:44]:
Right? So if you had no backup, you have to pay the ransom, and then they take your money unnecessary. You don’t necessarily get that code back. Right? They can just take your money and walk away. But at least on the backup, you stand the chance. Right? At least you have that option to be able to restore from backup and take that ransom attack out of play somewhat.

Karissa Breen [00:33:03]:
And that’s a good point that you raise around being at the mercy of people. Right? And would you say, at times, people are in that position like, well, I don’t have anything else going on. So I feel like my back’s against the wall.

Courtenay Farquharson [00:33:15]:
Yes. Definitely. I mean, in the example we had a customer, I’m not sure of the full story, but I do know that that customer paid that ransom attack. Luckily, the hacker was able to give their code back. So, you know, that ended well, but I guess you don’t really know any deal with it.

Karissa Breen [00:33:33]:
And what do you sort of see moving forward now with you know, we’ve touched on the importance of backups, but then also, you know, perhaps this whole unprecedented sequence of events, but these things are becoming common now with what we’ve seen with very, very large technology players out there. So it really can happen anytime, anywhere, and look how quickly our whole world sort of came to a bit of a standstill depending on which industry you’re at, we’re in. Do you think now people have to start really focusing on this? Because it is gonna become probably a common occurrence, and I hate to say it, but it probably will. Cybercriminals are getting better. It’s easier to do things now more than ever. We’ve got AI. We’ve got automation. So things are becoming faster.

Karissa Breen [00:34:12]:
Is this something that people do need to start to pay attention to? Because as we’ve seen, our whole society can stop very quickly when something goes wrong because it is a bit of a domino effect. So what are your thoughts then, Courtenay, sort of looking ahead and how businesses are reacting to these, for example, large IT outages that are occurring right around the world?

Courtenay Farquharson [00:34:32]:
Data is obviously a great attack point. Right? So, you know, you’re probably leading to the CrowdStrike outage where, you know, all these machines were effectively offline. And I know of customers that, you know, had a whole bunch of developers that couldn’t work right while they stayed at the blue screens. You know, and so something small like that can easily be engineered, right, in the same way that, you know, attacking somebody’s code and attacking their data that they have is probably the best way of bringing down a, you know, a customer. And you’re bringing down a company. You’re just really hamstrung by that situation. Right? You can do nothing without your word documents. You can do nothing without your Salesforce data.

Courtenay Farquharson [00:35:15]:
You can do nothing without your code. Right? You can’t produce anything. So, you know, more and more, it’s basically attacking somebody’s data is the best way to bring them down. So what does that mean? It becomes one of the most important points to actually protect.

Karissa Breen [00:35:30]:
So, Courtenay, do you have any sort of closing comments or any final thoughts you’d like to leave our audience with today?

Courtenay Farquharson [00:35:36]:
Basically, there’s a lot of acronyms. There’s a lot of content coming at you, especially in the cybersecurity world, and there’s a lot of fear mongering. I think, you know, if you get back to basics, really at the end of the day, it’s implementing, you know, best practices from, you know, some of the great providers in terms of shift left, you know, looking at companies like Snyk, where you, you know, you can protect that, you know, that code base, you know, definitely some vulnerabilities from, like, testing and be able to optimize the way that you produce code. But I think also because data’s becoming such a, you know, an important piece of, or important attack point from an attacker’s point of view, it’s also, in my opinion, of primary importance to actually protect the code itself. Right. Protect the data too. So implement the security practices, but also protect the data.