Redefining CyberSecurity

Practical Privacy by Design - Building Secure Applications that Respect Privacy | An OWASP AppSec Global Lisbon 2024 Conversation with Kim Wuyts and Avi Douglen | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join host Sean Martin as he delves into the OWASP AppSec Lisbon event with guests Kim Wuyts and Avi Douglen, who explore the vital integration of privacy and security in application development. Discover how privacy by design and threat modeling can enhance your organization's security posture and ensure compliance.

Episode Notes

Guests: 

Kim Wuyts, Manager Cyber & Privacy, PwC Belgium [@PwC_Belgium]

On LinkedIn | https://www.linkedin.com/in/kwuyts/

On Twitter | https://twitter.com/Wuytski

On Mastodon | https://mastodon.social/@kimw

Avi Douglen, CEO / Board of Directors, Bounce Security & OWASP

On LinkedIn | https://www.linkedin.com/in/avidouglen/

On Twitter | https://twitter.com/sec_tigger

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

In this episode of On Location with Sean and Marco, host Sean Martin offers a deep dive into the OWASP AppSec Lisbon event, engaging in a meaningful conversation with Kim Wuyts and Avi Douglen. Sean starts by setting the stage for an insightful discussion focused on privacy, security, and the integration of both in modern application development.

Kim Wuyts, a Cyber and Privacy Manager at PwC Belgium, shares her journey from a security researcher to a privacy engineering expert, emphasizing the importance of privacy threat modeling and the intricate balance between security and privacy. She explains how privacy not only strengthens security but also involves complex considerations like legal, ethical, and technological aspects. Kim highlights the need for companies to adopt privacy by design, ensuring data is used with care and transparency, rather than merely being collected and stored.

Avi Douglen, Lead Consultant at Bounce Security, brings his experience in threat modeling to the conversation, recounting his learning curve in understanding the depths of privacy beyond mere confidentiality. He speaks about the importance of educating security engineers on privacy considerations and using value-driven security to protect stakeholders' interests. Avi stresses that privacy and security should be integrated from the beginning of the application development process to avoid clashes and ensure robust, privacy-respecting systems.

Throughout the discussion, the guests delve into various privacy engineering practices, including data minimization, the handling of meta-information, and the potential conflicts between security requirements and privacy needs. They touch on real-world scenarios where privacy can enhance overall security posture and how privacy engineering aligns with compliance requirements such as GDPR.

Sean, Kim, and Avi also explore the concept of architectural data mapping and selecting the right components for privacy. They discuss the evolving skill set required for privacy engineering and how integrating privacy with existing security practices can add significant value to any organization.

The episode concludes with a look at the upcoming training session at the OWASP AppSec event in Lisbon, emphasizing the need for a diverse audience, including security engineers, privacy professionals, and developers. This session aims to foster a collaborative environment where participants can expand their knowledge and apply practical privacy by design principles in their work.

____________________________

Follow our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugal

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTzdBL4GGWZ_x-B1ifPIIBV

____________________________

Resources

Training: https://lisbon.globalappsec.org/trainings/#sku_PPBD

Threat modeling manifesto: https://www.threatmodelingmanifesto.org/

Learn more about OWASP AppSec Global Lisbon 2024: https://lisbon.globalappsec.org/

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new On Location Chats on the Road episode here with Sean Martin. I'm flying solo for this. Marco, uh, my co founder is back in the States and I get the joy of covering OWASP AppSec Global in Lisbon. It's going to be a fun event. I've, I've missed the AppSec community, DevOps, DevSecOps, and the like. 
 

And, uh, I get to dig deep back into my past when I once was an engineer back in the day. And, uh, it's always fun. I miss it. I couldn't do it, I don't think, anymore. There's too much going on for me to keep track of it all. That's why I'm thrilled to have folks like Kim and Avi on to, uh, to help share some knowledge with the community about things that are taking place in privacy is a training session that you're going to be presenting.
 

And, uh, yeah, caught my attention. I said, I want to talk about this as we lead up to the event. [00:01:00] So I'm thrilled to have you both on. Um, how about we kick it off with a word from each of you, your role, what you're up to, and, and maybe, maybe just a quick word on why privacy is important to you.  
 

Kim Wuyts: Okay. Um, happy to start. 
 

Um, I'm Kim Wuyts. I am a cyber and privacy manager at PwC in Belgium. And, uh, well, I have a long history of being a privacy engineering researcher where I mainly focused on privacy threat modeling and the LINDDUN privacy threat modeling framework. Um, and well, why privacy is important. I kind of rolled into it.
 

Uh, I started as a security researcher and then got into contact with privacy people and realized, well, this is not just interesting, this is really important and it can also actually strengthen security. So, um, it has this nice interplay between GRC legal stuff, um, technology, [00:02:00] ethics. Um, so I, I think it's a really interesting domain and it's really important.
 

So yeah.  
 

Sean Martin: And a lot of cultural differences as well.  
 

Kim Wuyts: Yes, absolutely. Yeah, yeah.  
 

Sean Martin: Yeah, perfect. Avi.  
 

Avi Douglen: I'm Avi Douglen, lead consultant at a small boutique called Bounce Security. We focus on product security processes. Um, I do a lot of spend a lot of time doing things like threat modeling. Uh, that's kind of how I first originally met Kim when we were working on the threat modeling manifesto together.
 

Um, and you know, doing threat modeling, I always covered privacy. Sure. You know, we have confidentiality. We, we manage the cookies. We have that. Uh, and I very quickly got educated hard about that. Privacy is actually a lot more than that. Yeah. And I went through, you know, Kim had me go through this whole process of learning all that stuff. 
 

And that's when I realized, wow, this is actually really, really useful for me as a product [00:03:00] security engineer and a consultant. And this is where this, this idea for this training came from. We wanted to share this with other security engineers, other products, security, and an app that realized they can actually leverage so much more when they understand the nuances and the intricacies and the different things that privacy actually means,  
 

Sean Martin: well, let me do this to, to kick it off. 
 

Um, it's been a few years now that I had this, this revelation, um, as Yeah. Some laws were coming into play GDPR, of course, a number of years back. That's when we talk about confidentiality and security, it's really about keeping things private. And the revelation I had with respect to privacy is that. It's all about using data when possible, I guess, if I can say it correctly. 
 

The, I guess the point is it's [00:04:00] you, you want in privacy, you want the data, you want to keep it private, but you need to have access and use it in many different ways. Um, so somebody who's in privacy may not always, or the policies and privacy may not always jive with the policies and.  
 

Kim Wuyts: Well, well, first of all, um, I think there's this, um, private has been used in different ways indeed. 
 

Um, so if you look at it from the security perspective, you're right. We want to keep things private, meaning we want to keep our assets that we care about. We want to keep it private, private from external bad guys. From a privacy perspective, what we mean then with private, although I don't like the word private from a privacy perspective, um, it's more like, um, even though you collect my data, I want you to use it, um, with care, only use it for the purposes that you are allowed to use it for, don't share it with other people.
 

[00:05:00] Even though from a company perspective, you might think, well, this is okay. From a privacy perspective, you need to think of it, not from the company perspective, but from the. personal perspective, would that individual be okay with it? So it's a bit of a different mindset. Um, and while there might be some, um, differences between the two things, but I don't think it's ever very, um, that conflicting that you can't resolve it. 
 

I think it's important that you tackle them together and then you can find this solution that works for both. But if you start from, here is a secure system, and then let's sprinkle some privacy on top, of course, it's going to clash.
 

Avi Douglen: And this is always the same thing that we had, you know, if you first build a system and then sprinkle security on top, that's not going to work either. 
 

It's going to clash with the functionality. I feel like it's a lot of the same conversation that, that we had previously and security we're preaching. Now we need to be involved at the beginning and then ignore privacy. [00:06:00] We need to be involved. We need to be involved, but never actually got privacy involved in that conversation, and now we are having that from the other direction. 
 

Sean Martin: So. Have the developers, engineers, have they kind of embraced the idea of building with privacy by design from the beginning? Or what's kind of the current, current mindset there?  
 

Kim Wuyts: We're working on that. Um, no. Yeah, no, not enough. Well, I think security people will even say that they haven't embraced security enough. 
 

So, um, I think for privacy, we're even lagging behind a bit there. But that's the interesting thing of the whole privacy journey, because, um, privacy has a lot of similarities with security. It has kind of the same foundation. Um, the way to tackle it, the way to bring it into the system is very, very similar. 
 

So rather than considering it isolate in isolation, let's [00:07:00] use that paved road that has been built for security and just attach the privacy concepts there too. Um, it's already there. We know how to do it properly for security. You probably already have this whole, uh, security practice working. So let's figure out how to, well, add privacy on top of that, instead of making it a whole new, uh, domain that needs a whole new way of, of being implemented.
 

Sean Martin: So one of the things that many moons ago, I was a quality assurance engineer, why I did. Basically AppSec before was, was, uh, called AppSec, I guess, testing functions and APIs and a bunch of different things. And, and being rooted in quality assurance, my background was all around user stories. So what do we expect the experience to be like? 
 

What do we expect the product to do in different search situations? What can we [00:08:00] expect it not to do? And then from inside, can we verify that? Functions would be called properly and data would be retrieved and accessed properly and all that stuff. Um, does the world of privacy leverage user stories and use cases and things like that as well, or describe to me how teams could look at this. 
 

Kim Wuyts: Um, yeah, I, I, as I, as I said before, it's kind of very similar to the security part. Uh, well, you have two different angles to look at privacy. You have the more legal angle where it's more the checkbox compliance kind of thing. Uh, so I'm not talking about that one. Um, but if we're talking about privacy engineering, then it's very similar. 
 

Um, there's privacy red teams, there's, um, privacy requirements. Um, there's all the things you would expect for security to also, um, be there for, for privacy. Um, [00:09:00] it's, um, it's a bit trickier as your requirements come from what you expect the individuals will want. So you also need to take that into consideration, into consideration, rather than just focusing on, from our company perspective, this is the goal.
 

Um, so that requires a bit of a mind shift, um, from the people executing it, but also from management because to do it properly, you actually need buy-in and you need to have people understand that privacy is important. But I, I like to say that you can start small. And if you just, um, include the, the one question when you're adding a new feature or building a new product.
 

And that question is, do I really need all these data? Then I think you're already a great way to, uh, to starting implementing privacy.  
 

Avi Douglen: Look at a certain level of abstraction, they're pretty much the same thing. When you replace the stakeholders, [00:10:00] right? A certain level of abstraction security is protecting what's important, right? 
 

Protecting the value that is moving in that system. It's gotten to the point where I, in my practice, I've gone so lightweight. I call this value driven security and just focus just one value and we can embed that in the user story. Every user story has a value. We focus on that. And if you replace, you know what the value is to the business, Or the different stakeholders, and you replace that with, well, let's talk about that individual and what the value is to that individual. 
 

Well, we're still just trying to protect the value to that individual to that stakeholder. And we're just just pivoting around that, um, and looking for the value chain that applies to that individual. Right. Um, and we're looking for different ways to protect that. And I don't know if we need to get to the resolution of a user story. 
 

But a feature set, right. A fun, a specific set of functionality. In our training, we focus on, [00:11:00] uh, we have a whole module around decomposing, taking a, a functionality and understanding how that applies and where the value is to that individual. And based on that, we can understand, well, these are the things that we need to protect. 
 

So it's so similar, right? But but yet so different because it's different language. The business owns the application, the business controls the data, right? And poor little individual is sitting there and sending their data to the system and, you know, I have no control, I have no say, except that you do. 
 

Kim Wuyts: Yeah, and just, yeah, okay, go ahead.  
 

Sean Martin: No, please go.  
 

Kim Wuyts: No, I wanted to stress that it's not just something you do because you want to do good, but you do that because You give value to your, to the individual, to the users, and that makes your application more valuable and more interesting to the users and, um, well, improves the overall value. 
 

Um, and while also by investing in privacy, um, you [00:12:00] also increased the, the, let's say security posture. Um, for one thing, um, well, if you minimize data because you don't really need it, that's already data that cannot be leaked when there is a security breach. So that's the obvious one. Um, so privacy is not the confidentiality part of security. 
 

Privacy is really about data minimization, about making sure that, um, when you have, uh, a lot of information you aggregated, you make sure it cannot be re-identified when you assume it's de-identified. It's also about transparency, about providing controls to the individuals. So it, it, it goes far beyond security while security is still a very important part because of course, without encryption and access control, we just throw all the data on the street and then, well, we're lost basically.
 

Sean Martin: So you mentioned just even de-identified and then re-identified, just, just that, um, is a concept [00:13:00] that wouldn't be a security concept necessarily, right? Um, and so I'm wondering, are there, are there other things like that, including that one, that, that really needs to come to the forefront? And I guess what I'm really asking is, there's a lot of apps and tools available to look for the OWASP top 10 now, even with the, the LLM top 10.
 

Right. Is there a, is there a privacy? I'm just wondering,  
 

Kim Wuyts: I actually think there is one in OWASP, but. I think it's focused on web or something. I don't know. I think we, I think that would be an interesting one to work on. Um, I, I, I will put it on my to do list to work on that. I think it's really interesting to have, um, top 10 for, for privacy. 
 

Um, well minimization is, is the first one, like not, not being that company that says, well, [00:14:00] let's just collect it and save it just in case, um, because well, maybe you just can't, or maybe you shouldn't at least, um, 
 

An interesting one is, I think, dark patterns is also an interesting one to that, that we're familiar with, like, um, being nudged into going for less privacy friendly options because companies make it like a sneaky banner or something, and they hide the information. Um, I'm looking at Avi because, well, we don't have a top 10 now, so, um, I don't know. 
 

Avi Douglen: So Sean, you actually started your question asking about things like de-identification, which I'm sure with your background is history that kind of tripped you up, right? We want identification. That's a good thing, right? Another great one, by the way, it's non-repudiation. That's right there. You know, you do threat modeling, you do STRIDE.
 

Now repudiation is a threat [00:15:00] and from a privacy perspective when you look at it from the individual perspective, that's a value. You want to be able to repudiate. You want to be able to claim, no, I don't have an account on that site, right? No, I did not send that message. So it's competing forces. It doesn't necessarily mean there's a conflict here. 
 

It just means you need to balance this. And that's what architecture really is about comp uh, uh, balancing competing forces and finding appropriate trade offs, right? Even just, you know, forget security even, and privacy. Even just building functionality, you always have competing forces that you need to balance when it comes to things like identification versus de identification. 
 

Uh, repudiation versus non repudiation. We have competing forces that we need to account for and balance. And again, it's what the company, what the business, what the site, the application values versus what the individual values. And we can absolutely find that [00:16:00] balance if we start early enough and, and integrate them and have that cohesive view of these are the things that I need to balance, let's find the way to find that trade off as opposed to let's build it and then figure out all the problems later. 
 

Kim Wuyts: Yeah. Yeah. Authentication is not a synonym for identification. It can help, but it's not necessary. It's not necessary. You can find other ways too.  
 

Sean Martin: And one, one of the things you noted in, uh, in the topics you list, you, you reference architectural data mapping. And I'm going to, I'm going to focus on kind of the architecture because if a team is mature and how they build and they, and they care about security in their, in their development process, they're probably going to architect and select components that support the security aspects of their program while also enabling the business piece of it. 
 

One would hope. One would hope, exactly.  
 

So my question is, are there architectural best [00:17:00] practices to select the right components and configure them, connect them in the right way? For privacy. And if so, are there any examples you can give for teams that do that?  
 

Avi Douglen: Well, so I'm going to let Kim follow up because she's probably going to tell me I'm wrong about this. 
 

But from my perspective, listen, the first big step, and I see this even from the security side, the biggest and I'll talk about bad practice for a second. The biggest mistake I see most teams have is that they don't know what their architecture is. They never actually went in and built a well defined, Oh, our architecture is, uh, web APIs and REST and a database. 
 

Well, that's not enough to define the architecture. What are the pieces? What are the interactions? What are the different various aspects of that? Um, and that's the first thing. And that's the first thing we're going to be focusing on is how to understand what the architecture actually is. Before we get into what you should be doing, right? 
 

And there are certain things that we're going to get to. [00:18:00] I don't think there's anything I would say that is generic other than data minimization. I don't think there are any real patterns that are absolutely generic. And Kim, correct me if I'm wrong here.  
 

Kim Wuyts: Well, there is, there are privacy design patterns, but they often are not necessarily on the architectural level. 
 

It's more conceptual things to, to include there. Um, maybe what is worth mentioning is that the concept of data, um, needs a bit more, uh, of a granular approach when you are thinking about privacy, because well, for security, it's often enough to just think of this blob of information you want to protect and encrypt. 
 

And I don't know what, but from a privacy perspective, it makes sense to also think of what does this actually mean. Um, is there meta information that will reveal additional things, um, reason about, well, is it really de identified because you claim it, but maybe it's not, or what additional information [00:19:00] can be deduced, what profiles can be built on an individual because you have all this information. 
 

So what does it mean basically?  
 

Avi Douglen: Yeah, because there's all these different correlations, for example, right? There's different ways of deducting Uh, different pieces of information simply by saying, okay, here's a blob of data, which is fine from a business perspective, because I'm controlling it. I'm in charge of it. 
 

But from the individual perspective of the fact that you are, have that big blob and controlling it, that itself is a, might, might be a problem.  
 

Sean Martin: So I think early on, you both mentioned, certainly did Kim, that the threat modeling, uh, stuff they're working on when, when I think of threats generally, yes, there, there might be insider threats where somebody who's doing something malicious, but generally speaking, when we think of threats. 
 

It's some external force trying to gain access and, and probably sell, sell information. Certainly when [00:20:00] we talk about privacy as part of security, but when, and this is kind of to my point earlier, when we, when we're looking at privacy in the organization, we're trying to dance along that line of how much can we collect, how can we properly use it to the, to the fullest extent that we're allowed to legally and ethically. 
 

Maybe not ethically for some companies. And to me, those are threats as well, where they, and not even intentional. But somebody, I guess to the point of this conversation, an engineer builds something that allows data to be accessed or used or something in a way that isn't in line with the, uh. GDPR or some of the US uh, state regulations or, uh, I don't know, some of the other acts out of the EU that are, that are coming along. 
 

Um, I guess from a threat model perspective, you could, because I think you're gonna be talking about this in your training as well, what are, what are some of the components of that activity [00:21:00] and does it touch on some of those things that I'm referring to?  
 

Kim Wuyts: You want to go first? Should I try?  
 

Avi Douglen: I don't mind because there's one part of that that I want to jump on. 
 

Um, you mentioned ethics and then you kind of backtrack that. But I absolutely think this is a big part of that as well. It's an odd situation where we're relying on the business to build a system that respects individuals privacy from themselves. Right? So that engineer Might be giving themselves access and that itself is already a problem. 
 

So it's absolutely an ethical situation. For me, the legal and the compliance and all that stuff. Yes, it's, it's important. It's there, but more of a stick to make sure you're doing the right thing. But that's not why you're doing it.  
 

Kim Wuyts: Yeah, yeah, exactly. So, so from a privacy threat modeling perspective, the organization or the system is often the, um, misactor, uh, or [00:22:00] threat source, um, and you, you just need to, to keep that into account when you do threat modeling for privacy that you're not thinking of, um, would this hurt the system or would this hurt the organization, but would this hurt the individual?
 

And how does that impact it? And, um, it's, um, it's sometimes interesting to communicate that to the company because you're basically pointing fingers. Um, but yeah, it's kind of like an own goal. Um, I, one of my privacy friends was calling it that way and I think it's, it makes it feel, um, less finger pointy, but it's still the same, uh, story.
 

Um, but also, uh, about the third parties you share information with, um, that's also something that will have an effect, um, which from a security perspective in a way also does, but from a privacy perspective, it has more impact, um, there to the individuals. Um, observers, [00:23:00] um, people outside of the system that can still see some communication.
 

That's also a potential, um, threat source. So it's not just the, the hacker who gets into the system. It's, it's, it's all the stuff that's happening with the data, um, and that's going on around it. So, so it's, it's, it's broader than that. It, it needs a different mindset basically. So you can definitely approach security and privacy together, but you need to be aware of that, that difference, because otherwise you will, I've, I've done a lot of threat modeling sessions with, um, mainly secure or, or, uh, people with a security background and well, they first need to get the security threats out of their system because otherwise they cannot, they cannot make that mindset shift because they, they are thinking about confidentiality and integrity while from a privacy perspective, we are looking at minimization and is that a good purpose [00:24:00] to process that information?
 

And so, um, yeah,  
 

Avi Douglen: look from security for security threat modeling. You know, we always talk about the malicious admin, right? And we usually kind of stick a pin in that because what are you going to do about that? And very often I'm talking, I'm teaching threat, security threat modeling to develop, to a development team and say, well, what do you do if malicious developer does, you know, pushes something to production or what if that guy gets fired, right? 
 

I always pick a friendly guy in the front of the room. What if that guy gets fired tomorrow? What's going to, what's going to happen? And in this case, we're kind of doing the same thing to the whole business. What if tomorrow the whole business, hypothetically, starts being hypothetically malicious about about the data.
 

They don't need to be intentionally malicious about it, but it's about building the privacy respecting systems. Sorry. Can I steal that term? Um, privacy respecting systems so that the individuals feel comfortable. And they can be [00:25:00] assured of, of the state that even if there's a new boss in the company, I'm kind of protected to some extent.
 

Is that, is that fair? Do you do that, Kim?  
 

Kim Wuyts: Yeah. Also, let's not forget because you touched upon the, um, legal a bit, um, or, well, you actually didn't. So I want to highlight that there's also a link there, um, because GDPR and other, uh, data protection compliance, um, legislations require the privacy or data protection by design, um, paradigm.
 

So if you do this threat modeling privacy engineering, uh, approach, well, you're doing what is expected and if you do it properly, you can, uh, well, you can check that box off, um, for your compliance people and, and make them rest assured that you thought it through and that it was not just this, um, well, one five minutes, uh, discussion you had with a lawyer, but it's actually embedded in the system [00:26:00] rather than having it somewhere on paper where it's, it's gonna fail.
 

Avi Douglen: Well, I never do what's expected of me, but I like thinking things through. No, it's true. Ask my mother.  
 

Sean Martin: I'm sure we could all say that, right? Uh, I think that's why many of us, uh, wear sometimes not, not the Irish hat, but the hacker hat. But, um, let's, uh, I want to, uh, we only have a few minutes left here. I want to talk about the session that you're putting on. 
 

Um, clearly a lot of security-minded engineers will be on, on site in Lisbon and I suspect there'll be a lot of the folks sitting in your session as well. Um, who else do you want to be included in your, in your training? Um, will you, will you speak to privacy folks? Is it a good, good session for them to [00:27:00] join?
 

Uh, threat and risk folks? Um, I don't know. Tell me, tell me who you want in the, in the room with you that day.  
 

Avi Douglen: This is one thing that we don't actually agree about. We're, we're, we agree, but we're focused in different places. Listen, having been that, that, you know, a security engineer who knows really well that stuff and thinks I know very well, the other stuff. 
 

But didn't. I really want to help everybody else find out that other stuff. There's a whole world of stuff. And I'm still learning, you know, as we're doing this, I'm learning so much more. Um, and there's a whole world of stuff and it's a completely different perspective. And I want to bring more of that to security engineers and software engineers, software architect as well. 
 

Kim Wuyts: Yeah, well, um, in the privacy world, there's this, um, growing skills gap for technical privacy, basically privacy engineering is still kind of a new domain. Well, it, it isn't really, but privacy in industry mainly, um, [00:28:00] got in there because of GRC, so it has a lot of legal backgrounds. So it, it, it often lacks that engineering skill.
 

Um, so I think that's, that's, uh, something that we can help build. Um, so I, I, I think privacy people can learn from security people like Avi. And I hope that together we can also bring, bring that combined knowledge of security and privacy to the, um, security engineers who, who, um, basically want to extend their horizon and, and, and, and extend their skillset because it's not just, it shouldn't just be about that core security, but also privacy is something that will add value and can be easily integrated into what's already in the company.
 

Avi Douglen: Ultimately, we're not just talking about privacy by design, and it's not just threat modeling either, right? That's one piece of it. But it's a big, it's much larger than that. It's privacy by design and privacy engineering, but it's also how to [00:29:00] combine that with security. So even a privacy engineer will learn how to combine that with security. 
 

And if you come from a security engineering background, that's fantastic. And you'll be able to integrate privacy with that.  
 

Sean Martin: Another privacy engineering  
 

Kim Wuyts: There are, but yeah, there are, um, there, there's this, um, um, community within a larger privacy, uh, professionals community that focuses on privacy engineering. 
 

Um, but I say it's still not really very, um, present yet. I mean, there's, there's plenty of people, but if you compare it to the overall privacy community, um, we're still in, in the minority usually. Um, so this is, uh, again, a great opportunity to, well, to, to increase knowledge and awareness and, and get more people to, to really, um, [00:30:00] embrace that more technical approach to, to privacy.
 

Um, because while in the end, we're not doing all this work, we're not, we don't want privacy to just be that checkbox compliance exercise, because what the goal of all those regulations are is making privacy-respecting systems. Um, and well, we need some technical background to be able to achieve that.
 

So, um, it's the combination of privacy and the technical part, the engineering part and then integrating it with existing security practices that, um, I think is a really great and useful, um, and pretty unique twist to it. Um, as far as I know. So
 

Sean Martin: Yeah, I love it. Hopefully we get some nice, nice crossover here and, uh, architects, engineers, security developers, a whole mix.
 

And, uh, I mean, it, it really is a mindset, right, that we're talking about here and, [00:31:00] and taking, taking the right actions for security and privacy together. So hopefully, hopefully you fill the room, pack it out with lots of folks, uh, that will collaborate. And if I can say, put you both to the test, right?
 

Continuous learning. I was talking to Jim Manico earlier. He said he, while he's, while he's an instructor, he's always, he's always a constant student. He's always learning about something new. And I think it's all all driven by what the business wants, right? Every time a new business idea comes up, we have to ask, well, how does that affect security and privacy?
 

Both? Exactly. Well, good stuff. Your session is Practical Privacy by Design: Building Secure Apps that Respect Privacy. It's two days that it.
 

I really do hope you get a nice collection of folks and, uh, some good outcomes there. I appreciate you sharing some insights with me today, Kim, Kim and Avi. [00:32:00]
 

Kim Wuyts: Thanks for having us.  
 

Sean Martin: Thank you. And we'll see, uh, see everybody in Lisbon in a few weeks. Please do stay tuned. Many more chats on the road here from ITSPmagazine, looking at the event up and down the stack.
 

Unintended. All right. Thanks everybody.