Hendrik Ewerlin -- Threat Modeling of Threat Modeling

Show Notes

Robert and Chris talk with Hendrik Ewerlin, a threat modeling advocate and trainer. Hendrik believes you can threat model anything, and he recently applied threat modeling to the process of threat modeling itself. His conclusions are published in the document Threat Modeling of Threat Modeling, where he aims to help practitioners, in his own words, "tame the threats to the threat modeling process."

They explore the role of threat modeling in software development, emphasizing the dire consequences of overlooking this crucial process.
They discuss why threat modeling serves as a cornerstone for security, and why Hendrik stresses the importance of adopting a process that is effective, efficient, and satisfying. If you care about secure software, you will want to listen in as Hendrik emphasizes why the approach to threat modeling, as well as the process itself, is so critical to success in security.

Links:
=> Hendrik Ewerlin: https://hendrik.ewerlin.com/security/
=> Threat Modeling of Threat Modeling: https://threat-modeling.net/threat-modeling-of-threat-modeling/

Recommended Reading:
=> Steal Like An Artist and other books by Austin Kleon https://austinkleon.com/books/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Transcript

Chris Romeo: 0:00

Hendrik Ewerlin loves to build secure software and empower people to do so. He strongly believes in the power of threat modeling. He provides threat modeling training and helps software vendors who are new to threat modeling and want to improve the security of their systems. Before devoting his whole career to building secure software, he worked as a dev and made full stack medical image viewer applications with high security demands. Hendrik joins us to introduce a project he's working on called The threat modeling of threat modeling. He has applied the threat modeling process to the discipline of threat modeling and draws some entertaining conclusions. We hope you enjoy this conversation with Hendrik Ewerlin. Okay, Hey folks, welcome to another episode of the application security podcast. My name is Chris Romeo. I am the CEO of Devici. and also co host of said podcast. Excited to be joined by my co host for, seems like decades, maybe we haven't been at it that long. We've been at it almost a decade, but more about that in just a second. But Robert, great to have you with us here again as well.

Robert Hurlbut: 1:39

Hey, Chris. Yes. Absolutely. Great to be here. Robert Hurlbut. I'm a Principal Application Security Architect as well as Threat Modeling Lead at Aquia.

Chris Romeo: 1:48

And we hit a momentous occasion here. Uh, we just happened to, uh, I got an email from our podcast hosting provider who told us that we just crossed our 250th.

Robert Hurlbut: 2:00

That's

Chris Romeo: 2:00

seems like when we started this thing back in 2016, did not think we would continue on. I knew it was going to be fun, and I knew we were going to have fun making it, but I never dreamed we'd still be going strong at 250 episodes, so. You know, Robert, here's to another 250. Let's see if we can get to 500. That's our next, our next goal along the way. So we're joined today by Hendrik Ewerlin uh, who is going to talk about a topic that Robert and I just happened to love. But first, Hendrik, you must tell us your security origin story. How did you

Hendrik Ewerlin: 2:38

Yes.

Chris Romeo: 2:39

this wild, wacky, fun,

Hendrik Ewerlin: 2:42

Yeah.

Chris Romeo: 2:43

exciting adventure called application security?

Hendrik Ewerlin: 2:46

so hello everyone. Uh, I'm excited to be here. Um, so, um, my story with security started quite early. I've, uh, developed software ever since I was a child and one early project was, uh, A community website with private messaging and I learned PHP and SQL and also got across SQL injection quite early and this was the first time when it absolutely blew my mind and I was like, Oh my God, this is so impactful, uh, we should better not screw up security. So, um, I started this journey quite early and, um, then I. I studied at the university and got my first job in, um, as a software developer in medical imaging. And again, I, I see this is so impactful. So highly valuable, sensitive, um, data and also availability is a huge topic. So, uh, uh, so I was happy to contribute, uh, in the security group and get, uh, Things better and better. And then, um, I really wanted to improve and, uh, studied, uh, IT security networks and systems at the, uh, Ruhr University of Bochum. This is in, uh, Germany, Western Germany. And, yeah, now I work as a cybersecurity architect in said, uh, company. Um, yeah. Um, I'm starting to, um, also offer threat modeling as a service, so to say, and get people familiar with it, so, yeah.

Chris Romeo: 4:38

Nice. So how old were you when you built that community website? I'm just curious,

Hendrik Ewerlin: 4:43

was probably when I was, um, 14 years old, or something,

Chris Romeo: 4:47

okay? So parents out there, when your kids say they want to get into tech,

Hendrik Ewerlin: 4:52

yeah,

Chris Romeo: 4:53

let them build something when they're, when they're in their teens. Why not? You know, who knows what they, they might create the next, uh, the next big thing in the startup world before they even turn 18.

Hendrik Ewerlin: 5:05

yeah. Yes, so this is my motivation, basically.

Robert Hurlbut: 5:14

Excellent. So Hendrik, we're talking about threat modeling today. As Chris mentioned, this is a topic dear, near and dear to our hearts. Uh, so, um, in your opinion and your thoughts on this, what makes threat modeling a success?

Hendrik Ewerlin: 5:29

Yes, so I have a simple definition of secure. Secure is, from my perspective, being protected from danger. So Um, this is very close to having threats mitigated. So, okay. And so you can easily see this is very close to Adam Shostak's question two and three. What can go wrong? What are we going to do about it? So basically that definition, you can't help but think about, uh, you absolutely need threat modeling. And, uh, so, but there's a lot of things that can go wrong when we look at the four questions. Of course, you first have to know what you're working on, you have to attach it to a process. Um, and then really think about what can go wrong, what are we going to do about it? And even before that, you have to get this whole thing started So, uh, so obviously we see, uh, this is, um, complicated thing to do maybe with, uh, lots of different possibilities and lots of things can go wrong and you should do something about it, And this is the meta approach to, uh. We threat model threat modeling, so,

Chris Romeo: 6:55

Yeah, we want to get into that, we want to, we

Hendrik Ewerlin: 6:57

Yeah. Okay.

Chris Romeo: 6:59

some of your motivation behind

Hendrik Ewerlin: 7:01

Yeah.

Chris Romeo: 7:01

idea of, because we think about threat modeling is this process that we go through when we are analyzing something, normally something that we're building, trying to figure out what are the security and privacy challenges, but you took it a step further.

Hendrik Ewerlin: 7:16

yeah.

Chris Romeo: 7:17

decided to do a threat model of threat modeling,

Hendrik Ewerlin: 7:20

Yes.

Chris Romeo: 7:21

is very meta, which I know is a word from a few years ago, but I'm going to. You know, you used it in your document as well. But why? Why threat model threat modeling?

Hendrik Ewerlin: 7:31

Okay. We have quite some journey with threat modeling, so discovered it years ago, I can't tell when exactly. Uh, and I just thought, well, this is so awesome. We, we must use this And, um, meanwhile we had a external consulting, uh, bringing in some of this thing. And, um, yeah, we really started to get this going, but we improved over time and time and made some mistakes. Um, and, uh, so it's not that easy in some, some parts. So you really have to, uh, iterate, get better, uh, find out how to do things, um, reach a certain maturity. Um, and this is where we went and, um. We also asked ourselves the questions, okay, what, what can make this a success? And we better think about it in a systematic way. And this started to, um, the threat modeling here. And, um, I now provide it as something that I can publish. And this has a different perspective. So, yeah,

Chris Romeo: 8:50

is the goal of this exercise to put together a guide? to help people build better threat modeling programs is the goal to help me have a list of things to watch out for, things that could go wrong. Like what's, what's the ultimate goal? What's the ultimate thing that you want people to do if they, after reading this document?

Hendrik Ewerlin: 9:14

yeah, it's probably some kind of list. Oh, you might have encountered this. And so this, these are some ideas. So basically another, uh, idea to think about is some problem solution mapping, but I like threats mitigations better because we can apply the same likelihood impact thing we know already. So,

Chris Romeo: 9:38

yeah, so it's so it's basically it's designed to help me learn from your experience.

Hendrik Ewerlin: 9:43

yes. And it's about succeeding at, uh, building a threat modeling program.

Chris Romeo: 9:49

Okay. So it's about the program Okay So it's about how to it's it's really is ultimately a guide to help me build a successful threat modeling program based on your experience, but using the threat and mitigation approach that we all love to apply to things that other people build.

Hendrik Ewerlin: 10:08

And my idea is also to include the famous varied viewpoints. Ask other people what they think, so this will improve it even further.

Robert Hurlbut: 10:22

So what is your approach, uh, to threat modeling and threat modeling programs?

Hendrik Ewerlin: 10:26

Ah, yeah, okay, so this is about success of a process. So, it's a question of what are the threats. And we can borrow from usability. Usability has some definitions. Basically, it's about making people succeed about what they try to accomplish with something you offer. So, this is usability. And it has these effectiveness, uh, efficiency, satisfaction, so we want people to get the job done. We want, uh, good quality, uh, low cost, and we want satisfaction, so they should like it. And we can think about this. And go through the phases and then come up with all sorts of threats and then try to figure out how you should solve them. And also add lots of, um, inspiration from online and so I try to make it, uh, So that everyone can relate and it's not so much only about what we experience. Okay.

Chris Romeo: 11:39

Yeah, I did notice that you, you took, you took various kind of sources from, added some different things that other people had said and whatnot throughout the document. So, when I think about your approach then and kind of your methodology, so what I'm, what I'm seeing is, so you just, you use the four phases of threat modeling, kind of what are the typical activities in that phase, what's the threat and what's the mitigation between those. And so, you made reference to, you know, phases one to four are Adam's four questions, but you introduced this idea of phase zero. How do we threat model?

Hendrik Ewerlin: 12:17

Yeah. Yeah. Okay.

Chris Romeo: 12:19

tell us about this phase zero.

Hendrik Ewerlin: 12:21

Yeah. Okay. So, uh, imagine you have a company that's, um, getting, it's totally new to threat modeling. They don't know probably about it. So, they first have to figure out it exists, they totally need it, why do they totally need it? And, uh, they have to get this whole thing started. And this is what I learned in my early, early, early days. So, I was so excited and I was like, here's stride, here's the four questions, and not quite took off. So, what I learned is people need some actionable advice. They need, okay. Um, you have to threat model in these occasions and this is how you do it. And this is how we write things down and you don't want to think about this when you threat model. So this distracts. Let's figure this out when you threat model. So you need a paved road and so you're ready to go. And of course there's maturity levels. So it's a difference if you do something and create some security issues, or if you have a mature security process and then program, really figure out how you integrate this everywhere. Yeah,

Chris Romeo: 13:38

phase zero then is, how do we threat model? And it's, it's capturing from one organization's perspective how the things that are, how they're going to accomplish this. Is that, is that the point of, of the how do we threat model or am I missing the point

Hendrik Ewerlin: 14:01

yes, probably, yeah, so to say.

Chris Romeo: 14:06

Alright, so should we add Adam to the call right now and get his opinion on you adding a question to his four question framework? I'm just kidding. We don't, we don't have Adam waiting behind the,

Hendrik Ewerlin: 14:18

question. The five question framework, four plus one question.

Chris Romeo: 14:24

Hendrick is famous for the five question framework, which, uh, does have an include statement at the top. It's

Hendrik Ewerlin: 14:31

yeah,

Chris Romeo: 14:32

include bracket The, uh, Adam underscore show stack underscore four questions dot h another, uh, greater than sign.

Robert Hurlbut: 14:42

Is some of the phase zero, how do we threat model a bit of also, you know, that convincing and,

Hendrik Ewerlin: 14:50

yeah, definitely,

Robert Hurlbut: 14:51

and, and getting on the same plane. So, I know one of the challenges, uh, that I'm sure many threat modelers who've been doing this for a while face is that, you know, we already know threat modeling, but you're talking to people who don't. Typically, and how do you convince them? How do you get them to where we're on the same page so that when you hit the four question framework, it's not a, they're still back. Why are we doing this again? What's this all about? Uh, so is that, is that a bit of that as well about, you know, what? Okay. Very

Hendrik Ewerlin: 15:23

people have to get to know, uh, threat modeling. They have to get really excited about it. And yeah, we need it. And also some, some legal pressure heads here and there. And, uh, we need management buy in and all that stuff. So we really have to figure out how to get this going.

Robert Hurlbut: 15:42

Okay.

Chris Romeo: 15:43

So let's, I'm going to explore the diagram, or the diagram, where I'm in threat modeling mode. We're going to explore the document here a little bit. I just want to, I just want to kind of scroll through it and get, get your takes on some of these things, Hendrik. So I'm in the first section, zero, how do we threat model? And so this first, so I'm looking at the first. First threat you have here. Develop software without threat modeling, slash the scary consequences of not applying threat modeling may serve motivation.

Hendrik Ewerlin: 16:11

Yeah.

Chris Romeo: 16:11

So that's, so you're describing that, so the threat is that somebody developed software without threat modeling, right?

Hendrik Ewerlin: 16:17

yeah. That's if you think about some kind of attack tree, this is just one thing. Okay. They don't use threat modeling. So what is the impact? What's the consequence? And I talk about three things here. I call it blindness. Insecurity and actual damage. So, what does it mean? Blindness. If you say security is being protected from danger, so, uh, how would you know if you are secure if you are not threat modeling? So, there's some alternatives obviously. So, we have some gut feelings. No security issues, incidents reported, or last pen tests or something, but it's far inferior than showing, Okay, we have this methodology, look, this is a document, it's up to date, this is how it's integrated in our process, and most importantly, We implemented the mitigations, so this is how you can really tell you're not blind, you're not insecure, and of course, um, the ultimate goal is to prevent actual damage. So, so this is some kind of my take on motivation. Um, but in this threat mitigation framing, so yeah, yeah,

Chris Romeo: 17:40

I like how you described each of the mitigations here too. So threat model and know the security of your system was one for the

Hendrik Ewerlin: 17:47

yeah,

Chris Romeo: 17:48

um, threat model implement mitigations and secure the system for the insecurity and then threat model as early as possible. Sounds like something from the Threat Modeling Manifesto. I think that sounds familiar. Which I know you, you referenced that as a source as well, which, which we love. We love the fact that you used that as a source to populate some of the, some of the things that you had here.

Hendrik Ewerlin: 18:07

yeah,

Robert Hurlbut: 18:10

Are there some other things that you discovered as you were working on, uh, this, doing this study and, and writing this document?

Hendrik Ewerlin: 18:18

ah, yes. So we have to focus a little bit more, so by the time this gets published, I will be able to also publish the document. So, but we. Probably we focus on some of the things. So, um, so really in the first phase, I think the most important thing is about okay, not threat modeling. So we need to know what's other consequences. So this is some motivation. Why do we need it? We have to have good compelling material that gets people excited about this. And then that's also the, the question about an actionable process. So. Um, I think there's two traps. One trap is the perfect process trap, so people think, oh, we need to figure out how this I don't know how this works and don't get things going, um, and the mitigations of obviously experiment, uh, also think about, um, it's like a little bit like version one, one is better than version none. So, so, um, rather start improve and also the, um, OWASP SAM threat assessment has some nice maturity levels, so you can use it as some plan for okay, we, we do some best effort thing first, and then we improve, improve, improve, and, uh, later on we have this also awesome threat modeling program. Um, yes, and the other, uh, trap is not having something actually, uh, actionable, probably. So I would suggest really thinking about, okay, what will people do? We had good success with also having checklists and stuff. So yeah. Um, yeah.

Chris Romeo: 20:21

For those following along in the document too, that's when you have the ability to, to consume the document yourself. Um, there's, Hendrick just made some references from design threat modeling process, how, under the kind of level zero, just if you're following along.

Hendrik Ewerlin: 20:37

Yes,

Chris Romeo: 20:39

Document. So one of the things, Hendrick, that I noticed about the document is really just the depth of it. You've put a lot of thought and a lot of experience into the document. And I think there's really something for everybody. There's multiple things for everybody who's trying to do a threat modeling program. Um, I'd love to just, Highlight a few more and get your thoughts. Specifically, I know people can go dive into the depth of the document, but let's just let's just highlight a couple of things and so I noticed under your How do we threat model? You had a section under the zero phase here of train and launch a threat modeling program. And so Robert and I are both Threat modeling educators. We'd love to teach people about it. So what is the What if if you've got a couple different threats here? Um, walk us through some of these threats and mitigations from a training and, and launching the program.

Hendrik Ewerlin: 21:33

Ah, yeah. Okay. So first, obviously there's lack of training, so thinking people can just start it out of the box. So it's better when they are educated. So, also, um, uh, training can be too theoretical. So this is where your, uh, approach kicks in to not talk too much about threat modeling, but rather get people going with the famous 30 minute rule.

Chris Romeo: 22:03

I don't know about famous, but I hope it becomes famous someday.

Hendrik Ewerlin: 22:10

yeah, and we also had good experience with this. So I, I got to train 50 people, uh, people lately on, uh, threat modeling. And we have a very practical approach, um, and a scenario that is, um, um, together with, um, um, a scenario which is known in our domain. So it's clear that it somehow relates to what we really do.

Chris Romeo: 22:42

Okay.

Hendrik Ewerlin: 22:43

And this, uh, turned out to be very helpful and also to get people motivated so they really see, oh, okay, uh, security is being protected from danger and reduce blindness. And we, we want to. Reduce blindness and really get things mitigated. So yes, this is, um, our, some of the training aspects.

Chris Romeo: 23:08

Yeah, and I, and I noticed you had one. I'm going to, I'm going to move on to phase one because I like I like one of the conclusions you drew here, um, under catch up on threat models for existing products. Threat modeling a giant is definitely a big threat that a lot of people suffer with and, and I love how you put that. Threat, I've never seen it described like that, threat modeling a giant, but I will, uh, probably use that in the future and I will quote you two times.

Hendrik Ewerlin: 23:33

Yeah. I we have to put giant in quotes. So, uh, why is this? So people often think, oh, this product is so big. Uh. Depends on how your actual state of security really is, but, um, my experience is that people sometimes make it worse than it actually is. So, so to say, how big is this really and how can we catch up? So, so one approach is really to use embrace incremental threat modeling. So, um, what you said, um, So it has two directions, um, threat modeling the existing and threat modeling the new. And threat modeling the giant, uh, is about threat modeling the existing. So, um, there's some success factors how to make this work in my opinion. So, powerful set of people, management support, appreciate what already exists. So, and also this encouraging language. So, not, uh, Uh, to say, Oh, this is so such a big thing. We can never do it, rather start and then divide and conquer, choose a level of abstraction that works, um, yeah, prioritize and, uh, see what works best. And these are some, some of the ideas, uh, how to make this a success, so.

Chris Romeo: 25:01

Yeah, and I love where you went with that. One of our friends of the show, Dustin Lair, who does a lot of work with security champions, uses that analogy all the time, like Don't go on, like, don't set the stage negatively for people when it comes to communicating about something. Don't be like, like, and he always does it in regards to when you get to the end of a presentation and nobody has any questions. Like, don't say, you're a quiet group today. Because that sets the group up to be a quiet group. Like you're telling them, I'm prescribing to you to be a quiet group. So I love how you went there with language. Like, don't, don't make people think this is impossible. Don't be like, Oh, well, there's, you know, I, as the threat modeling leader, there's, this is such a hard task. There's no way we could possibly threat model the whole thing. Well, everybody on the line's going, why'd you invite me to this meeting then? If we can't achieve the goal that you had for us. So I love that that's where you went though, from the language perspective.

Hendrik Ewerlin: 26:00

So yeah. Yeah. This is really about cutting, focusing, doing things that, uh, matter at first and, uh, encouraging language. So there's even worse words. So like big ball of matter, something I've read online, I think, Oh,

Chris Romeo: 26:18

a big ball of

Hendrik Ewerlin: 26:19

talk about the thing like this? Yeah. Yeah. Ah, matter. Oh

Chris Romeo: 26:25

So, let's

Hendrik Ewerlin: 26:27

And I think, uh, so the bottom line is really to get people excited about a future, um, uh, that, and really to take this thing from both sides. So, um, Uh, you need to thread model new stuff, but also catch up. So,

Chris Romeo: 26:47

Yeah, I saw the next section you had threat model new developments.

Hendrik Ewerlin: 26:52

Yeah, this is obviously about the continuous threat modeling mantra, threat model every story. So at least consider if it has some security impacts. So, uh, and then I think there's some challenges or threats depends on your process. So if you really get the, uh, this attached, so. One pattern would be, Oh, we will threat model this later. Or another pattern would be a mitigation depth. So, ah, yeah, we can add the security later and later equals never. So, so you really have to think about when you design programs, um, what's your opinion about it? Do you want to scale things for later? So your development doesn't get blocked or will you follow? Um, it's not, uh, done until it's secure. So. These are some ideas.

Chris Romeo: 27:47

and I love

Hendrik Ewerlin: 27:48

has to find their own opinion. Yeah,

Chris Romeo: 27:56

enough people like me smile. You, so you wrote mitigation debt slash security later and later equals never anti pattern. So there's just a, you know, it's, it's, it's, that's normally what the problem is though, right? Like, Hey, we'll do this later. Well, which means we're never going to do that.

Hendrik Ewerlin: 28:13

yeah.

Chris Romeo: 28:14

That's just the reality of it, right? So

Hendrik Ewerlin: 28:16

yeah, companies need to have, have this figured out. So how much insecurity are we going to accept or will we not ship insecurity? So, and there's some answers, um, depends on what you're building. So. Yeah. Okay.

Chris Romeo: 28:35

a lot of depth here. I'm just scanning through the document, looking for other things to, and so folks are going to have to go read this because we really do, you really have written a 27 page document right now is what, what this work is. And so there's just a lot of depth that Hendrick has put into this. And, uh, some, we can't cover even 1 percent of the depth in this document in this conversation. But really that wasn't our intention. Our intention was to introduce this document to the community and then others can go read it, can give you feedback, can figure

Hendrik Ewerlin: 29:11

That would be so awesome. So I could use some more varied viewpoints. So I'm very excited to learn what threats others experience or. These mitigations are also just suggestions, so you will have to figure out for your own if this applies or not, or

Chris Romeo: 29:29

Yeah, very

Hendrik Ewerlin: 29:30

what you're going to do about it. So, maybe we can talk a bit about blindness. so. um,

Chris Romeo: 29:39

Sure, yeah,

Hendrik Ewerlin: 29:40

yeah, okay. So I think blindness is, um, the most important thing in threat discovery. So, do we have blind spots? Do we have blind areas? Uh, how will we discover threats?

Chris Romeo: 29:53

So, yeah, we, we've seen many examples of the depth of what this document contains. We just flashed through, you know, this section that had the different threats in regards to discovering threats. Uh, under the what can go wrong section, but there's just a lot of depth here. And so the, you know, the, the really the, the call to action is to go take a look at this project that Hendrix put together, read it, consider it, offer feedback on it. Um, so that's kind of our key takeaway and our call to action for this conversation. But we cannot end an episode without Robert's now famous section called the lightning round. Robert,

Robert Hurlbut: 30:34

All

Hendrik Ewerlin: 30:34

Yay.

Robert Hurlbut: 30:35

All right, three questions. First one is, what's your most controversial opinion on application security, and why do you hold that view?

Hendrik Ewerlin: 30:43

Okay. So probably the opinion is you can basically thread model everything. So it doesn't matter if it's a product process. Uh, so, um, when you discover this mindset, so, um, We're talking about danger as possibility of damage occurring. And you can just apply this to everything. Think about, uh, likelihood impacts, uh, try reducing things. So this is some general problems solution approach, so to say. So my opinion is we can just connect all these domains and threat model everything. So this would be some suggestion. Okay.

Robert Hurlbut: 31:31

So, question two is, what would it say if you could display a single message RSA or Black Hat conference?

Hendrik Ewerlin: 31:41

This. probably be, um, Go Threat Model. How else would you tell if your system is secure?

Robert Hurlbut: 31:49

Perfect.

Chris Romeo: 31:50

I like the simple version of that. Just put GoThreatModel right on the billboard.

Robert Hurlbut: 31:54

Just do it. Yeah, let's

Hendrik Ewerlin: 31:55

Yeah,

Chris Romeo: 31:55

that on a t shirt. I'll have to get Hendrick, I'll have to give you some credit for that again. I'll have to put goThreatModel on my t shirt.

Hendrik Ewerlin: 32:01

Yeah, okay. Uh, I, I would like to wear this as well. So we

Robert Hurlbut: 32:06

There you go.

Hendrik Ewerlin: 32:08

we could add a star and on the back, uh, that it could say how else would you tell if the system is secure.

Chris Romeo: 32:15

There you go.

Hendrik Ewerlin: 32:16

That would definitely work.

Robert Hurlbut: 32:19

Okay. And the third question is, uh, what's your top book recommendation and why do you find it valuable?

Hendrik Ewerlin: 32:25

Okay, um, there's a book series from Austin Cleon. It's about creative work in general and they are so approachable. Uh, nice pictures. Uh, great wisdom, and they're called Steal Like an Artist, it's about remixing ideas, Keep Going, and Show Your Work. So these are really, uh, it's great advice for any kind of creator. Uh, also very valuable for, uh, people working in development or security. Yeah.

Chris Romeo: 33:06

hunt for books outside of the security realm that help us to be better at what we do. So, um, Hendrik, thank you for sharing this project with us, for educating us on it. And, uh, congratulations on reaching the release of what we'll call the 1.0 of it. version Um, I know I'm going to dive into it deeper and give you some more, uh, detailed feedback on it. And I'd encourage other people to do that as well. So, um, once again, congratulations on being able to release it. And thank you. for sharing it with

Hendrik Ewerlin: 33:35

Thank you. Yeah. I was so excited to, to be your guest.

Chris Romeo: 33:40

And we're glad to have, we were glad to have you. And, uh, we look forward to seeing all the cool things you create in the future beyond, uh, this first document.