DevelopSec: Developing Security Awareness
Curious about application security? Want to learn how to detect security vulnerabilities and protect your application? We discuss different topics and provide valuable insights into the world of application security.
Ep. 125: From Flat Tires to AppSec: The Power of Tools and Process
In this episode, James shares a story about fixing a flat tire on an E-Scooter and how it relates to security. He shows how the combination of tools, process, and knowledge can lead to a successful outcome.
Can you be successful without all three components? Maybe, but it might take more effort than is needed. Tune in to learn how these three components work together to create efficient solutions.
For more info go to https://www.developsec.com or follow us on X (@developsec).
The DevelopSec podcast is brought to you by Jardine Software Inc.
On this episode of the DevelopSec podcast, James talks about tools, process and knowledge with a fun little story to go with it. Tackling the challenge to integrate security into the development process. Looking for insights, answers and practical solutions to avoid getting overwhelmed. Welcome to the DevelopSec podcast, where our focus is your success in securing and improving development processes. And here is your host, James Jardine. Hey everyone. Welcome to the podcast. Today I wanted to start talking about tools, process and knowledge. And maybe that doesn't sound like a whole lot, just kind of three words thrown together right here. But I'm going to tie it all together as I share a story about a recent experience I had working on an E-scooter, of all things. And I'll share how working on that made me kind of think about what we do in security and these three components, the tools, the process, the knowledge, and how those all work together. But before I start that, I wanted to kind of share the story of a recent experience I had with this E-scooter. So a couple months back, I bought this E-scooter for my teenage son. And, you know, there's quite a few things you have to consider when looking to get an E-scooter. And one of those components happens to be around the tires. And so with the E-scooter you can either get tubeless tires, these like solid tires that don't pop, we don't have to worry about them deflating. You can run over nails, whatever. The downside to those is that they're a little bit more of a rough ride because they are that solid rubber, you kind of feel everything in the road. The other option is you can go with the tubed tires, right? Inflatable tires, it gives you a little bit softer of a ride. So even with the shock systems that they have in some of these scooters, it kind of, you know, hides some of those vibrations, the little things in the road that with those solid rubber tires you would have felt.
So after going through this decision making process and understanding, you know, kind of the pros and cons, I went with the tubed slash inflatable tires because I've been a cyclist for a long time. I've had to replace a couple tubes in my day. One, it's not really that bad. I mean, you wrestle with the tire a little bit to get that thing back on the rim, but with some bike levers, it's not too difficult. And to be fair, over the last 20 years, I've probably only changed like five tubes. So it wasn't a huge effort. And it was possible. So for the smoother ride, I went with the tubed tires, hoping that this is something that wouldn't come up very often. I mean, seriously, how often could these tubes pop? Well, fast forward a few months, and here I am with the first flat tire on the back of this scooter, and lo and behold, doing some searches, there's not a lot of places in town that'll actually repair scooters. So that posed a little bit of a problem. So I was like, all right, well, I guess I'm gonna do this myself. And, you know, I started down that route again. I've changed tires before, you know, I know where the pain points are going to be. And the biggest ones, the biggest two, are getting that tire off of the rim and putting that tire back on the rim. So I ordered some tubes off of Amazon, and while I waited for those to arrive, I went ahead and pulled the tire off the rim and got that old tube out of there, which for sure had an actual hole in it. Now I was using those bike levers, which are just those maybe like 5 inch long, maybe 6 inch long levers that, you know, have a little bit of scoop at the end of them that you can kind of pry under that rim and yank it out. And with some effort, I was able to get that tire off the rim. But I mean, I was going through a mix of things. I was rubbing oil around the edges of it. I was prying. I had three of those levers. I ended with two of those levers because one of them broke.
And, you know, that I was a little worried the other ones were going to break as well. But through some effort, probably about an hour's worth of time, I got the tire off of that rim. While waiting for the new tubes to come in that morning, I actually went out and I bought a tire spoon set. I don't know if you've ever seen these before, but they're basically like the bike levers, except for they're about 11 inches long and they're made of metal. So it's going to give a little bit more leverage. And I don't have to worry so much about the plastic breaking, trying to force that stuff off. So this is the tools part of the area of having the right tools. And I say it all the time, you know, so many things are much easier if you have the right tool to do it. When I'm doing woodworking, same thing. If you've got the right saws, you've got the right tools. It's usually not that bad. It's when you don't have the right tools that jobs become way more challenging. So I got this tire spoon set and just waiting, itching for these tubes to finally come in. So they do finally come in a little bit before dinner time, as my wife expected would happen. And so I go out there, I pull the first tube out. I figure out how to wrestle that thing on there. There was some, some tricky pieces around the stem, how you inflate the tire, trying to get that in. I actually had to put the tube on the rim first so I could get the stem through and then try to wrestle this tire over it and then try to cram the tube down inside of this tire. Not an easy task, but I get all that finally to the point where I'm ready to get the second part of the tire back over the rim. And this is the hardest part. And I'm wrestling with this thing and, you know, you just can't push it from each side and work it up. It's way too tight for that. So you need some sort of lever to get in there. And I'm using dish soap this time instead of the oil because I read that oil actually will degrade the rubber tires. 
So I switched to the dish soap and, you know, I got this thing on the floor I'm kneeling on. It's only a 10 inch tire, so it's small, it's hard to work with. And I grabbed that tire spoon that, you know, it's about, I'd say like 11 inches long. It's got a nice handle on it, it's metal. I start cramming that thing in there and just like forcing and like working that tire up over that rim. And probably after like two or three minutes with that tire spoon, I was able to get that back on. So I'm pumped. No way would I have done that with those little tiny bike levers. The plastic probably would have broken, but I wouldn't have had the leverage to be able to get in and really pry this thing up over that rim. So I get it on. I'm feeling pretty good, success. I blow the tire up, and I immediately start noticing that the air pressure is dropping again, half a pound every time I put the gauge on there. Sure enough, this tube has a hole in it too. Now I have to take the whole tire apart again just to put a new tube back in. And I can tell you that with these new tire spoons, wow, did it make a difference getting that tire off, because putting it back on again, now the hardest part was just squeezing that tube inside the tire after getting it on with the stem on there. But I did blow the tube up first, make sure there was no leaks, deflated it, got it back on there. So it, you know, it was a challenge. But having done some of it without those tire spoons and some of it with it, a world of difference. Not only did I gain a little bit of knowledge and experience through that first part, right, of struggling with those other pieces, but being able to have the right tool made a world of difference getting this thing back together. I might not have ever got it back with the tools that I had. And I share this story because oftentimes in security, we talk about tools.
We talk about all these different tools that are available, but then we forget about the process or the knowledge and experience that is involved with making sure that whatever we're trying to solve with that tool is actually successful. I can go get a tool and maybe we can even go implement it. But if I don't have processes around that tool, then what are we really going to do with it? How do we know that we're using it the way we should be using it? If I'm required to run a scan every night, well, I need that process to tell me I need to run that scan every night. Otherwise I've got a tool that's just sitting there that maybe we're ad hoc running or maybe we just don't know how often we're running it. But that tool was purchased for a reason. There was a solution it was trying to bring, whether that's doing static analysis, whether that's trying to protect against ransomware on the endpoint, right? We get tools for all these different things, and the tool isn't the solution. It's looking to solve a problem, but it's part of that solution. We still need the right process in place to be able to manage that tool, if you will, and to describe how we want to be using that to solve the problem that we have to actually create that solution. We start with that process, like, how do I solve this problem? Then, okay, well, let's look at what knowledge do we have around this problem. Because knowledge is a key ingredient here, too. Not just for the use of the tool, but to solve the problem. If I look back at changing that tire, having the knowledge to be able to, you know, know that lubricating the rim will make that a little bit easier to get it back on there, you know, even, I guess, learning the knowledge of using oil versus dish soap as better ways to do it. Both lubricated, one might be a little bit worse for the tire than the other one. You know, there's something there.
Knowing that the knowledge of the process of how to get the rim off or the tire off the rim, you know, taking the tube out, putting it all back together, knowing that this spot is going to be the most challenging, right? Knowing that trying to get that tire off of the rim is going to be a struggle. Trying to get that tire back on the rim. Like, we're going to need special tools for this area. So we take that process of how do you remove the tire, put the tire back on, what are the tools I'll need to be successful in that? So take that back to I'm solving static analysis or I'm solving ransomware. What is the knowledge I need through the process of how I solve that problem? And when I combine those two, I start to consider, okay, here's the tools that are going to help me solve that problem. I could have just gone out and got tire levers or tire spoons, but that wouldn't have done anything. I wouldn't have even known I needed those, right? Without having that past knowledge, very recent past knowledge that the plastic levers aren't going to work on that size tire, it's just not going to happen. So combining that knowledge and process, I can identify the right tools to be able to put those in place and then using that knowledge to be able to configure those tools properly and understand how we're going to deal with the output from the tools. Are those events going to your SIEM? Are those events going to the AppSec team or directly to the developers? And static analysis? Maybe it's a response straight into a pull request. All these pieces fit together to create that solution for whatever we were trying to solve. And I think often we forget what we're actually trying to solve. We throw, well, we need static analysis. So we go out and buy a tool and we implement it. We need IAM, let's go buy some tools and let's implement it. We need ransomware protection or we need an EDR. Great, let's go get a tool.
We'll solve this problem without actually taking the time to say, well, what are we doing with static analysis? What are we trying to solve? What do we know we can solve with this and what we can't solve with this? Because those are different things and depending on the tools that we get changes what we can solve and what we can't solve. Some tools are going to do a better job finding vulnerabilities. Some tools are going to have more false positives. Understanding our landscape is really what's going to help us understand what the best tool is for our situation. One tool may work better for this other company, but maybe in our situation that tool, either it's overkill, maybe it doesn't do enough, maybe it doesn't have the right integrations to know. Again, this is where that knowledge comes into play: how to take that tool and integrate it into our systems. Maybe we need to integrate it with GitHub versus Azure DevOps, making sure that we have the tools that are going to meet those needs. How do the developers work day to day? Does the tool fit into their process and do we understand how that's going to work? Because if we just go out and buy tools, most likely either they're not going to be effective or they're just going to sit and kind of fall into the shadows because nobody's following any process around them. There's no process to drive it. There's no expertise around the tools to understand really how they work and how to get the benefit from them. So we're just spending budget on nothing. But I guess we can say at least we've got a SAST tool or we've got a ransomware tool. But how good are those if we're not using them properly and effectively? They lose that value and it turns into what I see more and more these days of the security theater talk, but that's really what it is. And I mean I remember this 15 years ago, talking about static analysis tools and the difficulty in bringing those into an organization.
And this is when they didn't integrate with pull requests or anything like that. You actually had to take your binaries of your code, right? The compiled pieces, upload them to a system, wait three days to a week, get those results back and then process those, right? There wasn't a lot of integrations. It was very clunky back then, very time consuming. Now everything's very embedded, there's integrations everywhere. We get that stuff right away. The way we solve those problems is different, our solutions look different and we need to be able to understand that. But back then, because of how disconnected everything was, it was all too often that you'd see places go out and get static analysis and six months later you check in and it's like, oh yeah, no, we haven't run a scan in the last four months. We did it while we were in the excited mode of putting this thing together and implementing it, but we don't have any process around it. There's nothing defined about how we're supposed to use this. We don't really have any expertise. The developers don't understand it. The AppSec team maybe somewhat understands it, we got it enough to get it stood up and then it falls to the wayside. So, you know, I think it's important for us when we're thinking about the tools, the process, the knowledge around these different things of what we're trying to solve: what's the problem you're trying to solve? What knowledge do we have around this, what processes do we need in place to make sure that whatever our solution is is going to be effective? And then when we look at all those, that's going to help us identify what tools do we need that will help us improve this process. Knowing all this information is really what's going to help create the best solution that you might actually use and continue using going forward.
But without considering all those and having all the right pieces in play, you're just kind of cobbling together a few different ideas and tools and praying that they're going to work and catch whatever it is you're trying to look for. So just a few quick thoughts on some of this stuff about tools, process and knowledge. Curious to hear if you guys have any experience like this. I'd love to see and read comments about other experiences where tools have saved the day and having the right tools. I can tell you again, working, I do a lot of woodworking and I tell my neighbor sometimes, you know, it's just the tools, like if you have the right tools, things seem a lot easier. Have you ever watched, you know, these home makeover shows or woodworking shows, right? This Old House, that type of stuff. Everything they do looks so easy. Laying the tile, doing all this stuff, it's like, wow, how do they do it so perfectly? They do such a good job and really, yes, it is experience, right? I mean they've done it a bunch of times, they know the process for doing it and they have the right tools that make their job so much easier. Whether it's the laser level for hanging cabinets instead of out there with a four foot long level trying to draw lines or having the right saw, all this stuff. The tools can be an enhancement or they could be your detriment. So just think about that. So if you've got any stories like that, it doesn't have to be security related, I'd love to hear examples of how having the right tool made doing some tasks so much easier. So I appreciate everybody listening. Sorry it's been so long since the last episode. We're going to start getting some more going here in 2026, but thanks for listening. I hope everybody has a great day. You know, check us out online at developsec.com and we'll catch you on another episode. Thanks. You have been listening to the DevelopSec podcast with James Jardine.
To find out more about how we can help you with application security, follow us on Twitter @developsec or check out our website at www.developsec.com.