Caleb Sima is the CSO at Robinhood

Episode 247: Into the AppSec Trenches with Robinhood CSO Caleb Sima

In this episode of the Security Ledger Podcast, Paul speaks with Caleb Sima, the CSO of the online trading platform Robinhood, about his journey from teenage cybersecurity phenom and web security pioneer, to successful entrepreneur to an executive in the trenches of protecting high value financial services firms from cyberattacks.

[MP3] | [Transcript]


These days, every business is online and a huge – and growing – chunk of business activity is transacted online. The “web” has, in the space of 30 years, transformed from a funky little corner of the Internet full of pictures and text to become the bedrock of modern commerce.

The web: 100% hackable

Caleb Sima is the CSO at Robinhood.

But it wasn’t always that way. Our guest today, Caleb Sima (@csima), was there at the beginning, before SQL injection was a thing (or at least a thing with a name). This was in the heady days when prominent firms were keen to get web pages, but didn’t think that web security was anything that warranted their attention. 

As Mobile Fraud Rises, The Password Persists

As a security analyst at the pioneering security firm Internet Security Systems (ISS) Caleb was happy to prove them wrong and turned what he learned exposing security weaknesses in corporate websites into a thriving business: SPI Dynamics, which was sold to HP in 2007

Once more unto the (data) breach!

Caleb followed that with another startup, Bluebox, a mobile application security firm he sold to Lookout in 2016, followed by senior roles as a Managing Vice President at CapitalOne and Vice President of Information Security at Databricks. These days, Sima has situated himself on the other end of the vendor divide as the Chief Security Officer at Robinhood, the Menlo Park based stock trading and investments firm.

Identity Fraud: The New Corporate Battleground

In this podcast, which is part of our CISO Close Up series, Caleb and I talk about his work as a pioneer in the field of web application security, his decision to go from an entrepreneur selling cyber tools into enterprises to fighting in the trenches himself at a cutting edge, online financial services and trading platform. I started off by asking Caleb to talk about his responsibilities as CSO at Robinhood. 

Check out the podcast using the player (above). Or, use the button below to download an MP3 of the episode!


Transcript

Caleb Sima, Robinhood: Caleb Sima, Chief Security Officer at Robinhood. Robinhood is a company that focuses on democratizing finance for all as our mission. And we are primarily a mobile app, but we’re also a web application that allows you to be, we’re a brokerage, we’re a crypto company and we’re a payments company. You can trade, buy, sell, and send in our company.

Paul Roberts, Security Ledger: Yeah. And CSO, Chief Security Officer what are your marching orders? What is your mandate?

Caleb Sima, Robinhood: I had to do this presentation for our team kickoff and I was like, what’s the simplest way to explain what we do? Because I think like everyone has these different things. Oh, we manage risk. Oh, we do these things. But when I was like, if I’m at a cocktail party and there’s no one, and I’m talking to people who aren’t technical, who don’t [00:01:00] know security, like what’s the simplest way?

And we like, well, we try to stop the company from getting hacked. That’s really the most simple explanation, right?

Paul Roberts, Security Ledger: …and stealing people’s money. Yeah.

Caleb Sima, Robinhood: But then I was thinking about it. It’s, that’s actually not that simple, right? Because you can actually stop getting hacked by just not doing business.

That’s really the answer. I think the challenging part comes back is how do you stop the company from getting hacked. While moving at the speed of the business? And that I think is the hard part. And so very very much comedically drew a Venn diagram to explain this, where I had one circle that’s ‘don’t get hacked.’

And then the other circle is ‘move at the speed of the business.’ And then the overlap is really where all the work is done, right? And so what do we do? It’s, as a, as chief security officer, and I think as a security team, our job is to help us to not get hacked while allowing the company to move at the [00:02:00] speed of business, to take risks and and that, that overlap is is the hard stuff.

And that’s where our job is to increase that overlap between the two.

Paul Roberts, Security Ledger: Yeah. And we’re gonna, we’re gonna talk about that a little later. Cause I think that’s a really interesting kind of observation. And we talk about the, you talk about the speed of business, but the speed of business is not actually a constant, it it’s accelerating. We’re you mean

Caleb Sima, Robinhood: We’re you mean we’re not going 60 miles an hour. We’re going 120 miles an hour.

hour

Paul Roberts, Security Ledger: And And next year you might need to go 240 miles an hour. It’s right. It’s not like the speed of light or something. The speed of business changes

Caleb Sima, Robinhood: I could also keep this analogy going by saying, depending on the stage of your company, you could be a a broken down car trying to go 120 miles an Or you could be like a Ferrari going 120

Paul Roberts, Security Ledger: That’s right.

Caleb Sima, Robinhood: Yes.

Paul Roberts, Security Ledger: Yeah. You could try to be going 120 miles an hour with a, blown head

Caleb Sima, Robinhood: That’s right.

Paul Roberts, Security Ledger: gasket. Yeah. [00:03:00] When I, so when we first met which was early, I think really pretty soon after I came on the cybersecurity beat. You were the CTO and co-founder of Spi Dynamics which was the first company you founded?

It was sold to Hewlett Packard, hp. Talk a little bit about where the idea to start Spi Dynamics came from this was a web application security company.

Caleb Sima, Robinhood: So I think I would say that the journey really started at this company called Internet Security Systems out of Atlanta iss. And it was founded by this guy named Chris Klaus,

Paul Roberts, Security Ledger: by IBM eventually. Yes.

Caleb Sima, Robinhood: Yeah, so IBM bought the company, although I was out, I left is s prior to that acquisition. But yeah, started by Chris Klaus cuz he created this, this scanner called Internet Security Scanner. And somehow turned it into a business, which back then was really. [00:04:00] Very rare, right? Because this is, we’re talking 1994, 1995 kind of timeframe. And so dedicated security companies not like what at RSA today when you walk around the conference. And I joined that company as a researcher in the X-Force which is what it was called prior to their IPOs. It was a pretty small company. I was one of those guys. Sit in the office with the room with the lights turned off and then like they slid pizzas under the door while we like reverse engineered software and wrote exploits. That was my first job really at i s s. And

Paul Roberts, Security Ledger: all Yeah,

stock

Caleb Sima, Robinhood: um,

Paul Roberts, Security Ledger: art of the guys in the hoodies at computer terminals in dark rooms, that’s actually, those are actually pictures of Caleb when he was starting out.

Caleb Sima, Robinhood: And And, funny enough, I’m still wearing a hoodie even during this podcast yeah. That was that was like the job. And then I remember [00:05:00] one day. They came to me and they said, Hey Caleb we want to go start doing these tests against companies because our buyers, our customers are asking to test them to be able to prove that they need to buy our software, our products, right?

And they’re like, would you like to go do that? And I was like, ‘Okay, sure’. So I went out of this sort of dark room research mode into. Pen testing, but it wasn’t called pen testing back then. It like, there, that wasn’t even, I think a term, it was just basically called ‘Caleb go justify the purchase of our products,’ right?

And so I would get pointed, a customer would say, okay, come test us. And then I would go and break in and and I started doing that. So often that I got very good at it. But at that time, firewalls were becoming the standard and all these things were coming [00:06:00] up and I just, I remember the first time and again, this was like, gosh, probably ’96 or ’95 or something, I went to a website. and it had their website just had a, an authentication form on it, right? Username, the password box. And I was like, okay, Ike, what am I gonna do with this? You try, brute force guessing some things, and then I just viewed the source code of the webpage. And in the source of the code of the webpage, there is comments in it.

That was a conversation between developers of the website talking inside the comments of the webpage, talking about, oh, go here to change this. And they put a URL and they would do all these things. I was like, what in the world? And I copied the URL and it dumped me into an admin little dashboard of that website.

And that was the first time I was like, whoa, this is crazy.

Paul Roberts, Security Ledger: I think there’s a security problem with Web pages!

Caleb Sima, Robinhood: I was like, really? And I just started going down that road. Every single company I [00:07:00] went to, I started just looking at the web stuff, cuz this is when web was first started really coming out, becoming a business thing.

And I just started breaking into everything through websites. And I think that started this momentum of, hey, oh my gosh, there is something really, there’s a real problem here that no one talks about. Yeah. eBay was getting really popular, all of these things were all like, people were starting to say, okay, this is how business is. You know when you start moving to the web, right?

Paul Roberts, Security Ledger: I anticipate that the answer to this question is gonna be really depressing, but what were some of the security issues that you found back then? Caleb

Caleb Sima, Robinhood: I obviously you talk about I’ll talk about names, but it went from everything. At the time and I don’t know if you remember this, but yeah. Obviously SQL injection was a known today, but back then it was not even a term, SQL injection.

Paul Roberts, Security Ledger: Number one on the OWASP I think Yeah. Yeah.

Caleb Sima, Robinhood: so when I was doing this I [00:08:00] stumbled upon SQL injection by accident and was using SQL injection until I had stumbled upon R F P or Rainforest Puppy actually posting about SQL injection. Not, again, not calling it that. And at the timeframe it was difficult to find a company or a application that was not vulnerable to it. So that was really interesting.

I remember we, I wrote a a Google script, an automated script that would basically rotate through as many Google results as I could

Paul Roberts, Security Ledger: Right.

Caleb Sima, Robinhood: automatically put in the single tick and like 95% of the results at time would always flag it. It was. So basically anything you can think of during that time I was at ISS. I broke into, [00:09:00] you name it, . So

Paul Roberts, Security Ledger: Yeah, there was no security.

Caleb Sima, Robinhood: Not through the web. It was just completely wide open.

Paul Roberts, Security Ledger: So at what point did you did the idea for Spi Dynamics come into your head and you said, actually, I think we can make a business out of this.

Caleb Sima, Robinhood: As any good lazy person, and I am a lazy person does you automate all of the things you do? So I had written this script cuz I was doing the same stuff over and over again. Crawling websites, injecting bad parameters, doing things, looking for directories. So I just automated that all up and I remember.

I was at a customer site and I was doing an assessment and the person was sitting next to me. At the time we didn’t really have CISOs, but he was the person in charge of security and I was running this thing and he was watching me do this, and he was like, what is that? And I was like, oh, this is just my script that automates all the web stuff that [00:10:00] I do.

And he was like, can you give that to me? And I was like, I don’t know. I just, it’s just my stuff. And he was like, I’ll buy it from, And I was like, really? He yeah, he is like, how much, how much would you sell it to me for? And I was like, I don’t know, 20 K. And he okay, done.

And I was like, really ? And he was like, yeah, just like zip it up and then send it to me. I was like, okay. And so I did that. I got I was like, this is interesting. And I started like talking to others, right? So I started talking to other people and they were like, oh yeah, I would totally pay for that. And I was like, wow, this is maybe a thing. And so I went to I went to the, at

Paul Roberts, Security Ledger: The signs, you’re in the early days of the security industry do you know that you had an idea? It’s people were literally like pushing money into my hands to, to get what I [00:11:00] had. That was the sign.

Caleb Sima, Robinhood: That was the sign. I was this is something,’ right?

Paul Roberts, Security Ledger: Don’t need deck.

Caleb Sima, Robinhood: You don’t need any of that. And it was, it was bootstrapped, like actually spy was mostly bootstrapped, but by the way, not because, not by choice. We tried to go raise capital at tons and tons of places and they’re all. Who’s this 19 year old kid and talking this web stuff like, nobody got it. Nobody understood. And so it was a really fascinating journey on doing this. And I remember I was so frustrated by not being able to raise capital because nobody understood it.

So I said, okay, from this point, In the next meeting, I’m going to basically break into something. And so in the next meeting, in the next Capital I was like, they were like, we don’t understand. I was like, let me just show you. And so I brought up. [00:12:00] A company and I broke into it via the website and they were like, oh, you shouldn’t be able to do that. And I’m like, exactly. And they were like ‘okay we could probably put some money in,’ and it worked.

Paul Roberts, Security Ledger: yeah.

Caleb Sima, Robinhood: By the way, like when I break into something, it’s not like a real website that was like, there they were like, oh, I get it. Now that I see what you’re doing I can see how this is done.

Paul Roberts, Security Ledger: Yeah. It’s it’s so funny. It’s unless you were there, like it’s hard to get people to understand how. Clueless and wide open. Everything was even as early as it, early two thousands, when obviously there were a lot of companies, investing heavily in this technology.

But I remember, getting briefed by you and talking, as spy dynamics and some of your competitors as well, and. It was, it was still a challenge for [00:13:00] you to convince companies that this was technology that they needed to invest in, that the downside risk for them was substantial enough to warrant the investment. That was not no-brainer conversation,

Caleb Sima, Robinhood: and it took, we had to, we were creating a new market, right? And we had to educate that market and it took a lot of work, a lot of time. I remember like one of our claims to fame is that we got web security into PCI. And people will either hate me or love me for that, but the fact that we, I feel like I’ve helped change the industry by getting something like that into a standard, right?

Paul Roberts, Security Ledger: The face that launched a thousand consultants, Caleb

Caleb Sima, Robinhood: And made a lot of people a lot of money. I’m pretty sure . But it’s and now when you look at the industry today, obviously almost everything is web, right? Everything is application based. And like I knew that was gonna be the case, right?

Paul Roberts, Security Ledger: You saw that coming.[00:14:00]

Caleb Sima, Robinhood: Yeah, and it’s amazing to see actually today how advance. People have gotten in terms of how they do things and like I look at some of the things that my team does at Robinhood and it just blows my mind in terms of how our red team works and the ways that they are able to navigate and think. Or you just look at bug bounties and how the level of complexity that they put together to bypass things is absolutely.

Paul Roberts, Security Ledger: You were saying that you were talking with one of your colleagues and like they didn’t know that you were actually like an application security like OG

Caleb Sima, Robinhood: Yeah.

Paul Roberts, Security Ledger: somebody, somebody had to like enlighten them.

Caleb Sima, Robinhood: So my head of product security at Robinhood he’s, he messaged me this was maybe like a month or two ago, and he goes, I had no idea you knew about application security [00:15:00] and my, my, my response to ’em was, see, this shows what a good leader I am. I’m not micromanaging you at all.

Paul Roberts, Security Ledger: That is true. Yeah. Yeah. You’re not like trotting out your, your actually very impressive, track record and talking about your exits and all the other crap. Yeah.

Caleb Sima, Robinhood: Yeah I don’t talk a lot about what I do. The one thing I don’t do is I don’t go to my prodsec team and say, I know a lot about AppSec and here’s what you’re gonna go do, because actually I don’t anymore. Like when you think about where those things are today, my level of knowledge is so old. But I can claim I helped change an industry, I think, and I think that’s really awesome to say. Yeah.

Paul Roberts, Security Ledger: So after you did, SPI Dynamics. The next two positions you had were actually CEO positions at Armorize and and what was it? Blue Box?

Caleb Sima, Robinhood: Blue box. Yep.

Paul Roberts, Security Ledger: And both acquired, right? And then, and now you [00:16:00] are a CSO, so you’ve done tour of the C-suite, basically , CTO, CEO, CSO CMO maybe is in your future, I don’t know, but

Caleb Sima, Robinhood: that, that would be an interesting one. N not on my plan. Not on my list of things to go do.

Paul Roberts, Security Ledger: Talk about that and what you got outta each of those positions and whether which of them Caleb is happiest being.

Caleb Sima, Robinhood: That’s a great question. So those are two questions. So first I’ll talk about a little bit how. Things came to be and then we’ll talk about the happiest. I would say that how it came to be was obviously as I was moving up in my career I was looking and I had more and more ideas, right?

Like once you’ve done. A lot of people say once you’ve been an entrepreneur it’s in your blood and you become a builder. And that’s just what you wanna do. You want you look at [00:17:00] the way you look at the world, the way it should be versus the way it is. And everything that drives me is how do I get the way the world to be, the way that I see it.

And that is the entrepreneurial spirit. And. Both with Armorize, with Blue Box there were things that I wanted to go do in areas I wanted to go build to be able to go do that. And CEOs came as as a natural position into those roads because I just started saying, here’s what I want to go do, here’s how I’m gonna go do it.

And it just started rolling that way. Now the real interesting juncture, I think is how did I go from sort. CEO and founders on the entrepreneurial path, which is most of my life, is in that path to this. Oh, I went to go be basically a soldier at Capital One defending an organization moving to a large company [00:18:00] basically just having many layers of bosses.

Like what, how did that happen? I think that’s what most people ask is why make that switch? And what happened, I think after Blue Box was. I really wanted to go build something like what I was building in the sort of, the last two companies were things that were really interesting, but niche in their

Paul Roberts, Security Ledger: Mm-hmm.

Caleb Sima, Robinhood: solution sets,

And I wanted to build, I wanted to go solve like a really big problem that really mattered. And so when I th thinking about what. What really matters, and I started looking at the market, the cybersecurity in it. There’s all of these great cybersecurity startups doing almost everything you can think of, right?

Yet when you go look at the actual news of breaches and what occurs in actual breaches, they’re all because of fundamental problems. Like patching databases, just being open on the Internet. Like these aren’t hard hard…authentication, yeah. These aren’t hard problems, right? Or quote unquote, you [00:19:00] think, oh, why?

Like we have technology to solve this. Why are we getting popped by these issues? And so I was like, okay, I could go do what I used to do, which I go talk to CISOs and say, Hey, what is your problems? And go figure out how to go build something to solve that. But I was like, I’ve been in security my entire life.

Since I’ve been like 16. . But I’ve never defended a company, right? Never been in the trenches, the battleground, right? Like when you’re a vendor, it’s like you’re making weapons, but in reality you’re never in the battleground using them. And so I was like, Let’s just go do it.

And so I took a step back and said, I’m just gonna go be an operator and go figure it out. And so I went to Capital One on the goals of saying, let’s go figure out what the real problems are and why these problems exist. And again, if I can think of the way the world should be, then I’m gonna have a whole list of startups that are ways that I want to go solve the problems that I learn.

So when I went to Capital [00:20:00] One, I actually learned, I really enjoy this. Being in the battlefield is pretty amazing, right? You are in the action, you’re dealing with the stuff every day and it’s crazy. Like the amount of things that you’ve gotta deal with and the things you’ve gotta learn and understand, and it really.

It really enlightened me a lot. Like when I used to think back when I was a vendor and building startups, like the fact that I didn’t know the side of the house baffles me, right? Because now that I know the side of the house, things are so much clearer.

Paul Roberts, Security Ledger: What What kind of came into focus for you?

Caleb Sima, Robinhood: I think that when you think about building things, you think about, again, just hey, here’s this problem that I can go create and solve for.

When in reality, when you look at the biggest problems, I think in an organization, it’s not about these niche. Sort of problem sets in these areas. We are still [00:21:00] today struggling with the basic fundamentals of an organiza. Like patching is still a problem in every single organization. It’s still and I remember like just when I walked into Capital One, my first question was, Hey.

I was like, what do we own? What sort of things do we have? And the fact that no one at the time could really answer. Was like, ‘What? Really?’ You have this really, is that really a problem? And so it’s like these fundamentals that every org has, and like anyone who’s listening.

Paul Roberts, Security Ledger: And IT asset management was born…

Caleb Sima, Robinhood: Yeah. Well, and IT asset management was like dealing with like hardware, like laptops and chairs and tables. But then you ask hey, how many root users do we have in our company? Who is going to go answer that for me? Like all the listeners of this right now can’t go pull that number is gonna be my bet.

Paul Roberts, Security Ledger: Nope.

Caleb Sima, Robinhood: Right? And so it’s like really simple fundamental…

Paul Roberts, Security Ledger: Not unless they’re sole proprietorships, which, in which case, maybe they can

Caleb Sima, Robinhood: Like Paul, [00:22:00] as an L, as a standalone, LLC? I have one root user on my laptop but

Uh

Paul Roberts, Security Ledger: I can get you that information if you need it.

Caleb Sima, Robinhood: So it’s just that it’s just like these, what’s enlightening and what’s clarifying is

Paul Roberts, Security Ledger: Yeah.

Caleb Sima, Robinhood: it’s the basic problems is still the things that we deal with. And it’s the, what happens is technology moves quickly and we just don’t learn. So the same basic problems that you have in a technology of yesterday then reiterates itself as the same problem, but in a different technology stack tomorrow.

Right and our jobs are effectively I just tried to solve it here, but I’m at moving at the speed of business. I need to now go solve it here. And it just becomes this ever increasing pattern of this So, Yeah.

Paul Roberts, Security Ledger: One thing that you hear a lot too is just that compliance, while useful, can also [00:23:00] be, drain attention, time, resources from actually productive security where, you were a Capital One, obviously highly regulated industry. Did you have that experience? Did you feel like we’re spending way too much of our time on compliance? Not enough time on doing stuff that matters.

Caleb Sima, Robinhood: I have a little bit of a different view on this. I actually truly believe that compliance and regulations are really doing and pushing for the right things. When you look at what they’re doing they are asking the right questions. Of course, some of them can be behind the times, right?

Again, moving at the speed of business is hard to do, but compliance is really trying to do the right thing. Regulations are trying to do the right thing. They’re looking at it through the lens of, how do I look at you? have you verify that you’re doing the right thing. And that’s a hard question to ans answer, right?

I think where the struggle happens is when, if you’re a CISO or you’re [00:24:00] driving a security organization based solely on compliance or regulation, then that’s when you’re, you need to rethink how you’re doing that. Let me give you an example. To me, compliance and regulation is a translation, right?

So if you do the fundamentals well, which, what they’re what compliance is trying to do is say, Hey, are you doing the fundamentals well? It’s a, it’s, you have to tell them and verify that. But if you do the fundamentals well then it doesn’t matter who is, or what organizations trying to ask you and verify you’re doing the, it’s then translation.

It’s okay, I’ve done the base fundamentals really well, and now I just need to translate it to all the different compliances that need to understand that. And so if you focus on doing the fundamentals, if you focus on actually doing the right level of risk management in your organization, then compliance should be able to be done. easier, right? Because then you’re just translating what [00:25:00] you’ve done to all the different ways that they need to hear it so that they can then verify it. I think if you do it the opposite way, which it says one compliance comes down and says, you need to do it this way, and this way, and that’s where you start building it.

Then when the next one comes, then it’s a whole different way, and then you are just like basically spot thing everywhere, right? And that’s very difficult versus just.

Paul Roberts, Security Ledger: Stamping out fires, right?

Caleb Sima, Robinhood: Like they’re all just trying to verify that you are doing the right things fundamentally well, and you just go for that, and then translate it for them later.

Paul Roberts, Security Ledger: As you mentioned, Robinhood is a b B2C platform. You’re a mobile and web-based stock trading platform. And you’ve talked a lot when we’ve talked personally just about the need to improve the customer experience of security and really make it consumer friendly in some ways user friendly in a way it [00:26:00] isn’t. Most of the companies you’ve been at to date have been, enterprise focused. So talk about that what you mean by that and how that, how having maybe more of a customer-centric or consumer-centric approach would change the way you, we, companies think about how they do security.

Caleb Sima, Robinhood: My, my inspiration has always been Apple’s, iPhone. When I think about security and privacy done well. The iPhone is a fantastic example of this.

Paul Roberts, Security Ledger: Yeah.

Caleb Sima, Robinhood: We use an iPhone every single day to get what we want done from, whether it’s editing a work document to taking a photo of yourself, right? And you don’t think about the security and privacy that.

Apple’s iPhone comes with it. But what it does come with is extraordinarily advanced, right? All the way through the entire stack from [00:27:00] hardware to you security privacy is built into every single layer of that phone. And it’s very complex. And that to me is the way that we should be going is how do we make it so simple and so easy.

For example, coming into Robinhood, one of the things that is really. I think very useful is this passwordless movement, right? Where you look at an Apple iPhone. We went from having to put in pin codes, passcodes to touch ID, to face id, and it’s start. It’s the, not only is it becoming easier, but the actual verification is becoming better. It’s becoming more secure. And so when I, one of the goals I wanted coming into Robinhood was how can we do that for our customers? It’s, it, passwordless is the one thing that you can actually, one, make a better user experience for customers and two [00:28:00] more secure. And that is a win-win across the board.

Right? And one of the things I am proud of is that when Io. Came out with Passkey on day one. Robinhood was there. We had the ability to do passkey and passwordless inside of our app right off the gate, and we worked really hard during that year to make sure that was there. Now we’re not quite done, but we’re like it’s we’re doing really good things there.

Paul Roberts, Security Ledger: So for folks who haven’t used Passkey yet, or one of the other technologies that uses the same kind of underlying technology how is it different? What is it? What does it do? And from an implementation standpoint, what’s involved in switching from, maybe traditional password plus 2FA to passkey? ?

Caleb Sima, Robinhood: It’s the simplest way to say it is, people are familiar with hardware keys, right? You’ve got this UBI key or hardware keys that people plug [00:29:00] in and use in order to be the most secure. In, in, in passkey, it’s embedding that key into your device, and that’s fantastic. And so now it means you don’t have to carry around this extra key. You actually have it built into your mobile device or to your iPhone, and you can then just use and authenticate to these applications like Robinhood using that hardware device in, in, in the right way. And that becomes super, super easy. And in Robinhood, all you have to do is go to your security settings and you can choose Passkey, and then that enables it for you.

It is hardware based. Using WebAuthn, you’ve got a chip inside of the device that allows you to basically do the right authentication to say, I know this is the device. And like, how does that, how does a user experience it? Let me give you an example. So if you were to let’s.

Log in or delete the Robinhood app. Log in and [00:30:00] reinstall and log in as your user. And as an upgrade, you can just choose, oh, hey, I want to use Passkey. And on fresh install it would say, great. It will recognize it. Log you right into your account, no password needed, which is really nice.

Paul Roberts, Security Ledger: Yeah.

Caleb Sima, Robinhood: And I think that again gives you great user experience with great.

Paul Roberts, Security Ledger: Yeah, because how many breaches, how many both, low end. Forget about the consumer space, but even, the enterprise space really resolved to leaked, stolen credentials, right? Whether those are, remote desktop credentials, v VPN credentials, what have you.

Developer accounts this is just such a core problem having, still relying on passwords,

Caleb Sima, Robinhood: And I’m very excited that we will we do, we will have a time at will, we will get there. Because passwords have to [00:31:00] die,

Paul Roberts, Security Ledger: I agree. One of the things that’s really accelerating the speed of business is DevOps and agile development. Supply chain security is a really big topic right now. What’s your take on it? Is this just the latest kind of fad in the information security space, or is it really where the problem and the and the, and the attacks and, attacks and are going?

Caleb Sima, Robinhood: I think that there is, there’s a short term and a long term answer to this, right? I think that short term no, this is not a problem that I think most people should be worried about. I think that there are unique cases around where that should be worried about. But for example, I’m not going through every single piece of our software and every dependency to determine if someone is embedding a back door in that dependency because some open source contributor was malicious, right? Trying to go tr track and trace that [00:32:00] down is a real waste of time at the current timeframe. What do I do instead?

I assume that they’re already in that code base, right? And so then what happens is you have to ask the question, okay, if my software does have a malicious embedded library, what are they gonna do with it? Is the question to ask. And so if you deploy. Malicious software onto your production endpoints, they’re gonna have to use it in some way.

At some point, they’re gonna have to say what am I going to go do with this? And that means they’re gonna have to break out of that software and or figure out how to exploit your production servers in order to go do that. So the. Where I’m putting my energy is making the assumption it’s already malicious.

And so when we look at our production stuff, we say, if this was malicious, what are these people gonna go do? And spend our time focusing on those things as an, as a well, what’s the blast [00:33:00] radius? How do you retain, how do you contain them? How do you respond? Those are the things we wanna spend our time and effort on.

Right now. However long-term. I do think that there’s importance in this understanding where software comes from and the validity of the software and the reliability all of, and the security of that software, I think is a great long-term challenge. But I don’t see this being solved anytime soon.

Paul Roberts, Security Ledger: Caleb Sima, CSO at Robinhood. Thank you so much for coming in and speaking to us on the Security Ledger podcast. We’ll have to do this again.

Caleb Sima, Robinhood: Okay. It was fun. Thanks Paul.

[Top]