#228: Hunting bugs and tech startups with Python Transcript
00:00 Michael Kennedy: What's it like building a startup with Python and going through a tech accelerator? Well, you're about to find out. On this episode, you'll meet Elissa Shevinsky from Faster Than Light. They're building a static code analysis-as-a-service business for Python and other codebases. We touch on a bunch of fun topics, including static code analysis, entrepreneurship, and tech accelerators. This is Talk Python To Me, Episode 228, recorded August 7th, 2019. Welcome to Talk Python To Me, a weekly podcast on Python. The language, the libraries, the ecosystem, and the personalities. This is your host, Michael Kennedy. Follow me on Twitter where I'm @mkennedy. Keep up with the show and listen to past episodes at talkpython.fm. And follow the show on Twitter via @talkpython. This episode is brought to you by the podcast Command Line Heroes from Red Hat, and Linode. Please check out what they're offering during their segments. It really helps support the show. Elissa, welcome to Talk Python To Me.
01:06 Elissa Shevinsky: It's great to be here.
01:07 Michael Kennedy: It's really great to have you here. I'm excited to talk about all of the stuff that you're doing. There's so many different angles and aspects of what you've got going on. I think it's going to be interesting for everyone. We're talking about going through a tech accelerator, starting a software business, building on top of open source, working with Python as a core way to build a business. Things like this, and some others as well. A lot we have to talk about together.
01:34 Elissa Shevinsky: These are some of my favorite topics so hopefully it will be a good conversation.
01:38 Michael Kennedy: I'm sure that it will. Let's start it off by just getting your background. How did you get into programming in Python? How did you get here?
01:44 Elissa Shevinsky: I got into programming basically my first day of college. I took an introduction to the web. It was like Computer Science 105. This was 1997.
01:56 Michael Kennedy: Just to set the perspective for people, the web came out in like '93 as a proper browser. That's like years, a couple of years into it, right?
02:06 Elissa Shevinsky: Oh, yeah. I don't want to say nobody, but it was extremely unusual to be doing the kind of tech stuff that I was doing. And I loved it. But I didn't become a programmer at that point in my life. I got introduced to it. I thought it was cool. I had this really warm and wonderful computer science professor and these friends who were computer programmers. And just kind of had this mental note that if I ever wanted to go into programming, they would have me. And it was geeky, and it was fun. And over the next few years I just kept being friends with all these developers. And then I got this job, and I wasn't thinking too hard about it. Just my friends are at this startup called Everyday Health, and I joined. And for the first year, I worked with the founders to set up the customer service infrastructure. Then I wanted to go back home to New York. And I got promoted to the tech team kind of as an accident. There was this moment where they needed someone to do QA, and I was just around. It was for like New Year's Eve and Christmas when no one wanted to work. And I was good at it. Then they threw me on the tech team, and there I was suddenly shipping new software every three months. I just fell in love with it. I'm still in love with it. There's a short list of things that I love, and making software is really one of the... I can think of very few things I love more. And I got into Python specifically once I started doing talks. I just looked around and pretty much applied to any open call for papers. And I fell into PyCon Canada. It was like, whoa. These people, they're warm and wonderful. And this conference is really deep, and interesting, and covers a lot of ground. That just became my home in all of these ways. And I went and I did every Python conference that would have me. I had this talk on the history of women in computer science that also included all the contributions that women and nonbinary people made in Python. And all these events really wanted that talk, so I kind of went on this worldwide tour, going to Australia, and London, and all over, giving this talk on Python community.
04:23 Michael Kennedy: That sounds so fun to be able to dive into that. I totally know what you're saying. I had the same feeling with PyCon and the community. Just, like, wow, this place is special.
04:32 Elissa Shevinsky: It really, really is. I mean, I could go on and on about how and why I love Python and the Python community, which I guess is appropriate for this show. But Python is a really good learning language. There's so much that's great about Python. And I saw myself as someone who was still, in some ways, a beginner as a developer. I'm very sophisticated in some of these other aspects. I've got all this deep security knowledge, and I know a lot about the process of shipping software. But I liked that I could go to a Python event and follow along with the talks there, and make a really meaningful contribution. And I still like that Python, that it's a good first language for people. I like being part of a community where you can tell beginners, oh, come here first.
05:21 Michael Kennedy: You know what's really interesting? And I do agree with that, for sure. I met so many people who were hesitant to go to events like that. They're like, well, I'm not really a developer enough to come to that. I'm not a super pro. I've only been doing this for a few years, or it's not my main thing. I'm mostly a doctor, or whatever. And they're all, you know, this is amazing. I'm so glad I decided to get over that and come. I think that's really wonderful. But also, there are a bunch of people who it's not just a beginning language for them. It's a professional language they've been working with for a long time. And what I think is special about Python is you can be effective with Python with only a partial understanding of it. If you don't know what a class is...
06:02 Elissa Shevinsky: I think that's true.
06:04 Michael Kennedy: If you don't know what a class is, a generator, a metaclass, a database, you can still write scripts. You don't even need to know what a function is in terms of creating them, and you could still use it. But at the same time, you can grow all the way into building Instagram, or YouTube, or you name it. I think that that's really special about it.
06:22 Elissa Shevinsky: Yeah, it's a very powerful language. We're using Python at our company, at Faster Than Light. And our CTO is a very senior Python developer. But it gives me a little bit of a lens into what you could do if you were junior. We certainly see a lot of projects where people... It's a high impact language, across the board, for lots of people.
06:43 Michael Kennedy: I think it's definitely special. There's a lot of languages that are great for building pro apps. There's a lot of good beginner languages. But there's not many that do both. I think that's a lot of what makes that special and why it makes sense for beginners to come and yet still have this full, rich ecosystem that we do. Which is great. Let's talk about what you do day to day. You're doing some pretty exciting stuff right now.
07:06 Elissa Shevinsky: I think what I do is a mix of these really, really dull, not glamorous things. Like I'll sit and I'll do taxes, and accounting, and build a leads list. So like, I'm in an Excel spreadsheet just putting in names and emails, and LinkedIn. Because, for whatever reason, I want to connect with those folks through the business. And then just the most glamorous stuff. We're part of the Techstars London accelerator now. And I meet the most remarkable people. I have introductions pending to, like, the chief executive officers at really large banks and corporates. We just met the CTO from IKEA. I guess for me that's glamorous. Glamorous is like, I met this really cool developer.
07:53 Michael Kennedy: It's geek glamorous and geek famous, which I think is pretty awesome.
07:58 Elissa Shevinsky: I've also traveled all over the world, which I think meets a lot of people's definitions of glamor.
08:04 Michael Kennedy: It's interesting because how many people think of, I'm going to go learn software development, which is often from the outside perceived as, like, those are the people that go into the dark room and no one talks to them. It's kind of a solitary thing. And the result is all this glamorous travel and all these experiences that a lot of people who thought they had a glamorous job maybe are not actually getting out of it. I think there's a lot of interesting stuff. I had similar stuff. I traveled all over the world teaching classes and got to hang out in amazing places. And I'm like, wow, how did writing code get me here? But it does, and it's great.
08:40 Elissa Shevinsky: Yeah, I think that says a lot about just how powerful it is to be able to make software these days. Because you can take it in either direction. If you really want to just stay home and work on interesting projects on your own terms, writing Python code is a really good way to do that. And when I think about a lot of developers I know, that's exactly what they do. And if I wanted to do that, I could. And then there's also this other side of it where if you want to travel the world, software development, and specifically Python, is a great avenue for that. I just think it's an exciting... It's a very good time to be a nerd.
09:20 Michael Kennedy: Yeah, that's definitely a true statement. You said that you do some very incredible stuff, this traveling, but also a lot of boring things being CEO of Faster Than Light. I can definitely relate to some of the stuff you're talking about. You know, running Talk Python, and the training business, and all that, there's a lot of meetings with business partners. I definitely do a lot of accounting and taxes. But one of the things I think that stands out really big that I think a lot of people are not initially prepared for is marketing, and that kind of stuff. How do you go from working in QA to understanding what you need to do around marketing? Because to me, building a software business, it's interesting technically, it's challenging technically. But those are kind of table stakes. And then you've got to get users, and break through the noise and get people to care. How did you get those skills? Because they're not really taught in any computer...
10:27 Elissa Shevinsky: That happened over a very long period of time. Like 2004, I'm a QA analyst. And then 2008, I tried to do some digital marketing consulting, and I started to learn a few things there. And I did okay. I had some small businesses, a guy who was selling sneakers on the internet, and I managed his AdWords and social media. I started small and worked my way up. And really, I've just been hustling so hard learning new skills and leveling up over the last 10 years. Where, in 2011, I tried to do my first startup. And that didn't really go because people didn't have a lot of confidence in me. There was a lot I still had to learn. Back to like 2013, 2014, I'm starting to learn a little bit more and I've gotten some press attention. There's this process where I learned how you talk to the press and how you get noticed.
11:26 Michael Kennedy: Never been able to figure that out. That's very tricky.
11:29 Elissa Shevinsky: Oh, I'm happy to talk about that. It's probably out of scope for this conversation. That was one of the first things I learned. You have to do or be something interesting, and then figure out how to tell the story to the press in a way that reflects the message you want to share. And then the big thing I learned was that in order to really break out, you either need a big audience, or you need someone with a big audience sharing things. I had all this envy from the founders who I saw who got traction and things went viral, and I just studied that, a little bit obsessively, to figure out how do I become or do that. Because I loved making software but it's not enough to make the software. People have to use it. And then I figured out how to be the person who has an audience. I'm not the person with the biggest audience. But I have 13,000 people on Twitter. I can get attention in the press. There's different things that I learned how to do. I guess the TLDR there is that was over 10 years of really studying it and trying things. And eventually building up credibility and building up an audience, up to the moment where people come to me now. And they're like, hey, I've got a job posting. Just like, oh, cool. I could be helpful there. I have to remind myself what it used to be like when I didn't have that so I appreciate where we are.
12:53 Michael Kennedy: Yeah, absolutely agree that that's a huge part of the hidden success story of a lot of these types of things. There's that initial audience that care to this initial group. Obviously that's part of my story with the podcast and whatnot I'm doing there. More mainstream examples would be like 37signals and Basecamp.
13:17 Elissa Shevinsky: I love them.
13:18 Michael Kennedy: Yeah, I do too. And even almost Ruby on Rails as a thing itself. Those guys did a ton of writing. They had a huge blog following. And I feel like their products are really good, but there's a ton of project management products. I think that their writing, and their blogs, and their philosophy, actually was a big secret of their success.
13:39 Elissa Shevinsky: I'm happy to hear that. I think about that all the time. I've been going through what they call Mentor Madness at Techstars London. That's a process where, from 9:00 o'clock until around 1:00 o'clock we meet with all these mentors from Techstars. It's pretty wonderful, and they're all there to be helpful. But they also all ask questions about the businesses. They're trying to figure out which startups they want to work with the most. It's good for us to practice or learn how to have good answers for that. And one of the things I get asked all the time is like, what's your moat. Technology moat only lasts for so long. And I think the only really good answer that we have, other than just continually trying to stay on top of product innovation, is that kind of brand moat. I have to go out there and evangelize code quality. And when you think of code quality, you'll think of me and our team. I'm excited about that because I think it's really important. I'm happy to think about going and spending the next several years convincing, and sharing, and getting people really excited about shipping better code. But I also think what will make us different from other companies. It's like, well, if you think of us as the experts for that. I think about that idea a lot. I'm kind of happy about it. On the one hand there's something kind of crappy or not great about the idea that the best products don't win. It feels like in a fair or just world, the best products will just win by default.
15:11 Michael Kennedy: Yeah, that's a harsh lesson, and I agree that that is not true, even though it should be.
15:15 Elissa Shevinsky: I grew up in Queens, with a single mom, in this environment where I felt like I'm not making the rules. I don't make the rules. But I have to figure out the rules and accept them if I'm going to move ahead and achieve things. I think that's part of just me being a sane person in this whole startup ecosystem. But I also think it's part of me to the extent that I'm successful in the things that I set out to do. I'm just like, okay, these are the rules, this is what it is. We can build the best product. That's never going to be enough. We just have to accept that and then figure out, okay, if we have this thing, we want you to play with it and try it, what does that mean.
15:59 Michael Kennedy: Yeah, you definitely have to be able to legitimately see all the ways that things are working, all the rules. Then you can try to break them or try to be different. But you've got to understand the playing field first. And then you can start to get out there. This portion of Talk Python To Me is brought to you by Command Line Heroes. For the Free Software Foundation, making a free, as in speech, version of the Bourne shell was critical for their operating system. Enter Brian Fox. Command Line Heroes, an original podcast from Red Hat, is all about the people who transform tech from the command line up. Episode six dives into the origins and evolution of the Bourne Again Shell, aka Bash. Bell Lab's Bourne shell was the default for Unix. The Free Software Foundation, however, needed to create their own version for their not-Unix operating system without using any of the Bourne source code. Get the story, and subscribe to Command Line Heroes wherever you get your podcasts. Or just visit talkpython.fm/heroes. One of the really interesting things that I think you're doing is going through this tech accelerator, this startup accelerator Techstars. How did you decide to come and do that? There's a lot of ways to start your business. You could just bootstrap it from the ground up. You could try to go around and pitch VCs. You could do one of these accelerators. There's a bunch of options. What led you down this path?
17:26 Elissa Shevinsky: That's such a good question, actually, because it's so personal, and I feel like there's no right or wrong answer. And there's even a company inside our accelerator that doesn't really want to raise money and they want to bootstrap. Good for them. I think they're going to be very successful there. For me, I thought it would be good for us to raise money, and just hire people to do the things that aren't our strength. When I talk about I'm doing all this back office stuff, I have this fantasy where someday, someone else does that.
17:57 Michael Kennedy: I have the same fantasy. I know what you mean.
18:01 Elissa Shevinsky: Like, what is it, what's your dream? I love the idea of us getting big enough where I can really go around the world and just evangelize code quality, and our brand, and hire great people, and have someone else who is doing a lot of the operational stuff. As companies get bigger, the CEO job does become more like representing and holding the vision, and hiring, and fundraising. That's what I really want to do. But because we're a three-person company, I'm going to do everything. So I had this fantasy that we became a bigger company and we could just do the things where we're really strong, and hire other people to do the other stuff. That means we have to become a big enough company, we have to raise money. It's actually really hard to raise money without other people vouching for you. And some of that is just the dynamic of how, I don't know, how people work. It's such a big difference if I go up to someone. I'm like, hey, I have a company, and I would like you to write me a check. And then they're a little on edge, like, who is this strange person? That's not a normal way to approach a VC. It's just not normal, and it's not how things are done in Silicon Valley. Versus, now Eamonn who is the managing director at Techstars London will tell VCs he thinks are a fit, they're like, there's this amazing company, and you have to meet them. They have a round, but it's going to close soon. It's going to close soon, so you have to talk to them fast. And then they come in and they meet me.
19:24 Michael Kennedy: They've had experience with you, too, the folks at Techstars. And they can say, actually, they're not crazy. I've been working with them for a couple months. It seems like they've got a solid plan. Rather than... The reason I brought up the marketing side of things is it's so much easier, I'm not going to say easy, but easier, much easier compared to 10 years, 15 years ago, to create software companies and to get them out to the world. But that means there are so many other... There's so much noise, and so many other people trying to vie for the same attention. I think it's, in some ways, it's harder to run a software business, but it's easier to create software. Which is interesting. I think any of these times that you can have just a little recommendation or something is really important.
20:12 Elissa Shevinsky: I think about that also because my CTO Brett Thomas previously built and sold Vindicia. And when he started Vindicia it was about 16 years ago. And that was a point in time when just everything was slower and there was less competition. But he had to build everything from scratch. And so he's coming on now and building all this stuff, and will chat with us on the Slack or a Zoom call. We'll be like, it's so cool. There's some new technology, whatever it is, that does this thing that he used to have to build from scratch. And so we're really thinking about that day to day because he's learning all these new things, and implementing them. It's really cool to see. And it reminds me of how the ecosystem has changed. But the hard part is it's really hard to stand out. I think it's very hard to build a successful business these days. And everyone thinks that they can, and lots of people try. And it's actually really hard and sad to build a business and fail. That was another reason I wanted to do the accelerator. The downside is they take a little equity. But the upside is we have customer introductions, and just all these people on our team now. The whole Techstars network, which is just this very powerful worldwide network that has the motto, "Give first." Which is very nice. And they seem to really mean it. It's warm and wonderful. And in fact, the co-CEO of Techstars came into our office this morning in Techstars London. Like, I met him. I was really fan-ish. For me, that's like a life changing thing to show up and you have all of these people backing you. Because entrepreneurship is just actually very lonely. We'll get together about once a week, all the CEOs in this batch. And some of them are not technical at all. And so you have, like, Banjo is this company and they send letters to children about this cat that's traveling the world. And so, it's not like everyone is also coding in Python or thinking about Python. There's this camaraderie where we're all thinking about the same entrepreneurship challenges. And that's been really nice.
22:19 Michael Kennedy: Yeah, it looks a little bit different than say, like, Y Combinator or something like that where, at least from the outside, I get the feeling that a lot of that is super tech focused. They're trying to create Airbnb, or Uber, or something to that effect.
22:33 Elissa Shevinsky: Yeah, I think YC has what they're looking for. In some ways, I got into this because of YC. I mean, I've been in startups since 1999. But I came to Silicon Valley and I met Paul Graham in 2011. And I waited in line as he talked to nine people before me. And he told all of them that they should not do whatever they were doing. I was like, oh. Then I got there and I was like, I'm going to do a Jewish dating site. And here's how I'm going to do it, and here's my plan. He was like, you should go do that. I was like, oh my goodness, Paul Graham said I should go do my startup. And then I went and I tried to do it. And I felt really motivated by that support. You know, I always have to be a little bit grateful to Paul Graham. But I also feel like, just, I'm not really aligned with a lot of YC stuff. They really want you to be in San Francisco. I think I'm really excited about this idea that you can be anywhere in the world. I think that speaks to some of what we talked about before. Being a software developer, some of that should be this freedom of all we need is a wifi connection and a Zoom link. And like, yeah, communication is hard and people are hard. But I think it's worth it to try to make that work.
23:47 Michael Kennedy: Yeah, I definitely appreciate the thinking about let people be where they want to be. I think a lot of opportunities to hire interesting people get lost because somebody in a small town doesn't get the opportunities to meet the people and make the connections. There's probably some opportunity to connect to people who are not right in the center of these tech hubs. Although London is a pretty good place to be as well. I love that town. It's got a lot of interesting tech going on there.
23:47 Elissa Shevinsky: It's nice for me. I'm on a new adventure. And I think you and I spoke earlier about being 40 and over, and still starting a company. I'm a good example of being older and still being an entrepreneur, but also still being on my adventures. I want to go to London. And I wanted to go to London for personal reasons. But it's also a really good decision for the company, and so the two things work together. There's a lot of reasons why. I mean, just, London is a huge business hub. And actually, Shoreditch is this really cool tech hub. It's been really interesting to be here.
23:47 Michael Kennedy: Yeah, for sure. I've definitely spent some time in that part of London. I know what you're talking about, it's great. I want to talk about this idea of being over 40 and starting a company. I also hear this around the context of just becoming a programmer at all. A lot of people feel like, you're over 40, you've missed your chance. For me, and it sounds like you pretty much as well, if you wanted to start a business, you should have done it in 1998. Right at the dotcom boom when we were in our 20s. That would have been great, probably. But I don't know that even that's necessarily a good idea. I think you get a lot of experience working in the industry. And then you have something meaningful to contribute other than just lots of energy and some ideas. If we look at what you're doing with Faster Than Light and Bug Catcher, you told me your story about how you started in QA. That was kind of your launch into this whole tech world, way back when. You've been doing it for so long, and now you're starting this company. And you've had all this experience. The first year you got into it and you started this company, how much experience do you really have? And I think there's actually a lot of opportunities for people who are 40 and older.
23:47 Elissa Shevinsky: Yeah, 100%. I have so much to say on that. The first thing is, we run a security company. And the whole premise is that we've seen a lot, we've done a lot, we know what we're doing, and we'll be around for a while. And you can trust us. There are certain types of businesses that are hard to start when you're 21. So you can take advantage and leverage whatever experiences you have. And then I see some younger entrepreneurs really struggle. So for example, they'll get maybe 10 different pieces of advice from advisors, or investors, or mentors. And they're like, oh, what should I do? It's like, I'm 40. I know what we should do. And if I don't know, I'll sit down with the team and we'll talk it out, and we'll figure it out. And there's this confidence and this easiness that can come with being older and having a sense of who you are and what your values are. That helps a lot in entrepreneurship. When you look at the businesses that have been really successful, a lot of them were started by older people. I think about my own life. I did get started early in tech startups and in companies. But I also did a lot of meandering. I was a journalist, and a yoga teacher. And then I went on this tremendous spiritual quest. I spent a year in the Jewish equivalent of a monastery, like a yeshiva for women in Jerusalem. I did all this stuff that helped me really grow as a person. And then, at 31, I did my first C corp startup, trying to get VC funding. And I came into that with the self-awareness and all these qualities and character traits that I didn't have at 21, and that also I don't think other people have if they just followed doing some consulting job or not really pushing their boundaries of who they are. I feel like the adventures and the challenges I had in my 20s, I brought them into my 30s and that's one reason why I came up so fast as an entrepreneur. Because I came to Silicon Valley in 2011, and two years later, three years later? Three years later, I was on the cover of The New York Times Sunday Business. That is fast.
23:47 Michael Kennedy: That is incredible, that's awesome.
23:47 Elissa Shevinsky: That's fast. How did that happen so fast? Because at 31 I had a good 10 years of really getting to know myself and really just figuring out how to show up, like really show up.
23:47 Michael Kennedy: It's really interesting, your story. I totally agree with it. Let me do some quick math. I guess I was around 42 when I started my business now. I don't look back and say, I wish I started earlier, for most of the time. I wish I had started earlier only in starting earlier in the trend of what I'm doing. If I had started 10 years earlier, it would be easier to create online video training because fewer people were doing it. But that's not me as my age. That's just opportunity timing.
23:47 Elissa Shevinsky: Well, and now is the right opportunity for something that 20 years from now will feel really mainstream. I think there's this challenge of just looking at the moment you're in and trying to make the most of that. That's hard. But I think as you get older, those things get easier.
23:47 Michael Kennedy: You have that perspective that you've been around for a while, you've seen the trends, you see how stuff plays out. You can make better bets on that. This portion of Talk Python To Me is brought to you by Linode. Are you looking for hosting that's fast, simple, and incredibly affordable? Well, look past that bookstore and check out Linode at talkpython.fm/linode. That's L-I-N-O-D-E. Plans start at just $5 a month for a dedicated server with a gig of RAM. They have 10 data centers across the globe, so no matter where you are or where your users are, there's a data center for you. Whether you want to run a Python web app, host a private Git server, or just a file server, you'll get native SSDs on all the machines a newly upgraded 200 gigabit network, 24/7 friendly support, even on holidays, and a seven-day money-back guarantee. Need a little help with your infrastructure? They even offer professional services to help you with architectures, migrations, and more. Do you want a dedicated server for free for the next four months? Just visit talkpython.fm/linode.
23:47 Michael Kennedy: I totally agree. Let's talk a little bit about your business that you're building, and this whole side of security, basically finding security problems in software.
23:47 Elissa Shevinsky: There are so many. It's not hard.
23:47 Michael Kennedy: I'm sure it's not. Let's start with just the overall idea and the name of what you're building.
23:47 Elissa Shevinsky: We are Faster Than Light. And that is our goal. Our goal is to be faster than light at static analysis and other security tools.
23:47 Michael Kennedy: Yeah, awesome. Primarily what you're doing is you're trying to democratize and speed up static analysis of code. So, I've got some software. And I've written it, I've put it on the internet. But who knows how long it's going to stay safe up there.
23:47 Elissa Shevinsky: That's a mistake. Don't do that. Undo it. Revert, un-pull.
23:47 Michael Kennedy: So I can run my software, whether it's Flask, or Django, or whatever, through your tool, the source code through your workflow, and it will tell me things that are potentially wrong with it. Like, for example, if I'm running Flask in debug mode, and then I just put it on the internet.
23:47 Elissa Shevinsky: Don't do that either.
23:47 Michael Kennedy: The Werkzeug debugger that you can just open up and see what's happening, and issue commands, all sorts of craziness, may just be on the internet for people to find. There's literally tools that go around and look for that kind of stuff, and have a catalog. Shodan and some of these tools will just, like, show me all of the sites that have this open and I can just talk to it. So you want to know about that.
23:47 Elissa Shevinsky: Yeah, I think we're seeing a lot of that. I think the Capital One hack that happened recently is a good example where they had something misconfigured and the hacker got in. This sort of thing is very, very common. It can happen to anyone. Part of my mission, what I'm trying to do here with the whole team at Faster Than Light is just make it easier, and faster, and simpler, for people to test and ship more secure code. And I like static analysis as a way to get into that because it's really accessible to anyone. It's something that an individual developer can do. On the one hand, it's something that big corporates do, and that's good, because it means we have a business model and know we can eventually stay in business. But for individual developers, I think that's where my heart is, because it's a way for you to level up as a developer and just ship higher quality code.
23:47 Michael Kennedy: There might be some kind of problem with the software that you've written. Maybe you don't have someone doing a code review, you wouldn't know anything about it. But if you put it through some sort of static analysis like this it will say, oh, did you know that you are sending commands to the shell and you're not sanitizing user input. You're like, wait, is that a thing I should worry about? I didn't even know I needed to worry about that. It can help you learn a lot about these things just by discovering a problem that you didn't even realize was a problem.
23:47 Elissa Shevinsky: That actually can be a way for someone to come into security for the first time. Scan your code, see what issues come up, and then learn about those issues and how to fix them. I would love to eventually create content, and stuff on our website, and videos, about how to fix these issues. Hopefully that will be coming down the pipe soon. But in the meantime, there's a lot of information available. And if there is a pretty serious security issue, you should fix it. The tools are helpful for that. We're building on top of open source tooling, which I'm actually really happy about. Because these existing open source tools are actually really, really good. It's just that they're a little bit of work to setup and to use. And for me, I'm kind of inpatient about doing that kind of configuration. And I think for people inside companies, you just have so much to do. You have too much to do in a day. So we built a tool that saves you the trouble of the configuration. And it's free. We have a free tier. At some point we'll put a paywall up, but we're always going to keep the free tier for developers. For us, we think that what's useful for developers is just making it super, super fast to test your code. What we've done in terms of interface is we have a command line tool coming next week. And we have right now a website interface where you just upload your code. We run Bandit against it, and then we give you a PDF with the results. And then we hope you'll go and you'll fix things. I guess you can message me or Brett.
23:47 Michael Kennedy: Yeah, yeah, for sure. The command line tool sounds really nice and pretty obvious. For the upload, do you zip a folder and upload the folder, or something like that? How does that work?
23:47 Elissa Shevinsky: You can just drop a folder in. We flatten the dependencies and we make it easy for you to just drop all the code in. Right now we can run tests against, give or take, 1,000 files. Which is, like, a lot.
23:47 Michael Kennedy: For Python code that's a lot, actually.
23:47 Elissa Shevinsky: It is a lot. That's part of what we want to do. I'm very inpatient. I was like, it should just all be instantaneous, and make it as easy as possible. I'm like, everyone should just test their code and not have to wait for the scans to run. And I think I'm a little bit unreasonable in what I'm hoping to do here. Some of that is, like, Brett has set the bar really high because there's a lot that he's capable of getting done. We are building this parallelization tech, which is exciting, and it's going to run the scans in parallel. I'm very excited about that. That will make things very, very, very fast. And that should be live in a few weeks. But in the meantime, the site works. You can go to bugcatcher.fasterthanlight.dev and upload your Python code, and test it. And if you have questions about the things that come up, like you don't know what the errors are, how to fix them, my DMs are open on Twitter and we can figure out what's the best way to get in touch. I want everyone, please, test your code. And if I can help you test your code, let me know.
23:47 Michael Kennedy: That's a great service that you're providing. People can go and setup the tooling. But to be able to just drop it in and get an answer and not have to think about learning how to setup something like Bandit or something like that, it's really nice. I'm sure there are a lot of folks who go, eh, we should probably test this for security, but I haven't done it, right. But if it's a matter of just dropping it in... One thing that comes to mind for me that sounds really interesting is some form of GitHub integration.
23:47 Elissa Shevinsky: Yeah, that's on the roadmap.
23:47 Michael Kennedy: Yeah, yeah. If I'm going to accept a PR it would be great to have capabilities in GitHub to plug it into continuous integration build pipelines, or flake8, or something like that. But just one more, like, oh, Faster Than Light gives it the green check, so from a security perspective nothing is super obviously broken.
23:47 Elissa Shevinsky: Yeah, I can see the usefulness of that. Because we run into a lot of issues just accepting pull requests, or accepting things that are upstream. And it's been actually really cool to see, like, you've got Sneak here in London is doing stuff for testing upstream, things in open source. There's a lot of awareness around that. But pull requests and, for sure, just your own code. How do they say, like, the danger is in the house? The biggest risk is the code that you're writing yourself. You're the biggest risk.
23:47 Michael Kennedy: The call is coming from inside the house, that's right.
23:47 Elissa Shevinsky: That's right, that's right. The bug is coming from inside your basement.
23:47 Michael Kennedy: Interesting. This is analyzing your code. Do you all do anything around dependencies? I write some code. It depends on package X. Package X depends on three more. Do you do anything around tracking or analyzing that kind of stuff? I mean, you probably don't download and analyze it. But do you have any warnings for issues that are downstream, or upstream, I guess, rather?
23:47 Michael Kennedy: Yeah, well, one of the problems with these kind of tools, I think, is sometimes it will tell you you shouldn't do something. But in this case, it's okay. I know actually actually what's happening means this value will never come from user input. It's only going to come from what we type in the CMS, for example, or whatever. And you're still going to get that warning that you're not escaping this in HTML code. You're like, that's because I don't want to. You know what I mean? And I see, if you would add that to all the dependencies you would just get a huge number of false positives as well, and it could just be overwhelming.
23:47 Elissa Shevinsky: You know, I talk to a lot of people who say that they would do static analysis, and they need it to be faster. Like, okay, good, we can do that. But they also just want to see the top 20 bugs, or they don't want to see the noise. So we're able to show you just the top bugs because we have this interface, and so it's pretty easy for us to give you settings where you choose that. In terms of saying you don't want to see certain errors anymore, Bandit and a lot of the open source tools already have pretty good features for that. And then, of course, we can do that too. And I think that's part of the challenge with static analysis. Right now, you always need a human to do the review. And part of what makes static analysis so frustrating is it's like a spell checker, and there's all these things where you're just like, none of these are relevant. But then there's the two things that it catches that you really need it to catch those things. And so it's still not optimal. But I think a lot about how do we reduce all that noise. We have an annotation feature, which we're pretty excited about. We don't talk about it much. It's not deep tech. It's just the ability to write notes. But if you are sharing your reports with other people it can be kind of neat. Just make a little note like, okay, it says that there's an API key there. It says that there's this problem. But actually, it's fine, it's safe, we're aware of it, and please don't not buy us, or please don't yell at us about this. Because that's one of the big problems. It looks like there's bug sometimes when everything is just fine because the code is written safely.
23:47 Michael Kennedy: That's another interesting thing. If you might be licensing your source code or your software, or you're actually be acquired, or something like this, a lot of times those situations will require that your code go through a whole bunch of different auditing and security checks. And so, it would be great if, as you built your software, you already mostly removed all those things and kept track of them.
23:47 Elissa Shevinsky: It would be good to not be surprised in those moments. And actually, acquisitions can be really difficult, and that's the type of thing where the acquisitions take a lot longer than people expect. I don't think a lot of your listeners are in this situation, but if you are, I guess, like, good for you.
23:47 Michael Kennedy: Yeah, these are good problems to have, for sure. I guess maybe another way to look at it is if you take finished software that's been around for a long time that's pretty big and complicated, and you throw it at static analysis, it can be kind of overwhelming. If you use it from the start, it's a couple issues here and there and you address them as they go. But if 10 people have been working for a couple years, whose job is it to go back and fix all those problems? That can be really overwhelming.
23:47 Elissa Shevinsky: Yeah, I was just talking about that with my friend Alex. He's CEO at Stepsize, and they deal with tech debt. Part of their thesis is you want to handle the tech debt a little bit at a time, so it's manageable. And he was saying static analysis is maybe the same thing. Just keep doing it regularly and then it doesn't become overwhelming. But yeah, I think if you were going to scan like a million lines of code... I'm talking to Tandusta right now and he has a million lines of code that he has to scan. That company is going to be sad. That's just a lot. We're security people, and part of the message from security people is, like, please do this all the time. I don't know how to not be annoying about that. I want to make it fun. And I guess wish me luck.
23:47 Michael Kennedy: Good luck, for sure. Well, I do think minimum friction is part of it. That's why I was thinking of in automatic integration with GitHub when you check in and stuff. Because then, you don't have to even ask anyone to do it. It just happens automatically. They get a little check mark, or warning, or whatever. And you can ignore it or not, but it's like, it's just happening right there all the time. I think that would actually help a lot.
23:47 Elissa Shevinsky: Yeah, I think that's right. That's on our roadmap for September. It's always nice when something that we think is important, someone like you also thinks is important. We've been thinking about it as, like, when you check in your code, you'll get that feedback. But I love the idea of integrating it so you can scan the pull requests as they come in. Because that's like, you don't want to bring in bad pull requests.
23:47 Michael Kennedy: Yeah, for sure. And then there's so many of the tools that happen automatically. If you had to go then check out the pull request and run it locally, then upload it somewhere... Just that integration, that friction that would be gone, would be great. Let's talk about some of the issues that you would find running it through your system. You already said this basically runs on top of Bandit for Python, and FindBugs for Java. Most importantly, your service is making this easy, giving you the reports to share it, making it fast, all those kinds of things. Understanding what you could find is pretty much, at the moment, looking at what say Bandit could find, right?
23:47 Elissa Shevinsky: Right. Although I think we're going to bring in other tools. And that's exciting. But Bandit is really comprehensive. And you look at what are the range of things you should be worried about in Python. And people say, oh, Python is a safe language, it's not like C. But actually, you know... Okay, fine, it's not like C, but you can still get a possible SQL injection vector through string-based query construction.
23:47 Michael Kennedy: Exactly. Little Bobby Tables would work in Python just as well.
23:47 Elissa Shevinsky: Our Flask app appears to be run with debug equals true and allows the execution of arbitrary code. There are a lot of these bugs, and if you don't run analyzer it's very easy to write bugs, actually.
23:47 Michael Kennedy: What I was thinking about when I talked about the junior developer not knowing they're doing something wrong when they are, probably the first thing that comes to mind is SQL injection where you're just constructing SQL strings out of static SQL strings plus variables where the values of the query filter bits go, and that's always really bad. So it would find that, of course. The Flask debug true, obviously bad. It's very easy to tell if app.run has debug equals true in it, so that should never be there. But then there's other stuff that's more subtle like autoescape, for example, in Jinja and Flask.
23:47 Elissa Shevinsky: I am going to let you talk for a minute while I go plug my laptop in. I'm at 4%.
23:47 Michael Kennedy: No worries, no worries. I didn't know that Jinja did not autoescape the inputs. The reason is because I usually work with Chameleon. I don't work with Jinja that much, as often, and I don't use it in that context. But it turns out that if I've got some structured HTML and I just convert it to a string in a double curly bracket, it will come back out as whatever I put in. Which is super bad if that is user input. If I'm in a forum and I type in curly bracket script, do this bad thing, then when that gets viewed by, rendered by Jinja, it's basically some form of injection attack. Which is not good. So checking for things like autoescape equals false. And it even shows you how to turn it on. I think these are all really interesting. Let's see. What else do we got there that's pretty interesting? There's stuff about sending commands to the shell. There's all sorts of things that I think are really worth flipping through that list and definitely running that against your code.
23:47 Elissa Shevinsky: Yeah, and one of the things that we do is just prioritize. The highest priority bugs show up at the top. I think Thana probably does that as well if you just run the tool and get the output. And so, you can just find... One of the things that static analysis is it can give you suggestions for formatting errors. Maybe you don't care about that so much. But you'll see the highest priority errors are security related. I'm actually really excited for junior developers to take those as a way to go and learn some security things. And for senior developers, we run our own code against our tool after we built it, and we found stuff, and we fixed it. And so, like bugs, it can happen to you.
23:47 Michael Kennedy: Yeah, that's pretty awesome. I love these sort of meta experiences where your tool analyzes your tool. Or your language writes your language, the compiler and runtime for your language. Or something like this. It's always fun to see that in the tech space.
23:47 Elissa Shevinsky: The first code that we ran was ours.
23:47 Michael Kennedy: Nice, that's really cool. Let's talk really quickly about the business model for what you're building here. I think some folks that are thinking about software business will probably find your thinking on that interesting. You said there's going to be a free tier for individual developers to do some level of analysis. But then also maybe something bigger for enterprises. Just give us your thoughts on how that comes together.
23:47 Elissa Shevinsky: Yeah, it feels really important to me. And not just me, I think there's a lot of conventional wisdom around this. That if you have a developer tool, you have to make it accessible to developers. And in our case it just makes a lot of sense to have at least, we have to figure out exactly what does it look like, but some kind of free tool so devs can use it, and play with it. Because we actually really want people to write and ship better code. Our parallelization tech is really expensive so we're not going to give that away. But you don't really need that if you're one developer uploading a reasonable number of files. You don't need to have it go in super speed. And there's this concept of, like, just build it and give it away for free. It's no business model and just lots of VC funding. And that just feels really, a little bit dishonest to me. If people figure out how to make that work, I think that's cool. Cockroach Labs just raised a bunch of money and they seem to be doing a really good job of balancing having started off as a free open source tool and then figuring out an enterprise model.
23:47 Michael Kennedy: Yeah, that's interesting. Just so people know, Cockroach Labs, they created a thing called CockroachDB. Which I haven't had a lot of experience with it. But it's supposed to be like a globally distributed redundant database server. That's about all I know about it. But yeah, they're definitely... I saw they just raised a big round as well.
23:47 Elissa Shevinsky: Yeah, and I think, they seem to be doing a really good job. And I've met with some folks from Cockroach Labs, and I like them a lot. But for us, for me, and Brett, and Ruben, we looked at who we were and who we wanted to be. And we were like, we just think there's something really honest and really sincere about just making software and charging for it.
23:47 Michael Kennedy: I think that is so undervalued because, so often, the get a bunch of money, get a bunch of users, and we're going to figure out how to make money from them, it sets up a lot of bad incentives to not put users first.
23:47 Elissa Shevinsky: Well, and it runs counter to security industry thinking. I think a lot of security people are very aware of being the product and not the user. You look at all these ad-driven businesses, it's like, okay, does Twitter think I'm the user, or do they think I'm something else? I don't know. You don't know, always. It's confusing. And so we wanted to have this simplicity where you pay us, and you know you're the user. And if it's a free tier, then it's like, we just want developers to love it, and say nice things, and give us feedback. And I think there's a certain honesty in that too. Where it's like, okay, not everyone has a ton of money, but you should still be able to try it. You shouldn't have to pay money just to try it. And we are really excited to give some things away for open source. We have to figure out what's the scope of that. But if you have an open source project, we really want you using the tool as much as you need for who you are, and we don't want to charge you for that. So we've talked about that a bit internally. And we want to charge enterprises a ton of money. And I feel just fine about that. Enterprises have a lot of money, and they are wasteful about it. And we just want to help them to be secure, and actually use services that work and are efficient. So, I like that model.
23:47 Michael Kennedy: Well, around the enterprises, I have a couple of thoughts. One, I feel like so many companies, I don't know what the percentage is, but it's got to be in the 99%+, they take so much benefit from open source. They build so incredibly much on open source. And they give back almost zero.
23:47 Elissa Shevinsky: That's such a problem.
23:47 Michael Kennedy: A bank that makes $100 billion a year, could they donate $1 million a year to open source? Sure they could. Do they? Maybe they employee a core developer, which is great. But they could do a lot more. And it would be in their interest to do so. And the other is, the consequence of failure at that level is really high. You mentioned Capital One. You could look at Equifax. If there are these security problems, it's really bad. So it's also worth it, their money. Yeah, exactly. It seems totally reasonable to me.
23:47 Elissa Shevinsky: Yeah, and I think what we'll want to figure out as a company is how do we give back to the open source tools that we build on top of. And while we're a three-person team, that's a little tricky. We had an intern who was going to come in and give back, and contribute and do pull requests to Bandit, and find bugs. And then the intern had to drop out. But that was one idea I had. I was like, okay, we'll bring in people, and their whole job will just be to give back to these tools that we're on top of.
23:47 Michael Kennedy: Yeah, that seems really good.
23:47 Elissa Shevinsky: Yeah, so we're really early in that. But I think, like, we're thinking about it, and we care about it. That's a good start. And as we find bugs, as we use these tools and we find issues in the documentation, or actual bugs, we can do pull requests. And also, now, larger enterprises, or even just smaller businesses, can use those open source tools a little more easily, and I feel pretty good about that. Actually, I love all the business model stuff. I'm actually really happy with our business model. I like the idea, like, we make stuff, and you buy it, we hope, and we appreciate it, and that helps us stay in business. And even if we do take funding, that funding is to grow. It's not confusing us about... Like, our business model isn't that VCs pay us.
23:47 Michael Kennedy: That's definitely a short term one. So, I think that's a really genuine model, and I think that's nice. Thanks for sharing that. We're about out of time, but I do want to give you a chance before we call it a show to just give a quick shout out to your book, Lean Out.
23:47 Elissa Shevinsky: Ah yeah, thank you.
23:47 Michael Kennedy: Yeah, you bet. The title is Lean Out: The Struggle for Gender Equity in Tech and Startup Culture. And you talked a little bit about that earlier. Do you want to just tell people quickly about your book?
23:47 Elissa Shevinsky: Lean Out is stories from over a dozen different people, women, genderqueer people in tech and startup culture, just sharing what it's like for them. One commonality that came out in these stories is that making things is easy, or at least relatively easy, and fitting in is hard. And that's a lesson and a moral that I think speaks to all kinds of people. And can be, I think, a bit of comfort for people as they navigate startup life, or corporate life, whatever it is. I think a lot of us have that in common. And if you're feeling that, if you're feeling like culturally it's a bit of a challenge, Lean Out can be a really warm read for you.
23:47 Michael Kennedy: Yeah, for sure. It's interesting that it's essays from a bunch of different folks sharing their stories. I'll definitely put a link. People can check it out if they're interested, in the show notes. Before I let you out of here, though, I've got to ask you the two questions I always ask.
23:47 Elissa Shevinsky: Please.
23:47 Michael Kennedy: If you're going to write some Python code, what editor do you use?
23:47 Elissa Shevinsky: Ah, that's a good question. I'm not writing any code right now. I'm going to disappoint everyone. I used to be a fan of Sublime. This is awhile ago. And then Visual Studio.
23:47 Michael Kennedy: All right, very cool. I feel like VS Code has definitely seemed to capture the Sublime crowd pretty heavily these days. Definitely cool.
23:47 Elissa Shevinsky: Oh, just on that, I think a lot about what IDE we'll integrate into first. Again, this is coming from, I'm so in the product mindset as opposed to the "I'm coding" mindset. And so I think it's probably Visual Studio, with the hope that Microsoft would give us some help there.
23:47 Michael Kennedy: That would be certainly cool. And it definitely ties back a little bit into the enterprise side of things. It's pretty popular with that crowd. Cool, cool. And then, do you have a notable PyPI package or Python library you want to give a shout out to?
23:47 Elissa Shevinsky: Oh, just we love Bandit. I love Bandit. Any shout out has to be to Bandit.
23:47 Michael Kennedy: Awesome. Very cool. All right, final call to action. People are interested in static code analysis, maybe even joining something like Techstars. What can you leave them with?
23:47 Elissa Shevinsky: Please try out Bug Catcher and let us know what you think. That would be great. That is bugcatcher.fasterthanlight.dev. And if you are interested in Techstars, I'd love to chat with you about it. Techstars London will be opening up soon. All kind of Techstars around the world. I would be happy to introduce you if it seems like it's a good fit.
23:47 Michael Kennedy: Super. All right, well, it's been really interesting to chat with you about what you're up to. Thanks for sharing your story.
23:47 Elissa Shevinsky: Yeah, thank you.
23:47 Michael Kennedy: You bet.
23:47 Elissa Shevinsky: Bye.
23:47 Michael Kennedy: Bye. This has been another episode of Talk Python To Me. Our guest on this episode was Elissa Shevinsky. And it's been brought to you by Command Line Heroes, and Linode. Command Line Heroes is a podcast telling the story of developers. This season is all about programming languages, and starts off with Python, of course. Subscribe at talkpython.fm/heroes. Linode is your go-to hosting for whatever you're building with Python. Get four months free at talkpython.fm/linode. That's L-I-N-O-D-E. Want to level up your Python? If you're just getting started, try my Python Jumpstart by Building 10 Apps course. Or if you're looking for something more advanced, check out our new Async course that digs into all the different types of async programming you can do in Python. And of course, if you're interested in more than one of these, be sure to check out our everything bundle. It's like a subscription that never expires. Be sure to subscribe to the show. Open your favorite podcatcher and search for Python. We should be right at the top. You can also find the iTunes feed at /itunes, the Google Play feed at /play, and the direct RSS feed at /rss on talkpython.fm. This is your host, Michael Kennedy. Thanks so much for listening. I really appreciate it. Now get out there and write some Python code.