Query #248
@@ -1,15 +1,15 @@
**The Metro Bank Example**
### The Metro Bank Example

Metro Bank is a new bank that has opened in the UK, and it is built from scratch, all very sort of new age nicer facilities, nice environment etcetera. The analogy I would like to give sometimes on the security assessments that we do when you are doing application security is imagine that you want to know or the guys who are investing or regulators or somebody wants to know how secure Metro Bank is. And it is legit for them to ask that question.
Metro Bank is a new high street bank that opened in the UK in 2010. Its buildings are brand new, with facilities designed to create an attractive environment for customers. The analogy I would like to make in relation to security assessments in AppSec is this: Imagine that you, or investors, or regulators, want to know how secure Metro Bank is. This is a perfectly legitimate question to ask.

What we do is basically we let them build the whole building with everything on it and then hire some local detectives from around the neighborhood to say, "hey can you test security of that thing?"
In AppSec, we let them build the whole building with everything in it and then we hire some 'local detectives' to test the security of 'the building'.

And in a way a lot of times the best that they can do is go, "oh look, your security guards are okay, when I went in there they kept an eye, I wasn't able to pass. I was not able to trick the tellers", and all sorts of stuff.
Frequently, the best that they can say is, "Oh look, your security guards are okay, when I went in there they kept an eye on me, I wasn't able to pass. I wasn't able to trick the tellers", and so on.

So, you get a first pass at the security but does that mean that for example that thing has a vote? Does that mean that you know security of the money that goes into the bank is actually any good? And of course, we don't know because that isn't how we expect those things to occur.
So, you have passed the first security test, but does this mean that you know the security of the money that goes into the bank is actually any good? Of course you don't know, because that isn't how you expect those things to occur.

What you expect is somebody to have access to the plans, to the information, to all the understanding of their security and then you review that and then you make a good assessment.
What you expect is for someone to have access to the plans, and to have a full understanding of the security, which you can then review, and assess where security can be improved.

So, it is the same thing as if you have an effective and professional criminal,they will look a lot more like oceans eleven on the movie. Basically they will plan it, they will find all the information in a way you get a sense that they will know more about the system than the guys who designed it themselves which is always why they always find those blind spots.
It is the same thing when effective, professional criminals plan an attack on a physical, or a virtual, security system. They will resemble the criminals in the movie Ocean's Eleven. They will find so much information that you get a sense that they know more about the system than the guys who designed it themselves. This is how they always find the blind spots in a security system.

So, ultimately when you do a security assessment on applications, if you don't give the person doing it the full source code, access to developers, threat models, all that is available, all your risks, all your current understanding, then you are selling yourself short, you are asking the wrong question and don't be disappointed if you get a bad answer.
So, when you do a security assessment on applications, give the person doing the assessment all the necessary information: the full source code, access to developers, threat models, all your risks, all your current understanding. If you don't give them this information, you are selling yourself short. You are asking the wrong question, so don't be disappointed if you get the wrong answer.
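Review bot: the rewritten sentence "So, you have passed the first security test, but does this mean that you know the security of the money that goes into the bank is actually any good?" keeps a leftover "that you know" from the transcript and no longer reads cleanly; suggest "does this mean the security of the money that goes into the bank is actually any good?", and likewise "Of course you don't know, because that isn't how you expect those things to occur" should say what is not known, e.g. "Of course you don't know, because that is not how you would expect to find out." Two smaller points in the same hunk: the Ocean's Eleven paragraph drops the original's "they will plan it" step, so the rewrite jumps from "plan an attack" straight to finding information and loses the planning point the analogy is making, and the final sentence changes the original's "bad answer" to "wrong answer", which shifts the meaning from a low-quality assessment to an incorrect one; keep "bad answer" unless the change is intended.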