We need to create a bridge between engineers and security experts
Interview with Anastasiia Voitova - DevExperience 2019
The matter of security when building an online product has always been important, yet somehow it has constantly been treated as an afterthought. And the same goes for data protection and privacy.
However, in the last couple of years I’ve seen a paradigm shift in the tech world towards building and using applications that provide a higher level of security. On the one hand, consumers have acknowledged the importance of protecting their data by browsing safely and using products that can be trusted. On the other hand, we have the companies that have finally understood that engineers need time and knowledge to build a secure product customers would want to use. Furthermore, the introduction of the General Data Protection Regulation has definitely opened some eyes and made people aware that security and privacy are important.
DevExperience organizers have picked up on the trend and this year’s edition has included an amazing security track. The international speakers have addressed a series of key aspects related to building secure applications and, during a compelling panel discussion, have shared with the audience some of the things they do to make sure they protect their privacy and online data.
Present at the event, Press on Security has seized the opportunity and had the pleasure of interviewing some of the speakers, to learn more about their thoughts on the conference, app security and data protection.
Anastasiia is a full-stack security engineer. She maintains open source cryptographic tools, engineers security software, consults companies about data protection, and tutors developers in building more secure applications.
Anastasiia’s session at DevExperience 2019 was titled “Protecting sensitive data in modern multi-component systems”.
In 2018, during her talk “Don’t waste time on learning cryptography: better use it properly”, she explained why cryptography is the “lesser of two evils” because it doesn’t leave your data open to intruders.
PressOnSecurity: Anastasiia, this is your second time at DevExperience. What do you think of the conference?
Anastasiia V: Indeed, this is my second time at DevExperience and in the city. And I like them both. I like the fact that DevExperience is a real international conference, with a lot of international speakers. And I am especially happy that this year they’ve included a security track. I have really enjoyed all of the sessions from the security track.
PressOnSecurity: The track was centered around the idea of building secure apps. What would you say are the top three aspects we need to have in mind in order to build a product that has security and data protection by default and by design?
Anastasiia V: I think the most important thing is to minimize sensitive data. Make sure data is encrypted and also limit access to such data. We see a lot of breaches because people leaked data in logs or in other ways.
Another key action is to have a proper authentication mechanism. Also, monitoring is really important. Monitor ACLs (Access Control Lists), dependencies and make sure you always use up-to-date tools, libraries, etc.
Last but not least is education. In my opinion, building secure products will not be possible if the people that need to build them do not keep themselves up-to-date with industry standards, security updates or best practices. I think engineers should attend conferences on security and read articles on this. Furthermore, I think we need to make sure we close the existing gap between engineers and security professionals and have them working together for better results.
PressOnSecurity: What’s your take on GDPR? I’ve noticed certain security experts have mixed feelings about the regulation.
Anastasiia V: I think GDPR is a good thing because, before anything else, it’s a regulation for human rights. Of course, there are a lot of companies that struggle now and for which GDPR is a total mess. But I see it as a ‘push’. Organizations are effectively being pushed to finally do something with their security. This leads to discussions about security, new technologies, new roles, security-related ones being added, and this is a very good thing. Engineers are also educated to acknowledge the importance of security and they will be able to build better software. In the end, this will help create a more security-oriented mindset.
PressOnSecurity: What advice would you give to someone who is trying to build a career as a security expert or someone that is just passionate about the topic and wants to learn more?
Anastasiia V: Twitter is a great source to get your updates. I read a lot of news on Twitter, I follow security-related professionals that use technologies from different stacks. I like to know and understand vulnerabilities from all the areas so I can create the bigger picture. So, get on Twitter and make sure to create your own list with people you want to follow based on your needs.
Additionally, if you have the possibility, attend conferences that invite security experts. In case you cannot go, try to find the videos or get access to the presentations. Conferences are a great way to get insights into the industry and catch up on the latest updates. Sometimes, you learn in half an hour something that would otherwise take you 3 books and a couple of months.
Reading OWASP (Open Web Application Security Project) can also help a lot. The website contains a lot of information and includes the answers to a lot of the questions we are confronted with when it comes to app security. For those who have a technical background, there are a lot of interesting exercises and the possibility to actually experiment with techniques and build protection, so it is worth trying out.
Thank you, Anastasiia, for your valuable input and for taking the time to discuss with Press on Security. Hope to see you again at DevExperience 2020!
Stay tuned for the next interview with Christian Wenz, author, consultant and trainer focusing on web technologies and web application security.