My name is Alina and I am part of the AppSec team here at The Workshop. In this post, I will share my AppSec experience and how it fits into the skillset of a modern software engineer.
All my professional life I have been an engineer. Over 16 years, I have worked in three companies, starting as a Java developer with a strong passion for implementing algorithms. Being promoted to Team Lead brought an opportunity to expand my expertise within areas such as work organisation, team effectiveness and closer collaboration with Product. Following the direction The Workshop has taken toward full-stack development, I have invested time in getting better at front-end coding, engineering-driven QA, and a little bit of DevOps.
Nine months ago, I decided to take on a new challenge, accepting the opportunity to join the Application Security team. Trying out not-so-clear and unusual activities is my nature, and this change meant exactly that. After the move, some colleagues were asking me what this new role was actually about. At the beginning I had no answer, but now after getting a taste of it, I am ready to reflect on this journey.
Getting started
Getting up to speed in the AppSec team was easy. In my previous team, we were technical owners of the Player domain for the platform. I was dealing with profile creation, authentication and session management, including solutions for protecting our systems from attacks. In this new team, I was involved in activities which were very familiar to me: evolving and enhancing security features.
The main difference from the past role was a greater inclusion in requirements collection and shaping the solution while still doing hands-on coding, which I love so much. Participating in the whole feature creation process, from early elaboration till adoption in production, was always exciting for me. The fact that TWS provides the opportunity for this type of full lifecycle involvement is really great.
I also started to learn “the theory” of Application Security, exploring this large and far-from-trivial world. To those who want a quick dive into modern web application security, I suggest looking at the OWASP Top Ten; however, be warned that this is only the tip of the iceberg.
Digging deeper
As time went on, I started to have more AppSec-specific tasks in my daily work. These are some of the activities we do within our team:
- Security Assessments
- Consultancy
- Threat Modelling
- Continuous Learning
- Research and Prototyping
- Building Solutions
- Monitoring and Incident Response
Challenges
After joining AppSec, new challenges appeared in my life.
Consultancy-style behaviour
I am a person of action who loves building things. I was always biased against jumping into full consultancy mode. Once a senior engineer and especially a lead, you get used to the fact that your focus switches from doing the work yourself to helping people. I see the ability to contribute to tasks going on around me as a very rewarding activity. The tricky part became the subject matter expertise. The amount of security knowledge accumulated in my brain was still quite limited. Consulting about things I don’t know in depth – that sounds like a cool challenge! The required skill is the ability to learn and analyse quickly. Saying “I don’t know, but I will research it and come back with the answer” is totally acceptable in our culture at The Workshop.
Seeking a compromise
It turns out that security usually comes at the cost of affecting other aspects of the product, such as UX, performance and code complexity/maintainability. Assessing the risk and negotiating the best option with Product, Architects and Engineers requires certain expertise and a lot of practice.
Embedding security into development lifecycle
In my view, the greatest challenge at the moment in the industry is finding ways of naturally embedding security into engineering processes. Security is not a matter to be analysed post factum by some third-party consultant at the end of a project.
Finding pragmatic ways to raise general awareness of security practices and achieving the intended results by having these applied by engineering teams – especially in busy environments – can be very challenging.
AppSec in engineering practice
Achieving this goal starts with individual changes. AppSec eventually becomes just another set of skills in an already broad toolbox for full-stack engineers (which may induce brain explosion for many people, but makes sense).
That said, the starting point for developing a security-aware mindset as an engineer can be straightforward if the following principles are followed:
- Critical mindset: What can go wrong? How could the system be broken?
- Attention to detail: Being careful when coding and especially during code reviews.
- Broad knowledge of architecture: Aim to understand all architectural layers.
- Deep product understanding: Taking care of product evolution and UX is essential to good security practices.
Stay tuned: in the next posts I will be sharing more on AppSec from an engineer’s perspective.