We need to create a bridge between engineers and security experts
Interview with Anastasiia Voitova – DevExperience 2019
The matter of security when building an online product has always been important, yet somehow it has constantly been treated as an afterthought. And the same goes for data protection and privacy.
However, in the last couple of years I’ve seen a paradigm shift in the tech world towards building and using applications that provide a higher level of security. On the one hand, consumers have acknowledged the importance of protecting their data by browsing safely and using products that can be trusted. On the other hand, we have the companies that have finally understood that engineers need time and knowledge to build a secure product customers would want to use. Furthermore, the introduction of the General Data Protection Regulation has definitely opened some eyes and made people aware that security and privacy are important.
DevExperience organizers have picked up on the trend and this year’s edition has included an amazing security track. The international speakers have addressed a series of key aspects related to building secure applications and, during a compelling panel discussion, have shared with the audience some of the things they do to make sure they protect their privacy and online data.
Present at the event, Press on Security has seized the opportunity and had the pleasure of interviewing some of the speakers, to learn more about their thoughts on the conference, app security and data protection.
Anastasiia is a full-stack security engineer. She maintains open source cryptographic tools, engineers security software, consults companies about data protection, and tutors developers in building more secure applications.
Anastasiia’s session at DevExperience 2019 was titled “Protecting sensitive data in modern multi-component systems”.
In 2018, during her talk “Don’t waste time on learning cryptography: better use it properly”, she explained why cryptography is the “lesser of two evils” because it doesn’t leave your data open to intruders.
PressOnSecurity: Anastasiia, this is your second time at DevExperience. What do you think of the conference?
Anastasiia V: Indeed, this is my second time at DevExperience and in the city. And I like them both. I like the fact that DevExperience is a real international conference, with a lot of international speakers. And I am especially happy that this year they’ve included a security track. I have really enjoyed all of the sessions from the security track.
PressOnSecurity: The track was centered around the idea of building secure apps. What would you say are the top three aspects we need to have in mind in order to build a product that has security and data protection by default and by design?
Anastasiia V: I think the most important thing is to minimize sensitive data. Make sure data is encrypted and also limit access to such data. We see a lot of breaches because people leaked data in logs or in other ways.
Another key action is to have a proper authentication mechanism. Also, monitoring is really important. Monitor ACLs (Access Control Lists), dependencies and make sure you always use up-to-date tools, libraries, etc.
Last but not least is education. In my opinion, building secure products will not be possible if the people that need to build them do not keep themselves up-to-date with industry standards, security updates or best practices. I think engineers should attend conferences on security and read articles on this. Furthermore, I think we need to make sure we close the existing gap between engineers and security professionals and have them working together for better results.
PressOnSecurity: What’s your take on GDPR? I’ve noticed certain security experts have mixed feelings about the regulation.
Anastasiia V: I think GDPR is a good thing because, before anything else, it’s a regulation for human rights. Of course, there are a lot of companies that struggle now and for which GDPR is a total mess. But I see it as a ‘push’. Organizations are effectively being pushed to finally do something with their security. This leads to discussions about security, new technologies and new roles, security-related ones, being added, and this is a very good thing. Engineers are also educated to acknowledge the importance of security and they will be able to build better software. In the end, this will help create a more security-oriented mindset.
PressOnSecurity: What advice would you give to someone who is trying to build a career as a security expert or someone that is just passionate about the topic and wants to learn more?
Anastasiia V: Twitter is a great source to get your updates. I read a lot of news on Twitter, I follow security-related professionals that use technologies from different stacks. I like to know and understand vulnerabilities from all the areas so I can create the bigger picture. So, get on Twitter and make sure to create your own list with people you want to follow based on your needs.
Additionally, if you have the possibility, attend conferences that invite security experts. In case you cannot go, try to find the videos or get access to the presentations. Conferences are a great way to get insights into the industry and catch up on the latest updates. Sometimes, you learn in half an hour something that would otherwise take you 3 books and a couple of months.
Reading OWASP (Open Web Application Security Project) can also help a lot. The website contains a lot of information and includes the answers to a lot of the questions we are confronted with when it comes to app security. For those who have a technical background, there are a lot of interesting exercises and the possibility to actually experiment with techniques and build protection, so it is worth trying out.
Thank you, Anastasiia, for your valuable input and for taking the time to discuss with Press on Security. Hope to see you again at DevExperience 2020!
Stay tuned for the next interview with Christian Wenz, author, consultant and trainer focusing on web technologies and web application security.