What I Am Doing At Silverskin
At the time of writing this post I have worked as Head of Continuous Services for over two years. Before starting my current job working with offensive information security at Silverskin, I worked as a software developer and software product manager at Deltagon.
At Deltagon we offered continuous services around software for mission-critical and confidential communication. The skills learned at Deltagon have been very useful and valuable. At Silverskin we have actively designed a continuous security testing solution that has already been live for almost three years. Testing in this case means that professional hackers try to find vulnerabilities in the targeted software.
On a concrete level our main mission is to – with our client’s permission – simulate an attack on our client’s software. We use the same techniques as criminals and other malicious actors. Based on the attack we report the issues we find and provide remediation recommendations. In the past Silverskin offered the attacking service only as a project delivery, but now it is also available as a continuous service. An integral part of my job is to make sure that our service perfectly matches the needs of Silverskin’s customers.
My previous work at Deltagon, producing scalable and reliable solutions and services for mission-critical use cases, challenged me to learn and study a lot. I truly learned what it takes to develop a secure web application. Now I also work as an information security consultant whenever I have time left between my main tasks. All the skills learned at Deltagon are now in full use when I help Silverskin’s clients as an information security consultant.
Lessons Learned So Far
From a security perspective, business-critical software requires continuous effort. This is something I already learned at Deltagon, but my time at Silverskin has definitely deepened my understanding of it. There will never be a time when there are no more vulnerabilities in software (just as there will never be a time without bugs). On the contrary – the more code and complexity we develop, the more vulnerabilities we will get.
The famous “I have nothing to hide” attitude still exists, but the future looks brighter. More and more people and organizations are taking information security more seriously these days! Still, there is a lot left to do in the world to ensure a secure digital environment for society.
Even though security is being taken more seriously today, it still surprises me to see the extremely basic vulnerabilities we continue to find in applications! On the other hand, there are digital assets that have been protected extremely well, and consequently those assets are often ignored by attackers.
What Surprised Me The Most?
My background is in applications that have been developed without compromises from a security perspective and with a highly mature software development lifecycle. I was really surprised at how rare these kinds of high security standards are in software development. Consequently, I have noticed that with my background I have a lot to give as an information security consultant.
Another thing that has surprised me is the variety of security specializations required in the increasingly large digital world. It is a totally different game to be able to push an organization through the ISO 27001 process than it is to, for example, test whether an application is protected against typical cyber attacks.
Last but not least, I have an example that still continues to surprise me every time I think about it. A hacker who until recently had been working as a plumber was able to completely compromise the main revenue-generating asset of a multinational, publicly listed company. All in a few days’ time! How is that possible? The case is from real life, but some facts that could reveal confidential information have been changed.