Over Two Years As One Of Silverskin’s Hackers

December 20, 2021

What I Am Doing At Silverskin

At the time of writing this post I have worked as Head of Continuous Services for over two years. Before starting my current job, working with offensive information security at Silverskin, I worked as a software developer and software product manager at Deltagon.

At Deltagon we offered continuous services for mission-critical and confidential-communication software services. The skills learned at Deltagon have been very useful and valuable. At Silverskin we have actively designed a continuous security testing solution that has been live for almost three years already. Testing in this case means that professional hackers try to find vulnerabilities in the targeted software.

On a concrete level, our main mission is to simulate an attack on our client’s software, with the client’s permission. We use the same techniques as criminals and other malicious actors. Based on the attack, we report the issues we find and provide remediation recommendations. In the past Silverskin offered the attacking service only as a project delivery, but now it is also available as a continuous service. An integral part of my job is to make sure that our service perfectly matches Silverskin’s customers’ needs.

My previous work at Deltagon, producing scalable and reliable solutions and services for mission-critical use cases, challenged me to learn and study a lot. I truly learned what it takes to develop a secure web application. Now I also work as an information security consultant whenever I have time left between my main tasks. All the skills learned at Deltagon are now in full use when I help Silverskin’s clients as an information security consultant.

Lessons Learned So Far

From a security perspective business critical software requires continuous effort. This is something I learned already at Deltagon, but my time at Silverskin has definitely deepened my understanding of this. There will never be a time when there are no more vulnerabilities in software (just like there will never be a time without bugs). On the contrary – the more code and complexity we develop, the more vulnerabilities we will get.

The famous “I have nothing to hide” attitude still exists, but the future looks brighter. More and more people and organizations are taking information security more seriously these days! Still, there is a lot left to do in the world to ensure a secure digital environment for society.

Even though security is being taken more seriously today, it still surprises me to see the extremely basic vulnerabilities we continue to find in applications! On the other hand, there are digital assets that have been protected extremely well, and consequently those assets are often ignored by attackers.

What Surprised Me The Most?

My background is in applications that have been developed without compromises from a security perspective and with a highly mature software development lifecycle. I was really surprised how rare these kinds of high security standards are in software development. Consequently, I have noticed that with my background I have a lot to give as an information security consultant.

Another thing that has surprised me is the variety of security specialisations required in the increasingly large digital world. It is a totally different game to be able to push an organisation through the ISO 27001 process than it is to, for example, test whether an application is protected against typical cyber attacks.

Last but not least, I have an example that still continues to surprise me every time I think about it. A hacker who up until recently had been working as a plumber was able to completely compromise the main revenue-generating asset of a multinational, publicly listed company. All in a few days’ time! How is it possible? The case is from real life, but some facts that could reveal confidential information have been changed.

From Software Engineer to Product Manager – Learning New Skills in the Cyber Security Industry

January 19, 2019

I joined Deltagon Group almost four years ago. For the first two years I worked 100 percent of my time as a Software Engineer. Then my position started to drift towards the business side and I got promoted to Product Manager for all of Deltagon’s products. As of today, I have worked as a Product Manager for one year. In this post I will summarise what has happened in that year and analyse how it feels and what it takes to be a Product Manager in the cyber security industry.

What is Deltagon Group?

From deltagon.com: “Deltagon develops information security solutions for electronic communications and electronic services across a wide range of industries from the financial sector to public administration – and everything in between.” Deltagon’s story started 20 years ago and the first launched product, Sec@GW for email encryption, is still alive. Sec@GW’s lifecycle phase is still in the growth position. Deltagon’s email encryption solution is definitely a market leader in Finland. It is also used in other Nordic countries. For example, the justice administration in Sweden has used Sec@GW for several years to send court decisions to all stakeholders. Main customer segments for the product are: the public sector, finance and insurance, healthcare, the legal industry and security operators. In addition to email encryption Deltagon has three other products. Here’s a list of all four of Deltagon’s products:

What Product Manager Position Covers on a High Level

  • Own, lead and maintain product management process
  • Ensure company’s continuous customer value delivery
  • Active management and development of competitive product portfolio
  • Lead product idea creation, prioritization and decision making
  • Product roadmap creation and communication
  • Product lifecycle management and communication
  • Maintain competitive intelligence of relevant markets, players and products
  • Product knowledge transfer internally, for partners and customers

Switching to a New Position Was a Shock

To be honest, switching from an almost purely technical position to a business-minded position was a shock at first. Quite fast the new challenges forced my mind from a state of shock to actually realising that there was a lot of interesting work to do. Even though the products were amazing, there was a lot of long overdue work to be done. In other words, I dived right into the tasks ahead. Without help I couldn’t have succeeded as well as I did. The most important help came from product management heavyweight Pekka Usva. Deltagon hired him as a consultant to give me the advice I needed to succeed in product management. Pekka has a 20-year history in different product management related positions at F-Secure. His last position at F-Secure was Vice President for different departments. In the beginning, Pekka coached me full-time and later he offered consultation as needed. He drastically improved my knowledge of the software development business and helped me develop my skills to perform successfully as a Product Manager. Quite soon I faced the public part of my new position. Previously I was typically sitting in a corner of the office coding like a maniac. Sometimes I met customers with Sales Managers, but it did not happen every week. As a Product Manager I had to constantly meet different stakeholders. One of the first investments was getting new formal shirts for the role.

Travelling to Conferences and Seeing Customers, Public Speaking and Interviews

I realised that after switching position I often found myself at the airport. The glamour of flying slowly diminished. Now I know how it feels to work and travel at the same time. I had to travel to Sweden and Norway to meet customers and partners. Typically, I took the first plane in the morning, travelled for a couple of hours before the first meeting and then continued with a couple of meetings. It does not require high math skills to realise that workdays were over 14 hours long. Many conferences and events in Finland became familiar. I also attended the ASIS conference in Rotterdam and Critical Communications World 2018 in Berlin. I attended the Berlin conference as a speaker. During 2018 I was interviewed for an article that was published in the Nordic Businesses & Innovations appendix of Norwegian’s in-flight magazine. The magazine could be read on all of Norwegian’s aeroplanes. Inspired by the article I wrote two blog posts for Deltagon’s official blog. The first post covered the same topic as the Norwegian article: “Do you want to gain cost savings with security?”. The second post continued the topic and I wrote about the culture of signing agreements: “We continue to rely on signatures from the Stone Age”.

Product Vision and Refreshing the Strategy

Deltagon’s vision and strategy define that the company produces solutions for confidential communications and digital services. This is implemented in the form of the four different products mentioned earlier. The product ideas were great and all products had many good features and customers already. Still, we realised that both the product vision and the strategy were lacking. Some products (especially others than Sec@GW) did not have clearly documented business goals or value propositions. We started by re-creating each product vision from scratch. After the visions were re-created we started defining the product strategy. We used Roman Pichler’s Product Vision Board as a template for product strategy work. We chose the extended vision board, which contains all the basic aspects that have to be crystallised to succeed with product strategy. The vision and strategy re-creation process was far from unnecessary. In the end we found a couple of bottlenecks regarding our products and portfolio and we chose a new path.

Improvements Regarding the Product Development Process

Lucky for me, Deltagon was already using Jira for maintaining the product development process. Also the decision to use Kanban instead of Scrum was already made. The Kanban method fitted our business model. On a high level the process was fine and workflows existed. What I did realise was that the workflows required some fine-tuning. For example, prioritisation of the tickets in Jira was lacking. Also the Kanban board did not contain any work-in-progress limits as it should. Basically the developers could have as many tasks in progress as they wanted. We made a decision that all tickets have to have a priority and that the maximum number of tickets in the “In Progress” status is two per developer. Sometimes the different statuses weren’t used properly. We agreed together that it is very important to switch the ticket status to “In Progress” when development starts, and so on.

Product Portfolio Roadmap Creation

Deltagon was missing a portfolio roadmap. Of course some plans existed, but the official portfolio roadmap was missing. I published a roadmap which showed the plans for the next 18 months for Deltagon’s products. Rather than doing a feature-based roadmap I decided to go with a goal-based roadmap. For example, for 2019 we set these four goals:
  1. Overall Automation and Integration Possibilities Improved
  2. Multi-tenancy Improvements
  3. Fast Deployment
  4. Added Value for Cloud Services

Maintaining the Product Backlog

Maintaining the backlog required a lot of effort. Bringing new ideas from the customers into a backlog might sound like an easy task. Reality hit hard and keeping the backlog updated was a big task. Luckily, the development team’s lead contributed a lot and together we could keep the backlog in shape. Our goal was to have the tickets in better shape than before. We decided that all the tickets should contain at least the following:
  • Background info for the change request (what is wrong/missing and why this is relevant)
  • Implementation guidelines (tips for developers)
  • Priority

Sales Support and Partner Meetings

During the past year, supporting the Sales team in their process has been an important part of my work. Deltagon’s sales team consists of very skilled sales professionals. However, naturally they didn’t have deeper knowledge about the technical capabilities of the products. This is where my background came in handy. Together with the sales team we also realised that sometimes a value proposition is easier to make in pairs. Because of these two reasons I joined some of the sales meetings with our sales managers or sales director. We worked as a team to help the customers understand the value of our solutions. Deltagon has many high-value end customers who are handled by partners. In many cases the partners’ solution catalogue contained a wide range of different solutions. Deltagon’s solutions completed the catalogue by adding a solution for confidential communication and business-critical information storage. I helped our partners to develop their business with Deltagon’s solutions. The moments spent with partners were the most valuable for me and I really enjoyed working in co-operation with such important players.

Battle Cards

During the sales meetings and the moments spent with partners I noticed that we were facing the same questions over and over again related to the features of our products compared to others. Many times finding the right words for the value proposition was also a pain. Mr. Pekka Usva suggested that we should create battle cards to help with those kinds of situations. Together with our marketing team and Pekka I created Deltagon’s first battle cards to help with the value proposition.

Documentation Improvements

Several times Pekka said that helping the partners do their work should be a top priority. On the other hand, he said that if partners have the capabilities to maintain the solution by themselves, they will do it if it brings profit and value. Further, he added that if the facilities are not in place, you will have to do all the work by yourself and it lowers the value of the partner. After seeing the partners and developing the business with them I realised we had a bottleneck regarding our documentation. This bottleneck was actually a missing facility. Partners could not maintain the systems well enough because the documentation was lacking. I had to tell them the same things over and over again, and sometimes the amount of information was so overwhelming that they forgot most of it. We did have many documents containing useful information. However, it was quite hard to get a decent overall view of everything as all of the information was in separate documents. I decided to put a stop to the separate documents. I implemented a documentation portal with MkDocs and introduced a new way to maintain documentation. Instead of writing Microsoft Word documents and saving them as PDFs, we started composing Markdown documents and publishing them in a fancy web portal. The next goal is to complete the implementation and launch the portal for partners.

Product Launch in ALSO Cloud Marketplace

One of the first tasks I got as a Product Manager was to help the sales and marketing team to launch our Sec@GW product in the ALSO Cloud Marketplace. At first the task felt easy, but it turned out that it required a lot of effort from all of Deltagon’s key players. Together with one of our Sales Managers I gathered the material and led the decision-making process to make the product launch possible.

Conclusion

Since I was a developer at Deltagon for over two years, I have deep knowledge of the capabilities of all of Deltagon’s products. Moving to the position of Product Manager after that was a great success. It glued together all the pieces of my expertise. As a Software Engineer I had a couple of projects that I was handling as a manager. But as a Product Manager I actually had to take on more of a Project Manager role in many different types of projects. I’ve learned a lot about what it takes to launch, execute and successfully complete a project. Sometimes I miss the work as a developer. However, being a Product Manager has definitely helped me grow as a professional. It has given me a much better understanding of the business side of software development in the cyber security industry. I believe I now have much more complete skills for successfully maintaining or creating software in the future, no matter what professional position I might have.

Speaker at Critical Communications World 2018 in Berlin – Criteria for Mission-Critical Applications

January 5, 2019


Critical Communications World 2018 was held in Berlin. The event gathered cyber and physical security experts together and offered several stages for different speakers, including many of the world’s top critical communications professionals. My current employer Deltagon Group participated in the event in co-operation with the Finnish security cluster Critical Communications Finland.

I was truly honoured to be one of the panelists discussing a very interesting topic: “Criteria for Mission-Critical Applications”. The panel was hosted by Airbus Marketing Director Tapio Makinen. The other panelists were: Jyrki Rantonen – Insta Defsec Oy, Jani Lehtinen – Secapp of Magister Solutions, Esa Suutari – Sunit and Marko Saukkola – Jolla.

During the discussions Tapio asked what kind of products the panelists’ organisations were developing and where the vision for the product came from in the first place. He was very curious about what the criteria for mission-critical applications were and what the most important things customers were demanding were.

Quite soon the discussion led to the topic of what the best practices to handle research and development of mission-critical applications were.

At the end of the panel a couple of audience questions were asked. One interesting question was “How can customers ensure that proprietary (or closed-source) software does not contain backdoors, or that the overall security is at a high level?”. The question was something I have been thinking about a lot, so I was eager to answer it and had an extensive answer ready. A separate blog post could be dedicated to this altogether, but in a nutshell here are the most important points:

  • First of all, to fulfil the criteria for mission-critical applications, the internal development process and infrastructure have to be solid and well documented (not to forget skilled developers).
  • The internal quality assurance process has to have many steps, and code changes must be approved by different, isolated departments/stakeholders.
  • Third-party audits must be in place and regularly organised (of course the third party must be well known and trusted).
  • If the application is used by the public sector, it is highly recommended that the National Security Authority does regular checks as well.
  • Finally, customers can do black-box security testing by themselves or hire security experts to do it.

Developing the Travel Blog – traveljael.com

January 1, 2019
A couple of months ago I got an inquiry for a freelance project to develop a travel blog for my existing client Jael. Last year I developed a personal portfolio, jaelmaxine.com, for her. Now she wanted to build a new site which would focus on travel blogging. The site would be launched as traveljael.com. Together we decided that the site should be based on WordPress. Key features/requirements for the site were:
  • Fancy and modern layout which gives the reader a feeling of wanting to travel
  • Mobile usability priority 1
  • Smooth and flexible connection with traveljael’s Instagram
  • Super easy content management features

API design and development

September 30, 2018


As a developer at Deltagon I designed and developed a couple of different REST APIs. All those cases were slightly different but shared one thing: I had to gather information about the problem we were actually trying to solve. I did it by asking different stakeholders the question “What is our problem, or what kind of pains do you have?”. I acted as project manager in the problem-definition part. I planned, organised and led design sessions with our top-of-the-line partners and clients. The real work started after the actual problem was defined. I also designed the technical part and started coding the APIs. With the SCIM API I also had to ask for help from other developers, and we worked as a team when implementing the API.

List of the REST APIs which I have designed and developed that are now in production use:

  • SCIM (RFC 7644) API to manage provisioning via API for one of Deltagon’s products
  • External API that lets you fetch some basic data about products
  • Billing API which makes it possible to monitor billing-related information from all of Deltagon’s customers

The APIs were built with Perl and MariaDB.
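The SCIM API named above is the kind of provisioning interface an identity provider uses to create accounts and, just as importantly, to disable them when a person leaves. Because the page does not show any of Deltagon’s Perl code, here is an added, self-contained illustration (not the product’s own code, and in Python rather than Perl so it can be run anywhere) of the three protocol pieces a SCIM server has to get right: validating an incoming User resource against the RFC 7643 schema URN and required `userName`, parsing a subset of the RFC 7644 filter grammar so a lookup like `userName eq "bjensen"` is matched rather than string-concatenated into a query, and applying a PATCH `replace` on `active` for deprovisioning. The store, the sample resources and the helper names are all constructed for this example.

```python
"""Minimal SCIM 2.0 /Users provisioning core (RFC 7643 schema, RFC 7644 protocol).

Added illustration, not Deltagon's code: an in-memory store that creates
users with schema checks, evaluates a subset of the RFC 7644 filter grammar
(attr op "value" clauses joined with 'and'; values containing ' and ' are
not supported by this subset) and applies PATCH 'replace' on 'active',
which is how an identity provider deprovisions an account.
"""
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# One filter clause: attribute, operator, optional quoted value ('pr' takes none).
_CLAUSE_RE = re.compile(
    r'^(?P<attr>[A-Za-z]\w*)\s+(?P<op>eq|ne|co|sw|ew|pr)(?:\s+"(?P<val>[^"]*)")?$')


class ScimError(Exception):
    """Carries what an RFC 7644 error response needs: HTTP status plus scimType."""
    def __init__(self, status, scim_type, detail):
        super().__init__(detail)
        self.status, self.scim_type, self.detail = status, scim_type, detail


def _as_bool(value):
    """Clients should send JSON booleans; some send the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ScimError(400, "invalidValue", f"expected boolean, got {value!r}")


def parse_filter(expr):
    """Parse e.g. 'userName eq "bjensen" and active eq "true"' into clauses."""
    clauses = []
    for part in re.split(r"\s+and\s+", expr.strip()):
        m = _CLAUSE_RE.match(part)
        if not m:
            raise ScimError(400, "invalidFilter", f"cannot parse clause {part!r}")
        if m["op"] != "pr" and m["val"] is None:
            raise ScimError(400, "invalidFilter", f"{m['op']} requires a value")
        clauses.append((m["attr"], m["op"], m["val"]))
    return clauses


def _clause_matches(resource, attr, op, val):
    actual = resource.get(attr)
    if op == "pr":
        return actual is not None
    if actual is None:
        return False
    a, v = str(actual).lower(), val.lower()  # userName is caseExact=false in RFC 7643
    return {"eq": a == v, "ne": a != v, "co": v in a,
            "sw": a.startswith(v), "ew": a.endswith(v)}[op]


class UserStore:
    def __init__(self):
        self._users = {}

    def create(self, body):
        """POST /Users: validate the resource before it becomes an account."""
        if USER_SCHEMA not in body.get("schemas", []):
            raise ScimError(400, "invalidValue", "missing core User schema URN")
        user_name = body.get("userName")
        if not isinstance(user_name, str) or not user_name.strip():
            raise ScimError(400, "invalidValue", "userName is required")
        if any(u["userName"].lower() == user_name.lower() for u in self._users.values()):
            raise ScimError(409, "uniqueness", "userName already exists")
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()),
                "userName": user_name, "active": _as_bool(body.get("active", True)),
                "meta": {"resourceType": "User"}}
        self._users[user["id"]] = user
        return user

    def search(self, filter_expr):
        """GET /Users?filter=...: a resource matches only if every clause holds."""
        clauses = parse_filter(filter_expr)
        return [u for u in self._users.values()
                if all(_clause_matches(u, *c) for c in clauses)]

    def patch(self, user_id, body):
        """PATCH /Users/{id}: only 'replace' on 'active' is accepted here."""
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ScimError(400, "invalidValue", "missing PatchOp schema URN")
        user = self._users.get(user_id)
        if user is None:
            raise ScimError(404, "noTarget", "no such user")
        for operation in body.get("Operations", []):
            if str(operation.get("op", "")).lower() != "replace":
                raise ScimError(400, "invalidValue", f"unsupported op {operation.get('op')!r}")
            if operation.get("path") != "active":
                raise ScimError(400, "invalidPath", f"unsupported path {operation.get('path')!r}")
            user["active"] = _as_bool(operation.get("value"))
        return user
```

The filter is parsed into typed clauses and evaluated in code; a server that instead pasted the raw `filter` query parameter into SQL would hand the identity provider (or anyone holding its token) an injection point, which is why the value grammar above refuses anything outside a quoted string. Rejecting unknown PATCH operations and paths with a 400 rather than ignoring them keeps a mis-sent deprovisioning request from silently leaving an account active.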

Personal portfolio website jaelmaxine.com

October 27, 2017

The client wanted a beautiful and elegant portfolio-style website for personal marketing purposes. In the beginning of the project we researched existing WordPress themes and chose the one which was close enough to the desired result. The client wanted to be part of the development process and she drew the basic layout of the site on paper. My job was to implement that layout with WordPress.

Finally, when the layout was ready, the customer provided the content and I added it to the site. We worked closely together during the whole process. The result is great thanks to seamless cooperation.

My main responsibilities as a developer were:

  • Handle hosting subscription for the website
  • Install and configure WordPress
  • Implement the website with WordPress according to the client’s wishes
  • Edit images to fit the website style
  • Add content provided by the client to the website

Developing digital signature platform secSigned

September 14, 2017

Two years ago I started working as a full-time Software Engineer at the Finnish cyber security company Deltagon. After a couple of months our CEO pointed out that we should develop solutions for digital signatures. I was very excited about the task and we started working on it immediately. I was lucky to have just started working at Deltagon when the company decided that a new product should be made.

Today is 14.9.2017 and I am very proud of what we have made. We released the digital signature solution called secSigned on 29.9.2017. I was one of the key developers during the whole process from start to this point. I was also honoured to be the one who introduced the solution to our key partners/customers.

secSigned makes it possible to easily get signatures for any type of document. It is possible to sign documents by hand using a touchscreen or with strong electronic authentication, for example with bank identifiers. The solution offers three different interfaces for starting the process: email API, responsive web interface and XML API. After the process has been started, signers get email invitations to sign the documents. The signing happens via a TLS-capable web browser in a responsive user interface, which makes it easy to use with any type of device.

My main responsibilities as a developer were:

  • design and code the frontend and backend for the web interface
  • build statistics for admins
  • design and code various small features

If you would like to read more about secSigned, please read these posts from Deltagon’s blog:
https://www.deltagon.com/blog/deltagon-launches-new-product-digital-signature-for-quick-electronic-services
https://www.deltagon.com/blog/quick-and-easy-esignature-with-deltagon-secsigned-solution

pxs.fi e-commerce site

March 29, 2017

I was asked to make a clean and modern e-commerce site. The main goal was to keep things simple and let the products stand out. I was responsible for the technical implementation and design of the site.

The site stands for:

  • Clean modern design
  • WordPress + WooCommerce
  • Klarna
  • Custom design based on existing theme
  • 100% responsive

xcx.fi corporation site

November 22, 2016

AD-Productions Oy decided to move forward and established the new XCX-Productions Oy. I was assigned to help with the company’s re-branding and especially to take care of the new website.

The new site stands for:

  • Simple modern corporation site
  • WordPress
  • Custom design based on existing theme
  • Single page
  • 100% responsive


Hullutyyli.fi e-commerce site

September 29, 2016

In this project I was responsible for the technical implementation.

The site stands for “Simple but stylish”. Hullutyyli is a clothing brand selling high-quality urban clothes.

  • Simple but stylish e-commerce site
  • WordPress + WooCommerce
  • Klarna
  • Custom design based on existing theme
  • 100% responsive

Vastuu.fi association website

September 29, 2016

In this project I was responsible for the technical implementation.

The Finnish association vastuu.fi wanted to bring their website into the 2010s. The main purpose was to make information readily available.

  • Clean and simple
  • WordPress
  • Contact form
  • Blogging
  • Custom design based on existing theme
  • 100% responsive

Espressoservices.fi

September 29, 2016

In this project I was responsible for the technical implementation.

Espresso Services (ESE) is an importer, reseller and technical service supplier of high-quality espresso-related products. The site stands for a modern and clean style.

  • Clean and simple
  • WordPress
  • Custom theme
  • 100% responsive

Faktoi.fi e-commerce site

September 29, 2016

In this project I was responsible for the technical implementation.

The site was built with the customer’s wish for a “super simple and clean e-commerce site” in mind. The site is part of the Finnish record company Tasoi Records. The company is headed by the well-known Finnish rapper Mikael Gabriel.

  • Super simple and clean e-commerce site
  • WordPress + WooCommerce
  • Klarna & PayPal integration
  • Custom design based on existing theme
  • 100% responsive