1 Year @Appsecco

Working at a modern security company

Wow! What an exciting year it has been! Today (May 16th, 2017), I celebrate my first anniversary of joining Appsecco. While working here I have had the opportunity to conduct real world security research and solve interesting problems with simple innovative solutions. The amount of learning so far has been indescribable, and each day I get to work with an incredibly knowledgeable group of people. After my first 30 days, here’s what the rest of the year has been like.

What I do at Appsecco

My title says Automation Ninja, but we are not bound by titles. I end up doing everything from planning team outings to building and managing company infrastructure and operations securely.

I have had the opportunity to manage cloud infrastructure and the security of organisations, which has taught me how to do real-world DevSecOps. When a tech team wants to deploy their code and integrate new features seamlessly, I try to find the best solution to help them using technology like containers, pipelines, etc. When the Offensive Security team needs vulnerable environments to practice new exploits, I keep my playbooks and containers ready to provide them with environments that can be up and running in seconds. My job entails keeping the organization infrastructure up and running and supporting the team with operations and deployments.

Apart from this, I also do internal research. Before I joined Appsecco, I knew about a lot of tools and techniques, and at Appsecco I got an opportunity to apply that knowledge and implement them in many useful ways. My focus has shifted from learning to use more tools to “how do I solve a problem?”. This came about when I started focusing on automating secure infrastructure management using Ansible, Docker and many other tools. I have also learnt the value of documentation and have been using Markdown, which helps me and my team a lot!

While doing all this, I’ve goofed up many times. Appsecco has an interesting goof-up policy; goof-ups are encouraged, as if we don’t make mistakes we aren’t at the edge of our knowledge. It has turned out that most times I’ve goofed up I have skipped the middle portions of an article about a tool or a set of instructions, and ended up reading only the beginning and end, because I get excited by the concept or tool and want to try it out as soon as I can. This, predictably, ends up with me failing and missing something obvious. Then I go to Akash, who points me back to the README.md file! :D

What I did at Appsecco this year

I wanted to list down some of my achievements while working at Appsecco.

  • Trained, spoke at and attended these dream conferences around the world, which included:
     1. Defcon 24, Las Vegas
     2. All Day DevOps
     3. DevOps Days India
     4. DevSecCon London and Singapore
     5. null community Bachhav & Puliya sessions
     6. Guest speaker, local meetups and many more

What I am looking forward to

This list is ever-growing, both in my personal and professional life. I am a never-ending learner and would love to keep learning new things. Working with a great team, and especially Gwilym, Akash, Riyaz, Abhisek and Bharath, it never gets boring. They keep giving me new information and resources which I hungrily consume.

  • Moving towards more automation with less ops work in terms of managing the infrastructure, using solutions like Kubernetes and CI/CD with built-in security. This allows me to do more R&D while managing the infrastructure as well.
  • Learning and building in-house automated solutions for the internal organisation, which helps teams get more productive.
  • Training, speaking at and attending more conferences & events to learn and share my research.
  • Improving the automated defence system for security monitoring which can be used to protect against security attacks.
  • Doing more research on DevOps tools for using them securely, and contributing back any security vulnerabilities.
  • Contributing to open source projects and working with communities.
  • Building process and measurement for the work I’m doing, so that I can measure and improve the quality. Also thinking in terms of automation possibilities.

Overall, I want to become a Solutions Expert, where I help solve problems using simple, innovative and pragmatic approaches. I also want to contribute & work towards DevSecOps (everyone is responsible for security).

Is it work when it doesn’t feel like work?

It’s always exciting and challenging to work at Appsecco, as we mostly focus on innovative security research. While working with new technologies, we also understand how to work with different clients and applications when testing.

The most important part is that as it is a small and select group of people, each and every team member brings their respective areas of expertise and passion. This means that we all collaborate and there is a lot to learn.

In an organisation with a liberal holiday policy, I took only 1 personal day (despite tons of encouragement to take more days off). I think it’s enough to say how engaging it has been at Appsecco.

--

Leader, Advisor, Author, Speaker & Trainer | #Security #CloudNative, #Kubernetes, #DevSecOps, #DevOps | Tweets @madhuakula | Never ending learner!