Talks Tech #46: Decoding AppSec: Chronicles of a Security Seeker
Ashwini Siddhi, Threat Modeling Service Owner for Dell Technologies, shares her talk, "Decoding AppSec: Chronicles of a Security Seeker.” She shares her journey from her school aged dream of joining Infosys, to learning she did not want to code for a lifetime, to her current role and all of the steps in between.
This is about my journey in general and what led me to be the Threat Modeling Service Owner at Dell Technologies. It's been a long journey. It's not been easy. I started my journey in the IT industry. I thought it was the natural thing to do. I come from Bangalore and Infosys and Wipro was a big deal. It was my childhood dream that I wanted to get into Infosys. I had absolutely no idea what happens in a development team, software company, what is a services company or a product company. I did my Mphasis Training in software. It was for about six months. It was a long-term training because I'm an electronics engineer. I was posted to a business unit, which was mostly dealing with telecommunication protocols. It was amazing because I was an electronics student. I had studied networks and communications, so it aligned with what I had studied and I could relate to it, and I was very happy to be there.
I didn't know what I was doing. I was just happy to start doing something. I thought, "Okay, let me be a developer and start writing code." Honestly, after a month or so, I was like, “Okay, I can't do this.” I realized it's not something that I can do for the rest of my life. It was not like you were designing a product all by yourself and writing the code. Somebody had already written lines of code in C or at the max C++ and all you had to do is add to it. It was certainly not exciting for me and I was bored. I spoke to my manager and said, “I can't do this." She was kind to me and she said, "Okay, let's put you on the testing team." This was on the same team because she was not ready to let go of me to a different team. I joined the testing team and I was happy to break stuff.
It was about being creative and trying to break things. I enjoyed it for some time but again, it was not something that I really could envision doing for years. Something where I would innovate etcetera. While I was in SDLC wanderer learning how to code, understanding how the development team works and also writing test cases, I was also actively looking for options as to what I could do. While I was looking up the net, I found that OWASP Top 10 was released for the first time in 2003. That sounded exciting but this was around 2006, '7 already so not many people were talking about it. There was an article on Rediff.com that too because there was a cross-site scripting that was reported. I'm not sure where and which product it was reported but it was something new that not many people were talking about. I was talking to one of my friends over lunch and said, “I wish Mphasis did something like this. It would be really good to be part of this team.” One thing led to another thing and I realized there was a team that did something like this. It was a really small team of 10 people and all of them were guys.
I went and spoke to the manager, I said that I really want to be part of your team. He said, "Yeah, somebody who's coming with an SDLC background, who understands what a development team does is of great value. So if you can clear the interview rounds, then you're sure to be on the team." That's where my learner mode got activated. I was a self-learned security person. I started reading up on OWASP Top 10 first and then installed web code and tried to replicate what was spoken about in OWASP Top 10. Reading and understanding OWASP Top 10 is one thing but actually to replicate it and ensure that you are getting results is another. We didn't have many apps like the variable apps that you have all over the net these days. You had to work with the minimal resources. I cleared my interview and I'm really grateful for that opportunity in Mphasis. I was put on the team for application security.
The 10 guys that had been there had been there for a long time. They had a special bond already. I was an outsider who didn’t seem to fit into the role of a security person or understand how to break into something. I was mostly kept out of all of these social events and interactions, etcetera. The best work went to them and anything that was left over came to me. Not just application security, it could also be network security. I didn't give a damn because I was learning. I was happy. I started doing pen testing, then source code analysis reviews. I had started doing VAPT Nessus and all of that. I was exploring different areas. There were times when I went to these data centers for network security to install gateways, to install firewalls, into huge machines. I installed antiviruses, malware solutions, and data loss prevention solutions. I've had hands-on experience in network security also. One fine day, fortunately, the RBI, Reserve Bank of India, came out with guidelines for all banking systems, saying that existing ways of working will not do for core banking systems. That is the software that bankers use, not what we use as end users. The software that the bankers use have to go through certain processes, have to be securely designed and developed. That's when the first concept of two factor authentication for core banking was spoken about in India.
I was to lead this multi-factor authentication for the core banking system. That started my security architecture journey. Until then, at least for core banking systems and the systems that we worked with, there was no security architect per se. That was a trailblazer thing for me, and that really kick-started my journey in security. That is what led me to where I am currently. I spent seven or eight years just trying to reach where I am. Each thing, each process phase that I went through, somehow added to my current journey. It gave me skills that could add to where I am. I kept an open mind and went with dreams, enforcing the fact that positivity really matters. I've spent at least about a year or so with our development team, which made me understand how a development team works. I was building forms for the UI, writing lines of code and writing test cases. When I define a process now, as a threat modeling service owner, I know how it is going to be taken in a development team. I know the challenges that they face.
I was first looking, then I was learning, and then I gave an interview, and then again, I was still learning, at a much deeper level. It is like a multi-year roadmap. You need to have that vision. I know so many people who've given up because they didn't have this vision. That phase really gave me the ability to plan long-term, not just for myself but anything that I work with, processes and solutions. I learned all of this myself, I had no mentor. I am able to train people better in a very different language. This was an advantage, and the reason I was picked as a Threat Modeling service owner when I joined Dell. There are folks who come from MIT, who have master's degrees in cybersecurity, who come from IITs. All my peers have master's. I'm the only one who does not. I've spent a considerable amount of time in the service industry trying to understand the practical aspects of things that I sold. My ability to train people in development friendly language was what gave me the edge over everybody else, over academic considerations. The ability to not just understand, but translate it to the community for a better purpose, gives you an edge as a leader, as an industry person in security or any area.
When I joined the security team, when I picked up anything and everything including Firewalls and Gateways, it gave me a breadth of experience. I could say that I'm not just an AppSec person, but I also am a network security person. I understand infrastructure, the network components, offers, solutions, etcetera. That is the reason I am not just involved in Threat Modeling, but also in Supply Chain, Zero Trust Architecture and Privacy by Design. You need to identify which area you resonate with. Anything that gives you enthusiasm to wake up every day and constantly have those ideas in your head, follow that. Identify some area like that and spend all of your time with it.