A conversation with Toufiq Ali — Principal Cybersecurity Engineer at Emirates Group on developer focused security initiatives at the Group.

Toufiq delves into the need of integrating security into development pipelines, how security and software development teams created this partnership, and how ShiftLeft Inspect has helped them achieve their goals.

Toufiq Ali

Here is the conversation reproduced in an interview format.


Introduction

We have seen an ever-growing trend of both B2B and B2C companies becoming technology companies. Starbucks, JPMorgan and Goldman Sachs all describe themselves as technology companies that happen to be in the business of coffee and investments respectively. This requires businesses to invest in building, managing and running their own software. And for those companies that run a large customer-facing operation, it also requires running deep and highly agile cybersecurity defenses. In these scenarios, the mythical walls between security and engineering are beginning to crumble.

Emirates Group is one such company, comprising Emirates Airline, one of the largest airlines in the world, and dnata, one of the largest combined air services providers in the world. Underpinning both is a technology operation that rivals the best in the world. Their software engineering function sits within the IT support services department and delivers the underlying technology platforms required to power their operations. All of this also requires running a top-notch security operation to secure these digital assets.

Today, my guest is Toufiq Ali, Principal Cybersecurity Engineer at Emirates Group. Toufiq is responsible for the application security practice for the web and mobile streams that support various technology platforms at Emirates Group. Cybersecurity at Emirates Group clearly saw the need to bring down the mythical wall between security and engineering.

Alok — Hello Toufiq, welcome to the podcast. When did the Emirates Group Cybersecurity team start to realize that application security cannot continue to live outside of engineering?

Toufiq — Hi Alok, thanks for having me. The Emirates Group Cybersecurity practice has been around for a while. When I joined the practice, our team was tasked to look into our existing assurance processes and identify opportunities to optimize them. In doing so, we realized we could not outlive the demand for security testing for too long. Generally, most security testing is carried out towards the end of the development process. And we did not want to be at the tail end of the process and become blockers for all good things. And, honestly, we wanted to do more than just security-testing our code, such as privacy-by-design reviews, threat modeling, etc. It was then that we started the journey of transforming our security practices to integrate them into our software engineering practices.

Alok — How did engineering think about the security team’s proposal for integrating security in their workflow?

Toufiq — It was very positive, to be honest. We collected some key performance indicators over a period of time through various testing activities. For example: do we have more authentication issues, or more authorization issues, or other OWASP Top 10 issues, etc.? We then used this data to identify gaps that we could address either early on or during the software development lifecycle. And our engineering teams played a vital role in this process.

Alok — At Emirates Group, what kind of tools are at the core of integrating security into the developer workflow?

Toufiq — A question: a tool could be non-technical and technical, right?

Alok — Sure, what do you mean?

Podcast #ShiftLeft at Emirates Group — A conversation with Toufiq Ali