Wilford Pagac

1597604400

Podcast #ShiftLeft at Emirates Group — A conversation with Toufiq Ali

A conversation with Toufiq Ali — Principal Cybersecurity Engineer at Emirates Group on developer focused security initiatives at the Group.

Toufiq delves into the need of integrating security into development pipelines, how security and software development teams created this partnership, and how ShiftLeft Inspect has helped them achieve their goals.

Toufiq Ali

Here is the conversation reproduced in an interview format.


Introduction

We have seen an ever-growing trend of both B2B and B2C companies becoming technology companies. Starbucks, JPMorgan and Goldman Sachs all call themselves technology companies that happen to be in the business of coffee and investments respectively. This requires businesses to invest in building, managing and running their own software. And for those companies that run a huge customer-oriented operation, it requires running deep and highly agile cybersecurity defenses. In these scenarios, the mythical walls between security and engineering are beginning to crumble.

Emirates Group is one such company, comprising Emirates Airlines, one of the largest airlines in the world, and dnata, one of the largest combined air services providers in the world. Underpinning this is a technology operation that rivals the best in the world. The software engineering function sits within their IT support services department and delivers the underlying technology platforms required to power their operations. All of this also requires running a top-notch security operation to secure these digital assets.

Today, my guest is Toufiq Ali, Principal Cybersecurity Engineer at Emirates Group. Toufiq is responsible for the application security practice for the web and mobile streams that support various technology platforms at Emirates Group. Cybersecurity at Emirates Group clearly saw the need to bring down the mythical wall between security and engineering.

Alok — Hello Toufiq, welcome to the podcast. When did the Emirates Group Cybersecurity team start to realize that application security cannot continue to live outside of engineering?

Toufiq — Hi Alok, thanks for having me. The Emirates Group Cybersecurity practice has been around for a while. When I joined the practice, our team was tasked to look into our existing assurance processes and identify opportunities to optimize them. In doing so, we realized we could not outlive the demand for security testing for too long. Generally, most security testing is carried out towards the end of the development process. And we did not want to be at the tail end of the process and become blockers for all good things. And, honestly, we wanted to do more than just security testing our code, such as privacy by design reviews, threat modeling, etc. It was then that we started the journey of transforming our security practices to integrate them into our software engineering practices.

Alok — How did engineering think about the security team’s proposal for integrating security in their workflow?

Toufiq — It was very positive, to be honest. We collected some key performance indicators over a period of time through various testing activities. For example: do we have more authentication issues, or more authorization issues, or other OWASP Top 10 issues, etc. We then used this data to identify gaps that we could address either early on or during the software development lifecycle. And our engineering teams played a vital role in this process.

Alok — At Emirates Group, what kind of tools are at the core of integrating security into the developer workflow?

Toufiq — A question: a tool could be non-technical and technical, right?

Alok — Sure, what do you mean?

#shiftleft #devsecops #application-security #emirates #podcast


Obie Rowe

1598835480

Next Level Ops Podcast: Modern Web Development Tools with Brian

Hello Pleskians! This week we’re back with the tenth and final episode of the Official Plesk Podcast: Next Level Ops. We’re already at the close of the season and we’d like to thank every single one of our guests and listeners, as well as our host, for being a part of Next Level Ops! In this installment, Superhost Joe chats with Brian Richards, Creator of WPSessions, about essential web development tools for modern web developers.

In This Episode: jQuery Turns 14, Brian’s Toolkit for Web Development, and Leveling Up

What coding tools are there for the everyday web developer? With a great amount of web development tools out there, how do you decide which ones to have in your toolbox? How can you level up your skills and find new tools to use? All of this and more in this episode of Next Level Ops.

“Knowing which tools to look for is the entire battle. So, where do you find the tools that help make your job easier? How do you know that they actually work as advertised? Why should you trust them? When can you trust them?” – Brian Richards, Creator of WPsessions

Use Code Linting

First of all, you can start with some concepts to get familiar with. For example, code linting helps you find errors in your code while you’re writing it. It shows you where you’ve inserted a character that breaks your code, according to the rules of the language you’re coding in.

Configure Your Code Editor

Second, Brian recommends that you find a code editor that you love. Moreover, you can configure the code editor of your choice to be more productive for you by changing short codes and adding code completion and formatting. A few changes like this customize your code editor to be the best choice for you. Keep in mind that instead of looking for the next shiny product, you should use the tools that work for you and stick to them. Keep reading for recommended code editors and local development tools below.

Follow Coding Standards

Additionally, for coding it’s important to adopt some kind of coding standard and make sure that you follow it. Following standards should help you avoid running into bugs. Learn about local development environments that help you build projects for the web while offline. There are many tools specialized for the platform and languages you want to work with.

Love the Command Line

And last but not least, become familiar with and begin to love the command line. So, read on to find the key takeaways of recommended tools and strategies from Brian to orient your web development. This list is a must-have for web developers, so bookmark this page!

#podcast #product and technology #coding #next level ops podcast #plesk podcast #podcast #web development

Hollie Ratke

1597705200

Next Level Ops Podcast: Working with Self-hosting Email with Christian Mollekopf

What should you consider when choosing an email hosting provider? What are some of the options users have when searching for good email providers, especially if you also want to look at enterprise options? Is it good enough to opt for what your web host offers or to use a service like GSuite? What are some of the things you should think about when going the self-hosting route? In this episode, Joe and Christian discuss how to address options and issues surrounding email hosting.

“I think usually it [email] is something that you are going to use for quite a long time. It’s like a very central part of your infrastructure typically. So, I think it’s definitely worth considering a couple of options,” says Christian. When choosing the right hosting provider, it’s worth considering things like which features you require, whether it’s simply email or also calendars and tasks, whether you need shared folders and calendars, and which type of client you want. Another factor to consider is vendor lock-in: in case you want to transfer to another hosting provider, how easy will it be for you to migrate your data to another system?

If vendor lock-in is a concern for you, then the question arises whether you can self-host your email. What happens when you do that? Some common issues to watch out for: make sure that other servers can distinguish between genuine email coming from your server and spam coming from other servers pretending to be your server; ensure that your server itself doesn’t send spam; and manage the reputation of your domain. To read some of the best practices of self-hosting email, go here.

Key Takeaways

In This Episode: Choosing An Email Hosting Provider, Reputation Management and Taking Back Control

  • What should someone consider when choosing an email hosting provider? Your email is probably going to be a central part of your infrastructure and you’ll use it for a long time, so start out by keeping this in mind. The second thing is to consider the features you need, such as a calendar, for example. Do consider your email’s interoperability and vendor lock-in: you should be able to migrate away if you want to.
  • What are the benefits of self-hosting over using a service like Gmail? One word: control. If you self-host, you maintain control over your solution and your email.
  • As a hosting provider, what are some of the pitfalls of hosting email? The biggest pitfall is reputation management. Other services that receive email have to fight a lot of spam, so they track the reputation of sending domains and IP addresses.
  • What features in Plesk help with email hosting? SPF, DKIM and DMARC are built in, along with UI controls for important measures like rate and message size limits, and the Plesk Email Security extension with anti-spam. Find out more about the features here.

…Alright Pleskians, it’s time to hit the play button if you want to hear the rest. If you’re interested in hearing more from Next Level Ops, check out the rest of our podcasts. We’ll be back soon with our last installment.

#podcast #product and technology #email #hosting #next level ops podcast #plesk email security #plesk podcast #podcast #self-hosting email #spam

Next Level Ops Podcast: Francisco on Plesk's Partner Program

Hello Pleskians! We’re back with another episode of the Official Plesk Podcast: Next Level Ops. This week, Superhost Joe sits down with Francisco Pereira Carvalho, the Head of Sales at Plesk. As the Pleskian Wizard for Partner Experience, Francisco gives us the details about Plesk’s Partner Program.

#partners #podcast #plesk partners #plesk podcast #podcast #web hosting

Houston Sipes

1597636800

Podcast-Ep-7 #Shifting Left at Roblox — A conversation with Julie Tsai

This article was initially published here.

A conversation with Julie Tsai on her initiative of #ShiftLeft at Roblox. Julie is the Head of Information Security at Roblox — a wildly successful online gaming company.

Julie talks about the practice of Shifting Left in cybersecurity, centrality of empowering developers through code analysis, interactions between red/blue teams and as a bonus — security leaders she admires and could be role models to increase diversity in cybersecurity.

Julie Tsai


This podcast has been reproduced below in an interview format.

**Alok** — Hello, Julie, how do you practice this entire concept of moving security to the left, or as it is popularly called, ShiftLeft?

**Julie** — Well, it comes back to the idea that security can only be done in its most efficient and most pure form when you’re doing it at the root. So it comes back to the understanding that it has to get into the hearts and minds of all of your practitioners at the company in terms of engineers, as well as other people in their day to day actions.

And inserting that mindset into how do I incorporate a secure way of thinking at every step in the process, from product inception to design and architecture to when do we actually discover that there are vulnerabilities in code and then being able to fix it quickly.

**Alok** — So what are your KPIs to judge the success of this process of moving security to the left?

**Julie** — I would look at two important metrics. And these things usually tend to be work in progress for every company but, you know, depending on the level of visibility and telemetry you have, I would look at the overall number of security issues that you’re having, whether they’re active incidents or potential vulnerabilities.

And then secondly, I would look at the level of vulnerability coverage that you have. There’s a concept of, you know, when programs are first bootstrapping in the innocence, you know, groups that are sort of blissfully ignorant of what is underneath the covers. But as you get deeper in terms of your understanding of your stack, and your entire operations, you might see something in an increase in issues and remediations because now you have more knowledge. As you start coming around that curve, improving your practices, moving the thinking and the culture into a more embedded place, you should see an improvement in the overall number of issues, as well as an increasing understanding of security status of the company.

**Alok** — Okay, so now, in terms of shifting left of security, static analysis of code is coming across as a prominent choice of tool for empowering developers. Why do you think that is the case?

**Julie** — I think that there’s two major components to it.

One is the obvious aspect of coverage: you can’t really know or manage things that you’re not aware of. You may unintentionally create good outcomes or bad outcomes. But unless you know, it’s not intentional.

I think the second piece to it is the control. If the developers have the capability to know as they’re programming, they have more capability of internalizing that knowledge as well as correcting it up front. So I think that’s a major reason that static analysis and source code analysis matters.

#podcast #application-security #static-code-analysis #roblox #shiftleft