AppForce1: news and info for iOS app developers

Anastasiia Voitova, Vixentael, security software engineer at Cossack Labs.

February 24, 2021 Jeroen Leenarts

Anastasiia and I had an awesome chat about her work as head of customer solutions and security software engineer at Cossack Labs. The conversation we had really reflects the personality of Anastasiia. She is always very open and willing to share her deep knowledge on security-related topics.

Cossack Labs, Anastasiia's place of work.
Anastasiia on Twitter. Most often she uses the handle VixenTael online.

Anastasiia at Do iOS in 2015.
Anastasiia's list of talks on GitHub.


Jeroen Leenarts:

Hi, welcome to another special episode, with Anastasiia Voitova. She is somebody that I know from a couple of years back, she was a presenter at one of the first conferences that I organized, and she was way deep into security-related stuff on iOS development. And now she has moved on since then to other fields that are still security-related. But over the years, I've kept somewhat of an eye on her work and what she's been doing, and it's always great if she publishes anything. And she's just like this tiny but fun ball of energy that is always a fun person to be around and to have in the room and just to talk with. So I just wanted to share Anastasiia with my audience, so with you as a listener, as being a great person. So, Anastasiia, how are you doing today?

Anastasiia:

Hi, hello. Thank you for your kind words. Yeah, I think a lot of people know me by my nickname, VixenTael. So yeah, indeed, we met like in 2016. Oh, my God. And I already was doing security. Time flies. Yeah.

Jeroen Leenarts:

Yeah. But you still work at the same place? I think Cossack Labs, right?

Anastasiia:

Yeah. But I believe in 2016 I was not working there. I think that I was working in my previous companies, and then I was doing mostly iOS development. And then, yeah, I switched to security completely. Yeah. And I've been working at Cossack Labs for a couple of years already.

Jeroen Leenarts:

So, Cossack Labs. What does the company do? And what's your role within that company?

Anastasiia:

Well, it's a British-Ukrainian company, a product company that does data security, right. So we create software for data protection, which means basically cryptographic software. Okay, so we do have a lot of open source software for different use cases. But all the things have the main goal of protecting data, using various types of encryption. The thing is that cryptography is quite complicated. And with the current data regulations landscape, and requirements and security incidents, many developers need to protect the data. But again, cryptography is complicated, right? So what we do is we strive to create super developer-friendly libraries, or software, that they can integrate into their applications without understanding the maths and the crypto behind it. And as for the software products, part of them are free, like on GitHub, and part of them are paid enterprise versions for large companies with huge data sets, right? Apart from the products, we do some kind of services, like consulting, let's put it this way. Because sometimes the product itself doesn't solve it, you know, you need to understand how it works. And sometimes companies need this skill of security software architecture, of security design, like how to design and build new features thinking about security. So with some people, we help them actually to build things. As an example, the Bear application, you might know the Bear app, this note-taking app for iOS and Mac OS. And with them, we collaborated and we created the end-to-end encryption of notes. Right. So we started from the beginning: how it will work, the encryption scheme, then code, then verify and make sure that everything is working as expected. But this was a collaboration, of course, of Cossack Labs and Shiny Frog, the company behind Bear.

Jeroen Leenarts:

Okay, and what is your role in all of these kinds of things? Because you talked a lot about cryptography. And I know you're a software developer, well, at least when we met you were a software developer. So what is your role within Cossack Labs right now?

Anastasiia:

Yeah, so from a security perspective, I'm a developer that switched to security, right? So I'm the one who, you can say, is a security software engineer. And partially I do the security engineering, like security design, security architecture. At the same time, right now I also have some management position. We just call it Head of Customer Solutions, and I'm the person that usually interacts with our customers if they need something on mobile. So yeah, for most people, like Bear, like Spectre, like another application I can't name, I was leading our security efforts with them, right. So I design stuff for them, and then their developers do it. And I make sure that everything is smooth.

Jeroen Leenarts:

So, and you live in Ukraine, I think in Kiev, is that correct?

Anastasiia:

Yeah. Right now I'm in Kiev. And yeah, previously I got to be in other cities. Like, as we have an office in Kiev and in London, I was flying back and forth. But starting from March, I believe everyone in our company has just settled down somewhere. And yeah, right now I'm in Kiev. I don't even know when I'll see London next time. Hopefully in summer, maybe, but let's see.

Jeroen Leenarts:

Yeah, it's rough all around the world. So you got started as a software developer at some point. But when you were a little girl, how did you grow an interest in computers, security, coding, programming? So how did that get started with you, actually?

Anastasiia:

Well, let's kind of find the cause. My mom had a PC, because she was working as an engineer, like a computer engineer, right? Not like a developer, but the person that is kind of around the IT people, whatever it was called back then. So she got a PC at home when I was four years old. Right. So I had this Athlon or Celeron, I don't remember, with the first Windows 95. Yeah. And when I was six, we got the second PC. So we built a local network, and I was playing games in a local network with my younger brother. He's like two years younger. So we were already playing games, right? And as someone who had a PC from this young age, I was super curious. And at home, we had so many books about Norton Commander, and I was like, what? I didn't really understand what it did, but still, it was really funny. So yeah, when I was in high school, I already knew that I wanted to do something with computers. I just wasn't sure what exactly, right. And as I was quite good in math and physics, in my last classes in high school I already understood that, okay, I want to do something related to informatics, like informatics is programming. Yeah. And then I just got into university, to a typical computer science faculty. I was not super, you know, spoiled, because I was like 17 or something. So I just selected the university that was closest to my home. Yeah, it works okay. The thing is that in our faculty, there was like a kafedra, like a department, and I got into the department that taught us a lot not about software development, but about hardware, right, about how to create microschemes, how to create those, like, bit shapes, how to design a computer, how all those elements work, you know, like Boolean algebra, this kind of thing, cryptography, etc, etc.
So then, during my education, as I got this master's degree, I was already working part time as an iOS developer. And Objective-C was my first commercial language, but in university I tried many of them, starting from C to Prolog. So like the whole range: C, Java, Python, I don't even remember, Prolog. And when I was doing my first interview to work as a mobile app developer, no one knew Objective-C. At that point, you remember, it was iOS 3, it was like iOS 3 or iOS 2. No one really knew Objective-C, it was a language only used, yeah, with square brackets, only used by those weird people who wrote iOS software, like programs for iOS. So when I was doing my first interview, they couldn't ask me about Objective-C, obviously, right? So they asked me about C. And I was not super into C. So before the interview, I read all the things, and I was kind of prepared. It was fun, and I went. The interview was successful. But at the end, they had, you know, this list of questions they were asking me, and at the end some of them told me, well, okay, here's the number, welcome aboard, blah blah. And then someone said that, okay, maybe it would have been easier if it was Java. And I understood that, yeah, many of them, because they had Android developers among them, many of them knew Java. And I also knew Java, and instead of reading all these things about C, volatile functions, et cetera, et cetera, we could have just done the interview in Java, but no, we did it the hard way. So yeah, but then they took me, and I was doing iOS applications for a while.

Jeroen Leenarts:

Yeah. So you mentioned that you studied a lot of languages during your university years, so programming languages, obviously. But did you really get started with programming in university? Or did you have some experience trying some code before you went into university?

Anastasiia:

I think in school, because I was super interested in web development. And you remember, it was like HTML, CSS was not a thing yet. So it was HTML and iframes. And I was building some, you know, sites on iframes. Yeah,

Jeroen Leenarts:

yeah. And a lot of table-based layout. Remember that? Okay, so you had some work experience during your university years, and then you started at your first job immediately as an iOS developer. So that was back in the iOS 3 days. That's when they basically released UIKit, from Apple. Yeah. So then what happened? Because being a junior iOS developer, and then growing into this mythical beast from Ukraine that knows a lot about security on iOS, that's something that happened as well, because I've seen talks that you've done on iOS and security, and they've always been impressive. So how did you grow from being a junior iOS developer to that? That's really, yeah,

Anastasiia:

the thing is that I wasn't a junior for a long time, I think it was only like half a year, because I had this really nice education, a really nice background. And again, iOS development was super new, right? So yeah, I stopped being junior quite fast. And at some point, I was doing really a lot of iOS applications, because I was working at kind of like a boutique agency, not like outsource, but more like a company that's creating applications for others, doing all this, you know, product cycle, blah blah blah. So I've seen how we interacted with customers, how the product grew, how to make those feature decisions, which features are useful, which are not, this kind of thing. And at some point it felt really narrow. I don't know, I mean, it's just one platform, especially this early iOS with tons of restrictions. Right, I remember all these optimizations we've done just for an iOS application to run on iPhone and iPad; when the iPad appeared, it had less RAM memory than iPhones. So we did some crazy optimizations just for our application to run on iPad, like come on. So at some point I became bored, and I started doing backend as well, because I usually was pissed off at backend developers, because I wanted my iOS application to be smooth and fast. And you know, sometimes responses from backend servers were not optimized. So instead of communicating with backend developers, I tried, I honestly tried, and at some point decided, come on, this is just backend development, right? I can do it. Okay, so I switched to backend as well. And it felt so much better to be able to control, you know, the iOS side and the backend side as well. Yeah.
And then, after a few years, I understood, okay, now I'm kind of leading the product development itself, some software for iOS, Android, backend, using all these nice and shiny databases, and, you know, optimization, etc, etc. So as soon as I did that, I came to the understanding that my software is not very secure. Because as a developer, I can open the backend database, because I have admin access, right? And I see everything. Oh, those emails. Oh, that's the information that people input there, right, on the application side, I mean. And I believe that at this point I was like, okay, this feels wrong. Maybe I'm doing something wrong. And I think that this was a huge step, like changing my mindset, because again, I was able to control the whole application on multiple platforms. So I've seen these data flows: how data is generated, then what we've done with it on the backend, how we store it, if we remove it at some point, we hoped, but we usually didn't, right?

Jeroen Leenarts:

Yeah, records were only marked as deleted. Yeah,

Anastasiia:

yeah. I did this trick. I'm guilty, I did this as well. And there was no GDPR at that point, right. We only knew about HIPAA, but it was only for the US and only for medical, healthcare, blah blah. So it's not something that could affect a lot of applications. Right. So I started kind of googling and learning more about application security. Also, my friends asked me to help with their open source library, an open source cryptographic library, because they wanted to make sure that it works for iOS and Android. And they made a mistake: I said yes. And six years after, well, five years, five years after, I was still maintaining the library. Okay, it's this Themis library, a cryptographic library, and now we support 14 different languages. And like, oh my God, if I'd only said no to them,

Jeroen Leenarts:

your life would have been different, most likely.

Anastasiia:

Yeah. So I said, great, and I started to dig into their cryptographic library. No one expected me to write cryptography, yeah, but I had some education from university. So I was like, okay, I don't understand all the things. So I started doing all these Coursera courses on cryptography, reading books, and fixing bugs in their cryptographic code. And then I was like, okay, I can do it. I mean, it's not so complicated, right? Yeah. And having this kind of background, I stopped doing mobile app development, because again, security is so much more interesting, because of all the different areas, different platforms, different things that could go wrong. So I just stopped being a full-time developer. And after a certain time, when I was working as a freelancer, I decided that now I don't want to create a custom application for someone, I want to create secure software, security software, or work on improving security. So I joined Cossack Labs full time already as a security software engineer, and started digging and learning even more about security, not only for iOS, but for all the platforms.

Jeroen Leenarts:

So you mentioned all the platforms. How wide-ranging is your security knowledge right now?

Anastasiia:

Well, that depends on how we calculate, right? Because in security, like information security, there are numerous domains. And I'm super comfortable with risk assessment, risk management, this is the way how you basically try to understand what risks and threats the application is facing, right. Then the security software architecture, or how it's called, design, which explains how exactly we want to protect from those risks happening, right. And basically implementation, security engineering, it's not the first step, so it's like, there's a middle, and then verification, it's more like auditing, auditing of security software written by someone else. So in my experience, I do really nice work building security software, creating that, especially encryption schemes, especially across platforms, mostly mobile and some backend. I'm not deep into network infrastructure, I would say, so I'm not that person that will set up, I don't know, internal DNS server infrastructure for a company, right. But I am that person that will design a security feature and implement it, one that goes across all the platforms you have, this kind of thing.

Jeroen Leenarts:

So you could say that your focus in security is mostly on the endpoint-to-server connectivity, that it's the final leg, really, of the data reaching out to the end user's device and back, or,

Anastasiia:

yeah, I would say that my focus is data protection. So if you think about data flow, data flow is something that starts somewhere on the front end, for example, it can be an iOS or Android application or a web front end, right? This is the front end where the data can be generated, then it goes across the backend code, it goes to the database. Sometimes we do some calculation with that, all this logging, all the things, how data goes across, you know, and at some point it can go back to the application. So the data flow, and protecting the data flow, putting in security controls for the whole length of the data flow, designing them, yeah, this is what I do. And I don't actually care which languages the backend uses, so I can read and write most of them.

Jeroen Leenarts:

So if you go back to iOS software development, what are the biggest flaws that you have seen, or the most common flaws that you have seen for mobile app developers creating connectivity with something? So basically the backend, or some other service. So what are the biggest issues that you quite often see if you're, for instance, auditing some piece of code?

Anastasiia:

Yeah, so first of all, there are a set of technical issues, but those, you know, are about how people implement certain things. Like for example, if they decide to encrypt the data, they often put the encryption key with the data, right? For example, we encrypted the data and put it into a plist, and we put our keys into the plist too, because we want to save it persistently. So these kinds of mistakes are super easy, but they're super common. But from the technical, from the engineering point, there are sort of standards, and it's easy to find those mistakes. So we can just read checklists, like OWASP MASVS, which stands for Mobile Application Security Verification Standard. It's a huge, huge checklist about those, you know, small engineering bits, and yeah, many mistakes are, like, hidden there, but I like it more, and I really enjoy it more, when I find flaws in design. You know, because often, when you create a mobile application, many developers believe that the application is just the app, right, that just reads the data and does something. But from a security perspective, it's not just the app, it's part of the whole application, of the whole system. And you can't just secure the application design without doing anything to protect the network, like the connection between the application and your backend, to protect the backend, to protect data in your database, etc, etc, etc, right? So many security mistakes I've seen, even for those teams who invest their time in security, is that they do things that won't actually help, because they haven't done something else. Something else like, you know, protecting a backend endpoint, for example.

Jeroen Leenarts:

Yeah, yeah, there's one instance that I came across that was like, they had pretty decent security in place on their backend and on their front ends, and everything was really working nice. But then they had their backups in public S3 buckets. It's like, yeah, it's my favorite. Yeah, you do everything right, and just one mistake, and you're doomed, really. So

Anastasiia:

this is the fail of security engineering. This is why right now I try to improve and gather more skills in security engineering and security design, because it's not platform-specific. You know, you build this huge, huge system, and as you mentioned, you miss something, and like, sorry, you can get hacked really easily. And we don't want that,

Jeroen Leenarts:

right. Yeah, it's a common adage here in security that as a defender, you have to be right every time, and as an attacker, you only have to be right one single time. And that's like a completely skewed game that you're playing, really, because it's so hard to be perfect all the time.

Anastasiia:

And you don't need to be perfect. You just need to be, you know, good enough. Yeah. And this is the tricky part, because you don't actually know how much is enough, right, so where is the line

Jeroen Leenarts:

you want to be? Jeroen Willemsen once told me, he's one of the authors behind the Mobile Security Testing Guide from OWASP, and he told me once that it's just like protecting your house, really. You need to make sure that the neighbor's house looks like an easier target than yours. And somebody else told me, yeah, it's like outrunning a pack of wolves, you just need to make sure you're not the slowest person of the group, and then you're okay. So with all these comparisons, I continue to think it must be really hard to get it right, really. But you, as a software developer and security architect, it seems that is also part of your role. What were the biggest challenges that you've faced over the years as a person working in software development, in the broader sense of things?

Anastasiia:

You know, as you mentioned right now, that you need to run faster than other people if you try to save yourself from wolves, right. So this is, I think, the most tricky thing in my work. Because imagine that we have customers, we have people who either use our software or want our assistance in building something. And here is me, coming into a developers' team, saying, okay, you built a great product, now we will try to make it secure. And usually we do this risk assessment, we do this threat analysis, so we usually like to demonstrate that the security controls, the things that we will build, don't appear out of nowhere. It's not because I'm, you know, super smart and I tell you to build the thing. No, we do risks and threats first. And based on that, based on understanding the business deadlines, having in mind where we will lose money as a company, based only on this, we try to design the security controls, and then try to prioritize them, trying to build fast those controls which will save us from most troubles with less effort, you know, you know the drill, right? And this communication, when I go to development, I speak with all the developer teams, with the architects, and usually there is a couple of people from our side and, you know, 10 people from their side, because they have an iOS developer, Android developer, backend developer, database engineer, architect, security stakeholder, a bunch of people. And this communication, when I try to explain, so yeah, we should build these things, and they will help us to prevent these three risks from happening, and these security controls can be, like, switchable, so instead of doing some of them, you can do others. And that's fine.
You know, and sometimes people just don't want to do something that they believe is too complicated, but still say okay to doing something that they like more, even if, you know, from a security standpoint, we can say, okay, instead of doing it like this, you can do this, and this will work for you. So this communication, that's super tricky.

Jeroen Leenarts:

So would you say that convincing people is the hardest thing that you do nowadays in your work? And then once you've convinced people, you can, like, implement all the cool stuff, so to speak?

Anastasiia:

Yeah, I can say that. In this term, it's not like, you know, convincing, it's more like explaining. And for many people, security is too complicated, not understandable at all, right. So when I try to explain why we do this, and why we started, for example, with protecting data, like encrypting the most sensitive bits instead of obfuscating application code, right. And many people have heard that obfuscation is really cool. And when I start to kind of prioritize things, they might have questions, like, why? And answering those questions, I can't answer them like, come on, stop, like, learn security engineering, and in a few years you will understand what I mean. It's like, you know, like a doctor's position. Yeah, sometimes I think that what we do is like being a doctor, because we have a lot of patients that don't have this medical school background. And as a doctor, you want to tell them what to do that is better for their health and their current position in life, whatever it is, right? And sometimes people don't like those suggestions. So you kind of need to be super harsh, but at the same time explain things really nicely.

Jeroen Leenarts:

Okay, well, I do know from your presentation skill set, it's always a joy to watch your presentations, especially with all the graphics that you always use in your presentations. So just to switch gears here a little bit: in the morning, what's the thing that gets you up in the morning and ready to attack the day, and deal with all the fun stuff that comes your way? And sometimes not so fun stuff. So what is your motivator to really jump out of bed in the morning?

Anastasiia:

Oh, mornings are complicated. I'm not a morning person, like, at all. You know, I have this job where usually I don't see how work looks at 8am, just because I'm sleeping at that time.

Jeroen Leenarts:

Let's rephrase the question. So if you're into something and hacking away or coding away, or just enjoying yourself, really, what is the thing that keeps you up at night? Because you just cannot put it down and just want to know, one more line, one more thing I need to do? What keeps you going at those hours of the day that you probably should be in your bed, sleeping?

Anastasiia:

Yeah, yeah, I'm this kind of person. So at the end of December, I was doing something till like four or 5am in the morning, I was just trying to finish the security system I was designing. I was like, no, I want to explain this more. No, I want to add this chart. You know, this kind of thing, just because it makes me super excited when I see how different security pieces come together. And when I imagine how cool the system would look, like, oh yeah, that's really, you know, it's like a building process. I really like coding, like development stuff, just because when I build something I kind of feel, you know, I imagine how the software will work. And I'm super proud, I'm proud of myself that I can build these things. So yeah, I think this is kind of like a builder's energy.

Jeroen Leenarts:

So you mean that you're really a software developer or coder at heart, kind of person?

Anastasiia:

Yeah, and this is something that I can do, like, if no one, okay, night is perfect, because no one is sending out those emails, and I don't have calls at night. Because during the day, well, of course, I don't have time to focus, right.

Jeroen Leenarts:

Yeah, nobody's sneaking up on you to ask you questions.

Anastasiia:

Oh, yeah. So great. Yeah. And when I can focus, I really like to spend my time on building things.

Jeroen Leenarts:

So what is the biggest thing that you've built in, well, let's say during the pandemic, just to take a timeframe? So in the last 10 months?

Anastasiia:

Well, I designed one cool encryption system, in a very tricky environment, you know what a CRDT is? So there was an iOS and macOS application with a CRDT, and with data pieces that should be shared between many, many members. And the idea was to have it all end-to-end encrypted but shareable, right? So I designed that system, I even designed a couple of different scenarios, strategies to try, because they had performance requirements. So until we try and build a proof of concept, we can't be sure which option to choose. So I even left, you know, these potential options. I was super proud of myself. And now people are building this thing, so I'm waiting, trying to see what will happen. And if it will be good and it will go public, then maybe in a couple of months, maybe in a year, we'll be able to say, hey, that was me, I built that. Yay.

Jeroen Leenarts:

Yeah. So it's still under an NDA, it sounds. You mentioned the acronym CRDT. Can you explain that to people that don't know what it is?

Anastasiia:

I need to Google the exact definition. So CRDT is conflict-free replicated data type. In simple words, it's just like a data type and a protocol, like the data structure and the protocol, they're usually used together, of how to coordinate and merge databases from different parts of the system. Like imagine Google Docs, right? Imagine Google Docs, and you share the Google Doc between different people, and you're editing the same phrase, the same sentence, and all your small changes go into your own log of changes, and then these logs of changes, you synchronize those logs using a backend server. Right. And the idea of a CRDT is that it's built, this is a data structure that has the fields and is built in a way that makes this merging of small individual changes really easy. There are different kinds of CRDTs, with different optimizations. And as far as I know, Google Docs are not built on CRDTs per se, they use something else. But the idea is that when many people collaborate on the same data, you can split their work into small trackable changes, actions, let's say like the action "edit on Chapter A", or something like that, and having these logs for everyone, then you can easily merge these logs, because these logs have a certain structure.

Jeroen Leenarts:

Yeah, yeah. Because the work that you do in organizing data allows you to do the merging without too many hard conflicts, right? Because

Anastasiia:

yeah, so CRDTs have different kinds of optimization, some of them are like real time, so you can have this like, almost in real time. Others try to optimize the space. Because imagine if you have those events for every character you place in your sentence, right? Your logs will overflow really, really quickly. So there are a set of like, things you can do with those logs, just make them smaller, etc., etc.

Jeroen Leenarts:

Okay. Um, let's see, just jumping topics a little bit again. So imagine you're coming to a client's office, if that's ever gonna happen again in this year. And there's like, a team sitting there, software developers, QA people, architects, you know, front-end, back-end, mobile developers. Once you like, got your foot on the ground there, and you're like, coming to grips with what the environment is, what are things that you like to see and like to hear from the technically skilled people within this group that convince you that okay, they have their basics in regards to security in order, and we can like skip the basics and dive into the more meaningful, sometimes more advanced topics, like in the first day?

Anastasiia:

Wow, I honestly, I was not that much of a fan to go to people's offices even before the pandemic, right? Because many things happened. Honestly, I haven't even seen a lot of people I've worked for, it's only like online. Yeah. So yeah. With this case, I would say that usually I assume that people don't have a security background, or have really little. Right. So that's my, like, default assumption. Sometimes I just ask them, so I ask them, like, what they think about like, what's the reason? What's the goal, what they're doing there, right, so what they want to do, because sometimes with security, there is like the team that wants changes, they understand that their software is not secure, but they want like a hub, they want someone else's expertise they can use to make it more secure, right? So then those people are ready to work. And we kind of divide the areas of influence, because I like, I become more like a security architect kind of person, I say, like, okay, your product is great, and you understand how it works. I understand how security works. So let's like kind of merge our expertise to build something better, right. But sometimes, the team is not really interested. So there is like no solution, like an idea from somewhere else, from like CD, or that they need to improve their security, right. And this might be complicated. And because I don't want to spend our time, like especially if a couple of people, you know, are like person-hours arguing on if we should like protect these things or these things. So instead of arguing, I try to start with, again, risks and threats. So to talk with them, not about the technical perspective, but about their organization, their company's product, what good things can happen.
What bad things can happen, what worse things, like from a security perspective, you know, like leaks, incidents, like someone got fired, like insider leaks, you know, this kind of thing. And then when they start thinking about it, when we write down the answers, they start to imagine the landscape, it's like, yeah, probably if we want to work in this company like in half a year, we want to put our efforts to make it more secure. Right? To find just some common ground.

Jeroen Leenarts:

Okay. And so I'm looking at the time and I want to like move up to sort of like wrapping things up a little bit. To any general software developer out there, what is the best advice that you could give them if they want to, like, improve their knowledge on security in general, just get to know the lay of the land a little bit, know what common pitfalls in their specific technology stack they should avoid? What are the best resources for people out there?

Anastasiia:

OWASP, that's the last one, because OWASP is like free and very well documented. And yeah. So if you're like a mobile developer, and you want to learn more about mobile app security, I really recommend OWASP MASVS, which is just a checklist, right? You probably won't understand a lot of things from the checklist itself. But we have the MSTG, Mobile Security Testing Guide, which is kind of a book that explains how it should work. Right. So as a good idea to start for mobile developers, I would recommend to open the MASVS and then like to scan through those statements and to read about each of them in the MSTG. It's like an exam, you read a question, and you might not know how you should answer it. But then you read an answer. Right? And it's like, it starts making sense. The same will serve for web, I believe there was like ASVS and something similar to MSTG, but for web, however it's called.

Jeroen Leenarts:

Not sure. But I know it's out there. And it's something that's also published by the OWASP organization. And so yeah, so basically, you're saying that OWASP is actually one of the best starting points to just get an idea of what's available, and what common pitfalls are usually made in your specific technology stack, as a software?

Anastasiia:

Yeah, yeah, I think so, because OWASP gives you like a whole picture. Right? So it's not, obviously, it's not enough, right. But instead of reading some standalone guides from someone on the internet, who is more interested in obfuscation, for example, this is a deep topic really, but a single topic, you can read, like, OWASP checklists and the guidelines to just see the whole picture.

Jeroen Leenarts:

Okay, well, the good thing is that a week from our recording, I'm recording with Julian Williamson. And he is like one of the people writing the MSTG for Android and iOS. So I definitely look forward to seeing what he has to say about the topic of security. I think we covered most of the things that you do as a software development security architect. Is there anything that you would like to add still to our conversation?

Anastasiia:

Yeah, you know, I don't know, maybe it's just the circumstances. But I might start contributing to MASVS and MSTG really soon, because just this week, we had a call with my colleague, who's also a security engineer. And we came up with topics and with the exact plan. And we even registered in the OWASP official Slack. So we might add some, you know, our experience into these community guidelines. And I'm really looking forward, because OWASP, so like, these guidelines were part of my life. So I was like, yeah, I learned so many things thanks to them, I want to contribute and like, share my experience. And

Jeroen Leenarts:

that's, that's really cool. Because I know that one of the things that you seem to really enjoy is sharing knowledge with people. And I look forward to what you can add to the MSTG and other security-related resources out there. By my assessment, I think it's going to be a lot, that you can talk about a lot of topics. So I look forward to that. And so Anastasia, very much thank you for your time. And I look forward to seeing more content produced by you in the future. And I'll make sure to keep an eye on your blog and see if there's any interesting articles that you will publish soon. And yeah, who knows? I definitely hope to see you in person again sometime, because it's been too long ago, I must say, for years. So thank you for your time and I hope to talk to you soon.

Anastasiia:

Yeah, thank you, it was a pleasure.
