My dream Head of Application Security

By Dinis Cruz | October 6, 2018

I’m the CISO of the Photobox Group and we are currently hiring for a Head of Application Security to join our amazing team. Please share this post and Job Description with your network and with who you think would be a great match for our project and culture. Although we will always make a choice based on talent and fit, I would love to get more candidates from diverse backgrounds, namely women.

But first of all, a bit of context about how we think about Application Security (AppSec) at Photobox Group Security.

Basically, any company today is driven by the quality, effectiveness and adaptability of the applications they use. That’s because the value a company provides its customers/users is only as good as the technology that’s created by the applications it creates, buys or rents.

As we move more to an cloud/serverless world, some components are becoming thinner. But still, the thing that makes the difference is the code that we write - and we have to make sure it is secure (since that code have full, or very privileged, access to our assets). For us at Photobox Group Security, that means protecting the photos our customers store with us, their data, and some cases the personal data of our employees. To make this scale, it is critical that we create an environment where writing secure code is easy, smooth, effective, and ideally, invisible to the developer teams (most of the time).

The vision is: Create an environment where developers can code in the most efficient, fast, and powerful way to develop apps that are secure by default, by design and in deployment.

The ‘how we do that’ is:

  1. by having the right mix of frameworks and secure coding best practices
  2. by having technology that can understand and tell us about the side effects of what has been created (namely insecure code)
  3. by creating networks of security champions across all areas of the business, that allow us to share security knowledge and empower effective decision making
  4. by integrating threat models with our JIRA based company wide graph database (so that everything is hyperlinked and the right vulns and risks are connected to the right technical and business owners)
  5. by having maximum visibility into what is happening in the applications when executed in in QA, Test and Prod environments
  6. by using Tests to communicate with development teams (and helping those teams to improve their testing capabilities and coverage)

OK, so who do we need to help us achieve this?

The person that we want is somebody that will thrive on this challenge; who basically wants to figure out, implement, and make sure we have solutions that scale for application security.

The reality is that we already know a lot about writing secure code and writing secure applications at Photobox. We’ve also put a lot of work into creating environments where applications can be executed securely. And there is a whole range of technologies that can facilitate the next stage of our journey. The question is scalability. We do this in a way that doesn’t require a huge amount of security touch points, which usually turn security into a bottle neck.

For example, even if we could review all the code line by line, and had all the time in the world to make changes, that model just wouldn’t scale. With hundreds of developers, you would need dozens or hundreds of security consultants. That means the only way this scales is if we can automate the knowledge and the workflows that are available to our security team - and do that in a way that our developers have access to every day (namely via their team’s Security Champion).

This is even more important because of the world we’re heading into; the world of very fast deployments, where you push to production 5, 10, 20 times, 100 times, 1000s of times a day.

It’s a crazy idea that as we move into this mode of fast deployment, suddenly ‘we can’t do security’; ‘we can’t do threat models’; ‘we can’t do security standards’; and we can’t have all these practices that add a lot of value - to the business, not just to the security team. But the reality is that to do that, we need to be a lot more efficient. The problem we have is that in the past, application security has not focused on scalability. And, for a whole bunch of historical reasons, AppSec has not been caught up in the whole cycle of application development.

Also, these days ‘the application’ is actually the whole system (from deployment scripts, to infrastucture provisioning, to code running live, etc…). ‘Infrastucure as Code’ means that infrastructure ‘is’ code, and we need to apply the same security principles to it.

What we are looking for is innovative solutions and ideas to build a modern security function. This will allow us to focus on allowing the company to accelerate as fast as it can (in a secure way). And by ‘secure’, I mean that the risk implications of what we are putting into production, are understood by the multiple business owners (and meets their risk appetite).

The right candidate is somebody that looks at all this, and says “Wow! this is really exciting!”.

One of the great things about Photobox Group is that we have strong support for our security vision from the Board, from C-Level execs, from business owners and from developers (as an example see this blog post from our CTO: How we think about Security).

Our job at Photobox Group Security is figure out the right mix of People, Process and Technology. It is in our hands to make this happen :)

What all this adds up to is that our Head of AppSec AppSec needs to be fully hands on.

In addition to having strong strategy and communication skils, she/he needs to be able to spend time with developers/architects in helping to: fix issues, review pull requests, provide strong technical knowledge on how a particular challenge can be solved. One typical day will start with working with a team in their proposed AWS architecture, followed by doing secure code-review on a new component that needs to be deployed asap, followed by validating a new Bug Bounty submission, followed by helping to integrate a security tool into the CI pipeline (pushing security left), and ending the day with a presentation to senior management about the results of a Threat Model (helping to drive hard decisions/choices on the next steps). She/he will also be a key driver and enabler of our network of security champions, who are our bridge between the central security team, and the actual teams creating magic (Security Champions is how we scale everything that the central AppSec team does)

This means that we need somebody with very strong leadership skills, a strong ability to deal with pressure and the ability to delegate and communicate the ideas to a much wider team and players. I also expect a strong desire and hunger to learn as much as possible and work very closely with the rest of the highly talented Photobox Group Security team (knowing that no one has all the answers, but that as team we will get to the right answers together).

If this journey sounds like something you you would like to be part of, apply for the role here, and let’s make this happen :)

If you know somebody that would be perfect for this role, please share this blog post with them :)

About us

Photobox Group is Europe’s leading digital consumer service for personalised products and gifts and parent of the Photobox, Moonpig, Hofmann and posterXXL brands.

Creative Commons License

© 2018, Photobox Group Security. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Contact

Photobox Group Security
Unit 7, Metal Box Factory
30 Great Guildford Street
London
SE1 0HS
England