Thoughts on Application Security — jimio Talks to Cyber Defenders
Editor’s Note: Thank you Clinton Fernandes for putting this summary together.
Here at San Jose City College, in the Cyber Defenders program, we hosted speaker Jim O'Leary, who works at Facebook as an application security lead. We were happy to have him share his knowledge and experience of working at Facebook, as well as his thoughts on the project topics that the groups in the Cyber Defenders program were working on.
Speaking to the individual groups, Jim gave the students advice while describing his own experience with each project topic. Our summary is below:
- The malware analysis (GotMalware) group said that they were working on malware detection using simple techniques, and that after implementing those successfully they would apply machine learning to improve the analysis. Jim told them that at Facebook, machine learning is used heavily to detect malware and threats.
- The network security (Raspi) group described their project, which involves deploying multiple Raspberry Pi mini computers that monitor the network in a region, prevent intrusions, and alert a user to suspicious activity. Jim talked about the different settings in which portable network monitoring is carried out, even by individuals.
- The last group, on software vulnerability (HealthSec), described their project on strengthening the security of healthcare applications by formulating methods to analyze the security risks of mobile healthcare applications and help people, including hospitals, make informed decisions about the privacy of patients' health records. Jim mentioned his involvement in healthcare security when he worked on HealthVault at Microsoft.
The group presentations were followed by questions. Some handpicked questions and answers follow:
- How often does facebook identify bugs and threats?
Jim — Every day. We’re constantly working to find and fix new bugs, while people on the outside are doing the same.
- How difficult is it to defend against bad actors?
Jim — Every time a security breach is addressed or a bug is found, it is fixed. But some person will find a way to get around the defense and cause another breach, and while a solution to that is being identified, a bad actor finds yet another gateway. It's a never-ending loop.
- What role does machine learning play at facebook?
Jim — ML is used in more ways than I can possibly comprehend at Facebook, and across the industry as a whole. From a security perspective, this might be something like our systems noticing that you're logging in from a new browser in a new location for the first time, but Facebook and other companies are really pushing into all sorts of new places to apply machine learning.
- How did you get into this field of cyber security?
Jim — I have spent most of my life in cyber security. Security is a good field, and in my high school yearbook I wrote that I would go on to work on cryptography. The main focus of my undergrad degree was artificial intelligence. Through my computer science course, I learnt that you are either 100% correct or 0% correct, and that is rewarding because it is concrete.
- What is a path for students to take after a Computer Science degree?
Jim — Bug hunting is very helpful, as you can get a lot of problem-solving practice through it. You've got to sell yourself and talk about your knowledge: find internships in your field of interest, participate in capture-the-flag competitions, and write about the issues you come across in a blog post; this is a good way to tell people about your work. Be public and open, and find ways to contribute to open source projects. Microsoft paid for my grad school, so exploit your employer! When you meet people, establish contacts with them. It is important to know that we are in this together in security. You do not want to be enemies with a hacker.
- How difficult is it to find bugs in software and in apps?
Jim — You can go with white-box testing, which involves coding. If you do not like coding, then you can try black-box testing, which does not require you to code, and there are a lot of people now who do it.
- Did you get to meet Mark Zuckerberg, and was it exciting?
Jim — Yes, I did meet him a few times and he is a nice guy who built this huge company. But to meet celebrities like Miley Cyrus and Ludacris was more exciting to me.