Epic Women in Cyber — Anastasiia Voitova
In August 2019, I started an epic #FF to promote amazing women from the cybersecurity industry. The list kept growing, and I decided to collate all the names in an article to make it a little bit more accessible. Now it’s time to sit down with all these amazing women and learn more about their experiences.
Anastasiia @vixentael has 10 years in software development, she builds security software for data protection (encrypt everything!). She shares a lot about “boring cryptography”, end-to-end encryption, data security, zero knowledge / zero trust systems, software security architecture.
She speaks at international conferences, conducts workshops and training for developers, and co-organizes cybersec events.
How did you get into the cybersecurity field?
I have an MS in computer science, so I started as a software developer; I have been developing iOS apps since iOS3. But mobile apps were “too bounded” for me, so I switched to the backend side as well, trying to control as much of the application flow as possible. I learnt a lot about user experience and noticed a gap between “as engineers, we want to build complicated technological systems“ vs “as users, we want to use understandable apps”. I managed to put my hands on several dozens of mobile apps, like secure chats, online shops, medical platforms for patients and doctors, apps for controlling smart devices, and so on.
At some point, I realized that as a developer I have “too much control”: I can see users’ data, I have access to databases, and as users often put their real name/email, so I can basically track real people. I understood that my apps are not secure, and I don’t respect users’ privacy as much as I should.
So I started to pay more attention to security engineering, data security, and cryptography. I became a contributor (and a leading maintainer afterwards) of FOSS cryptographic library, optimized for developers. Then I stopped trying to make my apps more secure and started creating cryptographic tools and security software for other developers.
Now I’m leading data security solutions at Cossack Labs, helping our customers to protect data of their users, speaking about security architecture, conducting workshops and training for developers, and co-organizing cybersec conferences.
What are the main challenges in this field?
One of the challenges is the gap between the world of product makers and the world of security people — the gap in their skills, competence, and mindset.
When I was working as a software developer, there was nobody responsible for product security (luckily, large companies start having security engineering roles, focused on working closely with developers helping to design and implement more secure apps). Many developers I know have no interest in security, no understanding of risks & threats, no skills in security analysis and architecture. For many companies, product security is just “run pen tests once a year”.
On the other hand, I noticed that many security people have no experience in developing decidedly usable software. Security software often is complicated to configure, it becomes pain-in-ass for developers, and security people often come by and tell developers to stop doing what they are doing and start fixing vulnerabilities and updating 3rd party libraries.
While I’m staying between two worlds, I feel this problem deeply.
What are the things you’ve learned being a woman in cybersecurity?
Bad things and good things.
I’ve learnt that even if I’m invited to a conference as a speaker, and my face is literally everywhere in the venue, some people still can confuse me with a coffee-making person, question my skills or doubt my expertise.
At the same time, I’ve met many great women that work in security, in very different areas — from digital forensics to devsecops, from creating antimalware software to hacking into systems. I always enjoy learning from them about their area of expertise and approaches to solve problems.
Right now, I’m putting a lot of effort to support my fellow colleagues by mentoring and promoting them.
What advice would you give to women who would like to join the industry?
I think that cybersecurity is the most exciting area of computers. It has so many different areas that anyone can find a suitable one. Don’t hesitate :)
Also, I’d recommend finding a community / a tribe: for example, a local community of Women Who Code or Women In AppSec. Usually, it is a great place to learn, to share knowledge, to get support and feel empowered.
Who are your role models?
Oh, that’s complicated.
I admire Emma Watson because of her position of gender equality, and she is an excellent example of a famous person that use their power to make changes. And of course, I respect the Queen, because I can only imagine how many complicated, devastating decisions she had made through her life.
Among fictional: Lara Croft, Buffy the Vampire Slayer, Xena the Warrior Princess.
If you could go back in time to your first days in the industry, what would you do differently or tell yourself?
I would have stopped being a full-stack software developer earlier, and switched into security.
Understanding security architecture and risk management gave me a much better perspective on how to create secure software and build security controls, than my experience of coding various apps using ~10 different languages.
If you are a founder or a member of a community for women in security, can you introduce it?
These are my local communities, in Ukraine.
- Women Who Code Kyiv — we have pretty solid security chapter, I’m one of the leads
- Women in AppSec Kyiv, I’m one the members
