Podcast- Ep-6 #ShiftLeft at Emirates Group — A conversation with Toufiq Ali
PS:- This blog was originally published at ShiftLeft Blog
A conversation with Toufiq Ali — Principal Cybersecurity Engineer at Emirates Group on developer focused security initiatives at the Group.
Toufiq delves into the need of integrating security into development pipelines, how security and software development teams created this partnership, and how ShiftLeft Inspect has helped them achieve their goals.
Here is the conversation reproduced in an interview format.
Introduction
We have seen an ever-growing trend of both B2B and B2C companies becoming technology companies. Starbucks, JPMorgan, Goldman Sachs all of them call themselves as technology companies who are in the business of coffee and investments respectively. This requires businesses to invest in building, manage and run their software. And for those companies that run a huge customer-oriented operation, it requires running deep and highly agile cybersecurity defenses. And in these scenarios, these mythical walls between security and engineering are beginning to crumble
Emirates Group is one such is one such company comprising of Emirates Airlines, one of the largest airlines in the world and dnata, one of the largest combined air services providers in the world. Underpinning is a technology operation that rivals the best in the world. Consequently, they have the software engineering function part of their IT support services department that delivers underlying technology platforms required to power their operations. All of this also requires running a top-notch security operation to secure all these digital assets.
Today, my guest is Toufiq Ali, Principal Cybersecurity Engineer at Emirates Group. Toufiq is responsible for application security practice for web & mobile streams that support various technology platforms at Emirates Group. Cybersecurity at Emirates Group clearly saw the need to bring down the mythical wall between security and engineering.
Alok — Hello Toufiq, Welcome to the podcast, When did Emirates Group Cybersecurity team start to realize that application security cannot continue to live outside of engineering?
Toufiq — Hi Alok, thanks for having me. Emirates Group Cybersecurity practice has been around for a while. When I joined the practice, our team was tasked to look into our existing assurance processes and identify opportunities to optimize them. In doing so, we realized we could not outlive the demand for security testing for too long. Generally, most security testing is carried out towards the end of the development process. And we did not want to be at the tail end of the process and become blockers for all good things. And, honestly, we wanted to do more than just security testing our code such as privacy by design reviews, threat modeling etc. It is then when we started the journey of transforming our security practices to integrate them into our software engineering practices.
Alok — How did engineering think about the security team’s proposal for integrating security in their workflow?
Toufiq — It was very positive be honest. We collected some key performance indicators over a period of time through various testing activities. For e.g. do we have more authentication issues or more authorization issues or other OWASP Top 10 issues, etc. We then used this data to identify gaps that we could address either early on or during the software development lifecycle. And our engineering teams played a vital role in this process.
Alok — At Emirates Group, what kind of tools are at the core of integrating security into the developer workflow?
Toufiq — A question, a tool could be non-technical and technical, right?
Alok — Sure, what do you mean?
Toufiq- So non-technical tools are like hosting capture the flags, tech talks or focused security workshops for our developer community. These events are tailored to mimic the most common errors our developers make and help them learn from such events. For technical tools, we make use of a number of open-source software’s with some commercial software’s to address our security requirements. For instance, we have recently started using ShiftLeft Inspect for doing static code analysis.
Alok — Tell me more about Capture the flag activity?
Toufiq — CTF as they are more popularly known as; are fun to setup. We create challenges that mimic issues of the same nature as our developers tend to make errors about. For e.g. not validating an input field. Once they solve the challenge, we follow up with a recommendation on the screen that helps them correlate to issues we have reported during our security testing. We have also used a commercial platform where the developers are given vulnerable code in programming languages of their choice and they have to write code to fix the vulnerability. The platform gives them an instant feedback, it is very interactive!
Alok — How has ShiftLeft Inspect code analysis platform has helped you and Emirates Group with your objectives?
Toufiq — As stated earlier, we could not outlive the demand for security testing. So getting a feedback early on in the development process & more importantly a good one was vital to our success. I think implementing a static code analysis platform will go a long way in forging a strong relationship between security and engineering. For e.g. if some of the KPI that I mentioned a while ago, start showing a downward trend or development process becomes more cost-effective, as you don’t have to spend resources on fixing bad code late in the cycle are some healthy indicators.
Alok — You have integrated ShiftLeft code analysis into developer pull requests, along with security checks to fail the build for new vulnerabilities. Did you find developer resistance for such an approach?
Toufiq — Well, that’s an important question, Alok. Look, software developers are at the core of engineering and they need to know what we are doing and why we are doing it. So, it is very important to have this dialogue with your developers. I don’t think they resist the approach, it’s just the idea of change. But they are also smart and often come around much faster. We have had feedback from how our developers are solving their engineering challenges using some of the tools we have implemented. And I think that is a very good testament to your relationship with them.
Alok — Recently, we have seen a lot of cybersecurity investments happening in the Middle East in general and UAE specifically. Why do you think that is happening?
Toufiq — I personally think it is largely due to a number of digital initiatives that are announced by government sectors and enterprises across UAE. For instance, Emirates unveiled the world’s first integrated “biometric path” that allows you to just walk through a tunnel for Dubai Airports passport control.
Alok — Interesting! Can you tell me more about it?
Toufiq — Well it is a mix of facial and iris recognition Emirates passengers can do a number of thing like check in to their flight, complete immigration formalities, enter the Emirates Lounge, and board their flights, simply by strolling through the airport.
Alok — That sounds pretty good. I will definitely visit this biometric path when I come next time to Dubai.
Alok — Thanks Toufiq for joining me on the podcast
Toufiq — Thank you again for having me and it was a pleasure Alok.
