The Change - Towards The Next Phase
Today is my last working day at Appsecco. Almost like an end of an era for me. An experience that I will never forget. An experience of transformation.
How it started
Sometime during mid 2016, Akash reached out to me and told me about his new company - Appsecco. He wanted to discuss designing a database schema to store application security assessment data, something we had done successfully for the null Community as Swachalit.
At that time, I was professionally running 3S Labs, my own ambitious security services startup. I was working on stuff like reverse engineering and malware analysis, vulnerability research, delivering security services for our awesome clients and related work. It was a great experience running 3S Labs. I got a glimpse of the distinction between doing security work and actually meeting the need of the person paying you for it. The story that I tell everyone is that, weirdly, companies that were supposed to be my competitors were actually my clients at 3S Labs.
I was taking a break from work during mid 2016 to acclimatize myself with her arrival. During this time, I frequently visited the Appsecco office, which was, back then, a small room where Akash, Riyaz and Madhu were working together. I found a super excited set of people willing to experiment, learn and build a great team that, true to its goal, provides awesome security advice to its customers. Akash shared his vision of a platform-centric approach for application security service delivery backed by two key ingredients:
- Research in application security
- Automation - Our value will be [1]
At 3S Labs, I had been thinking of something very similar but never had the time or motivation to actually follow through on it. This appeared to me as a great opportunity to join the bandwagon of a bunch of super motivated and smart people and build what I wanted to build. In no time, I spoke to Gwilym, Akash's co-founder, and in December 2016 I joined Appsecco.
Me at Appsecco
At Appsecco, I quickly built a product to manage application security service delivery. My past experience of working in early stage startups told me that now was the time when I needed to look for a way to deploy the product and set up a bunch of maintenance tasks around it.
Madhu, our DevSecOps Ninja, informed me that it was already deployed. In fact, when I pushed to the release branch, the deployed application would auto-update. I was familiar with CI/CD tools but did not expect to see them in the early days at Appsecco. A pleasant surprise for me to start with.
From that moment, it was a journey of professional transformation for me. I experienced accelerated learning. In particular:
- Docker and the containerized approach to development and delivery from Madhu
- Upskilled myself in application security thanks to Riyaz
- Exploring the unknown and the joy in it from Akash
I also worked extensively on Kubernetes security along with Madhu, which ultimately became an area of long-term pursuit for both of us.
I had the privilege of working with some amazing people at Appsecco whom I will greatly miss, for no real reason, because I can just ping them anytime and say hi :)
The list is long and I would probably have to spend an entire week to describe it in greater detail. However, I want to highlight some of the cultural aspects of Appsecco that touched me in particular.
Preserving Knowledge
One of the things that Akash took charge of driving internally during the early days was making it easy for everyone to document technical knowledge. This drive eventually became a large repository of really valuable technical information for reference.
We used Markdown with static website generators like mkdocs, Raneto and GitOps to make the documentation process seamless and easily available to everyone. The end result was that the notes we wrote as part of our learning and research ended up in our documentation repository, which was continuously enriched. Eventually this became very useful as a daily reference.
Quality Assurance and Scalability in Service Delivery
The co-founders were very serious about creating value for customers from day one. As part of service delivery, it was our job to ensure that we were able to provide great quality work to our customers every time, minimizing mistakes due to oversight or the lack of skill/experience of an analyst, something which is a common phenomenon in a security services company.
While we had Riyaz, who can practically break anything and everything, we were not able to biologically clone him so as to scale our service delivery capability. To work around this, we chose the easier path of leveraging our awesome documentation infrastructure to:
- Create friendly checklists for each service
- Create usable references on how to execute a test case
The objective was not to bind a security analyst to following checklists, but to reduce the need for continuous decision making during an assessment by providing an easy-to-follow reference of past projects and the experience gained from them.
Problem Discovery
Akash and I were always keen on maintaining that Appsecco is a technology-driven application security company. To this effect, we always kept the discussion going to identify problems related to:
- What we can automate in our services workflow
- What is that key customer problem that we can solve
Our efforts related to application security workflow automation led us to work extensively with Kubernetes as an underlying platform. We developed and presented KubeSecO as an open source solution.
There are many other things that we worked on, and some of these will mature into products solving real customer problems in the future. Do look out for this at @appseccouk.
The Company Grows with You
The culture of growth is of high importance at Appsecco. This is evident in the ninja-level achievements of our beloved Madhu sir. Akash in particular always encouraged everyone in the team to go present at security conferences and work on personal brand building and growth, which in turn contributed to the company's growth as well.
- Bharath's work on Subdomain Enumeration was extremely well received by the community, which increased our visibility as a company
- Akash and Madhu’s work on Automated Defense in the Cloud took us to the international stage of Blackhat Trainings
- Riyaz’s continuous work on publishing new attack techniques opened new doors for us in terms of business opportunities
- Riddhi’s work on mobile app security positioned us as experts in the field
- Sunesh completing his CKA with a 100% score increased our Kubernetes expertise and capability
We also have our awesome security storyteller Shruthi, who bridges the gap between the in-house security nerds and our customers, who enable us to do the stuff we enjoy on a daily basis.
The team is growing, with Ayush interning with us and then joining us fresh out of college. I will keep an eye on him, as Appsecco has a track record of creating rockstars from kids. I missed the bandwagon as I was too old when I joined :(
Next for Me
It has been an exhilarating journey of change, learning and development for me at Appsecco. This contributed to getting me my next opportunity, an impactful product security role in a high-growth SaaS company. I wanted to work with established engineering leaders and learn from them, something that I have missed so far as I have worked entirely in early stage startups. In particular, I am looking forward to:
- Learning to build products from an engineering leadership perspective
- Contributing to real-life product and platform security problems
- Switching roles and playing defender in an engineering organization
Some day I will be back in the early stage startup scene, and when I am, I would want to build a security products company with some of Appsecco's culture imbibed in it.