Max Feldman from Slack is one of the amazing speakers in our Controlling Complexity track at WeAreDevelopers World Congress in Berlin. Bug bounty, security assessments of Slack features, security tools development are his daily challenges.
We asked Max about the future of security, privacy, and the most interesting parts of his job. Also, he shared with us his tips and resources about where you can learn more about this industry.
Let’s get started! 🙂
– Max, could you please describe in a few sentences your role at Slack?
I work on the Product Security team, which works to ensure that we ship secure features at Slack and protect our users and their data. More specifically, we conduct security reviews, run pentests, work on building more secure libraries for our developers and build automation to better scale the team. Everyone on the team balances these tasks a bit differently; I focus a lot on our bug bounty program (https://hackerone.com/slack) and feature reviews but also work on some of our tools and processes.
– What does your typical day look like?
I work in our London office, so I start the day by checking Slack and catching up on any messages from San Francisco. I’ll then look at bug bounty submissions we’ve received, and see if action is required. Sometimes that involves meeting with an engineering team to discuss how best to resolve a particular bug. Throughout the day, I’ll divide up my time between a few remaining tasks. I’ll do feature reviews, which range from just reading a tech spec, to code reviews and dynamic pentesting, to longer engagements and meetings with a team to deliver a secure feature. I’ll help out Slack employees in the EMEA region with security needs, which includes general questions about security as well as meetings with customers. Recently I worked on a penetration test (dynamic testing as well as manual code review) of a large feature we’re launching. I’ll also try to block out some time during the week to work on an automation/tooling project.
– As a security engineer, what do you find the most interesting part of your job?
One of the most interesting things for me is the bug bounty, and in particular some of the very interesting bugs we’ve received. There are a lot of talented security researchers out there, and sometimes we’ll see a report that’s extremely clever and insightful. Working on shipping fast fixes to complex bugs and investigating to ensure that no users were affected are both an enjoyable part of that, as well. Those can present very exciting and subtle technical challenges.
I also enjoy the automation work. We’re a small team in a large company, and the tools we build allow us to scale and provide security assurance for our features. Meeting those scaling challenges and maturing as the company grows is rewarding.
– If some of our readers (developers) want to learn more about security or start working in this industry, where would you recommend they start, and what should they read?
I first became interested in security when I took the security class in university. It opened my eyes to the opportunities that existed for breaking things in order to build them better, so to speak. With that said, university is not the only path into security (and many brilliant security folks didn’t receive a formal education in the subject). For practical security experience in finding security bugs (and possibly being rewarded for them), bug bounties are a great opportunity. HackerOne (https://www.hackerone.com/) and Bugcrowd (https://www.bugcrowd.com/) both offer avenues for researchers to submit vulnerabilities to various programs. If the reports are valid, those programs will then reward the researcher (generally with reputation points, swag, or money). I’ve participated in these on occasion, and they can be a fun way to poke around applications in a legal way, while also offering the potential to better the security of an application you may already use.
For the fundamentals of web application security, OWASP (https://www.owasp.org/) is a valuable resource. There are also local OWASP meetups and conferences, where security practitioners, as well as interested individuals, can meet and share knowledge. I also enjoyed the book “The Tangled Web” by Michal Zalewski.
For security beyond just that of web applications, BSides are local security conferences where presentations on a variety of topics are given. These are both pretty accessible introductory resources and can be inexpensive or free. Local hacker communities can be inviting and great places to learn from others who’ve been on the same path before. There are also larger conferences and more in-depth security training, though these can be more costly.
– How do you go about continuing to develop your professional skills and knowledge?
I read a handful of security blogs, especially blogs about vulnerabilities. Security researchers will often publish their bug bounty reports, or write a blog post about those bugs, which can be very insightful into both the nature of the vulnerability and the methodology used by the researcher.
I also check some of the security subreddits (https://www.reddit.com/r/netsec in particular). These generally aggregate interesting content. Aside from that, I keep in touch with friends in the security industry, both online and in person. Conferences and meetups often have interesting talks and training, which can be a great way to stay up to date.
– Where do you see the trend of security going in the foreseeable future?
This is a tough question, and I think it varies from region to region. I think that any shift where people care more about their own personal security benefits society as a whole, and there is a lot of care about security and privacy in Europe, which is encouraging. But there are also other cases where I think people become desensitized to hacks and breaches. If your information is leaked multiple times in a year, it’s not hard to become exhausted and even lose track of which company or organization has lost it this time around. But I do believe it’s important to avoid a fatalistic view of security breaches. Plenty of companies work constantly to protect their users, and this should be the case. I’m generalizing here, but I think the mindset I’ve seen in Europe is correct in holding organizations to a higher standard of data security.
– What role does privacy play in those trends?
I think, in general, people will value their privacy more and more, and security will improve along with that. It’s easier than ever to build and deploy software, but companies are also investing more and more resources into securing their products. Additionally, there is a thriving information security community, with developers and researchers working to make secure development more accessible. My hope is that a shift of mindset will lead more individuals to take advantage of security resources offered to them, as well as being selective about what services they use, when possible. This would, in turn, motivate more organizations to assign greater importance to security. There have been some rough patches, but I’m optimistic about the future.
– Apart from work, what do you do with your time off?
Outside of work, I enjoy rock climbing, learning new languages, and playing music. I’m currently taking piano lessons and Russian classes. I moved to London a few months back, so I’ve also been spending a lot of time exploring and settling in. It’s a huge and exciting city, so I’m trying to make the most of being here!
And a few pictures from the Slack office that Max shared with us:
See you on 6th & 7th June 2019 in Berlin!