From Startup Speed To Security Mindset: My Shift From Dev To Infosec

BSides London · 20:27 · 56 views · Published 2026-03

Category: Career
Style: Talk

Transcript [en]

Thank you so much. I'm so happy to see some familiar faces here as well, because I'm slightly nervous, but it's all good. Okay. So, this is my title. I was a dev previously and now I'm in infosec, so I'm here to share a bit about my journey today. While I was trying to find something that could pretty much sum up my whole thing, and maybe send you all out in five minutes even, I was asking ChatGPT, who I have a bit of a love-hate relationship with, to give me a phrase to sum it up, and something interesting popped up. Apparently the security community is supposed to love this. It's a line in a proverb, and it says: "For the want of a nail, a kingdom was lost." Has anybody ever heard this? Yeah. Okay, cool, because it was my first time hearing that and I learned something new.

To pretty much sum it down: there was a horse. The nail from the horse's shoe came off. The horse wasn't able to ride. The rider riding the horse wasn't able to deliver a message to the kingdom. The kingdom lost a battle because there was no message, and the kingdom collapsed. It's quite dramatic, but security is supposed to be dramatic, because it's the smallest cracks and the smallest things that attackers exploit, and it's the smallest little details that we often miss, and it's just out there, right?

So this is my story, a very personal story to me, where I put a lot of effort into one of my projects and it just went bust, basically. One exposed key. For all those of you who are techie: one environment variable in a front end was exposed, and that became a nightmare of a situation. So, hi, I'm Kaye, by the way. I forgot to tell my name, but yeah, I'm Kaye and this is my journey. So, what if one line of code could sink your startup? This is basically what happened to me, right? And it happened at the worst time possible, when we were pitching for a grant that could keep our startup going.

Before I go into this, I'll give a bit of background about myself. It's very normal. I started studying software engineering and did my degree, and straight away after I graduated I went into the startup world. Anybody here who's worked in startups?

>> Yes.

Do you like it?

>> No.

No. Well, it's quite the fast-moving place to be in, right? And that's where I was. Now, personally, I would say it grew me as an individual, because it pushes you, right? It stretches you uncomfortably, but at the same time as it stretches an individual, the company has to also keep going in the same way. In one particular startup that I was working in, the mantra was "ship it fast", right? And you probably know of this. Yeah, okay, cool. And why not, in a sense, because two years after the inception of a startup, if they don't go stable, then it's very rough. So speed is an actual concern. But at the same time as speed is a concern, there are vulnerabilities that come along with it.

But first, let's take a look at what speed actually looks like. So in my case, we used to be told, "Okay, you need to ship it." So we'd break things fast and we'd think about fixing later. And this always came with customization for clients, because we always wanted to please people to get more clients involved. And we'd dabble a bit. We'd try to, you know, change the interface a bit, but there'd be so many things that we'd try to be like, "Oh, we'll fix it a bit later. We'll keep that for later." Or we'd try to point it over to somebody else. Another thing that we'd do is we'd try to fix bugs and stuff like minutes before demos. That's just how fast it is. I'm pretty sure this might ring bells for some of you here as well.

I would say that I was a jack of all trades when I was working in the startup world as well. I had only two hands, but I'd be dabbling everywhere. So I used to do back end mostly, but I did a bit of front-end UI. I used to do a bit of business as well. I used to go pitching, and I used to go writing grants, go-to-market strategies. You name it, I was there. And the thing about being a jack of all trades, again, for yourself I think it's quite good, as a professional you grow. But for the company it's a little tricky. That's a lot of information you're sharing around with everybody. And there was this one particular case where one of our ex-employees still had access to a Jira board where there was a lot of things going on, and we didn't notice that for two months, right? Because not many hands: a lot of work to be done, not many hands. And likewise there were lots of other things in terms of speed. We didn't have many people to look at our code. Not necessarily a lot of people to handle people, stuff like that. So, it was pretty fast.

Now, you might be thinking this is kind of a no-brainer. This is common sense. You shouldn't be doing things like that. You should take it easy, look at things clearly. But what if your hands are tied? You're not the one making the decision. Now I'm speaking from a startup perspective, and these might be things in the corporate world or in a big company as well, but that's a topic for later, and I'll let you all dwell on that and have some personal reflection. But in the startup world your hands are somewhat tied if you are the one working behind the computer and you don't have the luxury of resources and the luxury of time. Where we've been working in the startup world, we were sprinting from one crisis to another, basically, right? And we were trying to just keep on building, refining, pitching; building, refining, pitching, just so that we could breathe for another year.

And at one point we did get to a funding round, and we went to the last stage, but that's when we got a rejection email. So our idea was good. The product was working perfectly. The usability was praised. But that one key, that one secret key that was in our front end, we didn't catch that. It was hidden in hundreds of lines of code, and it was there way before I came. So you can imagine how long it had been sitting there. That's the startup world. There's not a lot of people to look into those things. Maintenance is not a thing, right? And let's just say that it was very frustrating. We lost that round, and it was a lot of late nights at the office going down the drain.

And maybe it was the frustration that I felt, but something in me shifted at that point. See, I didn't want to just be a developer that would build and then hope it would work. I know you've got these memes out there on Google where you have a developer coding and we'd be praying, "Oh, that it'd work," or something, or, you know, "Don't try to break anything if it's working," and stuff like that. But the truth is, that's not a nice place to be at. And I wanted to be a developer that would build something and then guarantee that it will work later on and make sure that it's secure. So that's where my journey from being a developer to going into infosec actually came to.

It wasn't easy, because it meant getting out of the fast lane, and I was so used to the fast lane in the startup world, right? And it also meant unlearning a lot of things and understanding that there were limits to what I know. So I was at a conference yesterday where one speaker, a brilliant entrepreneur, was saying, "Don't let what you know stop you from what you don't know." Right? And I knew dev, I knew coding, but security was not something I would necessarily think about. Of course, the basics you understand: authentication and all of those kinds of things. But the rest, things that are out there, things that are beyond my computer, I didn't give much thought to. So that's when I knew that, okay, maybe it's time to shift my focus somewhere else as well, right? Maybe I don't need to just keep myself here. Maybe I should take a look around at what's happening, because that's where the attack can come from: where I don't look.

So I moved to the UK to study cyber security. I'm currently in my third year, doing my master's at the University of Surrey, and I wanted to know myself. I got involved with everything you possibly can out there. Went for hackathons, CTFs, got myself involved in those. Went for a lot of volunteering stuff, right? For anybody who is looking to volunteer in anything cyber-space, come talk to me. I have a load. I have a spreadsheet full of those things. I can give you all the information on that. And I started learning bit by bit. And this is the thing. I realized I didn't need to have a career or something like that to understand security. I could start from my day-to-day life, from the moment I walk out of the door. Am I using my common sense of how to stay secure, you know, with my phone? Am I leaving it somewhere? Am I taking pictures of unnecessary things and posting them on my social media? Things like that. I realized I didn't need much resource. I didn't need somebody's permission for any of that. I just needed to start somewhere.

So, I started learning. I started getting involved with that. I started networking a lot, which is why I'm here, right? And I can't stress enough how much you really need your own tribe. So, put yourself out there. Go network with people, because when you do fall down, you need people to push you up. I have a brilliant mentor here who's with me today, who has been prepping me up, people like that. So, you do need your own tribe.

So yeah, I started getting into all of that, and then afterwards... oh, and being a developer, well, that was a plus point for me, by the way. I don't know if you know, but the coach who coached the UK cyber team this time, Hani, if you know him, Hani Minia, he once said that it's always best to start somewhere other than in cyber security if you're going into a career based on cyber security, because that could be your foundation into security. Well, that's just a suggestion, food for thought, but I thought that was brilliant, because being a dev was a plus point for me. I was able to understand how a dev thinks. I know the assumptions they make when they work, and I now see patterns, right? So, food for thought.

Getting into cyber security, I understand now how small mistakes, like the really, really small ones that you won't ever think of, or you think, "I'll think about it later," they scale big, right? And I was a developer. I should have understood that in what I do, I was the first line of defense. But I didn't think of it that way. I just did my job. I loved coding, but I didn't think beyond that. And secure habits save time later. So now I'm learning, now I'm doing, and I can't get enough of it. So it's been a good journey.

So, key points before I wrap it up, key points I would take away from today. There's a lot that one can actually fit in, and I'm pretty sure that most of you have heard all of this, right? But before I go to the big one, which is the one that I've highlighted and put in bold: threat model everything. And when I say everything, I mean everything, not just your work, right? To get to your work, though, first get to your personal space first. So understand where you're at and just be aware. You start by being aware of what's out there, and there's no excuse for not being aware at the moment. You've got enough resources out there to understand what's going on. Integrate security wherever you think you need it. Automate basic checks. I know a lot of people are 50/50 here with AI, right? But the truth is the bad guys are not going to think about the 50/50 about AI. They're going to use it to automate their attacks faster than you can think. So you need to think about: am I fast enough to counter that? Again, that's a suggestion, but that's up to you. Think like an attacker early. I do this at times, and it can be quite scary, because it's a bit of a personality switch. But if you place yourself as an attacker, I think you are able to see what you can do and then understand how to defend it. And last of all, don't wait for somebody with a security label or a title to come and do security for you. Right? Security is not someone else's job. It's mine. It's yours, and it's everybody's. And you are the first line of defense for whatever you are responsible for. So always have that in mind.

So that's pretty much my journey throughout. So, if you have any questions, I'd be happy to take them.

>> Yeah.

>> Sorry, I didn't... Did I see how this got there?

>> Hello.

>> Hi.

>> Yeah, my journey was the inverse. I think I actually started as a pentester. I'm currently a developer.

>> Mhm.

>> And I think your point on the automation of basic checks is just the... is, in my head, the line there that's bold. Especially, like, we talk about, or from the developer perspective, you obviously will know, like, setting up your basic pipeline just to automate getting it from source code to customer-facing, right? And working with those integrations is definitely how you make it convenient for everyone. So yeah, I think the question that I wanted to ask especially was: is there any other points, going the inverse of my journey like that, that you think is just such a quick win for the security team, like, to work better with developers and to meet them at their level, or...

>> Yeah. So basically a bridge between security and the developers, right? Yeah. I would again go back to saying that everybody needs to know a bit of what everybody is doing, because it becomes very hard when you're explaining something that's in different terms to different people. So it's always better to understand from the basic things, because as a developer, so you said you're a developer now, you'll understand that when you're coding there are best practices that you do, right? And in that case, starting from there and then expanding on it more, and then basically just being very open with your security team about what you do as well. I think that goes a long way, and just being open there and just understanding, that also kind of bridges the gap of how they understand things as well. So yeah.

>> No problem.

>> We've got another question over here.

>> Yeah, thank you. So I've run a few startups in cyber security but didn't do that transition, exactly for the fact, you know, there's a huge gap between the security and dev community. But one thing is that, and I do understand there's security awareness and education, is that clearly there are things that are related to negligence, that maybe someone will do, or it's not necessarily intentional, and that again goes back to the awareness. But there are things that are just difficult, because, as you mentioned, ship fast.

>> Yeah.

>> As a startup you have to ship fast, because if you don't have a functional product, who cares about the security of it, right? But at the same time you want that product to be secure. So just your thoughts on sometimes just balancing these two...

>> ...is pretty difficult. Just the nature of this thing that we are doing is actually a hard thing.

>> Yeah. I do think that if you disregard security with the whole "ship it faster" mantra, right, it's not going to end well, because this is one example I did give, but we did pitch around for quite a few, and there were the little, little things that were still caught on. And at the end of the day you get a pitch, you do your pitch, you get a grant, right? From there onwards, depending on what kind of grant you get, whether you're going for an accelerator program or... they'll need to see and review your code base. They'll need to check your maintenance and stuff like that. That's if you're going for another step, like with an accelerator program. But if not, like with a one-off thing, even later on, you're going to give out that product to some customer, because that grant is not going to keep you stable for the years to come. That will maybe give you some breathing space, but then later on you need to show that you're getting traction. And then when you're trying to get that traction and get people involved, that's where it's going to pop up in some way or another. So I would say, being in a startup, there's cost involved when you're trying to get extra hands on. So that's why you get interns involved, you get people involved to just, you know, build that, then just go to a level where you're stable. But starting at least with the basic awareness, little things, whether you're a developer, whether you're in the business side of things or whatever, I think again everybody needs to know a bit of what they're doing, and understand there should be some sort of an incident response plan for whatever's going on, and most startups I know don't have that. There should be a basic communication platform that somebody can fall back onto when things go wrong. A lot of startups don't have that. At least a WhatsApp group, even, that says, okay, when things shut down or something happens, let's fall back here and communicate what's going on. But they don't have that, things like that, and that's out there for people to review. I know that the UK Cyber Council and a lot of government bodies put that out, even for startups and SMEs. So reviewing that and getting help would be a good idea to look into. But you do need security, otherwise that bridge... otherwise it's not going to fare well even if you go on for about a year or two. Hopefully that answered your question.

>> Thank you very much indeed. Everyone, put your hands together for Kaylee.

>> Thank you. [applause]