Like many of our customers, NowSecure has also embarked on a DevOps journey to shift left and speed the release cycle of our software. Here at the company, product management, security researchers, developers and devops engineers collaborate to produce our automated mobile appsec testing solutions and understand many of the challenges you face.
The following is the second installment of an occasional Q&A interview series to highlight key roles and responsibilities of our team members who advance mobile security at DevOps speed. In this discussion, we shine the spotlight on Jeff Fairman, senior vice president of product and engineering for NowSecure.
Q: How long have you been with NowSecure?
A: I joined in July 2016, so two years and a few months.
Q: Why did you join the company?
A: In my former position as CTO of the online brokerage OptionsHouse, we had a fairly significant mobile footprint and I was using outside vendors to pen test our applications for overall security posture and vulnerabilities. We’d do this a couple of times a year, which gets pretty expensive. I thought at the time, ‘wow, this really should be automated.’ We were in Chicago and, while NowSecure was just down the street and I was looking for an automated solution, unfortunately I didn’t find NowSecure back then.
When I left OptionsHouse, a recruiting firm presented a NowSecure job opportunity and I realized that the NowSecure solution was what I had been looking for a few years earlier. This has always been an interest and a bit of a hobby for me, and I thought this could be a really good organization.
Q: What do you do in your role?
A: I head up the Engineering, DevOps and Operations side of the house in terms of release management and the CI/CD pipeline, along with quality assurance. Most importantly, I take what our researchers add from a tooling and vulnerability perspective and make it into a SaaS enterprise solution. It is an elegant solution to a complex problem: connecting real devices that security test for vulnerabilities to a high-scale cloud-based SaaS platform. It makes our own CI/CD very unique.
Q: What does your team do?
A: My team of engineers takes the outputs of our research efforts and tooling and develops enterprise SaaS solutions for our customers. Our APIs and UI allow multiple roles, such as security analysts, developers, QA and DevOps teams, to automate the testing of their mobile apps. Ultimately, they see the results as an overall score rating, but users also can dive deeper to see the details of the vulnerabilities, where those vulnerabilities exist, CVSS vector scores of vulnerabilities and ultimately how to remediate. On top of that, we are responsible for aggregating information into dashboards and reporting widgets to enable fine-grained access depending on the user role. I think of our job as creating enterprise-class software utilizing our own core IP, core security research and projects we sponsor such as Frida and Radare.
Q: How does your work support the work of the NowSecure customers?
A: Our solution inherently supports the DevOps pipeline because we are an API-first company. By extension, we have created several plug-ins for systems like Jenkins and CircleCI that allow companies to deeply and efficiently integrate our solutions into their existing security and development workflows — that is unique. We improve an often adversarial relationship between security and development teams and enable them to review app findings in near real time vs. traditional end-of-cycle security testing, which stops the release at the end and forces another dev/QA cycle. But what I think is most compelling about our solutions is the flexibility to work with our products. You can simply work with our UI to upload an app to test or go really deep and integrate all the way through the DevOps pipeline.
Q: What is your typical schedule like?
A: I spend the majority of my time with engineering, sales and marketing talking to customers. I devote significant time to recruiting because we’re a growing organization. In addition, I spend a good chunk of my time working with customers and prospects to explain our technology, its integration, how it can empower and, ultimately, its value. And, of course, I weave customer feedback back into engineering efforts.
Q: What projects are you currently working on?
A: We are architecting and designing what we want to do next and helping create the stories of the things we want to build. In particular, we’re working to unify the workflows across our two cloud products (NowSecure Platform and AUTO) into a single platform, allowing our customers to take advantage of features in a common singular way.
For example, we are enabling customers to pull in apps from third-party stores like the Apple® App Store® and Google Play™ to compare them against what they tested internally prior to releasing to app stores. We are finalizing global app binary support, which enables mobile apps distributed in multiple stores to be tested once for broader coverage and efficiency. We are also expanding our alerts and messaging to push more real-time information to the people who need to know, which really furthers the “shift left” concept of testing security during the build cycle.
Moreover, we will continue to add more plug-ins that will allow deep integrations with tools enterprises already use and love. Imagine the power of utilizing our role-based access and messaging to deliver a near real-time Slack message about a vulnerability and its corresponding remediation to the developer who is working on the app.
Q: How do you lead your team?
A: I tend to be inspirational and encouraging rather than lead with a stick – it’s not always about dates; more often, it’s about the quality and feature set. I have a heavy agile bent and I’m always thinking about what’s next. I’m a bit hands-on too, but I tend to use the agile primitives to drive the process of engineering.
Q: How has the secure DevOps journey evolved?
A: We’ve always had an Amazon EC2 footprint, but have evolved to more of a componentized microservices approach. We use Docker to create catalogs of components that flow back through our CI/CD. We can test, push to staging and if approved, release almost in real time — it’s a very efficient and fluid system.
Q: What has been your experience with the DevOps tool chain and key workflows?
A: We are traditionally a GitHub shop, also leveraging GitLab with a microservices deployment strategy similar to our own. We utilize Rancher to manage and orchestrate a catalog of services. What is powerful about this approach is that it allows us to be fairly agnostic with respect to the cloud provider. For example, we can take our whole cloud footprint as-is and deploy it to customers in an on-premises scenario along with auto-updates, just as we would do for our cloud deployments.
Q: What DevOps metrics should organizations use to measure themselves?
A: From an agile standpoint, we track to a two-week iteration. But as I mentioned, we are flexible too and can nearly autonomously create releases with zero downtime. You want the ability to roll back (hopefully very infrequently) if something breaks and/or have the ability to quickly add a hotfix. Standard DevOps measures we use are deployment frequency (hotfix, regular releases), time to deploy, availability of our service, performance (utilizing Grafana and Prometheus), logging completeness and traceability through tools like Splunk, SLAs, downtime length, issues & issue rate in production and test coverage to name a few.
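The measures Jeff lists (deployment frequency by release type, time to deploy, availability, downtime length, issue rate in production) are easy to name but only useful if they are actually computed from pipeline data. The following is an added example, not code from NowSecure or from the interview, that derives those metrics from a small constructed deployment and incident log. The record layout, the `DEPLOYS` and `INCIDENTS` sample data, and the function names are assumptions made for illustration; in practice the records would come from your CI/CD system and your monitoring or on-call tool.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (hypothetical, not real NowSecure records).
# Each deployment: (deployed_at, kind, commit_at, status)
#   kind   is "release" or "hotfix"
#   status is "ok" or "rolled_back"
DEPLOYS = [
    ("2018-11-01T10:00:00", "release", "2018-10-31T16:00:00", "ok"),
    ("2018-11-02T14:30:00", "hotfix",  "2018-11-02T13:50:00", "ok"),
    ("2018-11-06T09:15:00", "release", "2018-11-05T11:00:00", "rolled_back"),
    ("2018-11-06T11:00:00", "hotfix",  "2018-11-06T10:20:00", "ok"),
    ("2018-11-13T10:05:00", "release", "2018-11-12T15:30:00", "ok"),
]

# Each production incident: (downtime_start, downtime_end), also constructed.
INCIDENTS = [
    ("2018-11-06T09:20:00", "2018-11-06T09:45:00"),
    ("2018-11-10T02:00:00", "2018-11-10T02:12:00"),
]


def _ts(s):
    """Parse an ISO-8601 timestamp string."""
    return datetime.fromisoformat(s)


def deployment_frequency(deploys, start, end):
    """Deployments per week within [start, end), keyed by kind (release/hotfix)."""
    s, e = _ts(start), _ts(end)
    weeks = (e - s).total_seconds() / (7 * 86400)
    counts = Counter(kind for when, kind, _, _ in deploys if s <= _ts(when) < e)
    return {kind: n / weeks for kind, n in counts.items()}


def mean_time_to_deploy(deploys):
    """Mean hours from commit to production (lead time for changes)."""
    hours = [(_ts(when) - _ts(commit)).total_seconds() / 3600
             for when, _, commit, _ in deploys]
    return sum(hours) / len(hours)


def change_failure_rate(deploys):
    """Fraction of deployments that had to be rolled back."""
    return sum(1 for *_, status in deploys if status == "rolled_back") / len(deploys)


def availability(incidents, start, end):
    """Return (availability fraction, total downtime in minutes) for [start, end).

    Incidents are clipped to the window so partial overlaps are counted correctly.
    """
    s, e = _ts(start), _ts(end)
    down = 0.0
    for a, b in incidents:
        a, b = _ts(a), _ts(b)
        if b > s and a < e:
            down += (min(b, e) - max(a, s)).total_seconds()
    total = (e - s).total_seconds()
    return 1.0 - down / total, down / 60


def mean_time_to_restore(incidents):
    """Mean downtime length in minutes per incident."""
    mins = [(_ts(b) - _ts(a)).total_seconds() / 60 for a, b in incidents]
    return sum(mins) / len(mins)


def report(deploys, incidents, start, end):
    """Collect the metrics into one dict, as a dashboard widget would consume."""
    avail, down_min = availability(incidents, start, end)
    return {
        "deploys_per_week": deployment_frequency(deploys, start, end),
        "mean_time_to_deploy_h": mean_time_to_deploy(deploys),
        "change_failure_rate": change_failure_rate(deploys),
        "availability": avail,
        "downtime_min": down_min,
        "mttr_min": mean_time_to_restore(incidents),
    }


if __name__ == "__main__":
    for k, v in report(DEPLOYS, INCIDENTS, "2018-11-01T00:00:00", "2018-11-15T00:00:00").items():
        print(f"{k}: {v}")
```

Splitting frequency by kind matters: a rising hotfix rate alongside a flat release rate is an early signal that regular releases are shipping defects, even when the overall deployment count looks healthy.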
Q: What skills make a DevOps engineer successful?
A: Six or seven years ago, DevOps was evolving. People came from either the operations or build side of the house. And what has happened is that DevOps types have become more sophisticated — I see them as web engineers who have an operational side to them. As well, I see a growing trend to automate security and vulnerability management in the DevOps pipeline so having some security background helps.
People on our team tend to be the glue guys in that they can work on a variety of different things and, in fact, develop if needed. They’re heavy into scripting, getting things to work, understanding how to deploy microservices and so forth; a bit of a jack-of-all-trades.
As one of my best DevOps people says, “a good DevOps person’s goal should be to be lazy; they should set up their build, data collection, monitoring and deployment solutions to be nearly 100% automated so the data comes to you.” Of course, this is a never-attainable goal in a start-up that is producing new and exciting things all the time, but a worthy goal nonetheless.
Q: What personality traits lend themselves to the role?
A: Attention to detail is really important — a person who likes to have a punch list of items and who employs methodologies like Kanban to help prioritize. You should also be comfortable handling a bit of ambiguity and be able to hold your ground with other smart folks in the organization, like engineers and architects, when you are seeing a production issue that they blame on the environment rather than their code.
Q: What do you like best about your job?
A: I have a degree in organization and a degree in computer science and like to think I have this creative bent. If I get bogged down in one area too much, then I tend to get a little bored. NowSecure is in the nice sweet spot where we are growing, have a great product but there is still lots of room to be creative and solve organization and technical problems.
From an organization perspective, I see us on the tip of mobile security, where we have a solid product and the market is catching up to what we can do and offer. I like to think we are pioneers leading the charge (and ultimately a public good) in helping to secure mobile applications in the CI/CD pipeline. I want to see how far we can go. We have customers today who rarely use our UI and push many apps automatically via API through our system. Ultimately, I think we win and have served our customers if we can mold our product around their use cases.
Q: What do you like the least?
A: This is more of a pet peeve, but I don’t like idle meetings from which there are no action items.
Q: What job-related accomplishment are you most proud of?
A: Going back into the way-way back time machine, circa the late ‘90s I worked for a company called WorldStream Communications. I was VP of Engineering for a platform that enabled one-to-many style Internet broadcasts with rich multimedia capabilities to thousands of people (think hangouts on roids with late ‘90s postage stamp video, as everyone was on 56Kbps). Our product was used in enterprise as well as info/edu/entertainment. As it happened, David Bowie came across our product and decided to play music for fans using our platform. While playing and streaming cuts live, and utilizing our real-time polling, he let fans decide the B side of his latest album. To be in his studio and meet DB was simply amazing, let alone David using my software.
More recently, being part of a growing company and team at OptionsHouse, helping really grow the technology and organization, and selling it to a PE firm and then eventually E-trade. The fun was in the build and being able to watch our planning and hard work unfold into a successful brokerage.
Most recently, I was with a G2K customer for the day and realized how big of an impact we have had on their organization. Moreover, to see and really validate the whole “shift left” notion of mobile app security that we believe to be the key to organizations becoming efficient and effective within their pipeline of development and security.
Q: How can others reach DevOps leadership roles?
A: They should have a developer stint under their belt and have a strong operational sense. Adding a splash of QA is not bad, either. In terms of traits, you want someone with attention to detail, coding skills and a desire to own and automate resilient infrastructures. Throw in security minded, too. Once these skills are learned, it’s about being proactive and shifting from a discrete doer to someone who understands but can delegate.
Q: What are your favorite tools of the trade?
A: From a DevOps point-of-view, I really like what we’ve done with Rancher. Docker is an interesting product that we’ve been able to leverage quite extensively. Splunk is an amazing tool to search and find issues and correlate things. Grafana/Prometheus offers a nice way to view trends. There are a whole bunch of tools and I could go on and on.
Q: What personal mobile device do you carry and what are your favorite mobile apps?
A: I’m an iPhone guy – I really like the iPhone X form factor. I use Waze (have to in Seattle traffic), Slack, ESPN and Bleacher Report because I’m a little bit of a sports nut, Spotify, Audible, Amazon and Golf Shot Plus. Maybe a game or two as well.
To hear more from Jeff, please attend our webinar at 1 p.m. ET on Thursday, Dec. 6. Joined by Chief Mobility Officer Brian Reed, Jeff will share best practices for securing mobile app DevOps. You can reserve your spot here.
And for a spotlight on other people of NowSecure, check out our interview with Senior Security Research Engineer Francesco Tamagni and continue to watch this blog.