Anjana Miyar is a Senior Security Analyst at Riscure North America. Anjana’s specialty is software security testing. Unlike many others, Anjana had no security experience before joining Riscure, which did not prevent her from succeeding. In this interview, Anjana shares what it was like to join Riscure and learn about software security. Anjana also talks about the principles of software security, what the testing process looks like, and current industry developments.
Why did you choose Riscure?
I was actually a Python developer before, back in India, without any background in security. I learned more about it during my studies and after, but just on my own. When I first got interested in the field of security, I started watching a lot of videos, especially on YouTube. At some point, I came across a video from Jasper van Woudenberg, after which I researched more about Jasper and Riscure generally. I then understood that Riscure is very important in the security field and is working on a lot of interesting projects. So after my research, I applied to join the American office, and funnily enough, Jasper was my first mentor when I joined.
What was it like joining a security lab with little security background?
To be honest, at first I was very nervous, as there were all these smart people surrounding me, talking about different hacks. But at Riscure you get help. I had a guide who coached me on things, helped me understand and set my goals for the year, and based on these goals I got training. I still remember that the first training I did was Riscure’s Fundamentals of Secure Coding training, which covers software, code reviews, and the exploitation area, and it covered almost everything I needed to perform certain orders. I also spent a lot of time shadowing people on their projects, and eventually I received feedback that I was ready to work on my own projects.
What is the difference between a security analyst and a senior security analyst?
There is quite a difference. A security analyst is primarily focused on project work. You basically receive a piece of software and attempt to break it. Meanwhile, a senior security analyst also has to manage the team of security analysts and observe the whole project’s progress. There is much more managerial responsibility than for a security analyst. It does not mean that a senior security analyst doesn’t work on the technical side; they are still part of the team and work on evaluating the software. But while analysts might focus on only one component, seniors need to bring it all together.
You can’t become a senior right away; it is something that I was practicing and learning for over a year, to test and to show others that I am capable and deserving of this position. We have a senior coach, and the goals that I set pushed me toward becoming a Senior Security Analyst. This included working on more complex projects, collaborating with other seniors, and leading projects rather than simply doing them.
What is Riscure like internally?
It is a lot of smart people, who are ready to help. Everyone I have worked with over the years is extremely open to giving feedback and helping me improve. More importantly, they always take my feedback into consideration and work on improving our collaboration.
What is it like to work in a fully remote team?
First of all, working from home is a kind of blessing, specifically at RNA (Riscure North America). We recently got a lot of colleagues who are from different parts of the US. Earlier, that would not have been possible, which would make us miss out on a lot of talent. At the same time, we have to connect with our team in Delft anyway, so we are used to online collaboration, which I guess makes it easier to work remotely within the North American team too. We also have company-wide events, twice or thrice a year, where we all meet up to collaborate. For example, we recently had an all-hands where everybody came in. For all three days we brainstormed about the upcoming industries in security and how we can work on innovation research grants. But we also use this time to have fun and just spend time together.
How would you define device security?
There are some misconceptions that I often see. Usually, people think that device security is only hardware security, mainly focusing on Fault Injection testing and Side-Channel Analysis. I thought that myself initially too. It is in fact many different kinds of security, from the hardware and firmware levels up to cloud applications and networking. Knowing this makes device security even more important. Imagine for a second that I am not a security analyst, but just a user. Everyone in the world right now uses some kind of app, for banking or for storing photos. It’s a lot of data on a single device, which creates a very close binding between device and application security. Since everything is digital, it is essential to secure your devices. And that is what the device security industry is all about: the security of both devices and applications, to ensure that there are no vulnerabilities that hackers can exploit to steal user data. It is important for us, it is important for developers, and of course for the user.
What is Riscure’s role in the device security industry?
At Riscure, we not only find vulnerabilities, but we also help companies fix them, and we help them certify their products. Most importantly, we do it before devices hit the market, which allows companies to improve them when needed. As a result, products in the market become more secure. That is our role, to help check and improve the security of devices before vulnerabilities bring negative consequences to users.
What does a software security testing project look like?
When we start on a new project, we first gather all kinds of information about the product, including the documentation shared by the client and publicly available information. After that, we determine the assets that are of value to a potential hacker. We then investigate how they are protected and how they can be broken, basically trying to break them.
My focus is usually on the inputs. When the hacker attacks the target, they need to have some kind of passage to interact with the target, and inputs are usually used for that. As a result, inputs are one of the only ways to access the system.
If we find security issues, it doesn’t mean the product is bad, however. One of the steps of the project is also analyzing the risks. It is called risk rating, during which we determine the value of the asset and the risk of it being exploited. Sometimes the risk can be high but the value of the asset is really low, or the other way around. If the risk and value are low, the client might not patch these problems before moving forward. However, if the risk and the value of the data are high, then the vendor is more eager to make changes to the product before proceeding. Nevertheless, as a third-party lab, we recommend and evaluate, but it is up to the vendor to decide which changes they want to make.
Who needs to consider the software security of their products?
Hardware without software is nothing. Even the hardware needs software to work; it is kind of like the heart of the human body. Hardware needs software to function, and thus software is relevant to everything. Everyone who is working on products like IoT devices or any kind of embedded solution needs to also test and improve the software security of their development.
What is your most memorable project?
My most memorable project is about a watch that I tested. It was a watch device with a payment app. Often, vendors overlook payment apps’ security on smartwatches, so it was really cool to test it for a change. I also like the logic behind such watches, that you don’t need to carry a phone and transactions can be completed with just a device on your wrist. It was a successful and fun project.
What are some of the major challenges in the device security industry in recent years?
New products appear all the time. There is no standard blueprint that shows how to evaluate the product. Every project is different and each product comes with its own challenges and unique properties. So there is no way to predict how the product will behave before the testing process starts. But with experience, we get to understand which path to take to find vulnerabilities and potential exploitation.
What kind of evolution do you expect in the industry and for Riscure in the future?
One of the major developments now is blockchain. Right now, all the banking and payment testing we do is still very centralized. But as more people move towards decentralization, I expect new areas of security to emerge where decentralized solutions become more popular. 5G is also already on the rise. A lot of companies are already implementing it in their developments, but I expect it to rise even further. Lastly, a lot of discussion is revolving around quantum computing.
Not related to new developments, but an extremely important change is that companies are paying attention to security much more than before. Over the last few years, security has become more popular, which leads to more research and more security vulnerabilities being found, and also to companies spending more time on it in the development process. Some may have concerns about the security of the devices, some about their reputation, but the main thing is that more devices are tested and evaluated before they go to market.