Usually, Stijn Crevits’ lips are sealed as DPG Media’s security approach is classified information. But today, the Security Engineer goes off the record. Well, at least a little bit. Let’s tune in on ethical hacking, Security to the Left, and unsolicited advice.
Just like in the movies?
Some say pentesting; others say ethical hacking. Either way, to Stijn, the name doesn’t matter; it’s the thrill that counts. “The search for vulnerabilities, the digging into applications, and then actually finding something that could be of serious danger…” Stijn’s eyes light up. “Not everything I find will make a site like HLN.be go down, but all small vulnerabilities do add up, of course.” Ethical hacking isn’t actually about breaking things; it’s about improving DPG Media’s cybersecurity - find it, fix it.
“Hollywood kind of killed the reputation of ethical hackers. People seem to think that we work in basements on black screens with green digits and always wear black hoodies”, Stijn - who is, by the way, wearing a hoodie during this interview - sighs. “In reality, I’m just like any other colleague here.”
Stijn joined DPG Media in June 2021 as a pentester, but soon his role evolved. He now has a broader focus on everything related to the technical aspect of security engineering.
The quick steps and fast growth that Stijn is experiencing are exemplary for the security team, a young and eager team. “We work with thousands of applications and numerous teams, so there is always something new to discover at DPG Media. As a Security Engineer, you get to know the entire organization. One day, you work with team A on the app of Algemeen Dagblad, and the next, you work on the Streamz video platform with team B.”
The team is amidst a growth spurt, both in numbers (check out the vacancies) and knowledge. “As priorities change, and we take on more responsibilities, we need to upgrade our skills continuously. Also to stay ahead of hackers, of course. And there is plenty of room to do so: we follow AWS training courses, join Akamai programs, learn about DevSecOps - you name it.”
Sometimes, developers are afraid that security solutions will affect the speed of deployments - that is rarely the case.
Application Security and Infrastructure Security
The security team is split into two squads: the Application Security squad and the Infrastructure Security squad. The latter is responsible for cloud (AWS) applications and workspace security. Stijn is a member of the Application Security squad, and his team performs pentests and works on projects like Security to the Left and Akamai’s Web Application Firewall (WAF).
Stijn: “We want to help teams set up WAF to protect their applications even better. It consists of rules and filters to prevent application attacks, including API-based attacks, client-side attacks, and even bots. Let’s say we find a vulnerability in a tool through WAF, but the tool doesn’t have an update available to fix the issue. We can then virtually patch the vulnerability for the time being until there’s an update.”
To the left, to the left
A lot of Stijn’s attention and time go to implementing Security to the Left. “It means that we’re introducing security checks and work during the development phase. We’re moving away from the ‘classical model’ of developers developing an application that security engineers check just before going live. But, that simply doesn’t work in a fast-paced environment like ours. Security shouldn’t be a bottleneck, but you also don’t want to push things live and perform security checks after either.”
So, the solution is Security to the Left. Stijn and his colleagues work with the developers to ensure security isn’t a courtesy check at the end but embedded in the way of working from the get-go. “We share blueprints, tips, and tricks, best practices, tools - anything development teams may need to deliver secure applications. For example, tooling can automatically check source code to find vulnerabilities or outdated software in test environments. If something surfaces, development teams can pick up issues in the next sprint, and unsafe applications never see the light of day.” A bug bounty program is also in place through Intigriti. If someone finds a bug or vulnerability in a DPG Media application, they get rewarded through this platform.
One of the tools that support Security to the Left is Snyk. Snyk finds and automatically fixes vulnerabilities in code, open-source dependencies, containers, and infrastructure as code. Stijn explains: “It scans all code repositories to see if we use external packages that contain vulnerabilities, which version we use, which versions contain vulnerabilities, and much more. We’ll use that data to talk to the different teams and see how we can improve together.”
But, luckily for Stijn, there’s still room for pentesting too, as a pentest is always much more in-depth than the automated solutions. There’s a great deal of manual labor involved, says Stijn. “Many of our applications are connected, and sometimes it’s that connection that causes issues. You can’t catch that through automated testing.”
Solicited and unsolicited advice
Security to the Left isn’t fully in place yet, but once it is, the security team will still give solicited and unsolicited advice. Sometimes they are called upon for help; other times, they run through the applications with a high impact on revenue to ensure they are secure. An incident could also trigger an investigation. That could be anything from a reported issue through the bug bounty program or news of a cyberattack on a competitor.
The security solutions - or interferences, depending on who you ask - aren’t always welcomed with open arms. “We’re marketers too, if you think about it,” Stijn says. “Some developers have perfected their way of working, and we have to convince them of the added value of our security solutions. They are afraid that changes or rules will affect the speed of deployments - which is rarely the case, by the way.”
Keeping DPG Media safe sounds like a 24/7 job, but the work-life balance is actually really good. Thanks to the many tools and technologies the team has in place, the biggest security risk at the moment is human-error; a colleague who clicks on a phishing link or accidentally installs malware, that sort of thing. As a result of the strong automated security landscape, the team can focus on what’s most important to the organization instead of wasting time responding to minor incidents.
And it allows for plenty of quality time with the family: Stijn has a one-year-old son. “It’s such a good age,” he smiles a slightly sleep-deprived smile. He quickly adds that the broken nights will pass - right? “I’m very satisfied with how DPG Media allows me to have a healthy work-life balance. It was something that I had already discussed in my application process, and it works out perfectly for me. I usually start my days taking care of my son and then start and end work a bit later. Some of my colleagues start early, so our combined availability spreads out nicely over the day.”
If you’re keen to join Stijn’s team, the typical vacancy text buzzwords are all applicable. Be flexible, be communicative, be a team player. “In our team, we look at everyone’s capabilities, likes, and dislikes. So we have the freedom to divide the work among ourselves, which is great. For example, I started as an ethical hacker but moved towards Application Security Engineer. Others may choose a different path, and that’s fine too, as long as you remain flexible. I mean, you may want to be a Google Cloud expert, but we work mainly with AWS, so that’s simply not going to happen soon. But if your ambitions align with the companies’ ambitions, anything is possible.”