When it comes to cybersecurity, it can be difficult to know whether a security product is working or not. After all, it's not until there’s a problem — say, a hack or data breach — that it comes front and center, said Robert Evans, a software engineering manager at NSS Labs.
But the team at NSS Labs believes it shouldn’t come to that. The company works with clients to test their cybersecurity products, identifying vulnerabilities and determining which security tools work best for each company's needs.
“Decision-makers in enterprise environments need to know that their security investments are actually paying off,” Evans said.
We spoke with four NSS Labs engineers to learn more about how they’re working to make cybersecurity more transparent.
EMPLOYEES: 100 national; 90 local
WHAT THEY DO: NSS Labs provides cybersecurity guidance and information to enterprises through its Continuous Security Validation Platform. They test cybersecurity products to provide business leaders with a real-time scorecard to substantiate their security investment.
WHERE THEY DO IT: Austin
NERF WARFARE: The engineering team keeps things fun with an ongoing Nerf war that can spring up at any moment during the day.
Jayendra Pathak, Chief Architect and Head of Offensive Research
Jayendra Pathak and his team research new and existing cyber attacks and then incorporate those attacks into test methods.
BEYOND WORK: Jayendra relieves stress by flying drones.
What is the breakdown of your day? What’s unique about it?
Most of our day is spent analyzing requirements, reading research reports and then formulating a plan for a short proof of concept. It’s never boring, and every day is a new learning experience.
What problems are you solving in the cybersecurity industry?
There are so many cybersecurity products advertising what they do, it makes it difficult for the enterprises that are buying these products to verify the claims. NSS Labs independently tests cybersecurity products to make sure that claims are valid so that enterprises can make the right decision.
There are so many cybersecurity products advertising what they do. It makes it difficult for the enterprises buying these products to verify the claims."
Does your team have a reputation within the company? What is it? How did you earn it?
We have a reputation in terms of creating interesting attacks using our own in-house tools that stress the security of various products. We earned our reputation by exposing the limitations of the products.
Robert Evans, Software Engineering Manager
Evans leads the back-end development of the Continuous Security Validation Platform. He architects designs for new features, collaborates with engineers on delivering those features and writes code.
BEYOND WORK: He’s an avid golfer who competes in amateur tournaments throughout Texas and the U.S.
You work with more complex technologies, applications and tools than you would at most other companies. How does that help you accomplish your goals in cybersecurity?
Our primary job is to fairly and adequately test security products for multiple vendors in a given product category. For each vendor participating in the test, attacks must be concurrently delivered at the same time.
Our software must be resilient enough to deliver automated attacks and monitor the results of those attacks — what processes were spawned on the OS, what network connections were made, what registry modifications were made? Working on the BaitNET teams gives developers the opportunity to solve these fun challenges head-on.
What challenge keeps you up at night? How is your company overcoming them?
We’re trying to increase visibility into how cybersecurity controls are performing for our enterprise customers. Decision-makers in enterprise environments need to know that their security investments are actually paying off.
Security is often swept under the rug until something bad happens, and then it is front and center. NSS Labs is improving the entire industry by scientifically and objectively testing these security controls in a continuous manner. We replicate a customer's security controls and automate attacks against them, which gives us the information needed to report where they may be vulnerable.
We’re trying to increase visibility into how cybersecurity controls are performing for our enterprise customers."
Tell us a moment during an interview when you knew a candidate was the perfect hire. What sold you on him or her?
We're always looking for candidates with excellent object-oriented engineering expertise with a focus on craftsmanship. During the interview, we require candidates to complete some on-the-spot coding exercises.
The value of a clean coder cannot be overstated in our environment. With our most recent senior engineer hire, his ability to knock this coding exercise out of the park was what really sold us on him. He quickly wrote an executable program and reached an optimal solution within minutes. When asked to refactor the solution, he provided excellent next steps in terms of where he would take the code if this were a production project. His ability to articulate a solution and implement it quickly led to our making an offer.
Tim Otto, Domain Manager, Security Architect, Network Test
Tim Otto leads a team of hackers in the quest for making the internet a safer place. To that end, Tim and his team work with network security vendors to help identify problems that could cause issues for their customers, as well as test and rate solutions.
BEYOND WORK: Tim enjoys learning as much as he can — any topic is fair game.
Tell us about your background. What attracted you to NSS Labs?
I think of myself as an old-school nerd. I started working on computers because my teachers had trouble reading my handwriting. I discovered the world of hacking in the AKA bulletin board systems through a friend. I built my first network by dumpster diving for old computer parts, combined with 10BASE2 and terminating resistors from RadioShack.
About seven years later, I moved to Austin and worked at a network security vendor at 19. I started in support and moved to the security team and then to competitive analyses. I then joined NSS Labs, where I got to test everyone’s products. Now, I’m a technical manager running not just one test, but many.
Is there a moment during an interview when a candidate stood out? What did they do to impress you?
During one interview, a candidate could not answer all of the questions, but it didn’t matter. We started talking about the projects they did on their own time. I find it very interesting what people do outside of work. Someone who does this stuff on their own without pay shows their passion for the work. That aptitude and attitude matter more than anything.
Someone who does this stuff on their own [...] shows their passion for the work. That aptitude and attitude matter more than anything."
What’s the team vibe? How do you keep things light on the engineering team?
We have Nerf gun wars on the floor with an arms agreement that does not allow for escalation beyond the bounds of Nerf. This treaty does not cover modification to the Nerf guns, so some are heavily modified. The floor is an open firing range, and there are often waves of Nerf rounds going back-and-forth. This helps break up the day and provides a welcome distraction.
Anthony Dodd, Systems Architect, Principal Engineer and Manager of the Cloud Platform
Anthony Dodd leads the Continuous Security Validation engineering team, which builds and maintains the control panel for the company’s platform along with the API and data layer the platform utilizes. His team built out a series of Kubernetes environments to accomplish this.
BEYOND WORK: Anthony enjoys the technical challenge of bouldering.
What advantages do the complex technologies and applications you work with provide? What about the challenges?
We’re fortunate to have the flexibility to make informed decisions about the technologies we choose to use. Being able to choose technologies like Docker, Kubernetes, Node and Rust have enabled our team to architect a system according to modern engineering principals.
However, building large, distributed, microservices-based systems comes with its own set of challenges. Difficulties with visibility into the inner workings of the system can be tough, so we use OpenTracing to help mitigate this issue. It can also be a challenge to scale based on custom KPIs per service, but we’re able to leverage Kubernetes and Prometheus to solve the challenge.
How does the company help its engineers learn these technologies?
Many of these technologies are quite new and not many engineers have practical experience with them. A large portion of my responsibilities has been to disseminate the knowledge and experience I have working with these technologies to the rest of the team. Last year, a few members of the team attended DockerCon here in Austin.
The world of software evolves rapidly, so software security must evolve even more rapidly."
Where do you see the industry of cybersecurity going in the next several years? Where will your company fit within that shift?
The world of software evolves rapidly, so software security must evolve even more rapidly. NSS Labs is in an interesting position to act as an unbiased observer of the efficacy of security-related devices and products. As technology continues to move forward — even as we branch into the world of commoditized quantum computing in the future — NSS Labs is able to continue developing new methodologies on testing and determining the efficacy of security devices everywhere.