Engineer. Technologist. Professionally Paranoid. I have a decade of experience crafting custom security solutions, tailored to each company’s specific product and culture.
San Francisco Bay Area
I am working with some of the best minds in the industry, to secure the next generation of Autonomous Vehicles, and protect lives by helping develop the security landscape of the future. We're building ZTA into the very fabric of our devices, device attestation through hardware-backed identities, and managing complicated PKI hierarchies that assign identity down to a process-specific level.
It's wild.
2021 — 2022
The Security Engineering team at Airbnb focuses on evaluating and measuring risk for all facets of the business. Though I have previously juggled many roles, responsibilities and focus areas in my past jobs, I now turn my attention to zero in and reimagine how Airbnb can programmatically measure risk across the business.
Measuring security is difficult, and often fluffy with its elementary impact vs. likelihood matrixes. However, during my short stint at Airbnb, I developed a quantitative risk model that leveraged a variety of industry yardsticks (with their innate pros/cons), and distilled a data-driven risk engine to identify high-risk areas in the company. This was the infrastructure that other security teams at Airbnb utilized to measure adherence to security best practice, and inform developers how to improve their situation.
San Francisco Bay Area
As a manager, I get the privilege to work with the most challenging (but rewarding!) part of the scalability question: people. After gaining a good understanding of our technical capabilities as a team and company, I turn my attention to how we can scale our processes so that we can effectively cover such a large surface area with a relatively small team.
In this role, I found myself wearing many hats: whatever was needed to maximize the effectiveness of my team. For example:
When I was pulled in to advise on compliance related issues, I worked with legal, auditors and other non-technical teams to draft up a year-long product roadmap. Then, I convinced management to give me resources to build out a team to meet these needs, so that the Application Security team would be able to focus on their charter.
When I had a junior frontend engineer that needed guidance (and no designers to support us), I rolled my sleeves up and built out a wireframe that detailed designs for the next nine months.
When I was recruiting to build out my second team, I designed the standardized interview track (and strategy) for the entire security organization to recruit more specialized candidates. This allowed us to be more efficient when hiring, and hire an additional eight people across the organization.
I believe the only true success metric for engineering management / technical leadership is the accomplishments you see your team achieve, and the processes that persist and continue to improve the company when you leave. While being a manager during 2020 certainly had its challenges, I trust that I was able to positively impact my team and company within the constraints imposed on me.
2017 — 2018
San Francisco Bay Area
Objective: How do we bolster our defense-in-depth measures, and scale it to support a larger organization?
As an organization gets larger, it's natural that complexity follows suit. And with complexity, there is an increasing amount of use cases to consider, as well as systems and teams that integrate together.
Building off the experience gained in a smaller ecosystem, this opportunity allowed me to start thinking at scale: how do we build systems to shore up our defenses against a variety of use cases (i.e. mobile, web, business owners, internal users, other acquisitions), and that can also be easily adopted by other teams? The challenge in this role was the constant trade-off between investing in preventative measures to avoid vulnerabilities from surfacing, or improving reactionary measures to better equip ourselves to handle eventual incidents.
Through this role, I learned to often question assumptions, and think creatively for both attack AND defense scenarios, as both are required for a solid security posture. I also learned to understand new systems quickly, as our team often has to deep dive into various different systems to perform threat modelling, or even patch security vulnerabilities.
2016 — 2017
San Francisco Bay Area
Objective: How do we secure a legacy system, in a fast-paced growth environment?
Application Security defends the products of Yelp, including all user-facing interfaces. While many modern web frameworks provide basic safeguards out of the box, complexities arise when developing custom solutions to protect against OWASP vulnerabilities, yet still preserve legacy behavior.
Through this role, I became proficient in scanning complicated, hairy code for vulnerabilities, as well as learned how to employ creative methods to architect secure-by-design systems to support other less security-savvy feature developers. As the de-facto head of security for Eat24, it was always a challenge balancing the effort needed to migrate existing anti-patterns, or investing that time to design a solution that made those anti-patterns safer to use instead.
Education
University of Michigan - Stephen M. Ross School of Business
Bachelor of Business Administration (BBA)
University of Michigan