Welcome to week one of Checkmarx’s ‘Day in the Life’ Q&A series for Cybersecurity Awareness Month! Aren’t familiar with what we have planned for October? More here!
Have you ever wondered what a typical day looks like for a security researcher? If so, you've come to the right place! We’re kicking things off with Erez Yalon, Checkmarx’s head of security research, to learn more about the path he took to reach his current role, his research process, and his impact on improving software security for today’s organizations and software manufacturers. After all, this year’s Cybersecurity Awareness Month theme is “Do Your Part!”
Let’s dive in…
Thanks for sitting down with me, Erez! Let’s talk a little about how one becomes a security researcher. What was the path that got you to where you are today?
I don’t think there is an exact ‘path’ to becoming a security researcher. If you look at the group of security researchers I’m surrounded by, you’ll see people who started as software developers, gaming developers, penetration testers, and bug bounty hunters. Some paths are more standard than others, and some have surprising twists and turns, but what all security researchers have in common is a curiosity toward how things work and what makes them break.
What goes into being a security researcher? Are there any misconceptions surrounding the role?
Overseeing an AppSec research team within an AppSec organization means that we are a knowledge source to numerous different departments, from R&D and product managers to support and technical services to marketing and management. Our team must constantly be up to date on current events and trends to help shape our product direction and roadmaps.
Research is prioritized in my role in a variety of different ways. Part of it involves uncovering and responsibly disclosing new vulnerabilities and exploit methods that help make software and its end users more secure. The other part involves investigating emerging trends and technologies such as infrastructure as code and API security to help inform and shape Checkmarx’s direction in addressing emerging threats to our customers and partners.
While the traditional role of a security researcher often gets depicted as us being “ethical hackers,” it extends far beyond that. We have a genuine curiosity in all things AppSec and what shapes this landscape beyond just tinkering with and exploring security flaws.
Can you provide an overview of how your research process works? What piques your interest in a particular subject to explore?
Being part of a research group in a software security company means that we handle a lot of different areas of research. Some of it is internal, to ensure we continuously improve Checkmarx’s products; some of it is general, almost theoretical, security concepts to enhance our knowledge and ability to bring awareness to the security community and software industry. Another type of research, which is what you often see in the news headlines, is the external type, where we take an in-depth look at major players in the software industry and evaluate their security posture. This allows us to get a lot of knowledge about how secure today’s apps, platforms, IoT devices, etc. are.
I am not sure I can clearly say what piques our interest, because quite frankly, we are interested in everything. This curiosity is what led each of us to do what we do. With that said, we often prioritize the latest technologies or trending topics since the knowledge gaps are usually bigger around these areas, and our contributions are greater in ensuring end users are secure when adopting emerging platforms and software.
So, would you consider yourself a white hat hacker?
Yes, what we do daily is technically hacking. But, contrary to malicious cyber activity, our efforts are all done with good intentions. The end goal is to gain knowledge and make something or someone more secure, and not abuse the vulnerabilities we find for the purpose of illegal profit. The skills of an ethical hacker are the same as any hacker, moral or immoral. When you are hacking, the motivation and what drives you to do what you are doing will define you as a white hat or a black hat hacker.
In light of this year’s NCSAM theme, what role do security researchers like yourself play in advancing software security practices across the industry?
One of the biggest components revolves around generating and spreading awareness. Whether we’re working to uncover new vulnerabilities impacting a camera within a commonly-used home IoT device, thereby making the vendor and its users more secure, or putting together best practice guides to help developers use emerging programming languages more securely, it all boils down to awareness.
Without awareness, change can’t happen. It’s the first step in helping our industry notice that a problem exists, that it hasn’t been addressed, and that action is needed to turn the tides.
If you had to narrow it down, what are the three most essential skills to being a successful security researcher?
The first is not necessarily a skill, but a trait. A researcher must be curious. But, not just any type of curiosity. The “what if” kind that establishes the base of all critical thinking.
Second is autodidactism. The knowledge toolbox of a researcher is too wide to be acquired just from earning an academic degree, course, or certification. The process of learning is ongoing and endless.
Another important skill for a researcher would be to be able to process your findings and thoughts and present them in a way that other people, with varying degrees of technical knowledge, will be able to understand and translate into actionable decisions.
What does success or a job well done feel/look like to you?
A job well done is enjoyed every time a loop is closed. Be it research that enhanced our products, and in turn improves our customers’ security postures, research that results in a fix of a vulnerability that jeopardized millions of users’ safety, or research that results in a set of best practices that we share with the community and hear is useful. When we learn that something we did made an impact out there, this is where we feel successful.