What’s it like working to secure one of the most transparent organizations in the world? To be a security practitioner in a highly iterative and agile environment? What does that look like and what kind of people thrive in that environment? It takes a certain individual... curious, analytical, collaborative and dedicated. Of course, there’s more than meets the eye when it comes to our GitLab Security team; they also tackle the hard topics like the age-old 'Is a hotdog a sandwich?' debate, Vim vs Emacs, and Linux distros.
We take securing the GitLab product and service and protecting our company very seriously. But, we try not to take ourselves too seriously. We hope you learn something new in this series, but that you enjoy yourself too.
Name: Alexander Dietrich
Title: Senior security engineer, Automation
How long have you been at GitLab? I started in September 2018
GitLab handle: @adietrich
Connect with Alexander: LinkedIn
Tell us what you do here at GitLab:
I create tools for the security department to automate tasks that were previously done mostly manually (or not at all), so we can perform our work more quickly, consistently, and (I hope) delightfully. Security teams are rarely large teams, and security automation focuses on scaling the team.
What’s the most challenging or rewarding aspect of your role?
Nothing I have worked on so far has been cookie-cutter; there’s a continuous flow of new technologies to learn and use cases to cover, which I find challenging and rewarding at the same time. GitLab is a cloud native company, so having the full range of services at our disposal to solve a problem can be tempting (and potentially overwhelming), at which point it’s good to remember our value of efficiency and go for the “boring solution.” Your team members will be much happier too, when your PagerDuty, Slack, and GitLab integration is only a few lines of Python running serverless and just works.
And, what are the top 2-3 initiatives you’re currently focused on?
- Making sure we meet our remediation goals for security issues, i.e. through automated escalation (if necessary). Some examples:
- Reducing friction for our application security engineers: An example would be the automated import of HackerOne reports directly into GitLab issues or improving our engagement with HackerOne reporters through automated updates and responses.
- Laying the groundwork for GitLab’s Zero Trust initiative; currently, I’m focusing on building onto our SSO solution.
How did you get into security?
I have been following IT security topics for many years from a defender perspective, due to running things on the internet and an interest in privacy-enhancing technologies. Professionally, I switched to security from a regular software development position, when my previous employer needed a dedicated security team for their development organisation. Suddenly I was responsible not only for secure software development practices, but also awareness of potential threats to our services stack and operational security of our cloud environments. It was very exciting, and I learned a lot, especially about the value of automation.
In the past decade, how has your area of expertise changed?
Significantly, I started out writing software that was sold in boxes in stores (remember those?) and saw the entire business shift to “cloud native,” with me changing focus from writing software to making sure that software is written and operated securely. Being able to apply my general security-mindedness at work was a great opportunity, and it’s kind of funny to see the trend for security to “shift left,” towards where I’m originally coming from. Nice meeting y’all!
From the perspective of your role, what’s GitLab doing better than anyone else in terms of security?
When you consider where GitLab is in its evolution, the size and diversity of the security department demonstrates very clearly that security is not an afterthought here. I love being able to focus on my area of expertise and collaborating with teams that are equally well-staffed and dedicated. Initiatives like Zero Trust and the in-house Red Team also show a proactive attitude towards security, rather than just patching the latest vulnerabilities.
What is the most significant piece of security advice you could provide to a colleague or friend?
Use a password manager and generate unique passwords for everything. That way one website losing your data will not put all your other accounts at risk. Keep your systems updated, so you don’t get bitten by security holes that are years old. Ok, that was two pieces of advice.
What do you look forward to the most in security in the next five years?
I’m anxious to see the industry overcome the dichotomy of security and usability, and secure-by-default becoming the new normal. This might take longer than five years, though.
Is there an area of security research you think deserves more attention?
The design of decentralized systems that are secure and usable should receive more attention. When we read about the latest mind-boggling data breach, we often overlook the fact that bad operational security may be one cause, but another is the practice of piling up mountains of data in the first place.
What is something you advocate as a security professional, but find the most difficult to put into practice personally?
Applying the “principle of least privilege” is more difficult than I’d like. Giving a user or service only the required amount of permissions for certain tasks is intuitively a sensible strategy, yet doing this in practice is often hampered by obscure systems or documentation. I have yet to encounter a cloud provider with a permission system that is flexible, easy to use and well documented at the same time. It’s no surprise that software engineers tend to take the shortcut of overly broad permissions in this situation, I’m afraid.
What's your favorite security research paper or thought leadership piece?
I’m going to pick “Tor: The Second-Generation Onion Router,” because it lays the foundation for a system that provides accessible, secure communication for everyone to this day.
Now, for the questions you really want to have answered:
Vim or Emacs?
Vim, because I have at least basic proficiency here. I might dive into Emacs though, if I ever get tired of Linux.
Favorite Linux distro?
I’ve been very happy with Ubuntu, both on the server and desktop, even if they are occasionally a bit “ambitious” with their changes.
Is a hotdog a sandwich?
No, the geometry is all wrong.
Gif or Gif? (Gif or Jif?)
I’m more concerned about people who pronounce “router” incorrectly, to be honest.
What's been your most interesting experience while traveling?
Other than simply encountering a new place, probably tasting dishes and/or drinks I didn’t know before. When we went to New Orleans for GitLab Contribute, I was introduced to a whole range of Cajun cuisine that I had never had, which was amazing.
What is one food or beverage you can't live without?
Who is your favorite superhero and why?
Anyone who comes to the aid of their fellow human beings, even at great personal risk.