Eslam is a security professional with experience in web application security and testing. He provided consultancy to a wide range of organisations before joining Founda in July 2021, and has worked since then as an in-house security engineer. This is quite an uncommon role in the early stages of a startup. In this article, Eslam explains his work and the culture of security at Founda.
“I’d like to describe it as bringing the hacking mindset into the processes that we run. I identify the processes and find possible weaknesses, and recommend to the team how to tackle those. There are risks in a development lifecycle; my role is to create an understanding of those risks and advise the team on how to integrate security into this process. That also means putting security standards in place to ensure the security of the platform.”
“Founda puts security as a top priority; it is nice to be part of an organisation that takes security seriously. It is good to establish a strict security baseline. From the very beginning, we have been in control of that.”
“Yes, it can vary between companies, but often there is no one to check the security side of things in the background to ensure a high level of security is in place. But the development process needs to be reviewed and secured. Many companies don’t do that because they lack the funds or don’t see the importance of implementing additional security measures.”
“The challenge, when communicating the security controls that should be put in place, is that I have to find the right balance so as not to interrupt the development process, but still build a strong cultural awareness of security. It’s interesting to think as a team about security risks.”
“The reason I’m not in a team is because I need to find vulnerabilities in all aspects of the platform, not in one specific team. The teams react very fast, and there are quick meetings to run through identified risks and the ways to solve them. If there are any vulnerabilities, they are always fixed right away.”
“At Founda there is a complex environment with a variety of technologies being used. I need to have an overview and understanding of all vulnerabilities in all technologies used, and of course come up with solutions. Apart from possible product-related security issues, we also need to consider Founda as an organisation; everything is included in the security process.”
“The process starts from design and goes to release; I will look at the design and go through the possible risks and recommend solutions. When the code is written, I review the security of the code and identify possible vulnerabilities, and then work with the development team to fix them. Before releasing the code, we will do a pentest – a simulation of a hacker to see if we can compromise a certain function.”
“The results of a penetration test show the current security state of the platform. It gives an insight into what a malicious hacker can do from an external point of view and whether he can gain access to certain systems. With these results, we can take actions to mitigate any possible risks.
This means that the team can focus on developing the product, without losing track of security related issues.”
“To put it in a simpler way, instead of thinking from the user’s point of view, we ask the question of what a hacker can do and what hackers are looking for.
Healthcare data is extremely privacy sensitive, so our platform needs to be as safe and secure as possible. Thinking like a hacker forces us to actively think about the possible security risks, and take steps in advance to avoid them.”
“There are tools that can be used to catch the low hanging fruit, but bigger and deeper issues need to be found manually. This takes time and dedication. That’s why an in-house pentester is very beneficial for a company – their full attention goes to the security of the whole company, not just one project.”
“Pentesting is done continuously. We have planned manual testing periodically, in combination with automated testing during development.”
“Yes, we’re constantly testing the environment to make sure that there are no security issues. By doing so, we ensure a safe and secure integration – both during the development phase as well as in production.”
“In consulting you deal with different customers; this means that with each project you have a timeline, and you need to get used to the environment of the customer within a short time period. In contrast, at Founda, I’m involved in the development of the environment, from doing threat modelling to reviewing the code and testing it.
In addition, the team always has a security expert to reach out to, so a good relationship of trust is established. The same goes for our clients in healthcare – they put trust in us that we will secure the transit of information between the Founda environment and theirs.”
“It is our responsibility to build a secure platform.”
“Security engineering is very critical in building any platform. There are lots of responsibilities entailed. At Founda, I get to participate in the whole process from start to end. Instead of finishing one project after another, there’s the chance for me to really help build something big.”
“I’ve worked in healthcare before. In healthcare the risks of data exposure are critical and it is important to make things secure and ensure privacy. I get to secure the data and be part of Founda’s mission to unlock the best possible care by bringing innovation to healthcare.”
“Every system has weaknesses; how you set up a connected system like fire alarms can have an influence on compromising a network. But if you have a secure architecture built on zero trust, then you can rule out these types of risks. All in all, we work more and more in an age of connected systems and IoT technology – the internet of things. As long as there are connected devices sharing data, there are risks of a data breach.”
“Yes! Every day there is something new; I get exposure to all kinds of technologies in an exciting field. I never get bored, and I work with a very enthusiastic team.”
Do you like Eslam’s story and want to join the Founda team? Check out our open positions on our career page!