If the idea is good, the sky is the limit
Lead Systems Engineer Michael Ustrup is a true unicorn of software security, and his entrepreneurship and expertise have brought great projects to life. The crown jewel is the course “Building Security In”, where Systematic’s developers and architects learn to build security into projects even before the first line of code is written.
In large parts of the IT industry, there is still a “penetration and patch” approach, where you only work on software security once the product has been fully developed. This often leads to treating the symptoms rather than the root cause of a problem, according to Michael Ustrup, Lead Systems Engineer specialising in software security.
“Even companies that are ahead of the game are still designing software solutions while leaving security considerations until the very end. For them, security is a bulletproof box built around the finished product. However, a more reliable approach is to include the security aspect from the start, so that it’s woven into all phases of the development life cycle,” explains Michael.
He therefore came up with the idea of developing a course to teach Systematic’s software developers and architects processes that include security in all stages of product development – from the first line of code to client implementation.
“The management team welcomed my idea. They saw the need for the solution I presented. When it comes to software security, it’s very important that everyone is on board; people need the knowledge and tools to do the job, and that requires you to invest in your employees. With this in mind, I was given the green light to start the project,” says Michael enthusiastically.
The course is called “Building Security In” and is available in two versions designed for architects and developers respectively. Michael has already seen more than 150 of his colleagues take the courses, and more are waiting to begin. So, he’s in the process of coaching others to also be able to teach and pass on the valuable knowledge.
His colleagues have given positive feedback on the courses, but Michael is still looking for suggestions so he can further improve the content. For him, the courses are an important element in his and his colleagues’ development and an obvious opportunity for those with a particular interest in the security domain to advance in the field.
More about Building Security In
In essence, the “Building Security In” course teaches employees how to “Shift Security Left” in the software development lifecycle. The course covers topics such as security models, information security, threat modelling, secure design and coding practices, and security tools.
A great opportunity to enhance one’s skills
For those who can’t get enough of threat modelling and defensive coding, it’s possible to take the next step and become part of the “Systematic Security Red Team” that was founded by Michael. It consists of a select handful of passionate specialists who can offer colleagues help when they need it. The team become ethical hackers and try to breach their colleagues’ systems to check if the security protocols can hold up. If not, they help to find solutions to the problem. This further increases the security level of Systematic’s products, so Michael is pleased to be able to realise the concept.
“Systematic is a good place to express your interests and abilities. If you have the drive, most things can be done,” he says.
After developing the security projects in parallel with his normal tasks, Michael has reached a milestone: now 50% of his working time is officially earmarked for Building Security In. He also devotes some of his working hours to taking a Master’s degree in IT security as a follow-up to his Master’s in computer science.
“Not everyone is lucky enough to be able to change their job content so much, but Systematic could see the benefit of my ideas, so they gave me the time to realise them. If others come up with another good idea, I think they’d experience the same positive reaction,” he says encouragingly.
He therefore urges people to dare to think big:
“There are plenty of opportunities to enhance skills within the field you are passionate about. If there’s a need, you can also kick-start something completely new – I’m living proof of that.”