When you think of Cisco you may not think of Security, Software, or even Cloud and Collaboration – but you should! We are so much more than just routing and switching these days as the world around us evolves, and we continue to push the boundaries as the company who created the infrastructure for the Internet as we know it.
My role at Cisco is to help our customers to use our Security products seamlessly, and I am extremely proud and grateful to have this incredible opportunity.
There was a time, however, at a previous job where something very traumatic happened to me and I have not really spoken about it with anyone – until now.
One of the products I worked on back then as a Software Engineer was hacked.
You can imagine the resulting emotions and fears I experienced because of this experience – who wants to admit that a software they were working on was vulnerable? Knowing that someone managed to replace that original software with another one not meant to be loaded on to the product by taking advantage of vulnerabilities that were indeed present in the software (vulnerabilities that I had all but put there!) was defeating. It was similar to “jailbreaking” a smartphone, so nothing too awful happened to me luckily, but I was still troubled when I realized that my software was not all it could be.
Why have I finally decided to talk about it?
Well, in short, now that I work within Software and Security at Cisco and have completed our extensive trainings – I know I never would’ve made these mistakes if I had received this level of training and awareness back in the day when I was just getting started.
In particular, a learning path known as Cisco’s “Security Ninja” has been incredibly helpful to me. This is a mandatory training for all developers and includes a series of courses with exams that are organized in “belts” with the analogy to martial arts: white, green, blue, etc.
It is extremely well done, and the training content is not only informative, but even funny and entertaining. The martial arts analogy also works extremely well here as the concept is about knowing the mind of the attacker in order to defend yourself vs. attacking first.
During the training we learn about existing attack techniques. Naturally, there are plenty of them, some work to exploit weaknesses in network protocols while others exploit the lack of “input validation” in the developer’s code. For example, did you know about a vulnerability named Smurf?
In this case, an attacker sends an Echo Request in broadcast (i.e. a “ping”) but forges the sender address to that of a victim, e.g. 9.9.9.9. What would happen to the victim, in this case? Yes, you got it: it would be flooded by Echo Replies coming from all the devices in the LAN and it will recall the idea of many small Smurfs self-multiplying in the network! If this is not handled in the right way, it may easily cause overload in the victim’s resources, or in the network itself.
Another important learning is how to use tools to prevent attacks. A fundamental tool for software architects is “Threat Modelling”. This is an approach, where you identify all possible threat attacks in your product, based on the protocol it uses and the inputs/outputs it exchanges with the external world, and then you scan all the measures you’ve applied to mitigate the risks.
But, the two most important lessons I’ve found are that security must be built up-front and part of your design from the beginning, and that “security is a journey, not a destination”, meaning that you’ll never stop learning! Cisco supports this as well as they never want their employees to stop growing or seeking knowledge – how would that help anyone, right?
If you are a developer, or an architect at Cisco you’ll enter this ninja journey as part of your role. You’ll see from the very start how developing a software product is not only about coding algorithms, but also designing security from the early phases onward in your product. This training will become engrained in your day-to-day work, and it will be knowledge that you can carry throughout your career to ensure your products are some of the safest (if not the safest) on the market.
It’s training I wish I had sooner in my career but am so grateful to have now.
Cisco has not only encouraged me to grow and applauded my sense of wonder to continue my education in enhancing my skills, but they have also challenged me to become the developer they (and I) always knew I could be. Yes, I may have made a mistake in the past, but I have learned from that mistake and grown in so many ways beyond it – in many ways, thanks to Cisco’s dedication to Security.
Want to join our amazing teams in Cisco Security or Software? We’re hiring! Apply now.
So glad you loved DevNet in Milan, it was a big effort to organize it and run it 🙂