Employee Spotlight: Stephanie Shupe, senior software engineer, on women in tech and writing clean code

In this series we’re highlighting some of our awesome employees and the work they do. In their own words, you’ll hear about our employees’ biggest wins, favorite moments, and reasons for doing what they do. Interested in starting a career at Lookout? Check out our open jobs.

Stephanie Shupe
Senior Software Engineer

Q: Why is what you do important?

A: The most important thing for me is furthering women in technology. That is something I do at work through Lookout’s Diversity Committee and give back to in my personal life as an advisor with Women Who Code. At this past year’s Grace Hopper conference, Sheryl Sandberg noted that while the conference attendance is growing, the actual numbers of women in tech — percentages within companies, acquisition, and retention — aren’t changing. We need to get more support from executives and boards in these tech companies to gain traction here. I’m glad that Lookout actually has a Diversity Committee. We have a CEO who supports our initiatives. Many companies aren’t even thinking about how to tackle this. All these women in tech conferences are great, but we need to start acting, and I’m glad that we have. It’s going to take every company dedicating effort to make a change.

Q: What is one of your favorite projects you’ve worked on at Lookout?

A: Working on our enterprise product has been one of my favorites. I was originally working on our consumer product, but recently had the opportunity to switch over to work on our enterprise product backend. It has been really cool to see how we use our data and funnel it into new products that help people and companies – both are important. Customers are responding to our work. Though I’m technically a backend engineer, I’ve been trying to learn both frontend and backend. My personal goal is not to be an expert in either one, but rather to understand the full stack. Getting to work on the enterprise product has given me an opportunity to do both and it has really helped me feel like I’m moving and learning.

Q: How has your team helped you or what is one of your favorite memories/anecdotes from the team?

A: One of the biggest skills my team helped me learn was testing. I hadn’t gotten into a habit of code testing when I first came out of my boot camp program years ago. I had done a little bit of it, but my team, and Lookout, really demands that code work as well as possible before it ever gets into quality assurance’s hands. They helped me set up tests, which changed the way I looked at writing my code. Here’s how it works: the product team gives us the expectations for that product or feature. You take those expectations and write them into your test. Effectively your code is going to fail all of those expectations at first, but then one by one you make them pass and can rest at the end knowing that your project works the way you wanted. It’s not a complete failsafe, but it’s a cool method of writing code that I learned solidly from my team. The nice thing is, Lookout’s whole engineering organization uses the same kind of methodology, so if you transfer teams like I did, you can carry your coding practice with you. That’s something I’m really thankful for.

Learn more about what it’s like to work for Lookout on our careers page.

How Skyport Systems wants to redefine security in the enterprise

Skyport Systems provides a management system as part of its product offering.

 Image: Skyport Systems

If you were to ask Doug Gourlay for a good model of security at work, he’d likely point you to two examples—the Xbox and the iPhone. There are a ton of them out in the wild, but you don’t often hear about them being hacked.

When it comes to enterprise security, though, it’s a different story. Organizations are spending billions of dollars on security, yet we are still routinely hearing about the massive data breaches in the world’s biggest companies.

The difference is that the systems supporting tech like the iPhone and Xbox were architected with security in mind—they were built from the ground up to be secure.

Gourlay is the corporate vice president for Skyport Systems, a startup that wants to help re-architect the enterprise with security in mind. The company’s SkySecure system brings together hardware, software, and management tools to provide an out-of-the-box solution for enterprise customers to fix the internal problems of traditional architecture.

“The underlying infrastructure, the actual data center compute infrastructure, where we have all our important applications running and store all our data, is fundamentally insecure,” said Stefan Dyckerhoff, managing director of Sutter Hill Ventures, who invested in Skyport.

To build security into the fabric of your organization, it can’t be an afterthought. Gourlay said that money spent on tools like perimeter security is money wasted, as there is no guarantee that it can always be done the right way.

“If you don’t do it perfectly once, you’ve left the door open for somebody to get in that shouldn’t be there,” Gourlay said.

So, their approach is to re-platform for security, with an architecture designed from the get-go to be hardened and secure by default. The Skyport system is composed of two major components: an on-premises server and a management system.

“The reality is that any mid-size company and larger is going to have a blend of on-premises compute and cloud-based compute,” Gourlay said. “And, the on-premises compute are usually the things they care the most about from a security perspective.”

 Image: Skyport Systems

With this in mind, they wanted to ensure that the workloads clients cared the most about would be the ones that they would be able to secure the best. With their x86-based server, Gourlay said they reduced the attack surface, got rid of some of the extraneous ports, and gave it a few extra processing capabilities and a built-in firewall. Here are the specs:

  • 2x 8-core Intel Xeon processors
  • 2.4 GHz (E5-2630v3 “Haswell”)
  • 128 GB ECC DRAM (DDR4-2133)
  • 2x 960GB SSD
  • Zero Ports / Tamper-Resistant Chassis

And, here are the specs on the I/O controller:

  • 40 Gb/sec Flow Processor
  • 2x 1/10GbE SFP+

Out of the box, the first thing the server will do is call home and connect itself to the management system. Once it comes online, the hardware verifies all the software and calculates whether or not the software has been altered before allowing it to run. From the time of its manufacture, the hardware, firmware, and software are all continuously validated.

Everything possible is encrypted, signed, and validated, Gourlay said.
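The verify-before-run chain described above, as an added, simplified model rather than Skyport’s implementation: an HMAC key stands in for a signing key held in hardware, byte strings stand in for firmware and software images, and the component names, key and images are all constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for a key that would live in hardware (root of trust).
ROOT_OF_TRUST_KEY = b"constructed-root-of-trust-key"
ZERO_MEASUREMENT = "0" * 64

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def _serialize(digests):
    return "\n".join(f"{n}:{d}" for n, d in sorted(digests.items())).encode()

def sign_manifest(images, key=ROOT_OF_TRUST_KEY):
    """Manufacturer side: record the expected digest of every component and
    authenticate the whole list with the root-of-trust key."""
    digests = {name: sha256_hex(blob) for name, blob in images.items()}
    tag = hmac.new(key, _serialize(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}

def manifest_is_authentic(manifest, key=ROOT_OF_TRUST_KEY):
    expected = hmac.new(key, _serialize(manifest["digests"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])

def verified_boot(manifest, boot_order, images):
    """Device side: hash each stage before it runs, extend a cumulative
    measurement (as a TPM PCR would), and stop at the first altered stage.
    The returned log is what a management system would compare against the
    expected measurement to attest the device."""
    log = {"ran": [], "measurement": ZERO_MEASUREMENT, "failure": None}
    if not manifest_is_authentic(manifest):
        log["failure"] = "manifest failed authentication"
        return log
    for stage in boot_order:
        digest = sha256_hex(images[stage])
        # PCR-style extend: new = H(old || digest), so any change shows up downstream.
        log["measurement"] = sha256_hex(bytes.fromhex(log["measurement"]) + bytes.fromhex(digest))
        if digest != manifest["digests"].get(stage):
            log["failure"] = f"{stage}: digest does not match manifest, refusing to run"
            return log
        log["ran"].append(stage)
    return log

# Constructed golden images and their signed manifest.
GOLDEN = {"firmware": b"firmware 1.0", "hypervisor": b"hypervisor 1.0", "agent": b"agent 1.0"}
BOOT_ORDER = ["firmware", "hypervisor", "agent"]
MANIFEST = sign_manifest(GOLDEN)

def boot_clean():
    return verified_boot(MANIFEST, BOOT_ORDER, GOLDEN)

def boot_tampered_image():
    """One stage altered on disk: the chain halts before it runs."""
    images = dict(GOLDEN, hypervisor=GOLDEN["hypervisor"] + b" modified")
    return verified_boot(MANIFEST, BOOT_ORDER, images)

def boot_tampered_manifest():
    """Editing the manifest to match the altered image fails too: the tag
    cannot be recomputed without the root-of-trust key."""
    images = dict(GOLDEN, hypervisor=GOLDEN["hypervisor"] + b" modified")
    forged_digests = {**MANIFEST["digests"], "hypervisor": sha256_hex(images["hypervisor"])}
    return verified_boot({"digests": forged_digests, "tag": MANIFEST["tag"]}, BOOT_ORDER, images)

if __name__ == "__main__":
    for fn in (boot_clean, boot_tampered_image, boot_tampered_manifest):
        print(fn.__name__, fn())
```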

Additionally, there is a compartmentalization component to help shrink the perimeter around the workloads and provide specific, application-layer protection. The compartment function also provides transparency around workload communications.

The second major component is the SaaS management system, SkySecure Center, which provides both traffic and system intelligence. It logs every transaction in and out of every server under management and every VM under management, every admin login, and every DNS lookup.

Additionally, packet capture helps determine if a workload has been infected, and the system also records who makes policies so users can track any changes to services. Users get full visibility into all system activities, including an audit trail for policy.

Because Skyport is essentially wrapped around an application, Dyckerhoff said, they are in a unique position to collect and correlate data for users. That data can be used to help further refine an organization’s security practices.

“The first thing we chose to do in the product is help the user define the best possible security policy for that application,” Dyckerhoff said.

Many users allow too much in a policy for a given application. But, Dyckerhoff said, Skyport helps them craft a tighter policy that will help further reduce their threat surface.
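How an observed-traffic baseline turns into a tighter, least-privilege policy, and what the excess in a broad policy looks like, as an added example that is not Skyport’s code or log format: the flow records, addresses and rules below are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed per-workload connection log: direction, peer, protocol, port.
OBSERVED_FLOWS = """\
out 10.0.5.20 tcp 5432
out 10.0.5.20 tcp 5432
out 10.0.9.53 udp 53
in  10.0.1.7  tcp 443
in  10.0.1.8  tcp 443
out 10.0.9.53 udp 53
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, peer, proto, port = line.split()
        flows.append((direction, ipaddress.ip_address(peer), proto, int(port)))
    return flows

def derive_tight_policy(flows):
    """Least-privilege allow list: exactly the (direction, peer, proto, port)
    tuples seen in the observation window, with how often each occurred."""
    return Counter(flows)

# An overly broad policy of the kind the article warns about: any TCP port to
# or from any peer on the whole private /8 (None means any port).
BROAD_RULES = [
    ("out", ipaddress.ip_network("10.0.0.0/8"), "tcp", None),
    ("in", ipaddress.ip_network("10.0.0.0/8"), "tcp", None),
    ("out", ipaddress.ip_network("10.0.0.0/8"), "udp", 53),
]

def broad_allows(flow):
    direction, peer, proto, port = flow
    return any(d == direction and peer in net and p == proto and (pt is None or pt == port)
               for d, net, p, pt in BROAD_RULES)

def tight_allows(policy, flow):
    return flow in policy

def audit(policy, candidate_text):
    """For each later flow, record whether the broad and the tight policy
    permit it. A flow only the broad policy permits is excess the tighter
    policy removes, and the natural thing to alert on."""
    return [{"flow": f, "broad": broad_allows(f), "tight": tight_allows(policy, f)}
            for f in parse_flows(candidate_text)]

# Constructed later traffic: two baseline flows plus an SSH connection to a
# peer this workload has never talked to.
LATER_FLOWS = """\
out 10.0.5.20 tcp 5432
in  10.0.1.7  tcp 443
out 10.0.7.99 tcp 22
"""

POLICY = derive_tight_policy(parse_flows(OBSERVED_FLOWS))
RESULTS = audit(POLICY, LATER_FLOWS)

if __name__ == "__main__":
    for r in RESULTS:
        print(r)
```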

According to company literature, the system can be deployed “without changes to the network, application, or OS architecture and operations.”

Skyport Systems got its start in 2013 and has raised close to $40 million in venture capital funding. Interested parties can sign up for a demo here.

Mobile Phone Etiquette

Nothing irritates me more than someone using their phone while talking to me – and it’s not because I think I am special; I just find it so terribly rude. If I ever find my boys doing it then WATCH OUT! I have zero tolerance!

With 90% of Aussies now owning smartphones according to the latest research from AIMIA (The Digital Industry Association of Australia), almost all of us are ‘always on’ thanks to the glorious nature of mobile connectivity. But this mobile connectivity is completely changing our interactions, both in public spaces and private gatherings, and I am not sure I like it!

Many experts believe a new standard of etiquette is evolving to keep pace with our digital society. But has a new digital etiquette really developed or are we just adjusting to lower standards?

The Pew Research Centre in the U.S. recently conducted a study into Americans’ views on mobile etiquette. With American smartphone ownership almost in sync with that of us Aussies (U.S. at 92%), the results provide a lot of relevant food for thought.

Here are the top findings:

  • 77% think it’s ok to use a mobile phone while walking down the street
  • 75% think it’s ok on public transport
  • 80% consider smartphone use to be off limits at family dinners, meetings, church or movie theatres
  • Younger Americans are more ‘ok’ with device usage – no surprise really! 10% of 18-29-year-olds think it’s ok to use a phone in a meeting whereas 2% of 65-year-olds don’t

However, when it comes to face to face interactions, things get a little muddy. While an overwhelming majority (82%) feel that mobile phone use at least occasionally detracts from social gatherings, 89% do it anyway. Among the culprits, 78% reported that their mobile use “contributed” to the group in some way, such as by sharing a picture or sourcing information that could be interesting to the group. Only 30% said they used their phones to separate themselves from the conversation.

So what does this all mean? Without a doubt, the mobile phone has transformed the way we live. Some of us use it with consideration for others but many don’t. I believe that the most powerful way for us to make a lasting change as a society is for us as parents to instil true digital etiquette into our children. Teaching them to be truly considerate of others, the consequences of being addicted to that small screen and the risks of not putting safety before our mobile phones should be top priorities for us as parents.

Sound a bit overwhelming? Don’t stress. In my next blog post, I will outline my top mobile phone etiquette tips to help you get your kids on the right path!

Till Next Time,

Take care

Alex xx

The post Mobile Phone Etiquette appeared first on McAfee Blogs.

Three baseline IT security tips for small businesses

Credit: iStock

When massive organizations like Sony, Home Depot, and the Office of Personnel Management are hacked, they grab equally massive headlines. Yet, while they rarely grab headlines, small and middle-market companies are particularly susceptible to hacks, said Chris Crellin, Senior Director of Product Management at Intronis, a data protection firm, because many SMBs can’t afford to employ a security team, or are uninformed of the risks posed by attackers.

“A lot of companies rely on the idea of ‘security through obscurity,'” said Crellin. “They’re focused on running their business and probably don’t spend a lot of time thinking about hackers.”

These attackers probably aren’t interested in any one particular small business, said Crellin, but they tend to rely on a shotgun strategy. “Small and middle-market businesses are targets because there are so many of them. It’s like a thief in a parking lot looking for one unlocked car.” If your organization is unlocked, he said, you’re a likely target.

Common methods of hacking—phishing, brute-force password attacks, keylogging spyware, and social engineering—can cost small and medium businesses thousands of dollars. According to the National Small Business Association 2014 year end report, both the frequency and cost of small and middle-market business hacks are on the rise. In 2013 the cost of an average cyber-attack for a small business was just over $8,000 per attack. In 2014, that number jumped to over $20,000.

When integrating your service with other web tools, Gary Chou, founder of New York-based incubator OrbitalNYC, strongly recommends using tested and widely-used services. For example, if your company needs to process payments, “don’t try to host solutions yourself,” he advised. “Keeping [services] patched and secure is a full-time job, which can be hard to do as a small business. Use a service like Stripe for payments so that you don’t need to store customers’ credit card numbers.”

Chou had three other basic security tips for small business owners:

1. Don’t assume anything is secure. “If you have something hackers want (e.g. passwords, bank account numbers),” Chou said, “they will find a way to get it. Be selective about the information you choose to store in a database, whether it’s sensitive financial information or confidential data around customers.”

2. Change company and personal passwords regularly. Use a password that is long and difficult to guess. Strong passwords can equate to stronger security. Password managers like 1Password and Dashlane store and manage the keys to websites you visit frequently. A few bucks for an app, said Chou, can save thousands over time.

3. Use Open Source solutions whenever possible. “If you’re building a technology product, the value—and security—of open source projects is critical. [Open source projects] are most likely to find and quickly patch any discovered security flaws,” said Chou. “You can build faster and stay secure on reliable open source code.”

For many small and middle-market businesses the true cost of good security is time. But technology experts like Chou say good security doesn’t have to be expensive, and security best practices can be implemented for free or at low-cost. “Don’t try to simultaneously be a technology company alongside your core business,” he said.

Chris Crellin agrees: “Good security can be expensive, but locking your ‘car’ is free and can save your company a lot of money in the long run.”

Don’t let a penetration test land you in legal hot water

 Image: iStock

Penetration (pen) testing is a valuable way to determine how resistant an organization’s digital infrastructure is to outsider attack. What better way to check a network’s security than giving scary-smart individuals permission to hack it?

The authors of this SANS Institute paper about pen testing — Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Siles, and Steve Mancini — make an interesting point, saying, “The main thing that separates a penetration tester from an attacker is permission. The penetration tester will have permission from the owner of the computing resources that are being tested.”

What exactly does permission mean?

Michael R. Overly

 Image: Foley and Lardner LLP

Employing an outside party to attack an organization’s network while the organization continues normal operation is the only realistic way to test. However, it introduces certain challenges, enough that Michael R. Overly, a Partner and Intellectual Property Lawyer with Foley and Lardner LLP, urges caution when negotiating the contract for a security audit involving pen testing.

If you are wondering what a lawyer knows about pen testing, Overly is not your normal attorney. He has a slew of security certifications including CISA, CIPP, CISSP, ISSMP, and CRISC, has written about information security, and is recognized by peers for his information-security mettle.

Considerations for organizations requesting a pen test

Here are the precautions and considerations Overly suggests in this National Law Review post for companies seeking a security audit.

The organization requesting a security audit should consider having the auditor represented by legal counsel: Doing so will afford the organization an opportunity to protect the audit and its results with attorney-client privilege and under the attorney work product doctrine. Overly also suggests, “Ask to review the report in draft form to make any changes before it is placed in the final form.”

Treat the audit agreement as a professional services engagement: Ensure the work is clearly detailed in a well-drafted statement of work and that all costs are identified. Overly warns, “Beware of ‘scope creep’: new services that are added as the project progresses. Allowing creep may add significant costs and may not be protected by stipulations in the contract.”

Think carefully before permitting unannounced penetration tests: There should be at least some coordination to ensure the operation of critical systems is not disrupted during key operating hours or month-end processing.

Do not permit the audit agreement to create more risk than it is intended to resolve: This means ensuring the auditor assumes an appropriate level of responsibility. Overly offers the following reasons why this is important:

  • Audit agreements normally do not include sufficient language regarding obligations of the pen tester concerning information security and confidentiality.
  • The auditor will have access to sensitive data and details of how the organization secures its systems. That means strong security and confidentiality obligations, plus a level of liability that ensures the pen tester will comply with those obligations.

Overly further cautions, “Beware of auditors who are unwilling to provide reasonable protection for sensitive information.”

Review language in the agreement permitting the auditor to remove data for off-site review: If such activity is permitted, the agreement should make clear the following:

  • The data cannot be made available outside the country (unless specific controls are employed).
  • The auditor cannot remove personally-identifiable data that may be subject to specific laws or regulations without first committing to be bound by those laws and regulations.
  • The auditor cannot take possession of credit-card information unless there is an express need for possession, and the auditing company and/or pen tester are fully compliant with the Payment Card Industry Data Security Standard.

Overly advises, “It is far better, however, to prohibit the pen tester from removing such data in the first place, given its sensitivity.”

Considerations for security auditors

Mark Rasch, in his SecurityCurrent column Legal Issues in Penetration Testing, looks at the implications a security auditor faces when performing a penetration test.

First up, is recognizing that computer crime laws such as 18 USC 1030 come into play. Rasch writes, “18 USC 1030 makes it a crime to access or attempt to access a computer or computer network without authorization or in excess of authorization. What constitutes ‘authorization’ and who can authorize such access can quickly get muddy.”

“So the lesson learned here is that penetration testing, even when authorized, can result in a host of legal trouble,” continues Rasch. “The pen tester should obtain a ‘get out of jail free’ card from the customer, specifically indicating not only that the pen testing is authorized, but also indicating that the customer has the legal authority to authorize the pen test.”

Rasch offers the following suggestions for what else should be in the contract:

  • Indicate what the auditor will do (and will not do) and the range of IP addresses, subnets, computers, networks, or devices that will be the subject of the pen test.
  • If a software review is being asked for, ensure the copyright to the software permits reverse engineering or code review.
  • If a pen tester is to test a network in the cloud, permission must be obtained from the cloud provider.
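A scope guard that checks each proposed target against the addresses, subnets and devices enumerated in the contract before any testing starts, as an added example that is not from Rasch’s column: the scope entries use RFC 5737 documentation addresses and an invented hostname, and the exclusion stands in for a device whose owner (such as a cloud provider) has not given permission.

```python
import ipaddress

# Constructed authorized scope, in the shape a contract's target list takes.
AUTHORIZED_SCOPE = {
    "networks": ["192.0.2.0/24", "198.51.100.16/28"],
    "hosts": ["203.0.113.7"],
    "hostnames": ["app.example.test"],
    # Carved out of the ranges above: e.g. a device the customer does not own
    # or a provider-managed system whose operator has not consented.
    "excluded": ["192.0.2.250"],
}

def _compile(scope):
    nets = [ipaddress.ip_network(n) for n in scope["networks"]]
    nets += [ipaddress.ip_network(h) for h in scope["hosts"]]  # single hosts as /32
    excluded = [ipaddress.ip_address(x) for x in scope["excluded"]]
    return nets, excluded, {h.lower() for h in scope["hostnames"]}

def check_target(target, scope=AUTHORIZED_SCOPE):
    """Return (allowed, reason). A target may be an address, a CIDR block or a
    hostname. A block must lie wholly inside one authorized range and must not
    contain an excluded address; hostnames are matched literally (no DNS)."""
    nets, excluded, hostnames = _compile(scope)
    try:
        wanted = ipaddress.ip_network(target, strict=False)
    except ValueError:
        if target.lower() in hostnames:
            return True, "hostname listed in scope"
        return False, "hostname not listed in scope"
    for x in excluded:
        if x in wanted:
            return False, f"contains explicitly excluded address {x}"
    for net in nets:
        if wanted.version == net.version and wanted.subnet_of(net):
            return True, f"within authorized range {net}"
    return False, "not within any authorized range"

def partition(targets, scope=AUTHORIZED_SCOPE):
    """Split a proposed target list into in-scope entries and rejected entries
    with the reason for each, so the decision is on the engagement record."""
    allowed, rejected = [], {}
    for t in targets:
        ok, why = check_target(t, scope)
        if ok:
            allowed.append(t)
        else:
            rejected[t] = why
    return allowed, rejected

if __name__ == "__main__":
    proposed = ["192.0.2.10", "192.0.2.128/25", "198.51.100.0/27",
                "203.0.113.7", "app.example.test", "db.example.test"]
    ok, bad = partition(proposed)
    print("in scope:", ok)
    for target, why in bad.items():
        print("rejected:", target, "-", why)
```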

Sensitive data

Rasch spent considerable energy speaking to the likelihood of auditors bumping into sensitive data. “A successful pen test can result in the pen tester getting into a computer or computer network that they should not have had the ability to access,” he writes. “Also, it may include accessing data or databases that contain sensitive personal information, credit-card information, personally identifiable information (PII) or Private Health Information (PHI).”

Next, Rasch introduces the following must-ask questions when sensitive data is involved:

  • Is the access to the information by the pen tester a “breach” of the database which must be reported?
  • Must the pen tester sign a “Business Associate Agreement” agreeing to protect the data they just accessed?

During an email conversation, Overly brought up a not often thought about consequence regarding sensitive data. “The party conducting the test will gain highly sensitive information regarding the other party’s security measures,” he writes. “If that information were to be revealed to third parties, it could permit a hacker to compromise the tested systems.”

Like most things, the actual work almost seems easier than all the paperwork and planning that must happen before a penetration test even begins. However, a well-worn cliché seems to apply here: “Better to be safe than sorry.”
