The Modern Security Engineer’s Toolkit

Traditional security teams were once seen as roadblocks – the infamous “department of no.” Today, we embrace the “shift left” philosophy, embedding security early in the development process. This represents a fundamental mindset shift: security is not an afterthought, but an integral part of the entire development lifecycle. By shifting security upstream, we detect vulnerabilities earlier, reduce costs, and build more resilient systems from the ground up.

In my journey from conducting manual security reviews to orchestrating automated security pipelines, I have seen this evolution firsthand. The most effective security engineers today do not just identify vulnerabilities — they collaborate with development teams to integrate security into the foundation of every project, fostering a culture of continuous improvement.

The Modern Security Engineer’s Toolkit

Success in today’s security landscape requires a strategic blend of skills and tools:

  • Cloud & Infrastructure Security: A deep understanding of cloud security across major platforms (AWS, Azure, GCP) is essential, along with expertise in securing containerized environments (e.g., Kubernetes, Docker). This is more than just checking boxes; it is about architecting secure, scalable systems that can adapt to the dynamic nature of cloud-native environments. Infrastructure as Code (IaC) tools like Terraform have also become integral in automating cloud infrastructure deployment while ensuring consistency and security. By defining infrastructure using code, teams can apply security best practices directly in the deployment process and version control, reducing human error, and increasing the security of cloud environments.
  • Automation & Integration: Security must be seamlessly integrated into CI/CD pipelines. Manual processes are no longer scalable in rapid development cycles. Leveraging IaC tools to automate secure cloud infrastructure provisioning is a key part of this, ensuring consistency and security throughout the infrastructure lifecycle. Beyond infrastructure, automating tasks such as vulnerability scanning (e.g., using tools like Snyk), compliance checks, and threat intelligence feeds within the CI/CD pipeline vastly improves security posture. For example, automated container scanning can detect vulnerabilities early, reducing production risks. This comprehensive approach to automation, from infrastructure deployment to application release, strengthens security at every stage.
  • Incident Response: When incidents occur, calm precision is essential. Modern security engineers do not just react to threats; they build proactive, automated systems for swift detection, response, and recovery. Technologies like SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platforms streamline incident response, enabling faster mitigation and reduced impact. Furthermore, AI-powered threat detection and machine learning are transforming how we identify and respond to attacks, helping to detect anomalies, predict potential threats, and automate responses at scale.

Beyond Technical Excellence

While technical skills are crucial, soft skills can make you stand out as an exceptional security engineer. I have observed brilliant engineers struggle to effectively communicate with stakeholders, which can hinder progress. The ability to translate complex technical security concepts into business value is invaluable — especially when working with non-technical teams or executives.

Charting Your Path

For those looking to thrive in security engineering:

  1. Master the fundamentals of cloud-native security, including securing microservices, containerized workloads, and multi-cloud environments.
  2. Develop a strong automation mindset, seeking ways to integrate security into every step of the development process.
  3. Cultivate strong communication skills to bridge the gap between technical and business teams.
  4. Engage with the security community to stay on top of the latest threats, tools, and best practices.
  5. Pursue hands-on projects to test and refine your skills, whether through internships, personal projects, or contributing to open-source security initiatives.

Looking Forward

The security landscape is continuously evolving, with concepts like zero-trust architectures, supply chain security, and AI-powered threat detection reshaping our approach. While the technologies will evolve, the core principle remains the same: security is a journey of continuous adaptation and learning.

Feel free to connect with me if you would like to share your experiences or insights. Our field thrives on collaboration and the exchange of knowledge.

NIST Announces the End of RSA and ECDSA

In a significant shift for cyber security, NIST has announced the deprecation of the RSA, ECDSA, and EdDSA public-key algorithms by 2030, with a full disallowance by 2035. This transition, outlined in NIST IR 8547 (currently in draft), is driven by the growing quantum threat and sets a clear timeline for organizations to update their cryptographic systems.

While there may not yet be cryptographically relevant quantum computers that threaten current levels of security, these long-standing public-key algorithms are vulnerable to Shor’s algorithm on such future quantum systems. NIST-approved symmetric primitives providing at least 128 bits of security, on the other hand, are unaffected by this change.

NIST has posted a transition schedule for post-quantum cryptography (PQC), outlining key milestones to help organizations adopt quantum-resistant algorithms. The three PQC standards intended to strengthen modern public-key cryptography infrastructure for the quantum era are ML-KEM, ML-DSA, and SLH-DSA.
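As an added illustration (not from NIST or the original post), the timeline above can be applied to a cryptographic inventory by flagging RSA, ECDSA, and EdDSA keys or certificates that are relied on past the 2030 and 2035 milestones. The inventory rows, the function names, and the decision to compare on calendar year are assumptions made for this sketch.

```python
import re
from datetime import date

# Milestone years as stated in the post; comparing on calendar year is an assumption.
DEPRECATED_YEAR, DISALLOWED_YEAR = 2030, 2035

# Algorithm identifiers are spelled differently by different tools, so match loosely.
QUANTUM_VULNERABLE = re.compile(r"rsa|ecdsa|eddsa|ed25519|ed448", re.I)
POST_QUANTUM = re.compile(r"ml-?kem|ml-?dsa|slh-?dsa", re.I)
SYMMETRIC = re.compile(r"aes-?(\d{3})", re.I)

def family(algorithm: str) -> str:
    """Map an algorithm identifier to one of the categories the post distinguishes."""
    if POST_QUANTUM.search(algorithm):
        return "post-quantum"
    if QUANTUM_VULNERABLE.search(algorithm):
        return "quantum-vulnerable"
    m = SYMMETRIC.search(algorithm)
    if m and int(m.group(1)) >= 128:
        return "unaffected-symmetric"
    return "unclassified"  # not recognised here: needs manual review

def status(algorithm: str, in_use_until: date) -> str:
    """Return the migration status of one inventory entry."""
    fam = family(algorithm)
    if fam != "quantum-vulnerable":
        return fam
    if in_use_until.year > DISALLOWED_YEAR:
        return "migrate: in use past disallowance"
    if in_use_until.year > DEPRECATED_YEAR:
        return "migrate: in use past deprecation"
    return "ok until expiry"

# Constructed sample inventory: (name, algorithm, last date the key or cert is relied on).
INVENTORY = [
    ("web-leaf", "sha256WithRSAEncryption", date(2026, 3, 1)),
    ("internal-root-ca", "ecdsa-with-SHA384", date(2040, 1, 1)),
    ("code-signing", "Ed25519", date(2032, 6, 30)),
    ("firmware-signing", "ML-DSA-65", date(2045, 1, 1)),
    ("backup-encryption", "AES-256-GCM", date(2045, 1, 1)),
]

def report(inventory=INVENTORY):
    """Classify every entry and return {name: status}."""
    return {name: status(alg, until) for name, alg, until in inventory}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:18} {result}")
```

Long-lived entries such as root CAs and signing keys surface first in this kind of report, because their validity periods already extend beyond both milestones.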

The proposed timeline is expected to significantly influence the industry, with global attention now also on the European Union’s position on PQC, as many await its stance before proceeding with full-scale implementations.

To learn more, read the full NIST IR 8547 draft.

Is Your Home Giving Away Your Secrets?

With an increasing number of companies providing consumers with their smart home products and related services, smart homes are quickly becoming the norm. This trend is likely to continue in the future, as more people are realizing the benefits of having a smart home.

Source: UR.se

Making a home smarter with sensing technologies can seem like a good idea, but it also gives attackers an opportunity to break into your devices and steal your personal data. This could be a problem for you and your family if you have smart devices in your home without having configured them properly or regularly updated them.

In a televised public lecture, I discuss the smart home, its privacy risks, and what can be done to secure the contemporary home. Here is the link to the full lecture: https://urplay.se/program/228807-ur-samtiden-malmoforskare-forelaser-avslojar-ditt-hem-dina-hemligheter