This week, get to know Paul Ionescu, who's working on making applications more secure every day. Learn more about Paul in the interview below and find him at:
Paul Ionescu's profile on My developerWorks - add him to your network
Blog: Rational Security Stories
Tell me about yourself and what you're currently working on...
I have been working in the Rational Security Practice for 3 years now, coming from Watchfire in 2007 together with the AppScan security products.
In my primary role I help IBM customers resolve security issues and improve their development processes but I am also responsible for enabling our practitioners in the application security space, create training material, participate in the management of our internal community site and in general take part in any activity that can make IBMers and IBM customers successful with our products.
Part of my mission is to influence our product direction based on our customers' needs so I work a lot with our product development teams and our security research team. I have participated in several research projects and have created several product tools and integrations that help us in our day to day work.
For example last year I have created an AppScan extension called Login Expert which was intended to make the configuration of our product an easier process. You can read more about the extension here.
The extension achieved its goal and as a result was integrated with AppScan in the 7.9 release.
What first attracted you to working in Information Technology?
Well it might be a bit cheesy but I was fascinated by the fact that you can inspire thought process into a machine. Even today nothing makes me happier than the opportunity to write a computer program.
Are there any reasons the topic of security is especially interesting to you?
Security is a very exciting field. There's a lot of intelligence that goes into hacks, there's always something happening, there's always new challenges, hackers are getting smarter. Knowing that, imagine that working with an automated tool that is intended to act like a hacker is even more interesting.
What's the biggest misconception about security?
There are many misconceptions and is hard to say which is the biggest one but one that comes to mind is that the network layer is the main target of attackers and that as long as you are protecting that layer well, you are secure: we are behind a firewall, nothing can touch us...Well guess what? That firewall has to be opened on ports 80/443 so you can have an internet presence. The web site is in fact the main target of hackers nowadays, not the network.
What are the biggest security challenges related to software development?
The adoption of security practices is the biggest challenge. Without a proper process and management buy-in security bugs will continue to come in. There's always communication challenges & animosity between security auditors and developers, the security team cannot scale becomes a bottleneck often delaying the release of the product. Development organizations need to adopt secure coding practices and security testing tools allowing less security issues to reach the security team, thus improving the release process and the overall security posture of the organization.
How do you use developerWorks?
I use it as an avenue to express my thoughts in the application security space but also to see what other people have to say in many other different domains of application development.
Do you use social networking related to your work?
I use our internal Lotus Connections website heavily but also use LinkedIn and Facebook to keep in touch with work contacts.
What are some of your favorite websites/feeds/twitter accounts to follow?
One of the blogs that I read more often is the IBM Rational Application Security Insider.
What other passions or interests do you enjoy in your off hours?
I play classical guitar. Look me up on YouTube :)
- Thanks Paul!