Reflecting on Where I am
So I’ve been working in the security world for ten years in one shape or another. I got my start working on cryptography and today I work as a security engineer at a web hosting platform. With time people change and so do their interests.
This year has made me reflect on whether I still like security as a profession.
I attended /dev/color in motion earlier this month to connect with fellow black software developers. There I reflected with others about our career paths. I shared that I have been thinking lately about whether I still like security. One person gave me a pointer that as we get older, our interests and pursuits will change and that this is something we should understand about ourselves.
An Exercise on Understanding Oneself
Earlier this year a friend recommended a book to me, “What color is my parachute?” This book has been helpful to uncover what my passions are, evaluate (1) whether I like security as a profession, and (2) if software security is something that I want to continue with.
“What color is my parachute?” details an exercise to prioritize lists. I used this tool to prioritize “what brings me joy” in a job. You can try this yourself with this tool here. I can condense the “what brings me joy” prioritized list I wrote into two distinct elements in the following order: (1) What I enjoy most is seeing the value that others have in technology I build and (2) the second most enjoyable thing to me is to contribute to the culture in a company setting.
Behind the enjoyment of seeing how others (i.e. teams or services or individuals) use tech I’ve built is the work I put into these tech projects; I know how much work I put into that technology, and getting to see it in use, with its utility building value for someone else, brings joy. In a similar vein, contributing to an organization’s culture is rewarding. This can be as small as working with the team I build technology with, improving an organization’s culture through education, communication exercises, or participating with the organization’s members. I find reward and a sense of social duty when I make a difference for others in that organization. While I get a sense of joy out of these things, let me make it clear that this is not exactly where my source of happiness comes from in software security. For the scope of this blog post, I assert that joy and happiness are distinct things.
Building things and cultivating organization culture are great! But there is another element where I get very happy and will not shut up about it if given the opportunity: finding elegance in a technology or solution. It took some time to understand this about myself.
Happiness through Elegance
So to tie this back into whether I still like security, I had to peel the onion back even more as to why I like it. I find software amazing, and software security in general usually presents intriguing solutions to various problems in software. What really gets me going is when a solution is elegant. Usually this looks like something very straightforward and simple looking that solves a big problem, or it involves an approach that doesn’t seem to address the problem head on and yet still solves the problem. For me, elegance has two shapes: (1) something small or simple that can do something very well or (2) something very sophisticated that solves a problem in a way that doesn’t seem straightforward at all.
I’ll go over two small, simple, and elegant solutions made by Joan Daemen. My first read of FIPS-197, the NIST document which specifies the Advanced Encryption Standard (AES), was almost like reading a story book. As I read the specification, I found elegance in how it works. From a mathematical perspective, AES is very straightforward, and it was very clear to see where it would be hard to break AES (i.e. the non-linear function, aka S-Box). Years later Joan and a team of co-authors introduced us to permutation-based cryptography. Although it isn’t as straightforward as AES, it is beautiful and elegant in how permutation-based cryptography can be purposed for different cryptographic functions, albeit with the same tools! That is not the norm in cryptography; this exception brings elegance to permutation-based cryptography for me.
To talk about the other shape of elegance: a not so straightforward approach to finding software bugs is concolic testing. At a very high level, it involves posing software as an instance of a Satisfiability Modulo Theory (SMT) problem. For the purposes of this post, we can simply think of SMT problems as logic puzzles, and for concolic testing, we go about solving these SMT problems in a way that yields software bugs!
Going through this reflection about software security, how and why I got into it in the first place, and evaluating whether my interests have changed was a great exercise in learning about myself.
- I know that finding elegance in security solutions is what really gets me going and why I should continue with it. This is my happy place.
- I know that I want to build technology that has a sense of elegance to it.
- I know I get satisfaction and enjoyment from building things and contributing to an organization’s culture/social fabric.
- I have a much clearer picture of what I want in my software security career.
Yes, I still find much enjoyment in security and this is something I will continue with as a career; finding how to best compose the things that bring joy and happiness together is what I’m going to aim for careerwise.