Interview with a FANG Information Security Engineer — Meet Gynvael Coldwind

Smith3dx
6 min read · Mar 24, 2022

Today I start a series in which I interview leading cyber security professionals in the industry. In recent years cyber security has become a key element of any organization, with the fear of breaches coming from every angle these days, from bad actors to nation states. I spent time talking to Gynvael Coldwind, a FANG Information Security Engineer and tech lead.

Gynvael Coldwind (Information Security Engineer, Google)

Can you give a little on your background?

Sure! I’m currently an information security engineer at Google, where I’ve been for a bit over 11 years now. Before that I worked at Hispasec — which folks might know from VirusTotal, though I wasn’t much involved in that specific project — and even before that at a small antivirus company called Arcabit. Apart from working in infosec I’ve written a book about programming, played way too many CTFs as part of Dragon Sector, and when I have a bit more time I also do educational livestreams on YouTube.

How did you get into IT and then cyber security?

Getting into IT wasn’t really a planned or conscious decision, it just sort of happened. I was fascinated by computers for as long as I remember and then finally, around the age of 6, I got my own Atari 800XL. I started programming and playing computer games, and somehow haven’t stopped either of these even to this day. And I still find computers fascinating!

Did you know right from the start that you wanted to go into cyber security?

Not really. Getting professionally into hacking happened around the time I started doing a CS degree at my university. Until that point I always wanted to go into gamedev, but at the same time wargames were pulling me further and further into infosec. Eventually that was a conscious decision — I love both, but infosec has way better working conditions. I still try to squeeze in some game development into my work from time to time though (see Hackceler8 or Arcane Sector), and promise myself I’ll switch to full-time gamedev as soon as we solve security ;)

How would you describe a day at the office — if that’s something you can talk about?

That’s a bit hard to do, since I’m not sure I have a typical day at the office — it really depends on what project or projects I’m focusing on at the moment, and these tend to change frequently. It might be anything from design or code security review, vulnerability research or fuzzing, programming, designing CTF challenges, soldering, or… drawing pixelart — and I’m only partially joking here. There’s usually some management factor included as well though. I like mixing it up — it keeps things from being repetitive and boring.

On a lighter note, what is your favorite anime?

That’s a really hard question! Though I go back to “The Twelve Kingdoms” most often, so that’s probably it. From the more recent titles “Legend of Galactic Heroes: Die Neue These” might be close behind. As well as the “Ghost in the Shell” franchise.

In your opinion, do certifications matter in the cyber security field?

Personally I have mixed feelings about certs in infosec. On one side, at the beginning of one’s career they can be a great goal to achieve and a driver for self-education. On the other side, the goal a certificate is claimed to have is to serve as indisputable proof of knowledge and skills, and — speaking in general — certs are absolutely failing that goal (by no fault of folks getting the certificates). This sadly means they are usually useless in the CV and can’t be used as proof of competence — and yes, I am aware some companies try to use them in this way anyway. This happens due to certificate scoping, or due to how most certification exams are carried out — no supervision, just an automated test. And this is underlined by the existence of many “companies” which offer passing an exam in the name of somebody else as a service. On the flip side, fully proctored multi-hour exams aren’t a solution either, since that’s pretty exclusionary for folks who just can’t allocate a 24h chunk of time due to e.g. family circumstances. Furthermore, some exams aren’t cheap either, which further excludes folks on an economic/geographic basis — regardless of their actual skill and knowledge. So yeah, I’m not a fan in general. But if one wants to do it for themselves — as a challenge or a goal, or a motivator for self-education — I fully encourage this!

What is the most interesting thing you have learned recently in cyber security?

Recently? That’s another hard one, especially since I learn new bits and pieces every day, which I guess is pretty normal for infosec, or IT in general. Though the last big thing that put me in awe was FPGA bitstream reverse-engineering. I barely scratched the surface while working on a couple of CTF tasks, wrote a few minor ad-hoc tools in the process, and read a bunch of papers on the topic, but that was an absolutely fantastic ride — even though I’m frequently dealing with assembly and machine code, I rarely go as low in the abstraction level.

What would you say to someone that’s looking to get into cyber security now — what would you advise?

Security is a huge field — try different things and go where your heart leads. And, if you choose one of the more technical branches of infosec, learn programming — otherwise you’ll be limited to existing tools which can get you only so far.

Would you say there is a roadmap for cyber security?

I don’t think infosec is mature enough yet to have any written-in-stone roadmaps, though if you search for roadmaps I’m pretty sure there are solid ones related to specific specializations in infosec, like e.g. a roadmap to become a penetration tester.

How does software development tie in with cyber security? Do you think they go hand in hand or are very separate?

Guess by now the answer to that question is pretty obvious — software development must be done with security in mind, both in the conceptual or design phase, as well as during implementation. As we’ve learned through the years however, this doesn’t exactly mean forcing all developers to learn security — that just doesn’t work in practice due to multiple reasons. To name one, you can’t prevent honest mistakes from being made — for example, I’ve been programming basically my whole life, half of which I’ve spent focusing on security, and I still make security-related mistakes when coding. Few and far between for sure, but they are there. Instead, we — as the programming and security communities — should make sure that the tools, programming languages, libraries and frameworks we provide for programmers make it really really hard to make mistakes, yet still remain pleasant to use. I.e. the idea should be to flip from the current “you need to expend additional energy to secure things” to the much better state of “you need to expend additional energy to introduce vulnerabilities”. The same “secure-by-default” approach should follow for when the product is deployed, configured, and actually used.

Where do you see cyber security in the next 5 to 10 years?

Still growing, and hopefully working hard on solving the problems mentioned before. And once we’re there, we just have to fix — or ideally deprecate — a few decades of legacy code. I don’t think this is achievable in the next 10 years though, and we — as the IT society — are really good at creating new problems for ourselves anyway, so there will always be stuff to do.

Vim or Nano, which do you use?

Sublime. I’ve used Vim, or rather gVim, for a long time, but decided to switch to something a bit more modern.

Now that was interesting. If anyone wants to get to know Gynvael more, here are some links to his YouTube channel and blog.
