Women in Security
Catwalk to tech-talk Insights with Kan Tang, Distinguished Technologist and Worldwide Chief Technologist for DevOps, HPE Software Services
Kan Tang CTO, HPE Software Services WW DevOps
By Kan Tang CTO HPE Software Services, WW DevOps & Chris Cubbage Executive Editor
18 | Asia Pacific Security Magazine
I am the kind of person who loves to learn, but when I have learned something I want to move on to the next challenge. I commenced my technology career in coding, as an Application Developer, and moved on to become an Application Architect, then a Solution Architect. This allowed me to be increasingly exposed to IT operations. With a desire to balance my knowledge between Dev and Ops, I moved to a project with Sabre Airline Solutions, one of the world's largest airline suppliers, and worked on the operational side of their business. This involved configuring network interfaces, IP addresses, network security, firewalls, load balancers, disaster recovery, proxy servers and so on, which provided a greater sense of what operations are about.

It has been a benefit to have started out as a coder and Application Developer. In DevOps, if you want to maintain some credibility, you still need to be somewhat hands-on. You have to get your hands dirty, otherwise you're just talk. I worked on a lot of heavy-duty Java applications early on, including with American Airlines, General Motors, Adobe, Disney, FedEx Office, Delta Dental, Shell and US National Veterans Healthcare, each in a different industry.

In my early career, I spent most of my time in technology, but I realised that a lot of the inefficiencies are actually in the processes. When I was at FedEx Office, I was involved with Agile software development and took on the role of Master Scrum Master for their Agile transformation. I learnt a lot about the 'good and bad' of software development, testing and operations, as well as people and team dynamics. It is a challenge to keep the team focused, innovative and working together, with different personalities and the hierarchy of the organisation, including working with senior-level executives.

I then worked for Disney, as a Lead Chief Technologist, and assisted in the build of a $1 billion system called Disney NextGen Experience (NGE), using the Magic Band, with a focus on designing for the Media group.
The system was architecturally challenging, with multiple programs, and we used HPE Fortify for code scanning. The Magic Band is effectively the key to the kingdom and can be used for all transactions, be it to access your hotel room, make purchases, or set up the allowance for your kids. For the Media group, we were designing how to use the band to link to guests' media, which includes photos, videos and eBooks. As you tour Disney and have a photograph or video taken, you can access it immediately from your mobile apps, or within the minute you can walk into a view station, see your media, and edit it, including rotations, black and white, cropping and adding Disney characters to your photos.

When we evaluated these use cases, we asked: what are the security risks surrounding this? At the beginning, being the Media group, some asked: what has this got to do with security? However, the architecture leadership team determined that these media are the company's most important intellectual property, which can be stolen or manipulated. Or, through an attack such as SQL injection, you could manipulate the resolution. The images could be displayed in low, medium and high resolutions, with the high-resolution images requiring purchase. We would only allow the low resolution for guests to choose their preferred images. But through SQL injection or a privacy violation, with this level of access you could allow free downloads, or downloads of other guests' images. This type of unauthorised access could be used for all kinds of nefarious things. So, the DevOps team ensured they were conducting code scans and checking the code for these types of vulnerabilities. Identifying and accepting these types of 'user' behaviour risks was a cultural change for the team, to appreciate the wider risks involved.
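The resolution and guest-access problem described above, as an added illustration that is not code from the original article, from Disney or from HPE: a constructed media table with low- and high-resolution renditions for two guests, a deliberately vulnerable lookup that concatenates the request's `resolution` value into SQL, a version that parameterises the query but still trusts the client's choice of resolution, and a hardened version that takes the guest identity from the session and checks entitlement server-side. The schema, table names, guest identifiers and the `PURCHASES` entitlement store are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example (not a real system's schema):
# each guest has a low- and a high-resolution rendition of one photo.
SAMPLE_MEDIA = [
    (1, "guest-A", "low", "/media/A/1234_low.jpg"),
    (2, "guest-A", "high", "/media/A/1234_high.jpg"),
    (3, "guest-B", "low", "/media/B/5678_low.jpg"),
    (4, "guest-B", "high", "/media/B/5678_high.jpg"),
]

# Hypothetical entitlement store: which paid resolutions a guest has bought.
# "low" is always free; "high" must appear here before it can be served.
PURCHASES = {"guest-A": set(), "guest-B": set()}


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE media (id INTEGER PRIMARY KEY, guest_id TEXT, "
        "resolution TEXT, path TEXT)"
    )
    conn.executemany("INSERT INTO media VALUES (?, ?, ?, ?)", SAMPLE_MEDIA)
    return conn


def list_media_vulnerable(conn, guest_id, resolution):
    """Deliberately vulnerable: request values are concatenated into SQL.
    The UI only ever sends resolution='low', but the server trusts the value,
    so a tautology such as  low' OR '1'='1  returns every row in the table."""
    sql = (
        f"SELECT path FROM media WHERE guest_id = '{guest_id}' "
        f"AND resolution = '{resolution}' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def list_media_parameterised_only(conn, guest_id, resolution):
    """Parameterised query: the injection no longer works, but the client can
    still simply ask for 'high' (or another guest's id) and be served it.
    Fixing the injection alone does not fix the authorisation problem."""
    rows = conn.execute(
        "SELECT path FROM media WHERE guest_id = ? AND resolution = ? ORDER BY id",
        (guest_id, resolution),
    )
    return [row[0] for row in rows]


def list_media_hardened(conn, session_guest_id, resolution):
    """Hardened: guest identity comes from the authenticated session, never
    from the request, and the resolution is checked against what that guest
    is entitled to before the (parameterised) query runs."""
    allowed = {"low"} | PURCHASES.get(session_guest_id, set())
    if resolution not in allowed:
        raise PermissionError(f"{session_guest_id} is not entitled to {resolution!r}")
    rows = conn.execute(
        "SELECT path FROM media WHERE guest_id = ? AND resolution = ? ORDER BY id",
        (session_guest_id, resolution),
    )
    return [row[0] for row in rows]


def record_purchase(guest_id, resolution):
    """Grant a paid resolution to a guest in the hypothetical entitlement store."""
    PURCHASES.setdefault(guest_id, set()).add(resolution)


if __name__ == "__main__":
    db = make_db()
    payload = "low' OR '1'='1"
    print("vulnerable, normal request:", list_media_vulnerable(db, "guest-A", "low"))
    print("vulnerable, injected resolution:", list_media_vulnerable(db, "guest-A", payload))
    print("parameterised, asks for high:", list_media_parameterised_only(db, "guest-A", "high"))
    try:
        list_media_hardened(db, "guest-A", payload)
    except PermissionError as exc:
        print("hardened, injected resolution:", exc)
```

The injected value never reaches the database in the hardened path: the entitlement check rejects anything that is not a resolution the guest has a right to, and the guest id is taken from the session rather than the request, so one guest cannot enumerate another's media by changing an identifier.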
This is where HPE Fortify allows architectural teams to build, test and verify the code, often multiple times, to truly force the team to meet security requirements,