All right, welcome to the career days session for 2021. Today we have Lakshmi from Netflix to talk about cybersecurity career skills and a whole bunch of other cool things related to tech security and even hacking in the media. I think we'll even touch on those subjects as well. This is our fifth installment of the career days sessions for this year. We still have maybe one or two more to go, but I would say this is probably the highlight of the sessions this year. So we're really looking forward to it. For those of you who don't know, my name is Rai Halada, I work in student services and one of my main projects is to present these professional development and career fair sessions. So I'm very happy to be doing that again and I welcome all of you as we have guests today both from Prague College and our partner school, Teesside University in the UK. So welcome to all of our guests. The format of today's session, as I mentioned, will be a presentation. We'll have some time for Q&A. We have some pre-submitted questions that we'll go over and then we'll have a session at the end with one of our students who helped organize this whole session and he'll talk a little bit more about his professional experience in security and bug bounties, which we'll touch on a little bit later. So without further ado, I'd like to pass it over to our guest speaker today. You can take it over, do a little introduction and then we look forward to your presentation.

Thank you so much, Roy. That's a wonderful welcome. I'm so excited to be here and talk to folks on the other side of the world and also at a university, right? That's something that's really, really close to my heart. And every time I speak in a university, it reminds me of me doing my master's or my undergrad and attending this career fair. So I feel very privileged to be here today. Thank you for having me. So a little bit about me.
I am a senior security partner at Netflix right now, which means that I work with parts of the organization. Now, we all know Netflix, so the company needs no introduction. But when you go watch a movie, right? There's so much that happens behind the scenes and as a partner, what I do from a security standpoint is I go into, let's say, an art studio, right? I go and understand what are the tools that are being used, let's say for animation. What is something that's used for production? What's used for pre-production? Try to understand this whole space and look at what are the gaps in security, work through them and try to understand where can we invest? What are the tools we could build and how do we go about securing this ecosystem? So that's something I do as a senior security partner. In my career, I've been with different kinds of companies like consulting firms like Bishop Fox, a financial firm like Masli Achil, Adobe for a while, which is a really creative company and the only thing creative I can do is just tech. So I wanna be honest about that, but it's been really interesting working in all of these companies. I started out with product security and now, with a partner role, I'm trying to understand the risk space as a whole, not just focused on product security. Other than that, I am on the RSA program committee, which means if you've heard of RSA conference, I help with the CFPs, which is basically like presentations, picking up the ones that are gonna make it through, meeting with all of the folks on the board and trying to build the sessions around what content would be useful to all of the audience at RSA. I'm also a BSides affiliate. So BSides is one of the security organizations, which has like local chapters everywhere and they're a nonprofit and they help organize conferences which are affordable for students and like, you know, local professionals to be able to attend.
I bring this up because if there's a local BSides chapter and if you're interested in security, I think it's a great opportunity to learn, connect and network. Moving from my introduction, let's talk about what are the things we're gonna talk about today. I thought we should make it slightly like an episode format. So I'm gonna start off with an introduction to the Netflix information security team, how we work, how we operate, why we operate a certain way. Then I thought it'd be more useful to talk about the cybersecurity industry a little more broadly, not just in the context of Netflix, but really broadly, and understand what the careers and skill sets are, because this is something that I really feel needs to be out there: to understand that you can come from a psychology background and still have a role inside security. You can come from tech and of course you can have different roles inside security. So there's like a plethora of different roles. So I wanted to explore some and give you resources for the rest of it for like a self-service thing. The third one that I will talk a little bit about is how do you get started, right? Like maybe we are in school right now, like, you know, you have your courses but you wanna play in the real world and not be simulated like applications and stuff. So how do you go about this? We're gonna talk a little bit about education now like, you know, how can you get started with security? What's like the easiest path? What's your easiest path even to just explore rather than completely get started? The last one I added because I saw some questions around interviewing and what do recruiters look for? And like a couple of questions on those lines. So I thought maybe let me add a section of the presentation, a little bit about interviewing and as an interviewer, what do I look for? Or what do my colleagues look for? How does a company perceive it when we interview a candidate? What are we looking for?
So to just present the other side of it, I thought I'll add that section. So this is what we are gonna talk about. We will definitely take questions and I'll definitely take questions at the end of the presentation but anywhere, any place you have a question, please post it in the chat and I think Roy will like formulate that. That's a great idea. So let's start with the introduction to security at Netflix. So first of all, right? Like Netflix is a media company and our mission is to entertain the world. With that mission in mind, what are we trying to do as a security team, right? Like how does this mission of entertaining the world and bringing instant joy actually fall into security? When I think about a customer or myself, at the end of the day, I wanna unwind and what I do is I put my feet up on the table. I turn on Netflix and I'm browsing through things that I really wanna watch. As a business, we really wanna provide this friction-free experience to all our customers so that they can really unwind without being stressed again by using a platform. As a security team, how we wanna enable the business is basically by securing all of the processes, the data, your customer data, keep you happy and make sure that we protect it. However, we don't wanna let that interfere too much with usability. Now, security and usability are always spoken of together as a pair and as conflicting, but I think it's actually a part of it. Like I think it's a composite part of usability. When I think of security, if you have to log in every time on your TV, now that's not a great experience for a customer. Yes, it buys security, but does it bring a good experience for your customer? Probably not. I would drag, I mean, I personally wouldn't really go in and put in a password every time I log in. I mean, every time I would watch Netflix, maybe three times a day, I would probably switch to some other service there.
So as a security team, we aim and we push ourselves to do something around meaningful security, something that makes sense and buys down the risk. When we think about any company, right, what are we trying to protect? Are we trying to be 100% secure? We cannot. Even if you like close the box, lock it and super secure it, put it under the ocean, there's always a probability it's gonna be found. And what's the use of such a box, right? So what we try to protect is basically like customer data. We try to protect our talent data, pre-release content. Of course, we don't wanna give you spoilers before the time when you and all your friends wanna have a watch party and really look at Netflix, right? What's your shows? What's your favorite shows? So we try to protect most of the sensitive data. But again, if you can access that data, that means that there is always one opening for the usability part of it. So we try to be good about balancing this usability factor and the security aspect of it. What do we actually do? Now, like I said, nothing can be 100% secure. And if it's 100% secure, it probably is not usable. So we mainly aim at reducing the risk, right? So what's the risk? Like the risk could be like, okay, data being stolen, right? We definitely have protection that, let's say Ryan wants to access his credential, I mean, sorry, his username or his watch list, only he should be able to actually do that. And it's not you, me, someone else, neither someone at Netflix, right? So we as a security team try to build these controls to make sure that we can reduce risk in various areas of the business. Now, how do we do that, right? Like one control is probably not enough. So we rely heavily on the concept of defense in depth. Which means when we think about a problem, we try to see what are the different layers? How can we make it so hard for a hacker to actually reach our sensitive information or, I mean, the most important information to the business?
One problem though is, I mean, of course, with every feature, there can be a review, you could go many routes, but that doesn't seem to work from a risk reduction perspective because scaling is a problem. At the scale of Netflix, which produces like hundreds of shows, and we buy a bunch of content and there is so much data associated with all of this. We have customers from all over the world. Scaling security becomes very important and that's where we have a lot of platform security tools that we built. And by platform security, I can probably give a little bit of insight into what is a platform security tool. So when you think about like, let's say we have 100 apps that perform some function, right? Now I can go in as a security engineer, go and vet each of these apps, but that's not scalable because we're gonna have 1,000 apps in the next year or 10,000 other products that are gonna come in, right? So we try to build something that is very easily pluggable and usable by our teams. Let's say we centralize it so that authentication happens only through one particular, like let's say TLS, HTTPS, right? That's something we're all familiar with. So can we use that and say we can build our own cert and can we have each app talk to each other only if they have this cert? So this way we solve it at scale versus like pointed applications. Now it makes it a little more interesting and this is where I wanted to talk a little bit about how Netflix security operates with a slightly different philosophy than most of the traditional security teams. If you folks have heard from other people in like companies or you've been on internships, you may have heard that security teams are scary and they will say no. So what do we do about it? Now that's the one thing we avoid a lot at Netflix because our culture has taught us that we enable the business by making sure security is easy and friction free, right? How do we do that? We don't wanna gate people.
We don't wanna say every time you build a feature come to us and we're gonna help you, right? So we will help you when necessary but what we're gonna do is we are gonna make it so easy and seamless by building all of these tools that we provide guardrails in circuits. You can build what you want and you have these solutions to use, these applications, these tools to use which will make you automatically secure to a certain point, which means we are reducing risk at scale, right? And this is in line with one of the philosophies at Netflix, which is freedom and responsibility. Now our developers, our technologists are like our studio users. They all have a choice, the freedom to make the choice of any tech stack they wanna use, any tool they wanna use, any application they wanna use. But the responsibility part comes in where they actually integrate with all of our security tools and use them. And if there's a problem, we are the team that go and help and make sure that our products work for these things. So providing that freedom of choice is something we value very highly because we want our developers to own the security of their apps and also be able to move the business at a greater pace. And I think that's what distinguishes the Netflix security team. This is mostly about Netflix security. We have a lot of roles which are gonna overlap with the next section around general cybersecurity roles and skills. And I will walk through some of them. Now, when you think of any company, right? Like we have, let's say a hypothetical organization, the sales team has the motivation to make as many sales as possible, that's their mission. You have PR who wanna communicate all the cool products as well as take care of any of the issues that have been reported to the media. Customer support, of course, wants to provide a good customer experience whenever they require support within.
Legal and compliance make sure that the company is safe and we are on legal lines based on the country we are in, based on the geographical region we are in, and all of it. Product and engineering, I think, is something we are familiar with: like, yeah, we build tools, we build a product if it's a SaaS product or like any product, right? We try to build the solution, the platform for all of these teams to use as well as our customers, right? Then comes information security. When you work in information security, you're gonna be a part of all of these organizations. Like you would have to make sure that the sales tools that they're using are safe, the emails that they send actually go to the right people. You also help public relations in case you wanna talk about how secure is your company? How, what do you do for security? Then you have PR, you also help with like, not just securing the customer support software, but building out those processes also requires some kind of a security review kind of thing. Legal and compliance is one of the teams that you would generally talk to because privacy, legal, compliance, those all sometimes encompass security and some of the legal laws also impact how you operate in different countries and regions and how do you go about storing data, and that directly influences, of course, product management. So when I work in cybersecurity, I interact with all of these teams and work with them at some point or another. So cross collaboration is a very important skill that I've seen with information security. Now let's dive a little into information security and here are some of the teams I'll talk about today. So in an organization, you may have different flavors of this or the same teams and names and I'm even gonna call out what we have at Netflix. Now, when we think of security, we want, of course, both breadth and depth, right? Like you wanna go through the full stack and make sure you secure at each layer.
But there's also the other part, which is breadth in the previous slide that we spoke about where you wanna understand the customer process, you wanna understand like, you know, the legal and compliance laws and all of it. When you're looking at a full stack, mostly we have a team like cloud security which basically protects cloud assets and then you could set up IAM rules if you're using AWS or Azure. This was probably more around server security before but now, since most of them use cloud providers like AWS and Azure, it's become cloud security as a team. It could also be called network security. Then you have product security, which means security of the product. At Netflix, what's our product? Netflix.com is our product, right? That's one of our main products. Now as a product security team, and I'm a part of the product security team which is also called the application security team, what we do is we try to reduce the risk to the business at the product level. That's what a product security team does. Detection and response. Now that we've secured, let's say, cloud and product, there are still gonna be attacks that may happen. There's still gonna be some of the detection we have in place so that we can monitor any changes that seem suspicious and actually respond to it. Now incidents are also sometimes managed by the detection and response team, depending on the organization. Red team. That's the cool team that a lot of folks may have heard about. They are the ones who are inside the company and are ethical hackers who go in and try to hack the organization to see where do we have the gaps and how do we go about and fix it. Privacy. This term is something that I think in the last few years there's been a lot of laws, there's been a lot of conversation, and privacy, what it does is it guides us how do we use our customers' data responsibly, right?
For us to give you content, and relatable content, to display that you may like something, we need to use some of your data, but how can we use the most minimal data to actually still give our customer a good experience is something that privacy helps with as well. Risk assessment. Now risk assessment is one of the teams which helps us quantify the risk. I spoke about risk reduction, right? We are never gonna go to a place where we're gonna say there's gonna be no attack, no breach, nothing's gonna happen. That's not really a place where any company can really reach. So risk assessment helps us quantify it. They're gonna say if this event happens, if an attacker is attacking a database, then the loss to the company is 60 million. Now it's up to the company to decide if that 60 million is something that they can take, accept as a risk or not. Or do we wanna work actively on reducing this risk from 60 million to let's say 5 million, and what are the things that we could spend? So that's the risk assessment team. When we talk about roles, just within cloud security you could be an analyst who looks into all of these permissions and rules and looks into what network can talk to another network. You could be an architect who builds out this whole isolation of networks, access control and all of that at a cloud level, at a network security level: what's the perimeter of my company, right? Or you could also be into automation. If you're a developer trying to get into security you could be an automation engineer and create a bunch of automation. One of the things Netflix built was called Repokid, which automatically goes and looks into access patterns and configures IAM policies that way. So you could also be an automation engineer if your background is being a developer.
On application security, you could be a pen tester, which means you go and ethically hack into applications to see if there are any vulnerabilities, or you could be an application security engineer just like what I'm doing, where you go into an app, understand the application and provide them guidance or build out, or use the help from the software security engineer on the team to build out, these tools that are necessary. Platform security is mostly identity and authentication systems. Now, when you log into Zoom or when you log into your college, like your university portal, there may be a sign-on where you enter your email and everything magically happens and you're let into your portal, right? So that's where the platforms to enable this friction-free login are something that you could do by being a platform security engineer. This probably has the highest impact from the perspective of building things at scale. In the detection and response space it's something similar, where you could definitely be into detection, building out detections, or you could be building out processes that come out of detection. And if you are interested in the threat intelligence field, which is actually identifying all of the cool cyber security trends that are going on and how that may impact Netflix or the organization you wanna join, that's something that a threat intelligence engineer does. Incident response is basically when everything's on fire, you know there is either an active breach or you suspect a breach, this person actually commands the whole group, pulls in the right people and tries to solve for it. I've had a chance to be an incident response engineer and an interesting observation was that keeping calm in crisis is a skill by itself. And that pretty much impressed me about incident response engineers, and even as an incident response engineer I think your technical skills are important.
I wouldn't want to downplay it, but I think your soft skills, or what we call interpersonal skills, are of way more prime importance as an incident response engineer because you have to make the right decisions under pressure. It's a very interesting role if you like high stress situations and you're the one who's calm in high stress situations and figuring out problems. Then you could be a SOC analyst. A SOC analyst is like a first level triage, where you see these alerts, you see these weird things happening in the detection space, like you see, oh, there was a click made here and then this went somewhere else, this is not how our usual customer actually behaves. So this may be something suspicious, it could be an attacker. So they are the ones who do that first level of triage. Red team. So red team, one of the interesting experiences I think with red team is one of the security teams in the industry, what they did was they actually stood by the subway and so they tried to simulate a real world attack, just to recap. And what they did was they actually stood by a subway, tried to scan badges of people who didn't have RFID protection or something, scanned those badges and they could enter into the building, they installed a wifi there and people connected to it and they could actually completely penetrate into an organization. So this is the kind of thing that a red team engineer does. They are legally, I mean, they of course are an employee of the company and that's why they try to see how would a hacker think, how would an attacker who wants to compromise or bring down our whole system think, and go about the whole round of it. Talking about privacy next. So if you're in privacy, the difference I think between security and privacy is that security builds controls to protect data and privacy actually informs us what data to use, how to use it, what's the data lineage and how do we go about using it very responsibly.
So sometimes a privacy engineer also has some of the skills with compliance. Now, for example, GDPR was something that came about a few years ago, right? And that changed the way we look at data for Europe. So that is also one of the hats you can have as a privacy engineer. Then the risk assessment, right? To run these risk assessments there are a lot of scenarios, there are simulations, there are different models. It's basically like you run a bunch of data models. So if you're a data engineer, this may be a piece that's of interest to you, being in the risk assessment team and being a security risk engineer or analyst. There are a lot of names and a lot of things. When I say a lot, I actually mean a lot. This is also not an exhaustive list, but this is a good framework where you can look into what are the different areas that you could be in, I mean, what are the different roles that exist within security? What are the different domains that exist within security? And it's just not within the bounds of what I spoke about. Those are some of the common themes I have seen from a technology space. Also, if you are a content creator, security is very big on education and we really need everyone to understand why do we care about security? Why do they have to have those plugins? Why do they have to have those controls? Why they shouldn't respond to the prince who said that they're gonna give them 100,000 pounds just out of goodwill, right? So education is a huge part of security and I've seen amazing people from different backgrounds who have helped create useful and impactful content. And it could also be TikTok or any of the short form videos, any form that's ingestible to people is what we are looking for when we think of content creation for cybersecurity. All of this said, I really wanna call out that each organization has their own custom way of creating those teams. For example, right?
Like Netflix is a media company. So we have media assets, we have customer information, we have talent information for our own productions. We have a bunch of pre-operations, post-operations information and that's what we wanna secure. And we have payment information for our customers, right? Now that looks significantly different from, I think, let's say a company that manages HR data. Now that would have assistance, that would have PHI, and by PHI I mean personal health information, because insurance information is also stored there, and that would have some other data around your really personally identifiable information. Now security there definitely looks a lot different than security here, right? So it's very custom to each organization, and something else that also makes a difference is the risk appetite, right? For an organization, it may vary depending on, of course, all of this data, size of the company and a lot of such factors, obvious factors as well as the region it's in, right? Size of the company also: when you're starting out as a new business, you want customers and your security may look absolutely different from what a larger company or a more mature company like Netflix, Google, any of those companies has, right? Since I spoke a little bit about the roles, I also want to call out that each role may be different in each company and each industry as such, and that's something to just look out for. Now that we spoke about Netflix security, the Netflix security culture, and some of the generic teams, let's go a little into how do you get started if this is a field of interest where you get to ethically hack and be the cool hacker on the right side, how can you actually get started? There are multiple options, again, they all depend on what's the path you want to take, right?
I'll also provide resources where you could go and play around with those graphs and actually look at like, oh, this is the field I'm interested in and what are the different roles and how does it work out? However, to start with, one of the questions I always get is are certifications necessary? Are they important? I would say that your domain knowledge is important, having some ascent important. However, certifications are optional. If you haven't really studied something related to cybersecurity, absolutely some of these certifications would really help. Now GSEC is one of the certifications which is around security essentials. So this gives you an overview of everything in security. So if you're just curious, you're exploring, that's definitely a good place to go. It's a paid certification though. Similarly with CompTIA Security+, that's also a paid certification but it gives you the basics of the security industry. If you've never heard of security as much before and you really wanna enter, these two certificates definitely serve the cause, but they're both paid. However, OWASP is a free resource. It's basically open web application security and they have wonderful resources for free for all beginners to start with application security or just understand the security domain. They also have some vulnerable applications for free where you go in and you can actually test those applications or try out what you've learned, right? Like a real playground of things. tl;dr sec is one of the newsletters you could sign up for. Again, that's free and it talks about the recent changes in security. It could be an attack. It could be something like a new way of solving the cybersecurity problem. So that's a very interesting thing and it's a free resource. If you're someone like me who actually wants to go hack things to learn, if you're someone who needs to go to the deep end to understand things, then Hacker101 CTF is definitely the place to go.
There are a bunch of capture the flags for every level and you can definitely go in there and challenge yourself and play through it. When I think about security, right? It just feels like gaming for me. Like I try something, then I try something else, then you go to some other level. You think of 10 different ways of doing one job. So it's actually kind of gamified when you think of capture the flag. You're actually looking for a flag and you're going all over the place, which helps you build your techniques in a very fun and gamified way. I'll just say this one more way. If you're interested, I mean, all of these are simulated at the end of the day, right? But you may want some real world experience. That's where bug bounty programs give you a chance. What's a bug bounty program? So a bug bounty program is basically crowdsourced security. What I mean by that is, let's say you find a security vulnerability at Netflix, first of all, are you even allowed to go looking for it, right? And how do you responsibly do that and responsibly disclose to a company? That's where bug bounty programs come in. How it works is basically that companies build out a program with a defined scope. Now, Netflix says, hey, these are the rules. You can test all of these websites, all of these products, but don't hit, I mean, don't try denial of service, which means that a service will come down. So they set a bunch of rules, but they give you a nice playground of real world applications that the company owns for you to go test and responsibly disclose this to the company. Now, what's in it for a company, right? For a company, like I said, security is all about mindset. The way I think about solving a problem is different from how I write things, like this different kind of, each person has a different mindset and that's what security works on. That's the reason a hacker can still enter despite securing it, because he's thinking of another way, a chief thinker of another way.
So for a company, it's a huge benefit because they can get together all of the folks from all over the world, actually looking into their organization's security posture, and help improve. Then, what's in it for a hacker, right? As an ethical hacker. What they can do is they can practice their skills on real world examples. And that's a beautiful opportunity because that builds out confidence, that builds out different ways of trying it. It's again gamified and you also get paid for it. I have seen a lot of people who have done this full time and have actually earned a lot from it at a certain point. So it's a great monetary benefit where you're developing your skills and you're getting paid for it when you find a bug. We have a bug bounty program and I would invite you folks to actually take a look at it. I've added the link here and it's a program where we have listed out all these guidelines and all of the things that you could do. There are two platforms, basically HackerOne and Bugcrowd. While we use Bugcrowd, I would encourage, if you're starting off, please look at HackerOne as well for different programs that you could test on. There are also example vulnerabilities, lots of tutorials on the internet around how can you get started with the company. Sebi here, who is one of the folks in the university who helped set up this conference itself, was one of the researchers we worked with. But with bug bounty what happens is, as you start submitting more and more bugs to a company, the company kind of knows you a little bit, and I've seen a lot of people being hired in full time jobs because of the relationship they established through these bug bounty programs or because of how valuable they were to these bug bounty programs. So the opportunities are quite in this, in this case. And I think Sebi will be talking a little more about his bug bounty experience from the hacker part of it, right? This is from a company standpoint.
So this was something I stumbled upon and I thought it was useful. So this has free registration. RSA is going on right now and they have a college day on the 20th, which is tomorrow. You can register there, get your resume in, and look into it; there's gonna be a lot of like interesting conversations around cybersecurity and helping grad school students, I mean, students, to like see how they can enter cybersecurity. It's a market with a lot of jobs and it's getting more and more interesting as the technology space is like evolving. And with the pandemic from the last few years, things have sped up in getting online more than they would have. And that makes cybersecurity more and more and more important. So I would encourage you to see, and if this interests you, maybe sign up for it.

Interviewing, right? I'm sure this is on the mind of every student, and how do we go about interviewing? Sometimes you go through an interview and you feel like, I don't know what went wrong. Why didn't this work? Or sometimes something works and we don't know what. What do we look for? So I want to give the complete perspective about like what we look for in technical skills, right? There are two parts, technical skills and, like, you know, culture, or like a management round that you have for the most part. One thing we definitely look for is getting the foundations right. Now, neither I nor anyone in the world actually knows everything about everything. That's accepted in the industry. When you go in, it's okay to say... this is one thing that I really, really emphasize, which helped me because someone else passed it to me when I was interviewing: to say, I don't know. It's okay to say I don't know, and it displays honesty and humility to say that, oh, this is a field I don't know and I am willing to learn about it, right? That's the part that most interviewers appreciate, because what we look for is getting your foundations right.
Now, if I am interviewing for a security role, I want you to know the basic foundations of security, versus knowing every advanced technique, every new technique, the latest technique and all the cool things there, right? That's one of the key things that I always tell people, and it's okay if you've never heard of detection and response; it'd be fine if you could just say, I've worked more on like this field, or this is what I've studied, with network security, but I haven't had a chance to do detection and response, and it's an absolutely good answer there. Moving from that, I think one thing we look for is understanding the problem. With security, all you're doing all day, or in most of the fields, right, is problem solving. If everything was available on the internet and there was a process to do that, then they wouldn't need me, you, anyone in this world, right? We could just automate the hell out of it. But problem solving is where the human brain is useful, and that's something that we look for: how do they solve this problem, right? Like how are they thinking? Let's say I say you go into a cafe and you wanna steal their wifi, right? You just have it for 60 minutes. What would you do to extend it? Don't do it. That's not the legal thing to do, but this is a hypothetical scenario. So if I ask this, how would you go about thinking about this problem? Most of the time what happens is, and I have done this, I'm guilty of it, I just go straight into a solution, having everything in my head, thinking about something, and that never presents your problem solving skills to the interviewer. And at that point what we are looking for as an interviewer is to understand your approach, because that's what matters for the company during your tenure, right? Like anyone can think of a solution, but how do you think about pros and cons? How do you think about problem solving? What are the use cases you thought about?
So this is something that a company is trying to understand when you go in for your technical skills interview. So walk them through your approach, and it's okay. Yeah, I probably mentioned that again: it's okay to admit you don't know. Just walk them through the problem even if you cannot solve it at its best. It's okay, walk them through your approach, and they know that given more time you're definitely gonna figure out the solution. So that's the technical interview. I think foundations could be your coursework, assignments and a little more. Whenever you do your assignments, ask questions about why am I doing this? Like why is this acting this way? Why am I trying to hack this? And why did this method work instead of something else, right? GitHub, websites, those are great. And if you want an edge beyond the foundations, I think bug bounty programs, CTFs, reading blogs, having mentors definitely do help. You could practice any of your new skills. You could just have a conversation and exchange ideas with your mentors. So choose your mentors wisely, such that you and they can actually connect and have a conversation.

Moving to something that I think has become more and more important today is, in the management interview or soft skills or whatever it's called around the world, your communication skills are extremely important today. Especially in security, as I said, in a day I have spoken to an average of at least five different teams. And that's a lot of communication across teams, and getting the point across, understanding the concerns and working through that, right? Also, just within your team, I think teamwork and collaboration is one of the key things that we look for, is like, can this person actually work as a team? Because when you go into an organization, the conversations you have are gonna be the best thing for the organization. So we are debating ideas and not people, right?
So if I come up with an idea and someone says, hey, I think this is something that would work, am I a person who can process that feedback and actually think about what they said, validate it and offer a solution, or just say, that's right, how can we do this better as a team? Because at the end of the day, all we wanna do is do the best for Netflix in my case, and the organization you're working for, right? That's the best interest we need to have in mind. So feedback is one of the things that I have seen being very important, accepting feedback and also giving feedback. How can you actually talk to a person and say, hey, this part of this idea doesn't seem great? And why, right? I cannot just say this doesn't seem great; it may not work because of A, B and C reasons. How can you actually provide constructive feedback? I think these are some of the important things that most companies look for. And that may be assessed with different questions. Like I'm sure most of you would have heard about it, like, what did you do when you disagreed with your teammate? What did you do when you disagreed with your manager? How did you take that situation, right? So in all of these situations, what they're trying to assess is your communication skills, your collaborative skills. How do you take feedback? How do you give feedback? And that whole thing identifies you as this person who everyone wants to work with, or it brings out the part about you that is so important for a business. You may be technically amazing, but it's not helpful until we have those right collaboration skills, because how do we apply it? And where do we apply it? Even if we have the best skills in time.

Enthusiasm. In security, one of the things I've noticed is being curious is extremely important. Every day you may have read about a new breach, new attack, new attack vector, new problems. I always say in security there's never like, oh, you know what? This is what you do. It's always, you can do this, but you may want to do this.
There's never a black and white kind of situation. It's always in the gray. It's always like, yeah, we need this feature, but maybe we can add some of these controls. It's gonna reduce the risk, maybe not completely. So all your conversations are always in the gray there. You have to make decisions on the spot. You have to take decisions and problem solve on the go. And it becomes important to have that enthusiasm to learn every day those new things. And it's not easy. I also want to call out that burnout is a lot. And it's important to manage your curiosity. It's important to manage the time where you give your mental health value as well, because constantly learning things definitely takes a lot of effort.

One other thing I always want to call out is ask questions. This is definitely an opportunity for you to understand the team's culture. The work that they do, not just the work that they do, right? Like you also want to understand how your teams are. Just like they're assessing you for your teamwork and collaboration skills, it's also an opportunity for you to understand if your working style would match with the team, would match with the company, would match with the culture, right? This is definitely a point that I didn't do early on in my career, and I really wish I did, was ask questions. That way, when I'm joining, I know I've made the right choice, versus saying, I don't have any questions, I just have questions about the work. It's more important to ask questions about the people and what a manager's managing style is, and a little more on those lines.

With all of this, I do want to call out that you have to create your own toolkit. Some of you have strengths in one area, some of you have strengths in another. Pull them all together and have your own toolkit based on your role, based on what you're competing for or what you're working towards, what your career goal is in all of it.
If you want to start a company, then your toolkit is going to look absolutely so much more different than whatever we spoke about with interviewing itself. But you may implement it when you are recruiting people there.

Network. I know the world unfortunately doesn't look like this right now, but I think networking plays a huge role. I got my first job volunteering at a conference when I happened to bump into a CISO at AppSec USA. There are a lot of local chapters. And for me as a student, one way of getting into like conferences was volunteering my time for it. And that way I got into it without having to pay the fee. And also I felt like I was giving back to the community. And that has stuck with me. Like even today I enjoy volunteering at conferences, helping mentor people and just giving back to the security community that gave to me. There's an advantage. Since everything is online, just like we are now, you could actually go into meetings across regions. So you can just be curious and maybe join something in the Bay Area. I mean, I can join something in Prague. So there are like different ways that you could connect. And I think we should see this as a beneficial situation, because it just takes an hour out of your day versus like the whole commute time. And sometimes you can't even commute. I couldn't fly from here to there in a day. So it's a huge advantage that I think we should make use of now, whenever we can, to peep into other worlds and what security looks like in different places.

I wanna acknowledge. We may not talk a lot about it, but I really wanna acknowledge that there are always failures. I have failed millions of interviews. I have failed millions of problems at work, right? But solving, and it's okay. If you don't do that, you don't know what not to do. So I really wanna call out that failure is normal and it's okay. It's really a stepping stone, right? Like, you know, one technique that's not gonna work.
One way it's not gonna work, and success is always gonna come your way. All of your paths may lead to different paths. It may not even be security. This talk may have convinced you not to go into security as well, or, if you wanna go into security, either way, there's a long path and different, different options that you could take once you enter any field of your choice. And that said, I'm super excited for all of you and I wish you all the best. Like, I really wanna see all of you going through all of these wonderful career pathways, create your own pathways and be successful in whatever terms you think of success. That's it, I'm done. And I would love to take any questions that you may have.

Okay, thank you very much Lakshmi. That's a very, very insightful and interesting presentation that you've just given. And I think I have a bunch of notes, but I would love to give the rest of our audience an opportunity to ask some questions. I also have some that were pre-submitted, but as I said, anyone that's joined us today that sat through the presentation and either had a question coming in or has kind of come up with something that interests you throughout the presentation, I would like to open the opportunity now for you to ask questions. And also I'd like to remind all of our guests that our session will be coming to a close fairly soon. However, we have an extended discussion section where we'll dive a little bit more into the bug bounties and other professional experiences from our own students, actually. So I just wanna again invite you to stick around for that. So yeah, Lakshmi, if you don't mind, maybe if you will stop sharing your screen for the moment, we can get everyone kind of on the grid view. Oh yeah. But thank you, it was very nice. So thanks again. So yeah, as I said, anyone that is with us now, if you want to flip on your camera or unmute yourself, please feel free to ask any questions.
If you'd like, you can also type it into the chat and I can read it out and we can kind of answer from there. Otherwise, as I said, I have a few that were already kind of pre-submitted. So I'd like to open that opportunity now if any of you have some questions. So feel free and unmute and jump in.

I have one question. So you said that you have scalable security, if I remember that correctly. So does it imply that you're using an approach called infrastructure as code? Is that what you're talking about?

So infrastructure as code is one of the things I was talking about, but in general, scalable security is where we try to build out like platforms, like a mutual TLS platform, right? That can be used by every team. Now, when you have something like that built out by the security team, each app automatically, like, we also have like apps that we just provide, like base AMIs. We provide like base apps. Let's say Node.js is being used a lot more. We just provide base apps which already connect with this mutual TLS. That way, it's like scalable in the sense as many apps as possible can just spin up. As soon as they spin it up, it's just gonna be like with the mutual TLS, we call it Metatron. So with Metatron, and it comes with a bunch of things associated with it. Does that make sense?

It's a lot of terminology and products that I don't know. So it's very vague for me.

Sure, I can try to make it slightly more general.

I think I got the idea, thank you.

Yeah, okay. Anyone else, if you'd like to jump in and ask a question? Otherwise, I'm happy to ask a few just to get things moving on. Feel free to unmute and ask away. Okay, actually, Mohamed sent one into the chat. I'll read it out and then Lakshmi, maybe if you want to take a look. It's as regards to product security: what is the relation between product security and software security and platform security?

Great question, Mohamed.
So when I say product security, these may be, all of these may be used interchangeably within an organization. When you look at product security, for the most part, actually, at Netflix, I can talk to you about what product security is, right? At product security, what we do is we go in and we try to help do threat models of an application. Now, let's say there's a new feature that says you could watch a movie with your friend, or both of you can probably view two different screens. Now, as a product security engineer, I would go in, try to understand the network, I mean, the application architecture, and see if there are any flaws. Is there a way that your friend could hijack a session? Not your friend, but if it's an attacker instead of a friend, right? Can they hijack a session? And how can we go about protecting from those kinds of attacks? Or when you both are viewing together, is there a shared session, and can I go in and actually, I don't know, get your payment information or try to use your login as mine by changing, making some manipulations there, right? So that's something we do with product security. We lay out the application, we understand the architecture. Let's say JS in the front end, like you have UI, you have a backend. How do all of these things connect? And how are we going about building this feature and utilizing all of these components, right? Like we wanna make sure that no one can escalate privileges. Nobody can actually go and manipulate and modify something there. Now that's something mostly product security does. And that's what we do at Netflix. Now software security is basically, I think software security and platform security can be similar because you're just building tools, right? As a software engineer, you're building tools, technology, platforms, applications. When you build it for security, it becomes like platform security. So there are a lot of software security engineers who are in platform security.
By platform security, what I mean is you come in and you build these tools at scale. Just like I was talking about, like, let's say you go about and build an authentication system for people to log in, a single sign on, right? So if you build that out now, that comes under platform security. You're building it for the whole platform, for all of Netflix. Now that becomes platform security. Does that help with the distinction? And like I said, there are a lot of overlapping things. Within our app, product security is also called application security. And sometimes there are companies where product security has platform security within it, because we are building tools for security, for the company. So it's a little overlapping.

Okay, thank you. Yeah, any other questions? Please feel free to jump in. As I can see, some of the ones that were pre-submitted are more, less on the security topic and more insights into Netflix, just in general. Maybe even from just a general user side. Yeah, if you don't mind, I might ask a few of those. But again, I would like to ask any of our current audience members, if you have a question, please feel free. I'd like to give you guys the opportunity before I, you know, speak on somebody else's behalf.

I have a last question from me. So are you focused, or where do you have more experience, on the application side? Let's say, I know Netflix has a lot of applications, at least three of them. We'll say web applications, there are Android applications, there are iPhone applications. Maybe many more. Where do you have more experience?

Yeah, so my experience is more on the web application side, but actually I don't work on the streaming product. I work more at a data platform level. So right now what I'm working on is data lifecycle management for all of Netflix. Which means any data that comes, not just from the customer facing things, right? Like we have a lot of customer data that comes in.
We have like payment data that all of you would provide to your iOS mobile and all of it. So while I have experience in web application, I am way more focused right now on managing data for all of Netflix. Which means like, where do we store the sensitive data? How do I know that sensitive data goes from A to B? And then we have a bunch of products that do like real-time data transfer. So I work on those products as well. I don't know if Kafka is a familiar term, but we have something built over it. Yeah, we have something built over it, like a real-time data infrastructure. So I've been working more in that part now as a security partner for AppSec.

I have experience with a similar tool, I'll give it. Okay, nice.

Okay, thanks for both of those questions. Again, like I said, if anyone else has something, otherwise I can ask a few that were submitted, or I'll just give everyone else some time maybe to think of their questions. So I'll just ask a few. I'll try to focus on the ones that are a little bit more security related and then maybe get to the insights of how to use Netflix and whatnot. Two questions that kind of stick out to me are both related to kind of vulnerabilities and any hacking situations that either you've experienced or you know of in Netflix. So maybe I'll ask in a little bit more detail. The first one is, has somebody ever hacked into the Netflix servers? So that's part one of this question. And the second is, how does Netflix avoid leaks? You know, in this case, if someone ever infiltrated somehow Netflix and then maybe tried to expose, I don't know, the next big series or movie or something like that. I think that's what the question was kind of getting at. So I know it's kind of two harder ones, but...

No, that's okay. I can take that. I think if you ask me the question of like, have Netflix servers been hacked? Probably not. Otherwise, I think it would be on the news. So I don't think so.
However, coming to the second question around data leaks, right? So there are multiple ways how we manage. Now our pre, I mean, pre-release content is stored in a different place than where we store like all of the available content right now. And for the pre-release content itself, one thing that distinguishes it is of course you can't encrypt like large media files, right? It's almost impossible to encrypt it all the time. In transit, like at storage, it's a huge file. So how we work through that is we build a bunch of monitoring, for the most part, so that in case there is even a signal of a leak, then it fires an alert to like our teams, our InfoSec detection and response team, and they immediately spin up an incident, look into it, and we try to like reduce that leak to whatever extent possible by building monitoring controls. Also, I'm sorry. Having isolation with the storage also helps, because that means our detection is gonna be like, we are highly confident about our detection capability there. So that's something that also helps us prevent like content leaks as such. And also things behind our VPN, right? So we have network isolation, we have like application controls around that. And we also have authorization policies that only these teams can actually access this pre-release content, because they are supposed to work with it and put it out there on the Netflix platform at, let's say, 12 o'clock. So there's that network level isolation, there is like an application level control, and we have detection and response. That's how we try to like secure our content.

Okay, that's, again, it wasn't my question. So it was one of the submitted ones, but thank you for the answer because it's quite insightful as well.
Another one, I think you kind of, you've touched on these a little bit, but maybe just in case I'll ask them one more time: what do you consider, or what have you experienced as one of the, I mean, if you can talk about this, one of the most dangerous vulnerabilities that you've come across to maybe like solve or protect against? Because I mean, Netflix has grown over the years. I'm sure in the earlier days it was maybe more challenging, but as you get more and more experienced, you probably have overcome a lot of things. So I guess the question is like, are there still these bigger vulnerabilities that are kind of like high on your radar? Like we need to always protect against this.

So I think the basic like vulnerabilities around like cross-site scripting and those things have kind of gone away with platforms which have improved into giving like better security functions and security built into frameworks, right? One of the things that always bothers me is more around like, I think they're like simple silly vulnerabilities around IDORs, I think, insecure direct object references, which means that, let's say I go in and I see, and it's not just Netflix, just generally in the world, sometimes the protections applied on like APIs are different from how they've done it with the UI. They use different APIs and each of them is inconsistent. So which means that while they have protection to hit one API, the same thing is not applied. So I can go and extract information about like, something I'm not authorized to access. So I think these are things that I'm seeing a lot more today. Otherwise I see, I mean, not Netflix specific, but in general in the industry. From a Netflix maturity standpoint, yes, we are more mature than we were before. Like I said, like cross-site scripting is the least of our worries. Right now we hardly have any because of the framework choices we've made and stuff, but there are still these smaller vulnerabilities.
And also I think one thing that changes with the new regulations around data and stuff, it's like the way you store data differs, the way you operate on it differs from what it was before, right? So I think those are areas where we are focusing and we are trying to build out more security internally. Like the data tool I spoke about for Elias, I'm sorry, I may be butchering your name, but in your question, I mentioned this data tooling, right? Now we are trying to see, can we protect data all over the place, wherever it goes in the Netflix ecosystem? So I think those are challenges we are dealing with, versus like an end-level thing. It's not a very technical thing, but fraud is rampant. People, I think, use each other's names, that's also a thing. I mean, credentials get stolen. I think that's the part where it's a problem. So that's mostly to do with weak passwords and stuff. So I think that's one of the problems that has been common in the media industry. Those are some things I can think about.

Yeah, that's great. Actually, I thought, we don't have to dive too deep into it, but I recently saw articles about these kind of password sharings, not only for Netflix, but for all of these kind of streaming services, and that it's a bigger problem that these services are trying not to alienate their customers, but also protect and provide the security. So I'm sure there's a thin line between them; it's a balancing act. So again, we don't have to go too deep, but I've noticed it in the media as well. Ricardo just wrote a message in the chat, a question for the channel. I'll read it out. Is machine learning used in application security and scanning at Netflix?

Yes, quite a lot right now. I mean, we've started using machine learning, especially to look at our riskiest apps. So in Netflix, we have like a lot of microservices, which we call apps, and I should have probably clarified that one hour ago. So that's what I keep mentioning as apps.
So we use machine learning to rank our applications from high risk to low risk, right? And we use a bunch of factors. Some of it is our paved road tools or our platform security tools, like the usage of it, and how many vulnerabilities have been filed against that microservice? Has there been an incident? So what this model does is it goes and it has pulled out all of this data, compared all of these different, like, kinds of protection they have or they don't have, and then tried out different models and predicted like, oh, these may have an incident in the next one year, and things like that. So there's a bunch of production stuff that has happened from the application risk level thing. ML is used more in detection as well, where we are learning through, like, what do attacker flows look like, right? Like detection at a data level, I mean at data leakage level, we have like targeted solutions, but more at an all-of-Netflix level: if someone is trying to attack Netflix, then what are the patterns for that? We have some machine learning that has been used today. We have some engineers who primarily work on building out these capabilities. So there are opportunities. I mean, I should share the Netflix security jobs link. Basically. Yeah, let's get it. Yeah. Was that a question? Yeah.

So yeah, just in addition, any of the links that you shared so far, we can also share them kind of in a follow-up. I'll share some information and we may even be sharing bits of this recording. So I'll put it in the description there for any of our audience that want to check out the opportunities or some of these links as well.

Yeah. There's also a bunch of tech blogs, and that's one thing that Netflix security does, and a bunch of talks. So I'll share the links to all of those. We have a YouTube channel where you can watch all of them, and you may get more insight into like how Netflix security works and what the different kinds of roles are.
And if you talk to each one of us, we are gonna have a different level of experience and share more about it. So.

Okay, great. I can see a few more people have just joined us. For those of you who just came, we did go through a presentation already, kind of giving some more details and insight across various subjects. Right now we're in the kind of, I would say the tail end of our Q&A session, and very shortly we'll kick off a discussion section on bug bounties with our student that professionally does this as well. So just kind of catching up everyone on where we are. Yeah, so on that note, I would say, just to kind of be mindful of the time, if anyone has one or two more questions, maybe we could jump in with those. And Lakshmi, I already thank you for the time. I don't want to keep you too long, too much longer in case. So as I said, anyone else that wants to add a quick question here, now's the time. So please feel free to unmute and ask away. Otherwise, if you'd like to, you can write it in the chat and I can read it out. So please feel free.

I don't want to ask this question one more time because I'm just feeling like I'm asking too many questions, but is there, do you address those vulnerable... sorry, how do you address vulnerabilities of products that you use? For example, as you remember, the SonarQube code that got hacked at the end of last year, and IntelliJ products, which are also quite commonly used by developers, were also hacked and source code of some companies was available to hackers. Is there any way you address those issues?

So how we do it: we have a vulnerability management system which is built internally. What it does is it gets the feed from Sim, I guess. There's this company which actually does only this: as soon as they either find it on the dark web or, like, you know, that something has been leaked, or if it is through companies, there's always an alert that is set up.
And once we get it in our vulnerability management system, it goes in and it checks if we use any of those packages, or it automatically checks if we use those versions of those packages, and then it identifies and flags it for us. So that's one of the automations we have in place. It's called Vulkan, our vulnerability management system. And I would assume there's a blog about it. I will share that after the call today. So that's what we use for vulnerability management. And when such industry events happen and if we know we use it, we immediately spin up an incident. Like I said, the incident response, right? We spin up an incident, we try to understand what the vulnerability was, and we go through the logs to see if we've been hacked in the last 60 days or has someone used this vulnerability to hack us. Then we go about, I mean, then we also in parallel try to patch it locally as much as we can. If we can bring that package down, great, but most of the time you probably have to do a patch, especially if it's facing like the streaming product, which is Netflix.com, right? Because that will cause a lot of, I mean, problems to our customers. So we usually try to do a local patch and go through this whole cycle of like trigger through our vulnerability management system, incident, and then try to solve and patch that from our end if there is no patch available from the vendor. I think with most zero days, like you mentioned, there's no patch available from the vendor. So we have to build our own thing temporarily.

Thank you. Yeah.

Okay. Yeah, I guess as I said, being mindful of the time, we're a little bit over our session now. So I'd just like to say thank you very much Lakshmi for the really interesting and valuable insight that you've provided. It gave us more than just what do you do at Netflix, but actually you gave some great tips on how any one of us could actually get into this industry if we were interested.
And I'll be happy to share any of those resources or the blogs or the links that you shared later on, when we do a follow-up email. So yeah, I just wanted to say thank you for your time and for a great presentation. And before we end this session here, I would also like to introduce our student, Sebi, who helped organize this session in general but will also continue immediately following this, talking about his experience with bug bounties. So again, Lakshmi, one more time, thank you very much for joining us.

And thank you, Lakshmi, for this presentation. I will try to do another session where I will do some mini recon stuff, how to report the issues, and a little of the history of bug bounties, how it evolved over the last years. So if you want to check that out, I will show you the practical mode. And again, thank you, Lakshmi, for doing this. It was a really extensive and informative presentation.

Thank you so much, Ray and Sebi, for having me. I know this was delayed a little bit and I appreciate all of you attending today. I'll just share my Twitter handle; if you folks have any questions, you can definitely reach out to me on Twitter. This was a really good experience and great questions. It's always nice to come talk about something and actually get questions. Yeah, so I'm very happy, and thank you for having me. Let me know if you have any questions through Twitter. And Ray, I'll share the resources with you.

Absolutely, I'll be in touch within the next few days. I'll share the links and I'll share the recording, and we can touch base as a recap. So yeah, one more time, thank you very much. Those of you who are still with us and would like to look a little bit further at some of the topics that we've talked about, and specifically about bug bounties, please check the chat, as we've just pasted the new link in there, because we'll actually have to switch sessions as I stop the recording and we prepare for the second one.
So yeah, I guess on that note, Lakshmi, I'm sure you're busy on the other side of the world and probably have a full work day ahead of you. So thank you very much for giving us the time, and yeah, it was a pleasure.

Thank you, thank you very much. Thank you, Sebi.

At the end of the session, you'll get the view from the other side of things. I would like to do a mini recon, just trying to find mini vulnerabilities and stuff like that, yeah.

Sure, go ahead, yeah. Cool. Take care, bye. Thank you, and have a nice day, Lakshmi.

Yeah, thank you, Ray, and you all have a good night, take care.

All right.
