Thursday, April 29, 2021

My story of how I got into Security

My personal journey for security started in high school. I wanted to create a distributed storage system across systems I didn’t trust. This led me to read Bruce Schneier’s Applied Cryptography book. This book opened my eyes to the amazingly complex and deep puzzles that need to be untangled to make real-world systems secure. In particular, there is a section on how to use cryptography to make a voting system secure. The consideration of trade-offs between anonymity, integrity of votes being counted, and confidentiality of votes cast was extremely fascinating to me. This led me to go to college with the intention of becoming a cryptographer.

I had dreams of creating new unbreakable ciphers. Sadly, after taking classes and doing further research, I discovered that in a well-designed system cryptography is typically not the weak link. In fact, it seemed to me that if people simply did the right thing, security was sort of a “solved” problem. This turned me off of security, and by the time I left college I was still interested in the topic, but it wasn’t where I thought I would spend most of my career.

My first job out of college was as a software engineer on the vendor integration team for Google Payments (GPay). About a year into this role, there was a new group being started: Payments Security. Given my interest in security from college and the opportunity to be part of something new at a big place like Google, I jumped at the chance. This was around 2013.

From there the Payments Security team (PaySec) grew alongside the Google Payments organization. The team was initially primarily responsible for protecting all of the credit card, bank account, and social security numbers, and any other sensitive data users entrusted to Google for money movement purposes. Google Payments was used for almost all money movement at Google, from AdWords, AdSense, Drive, Cloud, and Play to the Google Pay product. So there was a lot of this sensitive data that needed to be kept safe.

The amount of sensitive data that Google Payments needed to protect was enormous, just like everything at Google. I ended up leading the PaySec team from 2014 - 2020. During my time, we invented numerous technologies and techniques to keep this sensitive data safe. Many of those techniques are now commonplace in the industry. For example, we had something we called edge tokenization, where we could limit the number of places needing to ever have sensitive data in memory; this is now a common feature of well-designed card payment systems such as Stripe’s Vaulting.

Ultimately the team grew from protecting just the sensitive data to many of the aspects that you would associate with a security team, such as security design reviews, internal red team exercises, vulnerability remediation, and incident response, plus creation of key security-critical infrastructure and libraries.

At the end of 2020, I left my role at Google on PaySec and joined Veritone. I am currently leading an effort to create a security-focused product that is looking to use cognitive systems to improve authentication. I am also creating an Application Security team dedicated to AiWARE to ensure AiWARE remains a highly trusted place to do processing.

My teams are hiring! If anyone is interested in knowing more and joining me at Veritone to democratize access to AI-powered security solutions, please reach out! - chardman@veritone.com

Public job postings:

