Can you introduce yourself and tell us a bit about yourself and your background?
My background is in computer science, and I have always had a passion for technology since I was a kid. I was an avid gamer, which helped quite a bit in further establishing my curiosity, trying to figure out how computers were built (which sometimes ended up with my PC no longer booting).
During my studies I started out as a coding teacher at Codefever, where I taught coding to young kids. During my time at Codefever I discovered the joy of knowledge sharing. After that I joined Software Improvement Group (SIG), first for a summer job, and later I ended up working full time at the company as a consultant. Currently I’m combining both my experience in teaching and development into my day-to-day job.
I’ve been at SIG for around two years. It started out as a summer job, which then evolved into a part-time job during the academic year. I stuck around and then grew into the position of Technical Consultant. During that time, I specialized mostly in maintainability and governance. Somewhere one year in I discovered that my passions and interests were closer to security and AI. After doing some initiation projects it was clear I was a good fit, and I evolved to the position of Software Security Consultant.
What is your job and what does a typical workday look like for you?
My day always starts at the coffee machine, as it does for most people. To set the stage on what I typically do, it makes sense to briefly share some details on the company I currently work for.
SIG specializes in analyzing and certifying codebases for maintainability aspects of code, more precisely ISO 25010. To enable us in our analysis we use internal tooling to analyze the codebase on metrics such as maintainability, security, and overall build quality. These results get registered in our benchmark (which we have been building for over 20 years!). Using this data-driven approach we are able to measure current industry standards and improve them over time. Through our software assurance guiding platform, Sigrid, we enable clients to take a risk-based approach to improve the health of their IT landscapes.
The actual content of the day depends on the stage of the project I’m currently involved in.
A project starts with introducing the client to our research model and the way of working. Afterwards we start our information gathering phase, consisting of interviews and reading documentation. Here it is important to understand and to know the system inside out. This is followed by the analysis phase, where we run tooling as well as read parts of the code base to identify issues.
These will be reported with recommendations to improve. I never write solutions; we act as an independent third party. A fresh set of eyes looking into systems.
Outside client work, I also work on internal security- or AI-related Research and Development projects. This can go from developing a new quality model to looking into techniques to improve security reporting to users of our software quality assurance platform.
On top of that, I’m also a security officer; in this role I ensure that information security practices are correctly followed by my colleagues and suggest improvements if needed.
What attracted you to dive into security and artificial intelligence?
My hunger for knowledge and curiosity. Security and AI were not broadly taught during higher studies except if you specialized in those fields, which is quite a shame. These aspects are getting more and more significant in the field.
Secondly, I’ve always been some kind of activist, and in the field of security and AI you can actively help in building more secure and fairer code.
Certainly knowing that information used to train AI can be biased, because we as humans are always biased. Part of my research work is establishing a quality model to prevent as much bias from training data as possible.
There is also a lot of work to do in the security field. After the ransomware wave, the Covid pandemic and vulnerabilities found in widely spread open source libraries, people are more aware of the importance of security. More effort is needed to integrate secure coding practices into development lifecycles.
How about when you’re not working? Any hobbies or interests you’d like to tell us about?
In my free time I’m an avid fish keeper and I like to be active (powerlifting, walking).
I like any fish that you can put in a tub of water without it being animal cruelty ;).
Currently, I mainly focus on keeping tropical fish and shrimp, as they live in temperatures that are quite close to “room temperature”. Besides that I also keep a marine tank with fish and corals. My dream setup would be a huge tank where I would keep and grow different types of corals. A lot of the special types of corals are sourced from the ocean, so I always check on the origin of animals when I buy them, as I want to avoid buying anything that might be sourced from protected areas.
One day I hope to have a huge setup where I can grow corals, share them with other hobbyists and maybe even contribute to the research efforts to save current reefs.
In the first picture below is my Malawi cichlid tank, currently containing more fish than in this picture as they tend to breed quite easily in captivity.
Next is my marine tank, when the corals were still quite small and in the process of growing in.
Action shot of my clowns hosting my torch coral. When being bred and grown in captivity they don’t know what an anemone is, so they host anything they enjoy living in. I even bought them an anemone, but they prefer corals.
Freshwater dwarf shrimp setup. These are where the mini freshwater creatures live.
Got any favourite walking routes?
Not yet, but I do have two types of routes. One fixed short one for when I don’t have much time but still want to move around a bit. At other times I just walk and choose roads that I’ve not come across yet, which creates a random route each time I go out.
Path generation algorithms tend to seep in from time to time :).
As a fan of the LOTR movies, are you currently watching The Rings of Power TV series?
I started watching it. I saw the first few episodes and after that I got distracted by other series in my watchlist. So far I quite enjoy watching The Rings of Power series; I try to keep the lore from the books separate from the series.
What or who got you initially interested in coding and / or pursuing a career in tech?
I was always interested in tech as a kid, since I picked up gaming. I was up to date with all the newest hardware and what the future would bring. Later that evolved into building and fixing things myself: computers, phones, anything with a chip in it.
The moment I had to decide what to do with my adult life I decided to move to software and start building stuff there.
What does the software path that brought you here look like so far?
The very first language I learned was Scheme; it’s a recursion-heavy functional language that’s a dialect of Lisp. It helped me understand how programming languages and paradigms work, which in turn helped me to learn languages at a quick pace.
After that I got into C and assembly, and was quite into low-level programming. This was then followed by Python, mainly used with Django for web development. For OO I usually used Java or Scala (with Scala as the preferred language).
At the moment I’m experimenting with/learning C# and the Azure deployment environment.
Having experimented with these different languages currently helps me in my day-to-day work, where I come into contact with different technologies almost every day. Although I’m not a day-to-day coder in my current job, I still code some hobby projects in my spare time to make my life easier.
If you look back on when you first started out, what advice would you give yourself?
Don’t take yourself too seriously.
And being one of the few girls in the group does not mean you always will be one of the few girls.
Are there any particular women in tech who have inspired you?
Sadly enough, no. Of course I’ve heard about notable women in tech, science and math, but I only knew of them when I was in my early twenties; I would’ve liked to have known them during my teens. Getting kids in touch with strong women in tech would help to relieve the stigma and inspire people.
Do you have any favourite resources or projects you like to follow?
- PortSwigger Web Security Academy: https://portswigger.net/web-security
- SecureFlag knowledge base: https://knowledge-base.secureflag.com/
- OverTheWire wargames: https://overthewire.org/wargames/
- OWASP SAMM: https://owaspsamm.org
- Open CRE: https://www.opencre.org/
What's the best starting point for people interested in cybersecurity?
What got me started was doing some social engineering on a non-digital level. I did this in my role as security officer: I tried to get access to my own office without identifying myself, etc. If you do these types of things, please make sure it is legal. If you do this without it being legal, you did not get this idea from me ;). The idea is to get into the mindset of someone trying to get something illegitimately. When you understand that, it is very easy to make the switch to the digital space.
Start reading about vulnerabilities and attacks, try to understand them and think of ways to use those on websites you visit or apps you use (please do not try to actively hack into those, see the rule above).
If you want a more practical approach, you can search online for some machines that you can try to hack.
Hacking and getting to understand vulnerabilities is not the only thing you can do in the security space.
For people who want to be more on the governance side, you can read up on Secure Software Development practices and think about your internal organization. Are you following the best practices? What do you need to improve? Are you at risk?
There are multiple ways to approach security; at SIG we take the defensive approach. We are reading and looking into code to search for things that might become a vulnerability and that might be exploited in the future. This is also called the Blue team approach. You also have the Red team approach, which is more on the offensive side. There you try to actively hack into a system; here you are actually exploiting the vulnerabilities found in the system.
Try to find out what interests you the most, where you get the biggest thrill from.
What are the basic requirements for someone who wants to specialise in cybersecurity?
Thorough reading skills and having an appetite for knowledge and investigation. Depending on what field you would like to dive into, different skills are required. Being a pentester who cannot write code makes no sense, and trying to specialize in vulnerability scanning without being able to interpret code will also not help you in your mission.
Anything in the security field can be learned; you can find great sources and books. But the great ones have a certain affinity for it; this is just the same as with coding.
Any skills or traits that should be more valued amongst cybersecurity specialists?
Being able to explain complex security concepts/issues in layman’s terms. This really helps in building awareness. Also, if the people working on the software containing the issue don’t understand the issue itself or its severity, the chance is high it won’t get solved any time soon.
Findings have no value if the one you’re reporting to has no idea what you’re talking about even though you lay out the solution for them. This will only lead to them repeating the error, maybe in a different way.
What are some of the most common cybersecurity issues and where do they occur? (certain platforms, technologies, ...)
The most common cybersecurity issues are vulnerabilities imported through open-source libraries (Log4j being the most notorious one). I have yet to come across a system that has 0 vulnerabilities in its dependency tree. Python is quite sensitive to this due to its nature of depending on a bunch of libraries without the developer always being aware of what is imported.
PHP is also known to be hard to secure, but definitely not impossible. I have seen some engineers doing a great job integrating secure software development practices into a PHP system.
If you are looking for the most frequently occurring/critical vulnerabilities, you can look into the OWASP Top 10 (https://owasp.org/www-project-top-ten/).
What do you do or what would you like to do to spread some positive change to our society through your job? (Question from Lisa T)
Getting software right for a healthier digital world is the slogan and mission of SIG, and is exactly the reason why I joined. We analyze all types of software from all over the world, and often very critical software affecting people in their day-to-day lives.
What I try to do is spread awareness, not only to devs and other people in charge of the software but also to end-users. Them knowing the challenges and issues helps them to make better requirements and choices in the future. A very prime example is the Android Play Store, which currently shows in a more transparent way what information might be shared with the app provider and third parties. Change and improvements often happen from bottom to top. If the masses are not happy, then the ones in charge need to change things to make them happy.
Do you have a mentor and what does this person bring to you?
I do have a mentor, Rob van der Veer. He brings a bulk of knowledge, as he helped write standards for AI and Security. Having someone to look critically at my work, but also to guide me in search of the right questions to ask and research, helped me in my development as a researcher and also helped me expand my knowledge on a short-term basis.
What made you join the women.code(be) community?
I wanted to connect with other people (women) that are in the same field as me. I’m interested in other people’s stories and experiences, first because I’m quite curious, but secondly because I want to get out there and help diversify the tech industry.
How could the tech industry be more inclusive for women and minorities?
Putting women and minorities more into the forefront. The tech industry needs a whole PR revamp to show that although there is low diversity, it is still there. There is much need for role models, as inspiration and to fight the current bias around the typical IT/tech person.
We hope you enjoyed Asma Oualmakran's story, feel free to share this article with your network. ❤️