Security engineering


Three questions about security engineering for Martin Burkhart, Dr. sc. ETH Zürich, Web Application Security Product Manager


How does security engineering differ from other engineering tasks in software development?


Pure software development focuses on the requirements the customer places on software from the business side. The most important criteria here are full coverage of all business processes, data migrations, the adherence to deadlines and the user experience. With security engineering, the focus is completely different. Here, assumptions are questioned and attacks are anticipated. An analysis is carried out as to whether the developed system may cause things to be thrown off course or whether tricks could produce undesired side effects. Whilst software development focuses on the desired operation, a security engineer systematically analyses the system at its limits and looks into any possible undesired functionalities.


Are there typical challenges in the field of security that lots of companies are currently facing?


Digitisation encompasses various industries and results in an increasing number of business processes being made available online. In future, browsers and mobile apps will be the dominant interface between their customers, employees and applications. Furthermore, our customers are mostly interested in securing access for their partners and integrating services from other fields. This leads to big challenges in terms of identity management and access control. We always work out the solutions for this in close collaboration with the customer. Several decades of experience in security engineering led to the development of our Airlock Suite. The Airlock Suite provides a secure and efficient web access management system that protects modern web applications. The Airlock Suite enables strong authentication, single sign-on and protection against attacks to applications such as cross-site scripting (XSS) and SQL injection to be prepared for and implemented.


Which competences do security engineers have and what can you expect from a consultation?


Security engineers have strong analytical skills and are familiar with the state-of-the-art methods and the tools that attackers use. Due to their experience, they are able to take the perspective of an attacker and put their finger on any weak points of application architecture. Security engineers systematically analyse an application's sensitive data and the risks that it faces. Within the scope of a risk assessment, they suggest concrete measures to curb the biggest risks in a cost-efficient manner.