People of Symphony starring Damjan Cvetanovic: Application Security as an Engineering Mindset

Symphony logo
July 7th, 2021

Meet Damjan, or shortly Daca โ€” our youngest engineer (only 22) whose job is to make sure Symphony provides secured apps for clients and paths of its internal communications. We were curious to hear more about the influence Damjan has had on our engineering community and what he has been doing for the security of the systems our community creates. Application Security Engineerโ€™s job is to proactively explore and point out the vulnerabilities of a system, which is essential to building highly secured apps with protected data.

From Googling How to hack Facebook to acquiring OSCP, Security+, VHL Advanced+, eMAPT certificates

Damjan likes to use the term Ethical Hacker to describe his profession, and you must admit that sounds cool! โ€œThereโ€™s a whole lot of theory to it. When I started exploring this branch of the IT industry, my biggest problem was the fact that I didnโ€™t own a machine strong enough to launch all the necessary tools; therefore, I stuck to the theoretical part of the science. In order to be able to acquire some hands-on experience, you need a virtual machine which you can attack in different ways and on different security levels.โ€ Damjan emphasized that platforms like Hack the box have helped translate his theoretical knowledge into practice.

On the other hand, getting certificates played a significant role in his learning curve. โ€œYou learn while preparing to take the tests, but you never know what exactly the challenge will be. I am currently studying for an OSCE3 certificate, which will give me a broader insight regarding all the aspects of security - web, Exploit Development, AD and Linux, AV Evasion.โ€

Security is about protecting the integrity of a user, a client, and a company. This is the way we share the know-how here at Symphony.

โ€œI would say that my mission here at Symphony is to raise the awareness among our software engineers of severe consequences that can occur if we neglect the security aspect of the systems. We need to protect the data, protect userโ€™s privacy, protect our clientโ€™s credibility, and protect the integrity of our development teams.โ€When speaking about raising awareness, we actually refer to education and knowledge sharing. This is why we organize Security Workshops conducted by Damjan for our QA, DevOps, and Software Engineers. How do we do this? Every workshop has 6 participants with different backgrounds; we pair them up in teams of 2 and let them practice Black Box and White Box attacking. Damjan recognized this method as a neat way for our engineering teams to acquire the security knowledge they later use during software development.

โ€œThe goal of these workshops is to educate software engineers on the latest attacks that happen within new technologies they use, and to help them proactively protect the systems they are building, rather than doing it reactively after the potential damage has already been done. Providing secure software solutions to our clients is one of our main goals.โ€ - Damjan added.

โ€œIf you want a system to be 100% secured, it has to be offline.โ€

Staying in the loop with the latest trends helps Damjan stay proactive in terms of finding vulnerabilities within the systems rather than solving security problems after they occur. Blogs and courses such as BugBytes and IppSec help him find out about the latest attacks that he later tests within the systems our engineers create. โ€œThere is no such thing as a completely secured system. If you want it to be 100% secure, it has to be offline,โ€ - Damjan jokingly states. But, all the laughs aside, preventing potential vulnerabilities is the essence of creating solid and credible software solutions, which is the most challenging aspect of building secured systems.ย 

What about some security advice for some of the regular fellows out there? Damjan answered: โ€œKeep your private things away from social media, especially credit card details. Use Multiple Factor Authentication and Password Managers, and please, do not put the name of your first pet as a password!โ€