Eslam is a security professional with experience in web application security and testing. He has provided consultancy to a wide range of organisations before joining Founda in July 2021, and has worked since then as an in-house security engineer. This is a quite uncommon role in the early stages of a startup. In this article, Eslam explains his work and the culture of security at Founda.

‍

‍

Work at Founda Health

Hi Eslam! Can you explain to us about your role as a security engineer at Founda?

“I’d like to describe it as bringing the hacking mindset in the processes that we run. I identify the processes and find possible weaknesses and recommend to the team on how to tackle those. There are risks in a development lifecycle, my role is to create an understanding of those risks and advise the team on how to integrate security in this process. That also means bringing security standards in place to ensure the security of the platform.”

You joined Founda quite early on – you spent a few months here before the platform went live. It is quite unusual to have a security engineer at such an early stage in the product development process. What do you think about that experience?

“Founda puts security as a top priority, it is nice to be part of an organisation that takes security seriously. It is good to establish a strict security baseline. From the very beginning, we have been in control of that.”

Is it unusual to start working at such an early stage in the development process?

“Yes, it can vary between companies, but often there is no one to check the security side of things in the background to ensure a high level of security is in place. But the development process needs to be reviewed and secured. Many companies don’t do that because they lack the funds or don’t see the importance of implementing additional security measures.”

Are there any challenges working at Founda as a security engineer?

“The challenge is when communicating the security controls that should be put in place, I have to find the right balance to not interrupt the development process, but still build a big cultural awareness of security. It’s interesting to think as a team about security risks.”

How is it for you to stand apart from the development team, being a lone wolf? How do they react if you point out a vulnerability?

“The reason I’m not in a team is because I need to find vulnerabilities on all aspects of the platform, not in one team specific. The teams react very fast, and there are quick meetings to run through identified risks and the ways to solve them. If there are any vulnerabilities, they are always fixed right away.”

Are there other challenges, apart from keeping the team on their security toes?

“At Founda there is a complex environment with a variety of technologies being used. I need to have an overview and understanding of all vulnerabilities in all technologies used, and of course come up with solutions. Apart from possible product related security issues, we also need to consider Founda as an organisation, everything is included in the security process.”

Pentesting

What does your work process look like?

“The process starts from design and goes to release; I will look at the design and go through the possible risks and recommend solutions. When the code is written, I review the security of the code and identify possible vulnerabilities, and then work with the development team to fix them. Before releasing the code, we will do a pentest – a simulation of a hacker to see if we can compromise a certain function.”

What are the results of pentesting? What does it mean to the company?

“The results of a penetration test show the current security state of the platform. It gives an insight on what a malicious hacker can do from an external point of view and if he gains access to certain systems. With these results, we can take actions to mitigate any possible risks.

This means that the team can focus on developing the product, without losing track of security related issues.”

You’ve mentioned thinking like a hacker a few times. Could you elaborate more on the hacking mindset?

“To put it in a simpler way, instead of thinking from the user point of view, we ask the question of what a hacker can do and what hackers are looking for.

Healthcare data is extremely privacy sensitive, so our platform needs to be as safe and secure as possible. Thinking like a hacker forces us to actively think about the possible security risks, and take steps in advance to avoid them.”

What are the benefits of having an in-house pentester for the company?

“There are tools that can be used to catch the low hanging fruit, but bigger and deeper issues need to be found manually. This takes time and dedication. That’s why an in-house pentester is very beneficial for a company – their full attention goes to the security of the whole company, not just one project.”

What is the schedule like for pentesting?

“Pentesting is done continuously. We have planned manual testing periodically, in combination with automated testing during development.”

Now Founda is live with Treant Zorggroep and OnlinePROMS. Are you still monitoring that?

“Yes, we’re constantly testing the environment to make sure that there are no security issues. By doing so, we ensure a safe and secure integration – both during the development phase as well as in production.”

‍

‍

Consultancy to in-house

Before you joined Founda Health, you’ve been providing consultancy for big firms. How does that differ from in-house security engineering? Are there any additional advantages of an in-house role?

“In consulting you deal with different customers, this means that with each project you have a timeline and you need to get used to the environment of the customer within a short time period. In contrast, at Founda, I’m involved in the development of the environment from doing threat modelling to reviewing the code and testing it.

In addition, the team always has a security expert to reach out to, so a good relationship of trust is established. This goes the same with our clients in healthcare – they put trust in us that we will secure the transit of information between the Founda environment and theirs."

‍

"It is our responsibility to build a secure platform."

‍

What made you decide to go from consultancy to in-house?

“Security engineering is very critical in building any platform. There are lots of responsibilities entailed. At Founda, I get to participate in the whole process from start to end. Instead of finishing one project after another, there’s the chance for me to really help build something big.”

And why did you choose to work in healthcare?

“I’ve worked in healthcare before. In healthcare the risks of data exposure are critical and it is important to make things secure and ensure privacy. I get to secure the data and be part of Founda’s mission to unlock the best possible care by bringing innovation to healthcare.”

Talking about vulnerabilities, I heard one time that hospitals can get hacked via, for example, the fire alarm. Is this a fact or a fable?

“Every system has weaknesses, how you set up a connected system like fire alarms can have influence on compromising a network. But if you have a secure architecture built on zero trust, then you can rule out these types of risks. All in all, we work more and more in an age of connected systems and IoT technology – the internet of things. As long as there are connected devices sharing data, there are risks of a data breach.”

Okay, final question: Do you enjoy the work?

“Yes! Every day there is something new, I get exposure to all kinds of technologies in an exciting field. I never have to get bored and I work with a very enthusiastic team.”

Do you like Eslam's story and want to join the Founda team? Check out our open positions on our career page!