Interview with Christian Martorella, Skyscanner

Tell us a bit about yourself

I am currently the CISO for Skyscanner, but I started my career in cybersecurity more than 20 years ago. I started in offensive security focusing on penetration testing, web application security, and research, around 10 years ago I switched to defensive security and have been working closely with product organizations to create secure services and products at scale like Skype and Microsoft. I am dedicated to ensuring the full Software Development Lifecycle is as secure and automated as possible in a modern cloud native environment. My main focus is on design reviews, threat modeling, static code analysis, infrastructure as code scanning, supply chain security, container security, and AWS architecture – and doing it all at scale. I like to focus on the culture of security since it is the most important aspect when working towards protecting a company.

You’ve been in the IT security field for over 20 years. What are your thoughts on the connection between software development and application security?

The connection between software development and application security is fundamental – the security of an application will depend on how it is designed, implemented, and deployed in production. 80% will depend on the software development teams, design choices, understanding the threats and risks, being familiar with mitigations, and having proper tools to prevent mistakes in the implementation.

I like to view applications as a pyramid where you have your design review and threat models at the bottom – the container where the application runs is secure, the open-source libraries used are secure, the code is scanned, and finally dynamic testing and runtime monitoring in production at the tip of the pyramid. Nowadays, with the mindset of shifting security to the left, and everything turning into code, developers have more tools at their disposal to ensure they are creating secure software at every level of the stack. 

As a director of Security Engineering, what are some of the everyday challenges of your job?

The fast pace of Skyscanner’s product engineering organization and the distributed structure makes it an exciting challenge for the security team to cover everything and to focus on the right things. We operate in 52 countries globally and right now over 60 million travellers use our products and services every month. We are working on improving our processes to identify the more at-risk services and features so we can engage with the right teams at the right time.

Keeping the supply chain of the SLDC up to date is demanding, and ensuring that teams are fixing the vulnerabilities that are relevant is not easy when projects are made up of dozens of open-source libraries. We designed a set of security-related scores that let us surface only the important and relevant vulnerabilities to the teams based on context. This approach helped us transform the way security is looked at and how we take action, while simplifying the noise and the security language used to communicate across the company. 

At a conference several years ago, you mentioned the importance of situational awareness. What do you think are the best ways to increase it?

Situational awareness means understanding what is going around you before making any decision. When I talked about it in the past it was in the context of knowing what you are protecting before you can decide how to protect it and where to invest your time and resources. Also, in the context of software development, situational awareness can be translated in terms of having the right awareness and training to understand that what engineers are creating can be abused, and being able to propose mitigations.

You’re an advocate of shifting security left. How can a fast-growing company implement this approach?

Shifting to the left has been something we’ve strived for in all my recent teams, and we see a lot of value in reducing the feedback loops and tackling the security issues early. We know that fixing a vulnerability in design could cost 30-40x times less than doing it in production. To be able to design services securely, training and awareness are fundamental for the engineering teams.

Fast-growing companies are likely to be cloud native; this is an advantage when you want to implement automation in all the layers of your services, from cloud infrastructure (IaC), containers, supply chain, code, and runtime protection. 

You interact with multiple teams in your role. How do you motivate developers to treat security as a priority in software development?

We have worked closely with engineering teams to embed security in all phases of the Software Development Lifecycle. For example, we have a design review process where every team follows the same process and security has a dedicated section with a checklist to guide their thinking, plus we have a threat model process for critical services and a classification process to find such critical services. We have security automation at every phase of the project, we do Infrastructure as Code linting with our OSS project Cfripper, we use Snyk OSS for our supply chain security, Snyk code for static code analysis, and we use AWS ECR security scanning for Docker. Finally, we introduced a security grade score where we surface in multiple places like the Engineering Scorecard and the Operational Excellence report. Every team, service, and component will have a security grade along with the actions they can perform to increase it while reducing the risk. We also introduced feedback loops in multiple places like GitHub PRs, Chatops messages (Slack), Dashboards, etc. It’s all about equipping the engineering with the right tools and processes while reducing the friction on their workflows.

You work in an organizational structure that includes many squads/teams and thousands of individual projects. How do you ensure all these teams have good security awareness?

We focused on ensuring the engineers have a comprehensive onboarding experience when it comes to security, starting with a face-to-face presentation about security and how it operates in the company. We then created an online training plan to focus on the areas and vulnerabilities relevant to our tech stack, and finally, we started holding hands-on training dealing with relevant scenarios using the Avatao platform, as there’s no better way to learn than by doing.

We also introduced a Security Champions program to scale out our security capabilities with the goal of increasing awareness in the organization and increasing the skills of key individuals. We write articles on our internal blog about security and lessons learned from other companies (pre-mortems), we do presentations in All hands meetings, Security and Enablement guilds, etc.

When it comes to security, there is no such thing as over-communicating. 

What do you think the best tools and options are for raising security awareness and improving your developers’ security skills?

During the pandemic, people got tired of online training and events, so I believe the best options are hands-on training and better feedback loops, being able to get a nano training surfaced when a vulnerability is detected in the code, for example. If the tools detect an XSS vulnerability, it will be great to offer nano training explaining the error and how to prevent it in the future targeted to the developer. We are also working towards targeted training based on the vulnerability intelligence and the contextual information we have and are going to create specific labs in Avatao and onboard the teams that have those specific needs. Cultural transformation is a long journey, but it is better to start early and keep the pace up.