Since its inception, Slack has fostered a culture of inclusion and diversity. The Security organization at Slack is a prime example of how women can thrive in the security space, transitioning to security from different backgrounds and expertises. With Slack’s strong commitment to diversity, it should not be a surprise that nearly a third of the security employees at Slack identify as women and more than third of Security leadership consists of women. We are excited to share with you some of the stories of the women of Slack’s Security team.
What is Slack doing in the security space?
Suzanna Khatchatrian Senior Engineering Manager, Product Security Foundations
Our customers depend on us to keep their data safe — the measure of our success will be the value we create for them when work systems aren’t getting hacked, and when workers aren’t worrying about the confidentiality of their data. Our mission, in Slack’s Product Security team, is to make people’s working lives more secure.
Slack’s Product Security team works with development teams across Slack to enable adoption of best practices for building secure products. The team pursues this goal by participating in the product development lifecycle, building components to solve harder security problems, deploying tools to detect coding and configuration failures, and creating and delivering customized developer training.
Two years ago the Product Security team was split into two subteams:
- ProdSec Classic (PSC): This team is focused on traditional application security aspects to ensure Slack developers ship secure products. PSC engineers perform security reviews of new features, run static and dynamic scanning, coordinate penetration tests, manage the bug bounty program, and provide testing frameworks to improve vulnerability detection and the secure development lifecycle.
- ProdSec Foundations (PSF): As the founding manager of this team, I was tasked with building a new and innovative team with backend engineering capabilities and security expertise. The team’s mission is to “future proof” Slack against classes of vulnerabilities by building secure-by-default services, libraries, and tools.
Here are some examples of work done by the Product Security Foundations team in the past couple of years. This work has had a big impact in hardening our product, reducing the volume of security incidents, and fostering better engineering practices.
Image Processing Service – A new service that insulates production data and infrastructure from vulnerabilities in image processing libraries, and improves overall image upload performance, reliability, and security.
Crypto Library – Cryptography is really hard to get right, and subtle errors can have big consequences. PHP doesn’t help — it exposes low-level interfaces that require the caller to specify confusing security parameters and is extremely permissive about input and output formats. lib_crypto is designed to be misuse resistant, with strictly typed input and output objects, that can be used for all of Slack’s backend cryptographic needs.
HTML Sanitizer – This library protects against cross-site scripting attacks by sanitizing HTML for unfurled links posted in Slack. Our library is open source, available on the public SlackHQ repo since August 7th, so anyone who uses Hacklang can also have an HTML sanitizer and contribute!
Log Canary – This tool automatically detects and alerts accidental logging of tokens and other sensitive data (e.g. message data, channel names, or file names).
The team is currently working to solve other complex problems including authentication hardening and simplifications, malware detection and prevention, and kubernetes hardening.
What is it like to be a woman leader in security?
Nikki Brandt Engineering Manager, Product Security Classic
Originally I found myself on Slack’s doorstep because of an opening for a manager in Product Security. Prior to Slack, I had been working as a consultant, doing technical work while also managing other consultants (and some interns!). This gave me a taste of people management and a hint that I might enjoy doing it full-time, but then-CSO Geoff Belknap told me directly after I interviewed: I didn’t have the experience they were looking for in a manager for Product Security, but Slack would love to have me join the team as an engineer.
As a consultant, I was going in between companies every few weeks, many in the tech space. Think of a tech company in the Bay Area: I’ve probably consulted for them! I had seen so many engineering organizations and cultures in my work that when I interviewed with Slack, I knew it was a special place. It wasn’t just my interviewers saying that what they loved most at Slack was “the people” or the diversity of my hiring panel. I was really drawn to how transparent the organization was, and how little siloing there was between different parts of the engineering organization. I now know that this transparency, openness, and culture of information sharing is driven by the very product we make. But back then, I was just like: Whoa! This organization really understands collaboration! Where do I sign?!
And so I joined Slack as an engineer on the Product Security team and dove into all the technical work that was offered to me. I loved the breadth of the work and the degree of responsibility I was given right away. In less than a year, I took ownership of our security review process, among other things. Then the unexpected happened: I was given the opportunity to move into an incredible role taking on people management responsibilities while still being able to contribute technically. I jumped at it!
In this role, I was able to continue to utilize my technical background while also growing and exploring people management at Slack. I worked on technical efforts like standardizing our security review process and securing Slack’s App Directory, while also growing my team from 3 to 6 engineers and helping several of my people through difficult phases of their career development. After about 18 months in this position, I transitioned into full-time management at the beginning of 2020.
In many companies, I would not have gotten the chance to move from engineering into leadership. At Slack, I not only had the support of my leadership (including the inestimable Larkin Ryder) and peers in security management (including Suzanna Khatchatrian, who is also in this blog – hi Suzanna!), I also saw women like me successfully make the transition from being amazing engineers into being amazing engineering managers at Slack, again and again. I could fill a whole page with the names of inspirational female leaders at Slack, but I don’t need to — just look back through our engineering blog and you’ll find them. :)
How is Slack supporting women in security?
Lauren Rubin Senior Technical Program Manager
In 2016, I joined Slack as a Senior Technical Recruiter hiring across various Engineering teams, one of which was Security. Fast forward 18 months and I was Slack’s first Technical Program Manager for Security.
Wait, what?
I know… sometimes I still can’t believe it either. There I was, promoting internal mobility to prospective new hires to join Slack, and then Slack put that exact opportunity to make an incredible career change right in front of me. Slack and its Security leadership team are, without a doubt, the driving forces that made my move a possibility. In a typically misogynistic industry, Slack’s Security team has fantastic women leaders and individual contributors who welcomed me with open arms and reassured me that I would be successful in my new role. When I was pregnant with my first daughter, Slack encouraged and allowed me to step away from my day-to-day job in order to participate in a security bootcamp course to expand my domain knowledge to better support the team. Throughout my tenure as a Senior Technical Program Manager, I’ve had the privilege of helping define and implement programs that support Slack’s broader business strategy and operational excellence including incident management streamlining, technology hygiene and end of life technologies, QBR vendor reviews, Hacktober security awareness, bug bounty, vulnerability patching, JIRA optimization, security tooling proof of concepts, and other security engineering objectives.
I am honored and proud to be a member of Slack’s Security team working alongside wonderful and talented teammates.
Vivienne Pustell Senior Risk & Compliance Engineer
As a former teacher, one of the things I love most in life is learning! In my time at Slack, I have not only gotten the *opportunity* to learn, I’ve been provided support and encouragement and guidance to learn more, faster, and better.
Internally, I’ve had the opportunity to take classes that aren’t necessarily directly related to my day-to-day work, but my manager has supported me in using my time to learn.
As I moved deeper into developing technical skills, I was able to pursue more in-depth learning outside of Slack. As my knowledge grew, I found myself working with more varied teams across the company, and opportunities for informal learning and skill development through collaboration began pouring in.
My manager made sure that I had the chance to use what I had learned on the job whenever possible. I got to start providing more technical leadership in the team, and took over new responsibilities. Finally, in 2019, I was able to enroll in a part-time software engineering bootcamp. My whole team had my back through my entire bootcamp journey, and I got to start using bootcamp skills at work long before I finished the program. Other engineers across the company were encouraging and supportive as well, and I know I have a great network I can reach out to whenever I hit a wall.
For me, the most important thing to have in a career is the chance to grow, and with all the opportunities I have at Slack to learn in the classroom, on the job, and through outside trainings, along with the support of my manager and my colleagues, I know that I’ll never be stuck stagnating.
Carly Robinson Senior Security Software Engineer
Working at Slack is a distinctive and positive experience. In my five years at the company, I’ve found that the most unique thing about it is the ease with which we’re able to work on, and transfer between, multiple teams. This allows us to develop holistic skillsets, which, in my view, makes us better engineers.
When I graduated from Hackbright in 2015, I was fascinated by hacking and cybersecurity, but I felt it was important to be in a role that saw me writing code. In other words, I wanted to learn how to build things before I learned how to break them.
So that’s where I started, as a backend application engineer, where I would spend four amazing years. I grew from an associate to a senior engineer and worked with a number of teams, across the Enterprise, Platform, Operations, and Infrastructure engineering pillars. I wrote code in PHP/Hack, Javascript/Typescript, and Go, designed backend billing systems and public-facing admin APIs, wrestled with Terraform and bash scripts to provision AWS infrastructure, and helped configure Thanos for scaling Prometheus metrics across a fleet of several thousand servers. In a nutshell, I built a lot.
Then, in October of last year, a coworker forwarded me a link to a job posting on the Product Security Foundations team — a new, experimental group, whose mission is to build secure-by-default internal tools to support secure development across the engineering organization. A job where I could build things, while also learning how to break them like the hackers do? My heart skipped a beat. I was drawn to PSF’s challenging, high-impact projects, its technical leadership opportunities, and its completely female management team. “Sign me up,” I said.
I’ve worked in security now for ten months. Everyone has been so humble, down-to-earth and eager to share their knowledge. Many of us have taken an unconventional journey into security, and that diversity of experience is one of our greatest assets. In our time together, we’ve refactored a tool for monitoring Slack’s AWS infrastructure operations, launched an education program for software developers, developed testing for Slack Authentication systems and led an initiative to drive adoption of our secure-by-default libraries. Our work touches every part of the organization and our impact is undeniable.
I am grateful to Slack for continuing to nurture my curiosity and encourage my eclectic skillset across numerous teams.
Come join us!
We hope these personal stories were insightful and inspirational. If you are interested in joining Slack’s security team, we are hiring! We have multiple opportunities across Product Security, Security Operations, and Risk and Compliance. We’d love to hear your story, so please check out slack.com/careers and let’s chat!