And just like that, my twelve weeks of interning as a Corporate Security Engineer at Atlassian is over. Being in an ancillary role (i.e not being a developer for the main products) my experience has likely been different to the majority of developers, but the journey has been no less interesting and exciting!
Discovering Corporate Security
I applied for, and entered into this internship with a very vague understanding of exactly what my role would entail (tbh all of us). At times I wondered if I should have applied for a software role instead, but ultimately I thought that I would get more benefit interning from something I’m less well-learned on.
Soo…
Do we look at code? Do we stop bad guys? Do we do boring paperwork?
Or do we make policies to inconvenience everyone else?
A: absolutely 😏
These were a few more of the questions I had coming into the internship…
What is(n’t) corporate security?
What does corporate security do?
What tools do I use?
What are the fun / not-so-fun parts?
Corporate Security seemed to be the “security team which the other security teams weren’t” (and I guess that can go both ways) - whatever security concern existed that wasn’t in the scope of Product Security or Security Intelligence - that’s us. Outside of my internship project, the tasks I had found myself doing were a mixture of threat modelling, looking at dodgy code™️, reviewing these things called TPRMs and SBCRs, staring at graphs, and waiting 25 minutes for my Bitbucket pipeline to hopefully go green.
In terms of tooling; there aren’t really any specific tools that we might use on a day to day basis - again, we just use whatever we need for the task. Not having a “toolbox” (something I’m very used to, having experiences in trades) made me feel abit lost in the first weeks of the internship, as I had no idea what tools/services/resources were at my disposal. Thankfully my managers and teammates were able to assist me whenever I reached out 🥳
What is Corporate Security?
This internship taught me the workings and processes of what constitutes Corporate Security.
From the interesting things like looking at weird code, to the more mundane risk assessments.
Based off the tasks and work assigned to me over this internship,
I would answer my original thoughts and say that we…
- Examine the security posture and improve the security of internal assets and networks
- Conduct code and security reviews
and of course… - Make your lives miserable by forcing you to use 2FA
Look at me I’m a critical risk to Atlassian wooho-wait..
The Internship Project
My internship project(s) revolved around the integration of CrowdStrike (anti-virus software) into our security detections system. Whilst it’s no grand or amazing project that I would show off to others, but it did have a meaningful purpose to Atlassian - and that’s something that I can appreciate (in contrast to other places I’ve been to where your internship project is a tiny change that doesn’t even get pushed to production…)
Playing Kirby on a Monday morning.
I swear, it’s uh.. for work
I also got to fire up After Effects for the first time in like 8 years to make some animation.
Alot has changed.
This took way too long to make.
Learning the ropes
In undergoing my internship project, I got the opportunity to research a lot of Atlassian’s internal tooling, related development services, and got to use a bunch of different Amazon products against large volumes of data.
Operational statistics of my project’s network activity
BTW We definitely store wayyy too much data
I had the opportunity to play with large-capacity AWS EC2 instances (computers on the cloud) that I’d probably never be able to finance on my own, and also had the chance to interact with other teams to optimise my services to perform network operations at peaks of 5 gigabytes per second (yes, GBps)
Development for my project was rather straight forwards, probably because I’ve done a bunch of packet processing a bunch of times for various other projects (i.e. my StudioLive API)
Lea(r)ning into the field
Within the cohort of software-developer-whatever-you-want-to-call-them interns, the majority seemed to be in their second to third year of university. Having caught up with lots of them, I could see that their time at Atlassian was fantastic; with many touching GraphQL, Kotlin, PaaS infrastructures, and other technologies for the very first time!
In security roles, we don’t deal with any specific languages or stacks; rather we’re a jack of all trades, master of none / some / all - since we need to know the product and the code in order to secure it! Coming into this internship as a student nearing the end of my Electrical Engineering / Computer Engineering / Computer Science degree, there wasn’t really any new software technologies for me to pick up on - so this internship offered me a ‘taste of work’ rather than a ‘teach me the things that I actually need to know which for some reason my $140,000 university degree doesn’t provide'
(or which in my case, is even more) [sad engineer noises]
Whilst it was more of a “here’s your work, do it” sort of experience - that was perfectly fine, as it gave me the freedom to approach my project from a range of different angles which I could evaluate, before committing to a particular solution and building it. It also gave me the liberty to research a bunch of other stuff that don’t exactly relate to my work, but would come handy when it came to troubleshooting tickets and issues.
Although I guess I’m a far way off from being a Splunk ninja
One thing I’ve looked out for during previous internships was if companies consistently enforced “best practices” in their build systems, dev-o(o)ps, code style, conventions - and it’s always interesting. I found it interesting, that just like other giant software companies like Google, code is messy, dev-ops is messy, documentation is messy (hahh have you seen Google’s YouTube API docs). With both external code and our own code being pushed out on a regular basis, it’s definitely easy to find yourselves finding out-of-date documentation, or things that just don’t work for some reason.
The more you do, the more is done!
Throughout this internship I was able to help several teams prune their documentation of outdated documentation, and raised several issue tickets which had impacted my work. Hopefully no one else in the future will fall victim to spending a week trying to connect to a non-existent endpoint with a decommissioned protocol 😅
Being the change I seek… seeked? seeken? saught? sauked?
One of Atlassian’s values is to “Be the change you seek” - to do the thing you want to see done. During the early days of the internship, I ended up writing a program to see which office desks the other interns were at, so that we could all sit nearby! Too bad the office closed down a few weeks in.
This was a fun little side project, as I wasn’t sure if my role involved programming at all. From snooping around, to patching an Android APK file, to finding a password reset bypass; it was a fun way to ease myself back into fun programming after a rather boring and unhappy uni term.
ShipIt
ShipIt is Atlassian’s quarterly hackathon, where people do ‘stuff’ to improve the company - whether it be a program, an extension, cute posters or template resources, research, or something else!
I participated in the company’s 53rd ShipIt, where I teamed up with some other interns to (try to) implement a cropping feature in Confluence, which for some reason to this day hadn’t been implemented. It was a fun way (albeit rather daunting experience to see how massive the Confluence codebase was) to experiment and play around with other technologies that I wouldn’t often / ever touch in my security work.
BTW did I mention that our team came 4th!?!?!?
It is technically just a popularity contest, so ranks don’t really matter.
It’s a nice feeling I guess
So, did I enjoy it?
It would be a lie to say that it wasn’t all completely fun and games. Some days were pretty slow and quiet, and some felt mundane (working from home also sullied the mood, since I was keen on being in an office). One time I even accidentally rm -rf’d the wrong directory, and that undid my work for the day… gahhh.
But hey, you can’t appreciate the 🌤️ sun without the 🌧️ rain!
My team (and organisation) treated me exceptionally well, and from day one I immediately felt welcomed. Everyone was chill, and I really enjoy the fact that this company uses 🔥 emojis 🔥.
From installing ‘necessary’ packages for testing
To meeting with people over table tennis…
To making my video calling setup look decent
Also thanks for some swag! Though I won’t really use any of it… Maybe the shirt?
Office Tour
Where to now?
I’m a Computer Engineer, so my real home is in the hardware, electronics and telecommunications sector. But Atlassian is a software company (unless they decide to start manufacturing products or become a data centre).
Whilst I believe that I would make a rather good software developer (or security engineer), what I’m actually interested in is hardware design, designing microprocessors, playing with circuits, climbing up telecommunications towers…
Even in regards to security, we don’t have any physical servers as everything is on AWS, and I doubt that’s going to change any time soon (plus, cloud is probably better anyway). So the only remnant of electronics at Atlassian would probably be some sort of building infrastructure security (speaking of which the security guards are very friendly and I totally recommend you to talk to them).
But perhaps hardware and software are on the same side of the coin; maybe there exists more of an interplay between hardware and software than I could find during this internship. Dunno.
I’m not sure
The prospect of Team Anywhere excites me, as I get the opportunity to travel around, without being confined to my home or office (as good as the perks are, at the end of the day it is still an office).
But I also have that opportunity if I just relocate to another country to work for another company.
For now though, I’ll be finishing up my (hopefully) final year of university and get my thesis out of the way.
Then I’ll hop back on the drawing board and figure the rest out ✌️
Two steps forwards, and one step
backfurther
