Passion is important when it comes to growing your career. If you’re not passionate about what you do, it’s likely you’ll find going to work every day a bit of a struggle. As a consulting firm, Protiviti is in the business of helping others. That’s our passion. Through Foundations, our entry level hiring program, we aim to deliver a customized series of meaningful experiences that help our entry-level hires uncover the things they are passionate about.
I recently met up with one of our Consultants in Philadelphia whom I had the pleasure of hiring from campus a few years ago. Kathy, a Consultant out of Philadelphia, has always been impressive, so it came as no surprise to me when I received a call from one of our Managing Directors to tell me that she had done some amazing work and made a positive impact for a big client. After learning more about the project, I came to realize the impact she made is in an area that is relatively new territory for Kathy. It’s become her passion, her “bread and butter” as she puts it — and this is her story!
Q&A with Kathy
Tell me a bit about your experience at Protiviti over the last 2 years as an intern and now a consultant.
“As an intern, I was first and foremost exposed to entry-level client work, which helped to develop me professionally. One of the important skills that I learned from my internship experience was how to translate technical language into easily understandable business terms. In regard to specific project work, I came in as a Computer Science major, so I was able to work in a technical area. I mainly started with source code review, which is essentially looking for vulnerabilities in the source code of applications. Most of the time, the work is focused on security best practices and not necessarily identifying large holes. I also did some penetration testing early on in my internship, which was really fun. The last couple of projects I have done have been specifically mobile application security projects where you dynamically analyze the mobile app. Sometimes you are testing in a test environment, and at other times, our clients do have us test in production, where we are just downloading from the app store.”
I’ve heard that the client was extremely impressed with your findings. Can you give me some more background on the project?
“Our client came to us as part of their payment card industry (PCI) compliance testing. Interestingly enough, mobile application standards are not directly part of PCI guideline testing — the area is still gray. We wanted to ensure that we did thorough testing and that mobile was in scope. Initially, I think our client did push back a bit because they have a public bug-bounty program that pays the public if they find any vulnerabilities or issues, so they weren’t sure they needed us to do that. In the end, though, they did let us test, which turned out to be a good idea — more on that shortly. But, to be honest, I usually don’t find anything too severe, and I definitely didn’t expect to in this case, because of the bug-bounty program. But as you learned, I did end up finding several issues!”
What were you able to identify and why was it so important?
“One of the PCI compliance guidelines is that you’re not allowed to log certain types of credit card information, which is obviously high risk in several scenarios — like if you were to get malicious software downloaded or lose your phone. For our client, I noticed that they were unintentionally logging a tokenized version of the card, which is basically a scrambled version of the credit card that’s being saved. It wasn’t necessarily high-risk, but it’s something important to note and that the client should address. This was found in a test environment, and the client didn’t think this was occurring, so they ultimately asked me to go look at the actual production environment of the app (meaning the application you and I would use). When I went in to test that, the full credit card number was being logged, not even the tokenized version, as well as other sensitive fields. This is very high-risk, so we immediately notified the client and probably saved them a huge headache down the line.”
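To make the finding concrete, here is an added example of the kind of check a tester runs over captured device log output during the dynamic analysis Kathy describes. It is not code from the interview or from Protiviti. It pulls candidate 13 to 19 digit runs out of each log line, keeps only those that pass the Luhn check (which is what separates a real card number from an order ID or a timestamp that happens to be 16 digits long), reports them masked to first six and last four, and separately flags card-verification fields, which PCI DSS forbids storing anywhere. The logcat-style lines, the field names (pan, cvv) and the JSON shape are constructed for illustration, and the card numbers are the publicly published test numbers, not real cards.

```python
"""Scan application log output for primary account numbers (PANs) and
card-verification codes that should never have been written to a log.

Added example; not part of the original interview or any Protiviti tooling.
SAMPLE_LOGCAT below is constructed and uses publicly known test card numbers.
"""
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (so a 20-digit reference number is not sliced up).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Card-verification codes are sensitive authentication data and may never be
# stored or logged. Key names and JSON/key=value shapes are assumptions.
CVV_FIELD = re.compile(r'(?i)\b(cvv2?|cvc2?|cid)\b["\']?\s*[:=]\s*["\']?(\d{3,4})\b')


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> str:
    """Coarse issuer guess from the leading digits (commonly published IIN ranges)."""
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "visa"
    if digits[:2] in ("34", "37") and len(digits) == 15:
        return "amex"
    if len(digits) == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    return "unknown"


def mask_pan(digits: str) -> str:
    """PCI-style display form: first six and last four digits, the rest masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str    # "pan" or "cvv"
    detail: str  # brand plus masked PAN, or the offending field name


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid PAN or CVV field found in each log line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):  # drops order ids, PIDs, timestamps
                findings.append(Finding(line_no, "pan", f"{card_brand(digits)} {mask_pan(digits)}"))
        for m in CVV_FIELD.finditer(line):
            findings.append(Finding(line_no, "cvv", m.group(1).lower()))
    return findings


# Constructed logcat-style sample: one tokenized reference, one request body
# with a full PAN and CVV, a 16-digit order id that is not Luhn-valid, a
# space-separated PAN, and a properly masked value that must not be flagged.
SAMPLE_LOGCAT = """\
03-14 10:22:01.118  4321  4321 D PaymentSvc: tokenizing card tok_4Fz9aBq (expires 12/27)
03-14 10:22:01.120  4321  4321 D PaymentSvc: request {"pan":"4111111111111111","cvv":"123","exp":"12/27"}
03-14 10:22:01.121  4321  4321 I OrderSvc: created order 1234567890123456 for user 88213
03-14 10:22:01.125  4321  4321 D PaymentSvc: retry with pan=5555 5555 5555 4444
03-14 10:22:01.130  4321  4321 I PaymentSvc: stored masked card 411111******1111
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOGCAT):
        print(f"line {f.line_no}: {f.kind} {f.detail}")
```

In practice the input is the buffer dumped from the device (for Android, the output of `adb logcat -d`) while the tester exercises the payment flow. Two caveats matter when reading the results: roughly one in ten random digit strings of a given length passes Luhn, so each hit still needs a human to confirm it is a card number, and format-preserving tokens are often Luhn-valid by design, so a token being logged will be flagged exactly like a real PAN, which is the right behaviour for the test-environment finding described above even though the production finding is the severe one.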
As you grow in your career, it’s common to begin to specialize in an area or expertise. What did this project mean for you?
“Mobile application testing is my bread and butter. Protiviti is actually helping to support me financially to gain a GMOB certificate in this area and also to do a targeted training. Right now, we have a small team working in this emerging area of code review. I think, in the future, we will hopefully push mobile application testing more. There’s definitely a need for it from our clients.”
Why are you so passionate about mobile application testing?
“Most of the mobile application testing I’ve done is something that I self-learned and taught myself. I just think it’s really cool! I use my phone all the time, and if there’s an issue, I want to know. That’s how I got so interested and became so passionate.”
What does the future of mobile application testing look like?
“I would imagine the PCI council will be updating their guidelines to further develop the mobile application gray area with more specifics. As more mobile apps are asking for credit cards, it will become more front and center. Many of the clients we are working with in Security and Privacy do have an app of some nature. I know for me, I’m on my phone a lot, and I think we’re all only going to get more dependent on our phones, so I don’t think this is something that’s going away!”
What advice do you have for people who are starting their career?
“When I first started my career, I was a sponge, but I often felt like I didn’t know enough and it was intimidating. At the end of the day, don’t be afraid to ask questions, but also proactively search for the answer before you do.”
Why do you think it’s important to have passion in your career?
“If you’re not passionate about what you’re doing, there is no motivation to advance your career or to educate yourself further. When you find something you’re passionate about, it will motivate you to learn more and be your best. If you are not sure what your passion is, that’s totally fine, but be a go-getter and a self-starter. If you think you’re interested in something, ask for more work in that area. That’s how you develop passion — by inserting yourself into initiatives or projects you think are interesting!”
“Kathy’s work on this project, as well as others, has been particularly impactful to our clients and beneficial to our Security and Privacy practice. Kathy brings a unique combination of technical skills and project ownership that is highly valuable in consulting. Our clients have reached out multiple times to recognize her work and the value it has brought to them. Kathy has helped to find significant, deep technical issues in applications that client teams have been managing and reviewing for long periods of time. Kathy was able to not only find the issues, but easily transfer that knowledge to the client with her strong communication skills. Thus, the client was able to understand the risks and make broader, root cause level changes to their processes.”
– Kevin, Associate Director, Technology Consulting – Security & Privacy
“Kathy works in a high velocity project team that is juggling dozens of application security projects. She has had the opportunity to focus on mobile application and application program interface (API) security testing and has a direct line to ensuring the effective application of this for our clients. Kathy has dedicated time to strengthen the thoroughness and effectiveness of the service, and her efforts have helped further establish many on-going client relationships.”
– Steve, Director, Technology Consulting – Security & Privacy
We’re all so proud of the work that you’re doing, Kathy! We can’t wait to watch you continue to grow and thrive in your career.