
Interview with TheExpertE – Baka D.


October 8, 2019

Can you quickly introduce yourself? Tell us about your background.

My name is Ndeye Codou Baka Diop, often referred to simply as Baka Diop, a name I inherited from my father, Baka Diop, an electromechanical engineer who completed his internship at EDF, managed major projects at SENELEC (Senegal), and is now an energy consultant.

I am currently a Tech Leader in Application Security at Squad and a geekette.

I have had a somewhat unusual career path: after graduating from high school with a science baccalaureate, I was accepted into the Faculty of Medicine at Cheikh Anta Diop University, but my dream has always been to innovate and build new things, and I quickly realized that I would be a good surgeon... but not of patients; rather, of computer systems in need of repair.

From a young age, I worked in IT maintenance, and during the summer, when others went on vacation, I took on summer jobs in IT maintenance. While studying applied mathematics at the University of Tlemcen, I also took software development courses at the Protech training school. I then completed a Master's degree in Smart Aerospace and Autonomous Systems at Paris Saclay University with an Erasmus internship in Poland. Finally, I completed my Master's degree (BAC+6) at ESIEA, specializing in information and systems security (MSSIS) with SecNumEdu certification.

I was quickly drawn to certain modules such as risk analysis, code review, pentesting, etc. At the end of my master's degree, I began to take on a series of assignments related to application security, particularly the implementation of "Security by Design" for clients. I also had to complete numerous certifications and training courses, including ISO 27001, PCI DSS, and GDPR.

Why did you choose Squad?

At the end of my internship at Orange, my manager put me in touch with Squad through Magaly Provost. Squad had an excellent reputation. From the moment Magaly welcomed me to Squad, I quickly felt at home. I was given challenges that were as exciting as they were educational, which helped me develop my expertise.

It's a company that gives you the opportunity to grow and develop. I was quickly able to prove my abilities with a lot of autonomy. In fact, I lead a CATS (Community for Automating Security Testing) community that deals with application security. As an OWASP member, I recently participated in the OWASP conference in Amsterdam, where I represented Squad. On October 8, I will be hosting a session on "Security by Design" during the third edition of the "Sophia Security Camp" in Sophia Antipolis as part of ADALOVELACE Day.

My goal during this conference will be to present three practical cases to raise participants' awareness of the importance of application security, particularly security by design (SBD). 

Were there many women in your class?

There were two of us. When I attended the OWASP conference, I noticed this rarity. There were only a few dozen women out of about 500 people.

For me, IT jobs are just like any other job. We naturally see male nurses, male midwives, etc. Why should cybersecurity be a myth for women? The only prerequisite is to be passionate. You have to love it, be passionate, be curious, dig deep, explore... For me, it's a passion, and a demanding and rigorous profession. Women have just as much place in it as men.

Security professions are promising careers, and even more so in application security. There is a shortage of experts in this field, yet it is a profession with a bright future that encompasses a wide range of expertise. With plenty of surprises and rigor every day!


Tell us about Application Security...

Application security involves implementing security controls and measures to ensure an acceptable level of security for the entire application ecosystem: the application itself, its server, its components, its configuration, its processes, its users, and its stakeholders. This requires a certain level of expertise.

SecApp is not limited to application penetration testing and code auditing; it encompasses skills in code, cryptography, IAM, networks, governance, and more. It is very broad and intersects with many different professions.

Application security experts like myself must be able to quickly learn new skills across a wide range of modules and be able to communicate with people, whether they are technical, functional, operational, or organizational, or even children and the elderly.

In this respect, we are true evangelists. All companies today must integrate security, and it is our role to support them in doing so.

What is your definition of DevOps?

For me, DevOps is above all a culture. Until a certain point, developers were on one side and ops on the other. We saw the limitations of this model. With Agility and by working together, developers did a little bit of ops and vice versa. Developers are no longer alone and isolated in an activity devoted exclusively to development: they must take operations into account in a continuous workflow. In this sense, DevOps is a culture for greater responsiveness and better results.

In 1990, we had fewer than ten sites, compared to billions today. We did not anticipate the rise of IT to this extent. Although some structures are now adapting faster than others (the latter being fairly conservative), DevOps and even DevSecOps are philosophies that already existed in the background. Depending on the strategy and taking into account the short cycles required by the market, companies no longer have much choice and must integrate this type of approach. If we want a product that works well in a highly competitive environment and to maintain our lead, reliability, and reputation, we must guarantee security for consumers or customers. Security is a guarantee of trust, and to achieve this, we are forced to adhere to a DevSecOps culture.

… and DevSecOps?

For me, DevOps security has always existed; it was just sidelined in corporate culture and strategy. Now that application breaches have caused enormous damage within companies, it has been necessary to rethink the system that was in place. Due to issues surrounding customer portfolios, reputation, and user trust, as well as requirements and laws on freedom and privacy, security has become increasingly important and crucial to DevOps.

As evangelists like me, who are full of ideas, emerge, these cultures are becoming increasingly integrated into all areas of IT.

How does one become an expert in Security by Design?

Security by Design is a model in itself. When the lack of application security can cost a company millions of euros, it is clear that security is fundamental. What's more, we realize the complexity involved in securing an application after the production phase. This often leads to an application having to go back into development... Ideally, security should be integrated into the design of any application. This is why we talk about Security by Design. It involves implementing security upstream of the project and during all phases: prerequisites, design, pre-production, and production. Security is considered from the application scoping phase and maintained throughout its existence. Every stakeholder and participant involved must integrate this DevSecOps culture.


See also:

https://theexpert.squad.fr/theexpert/lifestyle/femmes-it-work-in-progress/
https://theexpert.squad.fr/theexpert/security/securite-applicative/