A culture of security is always a top priority for Cox’s technology teams. In this blog post, the engineering team at HomeNet – which is part of the Cox Automotive family of brands – details how Cox’s tech employees leveled up their AWS security skills.
Security is always a top priority for the Cox Automotive product portfolio. Our VP of Engineering, Roger Vidal, reminds us during every all-hands meeting that our commitment to stability and security builds strong relationships with our customers today and builds trust in our brand for the future.
A little more than a year ago, we formed the IMS Security Guild – a volunteer group of engineers and practitioners from across the organization who champion the “security-aware mindset.” Our goal is to create a culture of security, and we identified some core values that Cox Automotive emphasizes with every product release:
- Software that is secure is of higher quality than software that is not secure. Our customers trust us to keep their data safe, and Cox’s reputation depends on the security of our products.
- Secure software is built by people, not just scanned by tools. Although tools can help us, we must educate, train, and mentor our people to deeply understand security in order to build a culture in which everyone participates.
- Everyone is accountable for security. Security is a constant effort, and every person has a responsibility to ensure guardianship of their information, products and applications.
Keeping in mind our mission and core values, the IMS Security Guild has promoted various training opportunities and security-focused activities during 2021.
AWS @ Cox
Cox Automotive has been using AWS as our preferred cloud provider for a number of years, and we’re actively migrating major legacy systems to the cloud. Our software engineers have become intimately familiar with AWS and related technologies, and our executives have actively encouraged us to become AWS certified.
This year, the IMS Security Guild wanted an outside-the-box idea to encourage our engineering teams to level up their security skills in a meaningful and applicable way. We decided to create a self-paced study group for the AWS Security Specialty exam, with the goal of having at least 5 people achieve certification by the end of the year.
AWS study group
Cox Automotive is a broad company that encompasses many tech teams; we have physical offices in various time zones, not to mention dozens of folks who work remotely full time. So it was no surprise that running a study group resulted in some challenges. Simply finding a time on the calendar was a challenge in itself!
Another challenge we faced was the fact that not every software engineer or practitioner at Cox uses all of the parts of AWS covered by the exam. Every person in our study group came into things with a different level of AWS experience. We used video content available in Pluralsight to drive our study group, but not every developer was familiar with EC2 or Lambda or KMS.
Additionally, Cox Automotive abstracts certain features of AWS (namely IAM) away from our day-to-day product engineering, so some of our hands-on experience building software in AWS doesn’t perfectly align with the course content and the certification exam.
If you are going to consider studying for the AWS Security Specialty exam, here are some resources we would recommend based on our experience.
Our study group originally started by following the AWS Cloud Security “skill path” in Pluralsight, which is a collection of shorter courses by various content creators. We also watched Architecting for Security on AWS by Ben Piper. Generally speaking, those two Pluralsight resources were great. They gave us a wonderful baseline for security across AWS, though in hindsight they were not deep enough in several areas to prepare us for the certification exam.
We supplemented our study group with some popular YouTube videos, including a number of presentations from AWS re:Invent and other industry events:
- AWS re:Invent 2020: Instance containment techniques for effective IR
- AWS re:Invent 2020: Best Practices for securing your multi-account environment
- AWS re:Invent 2019: Using AWS KMS for data protection, access control, and audit
- AWS re:Inforce 2019: The Fundamentals of AWS Cloud Security
- AWS Security Virtual Roadshow 2020: Data Protection using Encryption in AWS
- SANS DFIR Summit 2017: IR in the Cloud (AWS)
- Introduction to AWS Certificate Manager Private Certificate Authority (CA)
We also discovered a fantastic blog post from Capital One which highlights a number of other resources. We specifically took closer looks at the AWS documentation and whitepapers for KMS. Last but not least, we highly recommend the WhizLabs practice tests, which really prepared us for the final exam!
If you’re interested in AWS Security, you might consider searching for open positions here at Cox Automotive! The organization is always encouraging us to learn, grow and contribute in innovative ways — they’ll even pay for you to get your AWS certifications!