Employee onboarding at Checkr

I recently joined Checkr as a security engineer and had the opportunity to complete its week-long onboarding program.

In my opinion, new employee onboarding is vital to any organization for a few simple reasons:

  1. It is educational for the new joiners – while they have already decided to jump on board by accepting the offer, a good onboarding experience helps reinforce the decision.

  2. It helps showcase the value that the new members will bring to the table and its alignment with the overall mission of the organization.

  3. Life is quite a bit (if not all!) about first impressions, and a good onboarding program is just that. For a new employee, it’s the first true insight into how a company really functions.

While it sounds simple enough, it is tough to get right. Before joining Checkr, I had worked for various organizations (large, medium, small) and had my share of new joiner trainings/sessions/seminars/onboarding programs, etc. A common thread between these programs is that, almost always, they are impersonal. Usually they cover things like setting up benefits, payroll and the computer, and other administrative chores like providing a rundown of the Dos and Don’ts at the company. Very little emphasis goes into explaining what it means to come on board and what is needed to be successful in that company. To me, onboarding programs are perhaps the most boring, monotonous and impersonal activity one does when starting at a company.

So, I was surprised (pleasantly!) at Checkr!

The onboarding program here is different. Not only is it laid out in a very thoughtful way (so much so that the curiosity piqued by one session was addressed by the very next session – such was the cohesion of the flow), but it is also very conversational. It reflects the core principle of transparency that Checkr operates on, and for a new joiner it provides a great platform to get started here.

This sounds surprising when one considers that Checkr started in 2014 and currently has just around 135 employees. Typically, in fast-growing startups, the focus is on making the new joiners productive from day one. The idea of making them spend a week learning about the company, its mission, its people and its plans sounds strange. But at Checkr, the emphasis on this week-long program comes right from the top of the management chain, as evidenced by sessions from the CEO, the CTO and various VPs.

The program is 1 week (5 days) long and covers sessions on each aspect of the company, from how it started to where it wants to go and how.

Most of the new hires here, like myself, have no experience in the background check industry. The onboarding sessions were a perfect introduction to the complex world of background records, the court data management/retrieval systems and the painful inconsistencies in timelines as one moves across state/county lines.

This program helps visualize the direct impact of the technology developed at Checkr on the lives of job seekers across the country.

A few of the interesting aspects of the program for me included:

  1. Sessions with early employees of Checkr. Getting their first-hand perspective on how the company has grown fast while holding tight to its mission helped set my own perspective on how Checkr works.

  2. Two sessions with the Checkr CEO talking about the company roadmap and history. The level of transparency he provides in terms of roadmap, challenges and priorities is amazing.

  3. Every one of the new joiners (yes – everyone!) has to complete the NAPBS FCRA Basic Certification. I learned an amazing amount about the whole background check (BGC) industry during the training for this certification.

  4. Best part – I got to go to the courthouse to see first hand how the record retrieval process works in the US court systems. This happens on the last day of the onboarding program and is the fitting culmination of all the learnings from the previous 4 days.

In summary, Checkr is on a mission to modernize the background screening industry. To be successful here, each employee has to connect to that mission and understand how the role they play counts towards fulfilling it. Checkr’s onboarding program facilitates this understanding by showcasing how the company functions.

The program made a great impression that will stay with me for a long time.


“please check gdb is codesigned” – macOS Sierra

Running GDB on macOS Sierra failed with the error below:
Starting program: /Users/gaurabb/Desktop/Coding-Projects/CLang/a.out
Unable to find Mach task port for process-id 68306: (os/kern) failure (0x5).
 (please check gdb is codesigned - see taskgated(8))
Steps I followed to address this (based on references at the end):
Step 1: Codesign GDB by following Steps 1.1 through 1.6 (shown in the original post as screenshots MAC-Err-1 to MAC-Err-6, not reproduced here).
Step 2: Configure GDB
    Step 2.1: Create a file named .gdbinit in /Users/<username> (your home directory)
    Step 2.2: Add the following line to the file:  set startup-with-shell off
                    This disables the shell that GDB normally uses to start the program on Unix-based systems
Step 3: Open a terminal and run:
 sudo killall taskgated
taskgated is a system daemon that implements a policy for the task_for_pid system service. When the kernel is asked for the task port of a process, and preliminary access control checks pass, it invokes this daemon (via launchd) to make the decision.
Step 4: In the terminal, run:
 codesign -f -s "gdb-cert" /usr/local/bin/gdb 
These steps should address the error.

References:

Concurrency tidbit in Go

Consider the code snippet below; it defines a chat room struct with the following fields:

  1. a channel (messageFlow) to forward incoming messages to the room
  2. a channel (joinChat) to queue clients who want to join the room
  3. a channel (quitChat) for clients who want to leave the room
  4. a map of clients who are currently in the room

 

type room struct {
    // messageFlow - channel that forwards incoming messages to the room
    messageFlow chan []byte
    // joinChat - channel for clients wanting to join the chat
    joinChat chan *client
    // quitChat - channel for clients wanting to leave a room
    quitChat chan *client
    // currentClients - a map that holds all current clients in a room
    currentClients map[*client]bool
}

Quick Go channel refresher – Channels are a typed conduit through which we can send and receive values with the channel operator, “<-”. All channels must be created before use, and by default sends and receives block until the other side is ready. This allows goroutines to synchronize without explicit locks or condition variables.
More details on channels in Go are here: https://tour.golang.org/concurrency/2

 

Quick Go map refresher – A map maps keys to values. More on maps in Go – https://tour.golang.org/moretypes/19
The usual problem with code like the above is that two goroutines may try to modify the map at the same time, leaving currentClients in an unpredictable state (Go maps are not safe for concurrent writes).

To help with this kind of setup, Go provides a powerful statement called select. As defined at https://tour.golang.org/concurrency/5, the select statement lets a goroutine wait on multiple communication operations. select can be used whenever operations on shared state must be driven by activity on several channels.

To address the case in the code snippet above, we can use the select statement to monitor the channels messageFlow, joinChat and quitChat. As and when a message arrives on any of the channels, the select statement runs the code for that particular case. Only the case for one channel runs at any particular time, which is what synchronizes the operations on the map. The select code will look something like:

    for {
        select {
        case client := <-room.joinChat:
            // allow the client to join: record it in the map
            room.currentClients[client] = true
        case client := <-room.quitChat:
            // allow the client to leave: remove it from the map
            delete(room.currentClients, client)
        case chatMsg := <-room.messageFlow:
            // forward chatMsg to every client in room.currentClients
            _ = chatMsg
        }
    }

This loop should run indefinitely in the background (as a goroutine) until the chat program terminates.
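As an added example (not code from the post or from the referenced book), here is the complete room with its select loop running as the single goroutine that owns the map, plus a membership query that doubles as a barrier for tests. The client type with its buffered recv channel and the count query channel are assumptions of this example, since the post never defines a client; the inner select drops a message for a client whose buffer is full instead of letting one slow client stall the whole room.

```go
package main
// client is an assumption of this example (the post never defines it); recv is buffered.
type client struct{ recv chan []byte }
type room struct {
	messageFlow    chan []byte
	joinChat       chan *client
	quitChat       chan *client
	currentClients map[*client]bool
	count          chan chan int // query: run replies with len(currentClients)
}
func newRoom() *room {
	r := &room{make(chan []byte), make(chan *client), make(chan *client),
		make(map[*client]bool), make(chan chan int)}
	go r.run() // the single goroutine that owns currentClients
	return r
}
// run owns currentClients: select serialises every access, so no mutex is needed.
func (r *room) run() {
	for {
		select {
		case c := <-r.joinChat:
			r.currentClients[c] = true
		case c := <-r.quitChat:
			delete(r.currentClients, c)
		case msg := <-r.messageFlow:
			for c := range r.currentClients {
				select {
				case c.recv <- msg:
				default: // slow client: drop rather than stall the whole room
				}
			}
		case reply := <-r.count:
			reply <- len(r.currentClients)
		}
	}
}

// Clients queries run; the reply proves all earlier sends from this goroutine were handled.
func (r *room) Clients() int {
	reply := make(chan int)
	r.count <- reply
	return <-reply
}
func main() {
	r, c := newRoom(), &client{recv: make(chan []byte, 1)}
	r.joinChat <- c
	r.messageFlow <- []byte("hello room")
	n := r.Clients() // returns only after the broadcast above has been delivered
	println(n, len(c.recv)) // membership, then messages buffered for c
}
```

Running this under `go test -race` with many concurrent joins is the quickest way to confirm that the map is never touched from two goroutines at once.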

References:
1) Go Programming Blueprints – Mat Ryer
2) https://tour.golang.org/

AWS Boto – Key pair creation – Regions matter!!

I was trying to create an EC2 key-pair using AWS Python SDK’s (Boto) create_key_pair() method, something like:

import boto

objEC2 = boto.connect_ec2()  # Boto 2; uses the region from boto.cfg, else us-east-1
dir_to_save_new_key = '/path/to/keys'  # placeholder: directory the .pem file is saved to
key_name = 'BlockChainEC2InstanceKeyPair-1'

def create_new_key_pair(key_name):
    newKey = objEC2.create_key_pair(key_name)
    newKey.save(dir_to_save_new_key)

The keys were created as expected, because I was able to fetch them using Boto’s get_all_key_pairs() method like below:

def get_all_keypairs():
    # returns the KeyPair objects visible in the connection's region
    return objEC2.get_all_key_pairs()

The get_all_key_pairs() method returned the result below, showing that the key pair exists:

<DescribeKeyPairsResponse xmlns="http://ec2.amazonaws.com/doc/2014-10-01/">
    <requestId>8d3faa7d-70c2-4b7c-ad18-810f23230c22</requestId>
    <keySet>
        <item>
            <keyName>BlockChainEC2InstanceKeyPair-1</keyName>
            <keyFingerprint>30:51:d4:19:a5:ba:11:dc:7e:9d:ca:49:10:01:30:34:b5:7e:9b:8a</keyFingerprint>
        </item>
        <item>
            <keyName>BlockChainEC2InstanceKeyPair-1.pem</keyName>
            <keyFingerprint>18:7e:ba:2c:44:67:44:a7:06:c4:68:3a:47:00:88:8f:31:98:27:e6</keyFingerprint>
        </item>
    </keySet>
</DescribeKeyPairsResponse>

The problem was that when I logged on to the AWS console of the same account whose access keys I used to create the key pairs, I did not see the newly created keys.

I posted this question to the ever helpful folks at Stack Overflow (here).

Based on the response, I realized that Boto was creating the keys in its default configured region of US East, while I was defaulting to US West when I logged in to the AWS console. I was able to view the newly created keys when I changed the region in my AWS console [EC2 >> Key Pairs].

The fix was to add the following to the boto.cfg file:

[Boto]
ec2_region_name = us-west-2

 

ISC2 Certified Cloud Security Professional (CCSP) – My take

I recently passed ISC2’s Certified Cloud Security Professional (CCSP) certification.
While preparing for the certification, I found that there are hardly any reviews by people who had already taken the test, written for those who plan to take it and want a test taker’s perspective.
So, here is my take in a Q&A format.

How long did I prepare for the exam?

Focussed study of around 40 hours spread over 4 weeks.
I already had the following credentials, which helped a lot in covering major parts of the CCSP material:
  1. Cloud Security Alliance’s CCSK
  2. ISC2 – CISSP
  3. I have more than 10 years of Software/Cloud Security Engineering and related professional experience.

What materials did I use for preparation?

1) The Official CBK – the first edition. I read a lot of bad reviews about the book, but as far as providing relevant information goes, I found it to be enough.
2) CCSK V3 Prep guide: I did read this for the following 4 domains:
  1. Architecture
  2. Operations
  3. Platform and Infrastructure
  4. Data Security
This alone will not be enough to clear the CCSP exam, but it is a good, quick “day before the exam” kind of refresher.

Is the exam worth the time and money?

It is not a hands-on exam; rather, it checks theoretical understanding of cloud engineering concepts and the ability to apply them to scenario-based questions.
In my opinion, theory and concepts should always precede actual hands-on work, so yes, this is a worthy investment.

AWS S3 Error – InvalidLocationConstraint – “The specified location-constraint is not valid”

This error is returned when trying to create an S3 bucket with a location constraint whose value is not valid.
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>InvalidLocationConstraint</Code>
<Message>The specified location-constraint is not valid</Message>
<LocationConstraint>Default</LocationConstraint>
<RequestId>E1BDC3B868D40B32</RequestId>
<HostId>
t47dkcB6eVf0GW9mEtpECy3x6V6JFaJ8MeWhNynwVwMhJZ4yS9lwEXeQRP2wgz0OZq0X0NuM5oo=
</HostId>
</Error>
The list of valid locations, as documented here, is below:
Valid Values:
  • us-west-1
  • us-west-2
  • EU or eu-west-1
  • eu-central-1
  • ap-south-1
  • ap-southeast-1
  • ap-southeast-2
  • ap-northeast-1
  • ap-northeast-2
  • sa-east-1
  • empty string (for the US East (N. Virginia) region)
  • us-east-2
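An added example (not from the post): a Go helper that builds the CreateBucket request body from the list above, sending no body at all for us-east-1 (the empty-string case) and rejecting values outside the list locally, plus a decoder for the error document quoted above. The XML namespace is S3's standard 2006-03-01 one; the struct and function names are my own.

```go
package main
import (
	"encoding/xml"
	"fmt"
)

// validConstraints are the LocationConstraint values listed in the post.
// us-east-1 is absent on purpose: for that region the body must be omitted.
var validConstraints = map[string]bool{
	"us-west-1": true, "us-west-2": true, "EU": true, "eu-west-1": true,
	"eu-central-1": true, "ap-south-1": true, "ap-southeast-1": true,
	"ap-southeast-2": true, "ap-northeast-1": true, "ap-northeast-2": true,
	"sa-east-1": true, "us-east-2": true,
}

// bucketConfig is the CreateBucketConfiguration document S3 expects.
type bucketConfig struct {
	XMLName            xml.Name `xml:"http://s3.amazonaws.com/doc/2006-03-01/ CreateBucketConfiguration"`
	LocationConstraint string   `xml:"LocationConstraint"`
}

// CreateBucketBody returns the CreateBucket request body for region. An empty
// region or us-east-1 yields no body at all; a value outside the list fails
// here instead of round-tripping to S3 for an InvalidLocationConstraint.
func CreateBucketBody(region string) (string, error) {
	if region == "" || region == "us-east-1" {
		return "", nil
	}
	if !validConstraints[region] {
		return "", fmt.Errorf("invalid location constraint %q", region)
	}
	b, err := xml.Marshal(bucketConfig{LocationConstraint: region})
	return string(b), err
}

// S3Error mirrors the <Error> document quoted above; field names match the element names.
type S3Error struct {
	Code, Message, LocationConstraint, RequestId string
}

// ParseS3Error decodes an S3 error body so callers can branch on Code.
func ParseS3Error(body []byte) (S3Error, error) {
	var e S3Error
	err := xml.Unmarshal(body, &e)
	return e, err
}
func main() {
	body, _ := CreateBucketBody("us-west-2")
	fmt.Println(body)
}
```

The error above echoes Default as the rejected value; CreateBucketBody("Default") fails before any request is made.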

2015 State of Application Security: Closing the Gap

Although published in mid-2015, the SANS report “2015 State of Application Security: Closing the Gap” provides interesting insights into:

  • Application Security Standards in Use
  • Overlap Between Development and Security Focus
  • Popular Languages and Their Perceived Risks
  • Top Challenges for Builders and Defenders
  • Defenders’ Emphasis for Application Security Management Resources
  • Useful Security Practices for Application Defenders

https://www.sans.org/reading-room/whitepapers/analyst/2015-state-application-security-closing-gap-35942