Nord Security wouldn’t exist without the brilliant developers, sysadmins, security experts, and other technical staff who build and test our products and infrastructure. When they get together to share their expertise with one another, there’s electricity in the air!
Daniel Markuson
Dec 31, 2021 · 8 min read
Maintaining and expanding our tech staff’s valuable skill sets is as important as breathing to us. Our recent Nord Security Tech Days event was just the latest in a long line of tools we use to help our tech people stay on the cutting edge.
At Tech Days, nearly 30 of our leading experts got together to share and discuss technical insights that have enriched their work and that might enrich their colleagues as well. We’d like to share a few of the topics discussed that day to paint a picture of some of the brilliant tech workers we are proud to call our colleagues.
Topic: Exceptions are a powerful tool for handling errors in code, but they are perceived by many as being confusing and hard to use. Because of this, some modern languages forego exceptions entirely, instead using error handling mechanisms that the exceptions were meant to replace in the first place. The goal of this talk is to rectify these misconceptions, to show how exceptions can be an incredibly useful tool for error handling, and to provide concrete examples and tips regarding proper exception usage.
Topic: I’ll be discussing how to invest in internal tools and keep your developers happy. In my spare time I find/create internal tools that improve our developers’ workflows. Unfortunately, that also means I am the go-to person when old tools break down. One of the tools we currently use for PHP projects is a very outdated package manager. As with all software, migration to newer tools requires investment, and I'm here to tell you: outdated tools are a pain to maintain and eat up your developers’ precious time. And that makes our work less fun!
Topic: Packing is a code obfuscation technique used broadly by both legitimate software developers and malicious actors. This is a very popular technology – some statistics show that more than 80% of modern malware is packed with at least one packer. How, then, does the antivirus industry handle their widespread use? The answer: it hardly does.
During this presentation, I will review the most popular antivirus engines and how they analyze packed files. Some vendors’ approaches result in large streams of false positives and mislabelling. We cover the user experience hell those false positives create for legitimate projects and how developers can help overcome this challenge.
Topic: Satellite Infrastructure is introducing Consul as a layer to manage data synchronization and service discovery on VPN servers. Due to the specific nature of VPN servers, however, we have some quite unusual requirements and ways of doing things. Those requirements have led us to attempt to use Consul in non-standard ways, but Consul is reasonably opinionated in how it allows itself to be abused. In this presentation, I discuss the pitfalls in various approaches we’ve tried with Consul, the limitations we have discovered, and the ways in which Consul prevented us from abusing it and forced us to do things “the Consul way”.
Topic: I’ll be discussing our statistics infrastructure at Nord Security. That includes what our statistics infrastructure looks like today, what kind of tools we use, and how we’re moving forward with statistics infrastructure 2.0. We’ll also cover some of the setbacks and challenges we’ve experienced along the way, how we’ve dealt with them, and what lessons we’ve learned.
Topic: In my presentation, I’ll be discussing how we implement our Threat Protection feature and how it blocks ads, trackers and malicious websites on the user's device. We’re doing lots of work to expand it, including a defense against tracking cookies. The next big step is a feature to jeopardize device fingerprinting. I’ll discuss some of the unique challenges we’re facing and some of the most promising tools we’re looking at to implement these new functionalities.
Topic: Optimizing for the Anycast network was one of the very first tasks I had to work on when I joined NordVPN. At that time, NordVPN had their DNS infrastructure built on Anycast but offered suboptimal user experience in certain cases. It was challenging to optimize Anycast on a global scale because of how the internet works. We learned a lot while tackling this challenge, so today I would like to share that experience with you.
Topic: I will be raising questions about how to build a database platform that works all day and all night for all kinds of tasks either real or imagined. We’ll be touching on issues and experiences here at Nord Security as well as cases faced by database admins at other leading tech companies.
Topic: I’ll be discussing our work with providing dynamic layouts for payments in the client app. We deliver changes to the app while it’s in production and without a release procedure. We also run A/B testing to analyze our layout effectiveness, and we run all of this using Firebase Remote Config. You’ll find out how in my presentation.
Topic: Many of us have tried to imagine ourselves in the hit show “Squid Game” and have wondered how far we would get. In IT, however, we don’t have to try too hard as we live the Squid Game every day. In addition to sharing some similarities between the IT world and Squid Game, I’ll also discuss how we got started automating our QA testing.
Topic: Our Core Admin Team currently consists of 18 Linux, Windows, Database, and other experts. We support over 1500 virtual production servers and over 2000 virtual servers. Our scalable GitLab runners spin 1,600 jobs per day. We process more than 150 deployments per day, and a normal load for us is 20 deployments per hour and 5 deployments at a time. Every day, we execute 800 automated Ansible jobs and up to 400 manual actions. We serve 300 applications written in PHP, Go, NodeJS and .NET and we help more than 150 developers across different teams.
All of this requires a stable and secure staging environment. I’ll be discussing how we plan to transform our current staging and what it still needs.
Topic: Micro frontend architecture has achieved great results for many companies in both the frontend and backend, as evidenced by companies like Dazn and IKEA. However, the path towards success with micro frontend architecture is bumpy. It involves developers, architects, managers, and even business people. Everyone has to be on the same page. Preparation for this journey is crucial. It makes the transition to the micro frontends architecture smooth and pleasant. In this talk, I will break down what pitfalls await if you rush and how good homework upfront helps avoid them.
Topic: I’ll be discussing feature monitoring. How can you know if product features actually work for end users? Error monitoring, regression test results, testing, and the absence of user complaints are all insufficient for determining functionality. What you need is feature monitoring. I’ll discuss what this is and how you can implement it across a wide range of different features.
Topic: As our app grew in scale and was becoming more feature-rich, we noticed it started to run slow. We found a threading issue that we opted to solve by developing a custom thread factory to manage our threads. The results were dramatic, with tenfold reductions in certain UI hangups and even 30% increases in connection speed in certain cases. I’ll talk about how we did it and why thread management is so important.
Topic: I see lots of Android applications out there that handle process death poorly. This can lead to bad UX or even crashes. However, it can also be hard to find relevant and concise information about it. That’s why I’d like to share what I know about Android memory management and process death. This includes an explanation of how Android handles memory management and process death, how it can impact your app, and how you can test for it on your apps.
Topic: I’ll be talking about using machine learning to classify HTML forms. In order to generate a new secure password, autofill your login information, shipping address, or credit card information using your NordPass vault, we have to know what sort of form we are dealing with. We needed to capture all the major and subtle differences within every form using our custom “atomic” rules and turn HTML elements into vectors! We processed all the forms we’ve collected and used machine learning to build an extremely accurate model to predict the form type – which we use to fill your specific vault items. Getting the model right was not exactly easy, but we have reached over 98% accuracy. I’ll explain how.
Topic: I’ll be describing the Symfony Messenger component, how its parts are related to each other, and how they can be used. I’ll also discuss how we implement this component in our services and how it allows us to decouple business logic, simplify testing, and make our lives easier.
Topic: I will be discussing our team’s experience with implementing modular architecture in NordVPN’s Apple apps. I’ll cover what modular architecture is, why we considered it, and what obstacles we encountered while adapting it. That will include technical details about our app layers, as well as our final structure, our main achievements, and our future goals after implementing modular architecture.
Topic: Open Source is everywhere, including in many proprietary codebases and community projects. If you're not aware of what is in your software supply chain, an upstream vulnerability in one of your dependencies can be fatal, making you and your customers vulnerable to a potential compromise. In my talk, I will try to explain what the term “software supply chain” means, why it matters, what the biggest threats are, and how software engineers can secure their project’s supply chain.
Topic: We encountered some unique challenges when developing the Linux app due to the nature of this platform. There are valid reasons why some companies tend to avoid extending their support to include it. As the creators of a business VPN implementation, we had no easy solutions available, either.
In my presentation I discuss the development and distribution problems we encountered while developing NordLayer Linux, what decisions had to be made and what impact they had on the application, as well as our successes, our failures, and how we managed to make it all work well. I’ll also share tried and tested ideas and guidelines on how to make your Linux application as portable as possible.
Topic: I'd like to introduce our approach to dealing with Table and Collection views in a quick and easy way. After we got tired of massive and tangled DataSources for UITableViews, we found a declarative approach to make tables really data-driven. The result is that we can build TableView as easily as tableView.rx.bind(sections: sections).disposed(by: bag) for any table with any cells inside. This is all the code that you need in your UIController.
Topic: My presentation is focused on threat modeling. I’ll introduce what threat modeling is, how it’s done, and what key questions the threat modeling manifesto raises. During my talk, I will emphasize why good documentation is crucial for threat modeling and what makes it a team challenge rather than just the security team’s job. We’ll also cover the main threat modeling benefits, challenges, and tips for how to deal with them. My talk will cover free tools that are available to try and what kind of diagrams they help to produce. Also, I will touch on well-known threat modeling methodologies like STRIDE, PASTA and OCTAVE. STRIDE will be presented in a more detailed way with some samples from our internal threat modeling sessions.
Editor’s note: Due to their technical nature, some of the topics covered at the event cannot be published here. Our first and foremost responsibility is to maintain our users’ security and privacy, which sometimes requires us to maintain the confidentiality of our staff, infrastructure, processes, and technologies. Staff present at the event gained even deeper insights into the tech that makes Nord Security products run.