From Matera to Milan between front-end development and Cybersecurity

Today we meet Nicola Lopatriello, front-end developer and penetration tester.


Tell us how you landed in GFM.

I first learned of GFM about seven years ago by word of mouth. At that time I was working in an IT support store in the town where I lived, in the province of Matera, a job I did for ten years, while attending the online university course in Information Systems and Network Security at the University of Milan. At that time I was inexperienced when it came to software development, but thanks to the positive climate, the seniority of other colleagues and the desire to learn, it was not difficult to take my first steps in this reality.


What kind of environment did you find?

It's an environment that I really like, because there was a beautiful relationship of trust and familiarity right away, which continues to this day. That's exactly what I'm looking for, and I know that's a difficult thing to find in companies, where sometimes the size of the organization complicates things a bit. We are a small group, and there is great unity and cohesion among us.


What do you think is the secret of this positive climate?

Those who build the company have a clear philosophy; they are not rigid, but flexible and tolerant. As a result, the new people who come in share the values of the team. The value that keeps us together is friendship, familiarity: ours is not an environment of rivalry; we always help each other among colleagues. I think this is not a given in a working environment.


Which project did you start with? And which one are you following now?

The first was "Kirk," a project developed for Vodafone that I followed from start to finish, together with Greta. For about three years I have been working on LSI, a multi-tenant cloud platform that features a set of tools for monitoring physical environmental quantities. In recent months I have been working on the graphical interface of a tool that facilitates the process of labeling images used to train an Artificial Intelligence algorithm.


Meanwhile, we understand that you are also very actively involved in cybersecurity...

It's true: we have been actively approaching this world for about a year now, and I am trying to bring my contribution to the company. We are coming off intense months of training and are focusing on "penetration testing" of web applications, a natural choice, since as a company we are really in the business of developing web applications.


Let's explain it well to our readers: what is a "penetration test"?

A "penetration test" is a simulation of a cyber attack on a system, network or application to assess its security. However, unlike a real attack, a "penetration test" is performed with the consent of the system owner.
The main objective is to identify vulnerabilities and provide as an end result a report containing all the useful information, i.e., the steps needed to replicate the vulnerability and suggestions for remedying it.
Briefly, "penetration tests" can be of three types. White-box: the attacker has full access to information about the system, including documentation, source code, and credentials. Grey-box: the attacker has limited access to information about the system, may know, for example, some basic credentials or partial information about applications. Black-box: the attacker has no inside information about the system. In this case, the approach is similar to that of an external hacker trying to compromise the system without prior knowledge of the system.


What are the risks associated with a vulnerable web application?

Mainly data compromise, that is, the risk of system data being stolen and, often, used to blackmail the organization, demanding payment in exchange for non-disclosure of the data or their return. Let us then keep in mind that a vulnerable application may also be merely the means through which to attack more complex third-party systems. In this scenario, the vulnerable application represents only a weak link in a larger chain.


How does cybersecurity impact GFM's work?

As a software development company we have a duty to try to release secure software to our customers, so we do what we can to be aware of known vulnerabilities. It is clearly a trade-off between costs and benefits: software may well be affected by vulnerabilities, but the important thing in the meantime is to have awareness of any risk, along with Disaster Recovery strategies.


What do you think is the biggest challenge facing cybersecurity today?

The increasing complexity of attacks. Attackers are increasingly skilled at creating targeted and sophisticated attacks, using advanced techniques such as social engineering, phishing or ransomware. This requires security experts to constantly be one step ahead, taking proactive defense measures and continually updating cybersecurity strategies. It should also be remembered that often the weakest link in the whole chain is the end user, and so cybersecurity practitioners will be required to make increasing efforts to raise awareness and train users.