Welcome to Woman In Cyber Security

The Story of Franziska Bühler-Schmocker, Between Web Server Security and Web Application Firewalls

by Magda CHELLY November 28, 2017

The Story of Franziska Bühler-Schmocker, Between Web Server Security and Web Application Firewalls

Franziska Bühler currently works as a Senior Systems Engineer in Switzerland.
Her main areas of responsibility are web server security and everything related to the access layer. In Switzerland, this typically includes authentication and web application firewalls.
She holds a Bachelor of Science degree in computer science with a specialization in IT security. She is also a Certified OSSTMM Professional Security Tester (OPST), accredited by ISECOM (Institute for Security and Open Methodologies).

 

Android Forensics

While studying, she did research in the field of Android forensics. First, she retrieved YAFFS2 (yet another flash file system 2) file system dumps. Then she managed to gain and understand the file system chunk metadata to recover deleted SMS, contacts and phone calls.
That was a new and unresolved challenge at that time. She presented the result and submitted it to federal authorities. Unfortunately, Android does not use this file system anymore.
Franziska likes to turn bits and bytes until she has resolved the puzzle. When she was growing up, she liked to solve all sorts of physical puzzles made of wood or metal. Maybe that was already an indication of her present preference.

 

Path to Cyber Security

Franziska's started her IT career as a system administrator for various Windows, UNIX and Linux server operating systems. She had to control, operate and monitor different types of systems and locate, isolate and resolve technical incidents.
Yet, she did not seek to transition into security. It came naturally when she changed to engineering exposed and critical systems where security and security awareness is a must.

 

Current Work

She's been working as a Systems Engineer with specialization in web server security and web application firewalls since 2009.
She holds technical responsibility for the reverse proxy platform and leads a group dedicated to all things reverse proxy.
She is responsible for identifying, analyzing and assessing risks, threats and vulnerabilities, and for maintaining the security of the platform.
In addition to building or reorganizing platforms, she also writes and implements security policies. She writes scripts and programs to automatically monitor policy compliance.
Topics related to DevOps are one of the topics of interest today. Her certification as a scrum master helps her with her involvement in agile projects and providing technical advice.
Another important part of her job is providing third level support for critical incidents. This sometimes makes the days unpredictable, but all the more exciting. It is a particular pleasure to investigate and resolve a problem for Franziska.


The Hobby: OWASP ModSecurity Core Rule Set


In her spare time, Franziska Bühler helps as a developer and committer to enhance the OWASP ModSecurity Core Rule Set. The Core Rule Set is a rule set for the ModSecurity web application firewall. See https://coreruleset.org.
It is the first line of defense against web application attacks, like those described by the OWASP Top Ten. The Core Rule Set is mentioned as one of the possible precautions against A10:2017-Insufficient Logging & Monitoring.
She co-developed the new paranoia mode, which helps to keep the number of false positives under control. This is very important for the usability of a WAF, to ensure there are as few false positives as possible.
She recently published a blog post (https://coreruleset.org/20171109/disassembling-sqli-rules/) describing disassembling many optimized regular expressions. They had been optimized with the help of an arcane Perl module a long time ago. The blog post describes how Franziska disassembled the regular expressions to retrieve the source pattern. This work is important to the OWASP Core Rule Set project and its maintainability.

 

The Challenge of Family and Working Life

In addition to the technical challenges that come from work or her hobby, the Core Rule Set project, it is also a challenge to harmonize a part-time job with her husband and their two children.
Fortunately, she is still able to do highly demanding technical work and not work on the side, even part-time. She owes that to her progressive employer, the Swiss Post.

 

Advice for other women

Franziska Bühler has been working in IT since 2001 and she has met different kinds of people throughout it. Most of them were friendly and open to women.
Some of them have very old-fashioned attitudes towards women. It may not be intentional on their part, it is ingrained in their minds. Franziska thinks that women cannot change them and convince them otherwise. It is not worth bothering, it's a lost cause. You would be better off associating with people who are nice and supportive.
Most people are open-minded. One of her mentors is Christian Folini. He believes that good people, women or men, should be supported and promoted. And he thinks that diversity is important and an asset to a team. Such well-meaning people are important and a gift. Let them guide you.
Another important point is to always be up to date. Especially in the field of cyber security, things change often and fast. Take courses, earn certifications, attend conferences and learn new technologies. Outside of being fun, they broaden your horizon and they also make you even more valuable.
And, most important, believe in yourself.

If you want to get in contact with Franziska Bühler, write her a message: @bufrasch on Twitter.




Magda CHELLY
Magda CHELLY

Author

Magda Lilia Chelly, is the Managing Director of Responsible Cyber Pte. by day, and a cyber feminist hacker by night.



Also in Cyber Role Models

Good girls go to heaven, but girls in cyber go everywhere ... An exclusive Interview with Lisa Lorenzin, Director, Emerging Technology Solutions, Americas at Zscaler
Good girls go to heaven, but girls in cyber go everywhere ... An exclusive Interview with Lisa Lorenzin, Director, Emerging Technology Solutions, Americas at Zscaler

by Magda CHELLY March 25, 2018

‘’And the good girls go to heaven, but the bad girls go everywhere...’’ – This is what I have read when I was trying to know Lisa better on her Twitter account. Controversial, courageous, and ambitious, this woman has a lot to share with us about her experience, and how she climbed the corporate ladder in security. I chatted with Lisa for hours about life, politics, and technology as well as about how to tackle the challenges in a male-dominated industry. 

Continue Reading

Amber C. Williamson, Cybersecurity is a fascinating field and it’s never a dull moment in this industry
Amber C. Williamson, Cybersecurity is a fascinating field and it’s never a dull moment in this industry

by Magda CHELLY November 19, 2017

Amber C. Williamson is an IT Mentor Advocate for upcoming aspirants in the Cybersecurity & Information Technology world. Her journey was introduced during her childhood and has never left. She is the first generation in her family to have a Double Bachelor’s and Double Master’s Degree in Biology, Computer Science, Information Systems, and Network Communications. Amber has over 12+ years of industry experience and currently pursuing her cybersecurity certifications for 2018. She is a force to be reckon with and willing to make a difference in the lives of others in Cyber Security.

Continue Reading

Sarah Hendrickson; Pen tests, vulnerability scanning, red team testing – I built it all !
Sarah Hendrickson; Pen tests, vulnerability scanning, red team testing – I built it all !

by Magda CHELLY November 12, 2017

I worked my way through college at a Research and Development lab for a company that milled flour and made baking mixes for consumers as well as restaurants.  I obtained my degree in Chemistry and the lab job included running the analyticals to write the product nutritionals (%fat, %carbs, %protein, etc.).  At almost 6’ tall, I was significantly taller than my manager and when she went to read the instrumentation, her results varied significantly than mine.  I used a software application to calibrate the instruments to remove the human error.  It worked well and they asked me to do this for the instruments in their Quality Assurance lab.  This was the only time I have ever “coded”. 

Continue Reading