Welcome to our Ask the Expert series, featuring profiles from our employees across all teams and offices! Previously, we introduced Maxwell Foley. Let’s meet another one of CertiK’s expert engineers: Peiyu Wang.
Peiyu Wang received a bachelor’s degree in electronics from Georgia Tech and a master’s degree in information security from Johns Hopkins University. He has extensive experience in web applications, mobile applications and network penetration testing.
Through different client engagements and bug bounty programs, he has discovered many high-risk vulnerabilities and proposed effective repair plans to prevent the vulnerabilities from being exploited by malicious hackers. Peiyu is one of the two security engineers who were invited to participate and speak during the DEFCON blockchain village event.
Before joining CertiK, he worked as a security engineer at Harbor Labs and NCC Group and focused on software development, security testing, and medical device-related security research. He currently holds the OSWE (Offensive Security Web Expert) and OSCP (Offensive Security Certified Professional) security certifications.
Q: Why did you want to become a security engineer?
When I was in high school, I found a passion for science. My performance in physics was far superior to that in geography, history and politics. My interest in computers was the biggest reason for me to be an engineer at the time. Apart from studying, gaming became my biggest pastime and source of entertainment during my undergraduate career.
I quickly realized that the popularity of a game must always be accompanied by the rampant development of plug-in software. Some people use computer technology to perform non-original operations on the software. This tampers with the original settings and rules of the game, and allows players to gain benefits through improper means.
This kind of ‘cheating program’ or software aroused my initial curiosity, and I gradually moved into contact with network and information security. (I would like to remind everyone to follow the rules when playing games, respect intellectual property rights and the labor of the game design team.)
Taking security courses and reading security books built a bridge for me to enter this industry. My own technical preference, coupled with a strong interest, guided me to study information security for my master's degree.
Q: What does your daily work look like?
Many people think programmers and engineers do the same work, but this is not the case. As a security engineer I have relatively little coding time compared to programmers, especially when it comes to penetration testing. Penetration testing is a type of test that is focused on uncovering weaknesses in the code, with an analysis of the code's composition and details.
Compared with “writing”, the practical term “review” is more appropriate. But does that mean that security engineers don’t have to write code? My answer is no. As a security engineer who needs to be proficient in code, writing code is a means of practice and verification.
Q: What are some of your challenges and accomplishments?
I have encountered many interesting things during the course of my professional career. For example, CertiK audited and reviewed ‘Project Party A’s’ website application.
During the penetration test we successfully found an exploitable vulnerability, which made the website data abnormal. After receiving feedback, Project Party A’s team immediately repaired the code to begin the process again. When we hacked into their website application again, they told me, “we have no way to stop you!” Eventually, the problem was fixed and the code was structurally sound.
As for the challenges, all engineers and programmers have similarities. From the beginning to the end of a project, communication plays a crucial role in successful completion. And the communication extends further than just the technology.
Q: What do you do in your spare time?
I like to pursue and learn about many other fields to broaden my scope of knowledge. I hope to challenge myself and break through in every industry I set foot in, even if I'm not familiar with it. Additionally, my short-term goals include learning more about vulnerabilities and understanding how I can fix them.
“Know yourself, know the enemy and win every battle” is a quote I tell myself often. I enjoy studying whether existing vulnerabilities can be exploited in new ways, and if there are other ways to bypass security protection measures so that I can develop more security solutions. Therefore, in addition to intensive work during the day, I also read a lot of papers and professional articles at night.
After studying about those vulnerabilities, I watch hacking videos to solidify everything I’ve learned. Watching videos allows me to observe the vulnerabilities, and explore the methods of exploitation in addition to researching and creating solutions on my own.
And of course, as a ten-year Dota player, playing games is an indispensable part of my spare time.
My final thoughts: the engineers many think are stereotypically boring actually have many diverse interests behind them. They dream of changing the world with their own power. I have learned that many engineers have various rare qualities, and their growth results from countless hardships late at night.
There is no “typical” engineer. Every engineer is their own unique creator.