Enhancing Security and Developer Productivity: LinkedIn’s Journey with Implementing Content Security Policy

Figure 2. Decentralized system
In our effort to decentralize Content Security Policy headers, we created a CSP Filter, which is an intercepting filter. This filter lives as part of our frontend frameworks.
Developers can define Content Security Policies as part of their app’s configurations. When a request comes in, the WebApp processes the request and produces a response. As the response is leaving the WebApp, the response is intercepted by our new CSP Filter. If the WebApp owner has defined CSPs as part of their configurations, then the CSP Filter will decorate the response with Content Security Policy response headers. If the WebApp owners have not defined CSPs as part of their configurations, then the CSP Filter will take no action.
After a response leaves the WebApp layer and returns to the traffic layer, our existing Traffic Headers Plugin looks at the response. If there are no Content Security Policy headers in the response, the plugin will decorate the response with the appropriate headers. This fallback mechanism ensures setting a CSP header for every response.
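The two-layer flow described above, as an added example (not LinkedIn's code). The function names, the `csp` configuration key and the fallback policy value are assumptions made for illustration.

```python
CSP_HEADER = "Content-Security-Policy"
# Assumed traffic-layer default; the article does not give the real fallback policy.
FALLBACK_POLICY = "default-src 'self'"


def serialize(directives):
    """Turn {'script-src': ["'self'", ...]} into a header value."""
    return "; ".join(" ".join([name, *sources]) for name, sources in directives.items())


def has_csp(headers):
    """Header names are case-insensitive, so compare them lowercased."""
    return any(name.lower() == CSP_HEADER.lower() for name in headers)


def csp_filter(headers, app_config):
    """WebApp-layer filter: decorate only when the app defines CSP in its configuration."""
    directives = app_config.get("csp")  # hypothetical configuration key
    if directives:
        headers[CSP_HEADER] = serialize(directives)
    return headers


def traffic_headers_plugin(headers):
    """Traffic-layer fallback: add the default policy only if no CSP header is present."""
    if not has_csp(headers):
        headers[CSP_HEADER] = FALLBACK_POLICY
    return headers


def respond(app_config):
    """Run a response through both layers in the order described above."""
    headers = {"Content-Type": "text/html"}
    return traffic_headers_plugin(csp_filter(headers, app_config))
```

An app that defines its own policy keeps it, and an app without one still leaves the traffic layer with a policy.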
Overall, the decentralized system reduced the impact of CSP changes: each change has a limited, well-contained scope within the application, which minimizes potential errors and disruptions. We were able to equip developers with the tools, resources and knowledge to implement CSP changes efficiently by themselves, which improved developer productivity. Additionally, developers could use their own testing environments to test CSP changes.
One primary disadvantage in adopting a decentralized architecture for Content Security Policy customizations is that the security governance for CSP rules became challenging due to the following reasons:
- Lack of a centralized location to easily inspect CSP rules.
- While developers are empowered to make their own changes, the Application Security team is not directly involved in setting CSP rules, leading to a lack of visibility into any potentially unsafe CSP changes.
- Modification of CSP can be tricky for developers and sometimes requires deep knowledge of frontend security.
We addressed these issues by adopting a shift-left approach: security validators analyze code at the time of code commit. To ensure developers always commit safe CSP policies, we implemented risk-based validation rules. We used GitHub validation checks to enforce the rules, and GitHub annotations to show developers the appropriate actions to take.
As an example, one critical risk rule we defined is that we support only static JavaScript using hashes or loaded from trusted sources. This means that we block a developer’s pull request (PR) when they set script-src directive to a wildcard or a domain that is not approved. The following is a screenshot of the developer experience for critical rules.
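A commit-time check for the critical rule above, as an added example (not LinkedIn's validator). The approved-host list and sample policies are constructed, and treating `'self'` as trusted, scheme-only sources as wildcards and other keyword sources as outside the rule are assumptions that go slightly beyond the two cases the article names.

```python
import re

# Assumed allowlist; the article does not name the approved script hosts.
APPROVED_SCRIPT_HOSTS = {"static.example.com", "cdn.example.com"}
HASH_SOURCE = re.compile(r"^'sha(256|384|512)-[A-Za-z0-9+/_-]+={0,2}'$")
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}  # match any or nearly any origin

# Constructed sample policies, not taken from the article.
SAFE = "default-src 'self'; script-src 'sha256-AbCd1234+/=' https://static.example.com"
UNSAFE = "script-src * https://unapproved.example.net 'unsafe-inline'"


def parse_csp(policy):
    """Split a serialized policy into {directive: [sources]}; the first duplicate wins, as in browsers."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def host_of(source):
    """Strip scheme, port and path from a host-source expression."""
    host = source.split("://", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0].lower()


def critical_findings(policy):
    """Return one message per script-src source that violates the critical rule."""
    findings = []
    for src in parse_csp(policy).get("script-src", []):
        low = src.lower()
        if HASH_SOURCE.match(src) or low in ("'self'", "'none'"):
            continue
        if low in BROAD_SOURCES:
            findings.append(f"script-src allows any origin via {src}")
        elif low.startswith("'"):
            findings.append(f"script-src keyword {src} is not a hash source")
        elif host_of(src) not in APPROVED_SCRIPT_HOSTS:
            findings.append(f"script-src host {src} is not on the approved list")
    return findings


def pr_blocked(policy):
    """A pull request is blocked when any critical finding exists."""
    return bool(critical_findings(policy))
```

Each finding string is the kind of message a validation check could surface as an annotation on the offending configuration line.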
Career stories: The math-music connection in data science

Making the leap from music to LinkedIn Engineering with REACH
My journey to LinkedIn and passion for coding came from an entirely different background than programming. After studying math and music in college, I performed as a professional violinist touring around the world and composing music for television and film for 15 years.
During the pandemic, I discovered data science after my friends suggested I take programming courses. I became super interested in machine learning and wanted to make a shift in my career, so I was excited to discover LinkedIn’s apprenticeship program for people with non-traditional tech backgrounds like me: REACH. While I was an apprentice, I was given the opportunity to learn and develop skills and also got to have a hand in LinkedIn projects.
I am fortunate that I found a second passion in life. My team and mentors were welcoming and flexible with me as I leaned into my role and adapted to how we work at LinkedIn. It’s been a smooth transition since I also worked remotely during my music career. There’s a great culture of work-life balance at LinkedIn. I can adapt my working hours to California or Chicago hours to accommodate my team’s workload, and the flexibility adds to the balance. Although I love working remotely, I think it’s equally important to further connections with your team in person. I visit the Mountain View office each quarter to share coffee, lunch, and thoughts about our projects at LinkedIn with my team members.
Refining the LinkedIn member experience
In my role at LinkedIn, I’m on one of the consumer-facing teams responsible for the algorithm recommending the feed to LinkedIn members. I program in Python, Scala, and Java as I toggle between analyzing data, running machine learning experiments, and evaluating business impact.
In my first big project, I experimented with sampling our training data for the algorithms. It was thrilling to work with data on a different scale than what I was used to in my personal projects; I went from working with tables of 10,000 rows to 500 million! Using big data technologies like Spark and Hadoop, I sampled different data to feed our algorithms, which turned into business metric gains that I also learned to interpret. I still remember the anticipation right before I pressed the button to share the benefits of my model with 10% of LinkedIn members.
I also love keeping tabs on the member experience through on-call shifts, which is when I’m responsible for LinkedIn’s feed worldwide. If something goes down on a data generation pipeline that will affect our members, I can immediately jump in to solve the issue. The decisions I make in those couple of minutes to ensure that I can effectively direct traffic so as to not impact the experience of millions of members makes the work even more rewarding.
Career stories: Influencing engineering growth at LinkedIn

Since learning frontend and backend skills, Rishika’s passion for engineering has expanded beyond her team at LinkedIn to grow into her own digital community. As she develops as an engineer, giving back has become the most rewarding part of her role.
From intern to engineer—life at LinkedIn
My career with LinkedIn began with a college internship, where I got to dive into all things engineering. Even as a summer intern, I absorbed so much about frontend and backend engineering during my time here. When I considered joining LinkedIn full-time after graduation, I thought back to the work culture and how my manager treated me during my internship. Although I had a virtual experience during COVID-19, the LinkedIn team ensured I was involved in team meetings and discussions. That mentorship opportunity ultimately led me to accept an offer from LinkedIn over other offers.
Before joining LinkedIn full-time, I worked with Adobe as a Product Intern for six months, where my projects revolved around the core libraries in the C++ language. When I started my role here, I had to shift to using a different tech stack: Java for the backend and JavaScript framework for the frontend. This was a new challenge for me, but the learning curve was beneficial since I got hands-on exposure to pick up new things by myself. Also, I have had the chance to work with some of the finest engineers; learning from the people around me has been such a fulfilling experience. I would like to thank Sandeep and Yash for their constant support throughout my journey and for mentoring me since the very beginning of my journey with LinkedIn.
Currently, I’m working with the Trust team on building moderation tools for all our LinkedIn content while guaranteeing that we remove spam on our platform, which can negatively affect the LinkedIn member experience. Depending on the project, I work on both the backend and the frontend, since my team handles the full-stack development. At LinkedIn, I have had the opportunity to work on a diverse set of projects and handle them from end to end.
Mentoring the next generation of engineering graduates
I didn’t have a mentor during college, so I’m so passionate about helping college juniors find their way in engineering. When I first started out, I came from a biology background, so I was not aware of programming languages and how to translate them into building a technical resume. I wish there would have been someone to help me out with debugging and finding solutions, so it’s important to me to give back in that way.
I’m quite active in university communities, participating in student-led tech events like hackathons to help them get into tech and secure their first job in the industry. I also love virtual events like X (formerly Twitter) and LinkedIn Live events. Additionally, I’m part of LinkedIn’s CoachIn Program, where we help with resume building and offer scholarships for women in tech.
Influencing online and off at LinkedIn
I love creating engineering content on LinkedIn, X, and other social media platforms, where people often contact me about opportunities at LinkedIn Engineering. It brings me so much satisfaction to tell others about our amazing company culture and connect with future grads.
When I embarked on my role during COVID-19, building an online presence helped me stay connected with what’s happening in the tech world. I began posting on X first, and once that community grew, I launched my YouTube channel to share beginner-level content on data structures and algorithms. My managers and peers at LinkedIn were so supportive, so I broadened my content to cover aspects like soft skills, student hackathons, resume building, and more. While this is in addition to my regular engineering duties, I truly enjoy sharing my insights with my audience of 60,000+ followers. And the enthusiasm from my team inspires me to keep going! I’m excited to see what the future holds for me at LinkedIn as an engineer and a resource for my community on the LinkedIn platform.
About Rishika
Rishika holds a Bachelor of Technology from Indira Gandhi Delhi Technical University for Women. Before joining LinkedIn, she interned at Google as part of the SPS program and as a Product Intern at Adobe. She currently works as a software engineer on LinkedIn’s Trust Team. Outside of work, Rishika loves to travel all over India and create digital art.
Editor’s note: Considering an engineering/tech career at LinkedIn? In this Career Stories series, you’ll hear first-hand from our engineers and technologists about real life at LinkedIn — including our meaningful work, collaborative culture, and transformational growth. For more on tech careers at LinkedIn, visit: lnkd.in/EngCareers.
Career Stories: Learning and growing through mentorship and community

Lekshmy has always been interested in a role in a company that would allow her to use her people skills and engineering background to help others. Working as a software engineer at various companies led her to hear about the company culture at LinkedIn. After some focused networking, Lekshmy landed her position at LinkedIn and has been continuing to excel ever since.
How did I get my job at LinkedIn? Through LinkedIn.
Before my current role, I had heard great things about the company and its culture. After hearing about InDays (Investment Days) and how LinkedIn supports its employees, I knew I wanted to work there.
While at the College of Engineering, Trivandrum (CET), I knew I wanted to pursue a career in software engineering. Engineering is something that I’m good at and absolutely love, and my passion for the field has only grown since joining LinkedIn. When I graduated from CET, I began working at Groupon as a software developer, starting on databases, REST APIs, application deployment, and data structures. From that role, I was able to advance into the position of software developer engineer 2, which enabled me to dive into other software languages, as well as the development of internal systems. That’s where I first began mentoring teammates and realized I loved teaching and helping others. It was around this time that I heard of LinkedIn through the grapevine.
Joining the LinkedIn community
Everything I heard about LinkedIn made me very interested in career opportunities there, but I didn’t have connections yet. I did some research and reached out to a talent acquisition manager on LinkedIn and created a connection which started a path to my first role at the company.
When I joined LinkedIn, I started on the LinkedIn Talent Solutions (LTS) team. It was a phenomenal way to start because not only did I enjoy the work, but the experience served as a proper introduction to the culture at LinkedIn. I started during the pandemic, which meant remote working, and eventually, as the world situation improved, we went hybrid. This is a great system for me; I have a wonderful blend of being in the office and working remotely. When I’m in the office, I like to catch up with my team by talking about movies or playing games, going beyond work topics, and getting to know each other. With LinkedIn’s culture, you really feel that sense of belonging and recognize that this is an environment where you can build lasting connections.
LinkedIn: a people-first company
If you haven’t been able to tell already, even though I mostly work with software, I truly am a people person. I just love being part of a community. At the height of the pandemic, I’ll admit I struggled with a bit of imposter syndrome and anxiety. But I wasn’t sure how to ask for help. I talked with my mentor at LinkedIn, and they recommended I use the Employee Assistance Program (EAP) that LinkedIn provides.
I was nervous about taking advantage of the program, but I am so happy that I did. The EAP helped me immensely when everything felt uncertain, and I truly felt that the company was on my side, giving me the space and resources to help relieve my stress. Now, when a colleague struggles with something similar, I recommend they consider the EAP, knowing firsthand how effective it is.
Building a path for others’ growth
With my mentor, I was also able to learn about and become a part of our Women in Technology (WIT) WIT Invest Program. WIT Invest is a program that provides opportunities like networking, mentorship check-ins, and executive coaching sessions. WIT Invest helped me adopt a daily growth mindset and find my own path as a mentor for college students. When mentoring, I aim to build trust and be open, allowing an authentic connection to form. The students I work with come to me for all kinds of guidance; it’s just one way I give back to the next generation and the wider LinkedIn community. Providing the kind of support my mentor gave me early on was a full-circle moment for me.
Working at LinkedIn is everything I thought it would be and more. I honestly wake up excited to work every day. In my three years here, I have learned so much, met new people, and engaged with new ideas, all of which have advanced my career and helped me support the professional development of my peers. I am so happy I took a leap of faith and messaged that talent acquisition manager on LinkedIn. To anyone thinking about applying to LinkedIn, go for it. Apply, send a message, and network—you never know what one connection can bring!
About Lekshmy
Based in Bengaluru, Karnataka, India, Lekshmy is a Senior Software Engineer on LinkedIn’s Hiring Platform Engineering team, focused on the Internal Mobility Project. Before joining LinkedIn, Lekshmy held various software engineering positions at Groupon and SDE 3. Lekshmy holds a degree in Computer Science from the College of Engineering, Trivandrum, and is a trained classical dancer. Outside of work, Lekshmy enjoys painting, gardening, and trying new hobbies that pique her interest.