Category: Jobs

Building an Application Security Team

The Application Security Engineer role is in demand nowadays. Many job offers are available, but actual candidates are scarce. Why is that? It’s not an easy task as the level of skills needed is both to be broad and specialized at the same time. Most of the offers are about one person, one unicorn that does all those wonderful things to ensure that the organization is making secure software.


Looking at where we are coming from

For the sake of simplicity, let’s say that the application security industry is traditionally split between two main types of offering: those who are selling products and those who are selling pen test services. In many occasions both are from the same vendor, but from different teams internally. Let’s break down how they are judged on their success to have an idea how it managed to evolve.

Continue reading

Phishing and Clearances

Apparently, the CISO of US Homeland Security, a Paul Beckman, said that:

“Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government” (Paul Beckman, quoted in Ars technica)

Now, I’m sure being in the government and trying to defend against phishing attacks is a hard problem, and I don’t want to ignore that real frustration. At the same time, GAO found that the government is having trouble hiring cybersecurity experts, and that was before the SF-86 leak.

Removing people’s clearances is one repsonse. It’s not clear from the text if these are phishing (strictly defined, an attempt to get usernames and passwords), or malware attached to the emails.

In each case, there are other fixes. The first would be multi-factor authentication for government logins. This was the subject of a push, and if agencies aren’t at 100%, maybe getting there is better than punitive action. Another fix could be to use an email client which makes seeing phishing emails easier. For example, an email client could display the RFC-822 sender address (eg, “<>” for any email address that that email client hasn’t sent email to, rather than the friendly text. They could provide password management software with built-in anti-phishing (checking the domain before submitting the password. They could, I presume, do other things which minimize the request on the human being.

When Rob Reeder, Ellen Cram Kowalczyk and I created the “NEAT” guidance for usable security, we didn’t make “Necessary” first just because the acronym is neater that way, we put it first because the poor person is usually overwhelmed, and they deserve to have software make the decisions that software can make. Angela Sasse called this the ‘compliance budget,’ and it’s not a departmental budget, it’s a human one. My understanding is that those who work for the government already have enough things drawing on that budget. Making people anxious that they’ll lose their clearance and have to take a higher-paying private sector job should not be one of them.

Virtual assistant services?

I’m getting ready to announce an East coast book tour. In planning my Silicon Valley tour, I learned that between scheduling, getting the details needed out, making sure I knew where I was sleeping, there was a large amount of administrative work involved. So I’d like to hire someone to take care of all that for me next time.

I think the tasks will include:

  • Engage with companies/venues interested in having me speak to work through scheduling & logistics, including ordering books
  • Scheduling (including travel time, setup, speaking, signing)
  • Travel coordination including hotels & trains

Do you have recommendations for a virtual assistant service that you’ve used for something at this level of complexity?

Alternately, convince me that I want a specialized book tour operator? My experience in Silicon Valley was that most venues were companies, and many were good enough to buy the books for their employees. So I don’t think I need someone specialized.

Follow your passion?

Growing up, we were told by guidance counselors, career advice books, the news media and others to “follow our passion.” This advice assumes that we all have a pre-existing passion waiting to be discovered. If we have the courage to discover this calling and to match it to our livelihood, the thinking goes, we’ll end up happy.

As I considered my options during my senior year of college, I knew all about this Cult of Passion and its demands. But I chose to ignore it. The alternative career philosophy that drove me is based on this simple premise: The traits that lead people to love their work are general and have little to do with a job’s specifics. These traits include a sense of autonomy and the feeling that you’re good at what you do and are having an impact on the world. Decades of research on workplace motivation back this up. (Daniel Pink’s book “Drive” offers a nice summary of this literature.)

(“Follow a career passion?” Cal Newport)

It may be confirmation bias, but I’m feeling a real sense of relief from these career articles in the New York Times. Growing up, I had a series of plans that I was forced to make. Many of these were foisted on me by well meaning folks who wanted to ensure that I avoided defaulting to petroleum transfer engineering. The experience of these guidance counselors was that if you don’t have a plan, you end up at wits end. There was a series of random events that took me off the path that I’d planned, and brought me where I am today.

As a silly example, if someone had told me that going to an intrusion detection conference in Belgium was going to lead to me writing a book 5 years later, I wouldn’t have even laughed. I would have just shaken my head.

The idea that job satisfaction comes from things other than painting by numbers is important. For a great deal of human history, most people worked on their farm or someone else’s, and received little in the way of cash payment. The idea of the organization man required organizations big enough to stick around for your entire life. Professionals worked for themselves, or really, whoever walked through the door on a given day.

More and more folks are working independently. Some of that is by choice. Avoiding the mind-numbing meetings, politics, and co-workers you don’t like can be rewarding. Focusing on projects, where you can see an outcome and a deliverable can be clarifying. On the other hand, a lot of people are getting forced there, and for a lot of people, it’s a rough place to be. I think much of that roughness relates to the unpredictability (where’s my next job coming from?) BUt i also think a lot of it comes from believing that a successful person is painting by numbers. That they’re following a preset plan. And if you’re “just” consulting or contracting, you are not doing that, and therefore, you’re not successful.

What emerges over the course of a life is hard to predict. Demanding that it be both awesome and according to plan is a much harder expectation to meet than just accepting the awesome which comes your way.

Rejecting the chaos of interesting and random opportunities that came along would have made for a different career for me. Would it have been interesting? Probably. Would it have been as rewarding? It’s hard to say. But I doubt it.

So next time you’re thinking about a career choice, try rejecting the paint by numbers approach, and embracing the emergent chaos that might come from looking for more of a chance to build and flex your skills, to have an impact on the world, or to find co-workers who you can learn from.

Two Models of Career Planning

There’s a fascinating interview with Mark Templeton of Citrix in the New York Times. It closes with the question of advice he gives to business students:

There are two strategies for your life and career. One is paint-by-numbers and the other is connect-the-dots. I think most people remember their aunt who brought them a gift for their birthday or whatever and it was a paint-by-number set or a connect-the-dots book.

So with the paint-by-number set, you know ahead of time what it’s going to look like. Then, by contrast, with a connect-the-dots puzzle, you can only guess at what it might look like by the time you finish. And what you notice about that process is the further along you get, the more clear it becomes. It might be a beach ball, or a seal in a Sea World park or something. The speed at which you connect dots gets faster as the picture starts coming into view.

You probably get the parallel. This isn’t about what’s right and what’s wrong. This is about getting it right for you. Parents often want you to paint by numbers. They want it so badly because they have a perception that it’s lower risk, and that’s the encouragement they’re going to give you. They’re going to push you down this road, and faculty members will, too, because they want you to deliver on what they taught you. It doesn’t make it wrong; it’s just that there’s a bias in the system. You have to decide for yourself. The earlier you actually get it right for yourself, the faster and the better that picture is going to look.

And the more time you spend on paint by numbers when you’re a connect-the-dots person, and vice versa, the harder it’s going to be. (Mark Templeton, quoted in “Paint by Numbers or Connect the Dots“)

When I got started in information security, there were a lot fewer jobs. They were less categorized. There might have been degrees in information security, but there certainly were not “Centers of Excellence” churning out graduates. (It turns out “degree” is one of those terms, like “hotel” or “mesothelioma” that’s so heavily SEO’d that it’s a pain to search that history.) Because there was no “paint by numbers” path, people entered the field from a wide variety of backgrounds. Everyone was connecting the dots as we went.

Anyway, I like the analogy, and think it explains why a lot of career advice fails to help its intended recipients.

Fascinating Job at PayPal

Someone reached out to me about a job that looks really interesting:

The Director of Security Experience, Education & Research (SEER) will be responsible for defining the customer-facing security strategy for PayPal , define product roadmaps to enhance feature security and usability, drive customer security best practices adoption throughout our industry, and drive customer security education and engagement in coordination with PayPal’s marketing and global operations teams. The SEER Director will also play a leadership role in helping set the authentication strategy, research agenda, and lead a team to establish a customer-centric culture …

I think the hiring manager has put together a fascinating set of tasks, which, combined with Paypal’s reach, that has a real potential to make the world a better place, and so wanted to help him find the right candidate.

Emergent Chaos endorses Wim Remes for ISC(2) Board

Today, we are sticking our noses in a place about which we know fairly little: the ISC(2) elections. We’re endorsing a guy we don’t know, Wim Remes, to shake stuff up. Because, really, we ought to care about the biggest and oldest certification in security, but hey, we don’t. And really, that’s a bit of a problem. And it seems that Wim wants to make things better. And so we’re encouraging all four of our CISSP-holding readers to go vote for him, because we think that a whole lotta shaking going on would be, at worst, a not-bad thing.

How’s that for a heartfelt endorsement?

Ok, more seriously. ISC(2) offers up a certification in information security. There’s a big infosec community that doesn’t take that certification very seriously. That’s a problem that I’ve never had a motivation to try to solve, but Wim does, and I wish him the very best of luck. I think that that CISSP could do substantially better, and the first phase of that is to elect some outsiders to communicate a message that change is needed. What’s more, Wim is not a joke candidate, and he’s campaigned effectively for the role, getting lots of endorsements from people who are both worth listening to and who take this seriously enough that they wouldn’t open with a jokey lead.

And so Emergent Chaos is endorsing Wim, and hoping that some chaos and other worthwhile things start to emerge. You can read his statement on Jimmy Blake’s blog, and vote here.

Punditry: Better Security Through Diversity Of Thinking

I am honored that the kind folks at threapost have asked me to write for them occasionally. My first post is about better security through diversity of thinking which was inspired by pastry chef Shuna Fish Lydon.
From her post (which I quoted in mine as well)

It is my experience that unless you push yourself really hard to stay away from your sweet spot comfort zone of I-Know-All-I-Need-To-Know-And-I-Feel-Very-Comfy-In-This-Job/Kitchen-Thank-You-Very-Much, and move kitchens or chefs or hire people who are much closer to your level than you feel comfortable having them, you will become stagnant in your baking skill and knowledge.

True for security as well. See my post for more.

Ten Years Ago: Reminiscing about Zero-Knowledge

zks-logo.jpgTen years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who can’t say that.

We struggled with the tremendously hard problem of privacy. We did it for something bigger and more important than ordering your groceries online. We didn’t succeed at the first business plan, or the second, but we plugged away at it, listened to prospective customers and partners, and the company is still in business and going strong as RadialPoint.

We learned an awful lot. We learned that people are awfully passionate about privacy. Hundreds of thousands of people signed up to try our software. We had a guy who called support after buying a new computer to get privacy. I remember the woman who took his call telling me how sad she was she had to get off the phone and take other calls. And we learned that what we meant when we said privacy wasn’t what other people meant.

I think too much of today’s privacy debate is wrapped up in a similarly nebulous term, identity theft. It’s hard to address a problem that’s so vague. But that’s a post about today, not about ten years ago.

We hired a lot of great people who I knew. I met a lot of great people, too. Went to work with one of them, Dave Clauson at another startup, Reflective. Work with some of them again (Hi Christian! Hi Stefan!).

For me, the key lesson was to really drink deep of your prospective customer’s pain. To accept that they may have a label that you really understand better than them (“privacy”) and that it doesn’t matter. What matters is how they see it, and how they understand your solution. Zero-Knowledge made me skeptical of great technology as a problem solver, when the customer is asked to understand it or care. Your customers never care about your technology anymore. They care about what pain it solves.

I’d love to go back and tell myself ten years ago to love the customer better. There’s other lessons. I’d love to seized the day and some of its opportunities better. But in the end, that flight to Montreal put me on the path to where I am today.

So a huge thank you to all of our customers and prospective customers. Thank you to Ian for introducing me to Austin. Thank you, Austin and Hamnett for offering me the job. Thank you to all of my co-workers, employees and friends of the company.

Double-take Department, Madoff Division

The Daily Beast has a fascinating article that is a tell-all from a Madoff employee. I blinked as I read:

The employee learned the salaries of his colleagues when he secretly obtained a document listing them. “A senior computer programmer would make $350,000, where in most comparable firms they would be getting $200,000 to $250,000….”

Senior programmers getting a quarter-mil in “comparable firms”? Comparable in what way? Other multi-billion Ponzi schemes that stole from rich suckers and charities alike? Is this another thing to be angry at AIG for? (Cue rimshot.)

I know it’s a tell-all, but tell more, tell more. Another intriguing morsel can be found in:

The employee was part of a trading group, which was able to break a security code that he says led them to a site that was supposed to be seen only by the Madoff family. It showed the profits and losses of the legitimate businesses.

The group broke the code? The person broke the code? And do tell more. Perhaps the author, Lucinda Franks, has some more details for us. Or maybe she’s saving them for a second Pulitzer.