Jared Pfost here. I'm fired up to present at BlueHat. I really appreciate Noelle reaching out, so it was a no-brainer when I was asked to spin up a blog post. One thing that keeps popping up is my status as a former blue badge. Actually, I'm a former twice over: one tour pre-bubble and one post, or, as I like to think of it, pre/post the TWC memo. My tenure started in '97, two years out of UW and very much a newbie on how security really worked in IT and dev teams. Much of what I do today is rooted in my Microsoft experience. Of course, I didn't realize it until much later. Between dogfooding and attempting to keep up with the smart folks, I didn't notice the belief structure that formed. Here are a few of those beliefs I hope you'll enjoy.
Belief: We weren't as bad as we thought.
I always got a kick out of the perception from folks outside Redmond who assumed we were all rock stars. This cracked me up. I remember thinking, "if you only knew how screwed up we are..." But as I left and worked with startups and other enterprises, I realized there really were some special folks back then. Sometimes it's hard to notice when you're going 100 MPH. I hope it's still that way.
Belief: Heroes don't scale.
Burning key people out has been well documented. I'm talking about ordinary folks being asked to make heroic efforts, like working 20 hours before a release. In my program manager and IT roles, I learned the hard way that quality suffers. It's usually better to take it on the chin and slip the date than to fight another regression or outage fire. The root cause and the fix are the same either way, just a lot less painful.
Belief: Money doesn't buy happiness.
I didn’t realize it at the time, but we had some big budgets in IT and dev compared to other companies. The reason I didn’t notice is that resources rarely correlated with success. We were successful when we had a solid process. For folks who don’t have money to burn, lack of budget is often the first excuse. Fact is, I’ll take a solid process and two people over a team of ten any day.
Belief: Security isn't a technical problem, it's a management one.
After Washington Mutual collapsed, I started a software company to help security leaders manage their teams and processes. It took me six months to realize I had founded the company out of a belief structure. When you can define what you do, measure it, improve it, and enable your leadership to decide how much of it they need, life is good. Morale improves, customers are happier, and incidents are reduced. I wish I could quantify those claims for you, but I can’t, yet. In my experience, great managers lead to great results. I believe it, and I’m passionate about proving it so you can believe it too.
Fired up for BlueHat!
-Jared Pfost
Jared Pfost brings 16 years of information security experience to Third Defense, which he co-founded on the belief that effective management is the key to managing risk. Jared's unique career combines working in IT security teams at Washington Mutual and Microsoft, consulting, and designing software across startups, banking, and technology. Jared is a self-proclaimed process nut and has demonstrated that you don't need unlimited resources to run a measurable, accountable, and effective security shop.
Jeremiah Grossman here. BlueHat is one of my favorite conferences of the year, and it’s one of the few I’ve consistently kept coming back to. The organizers put together an amazing event with consistently top-quality content, where the attendees are not only security people but a legion of software developers who have a genuine interest in security -- because their employer (Microsoft) does. Interacting with the BlueHat crowd provides a unique opportunity where conversations can have a huge impact. These are the people who make Windows and Internet Explorer, after all. They supply development tools to the millions who code on those platforms. If you want a security-related feature or change, or want to learn how something works, these are the folks to talk to.
For me, this year just got that much better. Yesterday there was a Web Application Security Summit, where I was asked to kick things off. I used this time to impart some of the knowledge of the space I've gained over the last ten years about what’s really going on out there in terms of vulnerabilities -- backed by statistical data, of course. I described which issues are most common across the Web, how many of them get fixed and how quickly, and which tend to get exploited and how.
This was also my chance to articulate the technology and policy challenges we currently face in such a way that those in the audience, hopefully those smarter than myself, can find new ways to overcome them. Challenges like “how do we go about dealing with the trillions of lines of vulnerable code already in circulation?” and “how do we measurably increase the security of new code going into the system?”
As our lives become increasingly dependent on the Web, the subject of “security” is something that is important to us all.
Jeremiah Grossman is the Founder and CTO of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Mr. Grossman has written dozens of articles and white papers, and is a published author. His work has been featured in the Wall Street Journal, NY Times and many other mainstream media outlets. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on five continents at hundreds of events including BlackHat, RSA, ISSA, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, UCLA, and Carnegie Mellon. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and was previously named one of InfoWorld's Top 25 CTOs. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!