I’d like to introduce David Rook as a guest on the PTCoreSec blog. David, who is most widely known on the internet as SecurityNinja (http://securityninja.co.uk), currently works for Realex Payments (http://realexpayments.com) as Application Security Lead.
Dave has spoken at multiple conferences (DEFCON, BSides London, Black Hat, BSides Vegas, IRISH Con, etc.) and is currently a Microsoft Most Valuable Professional in the area of Developer Security.
This blog post is written to read like a face-to-face interview (a conversation), even though it was actually conducted over email.
PTCoreSec: Hi Dave, thank you for taking some time to answer our questions. First I would like to ask you, what got you into security? And specifically into the area of Application Security?
I’d love to give you an answer which makes it sound like I was destined to work in Application Security, but I can’t! I have been using computers since I was a young child; I remember playing on Spectrum computers before I even started school. When I first left school I worked in the offices of a physical security company, which included looking after their IT needs. I used to look at the physical security controls we implemented and how we decided which ones to recommend to a client and, looking back, this was real-life threat modeling. It wasn’t really until I moved into an IT management position in a property company at 19 that I realised security was important. We had offices and remote users all over the world and they required the same access to company data and emails as the users in the head office. This raised questions in my mind around how to enable this access securely, and from then on I was bitten by the security bug!
As for application security, that came about almost by accident; I didn’t plan to move into application security! As the company continued to grow we realised a dedicated application security role was required, so I moved into that about 4 years ago and the rest is history.
PTCoreSec: Apart from a big interest in security, which other major skills do you look for when interviewing someone for a job?
I look for people who are passionate about security, which might sound obvious, but if that passion doesn’t exist I genuinely don’t think someone can become really good at security. I agree with something Dan Geer pointed out in a recent post, that “cybersecurity is the most intellectually difficult profession on the planet”, which means you need smart, passionate people. On top of that I’m looking for someone who thinks differently about the world they live in and the things they see/interact with, and who isn’t afraid to ask “why?”.
PTCoreSec: If someone asked you, “What is the best advice you can give me to enter the security business?”, what would it be?
I think my best advice is often the advice people don’t want to hear, because I don’t think anyone should go from school/college/university straight into a security role. I can only repeat what Mark Hillick and I said in a recent blog post on Security Ninja:
“MH: I’ve probably answered that earlier to a degree, but I believe that it’s better to learn by doing. For example, a lot of my life has been spent administering networks or systems; therefore, I know that sometimes, for the sake of speed, performance, reliability, resilience or business reasons, the most secure solution is not the right way to go. On the other hand, I’ve seen folk who go straight into security: they’re brainwashed, accept nothing less than the 100% solution and end up getting a ‘waiver’ indemnifying them of any responsibility when they don’t get their way. It’s not a very constructive team attitude, and it encourages the development/infrastructure teams not to engage security. I ultimately believe that working outside security helps you understand technology better and also enables you to empathise with others more, whilst it clearly provides you with more ‘skillz’ before moving into security.
SN: I’m not really sure where to start my input here, so I will just jump in and say I agree that ideally no one’s first IT job should be in security. I feel that if you haven’t had experience in other roles first, such as systems administration/networking/development, you aren’t ready for anything other than junior security roles. The first half of my career was spent in non-security roles learning a lot about networking and systems administration, which I felt was the perfect grounding for a person looking to move into security roles. The problem is that we have companies needing security positions filled, with very few people either having this experience or willing to accept they are not going to step straight into a senior security position.
I think security people who lack this real-world experience are very easy to spot, because every finding/issue is a blocker and every SQL Injection finding makes them run around like Chicken Little shouting that the sky is falling. You can help prevent this by having something like the infosecmentors program internally, but even then it’s far from ideal.”
PTCoreSec: What is your opinion when it comes to security certifications? And which ones are, in your opinion, the top 3 certifications?
I honestly don’t think they add much to the industry. I cannot dispute that they help people get their foot in the door with HR departments in certain companies, but you have to ask yourself whether a place that has the likes of CISSP/CEH/others as a hard requirement is the right place for you. I know some of them can be very useful, but my time as a certifications tutor really tainted all certifications for me. I actually shouldn’t say all certifications, because I do think some of them are very good and very useful, mainly anything that requires hands-on exercises to be completed. If I had to name three I think are useful, I’d have to say pick three from any of the Offensive Security certs and the SANS GIAC certs, such as the GCIH.
PTCoreSec: Lots of people read your blog and know that you’ve built a tool called Agnitio. Can you give us a quick description of what Agnitio is, how the tool can be used and who should use it?
Yeah sure, so Agnitio is a tool developed to make security code reviews structured and repeatable regardless of who completes the review. The core part of the application is the security code review checklist, which was inspired by the use of checklists in other industries and by the book The Checklist Manifesto by Dr Atul Gawande. I also hated producing the outputs that we really needed, like reports, metrics and audit trails, so I made the tool do that work for us. The tool has evolved since v1.0 to include more checklist items and more functionality, such as the keyword matching module and decompiling Android applications. I recently introduced the concept of dynamic checklists (i.e. you get only the checklist items relevant to the profile being reviewed) and this will be expanded on for v3.0. I plan to begin work on v3.0 once I have finished writing my content for the upcoming O’Reilly Practical Software Security book!
PTCoreSec: You’ve also started to work on a new software project called Windows Phone App Analyser. What made you target the Windows Phone app market instead of perhaps focusing deeper on the Android and/or iPhone market?
It doesn’t really target the Windows Marketplace; it was developed to help application security professionals analyse WP7 apps. I’d already got Android and iPhone app analysis covered in Agnitio from v2.0 onwards, and after developing a couple of WP7 apps I wanted to make a tool to help the security guys and girls! Ideally it would have been added to an Agnitio release (and will be in a future release), but I wanted to test a few ideas I had for Agnitio without doing an Agnitio release. An Agnitio release involves quite a bit of testing because a lot of people use the tool nowadays; with the WPAA I knew I could quickly throw something out there and test some new things that will be included in future Agnitio versions. The two bigger features would be far more accurate keyword matching, which reduces the false positives, and the ability to launch third-party analysis tools but consume their outputs all in one tool.
PTCoreSec: While we are at it, mobile phone: Android? iPhone? Windows Phone?
Tablet: iPad 2, Android tablet, BlackBerry PlayBook?
Laptop: Windows, Linux, OS X?
Phones: iPhone and a Windows Phone 7 phone
Laptop: OS X
PTCoreSec: If you had to predict the top 5 big threats of 2012, which ones would they be in your opinion?
I don’t make security predictions like the ones you asked for. I could roll out the same ones other security people have made for many years (year of mobile malware etc) but plenty of other security professionals have already done that! Look back at the big security issues in 2011 and look back at what security professionals predicted for 2011, how many were right?
What I will predict is that the problems we haven’t addressed from the past will continue to be a problem in 2012. The likes of SQL Injection, ineffective anti-virus and so on aren’t going anywhere soon, no matter which buzzword (Cloud, mobile etc.) you attach to them.
Not a problem, speak soon!