Monday 1 August 2011

Joining Security Innovation (SI) as an Employee

Today (1st August 2011) marks a new period of my career: I'm joining SI (Security Innovation) as an employee.

This is quite a departure for me, since I have been an 'independent consultant' for the past 10+ years, and even when I had a contract with OunceLabs and ABN Amro, I was a contractor and not an employee.

I'm very excited to join SI; so far it has been a perfect match. I really like the SI setup, the people are amazing, and they seem genuinely happy to support:
  • what I want to do,
  • how I want to do it, and
  • what I have been doing (namely the O2 Platform).

Although I've known SI for a while (I was a big fan of their Holodeck product), I never really thought of them as an Application Security company, so it was with some surprise that I started a thread with Ed and Jason about OWASP Certification.

At the time I outlined the OWASP position (see this post for more details) and was expecting them (like others before) to give up and not try to do anything about it.

To my surprise, they kept coming back, and the bigger the 'curve ball' I sent in their direction, the better they responded.

Cutting a long story short, SI:

Since there was an obvious synergy between us, after the Summit I talked with Jason and Ed and we came up with a first way of working together (see my blog post Working with SI on Team Mentor and OWASP projects).

What started as 'let's make some bug fixes' to TeamMentor became a major redesign, where the new version (3.0) is almost a complete rewrite of TeamMentor's existing backend and frontend.

It was this process that really allowed me to see what SI was like. I basically kept coming back to Jason with requests to improve/redesign TeamMentor's backend/frontend, and he kept trusting me and letting me go in the direction that I felt was most suitable for TeamMentor.

I'm glad he let me do that, since the new version is heavily based on jQuery, is fully driven by web services and has a file-based XML data store (i.e. no SQL Server). Of course I used O2 to help with the development of TeamMentor :) and there are LOTS and LOTS of goodies and tools in there that I will be blogging about next.

In some ways, it's the little things that I like about SI:
  • The way that Jason and Ed understand the added value of playing the 'open' game at OWASP where everybody benefits
  • Jason's (CTO) Free Range family and lifestyle
  • The hard-core geek squad at the Seattle office (one of the authors of Firesheep is part of SI :) ), which is VERY strong in Application Security
  • The very mature SDL process and Application Security review that they 'try' to get the clients to use :)
  • The large component of training and e-learning (which has always been a passion of mine)
  • The voice and type of discussion that occurs in the internal mailing lists
  • The fact that Jason is happy for me to blog about what I am doing with TeamMentor (see
  • The way the marketing department is trying to do the right thing for OWASP
  • The fact that SI's tagline is 'The Software Security Company' - which is exactly what I want to do :)

So let's see what happens next. I know that I'm now going to be viewed as a 'vendor' and my 'independence' is going to be questioned. I hope that my actions in the next months/years will show that my heart is still in the right place and that I'm still 100% focused on solving the 'Application Security' problem (i.e. helping developers to create secure applications).

FYI, my new title is 'Principal Security Engineer' and here is a direct quote from my contract:
  1. Continue development on TeamMentor. Particularly finish v3.0 and post-release work with .... as well as customers and prospects to ID use cases, promote adoption, and spec new features for future releases.
  2. Deliver SI professional services and training, with a focus on European clients. This can include ILT, app pen testing, code reviews, threat modeling, and SDLC consulting.
  3. Serve as SME for SI eLearning courses, with a focus on web/OWASP content. This may entail reviewing content and storyboards, and sourcing/adapting existing content from OWASP sources that can be built into our commercial eLearning products.
  4. Serve as “outreach” – a public face of SI to help elevate our stature and presence in the industry. This would include everything from your blog to speaking engagements at conferences to interacting with the press and our PR firm.

Btw, if you have any questions or issues about SI, feel free to contact me.