
Honourable Mentions

At the end of my last post, I said that in this one I'd talk about some of the people that I've come into contact with during my career, who have been critical to my development. Let me elaborate on this a little...

I mean folk that have either influenced me, encouraged me, guided me, brought fire and brimstone down on me, indulged me or simply made me feel like I've been doing the right things. In one way or another, they've all helped me, and for that I will always be grateful. This post will follow a similar timeline to my original one, but will be longer. I hope it keeps your attention.

Office Boy Made Good

So, when I was the office boy / telesales guy / credit controller, my boss was Noel, an older fellow, edging towards retirement, having previously served in the Royal Engineers (British Army). He was a tough old boot and I flirted with the sack on a number of occasions. I was 16 years old when I started working for him, so inevitably had plenty of growing up to do, if I was to adapt to working life. In his own military way, Noel drilled me in things like good bookkeeping, clear handwriting, punctuality and so on. As basic as this sounds, I learned these skills from him (rather than in the school setting), so for that he gets a well-deserved nod.

He also taught me basic electrical engineering principles, which was handy. When some bloke rang up to order something (and they were almost all blokes), you needed to understand your overloads from your contactors from your relays.

When I became a Sales Engineer, I was still at the same firm, however by then, Noel had retired. The firm generously paid to see me through a stint of actually learning about electronic engineering, in order that I might have an actual clue what I was talking about when sat in front of production managers in the aforementioned doughnut factories or nuclear power stations (N.B. to the best of my knowledge, nothing with my fingerprints on it ever resulted in a nuclear incident).

When I could be trusted to go out and sell solutions, they gave me a car and a pay rise. I had to buy some suits and spend more time shaving.

It's worth diverting from the main tale here to reflect on how the fact I was bullied a bit as a kid and found it hard to be part of gangs (not those kind of gangs) helped me build a defence mechanism that required being amiable, affable and sort of charismatic. These are all skills that can help get you out of a mocking, or at worst a beating. You'll often find psychologists talking about kids dealing with being bullied by using comedy as a method of deflection. It was that kind of thing. In any event, I came into industry with some raw skills, growing knowledge of my subject and plenty of drive.

So, armed with my new car, fresh suit and a list of customers to go and grow sales with, I went straight out and lost a customer.

Skills, subject knowledge and drive, yet next to zero experience. It was a disaster and I felt it. The firm was sympathetic, thankfully, and after all, I was still a mere youth.

In stepped Alan, the Sales Director. A bolshy Geordie, with a red face and a wonderful gusto. He got things done. Deals signed, revenue generated and profit realised. Things I was struggling with. Many were scared to death of him, simply because he was larger than life and in a senior position, but I thought he was awesome.

On a wet afternoon in Yorkshire (circa 1995), I secured a deal with the purchasing manager of a large conveyor system manufacturer in Hull (they kitted out airports). I was effectively hustling, using that raw skill I talk about to get his agreement to stop buying things from company A and start buying them from us. This news got back to Alan and also Mike, who was the company CEO.

Once the customer started throwing orders our way, I was whisked up to HQ for praise, a posh lunch and then sent home with a bottle of champagne to enjoy. This felt amazing! I'd done something important, it had been recognised and I had received an accolade. Note to leaders...

Alan then became my mentor for a while, accompanying me to negotiations, or driving me to his, in his massive Jaguar. It made me feel like I was part of something people valued and also gave me the opportunity to learn. This development was sadly cut short, as Alan had a serious heart attack and had to retire.

He gave me more than enough though to build on and much of his wisdom I still use today.

Right, I'll wind this on. That was nearly ten years though, so I didn't do too bad a job of compacting it. Two people, both profoundly made me a better person. Heartfelt thanks to them both.

There's no point in me writing about the 'gap jobs', as people came and went, including myself, so I'll drop straight into my time at the large local authority in the North of England.

Local Government Life

"What does 'CSMA/CD' stand for?" I was asked this in my interview for the role as a business analyst / programmer. I wasn't asked what it described, I was asked what the acronym stood for. So, I answered, correctly.

It wasn't the only reason I got hired, but I got hired anyway.

Like my time in industrial automation, two people really kicked me on. I'll try and keep this brief, so bear with me.

My boss was Rob. An academic really, yet much more potent than that; an intelligent guy, he identified that I was enthusiastic about making life better and afforded me plenty, no, tonnes of opportunity to simply get on with things. Be it by signing off budgets to recruit talented people, through to the capital spend on technology, he had my back every step of the way. He pulled aside every obstacle to ensure I could solve problems (remember that?).

His boss was Jackie. She reported into the CEO of the Authority. She was by far and away the most capable senior manager I had ever worked under and in the same way that Alan was able to coach me in the finer detail of negotiating with grumpy engineers and penny-pinching purchasers, she guided me through the rough and tumble of negotiating with senior Council officers, elected members of Council and even Members of Parliament. I recall a stand-up debate I had with an MP at a session in Whitehall, London around personal data sharing, where the MP ended our discussion with "Good point" and then quietly sat down. I grew the cojones and developed the skill to win that battle because of those people.

I'll talk about the people I met in the music business in a future post about that period of my life, if I decide to write one. Anyone can ask about it if they like though and I'll happily answer.

Working For The Internet

So, in 2012 I got that job as a Senior Business Analyst, working for a mid-sized UK based telecoms and internet service provider.

Khalil was my boss. He brought me into the analysis team and then kind of let me do as I pleased (within reason); identifying problems and solving them in due course. My kind of set-up. This brought me quickly into contact with Carl, a like-minded and very capable Technical Architect, with a strong software development and infrastructure background and (crucially) more than a passing interest in security. We hit it off very early on.

I say 'like-minded' because we are. We both care very much about doing the right things and we know that almost invariably, things can be made better, with some commitment and effort and inevitably buy-in and support from others.

The Public Facing Website Migration Project

Where I work, this project now exists in folklore. Even in legend. Mainly because the key people involved perpetuate it as such, including me. But it was a biggy.

Setting the scene in a nutshell: move 27 publicly accessible web applications from hosting setup A to hosting setup B. So, sites, web services, APIs and underlying databases and networking.

I helmed the project (the usual stuff; planning, organising, leading, solving disputes between very clever people about the right approaches), but the project wouldn't have succeeded at all without the engineers involved. Carl was one of those, alongside Chris and Stu. There were other people that contributed, but we were the four amigos in this particular film.

The project was a success, but from day one, a key deliverable was a more secure platform. What did that mean in real terms, to a novice on the subject? I decided to find out, not because I had an immediate urge to be the security guy, rather I was managing a key strategic project and wanted to understand why we were doing that stuff.

By asking 'silly' questions in the many MANY meetings that were held and then going home and reading the internet, I began to shape my understanding of why it's important to have a secure hosting platform, a secure network configuration and software that isn't prone to being hacked to pieces. Furthermore I started to understand the challenges of achieving these goals.

At around the same time as we delivered this project (late-Summer 2013), Carl ran a series of Pluralsight courses aimed at developers, covering the OWASP Top 10 2013 web application vulnerabilities. The courses were crafted and delivered by Troy Hunt. You can go and learn all about Troy at his website or at his Twitters and in any event, he returns to this story later on. I sat in on these sessions, because A. I wanted to give Carl my support as a pal, but importantly B. I was starting to gain a sense of the importance of security.

Pennies Began To Drop

With the migration project now over and done with, we had a massive list of things that weren't an 'M' in the MoSCoW prioritisation scheme of things. But you know, we should make sure our customers can live safe in the knowledge that we secure their connections to our stuff and we should ensure that their password security is robust. This all resonated with me, not because I somehow felt suddenly like a new career was on the cards. No, it was because it all seemed like common sense.

Winding Forward

Because yeah, this is a long old tale and I know it. I'm hoping my writing style is keeping you here.

Right then, you may remember from my previous post that there was no one in the firm that got paid to care about information security. Here's what happened next.

What Happened Next

Once we (and by we I mean Carl and I) had completed projects to force HTTPS connections to our web apps and made damn sure we had our customer passwords secured, I began to understand some of the finer mechanics of these issues and I also started to get a grip on web application security in general. I realised that no one was around to advise software developers on the matter of secure coding. No one was around to advise systems administrators on the matter of building secure infrastructure. Carl was around, had written lots and lots of guidance on these subjects and talked about them plenty, but frankly wasn't paid to and had zero time to enforce or facilitate change.

I began to see an opportunity. Which then became a plan.

OK, get involved in any project, initiative or scrap of work that had the word 'security' mentioned in meetings, meeting minutes or email dialogues. Easy. "Security you say? I'll take that away and come back with a solution".

As detailed in my last post, in 2015 I was given the sort of dual role of Senior Business Analyst and Information Security Analyst. I won't talk about that combination here (and indeed I talked about the challenges it presented last time), but in keeping with the title of this post, I will talk about the people that helped me stop being a BA and start being the security guy. In comes another Chris - my current leader. Chris is, in his own words an architect and lover of solving problems using software. He also gets security and indeed has been the accountable head of ensuring our firm's PCI-DSS compliance for years, while also sponsoring and / or supporting many improvement projects (remember HTTPS everywhere and salted hash stuff?). Chris was instrumental in identifying my appetite for a career in security and also in laying out all the stepping stones I had to walk on to get here.

It's also important to say, or remind you if you read my previous post, that I needed to (at least partially) abandon the BA in me to become what I am now. Before my official role, imagine this: you have a new boss, who acquires you as an asset, but you have no love for that role anymore. This was what happened when Stacey took over line management of me in 2015. I was open with her about my aspirations and in absolute credit to her, she supported me every step of the way, in order to help me earn my position.

Right Here, Right Now

It's September 2017 and I've been an InfoSec Analyst for nearly a whole Earth year, having effectively done the job for two and probably actually done it to some extent for nearly four. I'm now blogging. How did that happen?

I've followed Troy since I sat in on the courses that Carl curated way back in 2013. Troy's main currency is common sense and that sits well with me. I'm a bloke from Northern England, where that currency is widely accepted. I say this because I want to be clear that I didn't take a look at Troy and his endeavours and think "yeah I want to be just like him". No, I took a look at his work and thought "yeah, that's absolutely spot on. I can work with these sentiments. I can work with these approaches". It was a bit like having old Alan back, albeit an Alan living 12000 miles away, without a thick Geordie accent and a bolshy way of dealing with people.

Then I watched 'Hack Your Career', which was a talk Troy gave at NDC Oslo earlier this year. That was the lightbulb moment. Many people in business have different names for this phenomenon; 'Be the change you want to see', 'Take control of your own destiny' and so on. But in this case, practical advice was on offer. Things like creating a sticky online profile, setting out your stall, being open and honest, accepting when you get it wrong, don't assume everyone will agree with you.

I could go on, but I suspect you get the idea.

I had already created a Twitter profile that was dedicated to my foray into InfoSec, but it was mostly a retweet place or a place where I made occasional comments about the state of the securities. I wasn't being overly active, because I didn't know how to be.

I love to talk and it seems I love to write (pretty much in the same way I talk!), so a month or so back I posted 10 separate tweets about why I find the dynamic web application vulnerability scanning tool Netsparker so important. I got some good feedback from that and it started to make me think that people might benefit from some of my experience, or even little bits of wisdom.

I went and registered some domains (reflecting my Twitter handle) and after some really basic market research, I bought a Ghost subscription (which is where you are now). So, I had a Twitter, a domain and an empty blog.

When you're talking to the World about security, you need your own security to be in decent shape. So, Adrian swung into play and helped me ensure that your TLS is decent while you're reading my words. He's a brilliant engineer; I've known many and he's in the hall of fame. I won't be collecting any of your information on here for a while yet, but of course eventually I'll invite your comments and feedback. And by doing so collect your personal data.

I really want to bring matters to a conclusion in the next paragraph or so, so I will. If you're still reading and feeling it - great. If you're still reading and thinking 'Get off the internet, man!', then please understand that I wanted to use my first posts to give people a feel for who I am as a bloke, where I came from and why I do what I do. I'd like to think my reflections might encourage others to do the same.

appsecbloke.com

Before I even published a word, I pulled together some topics:

  • Who am I?
  • Honourable mentions
  • Web application security basics - still overlooked
  • OWASP and my membership
  • Application vulnerability testing and why Netsparker is my weapon of choice
  • InfoSec events and how they make me feel part of something important

I wrote 'Who am I?' in around 20 minutes and then sat there with a button to push - PUBLISH.

Nerves. Major nerves. A career defining moment (in my head).

I contacted a few people, including Troy:

[image: blog-go]

So that's exactly what I did. And in posting a reference to it on Twitter, I gave respect to Troy because he reintroduced me to a concept I was already familiar with, but had shoved in a box - just fucking do it. It all starts here.

I'm happy to report I received some really positive feedback (I even earned around 30 new Twitter followers) and interestingly, I had one comment complimenting me on my choice of the 'Who am I?' post as my first effort. Having given this some thought, it makes sense and goes back to Troy's point that your character should be part of your manifesto. Common sense. You trust someone you have faith in as a person.

In my next post, I'll share some of my experiences of testing software for vulnerabilities, the common problems that persist and how I go about fixing them.

Again, thanks for reading. It can't have been easy.

Mike Thompson

InfoSec pro, trying to keep the baddies at bay. Observer, pundit, helper, public speaker and blogger. Views my own. One of @TheBeerFarmers 🍻