Mark Curphey

Adventures in Code, Security and Running.

Priorities and Changes for 2013

I am embarrassed that I never got around to writing this post sooner. Over Christmas I took a whole week off from work and from being online. I needed it and enjoyed it immensely. I came to the conclusion that consulting full-time, writing a book, trying to start a community and launching a start-up all at the same time is not possible (for me at least) and something needed to give. I also realized that I needed to change some working habits, so when I got back in the new year I made some decisions.

Seconauts is on hold for the foreseeable future. While I still believe there is room and need for a different type of software security community that appeals primarily to developers, I just don’t have the time to do it. I spent some personal money last year on a developer to work on the site and had a great group of folks lined up to help grow the community. We even had some impressive sponsor commitments, but a community is more than a few people and more than money. That’s a marketing effort and there are enough of those out there. If it’s worth doing, it’s worth doing right. It’s not dead but it is on ice. I will open source the code (Rails) if anyone wants to hack on it (we were close to doing that anyway). We needed a Wiki and a few other things added to make it a good base, so there is a list to work down. If you are interested just let me know. On that note, with the recent shift of Google+ to create community software, I am now not convinced that building a community site as opposed to using a community site is a great investment, although that is another topic. I always wanted us to eat our own dog food.

My priorities for 2013 are very much focused on SourceClear. We have the first few developers (my co-founders) ramping up, a wonderful academic data scientist / mathematician and a very strong advisory board who believe in what we are doing. We are building a product (nothing like it exists on the market today and we are solving a very compelling problem) but we will be leading with services and training (some of which we plan to sell through an indirect partner model). We will launch a public website sometime in the next month or so (probably after RSA) and have some neat free tools / code brewing! It’s time for some innovation in the software security space and we are going to bring it!

I am woefully behind on the Practical Software Security Book, although I am making steady progress. I am going to stop predicting publication dates at this point as I can’t seem to finish the content that will allow my co-authors to start their work in earnest, but it is coming along and will happen. What I have completed I am really happy with and have been using on some consulting projects working with developers with great success.

I also enjoyed my time away from Twitter and realized that while I value social media, I don’t have the mental capacity or fortitude anymore to filter the raw noise from the raw signal. Zite may not be perfect, but it does a ‘good enough’ job when fed my Twitter feed of only showing me stories that I seem to always find relevant. I have pruned my Twitter lists (culled them really) and am almost exclusively using Zite for news. Some may say ‘that just shows you don’t get Twitter’ and they may be right, but it works for me. I have found over time that I like stories from established press sources and a few selected individuals, although I totally appreciate people who have found the exact opposite. I know there are a lot of people with a lot of important and valuable things to say, but there are only 24 hours in each day and I am not able to process it all.

On that note, I have actually managed to find 26 hours for at least five days a week (working days) and it’s a neat personal hack that you might want to consider. In November I moved into a new office, which was a perfect time to change my daily pattern. I read that many successful people are early risers and, struggling to find time to get everything done, I started getting into the office at 7am. I always try and leave by 7pm even if I often continue working at home. From 7am to 9am I try and write, and while consulting work often gets in the way I have effectively created 10 hours a week of extra working time.

OK back to playing with SalesForce, cash-flow spreadsheets and stock plans!

App Sec Programs Are Like Multi-Axis Gyroscopes

The Practical Software Security book has five main sections:

Introduction - The Curious Case of Software Security
Software Security Fundamentals
Development Technologies
Software Security for Teams
Security Engineering Patterns (will be developed online in 2013 at Seconauts)

I am finally submitting the intro section and putting the final touches to the ‘fundamentals’ section so that the contributing authors (an awesome bunch) can finally get going writing their Development Technologies sections. I have found it useful over the years to write pseudo-text ahead of time and come back to re-factor massively, so earlier this week, very late one evening, I did exactly that for the ‘Software Security for Teams’ section. There are lots of different ways to slice and dice a software security program, but for me (keeping it simple) it boils down to four core areas of practice for each application:

Design & Architecture
Code & Construction
Testing & QA
Operations & Monitoring

Companies typically have many applications (some quite literally thousands) and each application in the portfolio will (or should) have some level of activity in each practice area, whether it’s a new application or legacy. This is the reason why application portfolio management (actively understanding what is happening in your company’s application portfolio) is such a critical and under-rated activity. That knowledge allows your team to work on the right things. In most large companies application portfolio management is far from a trivial task and in fact a full-time job for many people.

Now consider that for each practice area (see above) there is actually a set of sub-practices. Take Testing & QA for example: (static) code reviews, (dynamic) reviews, penetration testing, build verification, regression etc. In Design & Architecture: requirements, engineering patterns, compliance, technology alignment, threat modeling / architecture analysis, and the list goes on. I go into detail about each thing in the book. Supporting each of these practices and sub-practices is a set of company-specific knowledge in the form of guidance or prescriptions or even recipes (code) that need to be applied.

Now take it up another notch and remember that these practices run in parallel in an Agile world. Then take it up a notch again and remember there are usually many scrum teams working on every application, so it’s actually many sets of practices per application that need to be managed. That’s many practices that need to be managed, across many teams, across many applications, all running in parallel. When you think about it, it really isn’t surprising that so many data breaches occur. The visibility most people responsible for software security have into what development teams are doing is poor to say the least, and focusing their attention on the things that really matter is incredibly difficult.

For a long time (many years) I have been looking for a metaphor to describe the complexity application security programs have to manage, but nothing ever seemed to fit. Then, just as I was shutting down my MacBook while writing the book this week, it came to me. Eureka!

An application security program is like a multi-axis gyroscope. Gyroscopes look like magic when they are spinning. They spin furiously while standing perfectly still; you can even nudge them and they return to equilibrium, and you can feel the force they generate to maintain equilibrium. But when you get the balance of a gyroscope wrong it will shoot across the table uncontrollably.

Application security programs are like gyroscopes. You have to balance many practices across many teams across many applications. When you get it right it is magical, but when you get the balance wrong things go very wrong very fast.

Look at this video and marvel!

Video: http://youtu.be/cquvA_IpEsA

Outsourcing Doesn’t Mean the Security Problem Goes Away

Over the last decade or so I have dealt with a lot of outsourcing situations. I have run large outsourced teams (over 120 off-shore developers in India and China at one point) and been responsible for reviewing the security of the work products of many others, both as an employee and as a consultant. I am yet to experience a single firm or team that produced reasonable quality ‘secure’ code without significant active ongoing involvement from the purchaser. Despite legal precautions (and best intentions) the outsourcing model is an economic model, and it is good advice to never forget that. This is not a cultural or regional issue (although those all exist as well). Some of the best developers I have worked with were born in India, Russia and China. Outsourcing relies on large pools of skilled workers at a significantly lower cost per head than where the purchaser is located. Large pools of skilled workers are hard to find and keep in any location. The magic satellite office of transient workers is a pipe-dream. Software development is also a social process where people must communicate effectively. A reference on the Wikipedia article for body language says:

“James Borg states that human communication consists of 93 percent body language and paralinguistic cues, while only 7% of communication consists of words themselves.”

Relying on phone calls to communicate between the designer and the developer clearly leaves outsourcing teams at a significant and unfair disadvantage. If the statistics above hold true, then your communication can at best be 7% as effective as a local team’s, and that is in a discipline where communication is critical to your success!

When you layer in that communicating security requirements is even harder, it isn’t any wonder that I am yet to experience a single firm or team that produced reasonable quality ‘secure’ code without significant active ongoing involvement from the purchaser.

The only way I have found to improve the security effectiveness of outsourced teams is active ongoing involvement in the following three areas:

On-Shore Rotation - Pull the off-shore team on-shore for a period of time. This is especially important at the beginning of a project to learn how the team works and to build personal relationships. I also found that cycling the team back on-shore periodically is essential.

Security Knowledge - Treat the off-shore team the same way you do as the on-shore team and provide security training and knowledge sharing.

Off-Shore Visits - Out-of-sight should not be out-of-mind. There is tremendous value in site visits from various members of the team. This also builds empathy within the on-shore team for the challenges the off-shore team faces. Nothing beats an American getting up in the middle of the night jetlagged to do a daily stand-up!

All three areas negate some of the economic model, which probably explains why few people do it, but simply put: Outsourcing Doesn’t Mean the Security Problem Goes Away.

Scottish Verdicts and Security

Every few months I watch Greg Wilson’s excellent speech from CUSEC, What We Actually Know About Software Development, and Why We Believe It’s True.

In the opening remarks Greg talks about how the Scottish legal system can return three verdicts.

Not Guilty
Guilty
Not Proven

The ‘Not Proven’ verdict is an acquittal used when the judge or jury does not have enough evidence to convict but is not sufficiently convinced of the defendant’s innocence to bring in a “not guilty” verdict. Essentially it says: this is what we think, but we can’t prove it.

I confess to being very guilty of quoting Scottish verdicts in the past.

Every time I watch the video I can’t help but reflect how the security industry uses Scottish verdicts to sell security to developers. I am sure we have all seen the statistic that it costs 30 times more to fix a security bug in production than it does in development. Fast forward to minute 18:30 and smile.

Great Freelancing

I think I have a pretty sweet setup that lets me spend the maximum amount of time working on projects and the minimal amount of time dealing with over-head. Time is limited so I like using it wisely. These are the business tools I am currently using.

QuickBooks Online - My wife is a small business bookkeeper so I had some inside knowledge. I had two fixed requirements: the first that my books were accessible from a browser and the second that payroll was done directly from the books. There are many options like Wave Accounting and FreshBooks; QuickBooks generally just works and payroll integration is easy. We use Compupay for payroll, which is cheaper than QuickBooks. While I really like Harvest App and RoninApp (and particularly the iPhone and desktop time app for Harvest), QuickBooks has time tracking free if you take the $39.95 a month subscription. Once a week my wife can pull in hours I need to bill, sync the expenses (see below) and electronically invoice. Bam!

ShoeBoxed - Colleagues know how much I hate doing expenses. Almost everyone I know finds submitting expenses frustrating and time consuming. I used to spend two hours for every week I was on the road scanning receipts and filling out online forms. Meet ShoeBoxed. As I spend something I photograph the receipt from within the app. It gets tagged and uploaded and is then available to be pulled into QuickBooks. That’s it. Oh but wait, it gets even better. The good folks at ShoeBoxed send you a blue envelope like the NetFlix DVD envelopes. If you don’t want to scan your receipts you just chuck them in the pre-paid envelope and mail it. Within a few days they scan them, add them to your account and return the paperwork for your records. I am yet to go through a complete cycle with this, but so far it seems to work like a charm and save me 4 hours a month and a ton of frustration. It costs $49.95 a month but that is great value for my time. That’s 4 hours I get to spend with the family (or bill to clients).

TripIt - is a life-saver if you travel a lot. You can give TripIt access to your gmail via OAuth to scan your mail and create trips based on travel confirmations. Being paranoid, I just forward confirmations to plans@tripit.com and it creates them for me. TripIt sends me alerts of gate changes, usually before the screens in the airport get updated. When you land you get an alert that tells you where your connection is, how much time you have and even which baggage claim you need to go to if you checked in bags. I upgraded to the Pro version but frankly get nothing more than I used in the free version.

TomTom on iPhone - I used to carry a portable GPS but TomTom on the iPhone is always with me. When combined with a portable car window mount and car charger it gets the navigation job done. I have struggled through with Google Maps and Hertz’s “Forever Lost”, and while TomTom has its quirks, it just works 99% of the time.

SpiderOak - Fully encrypted backup where the provider never sees the data in the clear. You can sync across boxes.

Remember The Milk - I have used this app for years (web and iPhone client). It’s simple and effective. I have lists set up for Personal, Curphey LLC, Client-X, Seconauts, SourceClear, Book and Blog and just constantly re-prioritize. At the start of each day I look at what I didn’t get done yesterday and re-prioritize.

SalesForce - I have just set this up but people I trust swear by it. Don’t get fooled by monthly pricing, you have to pay for an annual license which is painful for a so-called “on demand cloud service” (over $700 for a Pro License) but for managing customer relationships and a sales pipeline it’s tough to beat. I will have the corporate web site post inquiries directly into SalesForce via the API and use it to drive mail marketing campaigns.

If you have great tools that save you time I would love to hear about them!

SourceClear - My New Company

Last Friday was my last day at Foundstone and my last day as an employee. Yesterday was my first day as the founder of a startup called SourceClear. Screw it, I just did it!

I have rented office space at Indie Ballard, got an accountant, a lawyer and am actively talking to potential investors while I start initial work on a prototype. I think that the biggest challenge for software security today is connecting People, Process and Technology and I plan to make an impact on that problem. It’s an issue worth fighting for.

I plan to build the sort of company that I have always wanted to work for. I have been inspired by many startups including GitHub, Etsy, 37 Signals, Fog Creek as well as bigger companies like Virgin, Google and SalesForce. I want to make SourceClear the very best place for great developers and great software security people to do their very best work and make a dent in the world. If you are a talented Java developer (Spring), love software security, are a US citizen (or hold a valid US work visa) and want to be part of small early stage software startup doing something very unique then I would love to talk to you. There are pre-funded opportunities now to work with me on a prototype (pre-funding stock, shape our culture and future) and there will be post-funded opportunities after we raise money (sometime in 2013). We have a pretty damn amazing advisory board being formed.

We may well launch in the new year with training & services that will enable us to generate revenue and better understand specific customer problems. This model has worked well for many startups (Foundstone included) but has advantages and disadvantages. This blog will start to have a lot of posts about the nuts and bolts of startup life. One such topic is that I have taken a contract to boot-strap some of this early work. I happened to be working on an awesome project with an awesome client so continuing as a contractor was a no brainer.

This move also allows me to invest in supporting the launch of Seconauts both financially and with my time. We are setting up a 501(c)(3) and will go live in January. We now have several sponsorship pledges from some services and product firms for Seconauts (more always welcome, please contact me if interested) and will be ready to start professional coding on the first project, an engineering patterns and re-usable code repository, in the new year. Everything will be 100% free and open source. We plan to also release a free online web app scanner service based on Arachni sometime next year.

If I can pull off what I want to pull off with SourceClear then it will disrupt the current status quo and make a significant positive impact on the state of software security. There is a lot of hard work ahead.

Blue skies!

Ready to Pick a Fight

I think I am ready to pick a fight. It’s not a new fight (at least not for me) and it’s not a fight with a person or a company but it’s a fight with the status-quo.

In the grand scheme of things I don’t think we need more or better or different testing tools. I don’t even think we need more or better or different security testers. The people and tools the industry has are already pretty damn good. Conferences are heavy with great talks about how to find issues, how to expose edge cases and how to automate testing. Sure they could always be better (*), but if you look at the real state of most software in most development teams, better assessment tooling to find more issues is just ‘polishing a turd’ (excuse the British phrase).

In the same way that gym memberships don’t make you fit (it’s going to the gym of course that does), unless we improve the way we design, implement and fix broken software we will never get off the current hamster wheel of death.

The pragmatic issues that I have seen time and time again over the last year since I returned to security consulting are fundamental, repetitive and pervasive. One developer I spoke to said “it must be like shooting fish in a barrel?”.

I think the priority for software security should be orchestrating People and Process and Tools (not People or Process or Tools) because without all three working together you don’t have a whole solution. I re-read my Cogs and Levers essay today and I still think it’s spot on.

It’s time for me to pick a fight with the status quo and make a difference.

(*) SMALL PRINT TO AVOID THE FLAME MAIL: I am not saying that better assessment tools won’t make things better. Of course they will. I am not saying we shouldn’t continue to improve testing. Of course we should. I am just saying that more and more and more and more testing with better and better and better tools is not going to move the needle as much as orchestrating people and process and tools together. When you get the people and process right then the real effectiveness of the tools will be realized.

Follow Up on Investing in Software Security Talent

A few weeks ago I posted Investing in Developing Software Security Talent. It got a good reaction and stimulated some good discussion. I have now spoken at length to quite a few people, including folks that head up recruitment at BIG Internet companies and a number of security services and product firms. There was an overwhelming sense of “very interesting”, “no brainer”, “you go boy”, “someone needs to do it” and just an overall warm positive response. Thanks to those who spent time on the phone or in person listening to me and sharing their thoughts. I even had verbal offers of over $40K to support such a program from people I spoke to, so it clearly wasn’t people just being nice. There were of course the usual array of negative people; one guy even wrote a long blog post criticizing the idea clearly without having read it, but it’s the Internet after all. No time for negativity, I am on a happiness drive!

One of the big things I learned was that many people who have run intern programs confided in me that the reason programs aren’t as effective as they could be is that, whilst stellar individuals are usually willing to commit their time and resources, without a central person driving the program at all times they usually flounder. I was independently advised that you need a full-time person for roughly 12 interns, or put another way 4 hours a week per intern. Despite the positive response and seemingly valuable idea, I was disappointed to learn, after exploring it further, about the sheer amount of effort it would take to put such a program together and operate it properly. Sadly I just don’t have that time.

I really believe that this type of program needs to happen and I hope that someone with the time or motivation makes it happen. If you do, please contact me. I will happily financially contribute in some way.

My Happiness Project

I have been an arm-chair psychiatrist for many years, reading books like Blink, Drive, The Dip and notably The Art of Happiness (a book that had a profound impact on me). I just read How to Be Happy, Dammit: A Cynic’s Guide to Spiritual Happiness. I say read, but it was more a case of flicking through the slides as the book is an ordered collection of small pieces of advice set against relevant images.

Those that know me well often call me a ‘miserable git’ and while I usually dismiss it as ‘hogwash’ it’s probably true. I think I have very high standards and ‘don’t suffer fools gladly’. I know I have a short fuse and an even shorter attention span. I thrive under pressure so like to surround myself with high pressure situations. When I believe in something or am interested enough in something I don’t let go or take no for an answer and have to know every detail, and if I can’t make something happen one way I’ll just try another way until I do. When these things are combined it’s easy to see why people confuse what I think of as just being ‘driven’ with being miserable. I am hopefully never rude, but I rarely go out of my way to consciously be nice.

I have tried several projects in the past from running (which resulted in a life-long passion) to being a vegan (which resulted in me now living on a predominantly plant-based diet) and of course many things that didn’t work. I have decided I am going to try a new project: actively working to be happy. It’s not that I am un-happy. I have a great wife, great kids, I am financially well off, I live in a great place and have good friends. I am healthy and generally enjoy life. Sure there are ups and there are downs but in general life is good. What I don’t have is that outward happiness that some people possess that seems to also translate into a deeper inner happiness. I always tell the kids that “behavior breeds behavior” and have always thought that you are part of the environment you create yet at the same time I am a ‘glass half-empty person’ and admit I can be pretty darn negative at times. But no more, life is not about the bad things but about good things.

If Hurricane Sandy teaches you anything, it’s that we all have a limited time on this planet and you never know what tomorrow may bring. The tragedy and devastation on the East Coast (and the seemingly constant news of human suffering around the world) made me reflect on what I should be truly grateful for and also on how my life could be even better; how I could be happier.

I have started a bunch of experiments, some small and subtle, some big and bold. I will make notes and post them here as appropriate in the coming weeks and months. I don’t plan to lose being ‘driven’ or walking away from tough situations or pushing on important things but I think you can be ‘driven’ and happy.

If you reap what you sow then I am off to sow some happy seeds!

Choose Your Clients Wisely

Anyone that has been consulting for a while has experienced the ‘tough client’ (aka ‘the bad client’). The company that doesn’t really want your advice but really wants another pair of hands to do what they don’t want to do themselves. The company that wants you to do the tasks that are beneath them or boring or meaningless. The company that doesn’t really want you to do the job they hired you to do but really wants you to deliver a set of information pushing forward their pre-determined agenda or results. The person that treats you like their pet. The company that pays you for your brain but treats you like a manual laborer. I just left Chicago O’Hare and couldn’t help but overhear a conversation between two colleagues from a big consulting firm (company name embossed on laptop bags). Relaxing with their guard down at the end of the week, one was bitching about the project they were on. From what I could tell they were BI developers. One turned to the other and said, “I hate customers like XXXX and I honestly think YYYY [person] is a jerk dude.” The second quickly replied, “I disagree, I prefer clients like this, if you lose them it really doesn’t matter.” The idiocy of this conversation is surely not lost on many.

Working like this is nothing more than short-sighted and foolish for both parties. Tough clients get frustrated when consultants don’t jump on command, don’t follow orders, don’t produce lapdog results or deliver crony messages acting as a supposed independent source. Consultants get frustrated when they can’t exercise their brains, aren’t valued, aren’t challenged and aren’t respected. If not frustrated, then they simply check out like the guys at the airport. When this happens no one wins.

I decided a while back that I am not working with ‘tough’ clients. Life is too short. I work for fun, intellectual stimulation and yes, money. I made my decision when I realized that most consulting projects are based on only two things: cost and skill. If the client and consultant are not well aligned in their working culture (principles, goals, working practices, personalities etc.) then the project is unlikely to be anything more than a forgettable dull transaction. I think life is too short for projects like that.

Choose Your Clients Wisely!

The guys from Less Everything offer great advice about how to pick your clients if you are a web developer in their ebook How LessEverything makes $1mil annually from client services.

For the record, and hopefully without sounding “smarmy”, I have just started a long-term project with an awesome client. Great company, great personal contact, humble, super-smart company team and very meaningful work to boot. I am sure we will face hiccups along the way, but when you get a partnership like this it is hard not to deliver great results and everyone is a winner baby!