As Founder and Chief Technology Officer (CTO) of WhiteHat Security, I’ve had the privilege of creating my job description along the way and finding the highest and best use of my time. Over the years my responsibilities have varied widely to include pen-tester, manager, developer, visionary, evangelist, salesman, customer support rep, trainer, slide monkey, blogger, author, janitor, and whatever else that needed to get done. What has been tremendously fun and challenging is witnessing how my role steadily evolved. Even more so now, having “officially” relocated back to Maui. Pause there, I’ll come back to that.
Most recently, before “the move,” my time had been segmented in thirds. The first spent interacting directly with enterprise security executives and software developers where I learn the most about what in Web security seems to work, not work, and where they’d like to improve. This is something I really enjoyed because it keeps my skills fresh and guidance grounded in reality.
The second part of the job is taking my meeting notes back to WhiteHat, exchange ideas with others, develop new attack techniques and defense strategies, honing company vision, and help create solutions to solve real-world problems. If I’ve learned anything at WhiteHat it’s that it takes a team, a brilliant team, to build something great.
To round things out, my job also had me compiling our Web security experience into relatable narratives, travel the globe, and present at conferences to raise awareness. This is obviously the most visible part of the job and what I’m best known for. My badge wall collection serves as a nice record of my mileage.
In the early years I focused my presentations on explaining the basic attacks like Cross-Site Scripting, Cross-Site Request Forgery, SQL Injection, Business Logic Flaws, etc and demonstrating what damage could be done. This was priority one. Later as people came up to speed, my “deep technical” presentations evolved into the Top Ten Web Hacking Techniques series.
Leading up until the last several years there was a strong need for me, THE CTO, to travel heavily and evangelize. As the number of top Web security minds employed at WhiteHat grew and the industry matured, my individual need to be a road warrior became less necessary as a strategic company imperative. As a result, I cut back my conference schedule significantly. This was a welcome change because it allow me to spend more time with my family and focus on another personal passion — security metrics.
My security metrics research grew into the now widely popular WhiteHat’s Website Security Statistics Report and represents one of the accomplishments I’m most proud of. For me, being able to generate and freely share large scale, first-hand, and hard factual data about website vulnerabilities is highly rewarding. I’ve seen the findings cited everywhere. They help push the industry forward, and have served to position WhiteHat as the benchmark for measuring the security posture of production websites. How many people get an opportunity do that!?
To this day, the enterprise need for real-world and trended metrics is growing and is an area of research I’ll continue championing for the foreseeable future. It is that future, WhiteHat’s future, and my future that I want to discuss further.
Being able to view website security from such a uniquely strategic vantage point has enabled WhiteHat to expand into root cause analysis and remediation across the entire software security domain from SDLC to operational controls; from source code to client-side security; and at scale. That’s right, WhiteHat is moving beyond simply “measuring the problem” into providing effective ways that further help solve the Web problem, quantifying cost-savings, and reduce risk of compromise.
As CTO of a fast growing company that’s headed into exciting new territory, I must focus an even greater amount of my time and attention on new and emerging technologies — something I couldn’t execute while traveling non-stop, explaining the finer points of XSS and SQLi.
What many may not know is that my wife and I were both raised in Hawaii. The island of Maui to be exact. Like many of our peers we had to leave that island paradise following high school to pursue better economic opportunities. Through a series of rather remarkable events, WhiteHat was born [near the end of 2001]. We spent practically every vacation back on Maui, our real home away from our bay area home, and of course the kids loved every second.
With a growing family, a more relaxed travel schedule, being CTO of a company in a position of flourishing success (Profitable!), it was a good time to consider a better work/life balance that could accommodate everything going on in my life. Things lined up perfectly, so we’re back on Maui, thankful to be having our
cake coconut and eating it too.
As for job duties as CTO, I’ll be attending ten or so conferences a year and offsetting that time to visit more companies and build next-generation Web security technologies.
WhiteHat Security has dozens of some of the best Web security engineers in the world, many of whom are already carrying the torch in presenting on the latest developments in: XSS; CSRF; filter evasion; canonicalization attacks; new RFI and LFI attacks; DAST and SAST and the correlation of both; and much more you can learn from our presentations, read on the blog, or maybe see on display at Black Hat.
In case anyone is concerned. WhiteHat has NOT been acquired, nor are we struggling financially. The truth is quite the opposite. Every single one of the last several quarters of business have broken sales records and we’ve been hiring nonstop all year. I’ve also not retired or checked out to live a life of leisure — though I fear my wife Llana may have. I’m not done with the Web security industry just yet. When I am, I’ll be the first to tell you. 🙂
I wish I could share some of the projects we’ve been quietly working on the last several months, but soon enough we’ll make some announcements and shake things up! This is a very exciting time. The most exciting part for me is seeing a company I started reach a point where some of the biggest companies in the world, our customers, are demanding we lead the charge on new innovations, and help them actually solve their Web security pains. It’s a big responsibility, we’re ready for it.