If I were to capture 2015 with a single word it would be: transform. The family and I had started the year celebrating our daughter’s 1st birthday, always amazed and in awe watching her continue to grow. Tenille was still re-integrating into her work-life pattern as a working mum, and we were surrounded by our best friends who were also undertaking incredible life changes, such as marriages, having kids and so on. Outside of family, things were getting very exciting at Asterisk as we were drawing more highly skilled talent to the team in our continued vision to bring pragmatic, passionate security results to our clients. All in all, life was humming along perfectly.
When the opportunity arose to join the application security team of LinkedIn my initial reaction was: this is a spam message. When I realised it was legitimate, my next immediate thought was that there was no way we, as a family unit, would want to go through this sort of upheaval. But the opportunity was too exciting to not discuss with the family. To my surprise, Tenille was more excited about moving to California than I was! Even to this day I’m blown away with the support I receive from her. It was only at this point that I started to seriously look at what I had to do to make this happen. As the onboarding process continued my biggest concern started to weigh heavily on me: how was I going to part ways with Asterisk? Yes, it was emotional, but true to the character and integrity of each of my partners, Dave, Steve, Cole & Greg, they all saw the positive in what my family and I were embarking on.
It’s no surprise that the difference between Perth and Silicon Valley, as far as app sec goes, is huge. It’s taken me a while to put my finger on it, but I believe I was starting to stagnate as an app sec professional back home. It’s not anything in particular, just the size of the security industry, the nature of the primary businesses (resources and mining, which have a focus on re-use, before buy, before build - and therefore not much of an application development focus) and the general focus on 'compliance' as a primary infosec tool. While a large portion of more tech-savvy/Internet businesses have embraced the benefits of bug bounty-style additions to their security arsenal, as a level of measuring app sec maturity, it’s still fairly common for a lot of Australian businesses to be worried about any style of offensive application security assessment, let alone penetration testing or red-teaming.
This was why I needed to surround myself with the best application security people in Perth, and then subsequently Australia. Most of this is a result of another one of these pragmatic application security professionals, Wade Alcorn, who invited me to help out with BeEF 6 years ago. Working on BeEF opened my eyes to a few things, notably the importance of web app security and how complex web-browser technology has gotten, the impacts on attack surfaces, and also the power of open source software, specifically open source security software. I’m never happier than when I’m building stuff, and while I spend most of my time trying to break stuff, I’m a firm believer of the principle of ‘being a better builder makes you a better breaker.’ But without even realising it, I had an itch for something more.
Now that I’ve settled into the amazing security team at LinkedIn I want to spend a moment to focus on why it’s amazing. The culture of the company, filtering all the way down to the culture of the team, aligns very strongly with my approach to information security. In particular, getting shit done. I’ve never worked in a team that was entirely focused on application security in this way, with such unbelievable talent, and such drive to ensure that the team, and each other, succeeds. Back in Perth, I could count on two hands the number of people I would trust with the delivery of app sec capability. To be in a single team in a single company with the same number of people is nothing short of inspirational. Every day I get up, jump on my bicycle, and ride to work looking forward to a day of learning new tech (at scale), breaking and fixing stuff, having copious laughs, insane perks (jam room, amazing food, free transport, InDays, tools of the trade, massages, and so on), all supported by management who aren’t interested in focusing on what certifications you have - only interested in making sure that you can provide the best app sec expertise possible to the business.
So here I am now, sitting in my pyjamas at home with the daughter running around my ankles on this month’s InDay, LinkedIn’s monthly day of focusing on important themes, usually combined with community outreach and on-site courses etc. Today’s InDay is focused on "reflection", and so this is how I’ve spent my morning. It’s a big world out there, don’t put up with the status quo. Take intelligent risks, get out of your comfort zone and push yourself to the next level.