Wednesday, September 18, 2013

My new gig; still making hard things easy

I’m a software guy and I've loved working with developers for 20 years now.   My entire career has been about helping software developers be more successful by making hard things easy.  In the 90’s, creating dynamic web applications was difficult and out of reach for many developers: when I worked for Allaire (later Macromedia/Adobe), ColdFusion changed that.  In the middle of the last decade, developers struggled to create rich internet applications in a way that fit their development style: when I worked at Macromedia/Adobe, Flex changed that.  At Atlassian, the target was the whole software development lifecycle.  Unifying planning, issue tracking, source code management, and build engineering was incredibly complex: and when I worked there, great products like JIRA, Bamboo, Greenhopper, Fisheye & Crucible changed all that.  And at Microsoft, the goal was moving ISVs to the cloud where they could grow faster and better than ever. 

But there’s one thing that’s still too hard, yet incredibly important: making software secure.  Hardly a day goes by when you don’t hear about some malicious hacker bringing down a website, or a vulnerability putting someone’s entire business at risk.  Yet when I ask developers what they do about security, I generally get a shrug.  “I know it’s important and I do what I can, but I’m no expert.” 

On the other end of the spectrum, developers who work in financial services or other regulated industries groan and roll their eyes and say, “I hate dealing with the security team!”  Late security audits reveal issues long after the time when they’re most easily addressed and create a bottleneck to ever actually getting the thing out the door. 

The more we rely on software to run our world, the more we need to be confident that it’s safe – but the higher the need for security, the more onerous the burden for developers.  It’s another hard thing, and I'm now part of a team whose goal is to make it easy!

Cigital Inc., where I've joined as VP of Product Management, was established in 1992 with funding and contracts from DARPA and NASA.  Today they’re the world’s largest consulting firm specializing in software security.  Twenty years of research and thousands of successful software security consulting engagements at leading public and private organizations throughout the world have generated a lot of expertise, as you can imagine.  So what if you could take that knowledge and experience and put it into products to help developers design, build, and maintain secure software?  Well, that’s just what I’m here to do.

We have several products already, the most important of which is “SecureAssist.”  It’s an IDE plugin that can help you identify and fix security issues in your code before it even goes to a security team for review.  No security team?  SecureAssist is like pair programming with a security guru – you don’t need to know an SQL injection from a buffer overflow; SecureAssist will spot an issue in your code and help you fix it yourself.

Of course, just finding security issues isn’t much use if you don’t become better at writing secure software (you know, the whole “teach a man to fish” thing).  While SecureAssist shows you where your code may be vulnerable and suggests a way to fix it, we also provide the industry’s best and most comprehensive security training for developers.  With hundreds of security experts on staff, we have access to the best subject matter experts anywhere.  And we’ve taken their knowledge and delivered it in scores of eLearning modules.  Topics like “Defensive Programming for Javascript and HTML5,” “Foundations of iOS (or Android) Security,” or “Architecture Risk Analysis” can get your whole team up to speed on the fundamentals (and advanced topics) in creating secure software.  We can also do instructor-led training.  Order a stack of pizzas, a couple liters of Dr. Pepper, and let the good times roll!

And really, that’s just the start.  I’m excited to get back out there and talk to you about other products and services we’re developing, other ways in which we can ease the process of keeping your software secure – while still fitting in with the way you work.

Cigital isn’t a bunch of security people trying to tell developers what to do.  We’re a bunch of developers who care about helping other developers get better at making great apps: apps that are beautiful, useful, and safe.  That’s what ultimately made me want to join this team.  Security is hard, but it’s really important.  Let’s make it easier.