January 15th is the 10th anniversary of Gates Trustworthy Computing memo. The effects of this memo have already been discussed on Threatpost so I thought it would be interesting to take a different angle on commemorating this event - Where were you on 1/15/2002? I asked a mixed group of my colleagues at Veracode to answer this question. The group has a wide age range, and come from many different backgrounds. Some of the answers are really funny! I hope you enjoy! Chris Wysopal was managing the research team at @stake, a security consulting company with a strong focus on application security. The day before Jan 15th he was on the campus at Microsoft for a sales presentation pitching @stake’s application security services to Microsoft along with fellow @stake technical leaders, Window Snyder (now at Apple) and Frank Swiderski (now at Google). @stake would go on to provide application assessment services: threat modeling, code review, application penetration testing, for many Microsoft products. Within two months of the Trustworthy Computing memo @stake had their “A Team”, including Christien Rioux (now at Veracode), Chris Eng (now at Veracode), Chris Wysopal, Frank Swiderski, Window Snyder, and Dave Aitel (now at Immunity) assessing the first product at Microsoft to embed application security practices into the SDLC, Microsoft IIS 6.0.
Chris Lytle was in high school at the time. Chris guesses that most of what he was doing was trying to get a date with the cute middle on the volleyball team. Outside of sports and dating, Chris was spending time trying to get Linux running on his dad’s old work laptop and passing CDs of cDc textfiles around school. Ben Greenwald was in graduate school at MIT, working with the MIT Computer Architecture Group on the RAW Microprocessor Project, one of the first compiler coordinated multi-core processors. The group was in heavy hardware design testing mode using both software and hardware (FPGA) simulation in preparation for fabricated the chip later that year in what was then IBM’s brand new 0.15 micrometer, 6 copper metal layer ASIC process. Fergal Glynn was working at Fidelity Investments and being introduced to Application Security testing by Ryan O'Boyle and consultants from @stake and Foundstone. Ryan was teaching Fergal how to use network scanners, how source code analysis works, and how to manually review code for security issues. Melissa Elliott was in grade school, and as yet completely unaware of the world of computer security that would eventually become her night and day. Her biggest “hack” was attempting to patch the boot logo in Windows 2000, not realizing that it was using a patcher for Windows XP. Oops. When she noticed a few years later that she was the only person she knew whose Windows machine had never been trashed by a virus (bricking NTDLL doesn’t count), she realized that security was just as much about user education as it was about technology. In Kevin Dunn's own words: "When I think of 2002, I think of 0days and how it seemed like the heart of the AppSec Gilded Age with its creation of an expanded software security economy. Of course, that reflects a significant amount of personal nostalgia, but at @stake in 2002, we were young and wild and free; and the world’s software was “target rich”, to say the least. Every project was exciting and the findings were devastating. If you didn’t crack the product or environment completely wide-open, and I mean wide-wide-open, then you had failed (a true professional failure, worthy of peer admonition – not a modern day 'FAIL' :> ). The browsers, web servers, proxy servers, application servers, and databases of the time were just starting to get their act together, but they were still riddled with holes and if you knew where to look, you could find them. We even had a demo website that could activate your microphone and stream back the audio without the user ever having a clue. No matter the browser, we could hear you. A global spy network just waiting to be activated. Hrm, the more I reflect on 10 years ago, the more it seems like 10 days ago. It’s just that now, there’s an app for that." Come back tomorrow to hear from Chris Eng, Tim Jarrett, Tyler Shields, Mark Kriegsman, Christien Rioux, and Captain @stake Steve Roge. One of these people had blue hair in 2002, can you guess who?