January 15th was the 10th anniversary of Gates' Trustworthy Computing memo. We thought it would be interesting to ask a few CA Veracode employees what they were doing on that day 10 years ago. This is the second post on this topic. Yesterday's post is here. Some of the answers are really funny! Can you guess who had blue hair in 2002?

Captain @stake Steve Roge was selling manual code reviews to Fidelity for $150 per hour, and every consultant who worked on the project hated him because they didn't want to sit in a cube with a pencil reviewing code line by line. Steve believes this was the shift when folks like Fidelity started to look for automated solutions: they wanted to go deeper and broader on their application inventory and knew angry consultants wouldn't scale.

Chris Eng was a security consultant at @stake, delivering web application penetration tests and product security assessments for large enterprises and ISVs. On the date in question, he was pen testing a network appliance, poking around at WebSphere bugs, and gearing up for a product assessment at Macromedia (now Adobe). The interesting thing about that assessment was that we were testing against a beta version of the product. So while many companies were still doing all their security testing post-release, or not at all, Macromedia already understood the value of pushing security further back into the SDLC. This was pretty rare at the time.

Tim Jarrett: On January 15, 2002, I was in business school and had just accepted a job offer from Microsoft. At the time it was a very different company: hip deep in the fallout from the antitrust suit and the consent decree, having just launched Windows XP, and figuring out where it was going on the web (remember Passport?). And the taking of a deep breath that the Trustworthy Computing memo signaled was the biggest sign that things were different at Microsoft. And yet not.

It's important to remember that a big part of the context of TWC was the launch of .NET and the services around it (remember Passport?). Microsoft was positioning Passport (fka Hailstorm) as the solution for the Privacy component of their Availability, Security, Privacy triad, so TWC was at least partly a positioning memo for that new technology. And it's pretty clear that they hadn't thought through all the implications of the stance they were taking: witness BillG's declaration that "Visual Studio .NET is the first multi-language tool that is optimized for the creation of secure code". While .NET may have eliminated or mitigated the security issues related to memory management that Microsoft was drowning in at the time, it didn't do anything fundamentally different with respect to web vulnerabilities like cross-site scripting or SQL injection. But there was one thing about the TWC memo that was different and new and that did signal a significant shift at Microsoft: Gates' assertion that "when we face a choice between adding features and resolving security issues, we need to choose security." As an emerging product manager, that was an important principle for me to absorb: security needs to be considered as a requirement alongside user-facing features and needs to be prioritized accordingly. It's a lesson that the rest of the industry is still learning.

Tyler Shields had left a dot-com startup in the fall of 2001 and was in transition to a consulting career with @stake on January 15, 2002. On the specific date that the memo was released, Tyler was employed by a large national security consulting firm and was embedded within the United States Postal Service. Tyler was conducting incident response and forensics engagements on one of the world's largest networks. Incident response was a mix of constant preparation and occasional frantic engagements. It felt way too reactive.

The Trustworthy Computing memo motivated Tyler to begin a transition from incident response and forensics to application security research. In Tyler's eyes, it was becoming clear that secure code was going to be the key to a secure future. At the end of the day, exploits, flaws, vulnerabilities, and security issues generally trace back to an error in code. Attacking the root cause of the problem would provide the most return on the security problem that was rapidly developing. Tyler joined @stake in the fall of 2002 and helped them become the premier application consulting company of the 2000s.

Mark Kriegsman: By January 2002, I had sold my Internet startup (Clearway Technologies), and I was looking around for what I thought the Next Big Thing would be. Within a couple of months, I would join Christien at @stake, shaping and building "SAF", which would in turn become CA Veracode's flagship offering in static binary testing. Given the successes of the last ten years, I'd say "AppSec" was indeed the Next Big Thing!

Christien Rioux was working at @stake, starting the CVS repository for the reboot of the 'undeveloper studio' project that he had already been working on for two full years, which came to be known as 'SAF', the 'Software Analysis Framework'. Christien had just been given clearance by the CEO to hire his first two developers, Mark Kriegsman and Dan Garcia, both of whom have remained either fully or partly employed by CA Veracode ten years later. Christien had hair, and it was blue!

Where were you 10 years ago? We'd love to hear your stories - add them to the comments section.