We’re pleased to announce that our colleague Colin Domoney, a consultant solutions architect for Veracode, was recently nominated for a Security Leader of the Year award.
Organised by Information Age, Tech Leaders Awards is Britain's flagship celebration of tech leaders, honouring those at the forefront of disruption and innovation and playing a central role in driving business value with technology.
Originally an embedded systems developer working on military grade secure communications systems in South Africa, Colin has over 20 years of development and security expertise in the telecommunications, consumer, medical and financial service industries. His most recent experience has been as the technical expert leading a large-scale application security programme in a large multinational investment bank. He was responsible for the deployment and operation of the Veracode service, and leading the remediation programme, and deploying a RASP solution within the organisation.
I recently sat down with Colin to get his thoughts on the nomination, his role and the security industry.
Like many of my colleagues in the AppSec industry, this isn’t something I set out to do. In fact, in my time at university, there wasn’t even an awareness for the need to code defensively (this was in the days before everything was connected ubiquitously). I had an interest in cryptography and, in particular, what was possible using hardware modules to accelerate cryptographic primitives. My earliest memory is using a $1,000 2048 bit exponentiation chip to raise 2 to the power of 3 (and indeed get 8). But it was very quick ☺ Since then, I’ve always stumbled between software/embedded development and security roles, so my current role is a perfect fit, even if not by design.
I think the problems I faced and the problems I see are somewhat universal – typically, security leaders not knowing where to start to even begin managing their AppSec risk, or not knowing how they’ll affect the cultural change necessary to bring about a “secure mindset.” I am enjoying the consultative approach and would like to think I’m regarded more as a trusted advisor rather than as a “vendor guy.”
When I started my role at the bank in 2012, I went in with the assumption that the problem was a technology problem – if I chose the best tool, everyone would use it and love it. The reality is, of course, significantly different – the problem facing many organisations in their move to secure their portfolio is much more one of process and, most certainly, people. I think there is still a fear of the unknown, be that from CISOs wanting to start a programme and not knowing where to start, down to developers who are concerned about what security testing might reveal about their code.
Although not what I expected when I started at Veracode, I have found my work evangelising very rewarding, and am currently looking for more speaking events and, in particular, hope to expand my portfolio of webinars that I’ve so enjoyed researching and delivering. Also there are rumours of a book in the near future.
My current focus is on how we make security testing seamless for developers, i.e., how to make security testing tools as good as all the other tools that developers are using on their desktops and IDEs. Watch this space!