#2: Mike Zusman
September 9, 2015
Welcome to Episode 2 of the Building a Life and Career in Security Podcast.
This episode features Mike Zusman. Mike is the founder of Carve Systems, an information security consultancy. Formerly a web application developer turned computer security consultant, Mike has spoken at BlackHat, Defcon, CanSecWest, and numerous OWASP events.
Mike and I talk about the aha moment when he realized security was his way forward, the transition from developer to security consultant, and work/life balance with young kids.
Things we talk about:
Speaker 1: From the jayschulman.com studio, this is the Building a Life and Career in Security podcast. Now, your host, Jay Schulman.

Jay Schulman: Hey, it's Jay. Welcome to another episode of the Building a Life and Career in Security podcast, the podcast that lets you see how others grew their information security careers. Today's guest is Mike Zusman. As I've started to do these podcasts, I'm amazed at how many people don't pick security, but security actually found them. That's definitely the story for Mike. From developer to security consultant, Mike has had a very interesting, yet still common story on how he ended up starting his own security consulting firm. Here's Mike's career journey in his own words.

Mike Zusman: My career, it's pretty much fluid from the time I was a youngster, because I grew up around computers. I had a VIC-20, a Commodore 64, some Texas Instruments computer I can't really remember the model of. That's going back to when I'm 4, 5, 6 years old. From an early age I had my hands on a keyboard. Around 10 and 11, my father, who was into amateur radio, got me into amateur radio, or ham radio. I got my technician's class license, and started learning about electronics, and just hanging out with his ham radio friends, I was getting a lot of hand-me-down computer components, motherboards, RAM, CPUs, cases, hard drives. All the various peripherals. Basically, at that point if I wanted a computer, it was up to me to put it together and make it work. I carried that through schooling, taking whatever programming classes were available, either in elementary school, middle school, up through high school. While I was in high school I started working at a local bike shop, and the interesting bit about that is two of the guys I was working with had a part-time computer business. Not doing anything crazy, but they were doing small, home office networking and computer sales.
The reason that's interesting is that when I graduated high school, went to college, one of those guys connected me with a small computer wholesaler in the area of Rutgers University, down in East Brunswick, New Jersey. At the time my job was nothing more than part-time work, testing RAM, testing hard drives, things that needed to be sold while I was going to school. While working there, I ended up meeting a really interesting guy who came in to buy a bunch of old AST Manhattan Pro servers, these four foot high servers. He wanted to buy around 20 of them, but the deal was he only wanted to buy them if he could get them working. My boss at the time volunteered me to go help this guy configure these machines, get them up and running. It seemed a little shady at first, because I had to go to the guy's house in North Brunswick, New Jersey. When I get there, he's got all these servers set up in a spare bedroom. I'm like, "What are you doing with these servers?" He's like, "I'm starting a web hosting company." Okay, what's web hosting? This was kind of a new world for me. Sure enough, he had a T1 coming into his house, and we got the servers up and running. He started a startup web hosting company in his basement. That was when I really learned about internet technology, web servers, database servers, connectivity, T1s, routers. Interestingly enough, nothing about firewalls at the time. We basically set up these systems, put them on the internet, set up a website, had people sign up for web hosting packages. At that same time I learned about the Microsoft stack, in terms of programming and web development. The web development skills I picked up there I immediately took back to my other employer, the computer wholesaler, and said, "You know, you've got all these extra components laying around the office that you could probably sell on the internet, on eBay." My boss basically said, "Okay Mike." I was 19 at the time.
He said, "If you can sell this stuff on the internet, I'll pay you a commission." We started selling components on the internet, and it was working, primarily on eBay at the time. I thought, "How can I scale this up so I can sell larger volumes of computers and equipment?" I drew on the web development skills I was picking up at the web hosting company, [inaudible 00:04:23] auction management software and an e-commerce site to actually sell more product. Really what got me into web development, this is probably around the '99, 2000, 2001 timeframe, was purely business motivation, to sell more product. It was just that type of environment, a small business where if you had the skills you could make a big impact. I learned a lot about how to write insecure web applications at the time. Ultimately that led to another opportunity working for a much larger company, that was a cellphone retailer. They were a Cingular-branded retailer selling cell phones both in physical retail locations, and they had a call center. My job there was to basically administer their e-commerce site, which did a whole lot of nothing in terms of sales. While I was there, they're trying to get this e-commerce site off the ground. We noticed that [inaudible 00:05:22] got 50 sales people on the phones in the central office, and they're all taking orders for cell phones over the phone, and they're writing these orders on paper. They gave these paper orders to another team, who plugged them into the credit scoring system and did all the approval and activation. I said, "Hey guys, you know, you could probably automate a lot of that." They said, "Okay Mike, if you can automate it, go for it." I once again drew on web development experience and application development experience from the prior two companies. A couple of years later we had a number of applications powering a 200 person call center. We had paperless orders.
Sales guys were taking orders over the phone, putting them into our web application, I should say our intranet application. Credit scoring was automated, it was automated all the way through until a UPS label and invoice were printed at the other end. Once again, I learned a lot about building insecure web applications. I still wasn't a security guy, this was around the 2004 timeframe. Ultimately, I was still a relatively young guy there, I was 23, 24, and ultimately I felt like I had solved all the problems at that company. My roommate at the time was interviewing at a company called Whale Communications. I didn't know much about them, but they were having a private career fair on a Saturday. I went along with them, and ended up getting an offer to join their technical services team. What Whale did, they were a web application firewall and SSL VPN remote access device. Again, I'm going into this not as a security guy, but the reason why I excelled in their interviews was because of my experience on the Microsoft stack, doing web development, and understanding how web applications work and associated protocols. Ultimately if you're provisioning a web application firewall, it's really important to know how web applications work. I joined their services team, I was doing pretty well. I remember one day, a customer reported a cross-site scripting vulnerability in our product, in our web app firewall. I saw people running around, like "Security vulnerability," I had to do my research to understand what was going on. Once I realized what this cross-site scripting vulnerability actually was, I realized, "Oh, I know of 30 other places in our product where there's cross-site scripting." I tracked down these vulnerabilities in the code, filed bug reports. They were treated with very high priority in our R&D organization, and ultimately I became the de facto security guy, the product security guy. Unofficially, so to speak.
That was when I really got bit by the application security bug, and that's when I started going to [inaudible 00:08:31] conferences, [inaudible 00:08:33], and just doing my own research, poking and prodding in various web apps to find vulnerabilities. Coming out of that experience, that was a great experience for me because Whale had a successful exit. We were acquired by Microsoft. I had to do a year working as a Microsoft employee, I could have stayed on, but relocation was required for me, to move out of the New Jersey area. That really wasn't an option for me. With my newfound passion for application security I was able to get a job at ADP, the payroll company here in Jersey, and joined their application security team. Which was interesting, because in reality we were internal consultants, doing pen testing, and working with various development teams throughout the organization. In fact my job, when I joined that team, was to help roll out static analysis tools to the various development groups. This was one of those important events in my career. I was only at ADP a month or two, and I'm pretty sure this was publicly disclosed. There was a big, targeted Salesforce phish, and that affected our organization. I believe that that attack was discussed publicly, because it wasn't just targeting ADP. In any event, I said, "Phishing attacks, these are pretty bad. We're going to have a lot of problems with these." I knew at the time of Intrepidus Group, I knew those guys casually through a [lot 00:10:03], and I knew that they had their phishing product. I made contact with them, brought them in to do a demo of PhishMe for our team. In the end, the end result of all that is that ADP did not use PhishMe at the time, but I ended up joining Intrepidus Group. They ended up recruiting me to come on board and be a senior consultant. This is around 2007, 2008. I started at Intrepidus as a consultant in that time frame, went to 2011.
Ultimately, when I left the Intrepidus Group, this was before they were acquired by NCC Group, I left as director of consulting. In that time I learned a lot more about what it means to be … This is something that I think about quite often, the difference between consulting and penetration testing. It really depends on what your customer wants. Does your customer want you to be a consultant? Do they need you to be a consultant, and help guide them through the information security process? Or do they need you to just come in and do pen testing? Hack the application, report the vulnerabilities, provide some remediation advice? I would say we were doing a lot more pen testing, maybe 80% pen testing, 20% consulting. Ultimately I started to, at least with the clients I was working with, maybe I was just getting a little burnt out on pen testing, I wasn't seeing … I didn't see the value of a lot of the pen testing we were doing at the time, because I felt like our clients needed more consulting, more guidance as to how to prevent a lot of the security issues they were coming up against. Ultimately I left Intrepidus Group in 2011, went the one man shop route doing some longer term advisory consulting, as well as some pen testing to pay the bills. I was doing fine as a one man shop, independent consultant. Ultimately peers and friends that I'd made throughout the industry said, "Hey Mike, what are you doing, let's join up, let's consult together." Ultimately, my company, Carve Systems, grew to where we are now. We're six full time consultants. That's the long-winded story of how I got to where I am today.

Jay Schulman: What an interesting path you took, and I think it's similar to a lot of people. You walked into Whale, which was itself a security company, and then fell into a security job. Do you think you would have found it any other way? Was it ever interesting to you? Or did you really just fall into this?
Mike Zusman: It was of interest, but if I'd taken another development job elsewhere I probably wouldn't have had that experience. That really fostered that passion for security. In some of the earlier development experience, we had actual security incidents. We never experienced anything in terms of a large-scale breach, but an FTP server getting owned. I remember when the Slammer worm hit, we were doing a bone-headed move of running ODBC connections over the internet. When Slammer hit and ISPs started blocking port 1433, 34, the MSSQL ports, our systems came to a screeching halt. I didn't get bit by the security bug then, I was just thinking, "Okay, let's run our ODBC connections over a different port." I think it really was that climate, working at Whale, that really fostered my passion for finding these vulnerabilities.

Jay Schulman: You've had a lot of different career paths, or changes. Is there a particular moment where you had a fork in the road, or a decision to make that really was crucial to getting to where you are today?

Mike Zusman: Yeah. Definitely the decision to leave Intrepidus Group and go independent, that's a tough one, right? You're going from a company that is paying your benefits, and you know that paycheck's going to come, to "Yeah, you know, I've got a year contract that's part-time. The checks probably will keep coming." That leap of faith that it will all work out without having the comfort of a steady salary. Ultimately, what made that decision a lot easier was knowing the climate. Even today there doesn't seem to be any shortage of information security related job openings. Knowing that, worst-case scenario you just end up going and getting a security job elsewhere, it might not be the job of your dreams, but knowing that if you take this risk and it doesn't work out, your family's not going to starve. That was an important mindset that helped me make that decision.
Also, interestingly enough, during the midway point at Whale, after I'd gotten bitten by the application security bug, I was doing some freelance consulting with a friend in the New York City area. At that time he said to me, "Mike, you should quit your job at Whale and we should start an information security consulting firm." This is, again, around 2005. I thought, "Yeah, that's really what I want to be doing, I want to be doing application penetration testing and application auditing all day long," that's what I wanted to do. I said, "You know what, it's too risky." It seemed too risky at the time to, once again, walk away from that steady paycheck. But I would have ended up starting a company like Carve in 2005, instead of 2011. I think about that from time to time. Ultimately, I don't beat myself up too much about it, because in that time I've learned a heck of a lot more about what it takes to run a business and how to effectively service my clients.

Jay Schulman: It's interesting, hindsight always being 20/20, to reevaluate decisions that you've made, which goes to another core question that we ask everybody, which is a do-over. Is there something along that great story that you told you would do over if you had the opportunity?

Mike Zusman: Yeah, as much as I can say I've learned a lot between 2005 and 2011, I think it would have been … My risk was actually much lower in 2005. Going back, if I had to do anything again, I probably would have taken that leap in 2005 to go and start a consulting company. That's the one thing. Not a regret, but it would have been cool to see how much we could have grown in that nascent period of the apps industry.

Jay Schulman: I'm guessing part of that risk is kids, we were talking about kids before we started recording. The start of your story is similar to the start of my story, which is where a parent puts technology in front of you at an early age and you fall in love with it, or really enjoy it. I have kids, you have kids.
I think a lot about how we use technology, throw kids in front of iPads and things like that. I also appreciate the fact that I wouldn't be here today if my dad hadn't done it, and certainly it sounds exactly the same for you. If your dad hadn't done the same thing. As you think about raising your kids, are you going to do the same thing? Are you going to put a lot of technology in front of them, how is that going to be different?

Mike Zusman: No, I think it's a lot different, because now it's all too easy to give your two year old an iPad. There's no level of effort for them to get the satisfaction of using the technology the way we had to, where you had to build the computer to make it work. That was only when you're maybe a little bit older, 9, 10, you still had a number of years under your belt of playing outside. I think on the one hand technology is basically going to be readily accessible to kids. One of the things as I raise my daughters is to make sure they get enough time outside and away from technology. As they grow up, I know they're going to be users of technology, I wonder about, "Well, at what point do I start giving them opportunities to be creators of technology? Getting them exposed to programming, getting them exposed to electrical engineering concepts, and building gadgets and devices just for the fun of it." My strategy for raising my daughters is definitely going to be outside first, and then figuring out, "What are those effective doses of technology education that I can give them, that I know they're not going to get in their day to day schooling?"

Jay Schulman: I think that's a very commonly held belief for technology people, which I always think is ironic. You brought up a great concept there, of how, and again similar to my background, how we started putting things together. There wasn't an iPad that was sealed, that you couldn't take apart and figure out how it worked. We had all these parts and we put them together.
How do you think somebody either thinking about a career in security or maybe thinking about a career in development, how do they get that experience of building, because it's just so different today? Building a mobile app is a completely different experience than putting together a homebuilt PC.

Mike Zusman: Right. We struggle with that as we grow our own company, trying to find, trying to recruit security people. We find that really we need to start at basic software engineering skills. "Do you know how to build basic, rudimentary software? Do you understand …" Not even because we want people to be able to build enterprise software, or even open that sort of software, but to understand how software is built. You're right, there are a lot of security people out there who are skipping the whole software aspect of security, and can be tools-focused. I know, at least for us, when we're bringing on an intern or an entry-level consultant, we're exposing them to a lot of software development exercises, and programming exercises. I think, for someone who's just looking to do this on their own on the side, maybe they have a full time job and they're looking to grow their security skill sets. I think getting an AWS account, spinning up a couple of instances and doing just the basic things, like learning how to stand up a web application on the various platforms, whether it be PHP or just installing WordPress, to building a Ruby on Rails app. I know there are numerous tutorials and educational resources online. Actually, I was speaking to a former colleague, he was my boss back in the day at the cell phone retailer. He's kind of gone up the corporate ladder into product management. He's got a 20 year career at this point, he's looking to go to a programming boot camp just to, number one, reinvigorate his passion for learning, but also to just pick up these practical skills to understand how this software is made.
I think the free route, or the low-cost route, spinning up your own AWS instances and just picking a platform and writing a simple web app, hello world, it's a great place to start. Maybe spending a little bit of money and attending one of these boot camps, and learning about programming. Then, once you do that, take a look at something like WebGoat, or some of the [inaudible 00:21:54] training resources. That's just going to build those security skills on top of an underlying understanding of software architecture.

Jay Schulman: Perfect. Anything we haven't talked about that you wanted to bring up?

Mike Zusman: One thing that we see a lot. When I did join Intrepidus Group, one of the first things I did, I had this backlog of cool research ideas in my head that I never really knew if they would be of interest to anyone else. I submitted them to a number of different conferences, started public speaking. Public speaking, that's something that we didn't touch on at all. I learnt from a guy who … I would have failed a class in college … I'll be honest. I did not pass a class in college because I did not want to present in front of the class, I was that shy and that apprehensive about doing any sort of public speaking. I went from that to going to Black Hat and Defcon and talking about whatever research topic was of interest at the time. I think that a lot of people, and this is just based on talking to a lot of other people that are in our industry, they have cool ideas, or ideas that they think might be cool. But then they downplay them and say, "Well, I don't know if it's cool enough to submit to a Black Hat, or even a local [inaudible 00:23:14] meeting." When the truth is, in many cases these events are open and willing to … They want submissions, they want new ideas.
I guess the point I'm trying to make is that I think people in our industry in general should be a little bit more confident in their level of expertise, or their passion for a specific area, and work towards getting it out there. Whether it's writing a blog post, or actually submitting a proposal to a conference or even a local [inaudible 00:23:44] meeting, and actually getting in front of people and speaking about it. That's just great personal and professional development right there. Because at some point, we sit here on the consulting track and you want to keep growing. It's very beneficial to be able to get in front of a team of C-levels, or the board of directors of a company, and actually give a presentation about some aspect of security for their organization. That's free, and it can be a fun way to enhance a number of professional skills that ultimately are going to grow your career as well, as well as your social networks.

Jay Schulman: From an [inaudible 00:24:21] perspective, I agree completely. We try to encourage people to try out new material, at an [inaudible 00:24:29] meeting, here in Chicago, we range from 40 to 100 people for an [inaudible 00:24:34] meeting, and it's a great opportunity. People aren't expecting the same quality of speech as you would at a Defcon or a Black Hat, so it's a great opportunity to try it out, see if you like it, get that experience. I agree completely. Mike, if somebody wants to work with Carve Systems, where do they find you?

Mike Zusman: Sure, carvesystems.com, c-a-r-v-e systems.com. I'm pretty easy to find on LinkedIn.

Jay Schulman: Great, thank you.

Mike Zusman: No, thank you Jay.

Jay Schulman: Thanks to Mike for joining us today, I see a lot of Mike's experiences in myself as well. I try not to promote many companies as part of the podcast, but I'm a huge supporter of small business, so I put Mike's company information in the show notes.
If you have comments or questions about today's podcast, or want to join me to talk about your career journey, shoot me an email at podcast@jayschulman.com. If you found this podcast valuable, let me know by leaving a comment in iTunes. Thanks again for listening to this episode of the Building a Life and Career in Security Podcast. Please subscribe to this podcast on iTunes, or at jayschulman.com/podcast.

Speaker 1: Thank you for listening to the Building a Life and Career in Security Podcast, with Jay Schulman. For more information, and to subscribe, go to jayschulman.com.