Farewell Security Buddha – Hello Curphey 2.0
I openly admit I had a misspent youth. I was expelled from school and then went on a rampage of sex, drugs, booze and rock and roll for the best part of a decade. I lived hand to mouth and did everything from stacking yogurts in a yogurt factory (working nights), selling houses, working behind the bar and as a bouncer in a night club. It was good, I don’t regret a single second, but one day in my mid-twenties I woke up and simply decided I was never going to be a rock star and it was time to get a real life or drift into a wasted life. For the most part my brain and body were undamaged, but more by luck than design.
I put myself through University (which took 4 years as I didn’t have any ‘A’ levels) and studied Mechanical Engineering. I was never gifted academically but I knew I could hold my own and with a bit of hard work graduated with a decent degree. My final year project was modeling fluid flow over a grand prix car using computational fluid dynamics software. The software was dongled and cost several thousand pounds. One weekend I decided to figure out how dongles work. As they say, “the rest is history”. I managed to talk my way into Royal Holloway, University of London to study for a Masters in Information Security (a large dose of cryptography, as it’s in the Math department) and became ignited by computer security. Royal Holloway is a very special place to me. It literally changed my life forever, opened up doors and kept me on the straight and narrow. For the most part that fire ignited in me has been burning pretty strong for the last 15 years and allowed me to live a blessed life. If you are doing something you love, something you are good at and something people will pay you for, you pretty much have the perfect job. I have lived in some amazing places (London, Brighton, the South of France, Boston, San Francisco and Seattle) and worked at some amazing companies (Schwab, ISS, Foundstone and now Microsoft). I have met some amazing people (too many to mention) and had some good luck (Foundstone acquisition). I have travelled all over the world (quite literally) and I got to start a security revolution on the net with OWASP. I contributed to many books and more than anything I have learned a lot about a lot of things. Security has been very, very good to me.
For the last few years I have grown increasingly disillusioned with the security industry, to the point where after nearly two years of thinking and talking about it I have decided that it’s time for me to move on. There is a long list of frustrations and I have seriously thought about a last detailed shot over the bow with some home truths as I see them. The reality is it will probably not be productive. I had commentary about the security circus and the clowns, ringmasters and performance artists that play in the big top; commentary about the lack of genuine computer science that finds its way into security; commentary about the lack of business science that is being adopted (why aren’t security people obsessed by Freakonomics?); commentary about the sad fact that for the most part we are still doing “the same old shit” 15 years after I first started (the definition of insanity is to do the same thing twice and expect a different result); commentary about the farce of PCI (and related standards) and people caring about trivial issues (easy to understand and sensationalist in nature) when looming holes that could have major impacts go unnoticed... I could go on. People thinking they need “purple dinosaur” features in their security software because some marketing spin says so, and commentary about the sheer FUD being pumped out by the marketeers. I have watched an industry spin out of control, largely paying lip service to the term risk, and watched sectors of it become largely irrelevant outside of their own self-fulfilling set of prophecies. When things go right no one notices (at least outside of security) and when things go wrong everyone points fingers. That’s a tough place to be impactful and remain positive.
To the talented smart people that are able to make a difference and advance the state of security in this arena, I salute you. We need you. You are troopers. Having been at MSFT for the last two years I am in awe of the way we think about security. The people, the process and the technology have turned us from laughing stock to poster children in 5 years (some may argue and they are welcome to). We are far from perfect but it’s been humbling to see it done on such a large scale. So it’s with this knowledge behind me that I can confidently say I have been part of the best and it’s just not cutting it for me any more. It’s time to move on.
The caveat here is that I will likely always have an interest in software security and specifically web security. I run the developer Security MVP Program at MSFT and will continue to do so. I am still passionate about making sure we have the right industry experts with the right resources to be their best for our customers. There are also a number of interesting problems still to solve (mainly at a technical level) and, as you will see from my growing passion for development process below, integrating security as one attribute into the development process is something where I will be able to add significant value (especially looking back from the other side of the wall).
As I move into Mark Curphey 2.0 (that’s a great tag line for the new blog!) I plan to be active talking about my current passions.
- Web Technology
- Development Process (specifically Agility)
- Social Software
- User Experience
My new role at MSFT is a Director in the Server and Tools Online team, which is part of the Developer Division. Among other things we build and run the developer-focused web sites such as MSDN. MSDN has 20 million unique visitors a month. It’s large-scale web development focused on building software and content to support our developer community. I am sure you see the fit!
I have a lot going on besides the new job. I am planning to regain my technical chops over the next year or so, probably launch another open community, a side commercial project focused on software for freelancers, and I am seriously thinking about running a marathon this summer for Leukemia research. Then summer is coming so it’s kite-boarding...
While it’s been fun, I will be closing this blog down soon. I’ll leave it up for a few weeks while I get a new blog set up and port the articles I want to reference. The new blog will move to www.curphey.com (not currently active as of 3/5/2010).
You can follow me on Twitter at @curphey and over at the new blog.
Lastly, and by no means least, is a big thank you. Thanks for reading this blog and thanks to all those that helped me be successful in the security industry.
March 5, 2010 at 7:43 pm
I can’t believe it’s not Buddha! (SCNR)
Keep up the fight, I for one have always preferred to get things securely built (i.e. the original code) rather than patch over the cracks, install failure detectors, etc. I.e. prioritise spending on locks rather than burglar alarms. Both have their place, but it’s usually more cost-effective to avoid the clean-up job than know who did it.
So I look forward to highly secure servers and tools from Curphey 2.0. Or, as with any “.0” release, should I wait for the service pack?
March 6, 2010 at 6:58 am
It’s scary to think it was nearly 10 years ago that the call went out from yourself to help on a document to teach others how to test web applications. I agree with you, not much has changed since then, except maybe the egos and the petty vulnerabilities hyped as the end of the world.
I reckon this isn’t the last we’ve seen of the Curphey, so I look forward to seeing 2.0.
March 7, 2010 at 2:53 pm
Hi Mark
Good news and good luck. For the last year, I’ve been flip-flopping daily between how much I love security vs. how much I hate security. I think the good people will leave the field and come back to the field repeatedly because:
- It makes you better at both
- These fields shouldn’t really be separate anyway
- Specialization is for ants
March 8, 2010 at 11:01 pm
Good luck Mark,
The InfoSec industry will certainly miss you, and your withheld^Whinted comments on the security circus certainly ring true. When disillusionment sets in, it is time to move on.
Looking forward to Mark Curphey 2.0 (and not mentioning Mark Curphey 3.0 just yet – that one, I am sure, will rock even more).
March 11, 2010 at 7:16 pm
I can see my contribution to this post!
You will be missed in this team. And personally, you have given me the right environment to really make a difference here.
March 12, 2010 at 3:06 am
Thanks for the kind words.
March 12, 2010 at 3:09 am
And yes, “purple dinosaurs” sums up something that’s been wrong with security software that I could never articulate. Such a compelling phrase...
March 21, 2010 at 4:54 pm
Mark,
Thank you for the insight – you will be terribly missed, and I wish you the very best in your new role.
Can’t wait to see Mark Curphey 2.0!
Best Regards,
Laz
March 21, 2010 at 9:33 pm
Mark,
While reading your condensed recap, I thought it strange, but fitting, that you did not make mention of one industry accomplishment that those who know you should count as your greatest... and that is the unmeasurable inspiration you’ve provided to countless souls like myself, who wouldn’t have thought to use the words “security” and “rock star” in the same paragraph before having tipped one back with the guy who is both. Looking forward to reading the next chapter. Best of everything to you.