Paid Advertising
web application security lab


Just a forewarning, this is a personal blog entry, and has no technical content. I’ve been blogging on for over 500 posts now, and I have done my best to stay honest and give all my readers the facts necessary to make their own decisions about the products they use, the technology they employ and the risks they face. One thing I have said on a number of occasions is that I do not work in security. At the time I wrote that, I was telling the truth, I was working as a director of product management for a publically traded real-estate company. I was making sure the colors of the page match up, and that the search engines had the right business rules taken into account. Business only, no security. That may come as a shock to a lot of people, but I really had nothing to do with security for the last year since I started working there.

Of course, prior to that I worked for a number of big companies leading up security services, building anti-phishing, anti-virus, anti-cross site scripting, and anti-fraud tools and techniques. I’d been involved in security since there really was a web application to secure in the first place (anyone who tells you that they’ve been in security longer than I have is talking about DECs and Alphas and I’m not even sure how those are relevent to modern applications anyway). Regardless, although I didn’t work in security for the last year (since before I started this blog) I definitely have my roots in security. If it’s not obvious, this is my passion, and I’ve been out of it for too long.

So I’m starting a new consulting company called SecTheory with id and a few other part-time contractors. You may have heard wind about it on Slashdot, the Wall Street Journal, Anurag’s blog, press releases by ClickForesics or I may have told you myself in passing, but I never made it clear on this website. The goal is to deal with middle sized companies who need security help with some of their harder problems, but can’t afford to hire someone full time. Also, I have already helped a number of small security startups with their technology strategy - I will continue to do so. That said, I can no longer be considered completely unbiased as I am now a member of the security community again. In the spirit of full disclosure I thought it only fair for me to explain my new company, and what my plans are for it, so there are no secrets and each of you can make your own informed decisions about why I am saying whatever it is I am saying.

So from time to time you may see me reference material that I will be putting on SecTheory (more of the business side most likely). For the time being it’s just a shell of a site, and there’s nothing interesting on it, but over time I’ll grow it (not into a community site, don’t worry) but I’ll put more content up there as time progresses. I plan on keeping and around for the foreseeable future as I think the community needs to know what’s really happening out there and it’s a way to for me to communicate with all of you as well as the vendor community that I both love and hate.

My only concern with releasing this information is that some people might be upset with my new company (see me as a competitor or a threat) but I assure you that’s not at all how I see it. In fact I see the security community growing with time, not shrinking. The only other threat I see is that I may get into situations where I cannot talk about clients given non-disclosure agreements or whatever. This has already come up in a number of cases, that I would have liked to disclose events that occurred, but I cannot for legal reasons. I have already communicated with a few potential clients that I reserve the rights to talk about anything I learn on my own or talk about them only as “a company.” Wherever possible I will continue that trend to make sure I can share what I learn with the community.

So onward and upward. I’m really glad to be back amongst the ranks. It’s the first time I’ve been really happy since I left. If that’s not a sign, I don’t know what is. If you have questions about the company, feel free to email me off thread and I’ll share what I can. Anyway, let’s get back to the technical meat, shall we?

17 Responses to “SecTheory”

  1. drew Says:

    Congrats on the new venture!

  2. Sid Says:

    The best of luck with SecTheory, as if you’d need it. I’m glad you told everyone about this, not that it matters much to me but still. Good work.

  3. RSnake Says:

    Thanks, guys, I really appreciate it!

  4. blad3 Says:

    Good luck with SecTheory, RSnake!

  5. RSnake Says:

    Thank you, blad3! A friend of mine recently said “Life is 1/2 luck and 1/2 being prepared. If you are super prepared but have no luck you’re screwed, and if you have lots of luck but are totally unprepared for it you’re screwed.” I’m hoping to have some of both! :)

  6. Jungsonn Says:

    @RSnake: “My only concern with releasing this information is that some people might be upset with my new company (see me as a competitor or a threat)”

    Those people aren’t sure of themselfs them, if you know you’re good you don’t have competitors - old saying in my country.

    I wish you all the best luck with the new company RSnake. :)

  7. Chris Shiflett Says:

    Best of luck! I’m glad to see you taking the leap, and I’m sure you’ll do well.

  8. Andrew Hay Says:

    I hope that everything works out for you. If you’re ever looking for some Canadian consultants please don’t hesitate to contact me ;)

  9. nEUrOO Says:

    Wish you the best! But there is no way that RSnake and id cannot do very well :)

  10. Mephisto Says:

    Best of luck on the new venture I’m sure based on your (and id’s) experience and reputation it will be very prosperous.

    Since you stated you were moving to Texas in a couple of months I assume that’s where the company will be based? Are you just providing auditing services or will you also provide training programs, such as developing secure code, implementing security into the SDLC, etc…

  11. hackathology Says:

    Rsnake, you have my support. If you need clients, just holla at me, i can introduce good clients to you in the middle east. I want you to succeed.

  12. Zeroknock Says:

    Well congrats.

    The page you have set for error check is quiet nice.

  13. DeadOnArrival Says:

    Congratulations and best of luck to you.

  14. Spider Says:

    Yes, it all sounds very good….

    But how do I know SecTheory won’t sell me RSnake Oil…..

  15. RSnake Says:

    Wow, so many good comments, thank you all!

    @Jungsonn - thank you for the words of encouragement! Thankfully id is helping me, because we get to tag team a lot on the areas of expertise. He’s been handling all the network architecture stuff, and I’m obviously on the web app side, so it works out nicely.

    @Chris - Thank you!

    @Andrew - You never know, with the way the industry is growing I could experience explosive growth so it’s not out of the question. It’s actually a worry of mine in a way. Clients are great, but controlled growth is critical.

    @nEUrOO - I hope that’s true! Thank you!

    @Mephisto - Yes, that’s correct, although with anything like this, it will be 80% virtual anyway, so the people I’d be hiring when I need more people could be located literally anywhere, as long as they are near an airport. I’ll probably primarily be focused on security architecture. Code review is not really an area I want to focus on, nor is training, although in the short term I might consider things like that on a one off basis. My background is heavy on the architecture and security strategy side so I’ll probably tackle that side where possible. id’s side of the business is mostly hands on security architecture and engineering.

    @hackathology - that would be great. Clients are welcome. Feel free to send me an email and we can talk about it. Maybe we can even work out some sort of reseller agreement so you get something out of the deal. That goes for everyone else too!

    @Zeroknock - hehe, you aren’t the only person to stumble across that. Shame on you for auditing me. ;)

    @Spider - haha… RSnake oil costs extra.

  16. zeroknock Says:

    God knows who should stumble and for whom shame matters : heheh

    Rsnake: Work ahead.

  17. hackathology Says:

    yes sir rsnake.