Unsung (And Under-Sung) Heroes Of Security

You’ve heard of the cybersecurity rock stars, but there are plenty of other major contributors to the industry who deserve kudos. In celebration of Dark Reading’s 10th anniversary, meet a few of these folks.

Even when it was tiny, the cybersecurity field had no shortage of big personalities. When the industry was altered by a new, outstanding piece of work, sometimes it would also herald the birth of a new security rock star (who might also be an outstanding piece of work).

Other times, the people who carried out tremendous feats go largely unrecognized by history, even as their work lives on. Brilliant discoveries and creations. Better ways of doing the same old thing. Or simply the support or mentorship someone needed to create do those revolutionary things.

Here are just a handful of people of the people who’ve made big impacts on information security, who we feel haven’t quite enough credit from security professionals. Some of them we doubt you’ll know. Others you may recognize, but we wouldn’t call them “household names,” not if we were only counting the nerdiest of homes. 

However, you most definitely know their work. 

The Team That Discovered Cross-site Scripting

Back when most people in IT were obsessed with Y2K — now just a sidebar in the history books — a team of security researchers at Microsoft and elsewhere gave a name to something that would have a far longer, far darker life: cross-site scripting.

XSS is still a security nightmare, ranked number three on the latest OWASP Top 10 Web Application Vulnerabilities List. Although it’s the Microsoft Security Research that claims credit for picking the common name, there’s a longer list of contributors who are officially credited in CERT’s original advisory, recorded as “malicious HTML tags embedded in client Web requests.” Credit goes to “Marc Slemko, Apache Software Foundation member; Iris Associates; iPlanet; the Microsoft Security Response Center, the Microsoft Internet Explorer Security Team, and Microsoft Research.”

Jeff Forristal

If there is a vulnerability class that is perhaps more pernicious than cross-site scripting, it would have to be injection attacks — currently reigning at number 1 on the OWASP Top 10. And the Big Daddy of them all, of course, is SQL injection.

The world learned about SQL injection in 1998 thanks to Jeff Forristal, then known more commonly as rain.forest.puppy. Forristal went on to be among the leaders in establishing “responsible disclosure” policies, and made his mark on everything from web apps, to mobile, and physical device security. He’s now CTO of Bluebox Security.

Shari Steele, John Perry Barlow, John Gilmore, & The Whole EFF Crew 

All the way back in 1990, two concerned citizens — Sun Micrososystems employee John Gilmore and poet/essayist/lyricist/cattle rancher John Perry Barlow — came to the legal aid of a man they felt was being wronged by the US Secret Service’s electronic surveillance practices. From there, the Electronic Frontier Foundation (EFF) was born.

Since then, the attorneys and staff at EFF have made it their job to know the ins and outs of every technology, online privacy, cybersecurity, and surveillance law the world can throw at us. 

Shari Steele came on board early, serving as legal director for eight years, executive director for 15 years, and now board member. She led the way on some of the issues that hit infosec pros closest to home — advising the US Sentencing Commission on sentencing guidelines for the Computer Fraud and Abuse Act and the National Research Council on US encryption policy.  

Special Agent Elliott Peterson & The Rest Of The Operation Tovar Crew 

The disruption of CryptoLocker and the GameOver Zeus botnet in spring 2014 — dubbed Operation Tovar by law enforcement — was revolutionary, because it created a brand new model for the way organized cybercrime groups are taken down. 

It was remarkable for to reasons. First, law enforcement made it a higher priority to disrupt/dismantle the cybercriminals’ infrastructure than to capture the criminals themselves; they made only one indictment. Second, the effort was an enormous collaborative effort between both public and private entities in many countries.

Special Agent Elliott Peterson of the FBI was one key member of the team that led the operation, but certainly everyone involved in uniting the forces of good across 11 countries deserves accolades. 

John Reed & Citigroup’s Executive Team In The Mid-90s 

You might have heard of Steve Katz, “the world’s first CISO.” But how about a shout-out for the people who had the idea of hiring him in the first place?

As Katz explained to Tom Field of Bank Info Security, he was working for JP Morgan in the mid-1990s when another financial services organization, Citigroup, experienced a security incident. (This was back when such things were taboo and kept very hush-hush.)

Citigroup CEO John Reed put together a committee of executives, which, according to Katz, realized that security was not just a technological issue but a business issue. They created the position of chief information security officer (CISO), and after months of interviews, Katz landed the job, with support from Citi that was “absolutely incredible.”

The US Postal Service (!)

When sifting through applicants for new information security staff, employers often look for five letters: CISSP. 

ISC(2) created the CISSP certification back in the early 90s, but if it hadn’t been for a timely influx of cash from the US Postal Service, it might never have survived to become what it is today. As Harold “Hal” Tipton explained in an ISC(2) interview

[embedded content]

 

Carey Nachenberg

Hardly any security products have made it to “household name” status, but Norton Antivirus indubitably has. Norton’s co-creator Carey Nachenberg — now Symantec’s senior-most engineer — is also a name you should know.

In addition to Norton AV, Nachenberg conceived Symantec Insight, the industry’s first reputation-based endpoint security tool. He also holds a whopping 85 patents.

Steve Christey Coley

Researchers love to dig up vulnerabilities — tens of thousands of them. Left to themselves, vuln researchers might treat bugs much like kids treat toys — have unreasonable arguments about whose were the coolest, then lose track of them entirely once they got a bit old.

Someone needs to bring order to this chaos, and create systems for prioritizing, rating, and cataloguing these bugs. Steve Christey Coley has been one of the foremost of these appsec entymologists. He was co-creator and editor of the Common Vulnerabilities and Exposures (CVE) list and chair of the CVE editorial board for 16 years. He  was technical lead for CWE, the Common Weakness Scoring Scoring System and an active contributor to related community-driven efforts like CVSS and CVRF.

Now taking on the next frontier in infosec challenges, Coley is a principal information security engineer at The MITRE Corporation, supporting the FDA’s Center for Devices and Radiological Health efforts to improve medical device security. 

Related Content:

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad … View Full Bio

More Insights