Learning to do Secure Code Review – Thrown to the Wolves

Kind of a longer version of the intro, and how I learned to do secure code review.

I fell in love with programming in high school in the early 80s so I studied computer science in college at West Point. After active duty as an officer in the Army, I got out and became a defense contractor in Huntsville, AL. There I did some general engineering and software development at AEgis Research (now AEgis Technologies) and helped build out their corporate network and get on the Internet for the first time. In 1997 a fellow West Point graduate recruited me to join him doing network security at Microsoft. Figuring security would be important in the age of the Internet I made the change.

Those were wild and woolly days of network security as we figured out how to secure a globe-spanning network that was a major target. I was on the incident response team fighting worms, viruses and hackers long before today’s tools for that came into existence. I got to see how hackers thought and how they worked. I was there when Microsoft had their great security awakening after things like Code Red and Nimda. I watched their management and developers gain security religion and start to change their ways.

In 2003 I returned to Huntsville to work at SAIC building various solutions for government customers and continuing to do security work. In 2007 I was at the right place at the right time as one of the local managers won a task to do a secure code review of a web application for a government customer and on the very same morning the person slated to do the work became unavailable. I jumped right in.