Chris Eng: An infosec journey from offense to defense

“Come to my lab, I promise you’ll learn something cool,” a friend told Chris Eng. Within a couple of hours, he had walked him through writing an exploit for an obscure Linux bug, and Eng was hooked on the idea that one could leverage a programming error to gain root privileges on the system.

Chris Eng

Chris Eng, photo by Brendan Stewart

He spent the next year or so learning more about finding and exploiting software vulnerabilities and then left the NSA to join a startup called @stake.

“That was probably the first time I realized information security could be a lucrative career path, not just an intellectual pursuit,” he told me.

Currently the Vice President of Research at Veracode, Eng started his computer education at a pretty young age. He taught himself to program BASIC on a TI-99/4A and, somehow, that progressed into an interest in understanding how systems worked and how they were vulnerable.

“Like many in our field, I was constantly hunting for information on BBSes in the form of text files: how to crack copy protection on computer games, how the phone system worked, and so on. But I never really saw any of this as a career direction,” he says.

At the time, information security barely existed. In fact, most people didn’t even have Internet access. So he chose to major in electrical engineering and computer science, anticipating that he would be working in microprocessor design or similar hardware pursuits. In the end, that didn’t happen.

Infosec beginnings

His six years with @stake – including two years after the Symantec acquisition – heavily shaped how he views information security and software in general.

He spent the majority of his time on short, offense-focused projects. “I already knew network security was a mess, but the ease of breaking into one website after another helped me see how brittle and insecure software was, even at the largest, best resourced companies. Very few developers had received any training or guidance on how to write code securely, and their findings were often met with incredulity, even denial,” he recounts.

Among the many important lessons he learned while at @stake were that penetration testing will never scale with the pace of software development, and that understanding how to attack systems is a crucial element in understanding how to defend them.

By later joining Veracode, he seized the opportunity to spend some time on defense after many years on offense, and to try and address the software security problem in a completely new way, with a founding team that he liked and respected.

“Plus, I was excited to join at such an early stage (employee #15) where I knew my efforts would have significant impact and I could be influential. At Veracode, we’re unquestionably making it harder for attackers by finding software vulnerabilities early and helping developers fix them. Even though I’m not interacting directly with customers as much as I used to, my team builds those capabilities, and I’m proud to be having an impact.”

A decade in infosec

A lot of things have changed for te better since he started working in the infosec field.

“On the whole, we still fetishize 0-day vulnerabilities to an extreme I feel is unhealthy, but I’ve started to see more emphasis and respect with regard to defensive work, which is a positive trend,” Eng says.

Other positive trends he pointed out are more attention paid to automation, companies handling vulnerability disclosures in a more structured and less adversarial manner, and more companies proactively baking security testing and other security activities into their development processes.

Also, CISOs are finally able to communicate the value of information security (and improvements to it) to the board level audience. In the past, they would never even interact with the board unless there was a data breach.

He is more undecided about the changes tied to cybersecurity reporting. There’s now doubt that it is reaching a wider audience than ever before, but this is a double-edged sword: public awareness is up, but there is also more misinformation and FUD.

“The media gravitates toward people who speak in sound bites, regardless of their real-world experience. Even scarier, policy makers do too. Like most of the tech industry, we have a ‘thought leadership’ problem. We hear way too often from the same people, he noted.”

Changes he would like to see

He finds that people buy too much into the hype around detecting zero day attacks, yet many are not even doing basic hygiene such as patch management.

Organizations should also do make sure they have an accurate view of their application perimeter, by keeping track of websites and other services that may have access to sensitive information.

The information security industry should aim to stop fixating on failure, characterizing developers as stupid, blaming victims, perpetuating dogma and glamorizing extreme paranoia, and start paying more attention to how it is perceived and finding ways to collaborate more effectively and reasonably with the people it’s trying to reach.

Another of Eng’s goals is to do everything he can to make the industry more welcoming to women and other underrepresented groups. “There is systemic misogyny in both tech and information security, and we need more people to acknowledge this and call out bad behavior,” he says.

Lessons learned

Of the most important lessons he’s learned over the years, none are technical:

“Having good security is not a motivation to the general public. People remember how you interact with them and whether you keep your word. Build relationships. Even the best ideas will never take off unless you can communicate well. Management is about developing people. Assume competence, at least until you’re disproven. Pick your battles.”

His advice to newcomers to the infosec industry is to network like crazy.

“Your best job opportunities will come to you through your professional network, not by submitting your resume blindly to job sites,” he says.

By that, he doesn’t mean “add as many people as you can on LinkedIn”, but connecting with them at conferences, meetups, on Twitter.

“These days, there are so many ways to connect with like-minded people. Take advantage of that, but at the same time, don’t expect to be spoon fed. Take some initiative, and demonstrate the ability to learn things on your own. There are online tutorials for just about every security topic imaginable – I wish information had been this easy to come by when I was getting into security. Be genuine and humble.”

Those who want to wade into security research should have a healthy dose of curiosity, the ability to self-teach, the willingness to take risks and occasionally fail, communication skills, and aptitude and experience to contextualize risk rather than fear-mongering.

“I personally believe humility is extremely important as well, maybe the most important – granted, arrogance won’t prevent you from finding bugs, but who wouldn’t rather work with people who are humble and kind?” he concludes.