Biography

Born: I was raised by two lawyers in Maryland and Virginia. I got a TRS-80 Color Computer in 1983 and spent most of my time in high school cracking copy protection, modding the OS, and doing hardware projects. I have four children, two in university and I love how surprisingly dissimilar they are.

Studied / Education background: I have a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Current role / bio: I am Co-Founder and CTO of Contrast Security. I’m very active in the DevSecOps community, and recently authored the DZone DevSecOps RefCard. I speak frequently on the topic at conferences like Velocity, DevSecCon, JenkinsWorld, AppSecEU.

I’m also a founder and major contributor to OWASP where I have served as Global Chairman for 9 years and created the OWASP top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects.

Q&A

Who do you work for and what does your role entail?

I started Contrast Security because after 15 years of consulting I was tired of the application security tools on the market. Arshan Dabirsiagi and I invented a way to use software instrumentation to find security vulnerabilities without exploiting them (IAST) and to prevent exploits at runtime (RASP). I spend the majority of my time showing enterprises how they can take advantage of these technologies to dramatically improve and accelerate their application security efforts.

What’s been your biggest work achievement of the last 12 months?

I’m proud to have released Contrast Community Edition to help small companies, schools, charities, and others that can’t afford commercial application security tools. Contrast CE is full strength vulnerability assessment, open source analysis, and runtime protection – and it’s completely free for one app. There are already over 1100 companies using Contrast CE and I’d like to see security instrumentation become the default for all web applications and web APIs.

What is the biggest challenge facing the industry?

Given that “software is eating the world” we need to be a *lot* better at writing code securely. Application security is already the leading cause of breaches and the pace of development has accelerated dramatically in the past few years. In my opinion, the companies that take application security seriously have a massive market advantage as their market transforms to being a software driven business.

What’s the best piece of advice you have ever been given?

One of my law school professors told me to quit focusing on being right. He said I could just go over in the corner and be right all by myself. Then he encouraged me to be more “compelling.” Since then, I’ve focused on figuring out how to get people to listen and adopt some of my ideas into their own work.

What are your predictions for the IT industry for 2019/20 or beyond?

Unfortunately, I think we are going to see more software, more flaws, and more breaches. We won’t see legislation to influence the market, and software builders and vendors are extremely unlikely to self-regulate. My advice is to use some restraint when adopting new technologies and trusting your enterprise to them. Security depends on simplicity.

How do you perceive the hype around AI, a big concern ethically or a huge opportunity?

Many people think that AI is going to revolutionise security, but I disagree. AI/ML is a poor choice to deal with threats/vulnerabilities/attacks that we know about and are well understood. There’s no reason we shouldn’t be able to codify specific, high-assurance rules for those. And AI/ML is also a poor choice for what we do not know about yet. AI/ML rely on large datasets and those simply don’t exist for novel security situations.

What do you think is going to be the next big technology development? Quantum Computing? Smart Robots?

I think the most revolutionary (and dangerous) technology is CRISPR-based gene editing. It brings the possibility of editing genetic code and eliminating many diseases. However, there are some amazing opportunities for errors as well as misuse of this technology. In the hands of a madman, who knows what biological threat could be easily created from something as common as influenza.

Join Jeff at Digital Transformation EXPO Europe, 9-10 October 2019 at ExCeL London “In my two sessions, you’ll learn how application security is re-inventing itself in the face of massive software acceleration, cloud/container adoption, use of open source libraries, APIs and microservices, new languages, and increasingly dangerous adversaries.”

Jeff's first session 'Penetration Testing at DevOps Speed and Portfolio Scale' is taking place on Wednesday 9 October at 11:00am-11:45am in the Cyber Hack. Jeff will also be presenting 'Updating Enterprise AppSec Tactics for the World of Cloud, DevOps, APIs, and Libraries' on Wednesday 9 October at 2:00-2:30pm in the Cyber Security Keynote Theatre. 

Click here to return to the full speaker Q&A library.