Posts

Start-Up Security

After many years in Security @ Riot Games and eventually putting the "s' out there, I recently decided to jump out of my comfort circle for a new challenge and joined a start-up (yes, I left a comfortable, stable job in a pandemic, lunacy lol). Now that I've been here almost 6 months, I wanted to share some findings because security at a start-up is significantly different. When you join a start-up, there's going to be so much that you can do and it will be incredibly easy to "boil the ocean" and try to fix everything. At best, this guarantees failure for the Security team; at worst, alienation from the engineering and product teams. There are some obvious quick wins that a Security team can make without slowing down iteration and innovation speed, while also reducing risk: Auth: Partner with Engineering/IT/CTO such that there's alignment on Security owning all things "auth(n|z)". As part of this ownership, you need to be prepared to resp
Recent posts

Things I Wish I Knew Before InfoSec - Part 1 - Imposter Syndrome

When we (Rookie and Mark) sit down and go into one of those self-reflective modes, we often talk about things we wish we knew, and so we figured it’d be a good idea to share some of those things. Hopefully maybe one person learns from our failings :) So, without further ado, this is the first post in the series of “Things I Wish I Knew”. One thing I (Mark) personally wish I knew about was imposter syndrome, which according to Wikipedia is: a psychological pattern in which one doubts one's accomplishments and has a persistent internalized fear of being exposed as a "fraud". From exams in school to sports competitions, each house move, big “stretch” projects, every new role and becoming a parent, I’ve always had the feeling that I’m not good enough. This typically results in me striving to prove myself constantly, which typically works out well, but when it doesn’t, it causes: me to burn out; colleagues or friends to become frustrated as I may not be giving them enough space

Day in the Life during Covid

Firstly, in this time of great stress and difficulty with many challenges across the world, we (David Rook & I) both realise how lucky we are to still have jobs and that those jobs can be done remotely from home. In some ways, these jobs greatly differ; in others, they’re very much the same. Although routines may sound boring or tedious, with the increased pressure, we’ve found they’ve actually resulted in more freedom and relaxation. We figured it’d be fun to share how our routines look as we try to get through the “Crisis Working from Home” period. They’ve modified somewhat since the lockdown started, though outside of spending a lot more time at home, probably not as much as we thought. Mark 07:00-07:30 :: Either I wake or I’m woken by my kids, but either way I rarely set an alarm. I have found that my routine is 30 minutes later during Covid, as before Covid, I was in the gym by 07:20. I usually make a beeline for the coffee machine, where I seek out an espresso to wake myse

Leading with “deadlines” during Covid-19

So firstly, we obviously failed at our promise in our first post, i.e. we didn’t post an article every few months. Both of us did contribute to the Leadership Tribe of Hackers book so that makes the failure a little less, right??? Anyway, in this post, we wanted to share what we have found to have worked for the Security teams at Riot Games during the Covid pandemic. Like Chris Hymes described here, we pivoted early (before the “stay at home” order) to collaborate with IT (and teams across Riot) to ensure there was a secure and reliable “work from home” experience for Rioters. As challenging as this emergent work was, the more difficult and ambiguous challenge arose after implementation. Surely, the pressure was off as Rioters were now able to work from home such that Riot could securely deliver new games, transition to a remote broadcast for eSports, onboard new vendors (to help further with “wfh”) and do their usual day jobs? That wasn't quite reality and, we all so

What to read as an Engineering Manager in InfoSec

A question that I have received a lot over the last few years is: What are good books about managing and leading people in InfoSec? So to help prevent others from making the many mistakes and blunt approaches that I have made, here's a list of such books with a short note on why I feel it's a good read and why I've found the content helpful. P.S. If you don't want to read books, the best thing to start with as a leader is being a good listener! High Output Management This is the management bible in many ways. It's a truly fantastic book that describes how to lead, manage your team(s) and how to best spend your time on what’s important. It’s survived the test of time, being published first in 1983, and although this is over 30 years later, this book is still highly relevant and educational. Principles This was an amazing read - in fact I think it is actually a pretty phenomenal gift of knowledge from Ray Dalio to us all. Clearly both Dalio and Bridgewater aren’t fo

What's the point of (InfoSec) Certifications?

Quite recently, my GSE was up for renewal. I'm currently in the middle of transporting my family to another continent and I've slightly more responsibilities work-wise in 2016 versus 2012. However, given the effort and study that it took to get the cert the first time (and to a lesser degree the expense), I figured it was a no-brainer to renew. For me, I've always been a huge fan of the GSE and considered it the epitome of InfoSec certifications, much like the CCIE for (Cisco) networking. Personally, I learn better by "doing" and consider it the evidence that someone knows their stuff, so the "2-day lab" element in the GSE was both a huge goal and a challenge that I was excited about. I talked about the value of "doing" when trying to learn about yourself previously here with the infamous Security Ninja and here on my own blog, so there's no point in repeating myself. When I did the GSE, I absolutely loved the hands-on lab mo

Being the Bug in Bug Bounty :: Fail & Tell

Late in December 2015, I sent the email below to all of "Engineering" across Riot Games. I want to share this externally because it's core to the security culture that we want to build in Riot, i.e. one of accountability and responsibility, where we aren't afraid to talk about our screw-ups. ############################################################ Hey Folks, So as most of you know, I'm a bit of a perfectionist with high standards :) Well recently, I screwed up and didn't come close to meeting my own expectations. What did I do? Well, when testing (locally) Netflix's Security Monkey in 2014, I copied over some aws-related scripts I was using and found useful to a local directory on my work laptop, where my Github repo was stored. I also mistakenly copied over a flask configuration file (config-deploy.py) from the local version of Security Monkey that I was testing at the time. To compound this mistake, prior to committing file