How did I get into security? Certainly not the direct route, if there is such a thing.

Getting a college degree

I tried to become a medical doctor first. It took two years before I figured out that I wouldn’t be a good one. By then, all of my pre-med requirements were completed, but a sunk cost is a sunk cost. A bit more thoughtfully, I changed my major to Computer Science.

At the time CS students were required to choose a concentration, so I chose Computer Networking, where I discovered the unexpected joy of digging into IETF RFCs [1] – naturally I implemented my own Internet Relay Chat client [2] for fun, moderated a couple of IRC channels on EFnet [3] in my spare time, and hung out with others there at the edge of a new and wild digital frontier. Then the internet became important, so it seems to have worked out.

When I wasn’t tinkering with network protocols, I also worked part-time for a gruff, no-nonsense system administrator named Bruce Williams, who ran IT for the Computer Science department. I got to build Windows NT servers, make CAT5 cables, and tinker with real life computer networks. There was little doubt in my mind that I would be a network admin or sysadmin after graduating.

Whups!

Going pro

Instead, I spent the first decade of my career as a software developer, starting with the roller coaster ride that was Y2K and the dot com boom. Back then, Java was James Gosling and Sun Microsystems (now defunct) and object-oriented programming (OOP) was the thing to learn, so I wrote mostly Java, practiced refactoring [4], and tried to program pragmatically [5]. I was even an early proponent and adopter of what is now called continuous integration [6], presaging my later stint in DevOps.

Fittingly, I came to respect thoughtful design and the careful craftsmanship that went into good software engineering – and began to wonder about secure coding, planting seeds of curiosity that I would try to sow later.

Along the way, I also started (and stopped) a one-person LLC. This was a side quest that ultimately turned out to be a sort of failed experiment, but I did learn about sales, business administration, and especially the power of the minimum viable product [7].

As these puzzle pieces came together, future me was better equipped to imagine what “security as a product” might look like, so when I became a card-carrying DevOps engineer, my eyes opened to how a platform (the product) designed to empower developers (the customers) could solve security problems.

After a friendly shove forward from COVID, I now get to work on security engineering full-time.

Growing up

Looking back on my childhood now, I suppose there were some clues and foreshadowing. As a Gen Xer, I grew up at a time when most households did not own a personal computer (PC). Then, everyone had one [8].

Like many teenagers, I played video games. My early PC favorites were adventure-based, like Space Quest, King’s Quest, Police Quest, and pretty much anything else from Sierra On-Line. Unlike most, I enjoyed defeating copy protection and spending time in a hex editor.

[Image: representative screenshot of Buck Rogers gameplay]

Correspondingly, my characters in Buck Rogers (an early role-playing game) had conspicuously powerful items and unusually high character attributes. Credit for the screenshot (and the nostalgia) goes to CRPG Addict.

I also remember visiting Waldenbooks (now defunct) or the public library and heading straight for those treasured and familiar shelves to inhale the contents of every operating system book I could get my hands on. I was particularly obsessed with how passwords worked and how secrets were kept.

Surprisingly, it would be twenty years before I really tried again to grok [9] cryptography, which is a regrettably long hiatus, but I am certainly glad to be revisiting and walking this path again.

– JW

Footnotes

  1. These requests for comment by the Internet Engineering Task Force can be intimidating to read, but worthwhile if you want to really understand how the protocols work. 

  2. Implementing IRC was a kind of nerdy rite of passage at that time. I have fond memories of diving into the RFC for this protocol

  3. IRC channel operators set topics, kicked out unruly members, and otherwise moderated the channel. Spent most of my time in #linux and #java on EFnet. Those were special days. 

  4. Thanks to Martin Fowler, his book and his writings over the decades

  5. With much owed to Josh Bloch for writing Effective Java and to Andy Hunt and Dave Thomas for The Pragmatic Programmer

  6. Fond memories of Hudson (now Jenkins) and red/green lava lamps for indicating build status

  7. https://en.wikipedia.org/wiki/Minimum_viable_product

  8. Ours was an IBM PS/2

  9. Yes, grok is a real word. Amusingly, I find myself explaining this a few times every year, including this past summer to my son amidst his peals of laughter at learning that this is a word.